Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Restricting MEMASSIN by Plant

Go to solution
Former Member

‎07-06-2011 4:32 PM

0 Kudos

Hello all,

I am having an issue with transaction MEMASSIN. Our BA has a requirement for me to restrict Purchasing Info Records being changed to only specific Plants. They are using MEMASSIN rather than ME11,ME12, and ME13 (which MEMASSIN touches anyway).

I have used SU24 to review M_EINF_EKO, M_EINF_EKG, M_EINF_WRK and I am restricting my Plants via ORG levels in the role, however when the BA tests they can still make changes to inforecords outside the restrictions in Plants they are not supposed to.

The user id does not have any other roles assigned that contain ME11, ME12, MASS, or MEMASSIN. I am unsure as to why they are able to get around the restrictions. However when we only have that single role assigned, it works, so they must be picking up authorizations from another role...

Is it possible that the ORG levels of * in any of the other roles assigned to the user (this user has multiple job functions and 30+ roles assigned) could be causing this?

Any help would be much appreciated.

1 ACCEPTED SOLUTION

Go to solution
Former Member

‎07-06-2011 6:31 PM

0 Kudos 
However when we only have that single role assigned, it works, so they must be picking up authorizations from another role...
Is it possible that the ORG levels of * in any of the other roles assigned to the user (this user has multiple job functions and 30+ roles assigned) could be causing this?

Yep, sounds reasonable to check fields WERKS in the other roles with their ACTVT field values.

Cheers,

Julius

2 REPLIES 2

Go to solution
Former Member

‎07-06-2011 6:31 PM

0 Kudos 
However when we only have that single role assigned, it works, so they must be picking up authorizations from another role...
Is it possible that the ORG levels of * in any of the other roles assigned to the user (this user has multiple job functions and 30+ roles assigned) could be causing this?

Yep, sounds reasonable to check fields WERKS in the other roles with their ACTVT field values.

Cheers,

Julius

Go to solution
martin_voros
Active Contributor

‎07-07-2011 1:15 AM

0 Kudos

Hi,

you can use transaction SU56 to display authorization buffer for any user. You can see there where authorization values are coming from. So you can trace user in ST01 and use SU56 to figure out which roles give him required authorizations.

Cheers