Question:
Hi there,
I'm kinda a novice in this topic of authorisation, so, ... yeah, feel free to shoot down my question if it's too basic.
I would like to ask if it's possible to restrict authorisation by transaction code and plant.
I did the following:
Role A t-code LI21; org level restriction by plant 'MY01'
Role B other t-codes (e.g. MIGO, MB1B ...); org level restriction by plant 'MY01 to MY05'
Problem is, when I assign role A and role B to the same user, when LI21 is performed, it can be done for plant 'MY01 to MY05' instead of only plant MY01.
Is there a way of tying the t-code to a particular plant?
Thanks!
best regards, MayNee
Answer:
There are a couple of things here.....
1. Have you checked that LI21 performs a check against Plant? (via ST01)
2. Authorisation within transactions is controlled by authorisation objects.
Authorisation is additive.
Example:
Role A t-code LI21; org level restriction by plant 'MY01'
Plant auth is granted by M_MSEG_WWA Activity 02,03 Plant MY01
Role B other t-codes (e.g. MIGO, MB1B ...); org level restriction by plant 'MY01 to MY05'
Plant auth is granted by M_MSEG_WWA Activity 01,02,03 Plant MY01-MY05
If the 2 roles are in the same user master record, the user will have authorisation for activity 01,02,03 Plant MY01-MY05 for all transactions which check that authorisation object. The highest level of access will take precedence in the User Master Record.
Hope that helps
Cheers
Al.
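The additive behaviour described in this answer, as an added example that is not part of the original thread: a simplified Python model of how an authority check evaluates the combined roles. The field names (TCD, ACTVT, WERKS), the use of S_TCODE for the transaction start check, and all helper names are assumptions made for illustration.

```python
# Simplified model of an authority check over a user's combined roles.
# Field names (TCD, ACTVT, WERKS) and helper names are illustrative assumptions.

def value_matches(allowed, value):
    """allowed holds single values or (low, high) ranges such as MY01 to MY05."""
    for entry in allowed:
        if isinstance(entry, tuple):
            low, high = entry
            if low <= value <= high:
                return True
        elif entry == value:
            return True
    return False

def authority_check(user_auths, obj, **fields):
    """Pass if ANY one authorization for obj covers ALL requested field values."""
    for auth_obj, auth_fields in user_auths:
        if auth_obj == obj and all(
            value_matches(auth_fields.get(name, []), value)
            for name, value in fields.items()
        ):
            return True
    return False

# Roles as described in the thread.
ROLE_A = [
    ("S_TCODE", {"TCD": ["LI21"]}),
    ("M_MSEG_WWA", {"ACTVT": ["02", "03"], "WERKS": ["MY01"]}),
]
ROLE_B = [
    ("S_TCODE", {"TCD": ["MIGO", "MB1B"]}),
    ("M_MSEG_WWA", {"ACTVT": ["01", "02", "03"], "WERKS": [("MY01", "MY05")]}),
]

def can_post(user_auths, tcode, actvt, plant):
    """Transaction start and plant check are independent; neither knows about the other."""
    return (authority_check(user_auths, "S_TCODE", TCD=tcode)
            and authority_check(user_auths, "M_MSEG_WWA", ACTVT=actvt, WERKS=plant))

def demo():
    a_and_b = ROLE_A + ROLE_B  # the user master record holds the union of both roles
    return {
        "A only, LI21 in MY03": can_post(ROLE_A, "LI21", "02", "MY03"),
        "A+B, LI21 in MY03": can_post(a_and_b, "LI21", "02", "MY03"),
        "A+B, LI21 in MY06": can_post(a_and_b, "LI21", "02", "MY06"),
        "B only, LI21 in MY03": can_post(ROLE_B, "LI21", "02", "MY03"),
    }

if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allowed' if allowed else 'denied'}")
```

With both roles assigned, LI21 passes its start check through Role A and its plant check through Role B, which is why the plant restriction from Role A has no effect.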
Answer:
Hi Al,
Thanks for the clear explanation!
You're right, MB11 (the IM t-code that LI21 calls) checks for the object M_MSEG_WWA, as does MB1B.
Hmmm ... wonder if there are any sub-authorisation objects that can be used?
best rgds, MayNee