Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Showing results for 
Search instead for 
Did you mean: 

SD Invoices - Not secure with right Authority-Checks

Former Member
0 Kudos

If we have a Company Code CXX1 and sales organization SXX1 and Distrubution channels defined as X1, X2, X3........

The sales area would be SXX1/X1/* and SXX1/X2/* and so on.........

when the demographic locations of these sales areas are different, the user base presumably would be different..

In the above situation, If a user in SXX1/X2,* so wishes he can go to VF02 and change invoices of SXX1/X1,.........since there is no authority check at the Distribution channel level for Billing documents, the check V_VBRK_VKO is only at Sales organization level.

We can make changes in the user exit and have a custom object built and the issue CAN be solved, but do you think - there is a logical reason behind not having this check (or) does it make sense to have this added in the ever growing "Wish List"

14 REPLIES 14

Former Member
0 Kudos

Julius,

I am personally apologetic if this has been discussed earlier - Its my mistake not to have checked the forum before asking about it. I have just seen something similar to the request i had .........

0 Kudos

> I have just seen something similar to the request i had .........

Where? I am only aware of 1 or two questions around this area and could not offhand remember any solutions which did not include exits etc.

Though looking in config (SPRO) and the coding of the checks can be very helpfull sometimes.

Cheers,

Julius

0 Kudos

Its true that there have been no definite answers, but i saw something similar related to VF11 transaction......the request was to have access restriciton on Sales office level (which for my thought is stretching things too far, maybe...............) But, logically speaking, the question was related i would think.

Anyway, apart from having this change implemented in custom set-up, do you think it is a valid request to ask SAP to take notice?

My argument for the case is: One one hand in Fucntional training on SD, we train and show-case the flexibilty of SD customizing....how nice and flexible sales areas can be defined......and on the flip side we dont make enough restricitons on what should and what shouldnt be seen

Case Valid???? Is it admitted????

0 Kudos

> My argument for the case is: One one hand in Fucntional training on SD, we train and show-case the flexibilty of SD customizing....how nice and flexible sales areas can be defined......and on the flip side we dont make enough restricitons on what should and what shouldnt be seen.

I am not knowledgable enough about this specific customizing aspect of yours to comment, but setting things up with security considerations is always a good idea to avoid exits and other mal-investments...

I can only state from my experiences that looking deeper into the options reveals that "it is not possible" should actually be "faulty config design" or "conflicting requirements using the same object".

For this there are a host of "optional objects" which sometimes have specific use cases which are transaction dependent, or for others they are disabled in SU24 and apply to anything else.

IMO the easiest way is to track down a developer who understands security and role building and also understands SD and other dependencies, and take a look at the checks made and options in the coding with them.

It must work and be sustainable as a technical and business concept.

Clicking around for a solution in a PowerPoint showcase is crap...

Cheers,

Julius

0 Kudos

well...I dont know how to answer to your explanation .....but let me try........

For a start ...I am a Functional Consultant (SD) who stumbled into working on Authorization Security a few years back (personally.it feels like ages

I sincerely feel i have invested time and effort to check available options to make restrcition on SD invoices (via SU24, or checks in Programs....) and having no great luck apart from planning to add some checks in the user exit for Billing - I sought an opinion from the forum members

With guys like you, Alex, Jujen....... i fancy my chance of getting some advice that could show the right direction

Coming to the issue and your comment

" For this there are a host of "optional objects" which sometimes have specific use cases which are transaction dependent, or for others they are disabled in SU24 and apply to anything else"

I should say, i didnt completely understand what you meant. Are you suggesting that there are obects that could be triggered ON/OFF in SU24 for VF02 and that "might" help - Honestly, i wouldnt think so

and for the record, i dont train people on SD - its just that i wanted to be decent and not say "When SAP trains"

0 Kudos

> I should say, i didnt completely understand what you meant. Are you suggesting that there are obects that could be triggered ON/OFF in SU24 for VF02 and that "might" help

There is a possibility to turn checks back off again, transaction context specifically.

There is no possibility to turn checks on in the first place, if the check is not in the code.

> Honestly, i wouldnt think so

From what you have described, I don't think so either because you want to turn a check on which isn't there. At least not for VF02. Right?

Cheers,

Julius

0 Kudos

> From what you have described, I don't think so either because you want to turn a check on which isn't there. At least not for VF02. Right?

>

> Cheers,

> Julius

Bingo, we are on the same page now

question 2: is this a valid request for the wish list? or is too flimsy a request

0 Kudos

Lets give it a while to see what others post. Perhaps there is a solution?

> is this a valid request for the wish list? or is too flimsy a request

Let me know if you would like to have permissions to maintain the wiki. Then you can decide for yourelf.

Enjoy the weekend,

Julius

0 Kudos

>

> Lets give it a while to see what others post. Perhaps there is a solution?

Perfect, I am ok to wait

> > is this a valid request for the wish list? or is too flimsy a request

> Let me know if you would like to have permissions to maintain the wiki. Then you can decide for yourelf.

>

> Enjoy the weekend,

> Julius

As many times i read this i always get the same thoughts "Is this is a back-hand slap (or) is it a nice gesture "

KUDOS for the writing skills, i should say

4 more hours to get out of office and its a gloomy week-end out here

You have fun & a good time over the week-end

0 Kudos

It was meant earnestly that you can add it to the wiki if you want to.

I don't want to be the one to decide. I am only a wiki-gardener...

Cheers,

Julius

0 Kudos

>

> Lets give it a while to see what others post. Perhaps there is a solution?

>

> > is this a valid request for the wish list? or is too flimsy a request

> Let me know if you would like to have permissions to maintain the wiki. Then you can decide for yourelf.

>

> Enjoy the weekend,

> Julius

I am overwhelmed by the gesture. But, Honestly speaking being a novice, i feel i am still finding my feet out here........If you give me the liberty to ask, when i feel i am ready to maintain the wiki - that itself would be an achievement and a honour i would think

thanks once again

Former Member
0 Kudos

Let me start by saying your issues can be resolved using two options;

Option 1.... all distribution should be mapped to their respective sales organization, and that would resolve it. How you do this?

The Sales Distribution funtional guys will have to go into SPRO (Customizing guide), and set up properly the mapping of distribution channel to Sales organization. If this is not the case at your end, then something is wrong. Once this is done, the user will be forced to use a distribution channel assigned to their sales org. You may want to ask but what happens if user tries to change data at other distribution channel not assigned to them? They would not be able to process against the data in the disctribution channel where they re not authorized.

Option 2.... create a group variant and assign all the users who should not have access to certain distribution channel. Even though they assigned the role but it would limit them to specific distribution channel.

That should resolve your problem.

0 Kudos

Dear XXXX,

As suggested by Julius in an other thread - i think we all would be mightily impressed if you could change your log-in credentials (thats a personal view)

coming to the discussion and my views:

Option 1 you sggested:

I feel we are not in SYNC in understanding each other - customizing of Sales area was never under debate. I do understand that each Distribution channel is assigned to a sales organization (this doesnt require rocket science ) and i would think having one distibution channel per sales organization would be the most un-foreseen suggestion (well if i someone proposes this to business guys and walks away with it - hats off to them)

Multiple disribution channels can also be assigned to a sales organization (which is more often the case 99 out of 100 times) and business wise it is logical to have it this way. The problem that i highlight is an issue you would have when invoices are checked.

EXAMPLE;

For a sales Organization SXX1, you can have Internal Distribution as DIst.Channel 1 and External Distribution as Dist.Chanl 2

Once you place the sales order, complete the delivery processing and create the invoices, user in Sales Org SXX1 and Dist chnl 2 , can also change the invoices of Sales Org SXX1 and Dist Chnl 1- there is no check

Option 2 you suggested:

I apprecaite your thoughts and your penchant for creating group variants. But, I have users in 16 countries, i have a minimum of 32 sales organizations and minimum of 3 distribution channels per sales organzation. If i create group variants per distribution channel and sales org and users combination - i would be left with a bee hive - Give it a thought

No offence meant but, If i can manage via group variants, i can as well file for a patent similar to this "System for joining elements to complex junctions and links in road network "

Former Member
0 Kudos

This has been open for sometime and I dont see any concrete answers coming up, so it makes sense to close the thread

Thanks to all those who contribued