on 10-19-2015 3:34 PM
Hi - I see that there have been a lot of clever answers to authorizing in PM - I feel lucky today hoping to get your feed back on this 🙂
In transaction code IH08 (display equipments) we want to restrict some users to certain equipments and have looked into the use of authorization groups and the authorization object I_BEGRP.
We have created a role with access to authorization group X and expected that the user would only view a list of relevant equipments assigned to this authorization group - but the list also contains all the equipments without authorization group X assigned - all the blank ones.
Is this an error in SAP - or is it just the way it is supposed to work?
- or have we missed something here?
Please, if you have any idea - don't hesitate to write - it is quite urgent 🙂
Best regards
Jennifer McKay
Greetings Jennifer,
If I remember correctly, the Authorization Group for Equipments can only be used effectively if it is combined with a non-blank value in the Equipment master data. In other words, the Authorization Group prohibits anybody without the relevant I_BEGRP value from displaying or changing the Equipment - and if the value is left blank, then there is nothing to base this restriction on.
As Jogeswara Rao Kavala said, I believe there are no shortcuts here - you'd need to have a role that would allow the display of Equipments with I_BEGRP = 'Y' to assign to all users, then a role with I_BEGRP = 'X' to some users only, and then each and every Equipment would have to have a non-blank value of either X or Y to the Authorization group.
This could necessitate configuring the Authorization Group screen field as mandatory for IE01/IE02 t-codes and also maintenance for the value for existing Equipments, e.g. via IBIP.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hello Jennifer,
We have this situation and we filled all the Authorization Group fields with some values. We did not leave anything blank. I think there is no short-cut for this, Means the Equipments with blank BEGRP field will appear in any structure. They will not be filtered. BTW, this topic I documented sometime ago.
Good luck
KJogeswaraRao
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi, It was actually because of your document regarding "IH01 Structure Customizing ..." that I got the idea of writing on SDN - I got the fealing that there are some very high skilled users in here 🙂
I have set up the authorizations and it works fine whenever we have typed in an authorization group on the master data. And it also ensures that users are only allowed to see / maintain the master data with the authorization groups that they have in their roles.
I have worked with authorizations for many years and in some parts of SAP (on S_TABU_DIS - access to tables) it works in the way that if you need access to tables without authorization group, you need to be authorized to the authorization group = blank (' '). The use of authorization groups differs in SAP - and I was just hoping that it was working this way in EAM as well.
For us it will be a major work load to update our master data with authorization group.
Thanks for your reply.
BR
Jennifer
User | Count |
---|---|
86 | |
7 | |
6 | |
4 | |
3 | |
3 | |
3 | |
3 | |
3 | |
2 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.