Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Vendor Master Extend authorization without authorizing XK01 access

laura_paez4
Explorer

‎08-31-2011 9:04 PM

0 Kudos

I have a request to allow extend of Company code and Purchasing organization for Finance and Purchasing people accordingly. But of course the do not have access to XK01. So I wonder if there are specific authorizations that allow this. We do not want them to have access to Create abrand new vendor, but extends is fine. Any hints are greatly appreciated.

Thank you,

Laura

4 REPLIES 4

Former Member

‎08-31-2011 9:37 PM

0 Kudos

Have you looked at the available activities of the objects and considered a different transaction as entry ponit into the process of maintaining this data?

What have you tried so far?

Cheers,

Julius

laura_paez4
Explorer

‎08-31-2011 10:03 PM

0 Kudos

Hi, these are my trials:

1. Create BDC session with service account, that has SAP_ALL, as authorization. So at time of running in background would use that, but the systems catches User trying to schedule under a different ID.

2. Program RFBIKR10 tr. FK15, but it ends up checking XK01 authorizations.

4. Authorization objects F_LFA1_BEK and F_LFA1_BUK have acttivities create/Change/Display/lock/Delete/Display change documents/Confirm change. I don't think any of them are for extend, the confirm change I think is a workflow where somebody has to "confirm" the change in FK08. I asked my security person to check F_LFA1_GEN, I'm still waiting for her feedback, so I started my own research.

Thanks,

Laura

Former Member
In response to laura_paez4

‎08-31-2011 10:16 PM

0 Kudos

1) BDC is a pest, but you could define a batch user with only this access fpr the process sent into the background task. HOwever basis people dont like this because you will have an explosion of system type users which are historically theirs to admin.

2) You can use SE97 to disable tcode checks but they will not work reliably for application objects. This might bight you later on.

3) No comment, as it would be my solution... hahaha

4) Yes workflow is an option to defer the task into (and the authorizations) but pleaase take note that the (logical destination of the) workflow engine does not need SAP_ALL and API functions should not check any S_TCODEs.

I am tempted to move this to the workflow forum where the options of inbound workflow processing might be mentioned, then we can reconsider security considerations of your requirement.

Cheers,

Julius

laura_paez4
Explorer

‎08-31-2011 11:56 PM

0 Kudos

Oops! Where is my number 3!? You could read my mind ha!? I know workflow, but this is not what we want to do, we would like to have the user being able to extend without having to wait on the Vendor Master Expert. And exactly this is what I am trying to find in this thread if there is a different transaction or an authorization I can provide them in order to do that. I saw a couple of questions with the same issue but did not have answers.

Regards,

Laura