Show TOC

Release Information

Description

In the standard analyses of the Logistics Information System, it is possible to carry out authorization checks at the characteristic values level.

In this way, you can prevent the employees of an organizational unit (for example, purchasing organization, plant, sales organization) from displaying the key figures of other organizational units.

Since the information structures - and, therefore, the requirements of the authorization check - are very different, you can call up a form routine which you developed yourself (in addition to the authorization checks which come with the standard SAP system) and in which you can carry out authorization checks according to your requirements.

If you do not want to use the standard SAP authorization checks because, say, you want to use your own authorization objects, you can override the standard authorization checks.

Authorization checks for the following domains :

Domain Authorization object
DISPO MRP controller M_IS_DISPO
EKGRP Purchasing group M_IS_EKGRP
EKORG Purchasing organization M_IS_EKORG
SPART Division M_IS_SPART
VKBUR Sales office M_IS_VKBUR
VKORG Sales organization M_IS_VKORG
VTWEG Distribution channel M_IS_VTWEG
WERKS Plant M_IS_WERKS

The fields of the authorization objects are the information structure and the characteristic.

Set up authorizations and profiles for these authorization objects.

To set up a user-defined authorization check for an information structure, proceed as follows:

1. create program ZMCREPAU as a subroutine pool (type "S").
2. Declare the tables you require for the authorization check via TABLES: ... (see example).
3. Define for every domain to which you want to create an authorization check, rank over RANGES: RA_HLP?????????? FOR .... (see example).
?????????? stands for the name of the domain for which an authorization check should be carried out.
4. Include a form routine AU_CHECK_?????????? for the authorization check for characteristics with the domain ?????????? (see example).
5. Carry out the required authorization checks in this form routine for fields with the domain ??????????.
You have two possible reactions:
In this case, we recommend that you inform the user via an online message.

The interface for a form routine of the authorization check must look as follows:

FORM AU_CHECK_??????????
TABLES AX_?????????? STRUCTURE RA_HLP_?????????? "SELECT-OPTION
"for characteristic
USING AX_MCINF "Info structure
CHANGING AX_FLG_ACTIVE. "check active

If you created a user-defined authorization check in this way, and then allocate the value "X" to the parameter AX_FLG_ACTIVE, any existing standard SAP check will not be carried out.

Example for the domain VKORG (sales organization) with the authorization object V_VBAK_VKO

PROGRAM ZMCREPAU.
TABLES: TVKO.
RANGES: RA_HLP_VKORG FOR TVKO-VKORG.
...
FORM AU_CHECK_VKORG
TABLES AV_VKORG STRUCTURE RA_HLP_VKORG "SELECT-OPTION sales org.
USING AV_MCINF.
CHANGING AV_FLG_ACTIVE.
DATA: BEGIN OF AV_HLP_TVKO OCCURS 20.
INCLUDE STRUCTURE TVKO.
DATA: END OF AV_HLP_TVKO.
DATA: AV_FLG_RESTRICT.
AV_FLG_ACTIVE = 'X'. "Activate check and deactivate the
"standard SAP check
CLEAR AV_FLG_RESTRICT.
* Check whether authorization exists for the sales organizations
SELECT * FROM TVKO INTO TABLE AV_HLP_TVKO
WHERE VKORG IN AV_VKORG.
LOOP AT AV_HLP_TVKO.
AUTHORITY-CHECK OBJECT 'V_VBAK_VKO'
ID 'VKORG' FIELD AV_HLP_TVKO-VKORG
ID 'VTWEG' DUMMY "not a check
ID 'SPART' DUMMY "not a check
ID 'ACTVT' FIELD '71'. "analyze
IF SY-SUBRC <> 0.
* no authorization => exclude sales organization
CLEAR AV_VKORG.
AV_VKORG-SIGN = 'E'.
AV_VKORG-OPTION = 'EQ'.
AV_VKORG-LOW = AV_HLP_TVKO-VKORG.
COLLECT AV_VKORG.
AV_FLG_RESTRICT = 'X'.
ENDIF.
ENDLOOP.
IF AV_FLG_RESTRICT = 'X'.
MESSAGE ID 'M2' TYPE 'I' NUMBER '280' WITH 'V_VBAK_VKO'.
ENDIF.
ENDFORM.

Further notes

In the section Maintain authorizations of the Implementation Guide for the Logistics Information System, you can maintain authorizations. A description is also given here of how to do this.