on 10-29-2009 12:43 PM
Hello,
We need to limit users accessing projects through company code. We have created a role for "Menu --> Logistics --> Project System" and limited organizational levels for authorizations. The problem is that SAP ignores authorization conditions, and lets any user assigned to this role create/modify/view any project in SAP, regardless of the limitation of company code or plant.
Any ideas/solutions?
Thanks to all of you.
I finally resolved the problem by creating a new authorization object and performing an authority check in the enhancement CNEX0002 (Check on authorizations).
Thank you all for your replies.
Hi Gaizka Gonzalez,
I am also looking for the same authorization help. I mean authorization based on Company Code.
But maybe limiting the PS reports by Company Code. I think I should be able to use the same CNEX0002 with function module EXIT_SAPDBPSJ_001.
Did you get this done on FM: EXIT_SAPLCNAU_001 (PS Customer Exit: Project Definition Authorization Check)?
Awaiting your reply.
Thanks
Hi Psconsultant,
Yes, I did it using FM EXIT_SAPLCNAU_001. In this FM I did an authority check by company code like this:

```abap
DATA: objetc(10).

" ZPSCC100 is an authorization object created and included in the PS module.
" All it does is check by BUKRS.
objetc = 'ZPSCC100'.

CALL FUNCTION 'AUTHORITY_CHECK'
  EXPORTING
    user                = sy-uname
    object              = objetc
    field1              = 'BUKRS'
    value1              = sap_proj-vbukr
  EXCEPTIONS
    user_dont_exist     = 1
    user_is_authorized  = 2
    user_not_authorized = 3
    user_is_locked      = 4
    OTHERS              = 5.

" Reject only when the check reports user_not_authorized (3).
IF sy-subrc EQ 3.
  MESSAGE 'You are not authorized to view this project' TYPE 'E'.
  WAIT UP TO 2 SECONDS.
  LEAVE PROGRAM.
ENDIF.

" This line is mandatory and has to be in every FM of the CNEX0002 enhancement.
" Otherwise PS transactions won't work.
SAP_X_ACTVT = 'X'.
```
I agree with what Ravi said.
Check the profiles assigned to the log-id you are using to test this.
Take the help of your Basis consultant. You can handle it effectively using roles & authorization.
What I feel is, there are multiple profiles assigned in the role maintenance. Even though you have created a role & created a profile, there might be another profile which is overriding the one you have created. Just check again.
Hi once more.. Can you explain in detail what authorization object you used in order to achieve the company code authority check in project/WBS element?
Thanks
Pan
PS.. in su22 transaction (for cj02 transaction) no standard authorization object is available for company codes.... That is why you can use an easy alternative (Person responsible)... at least this is the way we have handled the case when the question arose in the company I work at.
Edited by: Panagiotis Papaspyridakos on Oct 30, 2009 10:07 AM
Hi Gaizka,
As far as authorisation is concerned, SAP does not permit security leaks; at organisation level in particular, the authorisation checks are very strong. Please check in PFCG whether any other roles are assigned to the user that provide access to other company codes, which might override the control over the company code that you have assigned to the role you created.
Hi Ravi,
We have checked them and there is no overriding. The user is a dummy user to test the role, and the user has been assigned only the role we have created. And we check the organization in the role. The main problem, I think, is that the PS authorizations do not consider the company code as a check.
Edited by: Gaizka Gonzalez on Oct 30, 2009 10:04 AM
Hi,
I agree with Pan. Instead of maintaining authorizations with respect to Company Code, maintain them with respect to Person Responsible. This will be much better, I guess.
Best Regards,
Gokul
Hi.. I know for sure that an easy alternative would be to use the person responsible instead (I think C_PRPS_VNR and C_PROJ_VNR).
If possible, use a substitution so that each time a new project is created the values of company code are written in Responsible person.
It may work as an alternative...
Pan