Stopping A User From Parking and Posting Invoice Document In MIR4 Tcode
Executive Summary
The requirement is to have two separate roles, staff and manager, for the MIR4 tcode. Staff should only be authorized to “Park” the document, and the manager should only be authorized to view the document and “Post” it. SAP-provided authorization objects can limit the staff from posting and the manager from parking.
But if these authorization objects are used, the manager cannot view the document unless “Park” authorization is provided, and staff cannot post in other transactions either, which may be undesirable. Also, once the authorization is provided, the manager is able to both Park and Post. The goal of this whitepaper is to let the manager view and post the document without being able to park it, and to limit the posting ability of the staff.
Also, note that this is required only for the MIR4 tcode, and the customer is not using Workflow for any purpose in the project. As confirmed by the security consultant, the authorization objects that would achieve this are not tcode-specific, and changing them affects the activities of other tcodes as well.
Introduction
The following steps can be used to limit a user to only viewing and posting a material invoice document even when the user has the authorization to Park. The solution has 3 parts:
- Custom Enhancement in standard include LMR1MF0D
- Custom Enhancement in standard include LMR1MF4J
A user can park a document from MIR4 in the following ways:
- Simulate subscreen
- While exiting the tcode
Solution:
- Let us create an enhancement in SAP standard include LMR1MF0D to control this
- Once created write code in the enhancement such as this:
ENHANCEMENT 154 ZMIR4_PARK_STOP_TEST_2. "active version
  DATA: v_agrname TYPE agr_name.
  " Is the manager role assigned to the current user?
  SELECT SINGLE agr_name FROM agr_users INTO v_agrname
    WHERE uname EQ sy-uname
      AND agr_name EQ 'Z_MANAGER_ROLE'.
  IF sy-subrc EQ 0.
    IF sy-tcode EQ 'MIR4'.
      " Discard the function code and stop with an error message
      CLEAR ok-code.
      MESSAGE 'You are not allowed to perform this function.' TYPE 'E'.
    ENDIF.
  ENDIF.
ENDENHANCEMENT.
- This enhancement stops Parking from the Simulate subscreen:
- And the main MIR4 screen
- Finally to take care of the Parking at the time of exiting let us create an enhancement in SAP standard include LMR1MF4J.
- In the include write code as following:
ENHANCEMENT 153 ZMIR4_PARK_STOP_TEST. "active version
  DATA: v_agrname TYPE agr_name.
  " f_answer = 'J': the user answered yes in the exit popup
  IF f_answer EQ 'J'.
    " Is the manager role assigned to the current user?
    SELECT SINGLE agr_name FROM agr_users INTO v_agrname
      WHERE uname EQ sy-uname
        AND agr_name EQ 'Z_MANAGER_ROLE'.
    IF sy-subrc EQ 0.
      IF sy-tcode EQ 'MIR4'.
        IF rbkpv-rbstat <> c_rbstat_batch AND
           rbkpv-rbstat <> c_rbstat_error.
          CLEAR rbkpv.
        ENDIF.
        " Leave the transaction without parking the document
        IF sy-calld IS INITIAL.
          PERFORM tree_clear.
          SET SCREEN 0. LEAVE SCREEN.
*         PERFORM tree_clear.
        ELSE.
          LEAVE.
        ENDIF.
      ENDIF.
    ENDIF.
  ENDIF.
ENDENHANCEMENT.
- This will cause the tcode to exit without Parking. If you want the tcode to not exit, just write:
  DATA: v_agrname TYPE agr_name.
  IF f_answer EQ 'J'.
    SELECT SINGLE agr_name FROM agr_users INTO v_agrname
      WHERE uname EQ sy-uname
        AND agr_name EQ 'Z_MANAGER_ROLE'.
    IF sy-subrc EQ 0.
      IF sy-tcode EQ 'MIR4'.
        " Discard the function code so that the tcode stays open
        CLEAR ok-code.
      ENDIF.
    ENDIF.
  ENDIF.
Thus, by following the steps above, we can stop a user from parking a document from MIR4 despite having Parking authorization.
Limit the posting access for Staff:
- Following are the options for posting in MIR4 transaction:
- Create an enhancement in standard include LMR1MF4Y
- Write code in the enhancement as below:
ENHANCEMENT 155 ZMIR4_PARK_STOP_TEST_3. "active version
  DATA: v_agrname TYPE agr_name.
  " Is the staff role assigned to the current user?
  SELECT SINGLE agr_name FROM agr_users INTO v_agrname
    WHERE uname EQ sy-uname
      AND agr_name EQ 'Z_STAFF_ROLE'.
  IF sy-subrc EQ 0.
    IF sy-tcode EQ 'MIR4'.
      IF ok-code EQ 'BU'. "This prevents the user from posting
        MESSAGE 'You are not allowed to perform this function' TYPE 'E'.
        e_subrc = 4.
      ENDIF.
    ENDIF.
  ENDIF.
ENDENHANCEMENT.
- Posting is then Prohibited for Staff:
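Added example, not code from the original post: the SELECTs above match any AGR_USERS row for the user and role, including a row outside its validity period. The class below adds the FROM_DAT/TO_DAT check and keeps the role names, the tcode and the 'BU' function code in one place; the class name ZCL_MIR4_ROLE_GUARD and its method names are assumptions.

```abap
* Added example: date-aware version of the role lookups used above.
* ZCL_MIR4_ROLE_GUARD and its methods are hypothetical names.
CLASS zcl_mir4_role_guard DEFINITION PUBLIC FINAL CREATE PRIVATE.
  PUBLIC SECTION.
    CONSTANTS:
      c_role_manager TYPE agr_name VALUE 'Z_MANAGER_ROLE',
      c_role_staff   TYPE agr_name VALUE 'Z_STAFF_ROLE',
      c_tcode_mir4   TYPE sy-tcode VALUE 'MIR4'.
    CLASS-METHODS:
      has_active_role
        IMPORTING iv_role          TYPE agr_name
        RETURNING VALUE(rv_active) TYPE abap_bool,
      park_blocked
        RETURNING VALUE(rv_blocked) TYPE abap_bool,
      post_blocked
        IMPORTING iv_okcode         TYPE sy-ucomm
        RETURNING VALUE(rv_blocked) TYPE abap_bool.
ENDCLASS.

CLASS zcl_mir4_role_guard IMPLEMENTATION.
  METHOD has_active_role.
    DATA lv_role TYPE agr_name.
    " Count only assignments whose validity period includes today
    SELECT SINGLE agr_name FROM agr_users INTO lv_role
      WHERE uname    EQ sy-uname
        AND agr_name EQ iv_role
        AND from_dat LE sy-datum
        AND to_dat   GE sy-datum.
    rv_active = boolc( sy-subrc = 0 ).
  ENDMETHOD.

  METHOD park_blocked.
    " Managers may not park, and only MIR4 is restricted
    IF sy-tcode = c_tcode_mir4.
      rv_blocked = has_active_role( c_role_manager ).
    ENDIF.
  ENDMETHOD.

  METHOD post_blocked.
    " Staff may not post ('BU'), and only MIR4 is restricted
    IF sy-tcode = c_tcode_mir4 AND iv_okcode = 'BU'.
      rv_blocked = has_active_role( c_role_staff ).
    ENDIF.
  ENDMETHOD.
ENDCLASS.
```

In each enhancement the inline SELECT and nested IFs then reduce to one call, for example IF zcl_mir4_role_guard=>park_blocked( ) = abap_true, followed by the same CLEAR and MESSAGE statements as before.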
Hi,
"SAP provided authorization objects can limit the staff from posting and manager from parking.
But if these authorization objects are used, manager cannot view the document if “Park” authorization is not provided and staff cannot post in other transactions as well which may be undesirable. Also, once the authorization is provided, manager is able to both Park and Post. The goal of the whitepaper is to let the manager view and post the document without being able to park it and limit the posting ability of the staff"
Could you provide more detail about the authorization objects mentioned in the above statement?
Best regards,
Pablo
Hello Pablo,
As per the SAP Securities consultant, there are many auth objects regarding this. Two of them are:
F_BKPF_KOA
F_BKPF_BUK
Thanks,
Soumyajit
Hi,
with all the authorizations available…is it not possible to achieve that requirement via authorizations?
e.g.
https://launchpad.support.sap.com/#/notes/395471
395471 – M_RECH_WRK: Missing authorization check
https://launchpad.support.sap.com/#/notes/136740
136740 – Authorizations for invoice verification in MM
https://launchpad.support.sap.com/#/notes/133658
133658 – Logistics invoice verification: Authorizations
https://launchpad.support.sap.com/#/notes/399953
399953 – Authorization for co code in Logistics Invoice Verification
…etc
Best regards,
Pablo
It is somewhat possible. But as it was communicated to me, the authorizations are not geared towards a particular tcode and have a blanket effect on multiple other tcodes. Which is why this enhancement was needed.
Thanks,
Soumyajit
Hi,
have you read Erika Szanto's answer in the following thread? (it's quite interesting).
MIR7 posting issue
Best regards,
Pablo
Hi Pablo,
I have checked it. But please note, that is only one side of the story. In this thread, they want the user to be able to park but not post. But my blog also deals with users being able to post and not park.
As it happens, the user who has to post also needs additional accesses to view/change etc for the whole scenario to work and that allows him to park as well. This causes the whole muddle.
Thanks.
Soumyajit
Hi,
1.- regarding this:
if rbkpv-rbstat <> c_rbstat_batch and
rbkpv-rbstat <> c_rbstat_error.
CLEAR rbkpv.
endif.
1.1.- what is the value of c_rbstat_batch and c_rbstat_error?
1.2.- why are you clearing rbkpv?
2.- regarding this:
PERFORM tree_clear.
2.1.- what are you doing in that routine?
Best regards,
Pablo
Good catch, actually that is not my code at all. That is SAP standard code. Let me explain:
Thanks,
Soumyajit