Restrict a user from approving the PO that he had created

Similar Messages

• How to users from releasing a contract that they have created

  Hi,
  can someone tell me how tp stop users from releasing a contract that they have created and or changed.  It should be released by a different user.
  I've been doing some investigation, and it looks as if function module EXIT_SAPLEBND_002 (SAP Enhancement M06E0004) might be the User-Exit that I may need. Does anyone know if this is correct?
  John

  Hi,
  You posted your query to wrong forum, should be posted to MM forum.
  Anyway probably your users have the authority of transaction code ME35K (Release) and authority object M_EINK_FRG (Release Code and Group (Purchasing)) to be able release contract that they created.
  Regards

• How to restrict a user from using the transaction code SU01?

  How can I grant a profile to a user with the profile SAP_ALL except running the transaction code SU01?
  I know how to lock the transaction code using SM01 but is there any other way to do it.

  Go to S_TCODE
  Double click on it and give the combinations like        A*  -   X*
                                                                               SU00
                                                                               SU02 - Z*
                       Try this one definately it will work.

• Apps that arbitrarily restrict which users may use the App, such as by location or carrier, may be rejected

  Hello,
  I have an inquiry, this section:
  Apps that arbitrarily restrict which users may use the App, such as by location or carrier, may be rejected
  We have an mBanking app to be built and the Bank is insisting on forcing a mandatory update when there is a need
  and the user should be restricted from logging in in such case (as a security update or important bug fixes).
  Does the above fit in what will be rejected? Will the application be rejected in such a case? if so are there any workarounds?
  Thanks
  nsawaya

  No, no, and no.
  Sorry, but this is Apple we’re talking about here.
  Bob

• Restrict Standard User from not removing the COM-Addins registered under HKLM with Admin rights.

  Hello,
  I have developed a COM-Addin for word 2013 by VS 2013 and installed it under the HKLM with Admin rights. Now from an non-admin account, ie Standard User I'm able to uncheck that addin from the COM-Addins dialog and remove it also. Previously I have done the
  same thing for word 2007 addins and if a non-admin user tries to uncheck it the warning "The
  connected state of Office Add-ins registered in HKEY_LOCAL_MACHINE cannot be changed" pops
  up. But this is not happening for office 2013 apps(basically word, excel and powerpoint). 
  This is happening for all Add-Ins installed under HKLM.
  How can a Standard User be restricted from unchecking and removing the Office Addins registered under HKEY_LOCAL_MACHINE with same warning "The
  connected state of Office Add-ins registered in HKEY_LOCAL_MACHINE cannot be changed" in
  a pop-up box?
  Regards, Sayan

  Hi,
  The behavior is changed since Office 2010. Office 2010 and Office 2013 allows a standard user to turn a per-machine add-in off by unchecking the add-in in the COM Add-ins dialog.
  To restrict Standard User from not removing the COM Add-ins, we can try to add the add-in to
  the Group Policy option: List of managed add-ins in the Office Group Policy template.
  Word for example, the policy is under:
  User Configuration\Administrative Templates\Microsoft Word 2013\Miscellaneous
  To enable this policy setting, provide the following information for each add-in:
  In "Value name", specify the programmatic identifier (ProgID) for COM add-ins, or specify the file name of Word add-ins.
  To obtain the ProgID for an add-in, use Registry Editor on the client computer where the add-in is installed to locate key names under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Word\Addins.
  To obtain the file name of an add-in, click the File menu in the application where the add-in is installed. Click Options, click Add-ins, and then use the Location column to determine the file name of the add-in.
  In "Value," specify the value as follows:
  To specify that an add-in is always enabled, type 1.
  Hope this helps.
  Regards,
  Steve Fan
  TechNet Community Support

• Is their any way to restrict user from overriding  the graphs in SAP APO?

  Dear All,
  As we know, we can copy the graphs to other users using /n/sapapo/sdp_graph. But is their any way to restrict user from overriding the graph to particular user.
  Scenarios:
  In a project we have super user and semi-super user, whenever super user uses above t-code to copy graph to all users (he has included semi-super user id to target user list) but semi-super user does not want to override his graph by super user.
  Do we have such function in APO to restrict?
  Hope it is clear to understand.
  Regards,
  Pravin Tikar

  Hi Amol,
  thanks,
  I have checked SP Note 400434 - Authorizations in APO demand planning Also.
  Will check the authorization and will update the same.
  regards,
  Pravin Tikar

• How to prevent multiple users from updating the same data in coherence

  Hi,
  I have a Java Web Application and for data cache am using coherence 3.5. The same data maybe shared by multiple users which maybe in hundreds. Now how do I prevent multiple users from updating the same data in coherence i.e. is there something in coherence that will only allow one user a time to update. If one user is in a process of updating a data in coherence and some other user also tries to update then the second user should get an error.
  Thanks

  I have a question on the same line. How can I restrict someone from updating a cache value when I a process is already working on it. I tried locking the cache key but it does not stop other process to update it , it only does not allow other process to get lock on it.

• GPO to prevent users from accessing the root folder of their profile doesn't work

  Hi,
  Here's the scenario:
  In a Windows 2012 RDS I created two groups called RemoteApp users and remote desktop users.
  These groups are defined in the collection for the corresponding RD Session hosts.
  These groups are not included in any other group, but they are located under an OU -called  Remote Users.
  In the domain controller I have created a GPO named "Restrict access to root drive"  which is linked to the Remote Users OU.
  The GPO I selected is - "Prevent users from adding files to the root of their users files folder"
  This doesn't seem to work. I have waited more than a few hours to allow the 90 minutes update, plus used the gpupdate /force
  but when a user clicks on the RemoteApp (Excel in this example) then access to the C: drive (which is the root folder of the user's profile) is enabled, and the user can create folders and save files under C:.
  I tried to run gpresult for the specific user but the GPO I created wasn't mentioned.
  I thought this would be a straight forward mechanism, but somehow it looks like something is missing.
  I have read about loopback and expanding, but not sure if this is what needs to be done, and if yes - I'd appreciate if I can get  step by step instructions. Everything I found so far was VERY vague.
  Thanks !
  One more detail that may be relevant - the DC is a Windows Server 2012, and the session host is a Windows 2012 R2.

  > These groups are not included in any other group, but they are located
  > under an OU -called  Remote Users.
  >
  > In the domain controller I have created a GPO named "Restrict access to
  > root drive"  which is linked to the Remote Users OU.
  >
  The USER accounts need to be in the OU your GPO is linked to. Despite
  their name, GPOs do NOT apply to groups, but to users (and computers).
  Groups only provide an additional layer of filtering...
  Martin
  Mal ein
  GUTES Buch über GPOs lesen?
  NO THEY ARE NOT EVIL, if you know what you are doing:
  Good or bad GPOs?
  And if IT bothers me - coke bottle design refreshment :))

• How to restrict a user from deleting a PO

  Dear All,
  I have to restrict some users from deleting a line item in PO. They will be authorised to create & change the PO but they must not be able to delete the line item.
  Further it would be more helpful if it is possible to restrict them from deleting one perticular type of  PO(ex-Capex PO). They can change a capex PO but can not delete it.
  Any of the answars will be highly appreaciated.
  Regards
  Rutabhadra Panda

  Hello,
  Speak to your basis guy, put if you have created Capex PO as a particular document type, then maintain authorisation object M_BEST_BSA (Document Type in Purchase Order) and activity 06 delete.
  You may find that delete is still possible through activity 02 change, so you might need to maintain different roles depending on what you need.
  Thanks.

• Prevent User from Editing the Credit Limit Field

  Hi
  I would like to find out if there is a way to restrict user that has full authorisation to BP Master Data from changing a specific field on the Master Data.
  The scenario is that we allow an user to edit BP Master Data but would like to prevent the user from changing the credit/committment limit fields as it has financial risk and only managers can do so.
  If there any way within the stand SAP authorization that can achieve this requirement?
  BR,
  Jimmy

  Hi Jimmy,
  This would not be achievable through standard authorization.  You may try SP_Transaction_Notification instead.  Search within forum, there are many threads discussing this SP.
  Thanks,
  Gordon

• Restrict A User From Changing A Payment Term While Adding A/R Invoice

  Dear Experts,
  We want to restrict our users from changing payment terms while adding A/R Invoice.
  We use SAP B1 2007 b.
  Thanking  you
  Pradnya

  Hi,
  try below code in transaction notification procedure:
  if (@object_type = '13') and (@transaction_type IN ('A', 'U'))
  BEGIN
  IF exists (select T0.DocEntry FROM OINV T0 Inner Join OCRD T1 on T0.CardCode=T1.CardCode Where T0.GroupNum  !=T1.GroupNum and T0.DocEntry =@list_of_cols_val_tab_del)
            Begin
                 SET @error = 30
                 SET @error_message =N'You are not authorized to change payment terms'     
            end
  END
  for how the transaction notification works or how to use :
  check How to use Transaction Notification
  Thanks,
  Neetu

• Is there any way to prevent non-root users from rebooting the system?

  This question seems to be addressed many times on the web, but the problem is that none of the wannabe-howtos work on my system. In particular, this doesn't work and this doesn't work either, because (1) I need to keep policykit installed for udisks and other dependencies to function and (2) renaming (or removing) the file /usr/share/polkit-1/actions/org.freedesktop.login1.policy has (again) no effect on the users' ability to reboot and shut down the system. Even more surprisingly, adding the following to /etc/polkit-1/rules.d/20-disable-shutdown.rules has no effect at all:
  polkit.addRule(function(action, subject) {
  if (
  action.id == "org.freedesktop.login1.power-off" ||
  action.id == "org.freedesktop.login1.reboot" ||
  action.id == "org.freedesktop.login1.suspend" ||
  action.id == "org.freedesktop.upower.suspend" ||
  action.id == "org.freedesktop.login1.hibernate" ||
  action.id == "org.freedesktop.upower.hibernate"
  return polkit.Result.NO;
  As a result, ordinary users (not in the wheel group and with no special permissions) can simply reboot the machine by typing reboot. I remember that a simple polkit rule (as proposed on the Fedora forum) worked fine just a few months ago, but this doesn't work nowadays. The action IDs mentioned there are no longer listed in pkaction, so it's quite obvious that some changes (and bugs) have been introduced since then. I just need to prevent the users from rebooting the machine and to keep policykit installed. Is there any way to do this?

  karol wrote:Do said users have the ability to push the Power or Reset buttons?
  No, they don't.
  But come on, access permissions are a matter of principle rather than a matter of what you can possibly do with a hammer in your hand. That makes your question somewhat irrelevant to this issue. Imagine someone asking: "How can I protect my home directory from access by other users?" You would then probably ask: "Do said users have the ability to pull out the hard drive and mount it on their computer?"
  Even if the users had physical access to the ACPI buttons, rebooting the computer by mistake (via software) would still be much more likely than pressing (or even holding) the ACPI buttons by mistake.
  If I call rm -Rf / as a normal user, nothing should happen to the system in terms of availability to other users. Only my home directory and temporary files would vanish, but that's all. This is what permissions are there for. Similarly, when I type reboot as a normal user (no matter if I'm on SSH, on a local terminal or logged into KDE), it should be possible to simply disallow rebooting.
  The idea that users logged in locally can restart the computer may be fine for laptops under certain conditions, but it is a bad idea in almost all other cases. In a "kiosk" type environment, for example, the ability to reboot and get to the bootloader can be a huge security hole, unless all your disks are encrypted, and a huge "reliability hole" in any case. Suppose you use a desktop as a home server. You want everyone to be able to log in and to connect a USB flash drive (using polkit and udisks). But you simply don't want the machine to be rebooted. Why is such a simple thing so hard to do?
  Last edited by andrej.podzimek (2014-03-10 02:15:35)

• Is there a way to prevent a user from using the graph cursor legend to delete a cursor?

  I would like to have 2 cursors on a graph that can't be deleted by the user.

  Hi Dennis,
  I'm having this problem as well, and found your post. Are you referring to the Enabled State of the entire graph?  If so, this prevents the user from moving the cursor at all while the VI is running, which, of course, defeats the purpose of having a cursor at all.  Ideally, I would like to show the cursor palette and disable it's run-time shortcut menu.  This doesn't appear to be possible.   One workaround would be to hide the palle and instead include some indicators that show the cursors' values.  I'd prefer to show the palette to keep the program simpler.
  Any other solutions?
  Thanks,
  Alan
  Alan Blankman, Technical Product Marketing Manager and LabVIEW Developer
  LeCroy Corporation
  800-553-2769 x 4412
  http://www.lecroy.com
  [email protected]

• How to prevent a portal user from using the BEx Analyzer ?

  Hi,
  we have different type of users : most users may use the portal as well
  as the analyzer ;
  we have one special user with extended authorizations : this user
  should use the portal , where he has a limited set of queries to run
  with hardcoded filters ==> this user should not be able to use the
  analyzer however, since he then would be able to call all other queries
  by using the find function ;
  how can we make sure this user cannot use the analyzer , using SAP
  authorizations ?
  best regards,
  Erwin Van Giel.

  Hi,
  if I remove the complete S_RFC authorization for the user then the BEx Analyzer cannot connect anymore to the BW system, but neither can the user run reports from the portal : it needs the S_RFC with 'SYST'.
  If I only remove the RRMX from the S_TCODE and from the S_RFC, it does not prevent the user from starting the BEx Analyzer and connecting to the BW system. It only stops the user if he would start the RRMX transaction from within an SAPGUI session.
  Perhaps there should be a value in the S_RFC that allows connections from the portal but not from the BEx Analyzer .... ?
  so not solved yet ....
  best regards,
  Erwin.

• Prevent users from printing the List of Business Partner window

  Hi All
  I have had this request and not sure if it possible.
  He wants to prevent the users from printing the List of business partner.
  That is when you do a search on the marketing documents.
  when do a search it brings up the window, List of Business Partners.
  they can go to file print...choose table and print the list of BP.
  is there anyway to prevent that?
  Thank you
  Jerusha

  is it a smartform
  You have to disable from ADOBE end
  sfpoutputparams-NOPRINT = X
  when calling the function module FP_JOB_OPEN.
  Unfortunately the PDF converter, which converts the output
  of a Smartform, does not allow to disable the print button.
  Please see note 841850 about this. Only the PDF-based forms
  support this features (class CL_FP_PDF_OBJECT also belongs
  to the PDF-based forms).