Question:
Hi All,
I am having difficulty limiting authorization access to vb01/vb02 based on the key combination (specifically by Division).
Same goes for VB11/VB12.
The only standard auth obj. that is checked is V_KOND_VEA which doesn't allow this limitation as demanded by my customer.
Any helpq/idea would be highly appreciated
Answer:
Then you have to ask the tough questions.
1. What risk or potential loss to the company are you trying to mitigate?
2. How much does it cost to control it?
3. Is the risk comensurate with the cost to control?
4. Is this a training issue you are trying to control with security?
5. Who is trying to abdicate their responsibility and getting Security to do their job?
6. Is there a user exit or business partner function available to add the check if it is justified?
7. Has there been a ST01 authorization trace done on the tcodes to see if the check is there but turned off in SU24?
The answers to 1 to 5 will probably lead to move on to something more important to control.
_________________
John A. Jarboe
Answer:
Hi John,
I like your way of thinking and it has played a major role in the way i manage the authorizations at customers' locations in the past, but this time the demand is quite legitimate as the customer i am currently working for genuinly needs these partitions amongst it's employees in order to keep separation of valuable information between the divisions in the company.
Therefore questions 1-5 have already been answered and now i am stuck on question 6... I can't seem to to find a standard solution nor a the proper user exit. As for SU24/ST01, from what i was able to see, i could not find any auth objects which serve the purpose...
your help is greatly appreciated, i hope you can bring me further in the thought process in finding a standard solution for this issue...
Thanx,
Yoyosha
Answer:
THere are several feature in Sales and distribution that allows you to control using Structural authorizations tied to the HR org structure. If you have "Divisions" in the Sales org then they shoudl be reflected in the HR org structure. If there are no user exits then PD profiles might give you the control you need.
You can look for business partner functions using BF03 or user exits using SMOD.
_________________
John A. Jarboe