Restricting sales org in a query
Hi,
I've been asked to investigate how to restrict users from accessing different sales orgs in a query report. Is there an easy way? I have looked at the code and found where I can add some authorisation checks on the infocube but that seems a very roundabout way of doing it?
Any ideas?
Thanks,
Gill
OK, bad news is that auths aren't included in queries unless they are based on a Logical Database & there are checks in the LDB. I suppose this is because query is for quick & dirty reporting.
Good news is that you can restrict but from what you are saying I think you have worked out how to do it already. The only way I am aware of is to add AUTHORITY-CHECK into the record processing part of the infoset code.
Another alternative is to create queries that only select for a particular sales org and only assign those queries to users who need to be restricted.
Similar Messages
-
Urgent, Restricting Sales org & Distribution Channel
I'm having two users and one is from US and other MEXICO
If user from US LOG'S into SAP ,He should only his Sales org(US01) & Distribution Channel(001) & Mexico User log ,then he should be able to see only his Sales org(ME01).
My Question is there a way where we can restrict US / MEX Through Security , if not Can we restrict through abap if so Please send me some details , Which table /code .
any inputs will be appreciated ,Hi
One way is as below.
DATA: BEGIN OF lt_tvko OCCURS 0,
vkorg TYPE vkorg,
bukrs TYPE bukrs,
END OF lt_tvko.
SELECT vkorg bukrs FROM tvko INTO TABLE lt_tvko
WHERE vkorg IN lr_vkorg.
IF sy-subrc NE 0.
MESSAGE e085(wv).
ENDIF.
* Check all retrieved co.codes
SORT lt_tvko BY bukrs.
DELETE ADJACENT DUPLICATES FROM lt_tvko COMPARING bukrs.
LOOP AT lt_tvko.
* Error Message: No authorization for sales organization &1
PERFORM f_bukrs_auth_chk_p USING lt_tvko-bukrs 'ICC_FI_CN' 'E' '010'
lt_tvko-vkorg '' '' ''.
ENDLOOP.
FORM f_bukrs_auth_chk_p USING value(lc_bukrs) TYPE bukrs
value(lc_msgid) LIKE sy-msgid
value(lc_msgty) LIKE sy-msgty
value(ln_msgno) LIKE sy-msgno
value(lc_msgv1)
value(lc_msgv2)
value(lc_msgv3)
value(lc_msgv4).
AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
ID 'BUKRS' FIELD lc_bukrs
ID 'ACTVT' FIELD '03'.
IF sy-subrc NE 0.
MESSAGE ID lc_msgid TYPE lc_msgty NUMBER ln_msgno
WITH lc_msgv1 lc_msgv2 lc_msgv3 lc_msgv4.
ENDIF.
ENDFORM. "f_bukrs_auth_chk_p
Select the sales organization mapping to Company code and then restrict.
Hope this can help you.
Kind Regards
Eswar -
Restrict SaTy for 1 Customer in a Sales Org
Hello,
I have a scenario where a specific sales document type is to be restricted for 1 customer. All other customers for the particular Sales Org / Dist Channel / Division are to use this sales document type except for this customer, and my user would like a hard stop to be enforced (i.e. stop message) when attempting to enter an order in this specific sales document type for this customer. If a different sales document type is specified prior to sales order entry, the order should be created for the customer.
Is there any master data or standard configuration that could allow this scenario to work?hi andy;
you have three options here:
1. create a Z table for the same the same with fields SALES ORGN/DISTRIBUTION CHANNEL/DIVISION/CUSTOMER NUMBER & SALES DOCUMENT TYPE which you want to restrict - this re usable any number of times because you will maintain in MAINTAINCE view inside Z table.
2. HARD CODE these SALES ORGN/DISTRIBUTION CHANNEL/DIVISION/CUSTOMER NUMBER & SALES DOCUMENT TYPE which you want to restrict & this is permanent setup but when ever you want to change it you need to go to the program MV45AFZZ : USEREXIT_SAVE_DOCUMENT_PREPARE will trigger to throw an E - ERROR message.
functionally :
3. block the customer with respect to the sales area in Go To T-code XD02-->
Extras-->bloc the customer or you can use XD05 for the same. but here blocing will not happen basing on the sales document.
please choose for which one you want to go with.
hope this clears this issue
balajia -
Restrict BP Master search based on Sales Org
Dear All,
I would like to assign different Sales Rep to different sales org. My requirement is to restrict Sales Rep from searching BP records of customers which are extended to their Sales org. How is this possible? Can I use auth object CRM_BP_SA to do the same?
Regards,
VivekAccess Control Engine?
-
While executing the query sales org not given in Selection screen but still
Hi ,
while am executing a query even though am not giving any sales organization input in selection sceen , and execute , the query will run and pop up windows displays as ' you do not Authorization to read Zsales organization,
same query i executed last days before , it worked fine, but now its not working, plz adviceHi,
you might made Sales org Info object as Auth relevant, hence it is giving that error.
Eirther disable the authorization relevant check in the infoobject maintainance in Bex explorer tab...
Or create a auth variable for the infoobject and use it in the query..
Regards,
Rangz -
Restrict F4 search results for specific plants / sales org / purchasing org
Hello All,
We have a project where a particular plant / sales org / purchasing org needs to be restricted because of the top secret data for that business. We would like to be able to restrict the search results that are displayed based on sales org / plant / purchasing org in the F4 help. If a user does not have access to the data / documents related a plant / sales org / purchasing org, we do not want the user to be able to see doc numbers, ship-to's, material numbers etc... My question is where do we restrict F4 results for the Sales and Distribution, Finance, Materials Management, Production Planning, Logistics, etc... modules? Thanks in advance for the help.
JordanWe can set authorization for specific plants and other organization levels,contact the basis team and discuss about the authorization
-
Restrict (hide) text type by sales org when creating notes for accounts
Hi
I have created 5 new text object IDs in text determination procedure BUT000. There are now approximately 40 text IDs in total. These 5 new text object IDs will only be used for 1 sales org. The other 35 will be used for various other sales org. When I go to create a note for the Business Partner in the WebClient UI (6.0) I have to select from a drop down list of 40 text types. As each user can only belong to 1 sales org, the user will never create a note of any other type apart from the 5 I created.
Therefore, is it possible to just show the 5 text types that I created? If so how do I go about doing this?
Regards
DeclanHi Declan,
I am not sure whether I have understood you correctly. If the user will never create a note to any other type of text apart from those 5 you have created then in Definition of procedure you can delete the rest 35 and then you will have only 5 text types.
the path is SPRO -> CRM -> BF -> Text Management -> Define Text Det. Procedure -> Select BUT000 -> Double click on folder Procedure -> here you can create Text. Det. Procedure and assign the text types you want.
Hope this will help.
Thanks,
Vikash. -
Restrict the values in the Query Designer
Hi Gurus,
I want to Restrict PLANT or SALES ORG values in the Query Designer, in the Query, PLANT has selected in the rows and having variable and SALES ORG is display attribute of the PLANT. In this scenario How can we Restrict the values?
Thanks in Advance,
Ravi.Hi Ravi,
You cannot restrict values on the display attributes. Better change it to navigational attribute and check the box as navigational in the cube.
Regards
Ram -
Sales org 2 view in material master
hi gurus,
Iam not able to see all fields in sales org 2 view in material master and i would like to know how to configure to restrict end users not to change it . thank you in advance.
regards,
GopioHi naga gopathi
go to Spro->logistics general ->materials management-> there you select the options of material feilds and select the material type and click on till you reach the sales orgn 2 view , .
In MMR settigs you can see table wise so i think it should me MARA table. for sales orgn 2 view
There you check the feilds wat you want is in display or supress mode
Regards
Srinath -
Hi SAP Gurus,
My (retail) client is implementing SAP (FICO) without MM & SD in the first phase. All sales / accounts receivable/ accounts payable data will flow in SAP through an interface. I have the following query:
If we want COPA, can we capture sales data without having a sales organisation?
Please advice.
Regards,
SangeetaHi,
COPA: Is Management tools where one can do complete marginal analysis of the data for decision making. In COPA the data flows from different modules like SD,MM,FI and CO etc. and stores in the form of Characteristics (Co.code,Sales.org,plat,division,customer hierarchy,product hierarchy,product etc) and value fields (Sales qty,sales revenue,cost of goods sold,expenses etc). Once the data flows into COPA tables here we can do the complete data analysis with respect to different prof. segments (the combination of more than two characteristics) and drill down analysis for management decision.
Here only the P&L accounts are flown to COPA.
Ex: the revenue for product xyz+division (Retail) is 100,000.
Segments: This is the feature in New G/L accounting, while posting in G/L the system derives the Segment based on configuration, for Segment financial reporting purpose, here both P&L, BS items are posted to Segments.
Regards -
Authorisations based on Sales Orgs in crm 2007 Web Client
I have a requirement to restrict the visibility of data (both masterdata and transactional data) based on a specific sales org. For a specific business role i need to restrict visibility for our account managers utilising the web client application to business partners from a specific sales org and also fortransactionsal data from the sames sales org.
I have been using the following authorisation objects to effect this but with limited success:
CRM_ORD_OP
CRM_ORD_LP
CRM_ORD_PR
CRM_ORD_OE
Whilst i can restrict users from viewing some of the specific data 9based on sales org), the transactional data and indeed customer master data still appears on the web client searches. What needs to happen to ensure that the data does not even appear in the relevant searches. The same requirement for searches of customers should also be
Has anyone met this type of requirement and if so what dod they do to implement it.Eddie,
Are you familiar with Access Control Engine (ACE)?
Go through this -> http://help.sap.com/saphelp_crm50/helpdata/en/04/0177f9bb67ac4cafb84bb4d4c1d8fc/content.htm.
and https://websmp205.sap-ag.de/~sapdownload/011000358700002121742006E.
Authorizations in CRM are controlled through ACE.
Hope this helps.
Amar. -
Ship to party should be editable for export sales org only
Hi,
i am copying quatation to order and that time ship to party is coming non editable.
i want to make this field editable specific for one sales organisation only so pls help me in this.
Edited by: Monty garg on May 19, 2011 6:37 AMDear Monty,
The Ship-to-Party editable is being controlled by the Partner function assignment settings.
If you want to restrict the change of Ship-to-Party in the Sales Order then the setting needs to be done in the following path
SPRO--> Sales and Distribution --->Master Data -->Basic Functions -->Partner Determination -->Set Up Partner Determination --->Set Up Partner Determination for Sales Document Header. Here for the PDP select the partners in the procedure and against the Partner Function SH maintain the tick against Not Modifiable.
Please note this depends on the PDP assignment to Sales document type and not on the Sales Org. If you have separate account group PDP and Sales Doc type for the Export sales then you can control based on the above settings.
Regards,
Karthik Krishnan -
One employee in several Sales Orgs?
Hello experts,
We have sales assistants that are sometimes assigned to several Sales Orgs. Unfortunately it looks like in C4C an Employee can only be assigned to one Sales Org.
Is someone aware of a scoping parameter/question that we missed that would allow us to do this? Or does someone have an idea of a potential work around for that?
They would need to access My Team's Accounts, My Team's Activities etc. for all teams they are assigned to for their daily jobs. This is why we were trying to assign them to multiple sales orgs.
Thanks,
JB.As an update, it worked with the Territories even with a higher level, so we could do what we needed.
The trick was just to use the Recommended restriction view in the Access Restriction of the role assigned to the user and make sure it was properly updated after the background job. Also I put the assistants higher in the Sales Orgs to avoid any conflicts due to the Employee/Manager relationship.
The Assistants are now associated to a Sales Region (in the territory management part this is one level before the last - Sales Territory), as any Sales Managers, and are associated to multiple Regions.
They can see all relevant Activities and only those.
At the same time, due to the Org Structure they can see all Accounts under their Org Struct which is consistent with our rights there as well.
Bottom line: Territory Management and Org Management are really close when it comes to right management, and in the end they work well together as long as you make sure your access restrictions are set up correctly and that your users' roles are properly updated.
Thanks for your help guys,
JB. -
Sales Org authorization errror in Allocation
Dear Experts ,
I am getting an error or authorization of a particular sales organization while running tcode WA03 .
It is a Vendor PO & Not an STO . Henece there is no sales org involved in the transaction .
Please tell me where in Aloocation will VKORG that is alses org be involved ?
Regards
Laxman .Hi,
for bw 3.x you can create a authorization object with at least salesorg + 0TCTAUTHH. Create 15 different profiles for every sales org one profile. In the query you use a new created authorization variable. The user has to have one or more of the mentioned profiles. When U now run the report, the authorization of the profile will be retrieved. As a result you will see only data for the auhtoriced salesorg in the profiles. IMHO there is now way to have a solution w/o changing the query.
Regards,Maik. -
HI,
Can anyone tell me how to get the sales ORG from the sales org attribute value. I was able to get the value using RHGA_FIND_ATTRIBUTES for non-range values but since postal code is maintained as a value range, I was unable to find the sales org for a particular zipcode.
Any help is appreciated
thanksHi Sujay,
If i understood ur query properly then the table HRP1028 should solve the problem.
Regards
Sidd
Maybe you are looking for
-
My HP ENVY dv4 windows 8 camera is not working and it cannot be found on the device manager.
I am using a HP Envy dv4 on Windows 8 and trying to use the 'Cyberlink Youcam ' Webcam which is not working. When I went to find it in the device manager, it was not present. I have restarted my computer already. Product Number: D5F96PA#AB4 Serial Nu
-
This bug makes the program virtually unusable for anyone using Windows 8.1. I have a dual screen setup : 1920 x 1200 and 1920 x 1080 on the other, AMD Radeon HD 5700 Series drivers (Latest versions), running on a Windows 8.1 Pro OS. When you attemp
-
Export to pdf is failing InDesign CS5
We have a large book (1000+ pages, 4000+ images) we are exporting to pdf to send to the printer. It takes a couple hours to process. It has worked in the past (we have beautiful 1000 page pdfs for previous edited versions). Now, however, (that we are
-
Non reading embeded audio file
Unable to read embeded audio file (mp3) in Windows seven with reader x (10.1.3) when I clickon it pdf file close immediately. Video files are read ok. Thnks in advance for answer.
-
MBean getAttribute throw NullPointerException
Weblogic:10.3.5 JDK: 1.6.0_29 64bit Please help me figure it out: RuntimeException thrown by rmi server: javax.management.remote.rmi.RMIConnectionImpl.getAttribute(Ljavax.management.ObjectName;Ljava.lang.String;Ljavax.security.auth.Subject;) <Mar 21,