03-04-2010 4:10 PM
Hi All -
We are currently using ME22N to park and post a PO.
User with just the PO Processor role is now able to post with AR Approver role
(without the PO Approver role). The authorization objects related to
post are being shared across different modules. These object are
available in all the approver roles and it gives the ability for the
user to post a PO even without a PO Approver role.
It appears as if the F_FICA_FOG, F_FICA_FSG, F_FICB_FKR, and F_FMMD_MES
are being shared across multiple FI modules. One role has the park
(actvt 11) access (PO Processor) and the other role (AR Approver) has
posting capabilities (actvt 10).
We are leaning towards creating custom authorization objects to achieve this. We are trying to prevent Segregation of Duty conflicts in our system. Are there any standard was to prevent someone from posting a parked document in the purchasing module (a PO) if the person has access to post AR documents (AR Invoices)?
02-10-2011 2:43 PM
We decided to have the DEV team create a custom auth object and custom table to handle this issue. In the table there is a listing of activities, for example:
PO1 - PO Processor Park
PO2 - PO Approver Post
AR1 - AR Processor Park
AR2 - AR Processor Post
In the PO Processor role, in the custom object, the value would be PO1, and in the AR Approver, the custom object would have AR2. This will require a lot of testing. I hope this helps someone in that may have this problem in the future.
Edited by: T on Feb 10, 2011 9:43 AM
02-11-2011 12:36 AM
Creating a purchase order is a basic step - it has some standard objects associated with it which are purchase order specific. I've not encountered a need to go down a custom object route so far - please could you add a little more detail so that it is clearer?