07-20-2009 2:41 PM
Hi,
I want to restrict the access in VA01 in that whenever a user use this combination
" <ordertype = z011> + <sales offc X> + <plant X>" he could able to create the document
but not on this combinatoin "<ordertype = z011>+<sales offc X> + <plant Y > "
i.e he could able to access the plant of the concerned sales office and not any other plant.
thanks
07-20-2009 3:16 PM
you need an enhancement for this. the plant is on the same organizational level as sales org but the two of them do not combine (at least not when it comes to authorizations in SD).
you could go for structural authorizations, but if that one decribed is your only issue, that would be shooting rockets at sparrows.
07-20-2009 6:35 PM
You may use Authorization Object V_VBKA_VKO for this purpose. But w/o any check proposal in the program for VA01 it's irrelevant to add this Object in SU24 for VA01. You can go for inserting an Exit (for e.g. LV02PF0S which contains the Object V_VBKA_VKO in Authority-Check) to append a Check for Sales Office in VA01. [take help of ABAPer, may be I am not correct with the explanation language as I am not a Developer).
AUTHORITY-CHECK OBJECT 'V_VBKA_VKO'
ID 'VKORG' FIELD KNVV_TAB-VKORG
ID 'VTWEG' FIELD KNVV_TAB-VTWEG
ID 'SPART' FIELD KNVV_TAB-SPART
ID 'VKBUR' FIELD KNVV_TAB-VKBUR
ID 'VKGRP' FIELD KNVV_TAB-VKGRP
ID 'KTAAR' FIELD AUART
ID 'ACTVT' FIELD US_ACTIVITY.
Then add this object in SU24 w/ C/M proposal for VA01.
While maintaining Fields in the Profile generator for VA01, please put same Value as WERKS (Plant). Also make sure that the Sales Offices are properly created/maintained to use with such values (check table TVBUR).
Regards,
Dipanjan
Edited by: Dipanjan Sanpui on Jul 20, 2009 2:21 PM
Edited by: Dipanjan Sanpui on Jul 20, 2009 2:23 PM
07-20-2009 10:07 PM
I dont think that checking authority for VKORG is usefull here.
You would need the VKORG first (the value in the document, not the authorizations...), and subsequently check for WERKS for them to be compatible.
If my interpretation of the question is correct, this is a compatability of VKORG and WERKS question - and not a security question really.
The authority-checks should be performed anyway, as context specific checks generally only deactivate checks (setting sy-subrc to 0).
Whether to move it to ERP SD or ERP MM, please advise? If all else fails, ABAP General.
Cheers,
Julius