Authorization for VAP2 in conflict with VD02 for F_KNA1_GRP
Our sales people need create, change and display access for contact persons (VAP1-2-3) of all customer account groups (F_KNA1_GRP). Meanwhile they also need to be able to create, change and display prospects (account group 0005). For changing prospects, you need access to S_TCODE VD02, but the users should not have access to other customer account groups (eg sold-to or ship-to parties) while using VD02. Can this be done?
Julius von dem Bussche replied
> I created a second role with VAP2 as S_TCODE
> F_KNA1_GRP: ACTVT 02, KTOKD=*
The calling transaction takes care of what can be navigated in the called transaction's context, if it cannot be accessed directly.
What you could also try is a combination of F_KNA1_AEN (optional authorization to change fields of the groups, as a protective mechanism), then disable VD02 for the VAP2 in SE97 and disable F_KNA1_AEN in SU24 for VAP2.
Might work... (just a brain-storm...