Question:
Hi,
I have a basic question:
we have 3 company codes in our system, BE10, BE20 and BE80.
Each finance department per company can post only in it's own company code.
One of those 3 companies is the head office (BE10), and they also need the access to display bookings from the other 2.
Now what I have done to get this going, is restrict the access on auth Object F_BKPF_BUK, to only the relevant company code.
Now my question is for the Head Office. If I set the auth in F_BKPF_BUK as follows:
ACTVT *
BUKRS BE10
ACTVT 03
BUKRS BE20, BE80
will it give me what I want? I'm afraid it won't, and it will allow them to post in BE20/BE80 as well...
What can I do best? Create a new, separate role with only this auth object in it, and put the display-permissions in that one?
Thanks in advance for your feedback!
Answer:
Now what I have done to get this going, is restrict the access on auth Object F_BKPF_BUK, to only the relevant company code.
Now my question is for the Head Office. If I set the auth in F_BKPF_BUK as follows:
ACTVT *
BUKRS BE10
ACTVT 03
BUKRS BE20, BE80
will it give me what I want? I'm afraid it won't, and it will allow them to post in BE20/BE80 as well...
What can I do best? Create a new, separate role with only this auth object in it, and put the display-permissions in that one?
This will give you what you want for all functions controlled by F_BKPF_BUK
One role with the update access to BE10 and a separate role for display access to BE20 and BE80 would work