Limit project access through company code

gaizka_gonzalez
Explorer
0 Kudos

Hello,

We need to limit users accessing projects through company code. We have created a role for "Menu --> Logistics --> Project System" and limited organizational levels for authorizations. The problem is that SAP ignores authorization conditions, and lets any user assigned to this role create/modify/view any project in SAP, regardless of the limitation of company code or plant.

Any ideas/solutions?

Thanks to all of you.

Accepted Solutions (0)

Answers (6)

gaizka_gonzalez
Explorer
0 Kudos

I finally resolved the problem by creating a new authorization object and performing an authority check in the enhancement CNEX0002 (Check on authorizations).

Thank you all for your replies.

Former Member
0 Kudos

Hi Gaizka Gonzalez,

I am also looking for the same authorization help. I mean authorization based on Company Code.

But maybe limiting the PS reports by Company Code. I think I should be able to use the same CNEX0002 with Functional module EXIT_SAPDBPSJ_001.

Did you get this done on FM: EXIT_SAPLCNAU_001 (PS Customer Exit: Project Definition Authorization Check)?

Awaiting your reply.

Thanks

gaizka_gonzalez
Explorer
0 Kudos

Hi Psconsultant,

Yes, I did it using FM EXIT_SAPLCNAU_001. In this FM I did an authority check by company code like this:

DATA: objetc(10).

" This is an authorization object created and included in the PS module.
" All it does is check by BUKRS.
objetc = 'ZPSCC100'.

CALL FUNCTION 'AUTHORITY_CHECK'
  EXPORTING
    user                = sy-uname
    object              = objetc
    field1              = 'BUKRS'
    value1              = sap_proj-vbukr
  EXCEPTIONS
    user_dont_exist     = 1
    user_is_authorized  = 2
    user_not_authorized = 3
    user_is_locked      = 4
    OTHERS              = 5.

IF sy-subrc EQ 3.
  MESSAGE 'You are not authorized to view this project' TYPE 'E'.
  WAIT UP TO 2 SECONDS.
  LEAVE PROGRAM.
ENDIF.

" This line is mandatory and has to be in every FM of the CNEX0002 enhancement.
" Otherwise PS transactions won't work.
SAP_X_ACTVT = 'X'.
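The posted exit code rejects the user only when sy-subrc is 3, so the other non-success exceptions (1, 4 and 5) fall through to the end of the exit. The following is an added example, not part of the original post, of the same company-code check written with the ABAP AUTHORITY-CHECK statement so that anything other than success is refused. It assumes the exit provides sap_proj and sap_x_actvt as used in the post, and that the poster's custom object ZPSCC100 has the single field BUKRS.

```abap
* Added example: body of function exit EXIT_SAPLCNAU_001 (enhancement CNEX0002).
* Assumptions: sap_proj and sap_x_actvt come from the exit interface as used
* in the post above; ZPSCC100 is the poster's custom authorization object
* with the single field BUKRS.

* AUTHORITY-CHECK always evaluates the authorizations of the logged-on user.
AUTHORITY-CHECK OBJECT 'ZPSCC100'
  ID 'BUKRS' FIELD sap_proj-vbukr.

* sy-subrc = 0 is the only success value. Every other return code
* (no matching value, object missing from the user's profiles, ...) is
* treated as a denial, so an unexpected result can never grant access.
IF sy-subrc <> 0.
  MESSAGE 'You are not authorized for the company code of this project'
          TYPE 'E'.
ENDIF.

* Per the post above, this flag has to be set in every function module
* of enhancement CNEX0002.
sap_x_actvt = 'X'.
```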

Makal
Active Contributor
0 Kudos

I agree with what Ravi said.

Check the profiles assigned to the log-id you are using to test this.

Take the help of your basis consultant. You can handle it effectively using roles & authorization.

What I feel is, there are multiple profiles assigned in the Role maintenance. Even though you have created role & created profile, there might be another profile which is overriding the one you have created. Just check again.

0 Kudos

Hi once more.. can you explain in detail what authorization object you used in order to achieve the company code authority check in project/wbs element?

Thanx

Pan

PS.. in SU22 transaction (for CJ02 transaction) no standard authorization object is available for company codes... That is why you can use an easy alternative (Person responsible)... at least this is the way we have handled the case when the question arose in the company I work at.

Edited by: Panagiotis Papaspyridakos on Oct 30, 2009 10:07 AM

Former Member
0 Kudos

Hi Gaizka,

As far as authorisation is concerned, SAP does not permit security leaks; at organisation level in particular, the authorisation checks are very strong. Please check in PFCG whether the user is assigned any other roles that provide access to other company codes, which might override the control over the company code that you have assigned to the role you created.

gaizka_gonzalez
Explorer
0 Kudos

Hi Ravi,

We have checked them and there is no overriding. The user is a dummy user to test the role, and the user is assigned only the role we have created. And we check the organization in the role. The main problem, I think, is that the PS authorizations do not consider the company code as a check.

Edited by: Gaizka Gonzalez on Oct 30, 2009 10:04 AM

Former Member
0 Kudos

Hi,

I agree with Pan. Instead of maintaining authorizations with respect to Company code, maintain them with respect to Person Responsible. This will be much better, I guess.

Best Regards,

Gokul

0 Kudos

Hi.. I know for sure that an easy alternative would be to use the person responsible instead (I think C_PRPS_VNR and C_PROJ_VNR).

If possible use a substitution so that each time a new project is created the values of company code are written in Responsible person.

It may work as an alternative...

Pan