on 11-27-2014 3:17 AM
Dear All,
we are having 3 plants called a01,a02,a03. We configured PO release strategy and we assign to the users by using the roles and we restricted in plant level.So that no one can see other plant PO and they can't release.But Our manager having SAP_ALL authorization and he is the one releasing 30 in all the plants.Now i want restrict him for a01 plant for 30.I tried different ways but i unsuccessful.
Please give suggestion on this.
Regards,
Patan Thavaheer.
Message was edited by: Jürgen L
Wait. You have business users in your production system with SAP_ALL? If so, you have bigger problems than your PO release strategy. Step 1 - take away SAP_ALL and give them access to only the things they actually need. That will certainly require some work to build some new roles.
SAP security golden rule - nobody has SAP_ALL in production...
Steve.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi
Please create a role with the following details as required and Attach this role to the User.So, System will restrict the PO Release based on the following.
Plant
Purchase Group
Document Type
Release Code
Release Group
Any other characteristics if you want to restrict
Remove SAP_ALL from the user as it is not suggestible in Production Environment
Ram
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
As noted, SAP_ALL supersede all authorization restrictions so as long as your manager has it there is no point trying to limit what he can see and approve.
You can create a security role for him in transaction PFCG and restrict his access via the Purchasing set of authorization objects (MM_E). Plant is one of the objects you can restrict his access to (M_BANF_WRK).
Considering he currently has SAP_ALL, if he does other things in SAP, you may have to build out other roles to maintain his access when you take away SAP_ALL.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi, authorization of SAP_ALL / (*) means the manager can release all plants. remove the SAP_ALL, & give the particular plant,PORG,PRG,Doc Type so then he cannot release other plant Releases. Regards Kumar
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
If you manager having the authorization of SAP_ALL, then how you can control the authorization object.
SAP _ALL mean he has the all authorization.
As per your requirement, you need to remove the SAP_ALL and you have to assign the correspond profile.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
User | Count |
---|---|
86 | |
7 | |
6 | |
4 | |
3 | |
3 | |
3 | |
3 | |
3 | |
2 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.