
SAP Access Cross Pollination

Former Member
0 Kudos

We are implementing SAP ECC in our organization, and I had a question about SAP access cross pollination. We may have instances in our organization where people may need different access in SAP, based on the organization they are working with.

For example: an individual needing to park (but not post) documents for company code 0001 and post (but not park) documents for company code 0002.

From what I remember, one has to be careful because crossing authorization objects/values for certain t-codes will lead to opening up unintended access and SOD conflicts for a user.

Is there a way to design security roles on SAP ECC so that we can assign a user the ability to run F-02 for Company 0001 and FBV0 for company 0002 without having them inherit access to be able to park and post documents for companies 0001 and 0002?

Thanks in advance!!

2 REPLIES 2

Former Member
0 Kudos

The use of parking documents has been abused a bit in the name of SoD in my opinion.

As far as I know, it was intended for when a soccer match is about to start or the accountant wants to go to the toilet and the SAPGui timeout is set too low or the network itself is unstable.

If you want to achieve this, then you might want to look into WAPIs (workflow application program interfaces). They are BAPIs (business application program interfaces) on steroids.

I would speculate that user training and some business process monitoring would be an easier route and has other advantages as well.

On a serious note without development effort: You can look to see whether config and the "B-segments" of the authority-check give you a usable option to "isolate" an object to a specific transaction code context, or if you are brave then turn one of them off (No-Check in SU24) so that you can hobble the activity '77' check for that use-case. But it should be treated with care.

Have fun paralyzing your business efficiency with SOX requirements for end-users....

Cheers,

Julius

mvoros
Active Contributor
0 Kudos

Hi,

Have a look at FI validation as well. You can easily implement additional authorization checks here.

Cheers
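
The cross-pollination concern raised in the question can be checked mechanically before roles go live. The following is an added example, not code from any poster in this thread: a simplified Python model of authorization evaluation, in which a check passes only when a single authorization instance covers every checked field value, used to list company code/activity combinations a user would gain beyond the intended design. Assumptions: the role names are hypothetical, the sample authorizations are constructed, activity 01 stands for posting, and wildcards and ranges are ignored.

```python
from itertools import product

# Constructed sample data. F_BKPF_BUK (fields BUKRS, ACTVT) is the FI
# company-code object; 77 is the parking activity named in the thread,
# 01 (post) is an assumption. Role names are hypothetical.
OBJ = "F_BKPF_BUK"

def auth(bukrs, actvt):
    """One authorization instance: a set of allowed values per field."""
    return {"BUKRS": set(bukrs), "ACTVT": set(actvt)}

# Design A: one role per company code, each with its own authorization.
SPLIT_ROLES = {
    "Z_PARK_0001": [auth({"0001"}, {"77"})],
    "Z_POST_0002": [auth({"0002"}, {"01"})],
}
# Design B: both sets of values entered into a single authorization.
MERGED_ROLE = {"Z_FI_COMBINED": [auth({"0001", "0002"}, {"01", "77"})]}

def user_buffer(roles):
    """A user's effective authorizations: the union over all assigned roles."""
    return [a for auths in roles.values() for a in auths]

def check(buffer, bukrs, actvt):
    """Pass only if ONE authorization covers every checked field value."""
    return any(bukrs in a["BUKRS"] and actvt in a["ACTVT"] for a in buffer)

def effective_pairs(buffer):
    """Every (company code, activity) combination the user can pass."""
    return {p for a in buffer for p in product(a["BUKRS"], a["ACTVT"])}

def unintended(buffer, intended):
    """Combinations granted beyond the intended design (SoD leak candidates)."""
    return sorted(effective_pairs(buffer) - set(intended))

# Intended design from the question: park in 0001, post in 0002.
INTENDED = {("0001", "77"), ("0002", "01")}

if __name__ == "__main__":
    for name, roles in (("split", SPLIT_ROLES), ("merged", MERGED_ROLE)):
        print(name, "leaks:", unintended(user_buffer(roles), INTENDED))
```

In this model the split design grants exactly the two intended combinations, while the merged authorization also grants posting in 0001 and parking in 0002, because values inside one authorization combine as a cross product.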