Hello,

First of all, the thread has to be moved to Security forum, isn't it?

Create roles which allows the user to work only on a specific company code (BUKRS)..

You need to:

1. Find out the transactions used by the end-users

2. Create single role with the specific set of transactions(several single roles and club them to composite roles etc if required .......)

3. In the Organizational tab, provide the company code they want to access.

4. assign the role to the end user.

PS: i would take a role as z:xx_YY_abcd_12345

where xx=module (FI)

YY=sub module(AP Payments)

abcd=company code

12345=other description

Regards,

Srihari

I'll take a shot at this, please don't scream at me if nothing I write makes sense.

We have to setup authorization rules for financial intercompany process as usually the end-users are not allowed to post entries in different company codes than their own.

Are there special authorization objects for this process which ensure that users are only allowed to perform entries in foreign company codes that are related to the intercompany process?

I would say, set the user so that he/she only has general system access (can log in, but not run anything). Then run ST01 traces from there and have the user run all the necessary transactions. You may have to repeat ST01 withe very error encountered, but this is one way to ensure that the user only has permissions to post under 1 company code and not another. I'm sure there's a standard object somewhere out there, maybe someone later will post it.

Furthermore we need to setup a control mechanism or an approval process in which the sites can review and accept/approve the entries made from other plants within their accounting. How can this be realized? Is there an approval process or does this work via a special clearing account?

Check to see if SAP has a standard work flow for this. If not, then you may need to result to customizations.