Skip to Content
avatar image
Former Member

Restricting access to IDocs

Greetings All,

I'm currently in a situation where we have an SAP installation that we wish to restrict access to IDocs.

Basically, we have several entities (defined as company codes in SAP) on the same instance and the issue arises when executing transaction code such as BD87 where everyone is able to view and process all IDocs in the system.  Ideally, we want to restrict access such that a person belonging to company code 2000 can only view and process IDocs created by other people belong to company code 2000.

I did some research and performed a search on SCN and am aware of S_IDOCMONI, but this does not appear to address the issue.  I was thinking that perhaps, there is a way to code a custom transaction code with a company code field.  However, this gets tricky as how will we know to which company code a specific IDoc is associated with?

Any ideas would be greatly appreciated on how to approach this issue.



Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

1 Answer

  • Best Answer
    May 15, 2012 at 03:55 AM


    do your entities deal with different partners? If yes then you should be able to restrict access with S_IDOCMONI.

    If not then I don't think that you will be able to achieve your requirement with standard transactions. You can see that the fields available in S_IDOCMONI are stored in IDoc control record. You are asking for check based on content of IDoc. So it's obvious that generic authorization check would be too difficult to implement (maybe even impossible from technical point of view - performance issues and so on).So you can try to build a custom solution and remove access to standard authorizations. You can restrict this custom solution just to subset of message types where you know location of values for authorization checks. This will be significantly slower than standard transaction. The good news is that SAP provides some API for displaying/modifying IDocs so you will have to develop only a report with selected IDocs based on user's authorization. Another approach could be to extend standard transactions using enhancement framework. This can be tricky.


    Add comment
    10|10000 characters needed characters exceeded

    • Former Member

      Hello Martin,

      Thanks a lot for explaining about how S_IDOCMONI works. This saved us a huge effort in experimenting and finding out how to interpret this authority object.

      Keep up the good work!