Limiting processing in BD87 with S_IDOCMONI

Question: I have been asked to limit the capacity to process certain types of IDocs in BD87. Using S_IDOCMONI I am able to do this with the Message Type field.
My problem is that I need to give access to display all the information in the IDoc without giving the capacity to process. Here is the Auth I am testing now.

M Activity 03
M Direction for IDoc transmissio 1, 2
M Message type A*-ZEINMS, ZEM_DATA-ZX_PLUS
M Partner number *
M Partner type *
M Transaction code WE*

As is, there is no processing capacity for ZEINPO and ZEINNP in Mess type, which is what I want. The problem is that the display capacity has also been removed when you drill down into the list of IDocs.

NB: If I add the 2 message types back in the appropriate field I am able to process, even though I only have ACT 03.

Has anyone else had that problem?

We're on R/3 4.6C.

Thanks!

Answer:
Let's try one step at a time:

1. Can you clarify "display capacity has also been removed when you drill down into the list of IDocs"? Does that mean just for the 2 you are trying to restrict, ZEINPO and ZEINNP?

2. RE: "If i add the 2 message types back in the appropriate field i am able to process, even though i only have ACT 03." - try taking out WE*, you should be ok with WE02, 05, 07, and 09, retest and see if it makes any difference.

Regards,
m.r.

Answer:
1 - That's right. The display capacity for the 2 types of IDoc (ZEINPO and ZEINNP) has been removed. The IDocs do appear in the list, but selecting them and clicking on "Display IDoc" triggers a Not Authorized error message.

2 - OK. I'll experiment some more with the TCD field. I'm at home now but if I recall correctly it seems to be asking for WE02.

Thanks!

Answer:
Think I've found my answer: OSS note 380101.

Answer:
Well, that didn't work.

Does anyone know how to stop users from processing IDOCs in BD87, but only for ZEINPO and ZEINNP types (message type) of IDocs? The users still need to be able to display the Idocs.

Thanks!

Answer:
ok... so you ran off looking for an OSS note instead of working through the security problem all the way through..

Try this:

The following settings allow users to view ALL Idocs, ALL message types but restrict the processing to only message type ZRETURNS (setting in the second instance of S_IDOCMONI). To allow changes to other message types, replace ZRETURNS with your desired message types.

S_IDOCDEFT

Activity 03, 35 ACTVT
Extension * EDI_CIM
Basic type * EDI_DOC
Transaction code WE30, WE60 EDI_TCD

S_IDOCMONI

Activity 03 ACTVT
Direction for IDoc transmissio 1, 2 EDI_DIR
Message type * EDI_MES
Partner number * EDI_PRN
Partner type * EDI_PRT
Transaction code WE02, WE05, WE07 EDI_TCD

S_IDOCMONI

Activity 02-03 ACTVT
Direction for IDoc transmissio 1, 2 EDI_DIR
Message type ZRETURNS EDI_MES
Partner number * EDI_PRN
Partner type * EDI_PRT
Transaction code WE02, WE05, WE07, WE09 EDI_TCD

Let us know if this works for you.

Regards,
m.r.

Answer:
Thanks for the advice, even though the rip was unnecessary in my opinion. It didn't work by the way. Just wondering: I'm on 4.6C. What version are you on?

Also: is anybody restricting access to BD87 but allowing users access to some of the WE transactions for the same purpose? Just a thought.

NB: If you look at the code change provided in the OSS note, you'll notice that the check on the ACT field wasn't changed as far as I can tell. Can anybody confirm?

Answer:
it was said in jest mate.. don't take it personal.. looks like i have to do some more digging to get to the bottom of this problem.. i'm in the same boat as you as we have to create roles to do exactly what you are trying to do.. i had one of our IDOC experts test the above scenario and it worked in our environment (4.6C)... according to him... but I don’t have the total solution yet as to why it works although i now have more pieces of the puzzle for you.. but not the whole picture.. yet

first.. it looks like we use a custom report which may be filtering the message types... call it Z5S_REPROCESS_IDOC which then passes the IDOC to the SAP program RBDMANI2 for manual processing.. but i have yet to get to the bottom of why the positive and negative test worked according to my last posted settings and the result given by our tester (by the way.. the end user does not have access to BD87).. I will do some more testing and will get back to you when I have the whole puzzle figured out.

Here are some clues for the Z5S_REPROCESS_IDOC
* -------------------------------------------------------------------- *
* Report Z5S_REPROCESS_IDOC *
* This report lists the field names and field values for each segment *
* of the Idoc numbers entered on selection screen. The program was *
* designed to call a report and reprocess program specific to the idoc *
* message type if one has been created. *
* *
* To call an idoc Message Type specific report, create a report program*
* with the name Z5S_REPROCESS_IDOC_message_type. For example, *
* Z5S_REPROCESS_IDOC_ORDERS would display idocs of message type ORDERS.*
* *
* Within the report program, create a form routine called 'REPORT' *
* to format the idoc records for the specified message type. Also *
* create a form routine called 'POST' and include logic to handle *
* reprocessing the idoc. Then, create an entry in table TVARV (type P)*
* consisting of the constant value of sy-repid (ex. Z5S_REPROCESS_IDOC)*
* followed by '_message type'. Below is an example TVARV entry to *
* print a report and reprocess idocs of Message Type 'ORDERS' . *
* *
* TVARV-NAME Z5S_REPROCESS_IDOC_ORDERS *
* TVARV-TYPE P *
* TVARV-NUMB 0 *
* TVARV-SIGN *
* TVARV-OPTI *
* TVARV-LOW Z5S_REPROCESS_IDOC_ORDERS *
* TVARV-HIGH *
* *
* If no entry is found in TVARV for the message type entered on the *
* selection screen, the selected idocs will be displayed in a generic *
* (field name, field value) format. *
*

Answer:
We asked SAP and received this:

If you want to restrict some users to IDoc display only, you could
give them only access to transaction WE02 and not to BD87. If they
can not even call BD87, they could also not call its reprocessing
features.

I have received the following information from my colleagues in
development support:

we use activity '03' intentionally.
The reason for this is twofold:

The user should be able to process all IDocs (s)he can see; if there
would be a further selection according to authorization status, the
user would not understand what has happened.

A different authorization would not give you more security, because
the user could read the data from the IDoc display and call the
appropriate application transaction with this data, so why should it
not be possible to do this directly.

In existing releases we could not change anything in this area
anyway, because all customers now working with the existing
authorizations would experience changes. This is not feasible for a
support package.

Best Regards,

Louise Seagrave
Support Consultant
Global Support - Technology
SAP Active Global Support - Netweaver Web Application Server
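
The behaviour SAP describes above, as an added Python model that is not part of the original thread and not SAP code: a check passes when one authorization covers every field value, and because BD87 checks processing with the same activity 03 as display, the two-instance S_IDOCMONI profile cannot block processing there. Assumptions: the value matching is simplified, and the partner values, the WE02 default and the wrapper that checks activity 02 are hypothetical.

```python
from fnmatch import fnmatchcase

FIELDS = ("ACTVT", "EDI_DIR", "EDI_MES", "EDI_PRN", "EDI_PRT", "EDI_TCD")

def value_ok(allowed, value):
    """Simplified matching: exact value, '*' pattern, or 'LOW-HIGH' string range."""
    for entry in allowed:
        low, sep, high = entry.partition("-")
        if sep:
            # Range entry; a trailing '*' on the lower bound is treated as open.
            if low.rstrip("*") <= value <= high:
                return True
        elif fnmatchcase(value, entry):
            return True
    return False

def inst(actvt, mes, tcd):
    """One S_IDOCMONI authorization; direction and partner fields as in the thread."""
    return {"ACTVT": actvt, "EDI_DIR": ["1", "2"], "EDI_MES": mes,
            "EDI_PRN": ["*"], "EDI_PRT": ["*"], "EDI_TCD": tcd}

def check(profile, actvt, mestyp, tcode="WE02"):
    """Pass if any single authorization covers every checked field value."""
    # Partner number/type and the tcode default are constructed sample values.
    req = {"ACTVT": actvt, "EDI_DIR": "2", "EDI_MES": mestyp,
           "EDI_PRN": "PARTNER1", "EDI_PRT": "LS", "EDI_TCD": tcode}
    return any(all(value_ok(a[f], req[f]) for f in FIELDS) for a in profile)

# Profile from the question: gaps in the message type ranges exclude ZEINNP/ZEINPO.
ASKER = [inst(["03"], ["A*-ZEINMS", "ZEM_DATA-ZX_PLUS"], ["WE*"])]
# Two-instance profile from the answer: display everything, change only ZRETURNS.
TWO_INST = [inst(["03"], ["*"], ["WE02", "WE05", "WE07"]),
            inst(["02-03"], ["ZRETURNS"], ["WE02", "WE05", "WE07", "WE09"])]

def report(profile, mestyp):
    """(display, BD87 processing, hypothetical wrapper that checks activity 02)."""
    shown = check(profile, "03", mestyp)
    # Per SAP's reply, BD87 processing is checked with activity 03 as well.
    return shown, shown, check(profile, "02", mestyp)

if __name__ == "__main__":
    for name, prof in (("question", ASKER), ("two-instance", TWO_INST)):
        for mes in ("ORDERS", "ZEINPO", "ZRETURNS"):
            print(name, mes, report(prof, mes))
```

Only the third column separates ZRETURNS from the other message types, which is why the restriction has to be enforced outside BD87: either by withholding BD87 as SAP suggests, or by a custom reprocessing path that checks a different activity.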