AW: Authorizations to Transactions only through workflow ?
Susan R. Keohan
skeohan at mit.edu
Thu Aug 7 08:47:04 EDT 2003
Hello Matthias,
Thank you very much for the help. What we did was to remove authorizatio=
ns to transaction MIR4 from=20
the common profile, and created a role with the MIR4 authorization object=
s. This can be found, as=20
you may know, using transaction SU24. With this methodology, which I am =
not claiming that SAP=20
endorses, we are able to block the user from accessing MIR4 through the O=
K code box, but allow them=20
to display the invoice through a custom method (which displays a custom s=
creen, and has 'Display=20
Invoice' as an option).
I believe you are also correct that this solution will not work for all t=
ransactions. We have a=20
similar situation with ME23N, and the newer transactions are much more po=
werful, and therefore much=20
more dangerous. This 'simple' solution will not work in this case, but w=
e have handled it in a=20
different way.
Again, thank you for your help,
Sue
Flaig Matthias wrote:
> Hi Susan,
>=20
> it may be that the solution is quite easy:
> Lets have a look at BUS2081 (Incomming Invoice), especially method disp=
lay (which calls MIR4):
>=20
> begin_method display changing container.
> SET PARAMETER ID 'RBN' FIELD object-key-invoicedocnumber.
> SET PARAMETER ID 'GJR' FIELD object-key-fiscalyear.
> CALL TRANSACTION 'MIR4' AND SKIP FIRST SCREEN.
> end_method.
>=20
> The point is, that the ABAP statement call transaction(*) does not perf=
orm an authority check on object S_TCODE, you always have to program an a=
uthority check manually when using call transaction(**).=20
>=20
> So it may work just to give the user all authorizations needed for MIR4=
except the one for S_TCODE. Then try to execute IncommingInvoice.display=
from within a workflow and it should work, but the user will not bee abl=
e to enter MIR4 manually.
>=20
> regards,
> Matthias
>=20
> (*) the behavior was changed between different R/3 releases...
> (**) some transaction do a check on s_tcode themselves wihtinn theri co=
de, but i couldn't find it in MIR4
>=20
> Mit freundlichen Gr=FC=DFen
>=20
> Matthias Flaig
> TIO
>=20
> ProMinent Dosiertechnik GmbH
> Im Schuhmachergewann 5-11
> D-69123 Heidelberg
> Germany
>=20
> http://www.prominent.de
> Email: m.flaig at ProMinent.de
> Tel.: +49 (6221) 842-547
> Fax: +49 (6221) 842-553
>=20
>=20
>=20
>>-----Urspr=FCngliche Nachricht-----
>>Von: Susan R. Keohan [mailto:skeohan at mit.edu]
>>Gesendet: Montag, 4. August 2003 14:10
>>An: SAP-WUG at MITVMA.MIT.EDU
>>Betreff: Authorizations to Transactions only through workflow ?
>>
>>
>>Hi all,
>>
>>Now please don't laugh.
>>
>>I have a requirement to deliver MIR4 (Display Invoice)=20
>>through workflow (no problem) but to prevent
>>access to the same transaction through the GUI. MIR4 is very=20
>>nice in that it doesn't give the users
>>the ability to switch to another invoice or anything harmful.=20
>> The business process people are
>>worried that some intrepid user will access MIR4 through the=20
>>transaction box and go hunting for
>>invoices that they should not see.
>>
>>So, is there a way to prevent the users from entering MIR4=20
>>through any means except through their
>>workflow tasks ? I'm thinking that the only way to simulate=20
>>this is to code a method that displays
>>everything MIR4 does(lots of coding!), and take away the MIR4=20
>>transactional authorizations, but am
>>hoping there are brighter minds out there than mine.
>>
>>Thanks!
>>Sue
>>--
>>Susan R. Keohan
>>SAP Workflow Developer
>>MIT Lincoln Laboratory
>>244 Wood Street
>>LI-200
>>Lexington, MA. 02420
>>781-981-3561
>>skeohan at mit.edu
>=20
>=20
--=20
Susan R. Keohan
SAP Workflow Developer
MIT Lincoln Laboratory
244 Wood Street
LI-200
Lexington, MA. 02420
781-981-3561
skeohan at mit.edu
More information about the SAP-WUG
mailing list