Authorisation Restrictions in PR05
Hi Experts,
We want to restrict Authorisations in t-code PR05 userwise, i.e.,
The scenario is X user will create the Trvl Exp. in PR05
Head-HR ( Y user) will approve the Trip ( only display)
Pre-Audit(Z User) will Verify the Expense Voucher and Trip details do corrections if required, save & settle the Trip
Creator should not have Change
Approver should have only display and approve
pre-audit only change and settle
Now how can I restrict Authorisation Userwise
Thanks in advance
Chaitra
Hi Chaitra
There is very good documentation for this, so you should be able to achieve this via PFCG and the authorization objects P_TRAVL/F_TRAVL and the values for the authorization fields BUKRS, KOSTL, PERSA, PERSG. Remember, though, that the object P_ORIGINCON (structural authorization) is not checked in travel.
Values of the individual authorization fields:
The authorization field AUTHC
In the components HR and Travel Management (FI-TV) the authorization
level is defined using the field AUTHC. The following authorization
level values are possible:
Value Authorization for
R Read (display travel plans)
W Maintain SAP data (create/change travel plans)
A Approve travel plans
B Book in connected reservation system
C Book approved trips in connected reservation system
Q Create trip templates
All operations
You can only specify the values 'W', 'A', 'B' and 'C' together with 'R'
and you must specify the value 'Q' together with 'R' and 'W'.
The authorization field AUTHP
In the field AUTHP the value for the personnel number check must be
defined.
Value Authorization for:
O Own personnel number only
E All personnel numbers except own
All personnel numbers
If the authorizations in the AUTHP field have the value 'O' or 'E', the assignment user name/personnel number must be defined in the HR Infotype 0105 (communication), subtype 0001 (system user name SAP system).
Note 574467 will also help as BAdI for other requirements, and please also have a look at the following User Roles in PFCG. You can also see the documentation in SAP Help -> http://help.sap.com -> Financial Accounting -> Travel Management -> Roles in Travel Management.
SAP_FI_TV_ADMINISTRATOR Travel Management Administrator
SAP_FI_TV_ADVANCE_PAYER Trip Advance Payer
SAP_FI_TV_MANAGER_GENERIC Trip Approval Manager
SAP_FI_TV_TRAVEL_ASSISTANT Travel Assistant
SAP_FI_TV_TRAVELER Traveler
SAP_FI_TV_TRAVEL_MANAGER Travel Manager
So for this, if you assign the role of Traveler for the end user (creator), give them O and W authorizations only for the object and assign this to the role in PFCG; second person, Trip approval manager role with E and A auth; and 3rd, advance payer role with whatever authorization is required.
Similar Messages
-
Authorisation restrictions on Customer Master
Hello all,
Within our organisation there is a request to restrict user access to certain views of the customer master. For example : one group of users are able to create/maintain address and control information, and another group of users are only allowed to maintain the marketing view for example.
I have tried using field groups by assigning fields of certain views to the field groups and then creating a new role and assigning the field group value to object F_KNA1_AEN. I have to say this has not been very successful.
Any ideas?
Any assistance would be greatly appreciated. By the way we are using version 4.6c.
Thank you
Melanie
Hi Melanie,
Scenario-
I have faced a similar issue to yours. Our requirement was to authorize the marketing department only to extend the customer master, but authority to create customers must be with the Finance department.
Solution-
I have given Authorisation of XD01 to Marketing department and deactivated General data and company code data from the authorisation object.
Result-
Unless the customer number exists, the marketing department cannot do anything with the customer master (cannot extend the customer), and only once the finance dept has created General and company code data will the marketing dept be allowed to extend the customer master.
I hope it helps.
Note: We are currently using ECC 6.0
PO, PR creation authorisation restriction based on Internal Order
Dear Forum
We have created a new Internal order type and want that only selective users can make a PO or PR in the Internal orders of that Internal order type. Is there any way by which we can restrict creation of a PO or PR against an Internal Order, on the basis of Internal order number or internal order type?
regards
Parag Bhargava
Hi,
look for a user exit (within enhancement project MEREQ001) when saving a PR / PO where you check SAP-user (maybe from a Z-table) against internal order type.
Best regards, Christian
Authorisation restriction to change batch ( MSC2N ) by material type
Hi ,
We have a requirement wherein we want to restrict users from changing batch records (MSC2N) by material type, viz. a user xyz should not have authorization to change batch for material type FERT.
We cannot use the authorization group (BEGRU) field of material master along with object M_MATE_CHG as this field is already being used for another purpose to restrict users by country for MM01, MM02 & MM03.
Please do let us know if you know of any alternative method of doing so.
Hi,
The new authorization object will work only if the corresponding changes are made in the related program.
Open the program code for the MSC2N transaction (via SE93), and search for the string "AUTHORITY-CHECK". You will find a piece of code that checks for the authorization object M_MATE_CHG and its related field values. This will need to be changed to Z_MATE_CHG and its corresponding values.
You will need an ABAP-er for this.
Only then will the authorization check work correctly. Once this is done add the object in the corresponding role (and also change SU24 entry for MSC2N accordingly if required).
Regards,
Sanju.
V_V2 and VA02 authorisation restriction
Hi,
When we run the transaction V_V2 (rescheduling sales and stock transfer documents), once we get the open sales order document number the user is able to go to that particular sales order change mode by double click (VA02), changing the document, i.e. he can change delivery block remove, Article QTY etc…
Can we restrict the user in transaction V_V2 so that he is not allowed to double-click or change the document, as for some users we are not providing access to VA02?
Regards
Rikin
Hi Eduardo,
No, it's not like that. I have two types of user: Power user and floor user. So those who are power users will have access to VA02 and those who are floor users will not have access to VA02; instead they only have access to V_V2.
But these users are misusing the functionality of V_V2 and from there they are changing a few fields like qty and removing delivery block etc.
So I want to restrict VA02 to floor users even via V_V2.
Regards
Rikin
T code QA11, quantity can not be posted to blocked stock
For an Inspection lot with system status INSP RREC SPRQ, when the user tries to perform QA11 to post stock to blocked stock, the system does not allow it as the "to blocked stock" field is greyed out, and the storage location cannot be changed on that screen either.
I have checked that the material already exists in the WH/storage location; also the inspection characteristics are correct. Not sure what else to check. Please advise.
Does not seem like an authorisation restriction since the user is able to process other QA11 for the same plant/WH and storage location. Does not seem like customisation either since all "Quantity to be posted" options and storage location are greyed out under the inspection lot stock tab.
After Accept, at least the system should allow posting to "unrestricted stock", but that's not available either.
For the same material/plant/WH, I am able to successfully post stock when the system status is REL CALC SPRQ, but in this case the status is INSP RREC SPRQ. What does this signify? Please help.
PI 7.1, Error while creating process component model in folder
Hi Friends,
We are creating folders under modelling. Once the folder is created we are trying to create Process component models under this folder. It's throwing an Access error:
"write access needed to complete this operation". Do we need to edit any role for this to work?
Regards
chandra dasari
Hi
check the below
1) What application profile have you selected (or set as default) while you log in to ESR - Builder?
Try to use 'unrestricted' mode & see if it works.
If another option was already set as default, then you can change that within the ESR menu. Follow the link to change.
http://help.sap.com/saphelp_nwpi71/helpdata/en/46/8b081f8a9c01dde10000000a1553f7/content.htm
2) Is there any authorisation restriction set on these objects?
Check this:
http://help.sap.com/saphelp_nwpi71/helpdata/en/45/18edbad26321a1e10000000a1553f6/frameset.htm
3) Can any other user perform this? If so, compare the UIDs & set necessary access/roles to yours.
Regards
Vishnu
Dear all,
In the trial balance selection criteria window, the option to choose BP or G/L accounts is not appearing (the small tick box is not appearing), so the trial balance can't be viewed.
Hi Suda,
Thank you for your response. Now the issue is solved.
I'm using Version 2005B PL32.
When I try with the superuser id, it works. I think that may be because of an authorisation restriction. But my doubt is why it is not giving an authorisation restriction message; instead, in the selection criteria itself it is not appearing (i.e., the G/L & BP selection check box).
Thanks
Suresh Kannan
Hi All,
In my project, we are using mix of CRM and BI queries for Segmentation. Some attribute lists have Data source Infosets with direct table read from CRM tables, some using ADS table(for Vehicle- BI update this table which is actually in CRM and has iobject linked. This was done to normalise all the vehicle data in BI and then update the Z table in CRM with harmonised information ) and some BI Infosets.
We are also indexing the Attribute Lists for which source is CRM tables using TREX. Since it is a global project so for authorisation restriction, we have created Segmentation basis for each market and then scheduled background TREX update report and Segmentation Basis update report(country distribution).
Issue is that If we do segmentation without Segmentation Basis, count is different as compared to the segmentation with Segmentation Basis although I tried just after updating the index and Segmentation Basis. Moreover, If I create new Segmentation Basis and Index it, count is correct(same as that comes without Segmentation Basis).
Any ideas what could be wrong?
Hi,
You can use a segmentation basis to restrict your selection to relevant business partners, thus excluding non-relevant business partners from the selection while creating a Target group. For example, you can make a Segmentation basis for a specific country, say USA; that means when you create a target group for USA customers using this segmentation basis, the system will only search the data from the USA segment and not from the whole CRM BP database.
Please refer to http://help.sap.com/saphelp_crm70/helpdata/en/46/35e07f86e01421e10000000a1553f6/content.htm to get more details on Segmentation Basis.
Regards,
Dipesh.
PM module fine tuning in material consumption level
Dear all
I would like to share the things and expect the same from you all.
Basically, problems with PM module to give the good preference in organisations, we can say as materials consumption is a big problem.
In most organisations there is 1 main stores (warehouse); the materials will be stored and issued through that dept only.
Mostly it is distant from some equipment; in non-availability of stores (night), technicians' laziness & breakdown times, taking through PM order is somewhat hard.
Mostly they are consuming most of the materials through 201 movements and storing into their own locations. Here they are keeping materials for stock.
When required, they are easily replacing the same.
How can we avoid this SAP-wise? Because of this, mtc activity completion doesn't take more time.
We have given these options at the present client:
1. Creation of sub stores (all their purchased materials shifted there); when required they are getting them against the orders.
2. Authorisation restrictions on 201 movement in PM log in.
This was a success in batch industry, but my other client is continuous.
Please give your ideas & share how we can succeed for continuous & big organisations with one main stores.
Thenna
Dear
Yes, if the client is not interested in going for substores (expenses in all the way, admin risk), then what options can we provide in PM modules?
201 movement restrictions will cause mtc task delays and affect production.
My interest is we take the override for all modules, but we need this (materials) in a proper way.
All can put your suggestions here.
For APP (F110) Authorisation to be restricted by vendor account group
Hi,
My requirement is to restrict the users to post the automatic payment program by vendor account group.
Can anybody tell me the authorisation object name which can be restricted in roles?
Regards
K Khatri
Hi Ken,
unfortunately no solutions found.
Here is a reminder of the "business case":
Within our company code we have different regional divisions with their individual A/P and Treasury departments running their F110 payment runs to pay "their" invoices. In our model this "regional division" is depicted as an SAP Business Area (GSBER).
Internal Controllers and auditors argue that one Business Area should not be authorized to run another's F110, to avoid paying one another's invoices. That's where the idea of using L_LFA1_GRP came about.
regards,
Luis
Restricted Backflush Authorisation Object C_BFLS_L is NOT working!
Hi,
We are using the IS-MILL version of SAP 4.7. We are trying to restrict the authorisation of users for Tcode MFBF only to a few. As suggested in the SPRO help files we tried using the 'Authorisation Object' C_BFLS_L Restricted Backflush but it is giving an error message "This object is out-of-date and is no longer checked from Release 4.6A".
KINDLY ADVISE ON WHICH AUTHORISATION OBJECT IS TO BE USED and also HOW TO RESTRICT USAGE OF MFBF ONLY TO A FEW USERS if this does not work!
With Best Regards,
V.NAGARAJ
Hi Enrico,
Thanks a ton for your advice. We did check the authorisation object mentioned by you (C_BFLS). But the following message is displayed - "This object is out of date and is no longer checked from 4.6A". KINDLY ADVISE, PLEASE!
Restricting the change or display authorisation of quotation
Hi,
Once the pricing is done at quotation level. It is sent for review to head of department. He will add some profit margin by adding another header surcharge on it. Once the quotation is saved by the department head, no one else can change or display that quotation with the help of restricting the authorization.
How can I restrict even the original creator of the quotation (Estimator) as well as others from seeing the quotation? Because once the profit margin is added by the department head, they want to keep it secret. Is there any user exit for it?
Regards
Suman
Hi Suman,
Give the Quotation change and display authorisation only to the head of the department.
Regards,
Murali.
Authorisation Object - for specific functions to restrict access
Hi,
I have to use Authorisation Object in my program to restrict the access by all users.
Only those users with the zcxbilllock security role will be able to perform the functions like 'Lock/Unlock', 'Delete', and 'Recosting' ..
How do I code this.... Can anybody please help.... I would really appreciate...
INCLUDE YFMXBOMCL1.
INCLUDE YFMXBOMO01.
INCLUDE YFMXBOMI01.
INCLUDE YFMXBOMF01.
*-At selection screen
AT SELECTION-SCREEN.
  AUTHORITY-CHECK OBJECT 'Z_PP_XBILL'
    ID 'ACTVT' FIELD '02'.
*SY-SUBRC = 0.
*IF SY-SUBRC <> 0.
  AUTHORITY-CHECK OBJECT 'Z_PP_XBILL'
    ID 'ACTVT' FIELD '16'
    ID 'ACTVT' FIELD '95'.
  IF SY-SUBRC <> 0.
    MESSAGE E010(AD) WITH TEXT-A01.
  ENDIF.
Here 16 -> execute and 95 is unlock.
Thanks a lot in Advance
Jaya
Hi jaya
Evaluate sy-subrc right after the authorization object call.
sy-subrc = 0: user is authorized for the activities defined in the authorization object
sy-subrc != 0: no authorization.
To understand more about authorization object creation and their usage, refer to this link.
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/a92195a9-0b01-0010-909c-f330ea4a585c
Thanks
Vishal Kapoor
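One way to apply the advice above to the posted program, as an added example that is not code from the original posts: each activity gets its own AUTHORITY-CHECK, and sy-subrc is read directly after it, before another check can overwrite it. The object Z_PP_XBILL, the activity values 16 and 95, and message E010(AD) with TEXT-A01 come from the question; the report name, the checkbox P_UNLOCK and the form IS_AUTHORIZED are hypothetical, and the object is assumed to have ACTVT as its only field.

```abap
REPORT zxbill_auth_demo.

* Added example. Activity values as stated in the question:
* 16 = execute, 95 = unlock.
CONSTANTS: gc_execute TYPE c LENGTH 2 VALUE '16',
           gc_unlock  TYPE c LENGTH 2 VALUE '95'.

* Result flag of the last check: 'X' = authorized, blank = refused.
DATA gv_ok TYPE c LENGTH 1.

* Hypothetical selection-screen switch for the unlock function.
PARAMETERS p_unlock AS CHECKBOX.

AT SELECTION-SCREEN.
* Running the report at all requires execute (16).
  PERFORM is_authorized USING gc_execute CHANGING gv_ok.
  IF gv_ok IS INITIAL.
    MESSAGE e010(ad) WITH text-a01.
  ENDIF.
* Unlock (95) is checked only when the user asks for it, so users
* without it can still run the report without that function.
  IF p_unlock = 'X'.
    PERFORM is_authorized USING gc_unlock CHANGING gv_ok.
    IF gv_ok IS INITIAL.
      MESSAGE e010(ad) WITH text-a01.
    ENDIF.
  ENDIF.

* One activity value per check. The result is returned to the caller
* so the same form can guard a button or function code later on.
FORM is_authorized USING    iv_actvt TYPE c
                   CHANGING cv_ok    TYPE c.
  CLEAR cv_ok.
  AUTHORITY-CHECK OBJECT 'Z_PP_XBILL'
    ID 'ACTVT' FIELD iv_actvt.
* sy-subrc belongs to the statement directly above; any later
* statement that sets it would hide a failed check.
  IF sy-subrc = 0.
    cv_ok = 'X'.
  ENDIF.
ENDFORM.
```

The error message at AT SELECTION-SCREEN returns the user to the selection screen, so a failed check stops processing before any data is read.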
Restrict Authorisation not to change a field in IO master
Hi,
I want to know how to restrict authorisation for a few users so that they cannot change the 'Profit Center' field in the IO master, e.g. user1 should have authorisation to change the IO master other than the 'Profit Center' field.
The t-code is KO02 (change Internal Order) and in the assignment tab there is a field for 'Profit Center' and I want to restrict the user from changing this field but should be able to change other fields.
Please let me know how this can be achieved.
Thanks
V.S
Hi VS,
You can try this yourself: try giving full access of tcode KO02 to a test Id and put a trace on it. Now try to log in with this test Id and change the "Profit Centre" field; looking at the trace file you will get to know which authorization object is being checked during this whole process.
Now try restricting those objects and continue negative testing with the test Id till you achieve your objective.