Executive Summary

The requirement is to have two separate roles, staff and manager, for the MIR4 tcode. Staff should only have the authorization to “Park” the document, and the manager only the authorization to view the document and “Post”. SAP-provided authorization objects can limit the staff from posting and the manager from parking.

But if these authorization objects are used, manager cannot view the document if “Park” authorization is not provided and staff cannot post in other transactions as well which may be undesirable. Also, once the authorization is provided, manager is able to both Park and Post. The goal of the whitepaper is to let the manager view and post the document without being able to park it and limit the posting ability of the staff.

Also, note that this is required only for the MIR4 tcode, and the customer is not using WorkFlow for any purpose in the project. As confirmed by the security consultant, the authorization objects to achieve this are not tcode-specific, and playing with them messes up the activities of other tcodes as well.

 

Introduction

The following steps can be used to limit a user to only viewing and posting a material invoice document even when having the authorization to Park. The solution has 3 parts:

  • Custom Enhancement in standard include LMR1MF0D
  • Custom Enhancement in standard include LMR1MF4J

A user can park a document from MIR4 in the following ways:

From the Simulate subscreen:

While exiting the tcode:

 

Solution:

  • Let us create an enhancement in SAP standard include LMR1MF0D to control this

 

  • Once created write code in the enhancement such as this:

 

ENHANCEMENT 154  ZMIR4_PARK_STOP_TEST_2.    "active version
* Block the function in MIR4 for users assigned the manager role.
  DATA: v_agrname TYPE agr_name.
  SELECT SINGLE agr_name FROM agr_users INTO v_agrname
    WHERE uname    EQ sy-uname
    AND   agr_name EQ 'Z_MANAGER_ROLE'.
  IF sy-subrc EQ 0.
    IF sy-tcode EQ 'MIR4'.
      CLEAR ok-code.
      MESSAGE 'You are not allowed to perform this function.' TYPE 'E'.
    ENDIF.
  ENDIF.
ENDENHANCEMENT.

 

  • This enhancement stops Parking from the Simulate subscreen:

  • And the main MIR4 screen

  • Finally to take care of the Parking at the time of exiting let us create an enhancement in SAP standard include LMR1MF4J.

 

  • In the include write code as following:

 

ENHANCEMENT 153  ZMIR4_PARK_STOP_TEST.    "active version
* f_answer = 'J' means the user chose to save (park) on exit.
  DATA: v_agrname TYPE agr_name.
  IF f_answer EQ 'J'.
    SELECT SINGLE agr_name FROM agr_users INTO v_agrname
      WHERE uname    EQ sy-uname
      AND   agr_name EQ 'Z_MANAGER_ROLE'.
    IF sy-subrc EQ 0.
      IF sy-tcode EQ 'MIR4'.
*       Leave the transaction without parking.
        IF rbkpv-rbstat <> c_rbstat_batch AND
           rbkpv-rbstat <> c_rbstat_error.
          CLEAR rbkpv.
        ENDIF.
        IF sy-calld IS INITIAL.
          PERFORM tree_clear.
          SET SCREEN 0. LEAVE SCREEN.
*         PERFORM tree_clear.
        ELSE.
          LEAVE.
        ENDIF.
      ENDIF.
    ENDIF.
  ENDIF.
ENDENHANCEMENT.

 

  • This will cause the tcode to exit without Parking. If you want the tcode to not exit, just write:

* Variant: stay in the transaction and discard the park request.
  DATA: v_agrname TYPE agr_name.
  IF f_answer EQ 'J'.
    SELECT SINGLE agr_name FROM agr_users INTO v_agrname
      WHERE uname    EQ sy-uname
      AND   agr_name EQ 'Z_MANAGER_ROLE'.
    IF sy-subrc EQ 0.
      IF sy-tcode EQ 'MIR4'.
        CLEAR ok-code.
      ENDIF.
    ENDIF.
  ENDIF.

 

Thus, by following the steps above, we can stop a user from parking a document from MIR4 despite having Parking authorization.

Limit the posting access for Staff:

 

  • Following are the options for posting in MIR4 transaction:

 

  • Create an enhancement in standard include LMR1MF4Y
  • Write code in the enhancement as below:

ENHANCEMENT 155  ZMIR4_PARK_STOP_TEST_3.    "active version
* Block the post function code in MIR4 for users assigned the staff role.
  DATA: v_agrname TYPE agr_name.
  SELECT SINGLE agr_name FROM agr_users INTO v_agrname
    WHERE uname    EQ sy-uname
    AND   agr_name EQ 'Z_STAFF_ROLE'.
  IF sy-subrc EQ 0.
    IF sy-tcode EQ 'MIR4'.
      IF ok-code EQ 'BU'. "This prevents the user from posting
        MESSAGE 'You are not allowed to perform this function' TYPE 'E'.
        e_subrc = 4.
      ENDIF.
    ENDIF.
  ENDIF.
ENDENHANCEMENT.

  • Posting is then Prohibited for Staff:
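
The role-name lookups above match the literal role name in AGR_USERS and do not filter on the assignment's FROM_DAT/TO_DAT validity, so an expired assignment still matches and a renamed or copied role does not. As an added example (not the author's code), the same MIR4 guards can be driven by an AUTHORITY-CHECK on a custom authorization object, which turns the check into an allow-list evaluated against the authorizations in the user's master record. The class ZCL_MIR4_GUARD, the object ZMIR4_ACT and the activity values assigned to it are assumptions; the object would have to be created in SU21 and granted through the staff and manager roles.

```abap
* Added example, not the author's code. ZCL_MIR4_GUARD and the
* authorization object ZMIR4_ACT are hypothetical names.
CLASS zcl_mir4_guard DEFINITION PUBLIC FINAL.
  PUBLIC SECTION.
    CONSTANTS:
      gc_post TYPE activ_auth VALUE '10',  "assumed activity: post
      gc_park TYPE activ_auth VALUE '77'.  "assumed activity: park
    CLASS-METHODS is_allowed
      IMPORTING iv_actvt          TYPE activ_auth
      RETURNING VALUE(rv_allowed) TYPE abap_bool.
ENDCLASS.

CLASS zcl_mir4_guard IMPLEMENTATION.
  METHOD is_allowed.
    rv_allowed = abap_true.
    IF sy-tcode <> 'MIR4'.     "leave every other tcode untouched
      RETURN.
    ENDIF.
*   Allow-list: the activity must be granted explicitly.
    AUTHORITY-CHECK OBJECT 'ZMIR4_ACT'
             ID 'ACTVT' FIELD iv_actvt.
    IF sy-subrc <> 0.
      rv_allowed = abap_false.
    ENDIF.
  ENDMETHOD.
ENDCLASS.

* Parking enhancement body (include LMR1MF0D), replacing the SELECT:
IF zcl_mir4_guard=>is_allowed( zcl_mir4_guard=>gc_park ) = abap_false.
  CLEAR ok-code.
  MESSAGE 'You are not allowed to perform this function.' TYPE 'E'.
ENDIF.

* Posting enhancement body (include LMR1MF4Y), replacing the SELECT:
IF ok-code EQ 'BU'
   AND zcl_mir4_guard=>is_allowed( zcl_mir4_guard=>gc_post ) = abap_false.
  MESSAGE 'You are not allowed to perform this function' TYPE 'E'.
ENDIF.
```

With this layout the staff role carries ZMIR4_ACT with the park activity only and the manager role carries the post activity only; a user with neither can do neither in MIR4.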

8 Comments

  1. Pablo Casamayor

    Hi,

    “SAP provided authorization objects can limit the staff from posting and manager from parking.

    But if these authorization objects are used, manager cannot view the document if “Park” authorization is not provided and staff cannot post in other transactions as well which may be undesirable. Also, once the authorization is provided, manager is able to both Park and Post. The goal of the whitepaper is to let the manager view and post the document without being able to park it and limit the posting ability of the staff.”

     

    Could you provide more detail about the authorization objects mentioned in the above statement?

     

    Best regards,

    Pablo

     

  2. Pablo Casamayor

    Hi,

    with all the authorizations available…is it not possible to achieve that requirement via authorizations?

    e.g.

    https://launchpad.support.sap.com/#/notes/395471
    395471 – M_RECH_WRK: Missing authorization check

    https://launchpad.support.sap.com/#/notes/136740
    136740 – Authorizations for invoice verification in MM

    https://launchpad.support.sap.com/#/notes/133658
    133658 – Logistics invoice verification: Authorizations

    https://launchpad.support.sap.com/#/notes/399953
    399953 – Authorization for co code in Logistics Invoice Verification

    …etc

    Best regards,

    Pablo

     

  3. Soumyajit Dasmazumdar Post author

    It is somewhat possible. But as it was communicated to me, the authorizations are not geared towards a particular tcode and have a blanket effect on multiple other tcodes. Which is why this enhancement was needed.

     

    Thanks,

    Soumyajit

  4. Soumyajit Dasmazumdar Post author

    Hi Pablo,

    I have checked it. But please note, that is only one side of the story. In this thread, they want the user to be able to park but not post. But my blog also deals with users being able to post and not park.

    As it happens, the user who has to post also needs additional accesses to view/change etc for the whole scenario to work and that allows him to park as well. This causes the whole muddle.

    Thanks.

    Soumyajit

  5. Pablo Casamayor

    Hi,

    1.- regarding this:

    if rbkpv-rbstat <> c_rbstat_batch and
    rbkpv-rbstat <> c_rbstat_error.
    CLEAR rbkpv.
    endif.

    1.1.- what is the value of  c_rbstat_batch and c_rbstat_error?

    1.2.- why are you clearing rbkpv?

     

    2.- regarding this:

    PERFORM tree_clear.

    2.1.- what are you doing in that routine?

     

    Best regards,

    Pablo

  6. Soumyajit Dasmazumdar Post author

    Good catch, actually that is not my code at all. That is SAP standard code. Let me explain:

     

    1. This scenario is for when you make some changes to the tcode and try to exit it. System asks if you want to save the document with three options, “Yes” , “No” and “Cancel”.
    2. Pressing Yes will park the document.
    3. SAP has 3 sets of standard code based on the choice. Code to Park when you press yes, Code to cancel and Code if you press No.
    4. If you want to control Parking for certain users, what I did was if the User has certain roles (Manager), I just copied the code for “No” or “Cancel” to replace the Code for “Yes”.
    5. So if manager presses Yes to save the document, based on the choice you make, it will just behave as “No” or “Cancel”.

    Thanks,

    Soumyajit
