10-11-2007 9:01 AM
Hi experts,
I need to give authorizations as follows.
1. Auth for creating PO (ME21N) for 10 users of Document type (M_BEST_BSA =All)
2. Auth for creating PO (ME21N) for 20 users of Document type (M_BEST_BSA =UB)
3. Display of POs (ME23N) to all 30 users for all document types.
Assume I have 30 users total. when i create roles and assign to users. All 30 users are able to create POs of all doc types.
Can someome give some clue. . . .
Adv thanks. . .
10-11-2007 9:43 AM
Hi Jalli,
First of all can you confirm that you have created:
Role1. ME21N + M_BEST_BSA Activity=01, Doc Type=*
Role2. ME21N + M_BEST_BSA Activity=01, Doc Type=UB
Role3. ME23N + M_BEST_BSA Activity=03, Doc Type=*
Role 1 and 3 are assigned to people who can create PO for all doc types
Role 2 and 3 are assigned to people who can create PO for doc type UB
It sounds like the users are getting the doc type auth from somewhere so want to check that they have been segregated properly
10-11-2007 1:16 PM
Hi alex thanks . . .
yes. it is gettin the doc type auth from 4th role for ML81N. But how to restrict. . .
10-11-2007 5:29 PM
From what you have said, you are in a difficult position.
Auths are additive, so if you need M_BEST_BSA with actvt=01 and doc type = * in the same role (or any other role that is assigned to the users) there is no way that you can provide the restriction for ME21N.
Your options are:
- Restrict ME21N and ML81N in the same way
- Do not restrict ME21N but provide an alternative control, e.g. user training + review of each PO to ensure they are correct doc type
- Split the assignment of ME21N and ML81N to different users
- Find a user exit in ME21N that will allow an additional check on a custom object that includes doc type.
Hope that makes sense
Cheers
Alex