08-31-2007 1:16 PM
Hi All,
We are following role based authorisation for creating roles for FI/CO module and we are seggregating roles as per the company codes.We are assigning Tcodes like KO01,KO02,KO03(Internal order) and KS01,KS02,KS03(cost center) which are connected with Controlling area in one role.We have 5 company codes and we are trying to create 5 roles with the above Tcodes for 5 different company codes.
The problem we encountered is when we entered the Tcodes in the role, and we get to the 'Change authrisation data' option in the 'Authorisation' tab in PFCG, the system is not prompting for the Company code organisational level. Hence in this case, a user will be able to access the above mentined Tcodes for all the company codes. But we need to create a role in such a way that a user who is assigned this role is only able to access Tcode like KO01,02,03 etc for his company code only and should not be authorized to access these Tcodes for remaining 4 company codes.
Can anybody please help me with a way to restrict these Tcodes to a particular company code in our scenario.
Thanks and Regards,
Abdul Khyoom A.
08-31-2007 1:34 PM
hi,
here you can do one thing, check the authorization objects which is holding the company code (bukrs). Then directly you maintain the values there.
if you need more send me the authorization objects.
thanks
Ashok
09-01-2007 1:29 PM
Hi Ashok,
Thanks for the response.
Here in my case, when I insert the Tcodes related to conrolling like(KO01,KO02,KO03 etc) in a role, then I dont find any authorization objects(bukrs) which is related to the company code in the authorization genaration area in PFCG. So there is no way I can maintain values in them.
Please suggest any alternate solution.
Thanks and Regards,
Abdul Khyoom A
09-01-2007 1:40 PM
if you look in SU24 you will see that there is no object available with Field BUKRS in TRX KO01/02/03. (internal orders) , so it seems not be relevant.
Solution can be, find an object (with field BUKRS) that has relevance to the data end have an ABAPPER add this as a custom authorisation check to a userexit in the programm.
09-03-2007 10:28 AM
Dear Abdul Khyoom,
Here is object K_VRGNG (Controlling Area) you can restrict user by assining perticular Contrilling area of company.
Hope this will help you creating roles,
Thanks
Kavita