To restrict authorization for tcode MEK1,MEK2,MEK3,MEK4 at plant level.

Similar Messages

• To restrict authorization of tcode MEK1,MEK2,MEK3,MEK4 at plant level

  Hi,
  We have  a requirement where we need to restrict authorization for tcode MEK1,MEK2,MEK3,MEK4 at plant level.
  Presently we can restrict authorization at Purchasing organization level but not at Plant level.
  Any pointer please!
  Regards,
  Chetan

  Hi,
  You can restrict the users for the authorization of these T-Codes on their  User ID. Take help of  Basis who controls Roles & Profiles. (T-Code PFCG)
  Hope this helps,
  Best regards
  Amit Bakshi

• BASIS--to restrict authorization for a PO document type & 122 movement type

  Dear All,
  Plz guide me how to restrict authorization for a PO document type & for a movement type 122 i.e. for eg. if a user has authorization for PO document type IC then he should not be able to rum movement type 122 for any T-code he runs.
  Thanks in advance
  Arpit
  Basis

  Hi,
  Your request was not too clear to me.. As per my unde
  Here is some details of Authorization object related to Purchase Order:
  Document Type in Purchase Order( M_BEST_BSA )
  Purchasing Group in Purchase Order (M_BEST_EKG )
  Purchasing Organization in Purchase Order  (M_BEST_EKO)
  Plant in Purchase Order  (M_BEST_WRK )
  Document Type in Outline Agreement (M_RAHM_BSA )
  Purchasing Group in Outline Agreement (M_RAHM_EKG )
  Purchasing Organization in Outline Agreement ( M_RAHM_EKO )
  Plant in Outline Agreement ( M_RAHM_WRK )
  This can be helpfull to you to restrict authorization to PO..
  In Organization Level, it can be restricted by Purchasing group, Purchasing organization and plant..
  Regards,
  Sandip

• How to restrict authorization for OBC4

  Dear all
  How to restrict authorization for obc4( field status) for user id wise
  Regards
  nasa

  Hi Nasa
  You try to use the S_TABU_LIN object. With this object you can control access to tables (called from maintenance views, SM30 etc) based on the database key for the table.
  And as far as I cant see, the OBC4 transaction is just a couple of maintenance views for V_T004V andf V_T004F.
  You can find a small how-to [here|http://www.mhn-consulting.com/s_tabu_lin.html]
  Regards
  Morten Nielsen

• How to restrict authorization for MMBE

  Hi,
  I need to restrict the authorization for t-code MMBE according to plant wise. Can anybody tell me about the procedure and authorization object used.
  Regards

  M_MATE_WRK Material Master: Plants is the object that is used to control teh display of data at plant level in tcode MMBE

• Restrict authorizations for payment item transaction

  Hi All,
  This is regarding authorizations for a banking system.
  The requirement is the users need to be restricted for the following transaction based on the Bank Posting Area or the contract managing unit.
  BCA_PAYMITEM_CREATE
  When the user goes to create payment item the user should be allowed to enter an account which has been created with the contract managing Unit ZSUM007 or Bank Posting area ZSUM. The user should not be allowed to go in for any other values of contract managing unit and Bank Posting Area
  BCA_PAYMITEM_MAINTN
  The user should be allowed to enter an account which has been created with the contract managing Unit ZSUM007 or Bank Posting area ZSUM .The user should not be allowed to go in for any other values of contract managing unit and Bank Posting Area.
  I checked the transactions in SU24 and found only authorization object S_TCODE associated with the transcations BCA_PAYMITEM_CREATE and BCA_PAYMITEM_MAINTN.
  Can someone please suggest a way to acheive this.
  Regards,
  Thamarai.

  Hi Shiva,
  I tried assigning the org unit using PFCG ORGFIELD CREATE.
  Now the org unit in pfcg shows Org. level Contract-Managing Organizational Unit (Encrypted) but there is no coresponding field in the authorization objects in the role.
  Can you please help since the project is very critical.
  Regards,
  Thamarai.

• Restricting Authorization for a specific Info-object

  Dear All,
  I have a scenario where I have to restrict the account managers by specific channels.
  I have 2 info-objects, Sold-to party and Sales Channel. Sales Channel is defined as attribute of the the Sold-To Part info-object.
  I was exploring the BI authorizations concept in SCM 2007.
  I created a authorization called "Test" and assigned the info-object Sales Channel in the authorization and restricted it for one value. This authorization along with 0BI_ALL I have added to the role under BI authorizations.
  However in interactive demand planning, I cannot restrict by the sales channel. It allows me to load data for all the channels.
  If I remove 0BI_ALL object, then I cannot load anything in interactive planning.
  Does anyone have a step by step proceedure for using the BI authorization concept?
  Regards,
  Kedar

  Yes, 0TCAACTVT (activity), 0TCAIPROV (InfoProvider) and 0TCAVALID (validity) have to be made authorization relevant. For the info objects you want to use to control security, also make them authorization relevant in RSD1, imagine the object you want relevant is ZZ_VKORG (sales organization).
  Then use RSCEADMIN transcation and 0BI_ALL will include the objects from above, copy 0BI_ALL into a object such as Z_1000 and then change the value for the specific info object that you want to control, imagine that you want sales org 1000 only to be allowed within Z_1000.
  Now, you have 2 choices: You can use the normal security maintenance (SU01, PFCG) and you can asssign RSRS_AUTHBIAUTH and set BIAUTH requal to Z_1000 or you can use user maintenance directly within RSCEDAMIN and assign Z_1000 to the user. Either way, it becomes part of the authorization of the user.
  You may find that you need to introduce colon authorization concept ( for mixed levels of data and that is just a matter of adding a second line to the allowable values and setting it like "EQ :".
  Things to consider:
  1. This authorization concept is water tight and will do everything you need, but will do at the expense that if you don't model it first, you will kill yourself trying to make it right. This becomes evident when you trace a security issue (via RSCEADMIN) because the way BI7.0 works is that it will build a minimized superset of authorizations, so it is best to know where you want to get to, rather than starting off by where you know you need to go.
  2. To control change or display mode, you will need to influence 0TCAACTVT, even though you might think to use C_APO_SEL3 for ACTVT, the BI7.0 concept works within the BI space and 0TCAACTVT doesn't impact it.
  3. If you activate more info objects, 0BI_ALL will get updated automatically but your custom  authorization objecst will not. So, it is best to activate them all at the same time so that you don't have to manually change them.
  4. Do the work in development and transport it to the TEST/QA/PROD environments, there are transprt tools within the RSCEADMIN.
  This is probably enough to get you going, reply back if you have specific questions or issues.
  I've been thru this in a painful way, sometimes the best things learned are learned the hard way

• Restrict authorizations for loads from HR to BW for certain data

  Hi,
  our customer wants protect some data in the HR productive system. This data are defined/restricted by certain personal areas.
  It is not enough to use reporting authorizations in BW to restrict presentation in queries or use filters in infopackets during load to avoid this data.
  The requirement is to make load of such data from HR to BW absolutely impossible, even BW administrator cannot see them and must not be able to load them.
  We will probably have to somehow limit ALEREMOTE users authorizations in BW. I do not know how and I even doubt, that extractors in HR source system perform authorizations checks for fields.
  Is there any way to do this?
  Thank you very much,
  Petr

  Hi Petr,
  Create a general enhancement program (restricted authorization) with generic name, which should be called dynamically for every datasource.
  Refer-
  http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/2d99121a-0e01-0010-e78c-b1ae566a2413?overridelayout=true
  Not personally tested but check following.
  In that program, you may try applying following logic:
  1) You may need to use TYPE ANY field symbols
  2) In While Loop until all fields of C_T_DATA checked, may be a counter based on total number of fields.
      DELETE C_T_DATA where <TYPE_ANY1> EQ (OR use IN) specific value(s) of Personnel Area
      DELETE C_T_DATA where <TYPE_ANY1> CS (Contains, check pattern) specific value(s) of Personnel Area
  ENDWHILE.
  Optionally: For Standard Daatsources in the same program you can add logic based on standard field only "WERKS".
  Note: You may need to research on dynamic pointing using field symbols for every field.
  Thanks
  Arun Purohit

• Remove authorization for Tcode: ME21 and ME22 from certain users

  Hi Guys,
  I'm new to BASIS.
  My requirement is to: Remove authorization to Tcodes ME21/ME22 from a list of users.
  How do I acheive this? We run on SAP 4.0B version.
  Hoping to get this resolved as soon as possible.
  Thanks
  SAPUser

  dear friend,
  1.
  run SU01
  goto Information-Information system
  select node Roles-By Transaction Assignment
  type ME21, ME22
  execute report
  see the roles displayed
  2.
  then find user who have these roles (usually company uses z-roles copied from standard)
  just highlight the role and hit user assignment (Cntrl-Shift-F9)
  you see all users who have this role. that means they are able to run these transactions.
  3.
  let's remove the role(s) we found.
  open second session, run SU01 type one of the user , goto Roles tab and delete the particular role you found.
  save user and test it (ask hem/her to log in sap and run ME21 and ME22). if needed adjust it again (may be another role to be deleted)
  say, fix completely one user/test it and then do the same things for other. test them.
  good luck!

• Help in bdc for tcode MEK1

  Hi,
  I am creating a recording for transaction MEK1. Based on the condition type specified , the next screen comes based on key combination. I want to check in the program that out of all the key combination user have selected which combination.
  For ex. for conditon type ZAVS the key combination comes as
  1) county/region/material
  2) country/region/vendor
  3) vendor
  If the vendor selects key as vendor then how to take the value for BDC program.
  Thanks,
  Anil N.

  Hi..,
  That option wl be selection indicator. Right?
  Then pass the value 'X', to select reuired one.
  While recording this screen, after entering the condition type , click on key combination.and then you wl get new pop up with radio buttons.
  just select one by one radio button from top to bottom.
  (here prefer the combination which is having more choices)
  and then you should get code like this..,
  perform bdc_field       using 'RV130-SELKZ(01)'
                                'record-SELKZ_01_002
  perform bdc_field       using 'RV130-SELKZ(02)'
                                record-SELKZ_02_003.
  perform bdc_field       using 'RV130-SELKZ(03)'
                                record-SELKZ_03_004.
  perform bdc_field       using 'RV130-SELKZ(04)'
                                 record-SELKZ_04_005.
  perform bdc_field       using 'RV130-SELKZ(05)'
                                 record-SELKZ_05_006.
  So here pass the X value in one of this where ever you want depeneding on your reuirement.
  With above code you can select any one of given five, to select one of from given six we have to add one more field, thats why while recording only you have to record the combination which is having more records.
  With in the loop you can implement the logic with if condition to pass the X value to reuired one.
  Thanks,
  Naveen.I

• Authorizations for Tcode Execution

  Hi. 
  I understand that users assigned a particular Tcode eg. PFCG might not be able to execute this Tcode if he is not assigned the corresponding Authorization object and related activity field values for the PFCG transaction to work.
  One tedious method of verifying that the user does indeed have authorization is to require the user to login and execute the transaction PFCG itself.
  Is there a faster way for the Administrator to check if the end-users does have the relevant authorizations/authorization_objects to support the execution of a tcode PFCG? This applies to all other tcodes.
  Thank you very much.

  Hi Chong,
  SAP delivers the tables USOBX and USOBT.
  Table USOBX defines which authorization checks are to be performed within a
  transaction and which not. This table also determines which authorization checks are maintained in the Profile Generator.
  Table USOBT defines for each transaction and for each authorization object which
  default values an authorization created from the authorization object should have
  in the Profile Generator.
  The tables are maintained in transaction <b>SU24</b>. This transaction displays the check indicators of a transaction. Check indicators determine if an authorization check will run within the transaction or not. Any object with CM(Check/Maintain) status will be pulled into PFCG when you add a transaction.
  To check this:
  Enter transaction SU24-->Enter any transaction which you want to check in "Transaction Code"->execute->Display check indicator-->Display field values.
  This would show you the authorzation objects along with there field values which will be pulled into a role when you add a transaction.
  Hope it helps.
  Please award points if it is useful.
  Thanks & Regards,
  Santosh

• Restricting Authorizations for GL Account

  Hi
  We have created 2 profit centers in our company code (Profit Center 1000 and profit center 2000). User for both the profit centers are different. User1 is responsible for profit center 1000 and user2 is responsible for profit center 2000.
  There are 5 bank accounts and we create separate GL accounts for the all 5 bank accounts. (1 main bank account and 2 sub accounts).
  Out of 5 bank accounts, 3 bank accounts pertains to profit center 1000 and 2 bank accounts pertains to profit center 2000.
  But by mistake user2 posts in bank of profit center 1. So i want to restrict the access of GL accounts of profit center 1000 to user2 and vice a versa. Please tell me how we can restrict the authorizations.
  I tried with some field as "authorization group" in GL master data - FS00. But i am unable to use it properly. Please help me and let me know how to use "authorization group" in GL master data - FS00.

  Hello,
  If it is a matter of authorization. the Atif's answer is right.
  If it is a mater of validation.
  To restrict G/L Account(s) with Profit center(s)
  You need to use GGB0 Validation in Accounting Documents.
  then you need to activate it through this path:
  SAP Customizing Implementation Guide - Financial Accounting (New) - Financial Accounting Global Settings (New) - Tools -Validation/Substitution - Validation in Accounting Documents.
  Note event is very important you can make it on line item level
  Regards,
  Edited by: Tarek Elkiki on Dec 11, 2011 10:51 AM

• Restrict authorization for saving BI query bookmark on BEx Portfolio

  Hi experts,
  I would like to find a way to control the saving query bookmark  functionality on BEx Portfolio. The problem is that every BI user can save in the BEx Portfolio which is observable to every user at global level. Is there a functionality to restrict the authorization so that only Power users are allowed to save bookmarks under BEx portofolio and where as non power user are allowed to access them
  Thanks

  Hi All,
  i'm also having same requirement, please reply with solution if any one did it,
  http://scn.sap.com/message/13836154
  Thanks
  Naga

• Restricting Authorization for movement types for Storage Location

  Hi Xperts
  I have a requirement that 313 & 315 material movements should not have any BBD/SLED check.However , 314 & 316 should have BBD/SLED check.
  Suppose there are two storage locations : A(Good Stock) & B(Blocked Stock).
  I want one User-ID should be authorized to perform 313 & 315 from A to B.However the same USER-ID should not be authorized to perform 313 & 315 from B to A.They should be authorized only to perform 314 & 316 from B to A.
  All the above trasnactions will be performed either via MIGO or via MB1B.
  How to achieve this.Pls suggest.
  Regards,
  Soumick

  Hi Soumick,
  You can try by creating 2 roles as given below.
  Role A - Tcode Migo
  BWART - 313 and 315
  for object M_MSEG_LGO field LGORT - give only A
  Role B - Tcode Migo
  BWART - 314 and 316
  for object M_MSEG_LGO field LGORT - give only B
  Try assigning both the roles to user and see... Not 100% sure...but u can try out.... You need to have such scenarios tested very thoroughly.
  With Regards
  Nishad Showkath

• Restrict authorization for particular authorization obj with resp to roles

  HI All,
  Example:  I am having below three release roles for purchase order.
  Role 1: Regional Commercial Head
       Below objects are assigned to it.
       M_BEST_WRK u2013 Plant 1000 with value 02
       M_EINK_FRG u2013 with release code A1
  Role 2: Regional Commercial Head
       Below objects are assigned to it.
       M_BEST_WRK u2013 Plant 2000 with value 02
       M_EINK_FRG u2013 with release code A1
  Role 3: National Commercial Head
       Below objects are assigned to it.
       M_BEST_WRK u2013 All plants with value 02
       M_EINK_FRG u2013 with release code B1
  All the roles are for releasing a purchase order.  My requirement is I had assigned 1st and 3rd roles to a user.  That user should not be able to release a purchase order with release code A1 for plant 2000.
  Kindly give a possible solution.
  Regards,
  Madhu Kumar

  Hi,
  As per your query you have to copy of role no 3 and mentioned all the plant except plant no 2000 in this role and assign to new user roale no1 and copy of role no 3 which is created newly without plant no. 2000. If you have only one user who have role no 3 and wants to role no 1 also then you edit role no 3 and modify the same where plant no 2000 not to assign.
  I hope this is clear to you. If you have any doubt pls mentioned here the error or issue you find.
  Anil