07-01-2009 6:21 PM
Hi:
How can I prevent a user from plant 100 from issuing items for a plant maintenance order created for plant 200?
07-01-2009 8:13 PM
What is the Tcode? Security people are not also Functional experts.. at least me
Regards,
Dipanjan
07-01-2009 9:06 PM
When I use transaction MIGO with movement type 261 (Goods issue to order) for a PM order, the system does not check if the order belongs to the issuing plant.
That means, if I have authorization to perform MIGO in plant 100, I am still able to issue goods to a PM order in plant 200. I want to prevent this from happening.
07-01-2009 9:43 PM
Hi,
There are several objects associated with MIGO to check access for Plant. Please find the list below:
M_MRES_WWA WERKS $WERKS
M_MSEG_LGO WERKS $WERKS
M_MSEG_WMB WERKS $WERKS
M_MSEG_WWA WERKS $WERKS
M_MSEG_WWE WERKS $WERKS
But for your case, you need to do the following steps:
First, find out the roles through which the user ID is getting access to MIGO. For this you need to go to:
A. SUIM... Role by complex selection criteria... unmark composite role... put the user ID in the "With User assignment" field... put S_TCODE in the authorization object field and, in TCD, put MIGO... then execute. You will get the list of roles providing access to MIGO.
Now do the next steps to check the available "PLANT" value for the user:
1. Go to SUIM
2. Users by complex selection criteria
3. Put the user name and execute
4. Click on Display Details .. the left most selection option in the application toolbar (or press F2)
5. Select the user name and click on "Select/Expand Subtree"
6. Put the mentioned
Download the list and check the value for Plant in those roles... go to those roles and change "Organization Level" Plant if you want to change the existing roles... or you can copy them into new ones and then provide limited access to Plant as you want, which is more convincing. Otherwise other users having those existing roles will lose their pretended access.
Let me know if more details are required.
Regards,
Dipanjan
07-01-2009 9:50 PM
Hi Dipanjan
I have a role Z:00:INV_CLERK-100 for plant 100. The organization level is restricted to plant 100 ONLY,
i.e. the following objects are restricted to plant 100:
M_MRES_WWA
M_MSEG_LGO
M_MSEG_WMB
M_MSEG_WWA
M_MSEG_WWE
The user is assigned this role ONLY. He cannot perform the MIGO transaction for any other plant.
I have a PM order 1000000 created for plant 200. This user, whose access is restricted to plant 100, can issue goods using movement type 261 (Goods Issue-Others) to this PM order 1000000, which is for plant 200 and not 100. I want this to be restricted. The system is not checking the plant of the PM order. Since the plant of the PM order is different, the user should not be able to issue material from stores to this PM order.
How can I prevent this?