AG Security Roles in the logic of AC Rules

Dart, Jocelyn jocelyn.dart at sap.com
Thu Nov 11 19:54:47 EST 2004 

Hi Mark and Maorriyan,
Ok so you want to use Security roles for Responsible agents.
Easy done.
There are some BAPIs/pseudo BAPis that will return all users linked to a given activity group.
Look at function modules beginning with PRGN, e.g. PRGN_READ_USERS.
There are BAPIs to determine the activity groups linked to a user - look at function modules beginning with BAPI_USER.
There are also function modules AUTHORITY_CHECK and SUSR_AUTHORITY_CHECK_SIMULATE that will let you check the authorities for a particular user.
 
But even better than that you may want to try out the function SUSR_GET_USERS_WITH_SPEC_AUTHS and similar.
 
You should also start looking at PERSONALIZATION KEYS - transaction PERSREG and the like.  This is a very useful way of assigning data to security roles that can be read again later.  Great for approval limits in particular, e.g. everyone with this security role has this approval limit.  Very free in what sort of data, simple to complex, many formats, can be associated with a security role.
Regards,
Jocelyn
 
-----Original Message-----
From: SAP Workflow [mailto:Owner-SAP-WUG at MITVMA.MIT.EDU] On Behalf Of Mark Pyc
Sent: Thursday,11 November 2004 9:30 PM
To: SAP-WUG at MITVMA.MIT.EDU
Subject: AG Security Roles in the logic of AC Rules
 
G'day Wuggers,
 
System 46C.
 
I appreciate the elegance of using Security Roles (AG) for determination of
Possible Agents but does anyone use them to help determine Responsible
Agents??
 
For example send the release of a PReq with Rel Code R2 to users with
security access to Rel Code R2.
 
It's not a case of using the Roles as possible agents since there is one
task for all Rel Codes. In fact it may not be a particular AG Role I want to
check against, but a coding equivalent to Authority-Check.
 
Is there a function that will return all users with a given level of access
to a particular authorization object?
 
My situation is surrounding Cost Centre based responisibilities for
Requestion Approval, Invoice Certification and Invoice Approval (2 stage
process). Ideally I'd like to keep maintenance to a minimum by creating an
association with a Cost Centre (ideally via linkages to Org Units) and then
use a combination of Security Access to determine the Responsible Agent in
each case.
 
Is this possible? Is this a reasonable approach??
 
Have fun,
Mark

More information about the SAP-WUG mailing list