
Need help on accessing transaction?

Former Member
0 Kudos

Hi,

I am doing an SOD audit and have come across one role where the user is given authorization to ME21N (create purchase order), for example, in auth object S_TCODE.

But he has been given display (and not create) authorization in Document Type in Purchase Order.

So I would like to know whether the user can still access transaction ME21N and create a purchase order?

Thx.

Accepted Solutions (0)

Answers (1)

Former Member
0 Kudos

HI:

The user should NOT be able to fully execute ME21N without additional "create" authorizations for the object "Document Type in Purchase Order" (M_BEST_BSA) as this is usually the first object checked in standard execution of this transaction code. He might be able to get into the first screen of ME21N without an authorization error...but he will not be able to save anything.

If the intent was to allow the user to display POs only...then they should use ME23 or ME23N.

If the user has display (03) access for doc type NB, and create (01) authorization for doc type XX, then the user would be able to use ME21N to create a PO of doc type XX, but not NB. Check the role to validate that there aren't multiple authorizations...and you might also want to run a report to see if the user has an authorization for the object M_BEST_BSA through another role...since it doesn't matter where this authorization came from (i.e. whether it is in the same role as ME21N or not), but rather he "steals" it from another role assigned to him as well.

You can fully prove this by running an authorization trace and you will see that this object is required to have activity 01 of certain doc type in order to "save" the newly created PO.

Margaret

Former Member
0 Kudos

Hi Margaret,

It was really a helpful answer.

Just tell me: if I have the create (01) access in M_BEST_BSA but the transaction code ME21N is not added to S_TCODE, can the user access the transaction ME21N and save the order?

Thanks.

Former Member
0 Kudos

Like you said, the user might have authorization for this transaction in another role. I have another question. If the user is blocked in one role and given access in another role, which role supersedes? The one which blocks the user or the one which allows the user to access the transaction?

Thx

Former Member
0 Kudos

Hi There,

Speaking simply, the authorisations will combine together and provide access to the functionality if assigned by different roles.

Authorisation Objects form the key to the concept. These are made up from fields and values. The combination of fields and values is held together as an "authorisation" for the specific Authorisation Object.

e.g. your Create authorisation for Purchase Orders.

Transactions are checked by the object S_TCODE when they are executed and so can be technically separated from the underlying authorisations.

You could therefore have transaction ME21N assigned in one role but the authorisations to M_BEST... assigned through a different role.

If both roles are assigned, the authorisations would still be available to the user despite being available from separate roles.

There is a great deal more information and potential complexity around this concept but hopefully, this will aid in answering your question.

Simon

Former Member
0 Kudos

HI:

If the user has the S_TCODE authorization for ME21N in one role, and the authorization for the M_BEST_XXX objects in another role, then all authorizations will be dumped together in the user's buffer, and it doesn't matter which role it came from.

If the user has the authorization for M_BEST_XXX but does NOT have an authorization for ME21N (S_TCODE) in any other role...then the user should not have authorization to create the PO.

Margaret

Former Member
0 Kudos

Thx Margaret.
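
For SOD audit purposes, the behaviour described in this thread can be modelled as below. This is an added example, not part of any post and not SAP code: the role names and their contents are constructed sample data, and the model covers only the two objects discussed here (S_TCODE and M_BEST_BSA), while ME21N checks further objects in a real system.

```python
# Added illustration: how authorizations from several roles combine for a user.
# Role names and contents are constructed sample data, not from a real system.

# One authorization = (object, {field: allowed values}). The field values of an
# authorization belong together and are never mixed with another authorization.
ROLES = {
    "Z_PO_TCODE":     [("S_TCODE",    {"TCD": {"ME21N"}})],
    "Z_PO_DISPLAY":   [("M_BEST_BSA", {"ACTVT": {"03"}, "BSART": {"NB"}})],
    "Z_PO_CREATE_XX": [("M_BEST_BSA", {"ACTVT": {"01"}, "BSART": {"XX"}})],
}

def user_buffer(role_names):
    """All authorizations of all assigned roles, tagged with the source role."""
    return [(r, obj, fields) for r in role_names for obj, fields in ROLES[r]]

def _matches(allowed, wanted):
    # "*" in an authorization field stands for every value.
    return "*" in allowed or wanted in allowed

def check(buffer, obj, **wanted):
    """Roles that hold ONE authorization satisfying every requested field."""
    return sorted({r for r, o, fields in buffer
                   if o == obj and all(_matches(fields.get(f, set()), v)
                                       for f, v in wanted.items())})

def can_create_po(role_names, doc_type):
    """Effective ME21N create access: S_TCODE plus M_BEST_BSA activity 01."""
    buf = user_buffer(role_names)
    tcode = check(buf, "S_TCODE", TCD="ME21N")
    create = check(buf, "M_BEST_BSA", ACTVT="01", BSART=doc_type)
    return {"allowed": bool(tcode and create),
            "tcode_from": tcode, "create_from": create}

def creatable_doc_types(role_names, doc_types=("NB", "XX")):
    """Document types for which the role combination yields create access."""
    return [d for d in doc_types if can_create_po(role_names, d)["allowed"]]

if __name__ == "__main__":
    cases = [["Z_PO_TCODE", "Z_PO_DISPLAY"],                     # tcode + display only
             ["Z_PO_TCODE", "Z_PO_DISPLAY", "Z_PO_CREATE_XX"],   # create from another role
             ["Z_PO_DISPLAY", "Z_PO_CREATE_XX"]]                 # no S_TCODE anywhere
    for roles in cases:
        print(roles, "->", creatable_doc_types(roles))
```

The `tcode_from` and `create_from` lists show which role contributes each half of the access, which is the evidence an SOD finding needs when the transaction and the create authorization sit in different roles.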