cancel
Showing results for 
Search instead for 
Did you mean: 

PO release strategy - SAP_ALL

Former Member
0 Kudos

Dear All,

we are having 3 plants called a01,a02,a03. We configured PO release strategy and we assign to the users by using the roles and we restricted in plant level.So that no one can see other plant PO and they can't release.But Our manager having SAP_ALL authorization and he is the one releasing 30 in all the plants.Now i want restrict him for a01 plant for 30.I tried different ways but i unsuccessful.


Please give suggestion on this.



Regards,

Patan Thavaheer.

Message was edited by: Jürgen L

Accepted Solutions (1)

Accepted Solutions (1)

steverumsby
Active Contributor
0 Kudos

Wait. You have business users in your production system with SAP_ALL? If so, you have bigger problems than your PO release strategy. Step 1 - take away SAP_ALL and give them access to only the things they actually need. That will certainly require some work to build some new roles.

SAP security golden rule - nobody has SAP_ALL in production...

Steve.

Answers (5)

Answers (5)

srinivasan_vinayagam
Active Contributor
0 Kudos

Hi Thava,

If you want restrict only release or display also.

If you give all to display only..You can copy SAP_ALL ()

and modify as per requirement.

Regards,

V Srinivasan

0 Kudos

Hi

Please create a role with the following details as required and Attach this role to the User.So, System will restrict the PO Release based on the following.

Plant     

Purchase Group

Document Type

Release Code

Release Group

Any other characteristics if you want to restrict

Remove SAP_ALL from the user as it is not suggestible in Production Environment

Ram

Former Member
0 Kudos

Hi Ram,

Without SAP_ALL we can create the role and we can restrict the users(Except managers we are restricting like that only). But the requirement is that, they are having SAP_ALL, I need to restrict them for plant level.

Regards,

Patan Thavaheer.

Former Member
0 Kudos

Hi Patan,

Since you assigned the SAP_ALL to your Manager ID, further you cannot restrict any authorizations.

Rgs

Gopi

Former Member
0 Kudos

Hi Patan,

one workaround can be, that you create a role out of the SAP_ALL profil. deactivate the objects releated to the PO release strategy. Create a second role put the objet in this role an restrict it on plant level.

rgs

Bernhard

Former Member
0 Kudos

As noted, SAP_ALL supersede all authorization restrictions so as long as your manager has it there is no point trying to limit what he can see and approve.

You can create a security role for him in transaction PFCG and restrict his access via the Purchasing set of authorization objects (MM_E). Plant is one of the objects you can restrict his access to (M_BANF_WRK).

Considering he currently has SAP_ALL, if he does other things in SAP, you may have to build out other roles to maintain his access when you take away SAP_ALL.

former_member190893
Active Participant
0 Kudos

Hi, authorization of SAP_ALL / (*) means the manager can release all plants. remove the SAP_ALL, & give the particular plant,PORG,PRG,Doc Type so then he cannot release other plant Releases. Regards Kumar

former_member183424
Active Contributor
0 Kudos

If you manager having the authorization of SAP_ALL, then how you can control the authorization object.

SAP _ALL mean he has the all authorization.

As per your requirement, you need to remove the SAP_ALL and you have to assign the correspond profile.