Question:
I am a SAP MM consultant with no SAP security knowledge, so please forgive my ignorance. We have roles that were created by an earlier consultant and that is what we are using right now. My question is regarding authorization for purchasing group in creating a requisition. I want to restrict every user to use just one purchasing group based on his department. One way to do this is to create a role for each purchasing group and assign to the users depending on their departments.
Is there a different way to assign authorization to a purchasing group?I would like to have a solution where i would just need to create one role (or profile or something else) and I could change the value of the purchasing group when I assign it to a user. I do not know if this is feasible, so please advice.
Thanks.
Answer:
You're on the right track. Purchasing group is an org-level, so assuming you use a master-derived relationship you can create one role, then maintain the derived roles at the org-level value as you see fit.
Answer:
I want to restrict every user to use just one purchasing group based on his department. What is the risk and potential for loss to the company for this... Sounds like a training issue you are trying to solve with Security.
Have you ascertained the number of roles it would require to do this? The impact on long term maintenance? Who supports all these and makes the specific assignments and reassignments as people move?
A simple detective report wold surfice IF there is a loss to the company. Without the details it would appear you will be spending 100's to protect little.
Answer:
Further to John's comment what does the purchasing group do for you anyway? Does it keep the costs associated with a particular cost center, order or project? no Does it keep someone from buying something that they shouldn't?no Does it keep them from spending more that their authorization limit? no
So what is the benefit of securing this way?
I am not saying there may not be one and if you find one please share.
Answer:
Thanks for your replies and comments.
While defining release strategies for Requisitions I want the first level of approval as the reporting manager. I tried using the name of the requisitioner to pick up the reporting manager and found that this would cause a lot of maintenance in the future whenever a new person is authorized to create requisitions. The advantage of using the Purchasing group is that when a new person comes into the organization he will be authorized to use just the purchasing group of his department and thus a strategy will still be assigned to him without having to include his name in each and every strategy.
I hope this answers the query that John and the others had.
Thanks
Answer:
another option is to leave the org level for pgroup blank in the role.
create second "data" role (derived for ease of maintenance)
put only the objects in it that relate to pgroups for the requisitioner role
put the pgroup value in the org level of the data role and assign to the user when assigning the requisitioner role
end up with two roles instead on 1 but you can swap and add extra pgroups to the users as required - no menu on the data role
ie user has pgroup 001 - needs also 002 and 003. You'd either have to build another requistioner role for all 3 or assign another two requisitioner roles - meaning duplicate user menu possibly?