Enterprise Resource Planning Blogs by SAP
Get insights and updates about cloud ERP and RISE with SAP, SAP S/4HANA and SAP S/4HANA Cloud, and more enterprise management capabilities with SAP blog posts.
Sudhakar626

One of our clients has a unique requirement: different authorizations for Stock Transport Orders (STOs) and Purchase Orders (POs), such that users can change STOs at the shipping location and POs at the receiving location. The rationale is that only the shipping location may initiate changes to stock transfer orders, and only the receiving location may change external purchase orders (to suppliers). They need this type of access primarily to handle exception scenarios on the shop floor during inbound and outbound processing in a timely fashion, without delegating these tasks to a super user with broad access to all locations. The same user should not be granted access to more than one location. They use the standard SAP purchase order T-codes (ME21N, ME22N, and ME23N) to view, create, and change POs and STOs. For example, a user at the Atlanta location should be able to modify the stock transfer orders with Atlanta as the shipping location and the purchase orders with Atlanta as the receiving location.

SAP Note 751129 details the authorizations in the purchasing T-codes ME21N, ME22N, and ME23N.

The standard SAP logic checks the following authorization objects:

- M_BEST_BSA (document type in PO)

- M_BEST_EKG (purchasing group in PO)

- M_BEST_EKO (purchasing organization in PO)

- M_BEST_WRK (plant in PO)

With the M_BEST_WRK authorization object, the standard logic checks "WERKS" (the receiving location) of the purchase order document (either STO or PO), as shown below.

Sudhakar626_0-1706448855535.png

That is, if access is granted to users at the Atlanta location, they can change any purchase order document (both STO and PO) with Atlanta as the "receiving location". However, as mentioned above, the requirement is that the user should only change STOs with Atlanta as the "shipping location", not as the "receiving location".

In summary, this requirement cannot be met using the standard SAP authorization objects.

Solution: This requirement can be met by implementing the suggestions in the same SAP Note 751129: create a custom authorization object and implement the authorization checks in one of the BAdIs ME_PROCESS_REQ_CUST and ME_PROCESS_PO_CUST.

Here are the details:  

It consists of three steps:

Configuration of Custom Authorization Object:

Step 1: Using T-code SU21, create a new custom authorization object "ZM_BEST_WK" with two fields, ACTVT and WERKS, modeled on the M_BEST_WRK auth object. For reference, here are the details of the standard authorization object M_BEST_WRK.

Sudhakar626_1-1706448855535.png

Implement BADi logic:

Step 2: In one of the BAdIs, implement the following logic:

Check the custom Auth object with "Receiving Location" for PO documents and "Shipping Location" for STO documents.

Here is the sample pseudo logic:

```abap
" The document type is used to differentiate between STOs and POs.
IF is_ekko-bsart = '???'.
  " PO documents: check the receiving location.
  AUTHORITY-CHECK OBJECT 'ZM_BEST_WK'
           ID 'ACTVT' FIELD '02'            " change access
           ID 'WERKS' FIELD is_ekpo-werks.  " werks holds the receiving location
ELSE.
  " STO documents: check the shipping location.
  AUTHORITY-CHECK OBJECT 'ZM_BEST_WK'
           ID 'ACTVT' FIELD '02'            " change access
           ID 'WERKS' FIELD is_ekpo-reswk.  " reswk holds the shipping location
ENDIF.

" AUTHORITY-CHECK only sets sy-subrc; if the auth check fails, throw an error.
IF sy-subrc <> 0.
  MESSAGE 'No authorization to change this document for the location' TYPE 'E'.
ENDIF.
```

Authorization Set up:   

Step 3: (i) Grant users access to all locations for the M_BEST_WRK auth object, thus voiding the standard M_BEST_WRK checks in the standard SAP logic.

(ii) Grant users location-level access for the ZM_BEST_WK auth object, as the custom BAdI implementation performs the authorization check on it. With the standard check voided in (i), this custom check is what enforces the location restriction.

Final Note:

After these changes, if a user at the Atlanta location is given access for the ZM_BEST_WK auth object, they can change "STO" documents with Atlanta as the shipping location and "PO" documents with Atlanta as the receiving location. They cannot change any other STO or PO documents of other locations.
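
The access outcomes described above can be verified with a small role-design model. This is an added example, not code from the original post or from SAP: a Python simulation of the two authorization objects using constructed documents and the hypothetical plant codes ATL and DAL. The `badi_active` switch is an assumption, used to show what the wildcard on M_BEST_WRK allows wherever the custom check does not run.

```python
# Model of the page's authorization design; not SAP code. All values are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Doc:
    ebeln: str   # constructed document number
    kind: str    # "PO" or "STO" (the page derives this from the document type BSART)
    werks: str   # receiving location
    reswk: str   # shipping location (empty for external POs)

def authority_check(profile, obj, actvt, werks):
    """Return 0 if an authorization for obj covers both field values, else 4 (like sy-subrc)."""
    for a_actvt, a_werks in profile.get(obj, []):
        if a_actvt in ("*", actvt) and a_werks in ("*", werks):
            return 0
    return 4

def standard_check(profile, doc):
    # Standard logic: M_BEST_WRK is checked against the receiving location only.
    return authority_check(profile, "M_BEST_WRK", "02", doc.werks) == 0

def badi_check(profile, doc):
    # Custom logic from Step 2: receiving location for POs, shipping location for STOs.
    plant = doc.werks if doc.kind == "PO" else doc.reswk
    return authority_check(profile, "ZM_BEST_WK", "02", plant) == 0

def changeable(profile, docs, badi_active=True):
    """Document numbers the user may change; badi_active=False models a path that skips the BAdI."""
    return [d.ebeln for d in docs
            if standard_check(profile, d) and (badi_check(profile, d) or not badi_active)]

DOCS = [  # constructed sample documents
    Doc("PO-1", "PO", "ATL", ""),        # external PO received at Atlanta
    Doc("PO-2", "PO", "DAL", ""),        # external PO received elsewhere
    Doc("STO-1", "STO", "DAL", "ATL"),   # STO shipped from Atlanta
    Doc("STO-2", "STO", "ATL", "DAL"),   # STO received at Atlanta
]
STANDARD_ONLY = {"M_BEST_WRK": [("02", "ATL")]}                        # role before the change
STEP3 = {"M_BEST_WRK": [("02", "*")], "ZM_BEST_WK": [("02", "ATL")]}  # role after Step 3

if __name__ == "__main__":
    print("standard role:", changeable(STANDARD_ONLY, DOCS, badi_active=False))
    print("step 3 role:  ", changeable(STEP3, DOCS))
    print("BAdI skipped: ", changeable(STEP3, DOCS, badi_active=False))
```

The third line of output lists all four documents, which is why the role test plan should cover every way these users can reach a purchase order change, not only ME22N.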

Thank you and hope you find this blog useful!
