HRTRV_IF_MODIFY_TRIP - account authorization check in PR01?

Similar Messages

• Account Authorization Checks

  In SRM 4.0, we use the backend to determine what account authorization a user has.  This has worked pretty well until we applied SP12.
  All of our users were given the Employee job role in SRM in order to create carts.  If the user is considered a central user, they can create carts using any account.  After SP12, these users were only able to create carts to funds centers in their profile and it did not look at the fact that they also had central roles.
  Our programmer has modified his authority check function module.  However, this will look at users that have any central role.  We don't want that to happen.  Without completely modifying the function module, how do other organizations allow their central users to create carts using any account.  Are they given a separate role on the SRM side that differs from the departmental users?
  Would the separate role in SRM override their R3 security?
  Any help and advice would be greatly appreciated.  Thanks.
  Monique Stephens

  Monique,
  We do not limit g/l accounts by user per se.  That is a large task for a company of our size and we have too many exceptions to the rule.
  Instead, we created a custom table, overriden the search help and added custom edits to limit g/l accounts by material group (product catagory).  This guides the usage of g/l accounts which keeps our account group happy.
  BTW, we also doo addtional check for account assignments (orders, WBS elements, etc.) to prevent problems in R/3, which keeps our purchasing group happy.
  I hope this helps.
  Regards, Dean.

• Authorization checks for bank account number in vendor master

  I am trying to find a way to set up authorization checks for specific fields in the vendor master: LFBK-BANKL, LFBK-BANKN, LFBK-EBPP_ACCNAME and LFBK-EBPP_ACCNAME. I am tring to set ip up so that if you have access to transactions FK03 or XK03, you can view vendor master data except for the above fields.
  Does anyone know of a way to accomplish this? Your help will be greatly appreciated.
  Thanks
  -Peru

  HI Peru,
  To supress a field in FK03 u will have to check
  Financial Accounting (New)>Accounts Receivable and Accounts Payable>Vendor Accounts>Master Data>Preparations for Creating Vendor Master Data-->Define Screen Layout per Activity (Vendors)
  in that Display Vendor (Accounting) for FK03 and Display vendor (centrally) for Xk03
  But there bank account no is not there.
  Moreover there r no authorization objects for all the fields that u gave.
  So try creating screen variant/ transaction variant in SHD0.
  Regards,
  Kiran

• Set Up Authorization Check for G/L Accounts  into PO creation

  Dear friends !
  How could I activate check to the access to certain accounts into PO creation ?
  I know that is possible to activate this into Purchasing customizing under path
  SPRO > Materials management > Purchasing > Purchase order > Set Up Authorization Check for G/L Accounts
  But could I use it to give access only to certain GL Accounts by user ? Is this the purpose of this customizing ?
  If yes what´s the object should I use to link with user account !?
  best regards,
  Ale

  Hi ,
  After you setup the configuration in transaction OMRP, please setup up
  the authorisation group in the account code (FS02, the field is on the
  "Control", technical name is BEGRU).
  When a account assigned purchase order is created, the system checks for
  object F_BKPF_BES with values from the BEGRU and activity 01.

• Authorization check of Tcode FCH7 (reprint check) / FCHN (display check)

  Hello to you all,
  Does any of you know of an option of extended the authorization check of Tcode FCH7 (reprint check) / FCHN (display check) using authorization object F_BKPF_BEK / F_LFA1_BEK?
  Regards,
  yoav Bernstain

  Hi,
  Authroization: User need authroization to post Financial Accounting Document for Vendor
  Object: F_BKPF_BEK
  Activities: 01-Creat, 02-Change and 06-Deleter
  Authroization: User need authroization for vendor Master Data (03-Display activity can also work)
  Object: F_LFA1_BEK
  Activities: 01-Creat, 02-Change, 03-Display and 06-Deleter
  Regards,
  Prashant Rane

• Trying to purchase ibook, says "an error occurred while trying to confirm account info, check network connection" .

  says "an error occurred while trying to confirm account info, check network connection"
  i am connected to network, iphoto is updated, what else can i try?

  The following solution was reported by ASC member Troy Murray. I can't confirm that it works or that all the steps are necessary. Back up all data before making any changes.
  Step 1
  From the iBooks menu bar, select
  Store ▹ Deauthorize This Computer...
  Enter your Apple ID credentials when prompted and click Deauthorize. Quit iBooks.
  Step 2
  Follow the instructions in this support article under the heading "Remove the SC Info folder."
  Step 3
  Launch iBooks. From the menu bar, select
  Store ▹ Authorize This Computer...
  and authenticate again. Click Authorize. Then select
  Store ▹ Sign In

• Authorization check when searching for transactions

  Hi all,
  We have a requirement to show only those activities for which a user is authorized. A custom authorization object has been maintained and the check in CRMD_ORDER has been extended accordingly. When opening an activity, the check is executed correctly, but when searching for activities, ALL activities are still shown, so the check is not performed at that particular moment. I have tested with standard authorization objects as well, but none of them are taken into account. Does anyone of you know how we can have the authorization check executed before or during the search, so that only those activities are shown, that the user may maintain as well.
  Thanks in advance!
  Regards,
  Joost

  Hello Joost,
  Check if BADI CRM_ORDER_INDEX_BADI could not map your requirement.
  Regards,
  Frédéric

• Authorization check in BW

  Hi,
    I need to run authorization check  for another user in BW ..How can i do it
    if i run SU53 it is doing the authorization check for my account
  Thanks

  Hi Super,
                 You can check Authorization check in BW or in SAP using SU53 and enter user name of the already executed SU53 in the following way
  > enter SU53 -
  > then click on Copy button on left top side----
  > enter the user ID of executed user, you can see SU53 report this is one way you can retrive others SU53 reports. So in the BW authorization check can be done in the following way
  > enter RSSM----
  > in the bottom there is button of trace or error logs -
  > Enter user ID and run the trace or error logs
         Hope you understood, let me know if you need more details
  Thanks
  Qureshi

• Kanban authorization checks (SU24, PK13N, PK*)

  Hi,
  Does anyone know why the Kanban transactions (PK*) have mostly disabled authorization check indicators in SU24?
  In PK13N, for example, there is functionality to do a goods receipt (MIGO GR) and also functionality to create POs (and maybe more that I have not looked into yet).
  However, the related auth objects in SU24 are not enabled (check indicator = do not check).  This seems strange for these authorization objects.
  Especially in light of SoD.  Users could create POs or do Goods Receipt via PK13 without proper auth check and these 2 functions conflict already (using default GRC ruleset).
  But that's beside the point.  The question is: Is there a good reason why these are disabled and how is this NOT a secuty risk?
  Now, there is one object that is enabled: C_KANBAN
  But, I feel that this is insufficient to really secure the goods receipt action and the PO creation action.
  For reference, a list of disabled auth objects:
  C_STUE_WRK CS BOM Plant (Plant Assignments)
  C_TCLS_MNT Authorization for Characteristics of Org. Area
  F_BKPF_KOA Accounting Document: Authorization for Account Types
  F_FICA_CTR Funds Management Funds Center
  F_FICA_FTR Funds Management FM Account Assignment
  F_FICB_FKR Cash Budget Management/Funds Management FM Area
  F_FICB_FPS Cash Budget Management/Funds Management Commitment Item
  F_LFA1_APP Vendor: Application Authorization
  F_SKA1_BUK G/L Account: Authorization for Company Codes
  L_BWLVS Movement Type in the Warehouse Management System
  L_LGNUM Warehouse Number / Storage Type
  M_BANF_BSA Document Type in Purchase Requisition
  M_BANF_EKG Purchasing Group in Purchase Requisition
  M_BANF_EKO Purchasing Organization in Purchase Requisition
  M_BANF_WRK Plant in Purchase Requisition
  M_BEST_BSA Document Type in Purchase Order
  M_BEST_EKG Purchasing Group in Purchase Order
  M_BEST_EKO Purchasing Organization in Purchase Order
  M_BEST_WRK Plant in Purchase Order
  M_LPET_EKO Purchasing Org. in Scheduling Agreement Delivery Schedule
  M_MRES_BWA Reservations: Movement Type
  M_MRES_WWA Reservations: Plant
  M_MSEG_BWA Goods Movements: Movement Type
  M_MSEG_BWE Goods Receipt for Purchase Order: Movement Type
  M_MSEG_BWF Goods Receipt for Production Order: Movement Type
  M_MSEG_LGO Goods Movements: Storage Location
  M_MSEG_WMB Material Documents: Plant
  M_MSEG_WWA Goods Movements: Plant
  M_MSEG_WWE Goods Receipt for Purchase Order: Plant
  M_MSEG_WWF Goods Receipt for Production Order: Plant
  M_RAHM_BSA Document Type in Outline Agreement
  M_RAHM_EKG Purchasing Group in Outline Agreement
  M_RAHM_EKO Purchasing Organization in Outline Agreement

  Hi Steven
  Normally, when I submit OSS messages about security gaps the response is "working as designed", so I thought I'd try SCN first... perhaps it REALLY IS working as designed and there is a good reason why no auth checks should happen in this case.
  Unfortunately this is all too common. However, I have found a lot of the times it is a Level 1 Support person in SMP advising you of this. With perseverance and escalation to a the next level the chance of a fix is greater (still not a guarantee)
  It's a pity if working as per design they could explain why.
  MIGO can be used in display mode only. If PK13 and PK13N are meant to be display transaction and the SU24 allows you to perform change (i.e. none of the underlying auths are checked for change) then I would refuse to close the customer incident until SAP responds further. At the end of the day, if a display transaction allows modification then it isn't a display transaction
  I get the impression SU24 and some other security (e.g. authority check on '' instead of dummy) has been allowed to exist as customers give up and change the values themselves instead of getting SAP to fix their solution.
  You could also look at SE97 if call transaction can be switched to yes so users cannot jump from PK13N to MIGO (assuming the code was a CALL TRANSACTION)
  Regards
  Colleen
  P.s. - understand the comment with stale thread but take note of timezone and if you raise it on a Friday people may not see it until the following week. Although you did consider this, a lot of people on SCN put urgent in their question and then within the same day respond to their thread to "bump it" on the list

• Authorization Check during PR creation

  Hi,
  I would like to put authorization check in PR creation,particularly
  in the account assignment category. I have created a customized authorization object ZX with the field activity and knttp. My problem now is what userexit i can put this authorization check during PR creation/change...
  i have 2 kind of user, 1st is have access to all and 2nd user is create/change/display to kntpp = K. how can i accomplish this?
  appreciate all the help.points will be given. thanks
  she

  thanks. at the moment, we dont have abaper to work on the coding and to check userexit..so i was hitting this by all the help i can get from this forum. anyone had tried or worked with the same requirement? appreciate if i can have the abap coding at the same time the userexit being used.
  the requirement is to restrict user to create/edit PR to a certain account assignment KNTTP.
  i have created the customized auth object (knttp  -( actvy, knttp)..the customized auth object is maintained to each user role.
  Eg. user1 - knttp (acvtyt =*, knttp=KNTTP)
         user2- knttp(actvt = *, knttp=K)
  so if user2 try to create/change PR with account assigment not equal to K - cost center.
  error message will be trigger during authorization check.
  appreciate all the help.. thanks in advance.

• FBL3N - G/L account authorization

  Dear All
       can we add authorization check in G/L account in T.Code FBL3N ?
  example : user "X" must only display G/L account "112233" & "445566"
  what is the authorization object to control this issue .

  Hi Mohammed,
  You can add authorisation to check GLs.
  For this follow the following steps:
  1. Create a role with Authorisation object "F_BKPF_BES".
  2. Assign acitivity as 03 Display to the authorisation object.
  3. Assign the role created to the respective user IDs.
  4. Also in GL master Assign the Authorisation Group in "Control Data" tab.
  Kindly confirm if it work out.
  Regards,
  Gunjan

• Missing authorization check to display master data error..

  Hi,
  We are in SRM7.0.
  After adding content in my shopping cart, I am trying to change the Account Assignment in the Item Details from Network to Cost Center or GL Account.
  Under Item Overview, after changing the Account Assignment to Cost Center, I go to "Assign Number" to add a Cost center..On clicking the matchcode search box,  I get selection entries like Cost Center, Controlling area etc..If I click on the Search box without keying anything, I get a "Missing authorization check to display master data error".
  I get the same error, when I try to select Assets under Account Assignment area and use search under Assign number. I dont get any errors on searching networks.
  Am we missing any authorization check in the backend ?
  Regards,
  Rajan.K

  Hello Rajan,
  You could use transaction ST01 in SRM to perform some 'authorisation' trace.
  It might give you some pointers to the issue.
  Regards,
  Franz

• Cost element group authorization check on controlling area level

  Hi!
  When maintaining cost element groups (KAH1, KAH2, KAH3) is it possible to run an authorization check on controlling area level?
  We have one global chart of account but several controlling areas. When we create a cost element group it is created at chart of account level for all the controlling areas. When someone changes a cost element group it changes in all controlling areas. I cannot restrict user's authorization to be able to change cost element groups only in their own controlling area.
  Is it possible somehow?
  Thanks for your help.

  Hi,
  Like how the global chart of accounts is at the client level, the cost element groups are also independent of the controlling areas.  Infact, the cost element groups are created at the global COA level. 
  In such a case, I don't think it is possible to restrict the authorizations to amend the cost element groups at controlling area level.
  Thanks and Regards,
  Bhuvaneswari.S

• Authorization check (compagny code)

  Hi,
  For one user I'm trying to seperate access on two company codes:
  -For company Code A: User1 should be able to modify only Accounting Documents (Customers and Vendors)
  -For company Code B: User1 should be able to modify only Accounting Documents (G/L accounts)
  Does any one knows how can I separate such access for the same user.
  Thanks
  Kamel
  Edited by: Kamel Souilah on Dec 1, 2009 10:56 PM

  Thank you Julius for your reply,
  Most of the Tcodes used in this scenario are validating their authorization checks on the same objects. Hard to limit access using those objects. It could be feasible if F_BKPF_KOA has the field company code BURKS.
  I have to explore your suggestion regarding the subledgers so if you have more details about that point it would be appreciated.
  Thanks
  Kamel

• Issues with Analysis Authorization checks in APO

  Hi Friends,
  I am facing an issue with Analysis authorization checks in APO.
  We have setup user access based on Management Entity (Analysis authorization - AGMMGTENT and 0TCAACTVT) and core APO authorizations (based on the work profile - e.g: Demand Planner).
  Scenario: Consider User A has access to India and Australia Management Entities with 0TCAACTVT - *
  This user also has display access to all management Entities (AGMMGTENT - * and 0TCAACTVT - 03). This scenario works very well in Quality where the RSECADMIN trace shows check on both Characteristics. However in Production the RSECADMIN trace shows up only against AGMMGTENT (*) and by default takes 0TCAACTVT as (*).
  In Quality the Characteristics that get checked are as below : and it works as expected. Display access for Management Entities that are supposed to be displayed only and change access to only the Management Entities that it should.
  However the Trace for Production shows the following : As a result it is allowing the user to change access to all management Entities. Which is not desirable..
  Resultant trace results are as below: This should not happen..
  I have compared all Analysis Authorizations and it is same across both Instances. The Demand planner access is consistent too..
  Will it be possible for you to advise on what could I be missing.

  Hi All,
  If it helps, in Quality: the Authorization checks are listed as: Subselection (Technical SUBNR) 1
  while in Production it checks Subselection (Technical SUBNR) 1 in one place, however where it fails - the check happens as Subselection (Technical SUBNR) 0.
  Is there a way we can change this to SUBNR 1. Is there any table entry that I can look at to check if the Authorization check is functioning incorrectly..
  Please advise.. Thanks..
  Regards,
  Prakash