04-06-2011 11:00 AM
Hi Experts,
I would like to know how SAP authorizes whether a user can update/edit/view a particular business document (example: sales order, purchase requisition) depending on a field value.
Example 1:
User A is not supposed to view purchase requisitions of more than 10000$. But user B can view this PR.
Example 2:
User X cannot release SO 123123123 because of some values (it could be SO type, customer, number of items or total amount). But user Y can release this SO.
Basically, how to restrict security access when information is dynamically changed?
Thanks,
Sukhbold
04-07-2011 12:14 AM
Hi,
as you know, an authorization check is always a question of whether the user has authorization for a particular object and values. Therefore you have to map values into sets. For example, a PO with a total value of less than 1000$ is set A and everything else is set B, and then you check if a user has authorization for set A or B. For example, this is how PO release strategies work. To summarize, an application needs to map values into discrete values and then the authorization check is performed for these new values.
If you want to implement something like this then I would suggest using BRF+ if you are on a sufficient release level. This allows you to pass the business rules definition back to the business. You just need to agree on the interface.
Cheers
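
The mapping described in the reply above, applied to the purchase requisition case from the question, as an added example that is not part of the original thread or SAP's own code. The class name, the custom authorization object `ZPR_VALBND` and its field `ZVALBAND` are hypothetical; the amount is assumed to be already converted to one reference currency, and the syntax assumes ABAP 7.40 or later.

```abap
" Added example. ZPR_VALBND (fields ZVALBAND, ACTVT) is a hypothetical
" custom authorization object; the band limit is taken from example 1.
CLASS zcl_pr_value_auth DEFINITION FINAL CREATE PUBLIC.
  PUBLIC SECTION.
    TYPES ty_band   TYPE c LENGTH 1.
    TYPES ty_amount TYPE p LENGTH 15 DECIMALS 2.
    CLASS-METHODS band_for_value
      IMPORTING iv_total       TYPE ty_amount
      RETURNING VALUE(rv_band) TYPE ty_band.
    CLASS-METHODS may_display
      IMPORTING iv_total          TYPE ty_amount
      RETURNING VALUE(rv_allowed) TYPE abap_bool.
ENDCLASS.

CLASS zcl_pr_value_auth IMPLEMENTATION.
  METHOD band_for_value.
    " Map the continuous amount onto a discrete set that a role can carry.
    " Exactly 10000 still falls into set A; anything above is set B.
    IF iv_total <= 10000.
      rv_band = 'A'.
    ELSE.
      rv_band = 'B'.
    ENDIF.
  ENDMETHOD.

  METHOD may_display.
    " The check runs against the derived band, never the raw amount.
    " A role holding only ZVALBAND = 'A' fails here for a document in 'B'.
    DATA(lv_band) = band_for_value( iv_total ).
    AUTHORITY-CHECK OBJECT 'ZPR_VALBND'
      ID 'ZVALBAND' FIELD lv_band
      ID 'ACTVT'    FIELD '03'.          " 03 = display
    " Any non-zero sy-subrc is treated as a denial (deny by default).
    rv_allowed = xsdbool( sy-subrc = 0 ).
  ENDMETHOD.
ENDCLASS.
```

Because the band is recomputed from the current document value on every call, a requisition whose total rises above the limit after creation is re-evaluated the next time it is opened.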