Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

how to restrict user docment type for plant level

Former Member

‎08-16-2007 5:55 AM

0 Kudos

We seek you assistance to resolve the following issue:

T code ME21N is used for creation of - 1) Purchase order ( doc type NB)

2) Stock transport order( doc type UB)

We have given authorisation for this t code to one user at plant 1000 and as a result, he can use this t code for creating a PO as well as STO in this plant.

However, for another plant 2000, the requirement is that authorization for ME21N for this user should be restricted to creation of a STO ( DOC TYPE UB). The user should not be able to create a PO in this plant ( doc type NB)

Is it possible to map this requirement? is it possible to assign a T CODE for a plant for a user.But we are unable to restrict the user from creating a PO as there is no provision for restricting the authorization based on DOC TYPE .

Kindly advice.

Regards,

Nagendra.

7 REPLIES 7

Former Member

‎08-16-2007 12:57 PM

0 Kudos

Hi Nagendra,

After looking the auth. objects checked for ME21N, I think you need tho create 2 seperate roles for different plan. In ME21N object M_BEST_WRK is responsible for activity on Plant and object M_BEST_BSA is responsible for activity on Purchasing document type. As a combination of this you can't seperate the activities based on Purchasing document type as well as Plant at the same time.

So by maintaing these values in seperate roles, your purpose will be served.

I hope this will help.

Regards,

Prasad

Former Member

‎08-16-2007 1:49 PM

0 Kudos

Hello,

Yes, it is not possible.We have to go with separate roles as Prasad said ...!!

Note: Points always encourage me to reply !!

Former Member

‎08-16-2007 10:40 PM

0 Kudos

I believe it will NOT be possible to map this requirement, even with two role suggested by Prasad & MSR. The problem is both Auth Field reside in two separate Auth Objects. If the user has both roles, when the Auth check for Plant, the user will pass the check becuase the user buffer has boh value, same case for the document type.

The only time it will be possible is both field is within the same Auth Object.

You can create a test case to verify it, but I am about 99% sure you can't restrict it.

Hope this help.

Thanks,

Lye

Former Member
In response to Former Member

‎08-17-2007 6:31 AM

0 Kudos

Hi Lye,

we can facilitate Nagendra's requirement by providing two separate roles.

In first role we can provide the plant 1000 with create, display activities in object M_BEST_WRK and providing the create activity in object M_BEST_BSA for Purchasing document type UB, NB.

In second role, we can provide plant 2000 in object M_BEST_WRK as in previous role. For providing the separate activities on Purchasing doc we need to add another object M_BEST_BSA manually. In one copy of M_BEST_BSA we can provide create activity doc type UB and in other copy of M_BEST_BSA we can provide display activity on doc type NB.

I hope this will help.

Regards,

Prasad M. Musale

Message was edited by:

Prasad Musale

Former Member
In response to Former Member

‎08-17-2007 9:26 AM

0 Kudos

Hello,

This is what i am saying, then what is the use of field values...??

Createing 2 roles, and restrict them based on activities respectvely.

Nagendra, I am 100% sure, it will work. Testing is not required.

I appreciate Prasad's explanation.

Note: Points always encourage me to reply !!

Former Member
In response to Former Member

‎08-17-2007 2:26 PM

0 Kudos

Prasad,

Looking at the roles, it will works for two separate users. Looking at how the authorization store in user buffer and how the auth-check code work, it will not work for a user assigned BOTH roles because of aggregate effect.

Here is the breakdown:

Role 1:

M_BEST_WRK

Actvt: 01, 02, 03

Plant: 1000

M_BEST_BSA

Actvt: 01, 02, 03

Doc Type: UB, NB

Role 2:

M_BEST_WRK

Actvt: 01, 02, 03

Plant: 2000

M_BEST_BSA

Actvt: 01, 02, 03

Doc Type: UB

Actvt: 03

Doc Type: NB.

If both roles are assign to the same user. This is what the user will have in the user buffer:

M_BEST_WRK

Actvt: 01, 02, 03

WERK: 1000, 2000

M_BEST_BSA

Actvt: 01, 02, 03

Doc Type: UB, NB

Actvt: 03

Doc Type: NB

Furthermore, in general, the Auth-Code will check one Auth Object at a time. That is why I said the requirement is only possible if both Field (Plant & Doc Type) are in the same Auth Object.

The only possible solution is to create a custom auth object that contains Actvt, WERK & Doc Type, and find a user-exit in ME21n to put the Auth-Check code for the new custom auth object. That is too much work for these simple requirement.

I am 99% sure about this, I will only be 100% sure after I test it myself.

Thanks,

Lye

Former Member
In response to Former Member

‎08-20-2007 8:38 AM

0 Kudos

Hi Lye,

Thanks for the catch !!!

I haven't considered the combined effect of two roles on users UMR.

You are 100% right that we can't seperate these two activities for same user.

I think solution provided by you is the only solution.

Thanks again!

Regards,

Prasad M. Musale