Question:
We are trying to restrict the access to the transaction MRBR. However, it offers only two authorization objects: M_RECH_EKG (Purchase Group) and M_RECH_SPG (Blocking reason).
Is there any way we could add the authorization for company code to restrict at that level?
Answer:
Make an SE93 change to MRBR transaction. Add your company code auth object in the "Authorization object" field. By making this change, you make sure that the new auth object is checked every time the tcode is executed by someone.
Answer:
Make an SE93 change to MRBR transaction. Add your company code auth object in the "Authorization object" field. By making this change, you make sure that the new auth object is checked every time the tcode is executed by someone.
While this will require the user to have the object, EVERYTHING is hard coded, so there is no way to discriminate based on the company code the user selects or is related to the document. The SE93 authorization check is the precursor to S_TCODE and should all but be abandoned from use.
You need to look for a user exit to add code to check for the co code.
Answer:
Will this mean that if I insert the line "AUTHORITY-CHECK" together with the name of the object in the user exit, I will be able to restrict the authorization?
Do I have to maintain some other tables/linkages in this case?
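The kind of company code check discussed above, as an added example that is not part of the original thread and is not SAP's MRBR code. It assumes the standard object F_BKPF_BUK with activity 02 as the company code object; the report name, the form name and the sample invoices are constructed, and the actual exit for MRBR is not identified in this thread.

```abap
REPORT z_bukrs_auth_demo.

" Added illustration. The exit that would call this logic is not named
" on the page; the form below stands in for it (hypothetical name).
TYPES: BEGIN OF ty_invoice,
         belnr TYPE c LENGTH 10,   " invoice document number
         bukrs TYPE c LENGTH 4,    " company code of the document
       END OF ty_invoice.

DATA: lt_invoices TYPE STANDARD TABLE OF ty_invoice WITH EMPTY KEY,
      lt_denied   TYPE STANDARD TABLE OF ty_invoice WITH EMPTY KEY.

START-OF-SELECTION.
  " Constructed sample rows standing in for the blocked invoices selected.
  lt_invoices = VALUE #( ( belnr = '5100000001' bukrs = '1000' )
                         ( belnr = '5100000002' bukrs = '2000' ) ).

  PERFORM check_company_codes.

  IF lt_denied IS NOT INITIAL.
    LOOP AT lt_denied INTO DATA(ls_denied).
      WRITE: / 'No release authorization:', ls_denied-belnr, ls_denied-bukrs.
    ENDLOOP.
    " In a real exit, raise the error here so that nothing is released.
  ELSE.
    WRITE / 'All selected company codes authorized.'.
  ENDIF.

FORM check_company_codes.
  LOOP AT lt_invoices INTO DATA(ls_invoice).
    " Dynamic check: the value tested is the document's own company code,
    " unlike the fixed value stored with the SE93 authorization object.
    AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
      ID 'BUKRS' FIELD ls_invoice-bukrs
      ID 'ACTVT' FIELD '02'.
    IF sy-subrc <> 0.
      " Collect every failure so the whole selection can be rejected.
      APPEND ls_invoice TO lt_denied.
    ENDIF.
  ENDLOOP.
ENDFORM.
```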
Answer:
Are other companies not facing the same problem? Because in my case, a user has accidentally released all the blocked invoices for all the company codes. To worsen the problem, the invoices were picked up by the payment program and paid too!!
Is there anything I could do today to ensure that no more errors of this kind happen?
Answer:
Have you ST01'ed the tcode in authorization mode to see what your options are? Also, have you looked to see if the user status control can be used (B_USERSTAT)? It will not show up in the ST01 authorization trace unless configured. Downside is the tcode you are trying to control may not use statuses.
SAP's response might be... working as designed... this is a training issue...
Other than this, you may need to search SMOD for a user exit.
Answer:
It will not show up in the ST01 authorization trace unless configured.
Hmm... is this a dark thing?
You imply that there are check indicators or hardcoded checks which do not appear in ST01?
Or do you mean that there is a way to capture a discarded check (or perhaps at the update... nah?) caused from data which may be lost when it was previously not saved?
Or do you refer to a check from a C function which needs to be selected to show up in ST01?
Your statement makes me nervous. There seems to be no end...
Answer:
B_USERSTAT uses auth groups. Except for table access, if an auth group is blank SAP does not perform the check, and so nothing shows up in ST01. You configure the statuses, adding an auth group to each, and they will show up in ST01.