Show TOC Entering content frame

Background documentation Authorization in Supply Network and Demand Planning Locate the document in its SAP Library structure

Supply Network Planning and Demand Planning (SDP) use the standard SAP authorization functionality to control access to applications. The Structure linkSAP Authorization Concept topic provides an overview of the objects involved. For more information about authorizations, see Structure linkUsers and Roles (BC-SEC-USR) and its related documentation, as well as Structure linkChecking Authorizations.

See below for an overview of the authorization objects used in SDP and other information specific to authorizations in SDP. It assumes that you are familiar with the basic principles involved (see above).

Authorization Objects

The following authorization objects are used in APO SDP. They are also available for customer enhancements. These objects are described in more detail (in particular, the fields that are available together with their possible values) in the online documentation in the relevant maintenance transactions.


C_APO_MAC - Execution of macros

C_APO_ ADV- Maintenance of macros

C_APO_ADVN- Macro name check

Master Data

C_APO_LOC - Master data, location

C_APO_PROD - Master data, product

C_APO_RES - Master data, resource

C_APO_TLAN - Transportation lanes

Planning Area, Book

C_AP0_PB - Planning book

C_APO_SEL3 - Selections in planning books


Authorization objects C_APO_SELE (Release 2.0) and C_APO_SEL2 (Release 3.0 up to Support Package 9) still exist in the system. They are however obsolete. If C_APO_SEL2 has been assigned to a profile, set all field values to "*".

C_APO_IOBJ – Key figure

C_APO_CPY – Copy function in data realignment

C_APO_ RLG – Realignment, maintain realignment table

General Demand Planning

C_APO_DPPR – Product

As opposed to C_APO_PROD,which checks the authorization for the master data object product, C_APO_DPPR checks against the values of the characteristic that you have defined as the product in the master planning object structure. The location is not required in the authorization check, which means that the same user can work independently of a location in DP and restricted to a location in SNP.


CA_APO_PRPF – Forecast profile

CA_APO_TSID – Time series (weighting profile, and so on)


C_APO_PROM – Promotion

Lifecycle Planning

C_APO_LIKE – Lifecycle profile

SDP Functions

C_APO_FUN - Functions in SDP

General APO Functions

C_APO_MOD - Model

C_APO_VERS - Version

Authorization Checks for Characteristics in SAP NetWeaver Usage Type Business Intelligence (BI)

For more information, see Using the BI Authorization Concept in Demand Planning.

Authorization Checks in SDP

All authorization checks in SDP are performed by the function module /SAPAPO/MCP_PERMISSION_CHECK2 for individual data objects and /SAPAPO/MCP_PERMISSION_SELECT for a range (table) of objects such as products, locations, or planning books. This second function module incorporates the first one.

If you want to adjust the result of the check, or program your own authorization check, you can do so by using user exit /SAPAPO/SAPLMCPR_015 in function group XDMUSER.

Interactive Planning

Working with Selections

Authorization for working with selections is checked using object C_APO_FUN and the functions C_SELCTION and C_SELORG. If the user has not been assigned the C_SELCTION function, the selection icon does not appear when they open a planning book. As a result, the user cannot use the shuffler to make their own selections, but have to choose predefined selections from the list of selections.

The C_SELORG function permits the user to administer selections, that is to save selections and assign them to users.

The system checks the authorizations for both of these functions when the user calls up Interactive Planning.

Individual Selections

The user requires authorization via object C_APO_FUN for functions C_SELE and S_SELE to execute a 'free' selection. To load a saved selection, they must have authorization for function S_SELE and for authorization object C_APO_SEL3 (C_APO_SEL2), and they need the relevant selection.

During the transfer of the objects contained in the selection, the system first checks the authorization for the selected version (C_APO_VERS). In Demand Planning, authorization checks are only performed for the objects version (C_APO_VERS), product (C_APO_PROD), and location (C_APO_LOC) for selections in the standard system. In SNP, you can check the objects version (C_APO_VERS), product (C_APO_PROD), location (C_APO_LOC), location product (C_APO_PROD), resource (C_APO_RES), and transportation lane (C_APO_TLAN). Additional authorization checks, in particular those concerning other characteristics in the selection (such as sales organizations in DP) are not provided in the standard system.

You can run additional checks if necessary by using the user exit for authorizations. With this user exit or the BAdI method 'SELECTION_CHECK' (BAdI '/SAPAPO/SDP_SELECTOR'), you can, for example, force a user to make a selection for a certain characteristic. During the authorization check in DP, only the objects specified in the selection condition are checked.

During these authorization checks for objects, the activity 'Display' (03) is used. For the objects mentioned above (in Demand Planning product and location, in SNP product, location, location product, resource, and transportation lane), the system carries out an authorization check in the SDP selector for the hit list entries. If the user does not have at least display authorization for an object, this object is not displayed in the hit list.

Loading Data in Interactive Planning

When you actually load one or more objects, the permitted activities are checked. If you are in change mode, the activity 'Execute'(16) is used for all checked authorization objects. If no change authorization is available, the corresponding checks are continued with the activity 'Display'(03). The transaction switches to display mode if the data may only be displayed. If no authorization for displaying the data exists, an appropriate error message appears. No data is displayed.

Background Processing

When the system carries out authorization checks in background jobs, it checks the authorizations of the user who created the job.  You can use the method SET_USER in BAdI /SAPAPO/SDP_BATCH to assign the job to another user.

If you have activated the BW authorization concept, the system checks all selected characteristic value combinations before it starts any other processes. If the user has no authorization for one characteristic value, the system stops the complete job and writes the corresponding messages into the log. You can check that you (or the background job user defined in the BAdI) have the necessary authorizations when creating the planning job by choosing the This graphic is explained in the accompanying text icon with the quick info Check Authorization for Characteristic Values.


Leaving content frame