restrict access to customer master

Question: I want to restrict access to customer master data. I only want users to be able to see customers specific to the company they work in, i.e. user A should only be able to see customers within company code 0001. How do I go about restricting this?

Answer:
F_KNA1_BUK

Answer:
I have tried that, but customers still appear in matchcode search. I have created a test user with one role accessing CoCo 0001, but the user is still able to search for customers in other companies. It doesn't allow display access, which is good, but I don't want the users to be able to search other company codes.

E.g. a user in company code 0001 runs trx XD03, selects the customer by company code tab, and searches for BBC limited in company 0009. I would like the search to display an authorisation error or return a blank search. At the moment it returns BBC limited in company code 0009 but errors when the user tries to display.

Any help will be greatly appreciated.

Answer:
Working as designed...
The customer header record is not company code dependent, so SAP does not care if there is one or not. Company code data is a subset of the customer record and you can control on that piece only.
Further, what risk and potential loss to the company is present that you would need to restrict the list from the user seeing? Security is not a substitute for training or to implement "wants". It is to mitigate risk and loss to the company.

In some cases the match code can be configured to include an auth check and this may be possible in this case, HOWEVER if they do not use the Company code match code there is no check and they will see all the customers.
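
The company-code check described in the answer above, applied in a custom customer list, as an added example that is not part of the original thread or SAP standard code. The report name Z_CUST_BY_BUKRS and its selection fields are assumptions; the report checks F_KNA1_BUK per company code before reading KNB1 and leaves the standard match codes unchanged.

```abap
REPORT z_cust_by_bukrs. " hypothetical report name (assumption)

TABLES knb1.
SELECT-OPTIONS: s_bukrs FOR knb1-bukrs,
                s_kunnr FOR knb1-kunnr.

DATA lt_allowed TYPE RANGE OF knb1-bukrs.

START-OF-SELECTION.
  " 1. Reduce the requested company codes to those the user may display.
  SELECT bukrs FROM t001
    WHERE bukrs IN @s_bukrs
    INTO TABLE @DATA(lt_t001).

  LOOP AT lt_t001 INTO DATA(ls_t001).
    AUTHORITY-CHECK OBJECT 'F_KNA1_BUK'
      ID 'BUKRS' FIELD ls_t001-bukrs
      ID 'ACTVT' FIELD '03'.          " 03 = display
    IF sy-subrc = 0.
      APPEND VALUE #( sign = 'I' option = 'EQ' low = ls_t001-bukrs )
        TO lt_allowed.
    ENDIF.
  ENDLOOP.

  " 2. An empty range would select every company code, so stop here.
  IF lt_allowed IS INITIAL.
    MESSAGE 'No authorization for the selected company codes'
      TYPE 'S' DISPLAY LIKE 'E'.
    RETURN.
  ENDIF.

  " 3. Read only customers with a KNB1 row in an authorised company code.
  SELECT b~kunnr, b~bukrs, a~name1
    FROM knb1 AS b
    INNER JOIN kna1 AS a ON a~kunnr = b~kunnr
    WHERE b~kunnr IN @s_kunnr
      AND b~bukrs IN @lt_allowed
    ORDER BY b~bukrs, b~kunnr
    INTO TABLE @DATA(lt_cust).

  LOOP AT lt_cust INTO DATA(ls_cust).
    WRITE: / ls_cust-bukrs, ls_cust-kunnr, ls_cust-name1.
  ENDLOOP.
```

Customers that exist only as a KNA1 header, with no company code row, never appear in this list, which matches the point that the header itself carries no company code to check against.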

Answer:
Thanks John. I had a feeling it may be working as designed, but our auditors seem to be insisting on restricting search access to authorised Company Codes only. Guess I will have to give them some bad news. Could it be done through Auth Group?

Answer:
If that's what they are suggesting then they should be recommending how you do it. I have done plenty of audits recently and cannot recall this being anything I have come across in a work program and certainly not a standard important audit point.
They should also tell you what the risk is. If you can mitigate the risk in another way then that should satisfy them. Stripping it down to its barest minimum, the auditors should be looking for things which could affect the accuracy of financial statements. That employees could spend a long time getting a list of customers is not a fraud matter.

You may be able to do this through auth groups; have a play in your sandbox and see if it works.

Answer:
Auth groups will not work unless there is a GROUP of customers the user is not to see, like all defense department customers.

The Customer and vendor record concept is to have ONE header record for every customer or vendor, so when you look at your customer/vendor base you do not have ExxonMobil, The ExxonMobil Co., Exxon, Mobil, etc., all representing the same Customer or vendor. There are occasions when there are Company specific needs and that record is unique. If you created Multiple EXXON master records just to give them a Company-code Auth group then your customer analysis reports will be grossly in error.

When you do customer Credit analysis you do not want to have to remember EVERY possible word combination to represent "Exxon" for credit evaluation and make WRONG business decisions!
If they are looking for customers with certain company code records then search as such: DO NOT USE BLANKS in the search criteria.

Answer:
Thanks for the reply. I will be having a meeting with the auditors this morning and giving them the bad news. I have spent the past week trying to sort this out. Thanks once again.

Answer:
We have a similar requirement. Our problem is that one of our subsidiaries could have a competitive advantage by using the parent company's customers for marketing purposes.

I can't think of a way round it except having a separate client. Is this feasible?


Thanks
Copyright © 2007 - 2008 www.jt77.com