Stopping A User From Parking and Posting Invoice Document In MIR4 Tcode

Executive Summary

The requirement is to have two separate roles for staff and manager regarding MIR4 tcode. Staff should only have the authorization to “Park” the document and manager only the authorization to view the document and “Post”. SAP provided authorization objects can limit the staff from posting and manager from parking.

But if these authorization objects are used, manager cannot view the document if “Park” authorization is not provided and staff cannot post in other transactions as well which may be undesirable. Also, once the authorization is provided, manager is able to both Park and Post. The goal of the whitepaper is to let the manager view and post the document without being able to park it and limit the posting ability of the staff.

Also, note that this is required only for the purpose of MIR4 tcode and the customer is not using WorkFlow for any of purposes in the project. As confirmed by the security consultant, the authorization objects to achieve this are not tcode specific and playing with them messes up the activities of other tcodes as well.

Introduction

The following steps can be used to limit a user to only viewing and posting a material invoice document even when having the authorization to Park. The solutionhas 3 parts:

• Custom Enhancement in standard include LMR1MF0D
• Custom Enhancement in standard include LMR1MF4J

Following are the options a user can opt to park a document from MIR4

Simulate Subscreen :

While exiting the Tcode

Solution :

• Let us create an enhancement in SAP standard include LMR1MF0D to control this

• Once created write code in the enhancement such as this:

ENHANCEMENT 154  ZMIR4_PARK_STOP_TEST_2.    “active version
DATA: v_agrname TYPE agr_name.
SELECT SINGLE agr_name FROM agr_users INTO v_agrname
WHERE uname EQ sy-uname
AND   agr_name EQ ‘Z_MANAGER_ROLE.
IF sy-subrc EQ 0.
IF sy-tcode EQ ‘MIR4’.
CLEAR OK-CODE.
MESSAGE ‘You are not allowed to perform this function.’ TYPE ‘E’.

ENDIF.
ENDIF.

• This enhancement stops Parking from the Simulate subscreen:

• And the main MIR4 screen

• Finally to take care of the Parking at the time of exiting let us create an enhancement in SAP standard include LMR1MF4J.

• In the include write code as following:

ENHANCEMENT 153  ZMIR4_PARK_STOP_TEST.    “active version

DATA: v_agrname TYPE agr_name.
if f_answer EQ ‘J’.
SELECT SINGLE agr_name FROM agr_users INTO v_agrname
WHERE uname EQ sy-uname
AND   agr_name EQ ‘Z_MANAGER_ROLE’.
IF sy-subrc EQ 0.
IF sy-tcode EQ ‘MIR4’.
if rbkpv-rbstat <> c_rbstat_batch and
rbkpv-rbstat <> c_rbstat_error.
CLEAR rbkpv.
endif.
IF sy-calld IS INITIAL.
PERFORM tree_clear.
SET SCREEN 0. LEAVE SCREEN.
*       PERFORM tree_clear.
ELSE.
LEAVE.
ENDIF.
ENDIF.
ENDIF.
ENDIF.
ENDENHANCEMENT.

• This will cause the tcode to exit without Parking. If you want the tcode to not exit, just write:

DATA: v_agrname TYPE agr_name.
if f_answer EQ ‘J’.
SELECT SINGLE agr_name FROM agr_users INTO v_agrname
WHERE uname EQ sy-uname
AND   agr_name EQ ‘Z_MANAGER_ROLE’.
IF sy-subrc EQ 0.
IF sy-tcode EQ ‘MIR4’.

CLEAR ok-code.
ENDIF.
ENDIF.
ENDIF.

Thus by following the steps above steps we can stop a user from parking a document from MIR4 despite having Parking authorization.

Limit the posting access for Staff:

• Following are the options for posting in MIR4 transaction:

• Create an enhancement in standard include LMR1MF4Y
• Write code in the enhancement as below:

ENHANCEMENT 155  ZMIR4_PARK_STOP_TEST_3.    “active version
DATA: v_agrname TYPE agr_name.
SELECT SINGLE agr_name FROM agr_users INTO v_agrname
WHERE uname EQ sy-uname
AND   agr_name EQ ‘Z_STAFF_ROLE’.
IF sy-subrc EQ 0.
IF sy-tcode EQ ‘MIR4’.
IF ok-code EQ ‘BU’. “This prevents the user from posting
MESSAGE ‘You are not allowed to perform this function’ Type ‘E’.
e_subrc = 4.
ENDIF.
ENDIF.
ENDIF.
ENDENHANCEMENT.

• Posting is then Prohibited for Staff: