Solved: Geographical segregation

Former Member · ‎03-02-2010

Dear Gurus,

we have an ECC 6.0 with one client multicompanies. Approximately one company for country. For many transactions we can segregate thanks to authorization object for company code, plant, controlling area and so on. For many other transactions (such as also S_ALR_*) we haven't any authorization object for the geographical segragation. How can we proceed?

Thanks a lot

Bob

Former Member · ‎03-02-2010

Hi Bob,

In addition to Shekar's comments, where are you getting the info on the geographical restrictions? SU24 is not a good source for these.

If you do a search on the term S_ALR you will see some posts that explain the auth concept for many of these reports as they are implemented slightly differently at the code level.

Former Member · ‎03-02-2010

Hi Bob,

It is too vast a topic to discsuss. I would think it would make better sense if we target specific S_ALR_* transactions for a start.

\Many of these transactions are dependant on other transactions in the user master (or) table authorization groups. If you are looking at specific transactions that have neither, then i think it is worthwhile to spend time to check the problem. I think it is irrational to ask a generic answer for all the 12000+ S_ALR_* transactions

Former Member · ‎03-02-2010

Hi Bob,

In addition to Shekar's comments, where are you getting the info on the geographical restrictions? SU24 is not a good source for these.

If you do a search on the term S_ALR you will see some posts that explain the auth concept for many of these reports as they are implemented slightly differently at the code level.

Former Member · ‎03-03-2010

Well,

nothing is irrational but all is perfectible. After that I can make an example. We consider the tcode/report S_ALR_87010129. From SU24 there aren't authorization object about the company code, instead, if you launch the tcode, the first field of tcode/report is the company code. So for this kind of tcode/report how can we proceed for segregation at company code level?

Thanks

Bob

Former Member · ‎03-03-2010

Hi Bob,

It looks like this report is linked to a query. I don't have the data to execute it but if there is no comp code check performed, you will need to change the coding of the query infoset to force a check on company code.

Unfortunately in some reporting areas SAP (queries and report painter/writer reports), there are no auth checks by default and you have to add them in.

Former Member · ‎03-03-2010

Hi Alex,

so only with a change at code level it is possible to force a check on company code. But as the field BUKRS (company code) is in many authorization object if I assign one of these authorization objects with the field BUKRS to the report S_ALR_87010129 from SU24 in your opinion does this solution works fine?

Thanks and Warm Regards,

Bob

Former Member · ‎03-03-2010

Hi Bob

Adding in the auth object to SU24 won't force a check unless there is a corresponding change in the code. For queries, you can add this validation into the infoset code for the query. Your ABAP team can reference an existing auth object which you can then update in SU24 to make sure it is pulled through into the role when you add the transaction.

When you update the infoset code, all queries that run off that infoset will also have the new check forced.

I hope that makes sense

Former Member · ‎03-03-2010

Bingo........this answer nails all "queries"