Filter Document Type based on Authorization Object
Hello Everyone,
I have a requirement where I was asked to filter the document type based on authorization object M_BEST_BSA in transactions /KCP/2, ME21N, ME22N and ME23N.
When I create or modify a purchase order, I don't want to be lost in choosing the PO type. I want the field EKKO-BSART to display only the values authorized for the user (me).
Thanks a lot
RE is standard for MIRO. This is SAP standard.
Please clarify what you require.
Did you need other RE, for example LE for MIRO doc type in your co code 1130 and MIRO doc type EE for your co code 1145?
Likewise.
Edited by: manu m on Jul 13, 2009 7:53 AM
Similar Messages
-
Role creation and authorization objects in sap
Hi
I want to know the full relationship between creation of roles, authorization objects and authorizations in Web AS ABAP.
Please explain the process in detail, the use of PFCG and all its options, and how to create Z roles.
Although it would be a very long document to explain the query, I have briefed you on the concept. I hope it leads you well.
- Roles are nothing but a container for authorizations. A role represents a specific part of an employee's job.
- The R/3 authorization concept permits the assignment of either general and/or finely detailed user authorizations. These assignments can reach down to transactions, field and field value level.
For e.g. If a user wants to create a PO we can restrict him on:
• Activity: Create/Change/Display
• Org elements like Company Code, Plant, Purchase Organization etc.
• Document type etc.
- Authorization objects are grouped in an object class such as Materials Management: Master Data (MM_G). Each Object Class may have several authorization objects and within each object we can have several authorizations (max. up to 99).
- Fields: The permissible values for the fields constitute the authorization. For e.g. ACTVT (Activity) is a field with permissible values of 01 (Create), 02 (Change) & 03 (Display) for the object M_MATE_CHG (Material Master: Batches/Trading Units). Value * for field BEGRU signifies all possible values.
- An authorization allows you to carry out an R/3 task based on a set of field values in an authorization object. By themselves authorizations do not exist and they only have a meaning inside a profile.
- Authorizations are contained within profiles and these profiles are assigned to users manually or automatically via role assignment. When you assign the field values for all the authorization objects and save, the system will auto-generate a profile name.
- Authorization checks are included in the transaction source code in standard SAP R/3. A user may carry out an action if the authorization check is successful for each field in the object.
Edited by: Subramaniam Iyer on Nov 27, 2008 12:08 PM -
Restrict the user based on document type on migo transaction-prepare GRN
Hi,
We are running an ECC 6.0 R/3 system. We had a requirement as follows.
In the MIGO transaction, we want to restrict the user on document type, i.e. we want a particular user to be able to prepare GRN for document type STO only. He cannot prepare GRN for other document types.
We checked SU24 -> maintain check indicators for transaction codes -> enter MIGO -> execute -> check indicator. This returned the authorisation objects present in the MIGO transaction. We checked the help of all these objects, but we found none of them suitable for the above-mentioned requirement. We were planning to find the proper authorisation object to add to the Profile Generator.
The following is the objects which we have checked for.
A_B_ANLKL--> Asset Postings: Company Code/Asset Class
A_B_BWART--> Asset Postings: Asset Class/Transaction Type
B_USERSTAT--> Status Management: Set/Delete User Status
B_USERST_T--> Status Management: Set/Delete User Status using Process
C_AFKO_AWK--> CIM: Plant for order type of order
C_CACL_DSG--> Interface Design
C_DRAW_BGR--> Authorization for authorization groups
C_DRAW_DOK--> Authorization for document access
C_DRAW_TCD--> Authorization for document activities
C_DRAW_TCS--> Status-Dependent Authorizations for Documents
C_KLAH_BKP--> Authorization for Class Maintenance
C_STUE_BER--> CS BOM Authorizations
C_STUE_WRK--> CS BOM Plant (Plant Assignments)
C_TCLA_BKA--> Authorization for Class Types
C_TCLS_BER--> Authorization for Org. Areas in Classification System
C_TCLS_MNT--> Authorization for Characteristics of Org. Area
F_BKPF_BUK--> Accounting Document: Authorization for Company Codes
F_BKPF_BUP--> Accounting Document: Authorization for Posting Periods
F_BKPF_KOA--> Accounting Document: Authorization for Account Types
F_FICA_FOG--> Funds Management: authorization group of fund
F_FICA_FSG--> Funds Management: authorization group for the funds center
F_FICB_FKR--> Cash Budget Management/Funds Management FM Area
F_KNA1_APP--> Customer: Application Authorization
F_LFA1_APP--> Vendor: Application Authorization
F_SKA1_BUK--> G/L Account: Authorization for Company Codes
G_GLTP--> Spec. Purpose Ledger Database (Ledger, Record Type, Version)
J_1IDEP_SL--> Authorization object for depot sale transaction
J_1IEXC_OT--> Authorization object for Other Excise Invoice Create
J_1IEX_PST--> Autorization object for posting Other Excise invoice
J_1IGRPT1--> Auth. for PART1 at GR
J_1IINEX --> Incoming Excise Invoice
J_1IRG23D--> Authorisation object for Depo Transactions
K_CCA--> CO-CCA: Gen. Authorization Object for Cost Center Accounting
K_CSKS --> CO-CCA: Cost Center Master
K_CSKS_SET--> CO-CCA: Cost Center Groups
K_PCA--> EC-PCA: Responsibility Area, Profit Center
L_TCODE--> Transaction Codes in the Warehouse Management System
M_ANFR_BSA--> Document Type in RFQ
M_ANFR_EKG--> Purchasing Group in RFQ
M_ANFR_EKO--> Purchasing Organization in RFQ
M_ANFR_WRK--> Plant in RFQ
M_BEST_BSA--> Document Type in Purchase Order
M_BEST_EKG--> Purchasing Group in Purchase Order
M_BEST_EKO--> Purchasing Organization in Purchase Order
M_BEST_WRK--> Plant in Purchase Order
M_MATE_CHG--> Material Master: Batches/Trading Units
M_MATE_STA--> Material Master: Maintenance Statuses
M_MATE_WRK--> Material Master: Plants
M_MRES_BWA--> Reservations: Movement Type
M_MRES_WWA--> Reservations: Plant
M_MSEG_BMB -->Material Documents: Movement Type
M_MSEG_BWA--> Goods Movements: Movement Type
M_MSEG_BWE--> Goods Receipt for Purchase Order: Movement Type
M_MSEG_BWF--> Goods Receipt for Production Order: Movement Type
M_MSEG_LGO--> Goods Movements: Storage Location
M_MSEG_WMB--> Material Documents: Plant
M_MSEG_WWA--> Goods Movements: Plant
M_MSEG_WWE--> Goods Receipt for Purchase Order: Plant
M_MSEG_WWF--> Goods Receipt for Production Order: Plant
M_RAHM_BSA--> Document Type in Outline Agreement
M_RAHM_EKG--> Purchasing Group in Outline Agreement
M_RAHM_EKO--> Purchasing Organization in Outline Agreement
M_RAHM_WRK--> Plant in Outline Agreement
Q_TCODE--> QM Transaction Authorization
S_ADMI_FCD--> System Authorizations
S_ALV_LAYO--> ALV Standard Layout
S_BDS_DS--> BC-SRV-KPR-BDS: Authorizations for Document Set
S_BTCH_ADM--> Background Processing: Background Administrator
S_BTCH_JOB--> Background Processing: Operations on Background Jobs
S_CTS_ADMI--> Administration Functions in Change and Transport System
S_DATASET--> Authorization for file access
S_DEVELOP--> ABAP Workbench
S_DOKU_AUT--> SE61 Documentation Maintenance Authorization
S_GUI--> Authorization for GUI activities
S_OC_DOC--> SAPoffice: Authorization for an Activity with Documents
S_OC_ROLE--> SAPoffice: Office User Attribute
S_OC_SEND--> Authorization Object for Sending
S_PACKSTRU--> Internal SAP Use: Package Structure
S_PRO_AUTH--> IMG: New authorizations for projects
S_RFC--> Authorization Check for RFC Access
S_SCD0 --> Change documents
S_SPO_DEV--> Spool: Device authorizations
S_TABU_DIS--> Table Maintenance (via standard tools such as SM30)
S_TCODE --> Transaction Code Check at Transaction Start
S_TRANSLAT--> Translation environment authorization object
S_TRANSPRT--> Transport Organizer
S_WFAR_OBJ--> ArchiveLink: Authorizations for access to documents
V_LIKP_VST-->Delivery: Authorization for Shipping Points
V_VBAK_AAT-->Sales Document: Authorization for Sales Document Types
V_VBAK_VKO-->Sales Document: Authorization for Sales Areas
Have you executed a trace while a functional user executes the transaction code for the specific parameters (i.e. document type)? The trace will then show which objects are being checked; then look at the object documentation in txn SU21 to determine if there are any ways to restrict on the particular value. In some cases, if the authorization group field is being checked, additional configuration is needed in order to implement the security (SU21 will explain in detail for the particular object).
-
Document Type - Object link to be made mandatory
hi All,
We are having a requirement that - For a particular 'Document Type' Object link shall be made mandatory.
Ex: For Doc. Type: ABC - 'Sales Document - Item' is MANDATORY
For Doc. Type: XYZ - 'WBS Element' as Object link is MANDATORY
How do I achieve this?. Pl. advise.
-thanks
Hi,
In DC10, define the document type and assign SAP object links. Making fields mandatory is risky in DMS customization; it will affect other SAP object links like BOM item and BOM header, because for a BOM item you cannot assign values directly in CV02N. So you need to create the DIR first and then assign the BOM item from the user t-code.
Regards,
chandu. -
Number range based on different business area for same document type
Hi All,
The scenario is my client wants to give the different number range for a particular document type based on different business area.
Is there any user exit by which I can restrict the same.
Regards,
Meenakshi
Hello,
Document number ranges are created per company code and fiscal year. You cannot create / restrict the document number ranges per business area.
Business areas are independent of all organizational values; they cut across all company codes.
Regards,
Ravi -
Authorization Object for using Object Services
Can you tell me how to limit a user's authorization to create or delete attachments using the object services functionality? We'd like to control the addition and deletion of the attachments. Is there a specific authorization object for this functionality?
Thank you, Julie
Hi Julie,
I hope that the following is the solution for your problem. Check whether this is helpful to you or not.
Authorization Object C_DRAW_BGR (Authorization Group)
The following table shows authorization object C_DRAW_BGR. This authorization object allows you to limit access to individual documents.
Fields | Possible Values | Description
BEGRU (Authorization group) | 0000 - ZZZZ | Used to restrict the authorizations for document maintenance further.
Authorization object C_DRAW_BGR can be used to restrict access to individual documents. It works like a simple on/off switch. If the check of object C_DRAW_BGR is fine, the user's authorization can be further restricted by checking C_DRAW_TCD (check only based on the document type) or C_DRAW_TCS (check of the combination of document type and status). At the fifth level there is a BADI called DOCUMENT_AUTH01, which you can use to design your own authority check.
Authorization Object C_DRAW_DOK (Document Access)
The following table shows authorization object C_DRAW_DOK. This authorization object controls which original data of a specific document type there are access authorizations for.
Fields | Possible Values | Description
ACTVT (Activity) | 52, 53, 54, 55, 56, 57 | 52 = Change application start; 53 = Display application start; 54 = Display archive application; 55 = Change archive application; 56 = Display archive; 57 = Store archive
DOKAR (Document type) | | Here you enter the document type that access to original data is allowed for.
Authorization Object C_DRAD_OBJ (Object Link)
The following table shows authorization object C_DRAD_OBJ. This object controls which users can process which document info records, based on a combination of activity, object, and status.
Fields | Possible Values | Description
ACTVT (Activity) | 01, 02, 03, 06 | 01 = Create; 02 = Change; 03 = Display; 06 = Delete
DOKOB (Object) | | You must enter the database table for the objects here (for example, MARA for material record).
STATUS (Document status) | |
if useful rewards points.
Regards,
nitin
Edited by: nitin bhagat on Feb 18, 2008 6:23 AM -
Hi,
I need to create one authorization object which contain only one field as sy-uname.
I carried out the following steps:
1. I went to SU21
2. Create a class
3. Create an authorization object
4. Add a field sy-uname in the field
Now, my query is:
1. Is it allowed to add sy-uname there in the field, or do I have to put just 'uname' there, or what?
2. Are there any other steps required after adding the field in the authorization object?
3. Does anyone have some document on how these authorization objects work, except the F1 help on 'AUTHORITY-CHECK' in the editor?
Hi
In general different users will be given different authorizations based on their role in the orgn.
We create ROLES and assign the Authorization and TCODES for that role, so only that user can have access to those T Codes.
Use SUIM and SU21 T codes for this.
Much of the data in an R/3 system has to be protected so that unauthorized users cannot access it. Therefore the appropriate authorization is required before a user can carry out certain actions in the system. When you log on to the R/3 system, the system checks in the user master record to see which transactions you are authorized to use. An authorization check is implemented for every sensitive transaction.
If you wish to protect a transaction that you have programmed yourself, then you must implement an authorization check.
This means you have to allocate an authorization object in the definition of the transaction.
For example:
program an AUTHORITY-CHECK.
AUTHORITY-CHECK OBJECT <authorization object>
  ID <authority field 1> FIELD <field value 1>
  ID <authority field 2> FIELD <field value 2>
  ID <authority field n> FIELD <field value n>.
The OBJECT parameter specifies the authorization object.
The ID parameter specifies an authorization field (in the authorization object).
The FIELD parameter specifies a value for the authorization field.
The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.
http://help.sap.com/saphelp_nw04s/helpdata/en/52/67167f439b11d1896f0000e8322d00/content.htm
To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.
Authorization : An authorization enables you to perform a particular activity in the SAP System, based on a set of authorization object field values.
You program the authorization check using the ABAP statement AUTHORITY-CHECK.
AUTHORITY-CHECK OBJECT 'S_TRVL_BKS'
  ID 'ACTVT' FIELD '02'
  ID 'CUSTTYPE' FIELD 'B'.
IF SY-SUBRC <> 0.
  MESSAGE E...
ENDIF.
'S_TRVL_BKS' is an auth. object
ID 'ACTVT' FIELD '02' in place 2 you can put 1,2, 3 for change create or display.
The AUTHORITY-CHECK checks whether a user has the appropriate authorization to execute a particular activity.
This Authorization concept is somewhat linked with BASIS people.
As a developer you may not have access to the SU21 transaction, where you have to define authorizations and objects, and for that object you assign fields and values. Another Tcode is PFCG, where you can assign these authorization objects and TCodes for a profile, and that profile in turn is attached to a particular user.
Take the help of the basis Guy and create and use.
Reward points if useful
Regards
Anji -
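Added example, not part of the original posts: one way to apply the AUTHORITY-CHECK pattern described above to the question of showing only the purchase order document types a user is authorized for. The report name is hypothetical; the example assumes the candidate document types are read from customizing table T161 with document category 'F' and that M_BEST_BSA is checked with the fields ACTVT and BSART.

```abap
REPORT z_demo_filter_po_doc_types.
* Hypothetical report name; added example, not SAP standard code.

TYPES: BEGIN OF ty_doc_type,
         bsart TYPE t161-bsart,
       END OF ty_doc_type.

DATA: lt_all     TYPE STANDARD TABLE OF ty_doc_type,
      lt_allowed TYPE STANDARD TABLE OF ty_doc_type,
      ls_doc     TYPE ty_doc_type.

* Assumption: purchase order document types are the T161 entries
* with purchasing document category 'F'.
SELECT bsart FROM t161
  INTO TABLE lt_all
  WHERE bstyp = 'F'.

* Run the authorization check once per candidate value for the
* current user. ACTVT '01' = create; use '02' for a change dialog.
LOOP AT lt_all INTO ls_doc.
  AUTHORITY-CHECK OBJECT 'M_BEST_BSA'
    ID 'ACTVT' FIELD '01'
    ID 'BSART' FIELD ls_doc-bsart.
  IF sy-subrc = 0.
    APPEND ls_doc TO lt_allowed.
  ENDIF.
ENDLOOP.

* An empty result means the user holds no matching authorization.
IF lt_allowed IS INITIAL.
  MESSAGE 'No purchase order document type is authorized' TYPE 'I'.
  RETURN.
ENDIF.

* Output the values that could be offered in a value help.
LOOP AT lt_allowed INTO ls_doc.
  WRITE: / ls_doc-bsart.
ENDLOOP.
```

A filtered value list only narrows what the user is offered; the authorization check performed when the document is saved remains the control that enforces the restriction.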
Grant Master field group control based on authorization - hide fields
Hi,
The Grant Master field group control settings are based on grant type settings. So you can hide fields and tabs etc based on the grant's lifecycle status.
Does anyone know if this can be configured based on authorization objects / authorization roles?
We wish certain fields to be hidden in all life cycle statuses for all general users, but for central finance users we wish those fields to be visible.
There is a customizing transaction GMS103 in the SPRO/IMG path
IMG > Public Sector Management > Grants Management > Grantee Management > Master Data > Grant > GM Grant Control : Field group for Authorizations
The documentation for this transaction says:
GM Grant Control: Field Group for Authorizations
It is possible to group fields together for authorization purposes. Use this step to specify such groups in Grants Management (GM).
Standard settings
We deliver the groups you can enter here, as standard.
Activities
Choose New Entries and enter the ID for the group you want to add. When you save, the system displays the longer description for the group.
Further notes
Authorization to a group allows access to all the fields in the group for users with the appropriate authorization. Only allow access to those you know need it for the whole group.
This table is empty on our system. Has anyone used this part of the customizing and can they let me know how it links into the basis roles / authorizations etc.
Thanks
Paul Abrahamson
I found this authorization object F_GMGT_FDG
The documentation for the authorization object states:
Definition
With this authorization object, you can define authorizations for individual field groups in grants management maintenance. You thereby define which fields in grant master maintenance can be maintained or viewed by a user.
Notes
This authorization is optional. You do not have to assign authorization if there are no field groups that require special protection and consequently no field groups requiring authorization were defined in Customizing.
Defined fields
The object consists of the fields "Field group" and "Activity":
Field group
Here you define which field groups require authorization.
Activity
Here you define which activities are permitted:
02 = Change
03 = Display
* = All activities
Procedure
Proceed as follows if you want to use this authorization:
1. Determine the field groups of the fields that you want to protect.
2. In Customizing, define that these field groups require authorization.
3. For each field group, define the authorization that you wish to assign to selected users.
4. Assign this authorization using the corresponding profile.
I'll try this out and update this message again later -
dear all,
I have a requirement. In the S_ALR_87012271 report I want to filter the values based on document type, but there is no such characteristic in the available characteristics of the field.
path,
Go to FSI2, select the report of the above tcode and double click on it. Go to the display icon.
Now double click on any one of the 'item' entries. We will get a popup.
Now in that popup I want to add one more field in 'available characteristics', i.e. document type.
I also want to filter the data based on document type.
kindly guide me.
regards,
padmaja.
Hello Friend,
Select on the pop-up screen and press F1.
You will be able to see the screen number and program.
Check that screen and you will be able to see that it is using ALV / table control.
Add the code for the extra column.
Hope it will help you..
Rgrds
Krish -
Authorisation combined with document type, activity and status
I want to create a role for a user who is only allowed to create and change document type ZDI in status IW.
Which object authorization can provided this check ?
The object authorization C_DRAW_TCD control only the activity (create/modify) and the document type (ZDI).
The object authorization C_DRAW_STA control only the document type (ZDI) and the status of the document (IW).
But I need the combination of the both authorization. Does a possibility exist in standard to do it without create a client new authorisation?
Thanks in advance for your help.
Amande
Thanks for your response.
But it doesn't work as I want.
The object authorisation C_DRAW_TCS is checked before the save but not after save with the changed values.
for example :
the user has the following authorizations in the modification role:
C_DRAW_TCS activity 02 document type ZDI document status IW
C_DRAW_TCD document type ZDI activity 02
C_DRAW_STA document type ZDI status IW
The user also has the authorisation C_DRAW_STA document type ZDI status FI in the display role.
With this configuration the user can modify the document ZDI in status IW and change the status into FI. I don't want the user to be able to change the status into FI. Does a possibility exist to avoid this?
Of course, after storing this change of the status , the user can't access to the document ZDI with status FI.
SAP doesn't check the authorization C_DRAW_TCS activity 02 document type ZDI document status FI after status change.
Thanks in advance
Amande -
Document type during Goods Receipt in Intercompany Transfer flow
Hi,
We create a PO, Delivery and GI in company A
We do a Goods Receipt in company B.
Can we customize that FI document type ZZ is used during Goods Receipt in company B?
Document type ZZ may only be used in the Intercompany flow.
Where can I customize this setting?
Thank you in advance,
Best regards,
Eric van Zundert.
Hi,
The following are the standard steps to create an accounting document type and assign it to a transaction.
1) In T-code OBF4, click on "Financial accounting document types" and create a new document type.
2) On the same T-code, click on "Goods receipt document type" and assign the document type to the transaction.
3) On the same T-code, click on "Financial accounting No range" and assign the number range for each document type based on company code and fiscal year.
Thanks and Regards,
Maheshwari -
Document Type: Purchase Order
Dear All,
We have configured the following Document Type:
NB - Standard PO
UB - Stock transport ord.
ZIMP - Import PO
While creating the Purchase Order (ME21N), all three of these Document Types are visible to all the Users for Transaction across all Plants / Company Codes.
Is there any possibility wherein we can restrict the Display based on the Plants?
For example, we want the Users of Plant 1002 to use the UB - Stock transport ord. Type.
It does not sound good, yet for clarification, I am putting my doubt to you.
Is the Document Type Configuration anywhere related to Plant?
Thanks & Regards,
P K Karn
Hi,
I think there is no such configuration available to default the PO document type based on the Plant.
The only solution for this is to use default document type at the PO header level.
Hope this helps you.
Cheers
Umakanth... -
Maintain payment Terms according to PO Document Types
Hi,
We want to maintain Payment Terms according to PO Doc. type. Now in our system POs have Payment Terms disabled.
But we have a requirement that for 1 Doc. Type they should be changeable.
How is it possible?
Hi,
The document type concept is used to differentiate the different procurement processes, for example:
YNB: For Standard procurement
YIMP: For Import
YSUB: For Sub Contracting
YSER: For Service
A company may have 10 payment terms and one should not use document type based on payment term. Payment term is maintained in vendor master and from vendor master the payment term flows to the purchase order.
For each payment term, if one creates document type, then imagine how many document types will be created to meet business process requirement. Consultant should think & simplify business with proper designing for uses of minimum document types for procurement processes.
Regards,
Biju K -
How to add authorization field to a standard authorization object
Hi All,
I'm trying to limit a user so that they can only create & change X type of order type in the PM module. This can be fulfilled by creating a user with an assigned role that only allows X type of order type.
But when I assigned a display role which has authorization to display all order type (maintained as authorization object), now my user can create and change all order type.
How to limit user to can only create & change X order type and only display the rest of order type?
I assume by adding authorization field: AUFART(order type) in authorization object: I_TCODE will solve the problem, is it right? and is it possible to do that?
regards,
Andre
Hi,
your assumption is incorrect. First of all, adding a new field to standard authorization object is a bad idea. You would have to modify all checks for that object. For standard SAP object it means that you would have to modify many SAP programs.
The authorization object I_TCODE is checked in PM transactions. It gives you authorization to run that transactions. That object can't be used to limit what you do in that transaction or what order type you can process. You are looking for some other authorization object(s). You need to go to SU24 which gives you what authorization objects are checked in particular transaction. It does not have to cover all objects but it's a good starting point.
Cheers -
Multiple PO document types/transaction types in Extended Classic scenario
Hi All,
We are on SRM_SERVER 550, Extended Classic Scenario.
We have a requirement where we need to create multiple PO document types (based on certain criteria).
I have noticed that in standard, there are only 2 transaction types provided for SRM PO - ECPO and ECDP.
We need more document types and these should be triggerred automatically after SC is approved.
I understand that we need to maintain all the PO transaction types in SRM, number ranges in SRM then maintain the same transaction types as PO document types in R/3 and same number ranges in R/3.
I also understand that the change for document type needs to be done in BBP_DOC_CHANGE_BADI.
I have 2 specific questions:
1. We need to maintain attribute BSA for the users. Here we need to mention the document type and source system. What should be the source system maintained in attribute BSA for ECS? Should it be the SRM system or R/3 system?
2. In BBP_DOC_CHANGE_BADI to change the PO document type/transaction type in ECS scenario, which field should be changed? Should it be ET_ITEM-BE_DOC_TYPE?
Regards,
Srivatsan
Srivatsan,
To create new transaction type:
Supplier Relationship Management --> SRM Server --> Cross-Application Basic Settings --> Define Transaction Types
To create new number range:
Supplier Relationship Management --> SRM Server --> Cross-Application Basic Settings --> Number Ranges --> SRM Server Number Ranges --> Define Number Range for Local Purchase Orders
You can define to create automatic PO when a SC was created in: Supplier Relationship Management --> SRM Server --> Sourcing --> Define Sourcing for Product Categories
Rgs,
Pedro Marques