03-02-2011 10:52 PM
Hi,
We are looking to restrict CO24 and CO27 transactions by Plant number. But irrespective of the Plant assigned to the user, they can see the data for any Plant. We need to restrict these trx based on the Plant number.
Below are the authorization objects in SU24:
CO24 (MissingPartsInfoSyst):
C_AFKO_AWA CIM: Authorization for Prod.Order/Order Type/Plant/Activity
C_AFKO_AWK CIM: Plant for order type of order
CO27 (Picking list):
C_NAV_PROF Navigation Profile
M_MSEG_BWA Goods Movements: Movement Type
M_MSEG_WWA Goods Movements: Plant
Authorization objects checked as per ST01 trace:
CO24:
S_TCODE RC=0 tcode=CO24;TCD=CO24;
S_ALV_LAYO RC=0 tcode=CO24;ACTVT=23;
S_GUI RC=0 tcode=CO24;ACTVT=61;
CO27:
S_TCODE RC=0 tcode=CO27;TCD=CO27;
M_MSEG_WWA RC=0 tcode=CO27;ACTVT=01;WERKS= ;
C_AFKO_AWK RC=0 reason=B;tcode=CO27;WERKS=1110;AUFART=ZP01;
C_AFKO_AWA RC=0 reason=B;tcode=CO27;ACTVT=03;AUTYP=10;AUFART=ZP01;WERKS=1110;
S_ALV_LAYO RC=0 tcode=CO27;ACTVT=23;
S_GUI RC=0 tcode=CO27;ACTVT=61;
Can someone please help me with this?
Regards,
Chintan
03-03-2011 7:48 AM
03-03-2011 1:04 PM
CO24 appears to have no plant check so you will either have to:
1. Put in an alternative control (e.g. manager reviewing use of the transaction)
2. Accept it
3. Find an appropriate exit or enhancement point to add in additional auth check & resulting logic.
CO27 looks like it has some ability to restrict on the C_AFKO* auth objects. What happens when you try and run a selection with a plant that you are not authorised for? What is the trace result? Is the auth object deactivated in SU24?
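Added example, not part of the original thread: a small Python script that reads the trace lines in the summary form pasted in the question and reports, per transaction, which authorization objects were checked with a plant (WERKS) value, which were traced with a blank one, and which transactions show no plant check at all. The function names are hypothetical and the parser assumes the `OBJECT RC=n key=value;...` layout shown above, not a raw ST01 export.

```python
import re
from collections import defaultdict
# Constructed input: the trace lines from the question, in the form pasted there.
TRACE = """\
S_TCODE RC=0 tcode=CO24;TCD=CO24;
S_ALV_LAYO RC=0 tcode=CO24;ACTVT=23;
S_GUI RC=0 tcode=CO24;ACTVT=61;
S_TCODE RC=0 tcode=CO27;TCD=CO27;
M_MSEG_WWA RC=0 tcode=CO27;ACTVT=01;WERKS= ;
C_AFKO_AWK RC=0 reason=B;tcode=CO27;WERKS=1110;AUFART=ZP01;
C_AFKO_AWA RC=0 reason=B;tcode=CO27;ACTVT=03;AUTYP=10;AUFART=ZP01;WERKS=1110;
S_ALV_LAYO RC=0 tcode=CO27;ACTVT=23;
S_GUI RC=0 tcode=CO27;ACTVT=61;
"""

LINE_RE = re.compile(r"^(?P<obj>\S+)\s+RC=(?P<rc>\d+)\s+(?P<fields>.*)$")

def parse_line(line):
    """Return (object, rc, {field: value}), or None if the line is not a trace entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for part in m.group("fields").split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return m.group("obj"), int(m.group("rc")), fields

def plant_coverage(trace):
    """Group checks by tcode: objects traced with a WERKS value vs. a blank WERKS."""
    report = defaultdict(lambda: {"with_plant": {}, "blank_plant": []})
    for line in trace.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        obj, _rc, fields = parsed
        entry = report[fields.get("tcode", "?")]  # registers the tcode even without WERKS
        if "WERKS" in fields:
            if fields["WERKS"]:
                entry["with_plant"][obj] = fields["WERKS"]
            else:
                entry["blank_plant"].append(obj)
    return dict(report)

if __name__ == "__main__":
    for tcode, entry in plant_coverage(TRACE).items():
        status = "plant checked" if entry["with_plant"] else "NO plant check traced"
        print(tcode, status, entry)
```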
03-03-2011 10:00 PM
For option 3, the transaction CO24 has BADI WORKORDER_INFOSYSTEM with method ORDER_TABLES_MODIFY, which might be used for modifying results. The same BADI is used in CO27. If for some reason this BADI can't be used, then there is still the option of using implicit enhancement points.
Cheers
03-04-2011 12:16 AM