You can have a purchase group as part of the release strategy --and to make PO always released by the buyer first --level 1 approval can lie with the user.
You can use the purchase group authorization object to restrict who can -suppress Purchase group authorizations in PO create or change roles -- Create a role for each purchase group and use them to give authorization. What this means Purchase group authorization to create or change should come from the singular role of the purchase group authorization object to supply this auth. The Auth. object should not have * if you really want to restrict these t-codes in any other PO create or change roles.
Speak to your security consultant about the approach and you will be able to find the right solution.
Bluesky
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.