Show TOC
Release
Information
Description
In the standard analyses of the Logistics
Information System, it is possible to carry out authorization checks at the
characteristic values level.
In this way, you can prevent the employees of
an organizational unit (for example, purchasing organization, plant, sales
organization) from displaying the key figures of other organizational
units.
Since the information structures - and,
therefore, the requirements of the authorization check - are very different,
you can call up a form routine which you developed yourself (in addition to
the authorization checks which come with the standard SAP system) and in which
you can carry out authorization checks according to your
requirements.
If you do not want to use the standard SAP
authorization checks because, say, you want to use your own authorization
objects, you can override the standard authorization checks.
Authorization checks for the following
domains :
Domain Authorization object
DISPO MRP controller
M_IS_DISPO
EKGRP Purchasing
group M_IS_EKGRP
EKORG Purchasing
organization M_IS_EKORG
SPART Division
M_IS_SPART
VKBUR Sales office
M_IS_VKBUR
VKORG Sales
organization M_IS_VKORG
VTWEG Distribution
channel M_IS_VTWEG
WERKS Plant
M_IS_WERKS
The fields of the authorization objects are the
information structure and the characteristic.
Set up authorizations and profiles for these
authorization objects.
To set up a user-defined authorization check
for an information structure, proceed as follows:
1. create
program ZMCREPAU as a subroutine pool (type "S").
2. Declare the
tables you require for the authorization check via TABLES: ... (see
example).
3. Define for
every domain to which you want to create an authorization check, rank over
RANGES: RA_HLP?????????? FOR .... (see example).
?????????? stands
for the name of the domain for which an authorization check should be carried
out.
4. Include a
form routine AU_CHECK_?????????? for the authorization check for
characteristics with the domain ?????????? (see example).
5. Carry out
the required authorization checks in this form routine for fields with the
domain ??????????.
You have two
possible reactions:
- If a user only has limited authorizations,
send an error message which requests this user to restrict his/her selection
to characteristic values for which he/she has authorization.
- Insert entries in the selection option that
was transferred to the form routine AU_CHECK_?????????? These entries should
exclude characteristic values for which the user has no
authorization.
In this case, we
recommend that you inform the user via an online message.
The interface for a form routine of the
authorization check must look as follows:
FORM
AU_CHECK_??????????
TABLES AX_??????????
STRUCTURE RA_HLP_?????????? "SELECT-OPTION
"for
characteristic
USING AX_MCINF "Info
structure
CHANGING
AX_FLG_ACTIVE. "check active
If you created a user-defined authorization
check in this way, and then allocate the value "X" to the parameter
AX_FLG_ACTIVE, any existing standard SAP check will not be carried
out.
Example for the domain VKORG
(sales organization) with the authorization object V_VBAK_VKO
PROGRAM
ZMCREPAU.
TABLES:
TVKO.
RANGES: RA_HLP_VKORG
FOR TVKO-VKORG.
...
FORM
AU_CHECK_VKORG
TABLES AV_VKORG
STRUCTURE RA_HLP_VKORG "SELECT-OPTION sales org.
USING
AV_MCINF.
CHANGING
AV_FLG_ACTIVE.
DATA: BEGIN OF
AV_HLP_TVKO OCCURS 20.
INCLUDE STRUCTURE
TVKO.
DATA: END OF
AV_HLP_TVKO.
DATA:
AV_FLG_RESTRICT.
AV_FLG_ACTIVE = 'X'.
"Activate check and deactivate the
"standard SAP
check
CLEAR
AV_FLG_RESTRICT.
* Check whether
authorization exists for the sales organizations
SELECT * FROM TVKO
INTO TABLE AV_HLP_TVKO
WHERE VKORG IN
AV_VKORG.
LOOP AT
AV_HLP_TVKO.
AUTHORITY-CHECK
OBJECT 'V_VBAK_VKO'
ID 'VKORG' FIELD
AV_HLP_TVKO-VKORG
ID 'VTWEG' DUMMY
"not a check
ID 'SPART' DUMMY
"not a check
ID 'ACTVT' FIELD
'71'. "analyze
IF SY-SUBRC <>
0.
* no authorization
=> exclude sales organization
CLEAR
AV_VKORG.
AV_VKORG-SIGN =
'E'.
AV_VKORG-OPTION =
'EQ'.
AV_VKORG-LOW =
AV_HLP_TVKO-VKORG.
COLLECT
AV_VKORG.
AV_FLG_RESTRICT =
'X'.
ENDIF.
ENDLOOP.
IF AV_FLG_RESTRICT =
'X'.
MESSAGE ID 'M2' TYPE
'I' NUMBER '280' WITH 'V_VBAK_VKO'.
ENDIF.
ENDFORM.
Further
notes
In the section
Maintain authorizations of the Implementation Guide for the
Logistics Information System, you can maintain authorizations. A description
is also given here of how to do this.