03-23-2009 5:08 AM
Is company id = trading partner? Does SAP allow users to view certain company ids / trading partners via authorisation in PFCG? What if I would like to give a user certain display access to some company ids/ trading partners, is that possible?
Best Regards,
Ethan Quek
03-23-2009 6:38 AM
Hi,
Yes, it's possible. Organizational values (company code, plant, sales organization, etc.) are maintained in each role as per the requirements. Also, you have certain transactions only for display access, like mm03. I am not sure what is actually meant by trading partner. I didn't see this value in organizational values in SAP.
Regards,
Gowrinadh
03-24-2009 8:10 AM
Hi Gowrinadh,
Trading partner is actually the company id that is declared in a company code. If you go to any of the vendor or cust master data under Control section (you may have to check whether if the field is enabled in the vend or cust master), you'll see the trading partner field. The trading partner field can also be enabled at the posting level of FI trns.
I hope I've explained clearly. I'm still trying to find out how to restrict viewing of these trading partners / company ids. Apparently, anyone who has access to SAP can see ALL trading partners regardless of which company code the person belongs to which is quite risky as I don't want any one to know who I'm trading with.
Best Regards,
Ethan Quek
03-24-2009 8:52 AM
Hi,
Can I please know how one can see all trading partners? Which transaction do they use? One way to find the corresponding object will be by tracing the user for authorization checks.
Regards,
Gowrinadh
03-24-2009 9:43 AM
Hi there,
Go to SPRO-->Enterprise Structure --> Definition --> Financial Accounting --> Define Company.
The company id aka trading partners are defined over there. Will there be a limitation to authorisation if it's not company code specific?
03-24-2009 10:41 AM
Trading partners and company codes are usually kept in sync by the customisers. These are used for intercompany transfers, to the best of my knowledge. But they are still independent, and restricting a company code 'XXX' should not automatically restrict trading partner 'XXX'.
03-24-2009 10:43 AM
Hi,
You can restrict the access to this company codes option by removing access to object S_TABU_DIS for authorization group DICBERCLS=GC. To edit or create new entries, users need create/change access on this object. If you would like to restrict display as well, then please do not give display access as well for GC authorization group.
Hope this helps.
Regards,
Gowrinadh
03-25-2009 12:54 AM
Hi Gowrinadh,
When you say 'restrict display as well, then please do not give display access as well for GC authorization group.', do you mean that if there're 20 company ids in the list, I can choose to either allow my users to see ALL or just a subset of them?
Best Regards,
Ethan
03-25-2009 5:29 AM
Hi,
You can't restrict on subset level. If you restrict display (activity 03) then the users can't see any entries in the table.
> When you say 'restrict display as well, then please do not give display access as well for GC authorization group.'
Yes please do not give display access as well for GC authorization group.
Regards,
Gowrinadh
03-25-2009 8:05 AM
Hi Gowrinadh,
Do we need to customise the system if we want to let users view a sub-set of the company ids? Can it even be customised in such a way in the first place? If it can be customised then how do we go about doing it?
03-25-2009 8:15 AM
Hi,
I think the customization should be possible. But it should be done for each of the specific Tcodes where you need to check for the Company Ids. You would need to create a new Authorization object and include it in the authorization-Check section of the Program.
Regards,
Partha
Edited by: Parthasarathy Sridharan on Mar 25, 2009 9:15 AM
03-25-2009 8:19 AM
Hi Partha,
I've never done this before. Do you think you could explain how it can be customised specifically? Can you give some examples? Would be most glad to learn a tip or 2 from you.
03-25-2009 9:05 AM
Hi,
I am also not sure how it is done completely. But I'll try to give the general Idea.
To check for Authorization you need an authorization object. Customized authorization objects can be created in Tcode SU21. You can create your own object class for this purpose as well. The fields and values allowed for this object will have to be defined here as well.
Once this is done, the actual code to check for authorizations needs to be written in the program corresponding to the Tcode. There are a lot of Function Modules with names authority_check which could be used for this purpose.
If it is a standard SAP Tcode then I am not sure whether it is recommendable to modify the code. But you may consider creating a Z* version of the Tcode as well. But I have seen custom auth. objects added to the std. Tcodes as well.
As far the examples are concerned hard luck. I have not got one right now.
Gurus, Please pardon and correct if I am wrong .
Regards,
Partha.
03-25-2009 12:16 PM
Hi,
If you could actually let me know the requirement then we can see all the possible methods and decide on best one.
Regards,
Gowrinadh
03-26-2009 12:34 AM
Hi Gowrinadh,
Requirements:-
1. Allow user to only view reports but with restricted display access to certain company ids
2. System has a set of 100 company ids and user is only allowed to see a subset (eg. 10 company ids) of the 100 company ids
3. For eg. Company id = 001 ...... all the way to 100
But this particular user is only allowed to see company id = 001 - 020
Any reports either standard or customised or any tcodes that have this field, the user can only see transactions related to company id = 001 to 020.
I hope the above requirements are clear enough.
Best Regards,
Ethan Quek
03-26-2009 6:53 AM
>
>
> Requirements:-
> * Any reports either standard or customised or any tcodes that have this field, the user can only see transactions related to company id = 001 to 020.
>
> I hope the above requirements are clear enough.
>
> Ethan Quek
Hi Quek,
I do not believe this could be done at user level. This needs to be done at the Tcode level as far as my knowledge goes and then user has to be assigned access accordingly.
Regards,
Partha.
03-26-2009 7:35 AM
Hi Quek,
The access to reports/company codes are given on roles / profiles. If you need the user to go and access even SPRO, you have to provide the access either through a role / profile.
You need to create a role with all reports/transaction codes, in which while editing or fine tuning authorizations you will have an option to set Organizational levels.
Here you can set the required organizational levels company codes (as required). The user will be able to execute reports and see the data only related to these company codes.
Hope this clarifies. Correct me If I misunderstood your requirements.
Regards,
Gowrinadh
03-26-2009 9:09 AM
>
> Here you can set the required organizational levels company codes (as required). The user will be able to execute reports and see the data only related to these company codes.
>
Yes, but even for this to work you will still need to code it in the program of Tcode. The reason is when the Tcode is run the authorization check happens only if it is written in the ABAP code. Else the users will still be able to access all the org levels.
Regards,
Partha.
03-27-2009 12:31 AM
Hi Partha,
Thanks for the note. Does that mean I must go thro' the many tcodes in the system which show Trading partner & I need to customise those tcodes in order for the requirements to be fulfilled? Any other shortcuts?
For eg, just design a prog to see that if any other tcodes displays the trading partner / company id, it'll just allow partial display of the whole set. Any ideas?
Best Regards,
Ethan Quek
03-27-2009 6:30 AM
>
> Does that mean I must go thro' the many tcodes in the system which show Trading partner & I need to customise those tcodes in order for the requirements to be fulfilled? Any other shortcuts?
>
Yes, pretty much. At least, I do not know any other way from the Security point of view.
>
> For eg, just design a prog to see that if any other tcodes displays the trading partner / company id, it'll just allow partial display of the whole set. Any ideas?
>
Yes, that might be possible. But that would be ABAP. Even then I am not sure how it could be done. Also the Question arises (for me) how will that program be run. It'll be too tedious to run it continuously to check for each Tcode that is ever accessed in the system. Won't it? Else, will you tie this program to the Tcodes with requirement?
Correct me if I am wrong about this.
Anybody with better ABAP knowledge could give a better suggestion on this option.
Regards,
Partha.
03-27-2009 11:13 AM
Hi,
The SAP transactions are already equipped with such kinds of checks. You need to worry only about custom / newly developed transactions. For example, in VA01 which is restricted on company code levels. Please let me know the transaction codes for example purpose I can let you know how can you apply restriction on them.
P.S Till now I am not talking about new Z transactions.
Regards,
Gowrinadh
03-28-2009 3:59 AM
Hi Gowrinadh,
Tcodes FAGLL03, FBL3N, FBL5N & FBL1N all have trading partner fields for users to see. These are the more commonly used tcodes. I've got other Z trns that also display the trading partner / company id fields.
However, I only want to apply partial display restriction to certain trading partners / company ids not ALL of them.
Best Regards,
Ethan Quek
03-28-2009 9:41 PM
FAGLL03 , there are no defined objects by SAP in the background.
FBL3N, FBL5N & FBL1N have a limitation on company code. You can check them by browsing the table in SE16 --> USOBT / USOBT_C and entering the name of the transaction in the name field.
You will see the list of authorization objects attached to it. You will find a field called BUKRS (company code); it provides restriction on the Company id or Trading partner. You can enter as many as the user is supposed to see in the role.
And for Z transactions, you can use existing SAP authorization objects if they provide similar functionality to SAP transactions, like
F_BKPF_BUK
F_KNA1_BUK
F_LFA1_BUK
or create new authorization objects. Also, you need to change the source code of the Z transactions to check the authorization (Authority-check statement) (ABAP job).
Regards,
Gowrinadh
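An added example of the approach discussed in the posts above (a custom authorization object checked with AUTHORITY-CHECK inside a Z report), not code from any poster or from SAP. The object name Z_TRDPART and its fields RCOMP and ACTVT are hypothetical and would have to be created in SU21 first; the company list is read from table T880.

```abap
REPORT z_trading_partner_list.

* Hypothetical custom authorization object Z_TRDPART (created in SU21)
* with two fields: RCOMP (company id / trading partner) and ACTVT.
* Both the object and its field assignment are assumptions.

TYPES: BEGIN OF ty_company,
         rcomp TYPE t880-rcomp,
         name1 TYPE t880-name1,
       END OF ty_company.

DATA: lt_company TYPE STANDARD TABLE OF ty_company,
      ls_company TYPE ty_company.

START-OF-SELECTION.

* T880 holds the companies maintained under
* Enterprise Structure > Definition > Financial Accounting > Define Company.
  SELECT rcomp name1 FROM t880 INTO TABLE lt_company.

  LOOP AT lt_company INTO ls_company.
*   Check display activity (03) per company id. A role can then carry
*   a range such as 001 to 020 in the RCOMP field of the object.
    AUTHORITY-CHECK OBJECT 'Z_TRDPART'
      ID 'RCOMP' FIELD ls_company-rcomp
      ID 'ACTVT' FIELD '03'.
    IF sy-subrc <> 0.
*     Not authorized for this company id: skip the row silently.
      CONTINUE.
    ENDIF.
    WRITE: / ls_company-rcomp, ls_company-name1.
  ENDLOOP.
```

The same per-row check would have to be placed in every Z report that outputs the trading partner field; rows that fail the check are skipped rather than reported, so the output does not reveal which company ids exist.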
03-30-2009 2:06 AM
Hi Gowrinadh,
From my understanding on your below advice, I can assign any number of company ids to a company code in the authorisation? The configuration in my organisation is such that, there're no specific company codes assigned to any company ids. It was intentionally left blank which means, regardless of whether you've got access to company code A or B, you can still view ALL company ids / trading partners or assign whichever company id / trading partner to a company code at transactional level.
You can go to SPRO --> Enterprise Structure --> Assignment --> Financial Accounting --> Assign company code to company
Is authorisation dependent on this config?
Best Regards,
Ethan Quek
03-30-2009 8:40 AM
Hi,
SPRO is the place where you configure and view the data. As far as I know, there is no such procedure available today to just display part of the data. However, you can develop Z transactions which take some value as a parameter and display the company code based on the input received, and restrict the access to the particular path in SPRO as I already mentioned before.
Regards,
Gowrinadh