This question has been asked so often already that we have decided it's worth creating a note for it

<ahem>

https://service.sap.com/sap/support/notes/1050832

The Enjoy SAP transactions, which include ME21N, ME22N and ME23N were originally built to all call the same program. Because of this, if a user has the necessary authorizations, you can create, change and display from any of the transactions. Therefore, with ME23N, if the user has the necessary authorizations, they can create and change purchase orders via this transaction. Please see attached OSS notes 751129, 491789 and 212447 for details and explanation.

For this reason, ME23N is included in the default ruleset with the appropriate update authorization objects enabled.

Subsequent to the creation of these enjoy transactions, SAP has now issued certain versions and support packs for which ME23N cannot be used to create or change PO's without a user having ME21N or ME22N. See attached notes 661689, 797521.

However, the SAP supplied ruleset is not version or support pack specific so this is why it is delivered with ME23N. It is up to each company to evaluate whether their system does allow creation just using ME23N. To test this, a test role should be created with ME23N with all activities for all authorization objects and the role should be tested to determine if ME23N alone will allow create and change of PO's.

If the testing shows that ME23N alone cannot allow a user to do this, then the rules on the company's application should be changed to remove the transaction. See SAP Notes 986998 and 986996 on how to make the rule changes.