The SAP Fan Club Forums

[AIZ]

All,

Iam facing the following issue in ECC 6

raised from Security side as we don’t have possibility on restricting the below transactions on either Plant level or some of the organizational level.
QE03, QI03, MBGR, ZQM_ORDER_COG, BMBC, COHVPI, COR2, QA05, QA10L, QI01, QI02, MIGO_GI, MIGO_GR, QPR1, QPR2, LT05, QS21, QS23, QS33, QS31, QS32, QS22, QS23, QDV1, QDV2, QDV7, CV02N, CC01, CC02

Any ideas on how security can be used to restrict the QM transactions listed here .

We arent getting WERKS( Plant ) when we do PFCG for these transactions.

Thanks

[Craig]

Are you saying you can't use plant level because it is not available because of SAP or you can't use it becasue of your business processes?

Several of those transactions should have plant level security available to them.

Some of the transactions don't typically get security on the transaction as security is handled at a different level, i.e. BMBC. The transactions available via BMBC are used to control access.

LT05 should have security down to the warehouse level.

I only glanced at a few.

Maybe you can elaborate a bit.

Craig

[AIZ]

Craig,

Thanks for the reply. The transactions listed below cannot be restricted at the plant level. We checked for some of the QM transactions and during testing user A can view inspection methods in plant A and plant B. We are not able to restrict at the plant level. We also checked the security settings using PFCG , there is no plant field( WERKS) , so we cannot restrict based on plant using PFCG.

Kindly let me know if you have any past experiences or tech details which can help me out here. We are currently using ECC 6.0

[thx4allthefish]

Did you go through an updgrade to get to ECC 6.0?

Have you done your SU25 afterwards? And - of course, your SU24? Did you adjust all your roles and load the objects?

This is definitely an issue on your system - I went through an upgrade a couple of weeks ago and during the (ongoing) tests I can at least say for LT05 that it is leveled at LGNUM (not plant, though).

BMBC is (actively) checking these objects:

C_CACL_DSG
C_CLAS_UTI
C_DRAD_OBJ
C_KLAH_BKP
C_KLAH_BSE
C_TCLA_BKA
C_TCLS_BER
C_TCLS_MNT
M_MATE_BIC
M_MATE_BWT
M_MATE_CHG
M_MATE_MAN
M_MATE_MAT
M_MATE_WGR
M_MATE_WRK <--- plant
M_MATE_ZST
M_MSEG_BWA
M_MSEG_LGO <--- storage location (if this check is configured in customising)
M_MSEG_WMB
M_MSEG_WWA

Migo_GI checks on:

M_MATE_STA
M_MSEG_BMB
M_MSEG_WMB <-- plant
M_MSEG_WWE <-- plant

I have been tracing MIGO, all checks are performed.

Unfortunately I cannot check on the QM-transactions, since we don't have QM implemented ...

Please do the following: ask one of your test-users to have a session with you and run a ST01 on her/him whilst she/he is going through the transactions you mentioned. Check the objects you find positively processed against the ones proposed in SU24. Try to sort out the missing ones. Then have your Sec-team take a look at the whole thing again.

BTW. I am going to move this to the security forum. Folks there might have still more insights they can share.

[Craig]

I asked Fish to pop over from the security forum to address this posting. She was gracious enough to do so.

Thanks Fish!!!!!

Craig