Enterprise Resource Planning Blogs by Members
Gain new perspectives and knowledge about enterprise resource planning in blog posts from community members. Share your own comments and ERP insights today!
Showing results for 
Search instead for 
Did you mean: 
In a recent project I had the requirement to control authorization for SD-Documents (sales orders and billing documents) based on the sales office (VBAK-VKBUR).

Neither in ERP nor in S/4HANA SAP provides a suitable authorization object, although it seems to be a common requirement, so the only way is to develop it on your own. The object might look like this (defintion from SU21):

There is an identical Z-object that is used to control billing documents instead of sales orders.

Keep in mind, that this is an extension to the common authorization objects V_VBAK_VKO and V_VBRK_VKO and you need to adapt your roles otherwise the whole process won't work anymore.

There is SAP Note 3046057, which is based on a customer connection project, that gives a few hints and implementation examples on this issue, but no out-of-the-box-solution.

Those changes have the intention to only enable a user to create, change, view or print certain documents within the SD-Application based on his sales office assignments. The incompleteness check is setup for sales office to be checked, so leaving it empty prevents the document from being checked but also from being processed further.

All changes could also be used for checking the sales group, but it's not covered here.

The following table shows different applications and locations where the object is being checked. There might be some more places to implement a check, e.g. in search helps, apps or transactions.


Activity Application When ABAP Object Type Object Comments
Create Sales Order VA01 At Saving Userexit MV45AFZZ / save_document_prepare
Create Sales Order VA01 Before Creation Implicit Enh. MV45AF0B_BERECHTIGUNG_PRUEFEN Necessary if BAPI is used for creation
Create with Reference VA01 Before Creation VOFM Depends on copy routines
Change Sales Order VA02 Before Display Userexit MV45AFZZ / move_field_to_vbak
Change Sales Order VA02 Before Save Userexit MV45AFZZ / save_document_prepare
Display Sales Order VA03 Before Display Userexit MV45AFZZ / move_field_to_vbak
Manage Sales Order Fiori Execute List CDS Access Control C_SalesOrderWl_F1873
Track Sales Orders Fiori Execute List CDS Access Control C_SlsDocFlfmntAnalyzer
List Sales Orders VA05 Execute List Userexit BADI_SDOC_WRAPPER_MASS
Create Invoice VF01 Before Creation Userexit RV60AFZC Include Creation via VF04
Change Invoice VF02 Before Display Implicit Enh. RV_INVOICE_DOCUMENT_READ
Manage Invoices Fiori Execute List CDS Access Control C_BillingDocument_F0797
Billing due List VF04 Execute List Implicit Enh. SDBILLDL / additional_filter_vkbur_ernam
Cancel Invoice VF11 Before Execute not done yet
Manage Credit Memo request Fiori Execute List CDS Access Control C_CreditMemoRequestWL_F1989
Create Credit Note with Reference VA01 Before Creation VOFM depends on VOFM outine
Print invoice VF31 Before print depends on your print program includes print preview

A typical authorization check in ABAP for creating or changing a sales order might look like this:

If the new object should be integrated into Fiori-apps, then it's very likely to extend the CDS' access control by creating a new access control object that inherits from the existing one.

All changes were made with regards to survive an upgrade of the system and not cause high effort by adjusting modifications in SPAU.

Hope this helps, feel free add some comments.


1 Comment
Labels in this area