Solved: Limit Document types

Former Member · ‎03-09-2008

Does anyone know how I can limit what purchase order document types a user can use in a purchase order when accessing the transactions ME21N like the drop down list only shows ZUB and ZNB etc.

<removed_by_moderator>

Edited by: Julius Bussche on Mar 12, 2008 10:02 AM

Former Member · ‎03-09-2008

You appear to follow-up on your threads and ask questions which can be taken seriously, so no need to lure us with points

In addition to what Alex has already stated, keep an eye out for:

- Activity '03' relates to displaying existing document types within the plant / purchasing org, so I don't think that will restrict the drop-down list in ME21N. Try restricting activity '76' (Enter)? If it works for the drop-down list, then consider adding it to the SU24 indicators for ME21N so that you and others don't need to test it again each time ME21N is added to a role. By default, it is not a value in the proposal indicators.

- Do you have a release strategy in place? (authorization object M_EINK_FRG). You might want to consider that document types can also be controlled via the purchase requisition (authorization object M_BANF_BSA) and for internal material orders (authorization object M_MSEG_WWE).

Cheers,

Julius

Former Member · ‎03-09-2008

Hi,

Don't worry about the points. Not sure if this is exactly what you are after (reference to the dropdown box) but you control access to process doc types vie ME21N by restricting auth object M_BEST_BSA

You can see this by running SU24 and entering ME21N this will give a rough list of what objects control the transaction and M_BEST_BSA text tells you it is related to document types.

Ensure that this object is restricted to only the document types they need.

Former Member · ‎03-09-2008

You appear to follow-up on your threads and ask questions which can be taken seriously, so no need to lure us with points

In addition to what Alex has already stated, keep an eye out for:

- Activity '03' relates to displaying existing document types within the plant / purchasing org, so I don't think that will restrict the drop-down list in ME21N. Try restricting activity '76' (Enter)? If it works for the drop-down list, then consider adding it to the SU24 indicators for ME21N so that you and others don't need to test it again each time ME21N is added to a role. By default, it is not a value in the proposal indicators.

- Do you have a release strategy in place? (authorization object M_EINK_FRG). You might want to consider that document types can also be controlled via the purchase requisition (authorization object M_BANF_BSA) and for internal material orders (authorization object M_MSEG_WWE).

Cheers,

Julius

Former Member · ‎03-09-2008

Thank you guys...appreciate it. I will probably have more question because I am a SD consultant but thank you again.

Former Member · ‎03-09-2008

Hello Saad,

Feel free to keep the thread open until you get it to work.

Regards,

Julius

Former Member · ‎03-09-2008

Activity '03' relates to displaying existing document types within the plant / purchasing org, so I don't think that will restrict the drop-down list in ME21N. Try restricting activity '76' (Enter)? If it works for the drop-down list, then consider adding it to the SU24 indicators for ME21N so that you and others don't need to test it again each time ME21N is added to a role. By default, it is not a value in the proposal indicators.

Do you have a release strategy in place? (authorization object M_EINK_FRG). You might want to consider that document types can also be controlled via the purchase requisition (authorization object M_BANF_BSA) and for internal material orders (authorization object M_MSEG_WWE).

Well I am going to ask a few stupid questions like:

1. What do you mean by activity?

And no we do not have a release strategy in place but we will.

2. How do I view the authorization objects?

Like I said i have no experience on the security side so if you can list the steps with the transactions I'll try to see what I can do.

Thanks.

Former Member · ‎03-10-2008

Hello Saad,

This is a "cliche", but there are no stupid questions, only stupid answers to questions which act as "enablers" for them...

I would also like to use this opportunity to point out that you can achieve a lot by using SAP's authorzation concepts correctly. You do not always have to activate exits and write your own programs - in fact I would recommend avoiding that until absolutely necessary.

> 1. What do you mean by activity?

These are to a large extent defined (for syntax check purposes) in table TACTZ for the object in question.

Depending on the "activity" field (technically the field ID 'ACTVT'), you can use the same authorization object (and even the same instance of the AUTHORITY-CHECK statement) to determine that some users can create (typically ACTVT = '01'), other users can change (ACTVT = '02'), others can do everything... (ACTVT = '*' or all possible values from the value range of the field ID (see above, table TACTZ).

> And no we do not have a release strategy in place but we will.

Okay. See my comments above when you get there.

> 2. How do I view the authorization objects?

Either using various selection criteria reports in transaction SUIM, or directly (via their classes) in transaction SU21.

> Like I said i have no experience on the security side so if you can list the steps with the transactions I'll try to see what I can do.

See above. You don't necessarily need different transactions, but different roles for the different users of ME21N, which have different field values for the same objects defined in the authorizations of those roles. The users will have a different experience, in the same transaction, because of the different roles.

Generally, for more information on a transaction, which is also release dependent information(!), you can start the transaction (e.g. PFCG, SU24, ME21N...) and from the initial screen open the menu: Help => Application Help (or type .he into the ok-code field). It does not contain all or even "enough" information always, but it is a very good place to start.

Hope that helps,

Julius

Former Member · ‎03-10-2008

Well thank you again and I will start my work on this for now before I ask anymore questions.

Former Member · ‎03-10-2008

Hi,

Thanks again and I understood what exactly to do.

Also the problem has been extended to the fact that I need to limit document types between two plants meaning a user should be able to use only one document type when buying from another plant but have all other types available for use generally.

I am sure thats not a security issue unless you have anything to share.

Thank you.

Former Member · ‎03-10-2008

> saad A wrote:

> Also the problem has been extended to the fact that I need to limit document types between two plants meaning a user should be able to use only one document type when buying from another plant but have all other types available for use generally.

>

> I am sure thats not a security issue unless you have anything to share.

I am not sure whether that can or cannot be done using authorizations for ME21N.

There is a quick way to find out though by testing it: Create 2 roles, one for Plant A with restricted Doc Types, and another seperate role (to be sure) for Plant B with all Doc Types.

Of course, your original requirement to restrict the displayed list of Doc Types will now possibly be impacted as well...

Cheers,

Julius

Former Member · ‎03-10-2008

My question is that is it possible to create 2 roles and assign them to a single user?

And by roles do you mean profile?Please eloborate.

Former Member · ‎03-10-2008

Hello Saad,

Yes, to test it you can create 2 seperate roles with different authorization definitions and assign them to the same user to test the effect (ABAP roles created in PFCG generate profiles).

You can also create profiles manually (without roles, initially) if you want to in SU02. This is sometimes frowned upon...

Good luck,

Julius

Former Member · ‎03-11-2008

Thank you that was a good idea. I'll try it.