Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Showing results for 
Search instead for 
Did you mean: 

Posting for goods receipt invoices ONLY and parking access for all invoices

Former Member
0 Kudos

Hello everyone,

There is a new business requirement from the client to allow a role to park for all documents (via txn codes FBV2, FV60 and MIR7) AND allow posting access for only a goods receipt invoice via MIRO.

First, has anyone had experience in configuring this? I've executed traces to determine what objects are being checked and determined that there are three objects involved (that really 'check') and need help with determining if this possible. (also created test roles to see how things interact).

The authorization object to control the activities is F_BKPF_BUK, with 01 being for posting and 77 for parking. Prior to the request to add MIRO, the role had only parking access for all documents (great - that worked)

With the new requirement, I looked into was what authorizations were checked for the document type when posting and two objects are checked, F_BKPF_KOA and F_LFA1_GRP.

However, after this point, I am stuck. For F_BKPF_KOA, the account type field is an org value for which they have access to all. There is no further restriction possible for a <b>type</b> of invoice for an account type (in this case, a vendor). The other option is for F_LFA1_GRP and secure the Vendor Account Group

Any suggestions on how to approach this? I've created a copy of the actual production role and tweaked some of the authorizations to have them test, but I feel like I am going around in a circle. Any help is appreciated.

1 REPLY 1

Former Member
0 Kudos

Hi Julie,

If you are willing to give up the F_BKPF_BUK activity control over posting / parking to the G/L and rely on F_BKPF_KOA actvt 77 (or even F_BKPF_BLA actvt 77 if your document types all have authorization groups on them), then it might work to use the authorizations of M_* objects to determine within MIGO that the user can only process a goods receipt (with unhindered corresponding G/L effects), and not any other type of logistical movement (like a 501er, etc...). However if they went via another tcode or navigated into one of them, the F_BKPF_KOA or BLA would let them park only, including account type 'K' or document type 'WE'.

Of course, if MIGO checks F_BKPF_KOA or BLA, then this won't work. (I did a quick check, and it appeared not).

As another approach (I would say, a last resort), you could consider deactivating a specific authority-check for a MIGO context of goods reciept, but leave it active for other tcodes. However that might lower the security of MIGO to an unacceptable level for you?

Cheers,

Julius