Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Showing results for 
Search instead for 
Did you mean: 

Role Based Authorizations

Former Member
0 Kudos

Hello:

I have a question related to the role based authorization.

I have a ROLE:A, which includes Display PO (ME23N) transaction with activity 03 and Pur. Org (M_BEST_EKO) A.

I have another role ROLE:B, which includes Create/Change PO transaction with activity (ACTVT) 01-Create and 02-Change and Pur. Org (M_BEST_EKO). B.

If I assign these roles to user, Will he be able to create Purchase order for Pur. Org. A?

My situation is I do not want him to be able to create a PO for Pur. Org = A since he does not have access to ME21N transaction in Role A.

How Can I achieve this??

5 REPLIES 5

jurjen_heeck
Active Contributor
0 Kudos

> I have a ROLE:A, which includes Display PO (ME23N) transaction with activity 03 and Pur. Org (M_BEST_EKO) A.

>

> I have another role ROLE:B, which includes Create/Change PO transaction with activity (ACTVT) 01-Create and 02-Change and Pur. Org (M_BEST_EKO). B.

>

> If I assign these roles to user, Will he be able to create Purchase order for Pur. Org. A?

No

As long as activity and org.field are in the same object the authorizations remain separated.

Former Member
0 Kudos

Jurjens answer is right as the activty is directly related to the purchase ORG values given in this situation

and besides that: While SAP calls the TRX Display, there is a change that even giving wider activity codes will not allow the user to create /change. But the ONLY way to be certain: Create a test user with both roles and test for yourselve.

Edited by: Auke Visser on Jan 21, 2008 6:44 PM

Edited by: Auke Visser on Jan 21, 2008 6:46 PM

Former Member
0 Kudos

Hi Tridev,

In ur scenario, user will be not able to create PO for Purch.Org.A as per ur activity and maintenance of ORG levels in Role A.He can only create/change PO for Purch.Org.B.

T-codes does only check for relative Objects along with activities only which r maintened in Roles.

ur scenario is only possible when user have 2 roles.

Othercase, if the same user has only one role , then u cannot differenciate Purchasing Organisation.

Still u can do it, but then u have to insert manually into the Object M_BEST_EKO which is not recommended.

Rgds,

Gadde.

Former Member
0 Kudos

Hi Tridev,

Field values in any object are picked using the AND operator i.e. Activity 03 AND Pur Org A. Similarly it will be ACTVT 01/02 AND Pur Org B. So for every set of authorization values the fields will always have AND. So a user can have multiple sets of values for the same object BUT the field values will always be tagged together !

It will never be a PnC of the authorization values.

What you have proposed to do is absolutely correct!

Regards

Sachin

Former Member
0 Kudos

Hi Tridev,

since the user has display activity in org.A, he can only display. And since the user has create activity in org B, he can create in B.

As the organisations are different, the he cannot have both activities in both organisations.