Executive Summary
The requirement is to have two separate roles, staff and manager, for the MIR4 tcode. Staff should only have the authorization to “Park” the document, and the manager should only have the authorization to view the document and “Post” it. The SAP-provided authorization objects can limit the staff from posting and the manager from parking.
But if these authorization objects are used, the manager cannot view the document unless “Park” authorization is provided, and staff cannot post in other transactions either, which may be undesirable. Also, once the authorization is provided, the manager is able to both Park and Post. The goal of this whitepaper is to let the manager view and post the document without being able to park it, and to limit the posting ability of the staff.
Also, note that this is required only for the MIR4 tcode, and the customer is not using WorkFlow for any purpose in the project. As confirmed by the security consultant, the authorization objects needed to achieve this are not tcode specific, and changing them disrupts the activities of other tcodes as well.
Introduction
The following steps can be used to limit a user to only viewing and posting a material invoice document even when the user has the authorization to Park. The solution has 3 parts:
- Custom Enhancement in standard include LMR1MF0D
- Custom Enhancement in standard include LMR1MF4J
Following are the options a user can use to park a document from MIR4:
- Simulate subscreen
- While exiting the tcode
Solution:
- Let us create an enhancement in SAP standard include LMR1MF0D to control this
- Once created write code in the enhancement such as this:
ENHANCEMENT 154 ZMIR4_PARK_STOP_TEST_2. "active version
  DATA: v_agrname TYPE agr_name.
  " Is the current user assigned the manager role?
  SELECT SINGLE agr_name FROM agr_users INTO v_agrname
    WHERE uname EQ sy-uname
      AND agr_name EQ 'Z_MANAGER_ROLE'.
  IF sy-subrc EQ 0.
    IF sy-tcode EQ 'MIR4'.
      " Discard the function code and stop with an error message
      CLEAR ok-code.
      MESSAGE 'You are not allowed to perform this function.' TYPE 'E'.
    ENDIF.
  ENDIF.
ENDENHANCEMENT.
- This enhancement stops Parking from the Simulate subscreen:
- Finally to take care of the Parking at the time of exiting let us create an enhancement in SAP standard include LMR1MF4J.
- In the include write code as following:
ENHANCEMENT 153 ZMIR4_PARK_STOP_TEST. "active version
  DATA: v_agrname TYPE agr_name.
  " Only act when the user gave the affirmative answer ('J') on exit
  IF f_answer EQ 'J'.
    " Is the current user assigned the manager role?
    SELECT SINGLE agr_name FROM agr_users INTO v_agrname
      WHERE uname EQ sy-uname
        AND agr_name EQ 'Z_MANAGER_ROLE'.
    IF sy-subrc EQ 0.
      IF sy-tcode EQ 'MIR4'.
        " Drop the invoice header data unless the status is batch or error
        IF rbkpv-rbstat <> c_rbstat_batch AND
           rbkpv-rbstat <> c_rbstat_error.
          CLEAR rbkpv.
        ENDIF.
        " Leave the transaction without parking
        IF sy-calld IS INITIAL.
          PERFORM tree_clear.
          SET SCREEN 0. LEAVE SCREEN.
          " PERFORM tree_clear.
        ELSE.
          LEAVE.
        ENDIF.
      ENDIF.
    ENDIF.
  ENDIF.
ENDENHANCEMENT.
- This will cause the tcode to exit without Parking. If you want the tcode to not exit, just write:
DATA: v_agrname TYPE agr_name.
IF f_answer EQ 'J'.
  SELECT SINGLE agr_name FROM agr_users INTO v_agrname
    WHERE uname EQ sy-uname
      AND agr_name EQ 'Z_MANAGER_ROLE'.
  IF sy-subrc EQ 0.
    IF sy-tcode EQ 'MIR4'.
      CLEAR ok-code.
    ENDIF.
  ENDIF.
ENDIF.
Thus, by following the steps above, we can stop a user from parking a document from MIR4 despite having Parking authorization.
Limit the posting access for Staff:
- Following are the options for posting in MIR4 transaction:
- Create an enhancement in standard include LMR1MF4Y
- Write code in the enhancement as below:
ENHANCEMENT 155 ZMIR4_PARK_STOP_TEST_3. "active version
  DATA: v_agrname TYPE agr_name.
  " Is the current user assigned the staff role?
  SELECT SINGLE agr_name FROM agr_users INTO v_agrname
    WHERE uname EQ sy-uname
      AND agr_name EQ 'Z_STAFF_ROLE'.
  IF sy-subrc EQ 0.
    IF sy-tcode EQ 'MIR4'.
      IF ok-code EQ 'BU'. "This prevents the user from posting
        MESSAGE 'You are not allowed to perform this function' TYPE 'E'.
        e_subrc = 4.
      ENDIF.
    ENDIF.
  ENDIF.
ENDENHANCEMENT.
- Posting is then prohibited for Staff.
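The three enhancements repeat the same AGR_USERS lookup, and that lookup matches a role assignment whether or not its validity period covers today. As an added example (not part of the original whitepaper), the check can be centralised in one global class that also filters on FROM_DAT and TO_DAT; the class name ZCL_MIR4_ROLE_CHECK and its method names are hypothetical.

```abap
" Added example, not from the original page. ZCL_MIR4_ROLE_CHECK and its
" method names are hypothetical; the role names are the ones used above.
CLASS zcl_mir4_role_check DEFINITION PUBLIC FINAL CREATE PRIVATE.
  PUBLIC SECTION.
    CLASS-METHODS has_active_role
      IMPORTING iv_role       TYPE agr_users-agr_name
                iv_user       TYPE agr_users-uname DEFAULT sy-uname
      RETURNING VALUE(rv_yes) TYPE abap_bool.
    CLASS-METHODS block_park
      RETURNING VALUE(rv_block) TYPE abap_bool.
    CLASS-METHODS block_post
      RETURNING VALUE(rv_block) TYPE abap_bool.
ENDCLASS.

CLASS zcl_mir4_role_check IMPLEMENTATION.
  METHOD has_active_role.
    DATA lv_agr TYPE agr_users-agr_name.
    rv_yes = abap_false.
    " Count only assignments valid today: expired or future-dated rows
    " in AGR_USERS must neither grant nor restrict anything.
    SELECT SINGLE agr_name FROM agr_users INTO lv_agr
      WHERE uname    EQ iv_user
        AND agr_name EQ iv_role
        AND from_dat LE sy-datum
        AND to_dat   GE sy-datum.
    IF sy-subrc EQ 0.
      rv_yes = abap_true.
    ENDIF.
  ENDMETHOD.

  METHOD block_park.
    " Managers may display and post in MIR4 but must not park.
    rv_block = abap_false.
    IF sy-tcode EQ 'MIR4' AND has_active_role( 'Z_MANAGER_ROLE' ) EQ abap_true.
      rv_block = abap_true.
    ENDIF.
  ENDMETHOD.

  METHOD block_post.
    " Staff may park in MIR4 but must not post.
    rv_block = abap_false.
    IF sy-tcode EQ 'MIR4' AND has_active_role( 'Z_STAFF_ROLE' ) EQ abap_true.
      rv_block = abap_true.
    ENDIF.
  ENDMETHOD.
ENDCLASS.

" Call site inside an enhancement (replaces the inline SELECT):
"   IF zcl_mir4_role_check=>block_park( ) EQ abap_true.
"     CLEAR ok-code.
"     MESSAGE 'You are not allowed to perform this function.' TYPE 'E'.
"   ENDIF.
```

Keeping the role names in one place means a renamed or split role is changed once instead of in three standard includes.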