PM Cross Plant Authorization Objects

former_member245085
Participant
0 Kudos

Dear Experts,

My client has two Maintenance Plants, XXXX & YYYY (Logistic Plant = Maintenance Plant = Planning Plant).

I need to restrict cross-plant transaction data & master data creation & editing while allowing cross-plant transaction data & master data display.

This is my requirement:

  • Plant XXXX users should not be able to edit Plant YYYY Maintenance Orders / Notifications / Equipment / Functional Locations and vice versa.
  • Plant XXXX users should be able to display Plant YYYY Maintenance Orders / Notifications / Equipment / Functional Locations and vice versa.
  • Both Plant XXXX & YYYY users should be able to display both plants' MM transaction data & master data (e.g. MM60, MB52).

How can I handle this with standard SAP Authorization objects?

Please advise.

Thanks in advance

Ashok M

Accepted Solutions (1)

peter_atkin
Active Contributor
0 Kudos

Ashok M,

This should be possible with authorisation object I_IWERK. Talk to your Security/Authorisation Team.



PeteA

former_member245085
Participant
0 Kudos

Hi Maria & Pete,

Thanks for your ideas.

In the example below, to display Plant YYYY data we have to assign Plant YYYY in I_SWERK.

Then both Plants XXXX & YYYY are editable if we assign T-code IW32.

Even for Planning Plant.

There is no Authorization Level such as (R - Read) or (W - Write).

Is this standard behavior of SAP?

Thanks

Ashok

sebastian_lenartowicz
Active Contributor
0 Kudos

Greetings Ashok,

It's best if you create more than one single role for this purpose:

1) Create a role with t-codes such as IW32, IW38 & activity codes such as "02" - "Change" for the relevant authorization objects. This role controls the "Write" privilege. In the objects for this role and profile, only include Plant XXXX.

2) Create a role with t-codes such as IW33, IW39 & activity codes such as "03" - "Display" for the relevant authorization objects. This role controls the "Read" privileges. In the objects for this role and profile, maintain both Plants XXXX & YYYY.

3) If needed, create additional roles for MM* etc. t-codes containing both Plants.

It is possible to combine these into one role, if you include multiple instances of Authorization Objects with different values in the role and profile. However, I feel maintenance is easier and more straightforward if these roles are separate.

What is vital is that you keep the t-codes, activity codes and Plants separated by Auth Object instance.

It's quite a basic requirement - your Authorizations consultant ought to be able to help with that with ease.
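
The behaviour Ashok observed and the role separation described in the reply above, as an added example that is not part of the original thread: a simplified Python model, assuming I_SWERK is checked on a transaction code field (TCD) and a plant field (SWERK) and that a single authorization instance must match on every field. All function names and role data are constructed for illustration.

```python
# Simplified model of an SAP authorization check (added example, not SAP code).
# Assumption: I_SWERK is checked on two fields, TCD (transaction code) and
# SWERK (maintenance plant). One authorization instance must match on ALL
# fields; values from different instances are never combined.

def value_matches(pattern, value):
    """Exact match, or prefix match when the pattern ends in '*'."""
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value

def instance_allows(instance, tcode, plant):
    """AND across the fields of a single instance."""
    return (any(value_matches(p, tcode) for p in instance["TCD"])
            and any(value_matches(p, plant) for p in instance["SWERK"]))

def check_i_swerk(instances, tcode, plant):
    """OR across the instances a user holds through all assigned roles."""
    return any(instance_allows(i, tcode, plant) for i in instances)

CHANGE_TCODES = ["IW32", "IW38"]   # change t-codes named in the thread

# Constructed role data for a Plant XXXX user.
# Merged: display of YYYY was added to the instance that also holds IW32.
MERGED = [{"TCD": ["IW32", "IW33", "IW38", "IW39"], "SWERK": ["XXXX", "YYYY"]}]

# Separated: one instance per privilege, as the reply above describes.
SEPARATED = [
    {"TCD": ["IW32", "IW38"], "SWERK": ["XXXX"]},          # change, own plant
    {"TCD": ["IW33", "IW39"], "SWERK": ["XXXX", "YYYY"]},  # display, both
]

def cross_plant_change(instances, home_plant, plants=("XXXX", "YYYY")):
    """Return (tcode, plant) pairs where change is allowed outside home_plant."""
    return [(t, p) for t in CHANGE_TCODES for p in plants
            if p != home_plant and check_i_swerk(instances, t, p)]

if __name__ == "__main__":
    for name, role in (("merged", MERGED), ("separated", SEPARATED)):
        print(name, "cross-plant change:", cross_plant_change(role, "XXXX"))
        print(name, "display YYYY via IW33:", check_i_swerk(role, "IW33", "YYYY"))
```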

MTerence
Active Contributor
0 Kudos

Hi Ashok,

As I mentioned earlier, you cannot put * in the transaction column. You need to assign t-codes which are related to create / change in one role and display in another role.

Regards

Terence

Answers (2)

former_member245085
Participant
0 Kudos

Thank you all for the valuable inputs.

Ashok M

MTerence
Active Contributor
0 Kudos

Hi Ashok,

First, I suggest you use transaction SU24 and enter the transactions to check the various authorization objects available.

1. Create / Change of Maintenance Orders / Notifications / Equipment / Functional Locations can be restricted using the Authorization Object I_SWERK.

You need separate roles for different plants.

2. and 3. To restrict the display, you need to check whether to set up a different role for display alone. You need to select all the display transactions and pull them into one role; this role provides access to the two plants.

The transaction code you provide in I_SWERK for the maintenance plant will restrict the users from going into the transaction.

Regards

Terence