Application Development Discussions

Regarding Parking and Posting access

Former Member
0 Kudos

Hi All,

The requirement for my client scenario is as follows:

There are about 6 company codes (let's name them AAA) which need to be isolated based on the following rule:

Users belonging to AAA should be able to PARK as well as POST to all entities whereas Users belonging to other than AAA should not be able to POST to AAA. They should be able to POST to non AAA only and PARK everywhere.

Also, a user who PARKs should not be able to POST.

Options which I have tried are:

- Created a separate role with activity 01 for the object F_SKA1_BUK and gave the AAA entities only and at the same time removed 01 activity for the same object in a separate role. The combination of these two roles gave the result as:
  - Was able to PARK and POST to AAA entities using FB01 (True)
  - Was unable to post to other entities (Failed - user should have been able to)
  - The person who parked was not allowed to Post (True)

The other combination with 01 activity to non-AAA entities and minus 01 activity to AAA entities:

- Failed to PARK to non AAA entities (Failed - user should have been able to) failed at 01 activity
- Was able to PARK to only non AAA. (True)
- Was unable to POST to AAA entities (True)
- The person who parked was not allowed to Post (True)

I came to know that this can be achieved by creating separate roles for posting and parking Tcodes and using SOD.

I have an already existing GL role - I removed all the posting tcodes in the original GL role so that it can allow only parking to all entities. Then I created a separate role and put all the Posting Tcodes in it and maintained the objects in the same way as they were maintained in the original GL role, but here I have given only the AAA entities. Can someone help me with this approach?

Regards

Shakeel

1 ACCEPTED SOLUTION

Former Member
0 Kudos

What you need is a 2nd user ID for each person, which is obviously a bit silly... unless they all have the same 2nd user ID to share and the user's name is WF-BATCH.

Take a look into workflows as an alternate option to large numbers of roles. There are however some other security considerations when setting up workflow. The "engine" does not need SAP_ALL...

Cheers,

Julius

6 REPLIES

0 Kudos

Thanks Julius,

Are there any other options?

Shakeel

0 Kudos

> Are there any other options?

Yes.

Reading the SU21 documentation on F_SKA1_BUK and then revert back with the same for F_BKPF_BUK...

If you ST01 trace FB01 you will see what is checked.

Cheers,

Julius

0 Kudos

The objects designed to protect posting of accounting documents directly in FI are F_BKPF; F_SKA1 protects the Chart of Accounts maintenance by company code.

You should generate two master roles, one with the activity 77 in all F_BKPF* objects and the other with activities 77 and 01.

The first one only lets you park documents. The second one lets you park and post too.

Be careful with the tcodes you are going to use. The FB01 does not work if you don't have 01 in your authorizations for the F_BKPF_BUK object.

The Tcodes par excellence for parking documents are:

Invoices (Vendors and Customers):

- FV60
- FV65
- FV70
- FV75

GL Documents:

- F-65
- FV50

Regards!!
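
An added sketch, not part of the reply above and not SAP code: a Python model of the park/post role split, treating F_BKPF_BUK authorizations as (company code, activity) pairs that add up across a user's roles. Role names and company codes are constructed for illustration; the last function lists where one user holds both 77 and 01, which the roles alone cannot separate per document.

```python
from itertools import product

PARK, POST = "77", "01"          # F_BKPF_BUK activities as named in the reply above
AAA = {"A001", "A002"}           # constructed company codes for the isolated group
NON_AAA = {"N001", "N002"}       # constructed company codes for everyone else
ALL = AAA | NON_AAA

# Hypothetical roles: each is a set of (BUKRS, ACTVT) pairs granted on F_BKPF_BUK.
ROLES = {
    "Z_PARK_ALL": set(product(ALL, [PARK])),
    "Z_POST_AAA": set(product(AAA, [PARK, POST])),
    "Z_POST_NON_AAA": set(product(NON_AAA, [PARK, POST])),
    "Z_NO_POST": set(),          # a role with activity 01 "removed" grants nothing
}

def effective(assigned):
    """Authorizations of all assigned roles add up; no role subtracts from another."""
    return set().union(*(ROLES[r] for r in assigned))

def gaps(assigned, must_post, must_not_post):
    """List deviations from: park everywhere, post exactly in must_post."""
    auth = effective(assigned)
    out = [f"cannot park in {b}" for b in sorted(ALL) if (b, PARK) not in auth]
    out += [f"cannot post in {b}" for b in sorted(must_post) if (b, POST) not in auth]
    out += [f"can post in {b}" for b in sorted(must_not_post) if (b, POST) in auth]
    return out

def park_and_post(assigned):
    """Company codes where one user holds both 77 and 01 (review for segregation of duties)."""
    auth = effective(assigned)
    return sorted(b for b in ALL if (b, PARK) in auth and (b, POST) in auth)

AAA_USER = ["Z_PARK_ALL", "Z_POST_AAA", "Z_POST_NON_AAA"]
OTHER_USER = ["Z_PARK_ALL", "Z_POST_NON_AAA"]
# Same shape as the first combination in the question: AAA-only role plus a "minus 01" role.
FIRST_ATTEMPT = ["Z_POST_AAA", "Z_NO_POST"]

if __name__ == "__main__":
    for name, roles, post_ok in [("AAA user", AAA_USER, ALL),
                                 ("other user", OTHER_USER, NON_AAA),
                                 ("first attempt", FIRST_ATTEMPT, ALL)]:
        print(name, gaps(roles, post_ok, ALL - post_ok), park_and_post(roles))
```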

0 Kudos

Thanks a lot for your inputs.

My client uses FB01 though.

Regards

Shakeel

0 Kudos

One option is to reconsider the choice of transaction.

Another would be to remove the actvt 01 at the start of FB01 and "reduce" it to actvt 77. You can do this in SE93. It would be a modification, but a rather mild one.

Cheers,

Julius