04-22-2009 9:56 AM
Transaction MRBR is currently wide open. Anyone with authorization to this transaction can unblock invoices in any company code.
Standard security profiles can only restrict users at universal (*) or purchasing group level. We require control on company code.
OSS 399953 suggests creating validation rule (GGB0) to test user authorizations for transaction MRBR and authorization object F_BKPF_BUK.
Can anyone supply the validation coding to solve this security problem?
Is anyone familiar with this problem ? Do you have a solution ? also None standard SAP solutions are welcome
Thanks in advance
Greetings,
Vincent
04-22-2009 12:11 PM
Hi Vincent
Another option could be to implement an authorization check in the BAdI MRM_RELEASE_CHECK - this is, of course not Standard.
The code could look somthing like this:
DATA: wa_rbkp_blocked TYPE mrm_tab_rbkp_blocked.
LOOP AT i_rbkp_blocked INTO wa_rbkp_blocked.
AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
ID 'BUKRS' FIELD wa_rbkp_blocked-bukrs
ID 'ACTVT' FIELD '02'.
IF sy-subrc EQ 0.
APPEND wa_rbkp_blocked TO e_rbkp_blocked.
CLEAR wa_rbkp_blocked.
ENDIF.
ENDLOOP.
Regards
Morten Nielsen
04-22-2009 11:07 AM
Look in Su24 and then you see that standard SAP checks MRBR On Purchase Organisation and
Purchasing Group, if you want more Organisational control (WHY???) you will have to change the abap!
So set up your Purchasing Organisation and Groups correctly in SAP and you are in control. There is alo a check on Blocking reasons that you can add to a role as restriction!
04-22-2009 12:11 PM
Hi Vincent
Another option could be to implement an authorization check in the BAdI MRM_RELEASE_CHECK - this is, of course not Standard.
The code could look somthing like this:
DATA: wa_rbkp_blocked TYPE mrm_tab_rbkp_blocked.
LOOP AT i_rbkp_blocked INTO wa_rbkp_blocked.
AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
ID 'BUKRS' FIELD wa_rbkp_blocked-bukrs
ID 'ACTVT' FIELD '02'.
IF sy-subrc EQ 0.
APPEND wa_rbkp_blocked TO e_rbkp_blocked.
CLEAR wa_rbkp_blocked.
ENDIF.
ENDLOOP.
Regards
Morten Nielsen