08-10-2010 3:49 AM
Hello all,
I am using SAP R/3 version 4.7 and FI module.
I would like to know are there any exit can be called automatically when performing authorization checking.
I need to create some roles to control to authority for different users from different departments. To reduce the effort, I am thinking to create one common role, and then call the user-exits. Inside the user-exit, I can check by retrieving the authorization information from tables.
Are there any exit can be called when performing authorization checking?
Many thanks
Sunny
08-10-2010 4:41 AM
Hi,
If you want to perform custom authorization checks for each FI posting then I would suggest to use FI validations. They are called for each FI posting and you can hook up your own routine for validation.
But your approach with bespoke table is wrong and I highly recommend you to avoid z-tables with additional authorizations. Basically, you create another authorization source which you have to maintain. If you keep everything in roles then user management is easy. Another disadvantage is that you can't use CUA or IdM (Note: I guess that you can implement own custom step to manage custom records in z-table but it will significantly increase an implementation cost).
Cheers
08-10-2010 7:52 AM
Hi
Use master derive concept for authorization control and maintain data in orzanization levels
Steps go to PFCG create Master role give necessary t codes then save it.
then run transaction PFCG -->create derive roles and assigned master roles -->go to orzagination levels and maintain data like plant level,Shiping area,Shiping point etc as per requirment
Thanks
Manish Gupta
08-10-2010 8:57 AM
>
> Hi
>
> Use master derive concept for authorization control and maintain data in orzanization levels
>
> Steps go to PFCG create Master role give necessary t codes then save it.
>
> then run transaction PFCG -->create derive roles and assigned master roles -->go to orzagination levels and maintain data like plant level,Shiping area,Shiping point etc as per requirment
>
>
> Thanks
> Manish Gupta
I am interested to know, How is this related to the OP's question?
08-10-2010 10:12 AM
I think they are advising not to mess about with FI exits and use derived role concept to simplify role admin.
I've worked with a similar requirement for CO module and while it worked reasonably well when set up, cost many £'s and was not very cost effective if you compare it against other techniques that could have extended provisioning of roles based on other data sources.