
Monday, June 13, 2011

SAP Note 1235367 - Missing authority check in APO transaction.

Symptom

For maintenance of planning-relevant characteristic combinations, only display and change rights can be checked (object C_APO_FUN, functions S_CHARC and C_CHARC). There is no way to limit user rights for deletion.


Other terms
maintain CVCs, C_APO_FUN


Reason and Prerequisites
It might be useful to limit user rights for deletion of CVCs.


Solution
A new authorization object C_APO_CVC is created with fields ACTVT and APO_PSTRU. The following activities can be set: create CVCs, display CVCs, delete CVCs.
This authorization object is added to the objects checked by function module /SAPAPO/MCP_PERMISSION_CHECK2.
The behaviour of characteristic combination maintenance won't change if the new object C_APO_CVC is not assigned to any user, since the original object C_APO_FUN with function S_CHARC/C_CHARC is still checked. In addition the new object C_APO_CVC is also checked.

Note 1262016 has been created to check C_APO_CVC at other points where a user might be able to maintain CVCs.

If the system does not allow you to create the new authorization object (SAP namespace), you can import the attached files (102842.zip contains K102842.A3P and R102842.A3P), which contain the authorization object. The procedure is described in note 13719.

Manual activities:
Start transaction SU21, select object class 'APO', from context menu select 'Create Authorization Object'.

Enter
Object = C_APO_CVC
Text   = APO Authorization Object: CVC Maintenance

Choose fields
ACTVT Activity
APO_PSTRU Planning Object Structure ID

Maintain 'Permitted Activities', marking the following entries:
01 Create or generate
03 Display
06 Delete

Maintain 'Authorization Object Documentation':
Definition
'You can use the authorization object C_APO_CVC to specify whether a user can maintain characteristic value combinations of a planning object structure in Demand Planning.

The rights that you assign here refer to all CVCs of a planning object structure, and not to individual CVCs.'

Defined fields
'The ACTVT field is available for maintaining the authorization object C_APO_CVC. You can choose the following activities for the ACTVT field:

01 (Create): Create CVCs

03 (Display): Display CVCs

06 (Delete): Delete CVCs


The APO_PSTRU field defines the planning object structure for which the user is allowed to execute the activities maintained in ACTVT.'
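
The following review script is an added example, not part of the SAP note: it lists which users pass a C_APO_CVC check for a given activity and planning object structure, applying the usual authorization rule that both fields must match within the same authorization. The export layout, user names and structure IDs are constructed for illustration. It evaluates C_APO_CVC alone, so the C_APO_FUN check that the note says still applies is outside it.

```python
# Constructed sample: one entry per C_APO_CVC authorization held by a user.
# User names and planning object structure IDs are hypothetical.
AUTHS = [
    {"user": "PLANNER1", "ACTVT": ["01", "03"], "APO_PSTRU": ["*"]},
    {"user": "PLANNER2", "ACTVT": ["03"], "APO_PSTRU": ["*"]},
    {"user": "PLANNER2", "ACTVT": ["06"], "APO_PSTRU": ["ZTEST*"]},
    {"user": "ADMIN1", "ACTVT": ["*"], "APO_PSTRU": ["ZPROD_DP"]},
    {"user": "BATCH1", "ACTVT": [("01", "06")], "APO_PSTRU": ["ZPROD_DP"]},
]


def value_matches(allowed, checked):
    """Match one maintained value: (from, to) range, trailing-* pattern, or exact."""
    if isinstance(allowed, tuple):
        low, high = allowed
        return low <= checked <= high
    if allowed.endswith("*"):
        return checked.startswith(allowed[:-1])
    return allowed == checked


def authorization_passes(auth, actvt, pstru):
    """Both fields must match inside the SAME authorization; values held in
    two different authorizations of one user are never combined."""
    return (any(value_matches(v, actvt) for v in auth["ACTVT"])
            and any(value_matches(v, pstru) for v in auth["APO_PSTRU"]))


def users_allowed(auths, actvt, pstru):
    """Sorted list of users holding at least one passing authorization."""
    return sorted({a["user"] for a in auths
                   if authorization_passes(a, actvt, pstru)})


def delete_report(auths, structures):
    """Map each planning object structure to the users who may delete its CVCs."""
    return {s: users_allowed(auths, "06", s) for s in structures}


if __name__ == "__main__":
    for pstru, users in delete_report(AUTHS, ["ZPROD_DP", "ZTEST_DP"]).items():
        print(f"ACTVT 06 (Delete) on {pstru}: {', '.join(users) or 'nobody'}")
```

PLANNER2 holds delete rights only for structures starting with ZTEST, so the display authorization with APO_PSTRU = * does not extend them to ZPROD_DP, while the activity range held by BATCH1 does include 06.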






Affected Releases
Software Component   Release   From Release   To Release   And subsequent
SCM                  410       410            410
SCM                  500       500            500
SCM                  510       510            510
SCM                  700       700            700

Correction delivered in Support Package
Support Packages   Release   Package Name
SCM                410
SCM                500
SCM                500
SCM                510
SCM                700

Corrections Instructions
Correction Instruction   Valid from   Valid to   Software Component   Last Modification
                         510          510        SCM                  09.10.2008  10:37:23
                         410          410        SCM                  21.10.2008  09:49:21
                         700          700        SCM                  28.07.2008  14:34:53
                         500          500        SCM                  29.07.2008  13:51:16





Direct Link : https://service.sap.com/sap/support/notes/1235367
