Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Goods issue for PM Order

sunilv_dev
Participant

‎07-01-2009 6:21 PM

0 Kudos

Hi:

How can I prevent user from plant 100 from issuing items for a plant maintenance order created for plant 200.

4 REPLIES 4

sdipanjan
Active Contributor

‎07-01-2009 8:13 PM

0 Kudos

What is the Tcode? Security people are not also Functional experts.. at least me

Regards,

Dipanjan

sunilv_dev
Participant
In response to sdipanjan

‎07-01-2009 9:06 PM

0 Kudos

When I use transaction MIGO with movement type 261 (Goods issue to order) for PM order. System does not check if order belongs to issuing plant.

that means, If I have authorization to preform MIGO in plant 100, I am still able to issue Goods to a PM order in plant 200. I want to prevent this from happening.

sdipanjan
Active Contributor
In response to sdipanjan

‎07-01-2009 9:43 PM

0 Kudos

Hi,

There several Objects associated with MIGO to check access for Plant. Please find the list below:

M_MRES_WWA WERKS $WERKS

M_MSEG_LGO WERKS $WERKS

M_MSEG_WMB WERKS $WERKS

M_MSEG_WWA WERKS $WERKS

M_MSEG_WWE WERKS $WERKS

But for your case, you need to do the following steps:

First find out the roles though which user id is getting access to MIGO. for this you need to go to

A. SUIM... Role by complex selection criteria ........ unmark composite role.. put the user id in "With User assignment" field ........ put S_TCODE in the authorization object filed and in TCD ..put MIGO.......... then execute... you will get the list of roles providing access to MIGO.

Now do the next steps to check the available "PLANT" value for the user:

1. Go to SUIM

2. Users by complex selection criteria

3. Put the user name and execute

4. Click on Display Details .. the left most selection option in the application toolbar (or press F2)

5. Select the user name and click on "Select/Expand Subtree"

6. Put the mentioned

Download the list and check the value for Plant in those roles... go to those roles and change "Organization Level" Plant if you want to change the existing roles... or you can copy them into new and then provide limited access to Plant as you want which is more convincing. Otherwise other users having having those existing roles will loose their pretended access.

Let me know for more details if required..

Regards,

Dipanjan

sunilv_dev
Participant
In response to sdipanjan

‎07-01-2009 9:50 PM

0 Kudos

Hi Dipanjan

I have a role Z:00:INV_CLERK-100 for plant 100,. The organization level is restricted to plant 100 ONLY.

i.e. Following objects are restricted to the plant 100.

M_MRES_WWA

M_MSEG_LGO

M_MSEG_WMB

M_MSEG_WWA

M_MSEG_WWE

User is assigned this role ONLY. He can not perform MIGO transaction to any other plant.

I have a PM Order 1000000 created for a plant 200. This user whose access is restricted to plant 100, can issue Goods using movement type 261 (Goods Issue-Others) to this PM order 1000000 which is for plant 200 and not in 100. I want this to be restricted. System is not checking the plant of PM Order. Since Plant of PM order is different, user should not be able to issue material from stores to this PM order.

How Can I prevent this.