Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Organization Units Authorization on user level

Go to solution
Former Member

‎09-04-2009 9:16 AM

0 Kudos

Hello experts,

Is there a way to add authorization for an organization unit (i.e. Company Code) on a user (SU01) level and not on a authorization objects (PFCG) level?

For example,

I would like to create the following Role (profile):

ZFI_AP_REPORT_DISPLAY

This role should be able to display AP report from the Financial module.

However our problem is, we would like to create authorization levels with organizational units for each user:

For example:

User Anson has ZFI_AP_REPORT_DISPLAY assigned but can only display Report from Company Code 3202.

We know we can create this authorization creating several roles, like:

ZFI_AP_REPORT_DISPLAY_3201

ZFI_AP_REPORT_DISPLAY _3202

ZFI_AP_REPORT_DISPLAY_3203

but our idea is not create several roles, but to assign the Company Code authorization on a user level and leave just one role so we would only need ZFI_AP_REPORT_DISPLAY.

Is there a way to do this?

Thank you in advanced for your replies.

Christine Tseng

1 ACCEPTED SOLUTION

Go to solution
jurjen_heeck
Active Contributor

‎09-04-2009 9:30 AM

0 Kudos

> Is there a way to do this?

This is what the parent-derived concept is meant for. Properly implemented it shouldn't cause more workload than the concept you're thinking of. It is not possible to assign authorizations to a user without using profiles.

3 REPLIES 3

Go to solution
jurjen_heeck
Active Contributor

‎09-04-2009 9:30 AM

0 Kudos

> Is there a way to do this?

This is what the parent-derived concept is meant for. Properly implemented it shouldn't cause more workload than the concept you're thinking of. It is not possible to assign authorizations to a user without using profiles.

Go to solution
Former Member

‎09-04-2009 9:50 AM

0 Kudos

I agree with Jurjen. There is no point creating a "new" authorisation concept for a few transactions. If you use standard authorisation objects for the check in your custom tcodes then you will likely have very little work to do if you assign those tcodes to existing roles.

Even using a custom auth object & creating the variants will take up no more time than doing something like repeating the variable functionality in BI or messing about with PIDs in the UMR (which I definitely do not recommend). By sticking with the standard concept you ensure consistency, making it much easier to support and/or handover if you move on from the role.

Go to solution
Former Member

‎09-04-2009 10:24 AM

0 Kudos

> but our idea is not create several roles, but to assign the Company Code authorization on a user level and leave just one role so we would only need ZFI_AP_REPORT_DISPLAY.

On which basis do you determine the company code of each user?

There might be a way of doing this via their HR or address data?

Cheers,

Julius