Restricting access to IDocs

Former Member
0 Kudos

Greetings All,

I'm currently in a situation where we have an SAP installation that we wish to restrict access to IDocs.

Basically, we have several entities (defined as company codes in SAP) on the same instance and the issue arises when executing a transaction code such as BD87, where everyone is able to view and process all IDocs in the system. Ideally, we want to restrict access such that a person belonging to company code 2000 can only view and process IDocs created by other people belonging to company code 2000.

I did some research and performed a search on SCN and am aware of S_IDOCMONI, but this does not appear to address the issue. I was thinking that perhaps there is a way to code a custom transaction code with a company code field. However, this gets tricky, as how will we know which company code a specific IDoc is associated with?

Any ideas would be greatly appreciated on how to approach this issue.

Thanks,

Bartz

1 ACCEPTED SOLUTION

mvoros
Active Contributor
0 Kudos

Hi,

Do your entities deal with different partners? If yes, then you should be able to restrict access with S_IDOCMONI.

If not, then I don't think that you will be able to achieve your requirement with standard transactions. You can see that the fields available in S_IDOCMONI are stored in the IDoc control record. You are asking for a check based on the content of the IDoc. So it's obvious that a generic authorization check would be too difficult to implement (maybe even impossible from a technical point of view - performance issues and so on). So you can try to build a custom solution and remove access to standard authorizations. You can restrict this custom solution just to a subset of message types where you know the location of values for authorization checks. This will be significantly slower than the standard transaction. The good news is that SAP provides some API for displaying/modifying IDocs so you will have to develop only a report with selected IDocs based on the user's authorization. Another approach could be to extend standard transactions using the enhancement framework. This can be tricky.

Cheers
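
A sketch of the custom report described in the answer above, added here as an example and not code from the thread or from SAP: it preselects on the control record, reads the data records of each IDoc, and lists only those whose company code passes an authorization check. Assumptions: the message type `ZMSGTYP`, segment `Z1HEADER`, the offset of the company code in the segment data, and the custom authorization object `Z_IDOC_BUK` are hypothetical placeholders for site-specific values.

```abap
REPORT zidoc_by_bukrs.

" Added example. Placeholders (hypothetical, site-specific): the message type,
" the segment that carries the company code, its offset inside SDATA, and
" the custom authorization object Z_IDOC_BUK with fields BUKRS and ACTVT.
CONSTANTS: gc_mestyp TYPE edidc-mestyp VALUE 'ZMSGTYP',
           gc_segnam TYPE edidd-segnam VALUE 'Z1HEADER',
           gc_offset TYPE i            VALUE 0.

DATA: lt_edidc TYPE STANDARD TABLE OF edidc,
      lt_edidd TYPE STANDARD TABLE OF edidd,
      ls_edidc TYPE edidc,
      ls_edidd TYPE edidd,
      lv_bukrs TYPE bukrs.

" Control records only: cheap preselection on the supported message type.
SELECT * FROM edidc INTO TABLE lt_edidc WHERE mestyp = gc_mestyp.

LOOP AT lt_edidc INTO ls_edidc.
  CLEAR lt_edidd.
  " Data records must be read per IDoc; this is the slow part.
  CALL FUNCTION 'IDOC_READ_COMPLETELY'
    EXPORTING
      document_number = ls_edidc-docnum
    TABLES
      int_edidd       = lt_edidd
    EXCEPTIONS
      OTHERS          = 1.
  CHECK sy-subrc = 0.

  " Fail closed: an IDoc without the expected segment is never listed.
  READ TABLE lt_edidd INTO ls_edidd WITH KEY segnam = gc_segnam.
  CHECK sy-subrc = 0.
  lv_bukrs = ls_edidd-sdata+gc_offset(4).

  AUTHORITY-CHECK OBJECT 'Z_IDOC_BUK'
    ID 'BUKRS' FIELD lv_bukrs
    ID 'ACTVT' FIELD '03'.   " 03 = display
  CHECK sy-subrc = 0.

  WRITE: / ls_edidc-docnum, ls_edidc-status, lv_bukrs.
ENDLOOP.
```

The filter only has an effect if the standard transactions such as BD87 are removed from the users' roles, since those still show every IDoc.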

3 REPLIES

Former Member
0 Kudos

Thanks Martin. I believe your answer confirms my initial observations that a custom solution may need to be involved in this. I will mark your answer as helpful, but will leave this thread open for anyone else who has suggestions.

Former Member
0 Kudos

Hello Martin,

Thanks a lot for explaining about how S_IDOCMONI works. This saved us a huge effort in experimenting and finding out how to interpret this authority object.

Keep up the good work!