Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Showing results for 
Search instead for 
Did you mean: 

No authorization for company code in MRBR

0 Kudos

Transaction MRBR is currently wide open. Anyone with authorization to this transaction can unblock invoices in any company code.

Standard security profiles can only restrict users at universal (*) or purchasing group level. We require control on company code.

OSS 399953 suggests creating validation rule (GGB0) to test user authorizations for transaction MRBR and authorization object F_BKPF_BUK.

Can anyone supply the validation coding to solve this security problem?

Is anyone familiar with this problem ? Do you have a solution ? also None standard SAP solutions are welcome

Thanks in advance

Greetings,

Vincent

1 ACCEPTED SOLUTION

morten_nielsen
Active Contributor
0 Kudos

Hi Vincent

Another option could be to implement an authorization check in the BAdI MRM_RELEASE_CHECK - this is, of course not Standard.

The code could look somthing like this:

DATA: wa_rbkp_blocked TYPE mrm_tab_rbkp_blocked.

  LOOP AT i_rbkp_blocked INTO wa_rbkp_blocked.

    AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
             ID 'BUKRS' FIELD wa_rbkp_blocked-bukrs
             ID 'ACTVT' FIELD '02'.

    IF sy-subrc EQ 0.
      APPEND wa_rbkp_blocked TO e_rbkp_blocked.
      CLEAR wa_rbkp_blocked.
    ENDIF.
  ENDLOOP.

Regards

Morten Nielsen

2 REPLIES 2

Former Member
0 Kudos

Look in Su24 and then you see that standard SAP checks MRBR On Purchase Organisation and

Purchasing Group, if you want more Organisational control (WHY???) you will have to change the abap!

So set up your Purchasing Organisation and Groups correctly in SAP and you are in control. There is alo a check on Blocking reasons that you can add to a role as restriction!

morten_nielsen
Active Contributor
0 Kudos

Hi Vincent

Another option could be to implement an authorization check in the BAdI MRM_RELEASE_CHECK - this is, of course not Standard.

The code could look somthing like this:

DATA: wa_rbkp_blocked TYPE mrm_tab_rbkp_blocked.

  LOOP AT i_rbkp_blocked INTO wa_rbkp_blocked.

    AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
             ID 'BUKRS' FIELD wa_rbkp_blocked-bukrs
             ID 'ACTVT' FIELD '02'.

    IF sy-subrc EQ 0.
      APPEND wa_rbkp_blocked TO e_rbkp_blocked.
      CLEAR wa_rbkp_blocked.
    ENDIF.
  ENDLOOP.

Regards

Morten Nielsen