02-01-2012 11:26 AM
Hello, we design nonstandard roles conception in our company. The essence of this conception - we create organisation roles which contain organization levels defined only and functional roles which contain the specific user transactions. Then we assign two roles to user.
There is a special moment. The ACTIVITY field of Org. authorisation object is assigned in functional role only. In Org. role this field is left unsigned.
For example. We want to create Sales Order.
1) For this, we create Org. role which contains Authorization object: V_VBAK_VKO. We fill all necessary auth. fields of V_VBAK_VKO. The activity field we leave empty.
2) Then we create functional role which contains transaction VA01. We fill the activity field of V_VBAK_VKO only (01-create order value). Other fields of V_VBAK_VKO we leave as unsigned (certainly don't forget to add V_VBAK_AAT).
But this approach DOES NOT work. When we try to create sales order the system reports the user have NO authorization for maintaining sales documents. The system states we need to assign V_VBAK_VKO authorization to the user.
If we fill all authorization fields of V_VBAK_VKO objects including activity field in Org. role(or func. role) all works fine.
Tell me why it happens. Why the authorisation fields value of the same authorization objects of two roles are not summarized???
Thank you very much.
02-01-2012 11:36 AM
How you got this idea of creating roles without giving activities in Org role?
Anyone told or seen in any site?
In both the roles Org role and in Fun role maintain all the fields, In org role activity and org level ,In func role give activity and in org field put xxxx ,otherwise it wont work
You cannot change the way sap checks authorizations
02-01-2012 11:57 AM
Hi,
The reason why it doesn't work as you expected is
when you are creating a functional role and not maintianing org field over there you are creating one authorization and similarly in org role you are maintaining only org values in this case you are creating another authorization as mentioned below.
ACTVT - 01 & Sales ORG - " " -
Auth 1
ACTVT - " " & Sales ORG - "1000" -
Auth 2
In SAP Users are checked against authorizations, not on induvidual authorization fields
Hope this helps
Regards,
Rakesh
02-01-2012 12:08 PM
So, if you are right then we have to define functional activity in Org. role!
it seems to me this scenario simply makes no sense of Org. roles.
02-01-2012 12:40 PM
So, if you are right then we have to define functional activity in Org. role!
> it seems to me this scenario simply makes no sense of Org. roles.
Exactly! Who gave you the impression that this would work??
It looks nice in PowerPoint sometimes but does not work and sooner or later (mostly sooner) created a big mess...
Cheers,
Julius
02-02-2012 10:10 AM