10-10-2011 1:17 PM
Hi Experts,
I want to give access to the BD87 Tcode with display access only. But even when I give only 03, the role allows processing IDocs, which is strange. Any suggestions, please? The issue is the same with the SM51 Tcode too...
Regards,
Shawn.
10-10-2011 1:31 PM
Hello Shawn,
I understand that the possibility of processing depends on the additional t-codes you have added to the t-code field in object S_IDOCMONI (for instance WE02 etc.).
b.rgds, Bernhard
10-11-2011 9:59 AM
Not exactly, Bernhard.
Even without any object at all, just with S_TCODE = BD87, it allows processing the IDocs!
You could try it yourself. The sad part is that I can't create a SHD0 either to remove this button from the screen.
Regards,
Shawn.
10-11-2011 10:37 AM
Hi Shawn,
I tried it. Inbound processing with a user which has only S_TCODE = BD87 could not process IDocs. Message:
You are not authorized to display/edit IDoc 00000000000xxxxxxx
Message no. B1285
In fact, there is currently no 'process' authority check implemented in BD87. But a development request for this functionality already exists for future releases.
If users should be able to display IDocs only, BD87 shall not be granted, but only WE02.
In BD87 the current implementation of the authority check is made in a way that you are allowed to process IDocs only if you have the authorization to display the IDoc. The concept behind this is that if you are able to see the application data, you should be able to process the IDoc. For the inbound process you have the possibility to remove the authorization to process the application data from the user profile. This way the IDoc will go into error status and can be processed later on by a user with sufficient authorizations.
But as soon as the user has display auths for the IDoc and S_TCODE BD87, he will be able to process the IDoc.
b.rgds, Bernhard
See also SAP note 1269516.
Edited by: Bernhard Hochreiter on Oct 11, 2011 12:00 PM
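The rule described in the reply above (S_TCODE for BD87 plus IDoc display authorization is enough to process IDocs), turned into a role audit as an added example that is not part of the original thread. It assumes a role listing laid out like rows of table AGR_1251 and treats ACTVT 03 on S_IDOCMONI as "display"; the role names and sample rows are constructed.

```python
import csv
import io

# Constructed sample laid out like AGR_1251 rows:
# role, object, authorization, field, low, high
SAMPLE = """\
Z_IDOC_DISPLAY,S_TCODE,T1,TCD,BD87,
Z_IDOC_DISPLAY,S_IDOCMONI,T2,ACTVT,03,
Z_IDOC_DISPLAY,S_IDOCMONI,T2,EDI_TCD,WE02,
Z_IDOC_VIEWER,S_TCODE,T1,TCD,WE02,
Z_IDOC_VIEWER,S_IDOCMONI,T2,ACTVT,03,
Z_BASIS_RANGE,S_TCODE,T1,TCD,BD00,BD99
Z_BASIS_RANGE,S_IDOCMONI,T2,ACTVT,*,
Z_TCODE_ONLY,S_TCODE,T1,TCD,BD87,
"""


def covers(low, high, value):
    """True if an authorization value (single, range or trailing-* pattern) includes value."""
    if high:
        return low <= value <= high
    if low.endswith("*"):
        return value.startswith(low[:-1])
    return low == value


def load(text):
    """Parse the listing, skipping rows that do not have all six columns."""
    return [row for row in csv.reader(io.StringIO(text)) if len(row) == 6]


def roles_that_can_process(rows):
    """Roles holding S_TCODE for BD87 together with IDoc display.

    Assumption: display is S_IDOCMONI with ACTVT 03 (or a value covering it).
    """
    bd87, display = set(), set()
    for role, obj, _auth, field, low, high in rows:
        if obj == "S_TCODE" and field == "TCD" and covers(low, high, "BD87"):
            bd87.add(role)
        elif obj == "S_IDOCMONI" and field == "ACTVT" and covers(low, high, "03"):
            display.add(role)
    return sorted(bd87 & display)


if __name__ == "__main__":
    for role in roles_that_can_process(load(SAMPLE)):
        print(f"{role}: BD87 + IDoc display, so it can process IDocs; use WE02 for display-only")
```

Roles that reach BD87 through a range or wildcard are flagged as well, while a role with BD87 but no IDoc display authorization is not, matching the B1285 result reported in the reply.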
02-11-2012 3:31 PM
What is critical about being able to process an IDOC with an error status if you can display it anyway? Normally you want the IDOCs to be processed (after you fix the master data problems, typically).
I am only aware that the ability to change IDOCs is considered undesirable if the user has access to display them in the monitor. You can even reset passwords with that authorization.
Cheers,
Julius