on 2025 May 14 1:35 AM
1. Introduction
As part of the internal change management process at Schluchseewerk in the context of S/4HANA, the functionality "Notifications" in the SAP module EAM is utilized. For the operational implementation of this process, we have planned the use of OP notifications. A permission concept has been created for these and partially implemented technically.
During the implementation, an individual role Z_EAM_NOTIFICATION_OP was created, tailored to specific permissions within the notification processing framework.
2. Justification
To ensure a clean and controlled change management process, it is imperative that only authorized users with specific roles have access to OP notifications. In particular, it must be prevented that users without the appropriate authorization can:
- create (transaction IW21),
- view (transaction IW23), or
- change (transaction IW22) OP notifications with the code group (QMGRP) "OP-Change."
Adhering to this restriction is central to quality assurance, traceability of changes, and minimizing potential errors in the change management process.
3. Objective
The goal is to adjust the permissions in SAP so that notifications with the code group OP-Change can only be created, viewed, or changed by authorized individuals. For users with the appropriate permissions for the role, the following restrictions should apply:
- The code group OP-Change should not be visible in the catalog selection,
- it should not be used for creating notifications,
- existing notifications of this group should neither be displayed nor edited unless the user has the appropriate permissions.
4. Technical Issue
In the course of the previous permission check, the authorization object Q_GP_CODE – Use of group codes was already employed. This made it possible to hide the code group OP-Change in the catalog selection and thus prevent the creation of corresponding notifications. However, it remains technically possible to display or change notifications of this code group via IW22 and IW23.
When an OP notification with the coding OP-ART is opened and the user attempts to manually enter the value into the OP-CHANGE field (since the code group OP-Change is already hidden in the catalog selection), the following error message still occurs: When saving in IW22, the system only accesses the authorization object I_QMEL – PM/QM: Notification types, which does not allow restriction at the code group level.
Thus, there is currently a lack of a permission check that ensures at the code group level that notifications with the group "OP-Change" can only be displayed or changed by authorized users.
5. Expectation / Next Steps
We request an examination of how permission control at the code group level for the mentioned transactions can be implemented – either through a suitable combination of existing authorization objects or through alternative technical measures (e.g., user exits, BAdIs, etc.).
The goal is a clean and audit-proof implementation of the requirement to restrict the editing and visibility of "OP-Change" notifications to the defined roles.