Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

BD87 - Display Only

Former Member

‎10-10-2011 1:17 PM

0 Kudos

Hi Experts,

I want to give access to BD87 Tcode with only Display Access - But even when i give only 03 , The role allows to Process Idocs which is strange. Any Suggestion pls. Same is the issue with SM51 Tcode too ...

regards,

Shawn.

4 REPLIES 4

Bernhard_SAP
Advisor
Advisor

‎10-10-2011 1:31 PM

0 Kudos

Hello Shawn,

i understand that the possibility of processing depends on the additional t-codes you have added to the t-code field in object S_IDOCMONI (for instance WE02 etc)

b.rgds, Bernhard

Former Member
In response to Bernhard_SAP

‎10-11-2011 9:59 AM

0 Kudos

Not Exactly Bernhard

Even without any object at all - just with S_Tcode = BD87 it allows to process the idocs !

You could try it yourself. The sad part is that can't create a SHD0 too to remove this button from screen.

regards,

Shawn.

Bernhard_SAP
Advisor
Advisor
In response to Bernhard_SAP

‎10-11-2011 10:37 AM

0 Kudos

HI Shawn,

I tried it. Inbound processing with a user which has only s_tcode=BD87 could not process idocs. Message:

You are not authorized to display/edit IDoc 00000000000xxxxxxx

Message no. B1285

In fact there is currently no 'process' authority-check implemented in BD87. But a development request for this functionality exists already for future releases.

if users should be able to display idocs only, BD87 shall not be granted, but only WE02.

In BD87 the current implementation of the authority check is made in a way that you are allowed to process IDocs only if you have the authorization to display the IDoc. The concept behind is that if you are able to see the application data you should be able to process the IDoc. For the inbound process you have the possibility to remove the authorization to process the application data from the user profile. This way the IDoc will go into error status and can be processed later on by a user with sufficient authorizations.

But as soon the user has display auths for the idoc and s-tcode bd87, he will be able to process the idoc.

b.rgds, Bernhard

-->see also SAP note 1269516

Edited by: Bernhard Hochreiter on Oct 11, 2011 12:00 PM

Former Member

‎02-11-2012 3:31 PM

0 Kudos

What is critical about being able to process an IDOC with an error status if you anyway can display it? Normally you want the IDOCs to be processed (after you fix the master data problems, typically).

I am only aware that the ability to change IDOCs is considered undesirable if the user has access to display them in the monitor. You can even reset passwords with that authorization.

Cheers,

Julius