
SRM 4.0 Security Concept

former_member577095
Participant
0 Kudos

Hi all,

I am looking for documentation on implementing auth on SRM 4.0.

This is our approach:

- We have created an Org Structure. Some nodes have attributes on Company Code, Purchasing Group, Purchasing Organization, ...

- We are using users_gen to mass create users and attach them to Org Structure.

- We have created roles with PFCG. In the organizational levels of the role, we have written directly the IDs of the organizational units of the Org Structure.

At the moment it does not seem to be working properly, since the values present in the attributes of the nodes are not transferred to the users through the roles. A user can create Purchase Orders for all Purchasing Organizations...

Any experience on SRM?

Where can I find info on PFCG + PPOM_BBP + USERS_GEN?

Thanks

Andrea

Accepted Solutions (0)

Answers (1)

Former Member
0 Kudos

Hi Andrea,

This is due to a new design in SRM 4.0. Before, the users were only able to create/edit or see documents according to their organizational unit dependencies (which means only one Purch Org).

Now in SRM 4.0 new Authorization objects have been created, and one is for this specific purpose (I don't have the object code, but you can find it easily on the system in the authorization maintenance transaction).

Regards.

Vadim

former_member577095
Participant
0 Kudos

Ciao Vadim,

the object is BBP_PD_PO.

Even if the user has the authorization to create P.O.s only on a specific Purchasing Group (received as an attribute from an Organizational Unit), he is able to create P.O.s for all Purchasing Groups.

My feeling is that this is a bug.

Do you know if there is documentation on it? (I have already seen help.sap.com.)

Bye

Andrea

Former Member
0 Kudos

Hi,

Sorry, I don't know of any documentation about that, but I don't think you need documentation; the object is quite simple, isn't it?

Concerning your problem, I'd be surprised that it does not work: please check your user hasn't SAP_ALL ;).

PS: Please don't forget to reward points for the help.

Regards.

Vadim

former_member577095
Participant
0 Kudos

Ciao Vadim,

the user does not have SAP_ALL.

I have found today that HR structural profiles are related to this. Through tcodes OOSP and OOSB I have found a way to make some restrictions.

Bye

Andrea