In a recent project I had the requirement to control authorization for SD-Documents (sales orders and billing documents) based on the sales office (VBAK-VKBUR).
Neither in ERP nor in S/4HANA SAP provides a suitable authorization object, although it seems to be a common requirement, so the only way is to develop it on your own. The object might look like this (defintion from SU21):
There is an identical Z-object that is used to control billing documents instead of sales orders.
Keep in mind, that this is an extension to the common authorization objects V_VBAK_VKO and V_VBRK_VKO and you need to adapt your roles otherwise the whole process won’t work anymore.
There is SAP Note 3046057, which is based on a customer connection project, that gives a few hints and implementation examples on this issue, but no out-of-the-box-solution.
Those changes have the intention to only enable a user to create, change, view or print certain documents within the SD-Application based on his sales office assignments. The incompleteness check is setup for sales office to be checked, so leaving it empty prevents the document from being checked but also from being processed further.
All changes could also be used for checking the sales group, but it’s not covered here.
The following table shows different applications and locations where the object is being checked. There might be some more places to implement a check, e.g. in search helps, apps or transactions.
|Activity||Application||When||ABAP Object Type||Object||Comments|
|Create Sales Order||VA01||At Saving||Userexit||MV45AFZZ / save_document_prepare|
|Create Sales Order||VA01||Before Creation||Implicit Enh.||MV45AF0B_BERECHTIGUNG_PRUEFEN||Necessary if BAPI is used for creation|
|Create with Reference||VA01||Before Creation||VOFM||Depends on copy routines|
|Change Sales Order||VA02||Before Display||Userexit||MV45AFZZ / move_field_to_vbak|
|Change Sales Order||VA02||Before Save||Userexit||MV45AFZZ / save_document_prepare|
|Display Sales Order||VA03||Before Display||Userexit||MV45AFZZ / move_field_to_vbak|
|Manage Sales Order||Fiori||Execute List||CDS Access Control||C_SalesOrderWl_F1873|
|Track Sales Orders||Fiori||Execute List||CDS Access Control||C_SlsDocFlfmntAnalyzer|
|List Sales Orders||VA05||Execute List||Userexit||BADI_SDOC_WRAPPER_MASS|
|Create Invoice||VF01||Before Creation||Userexit||RV60AFZC||Include Creation via VF04|
|Change Invoice||VF02||Before Display||Implicit Enh.||RV_INVOICE_DOCUMENT_READ|
|Manage Invoices||Fiori||Execute List||CDS Access Control||C_BillingDocument_F0797|
|Billing due List||VF04||Execute List||Implicit Enh.||SDBILLDL / additional_filter_vkbur_ernam|
|Cancel Invoice||VF11||Before Execute||not done yet|
|Manage Credit Memo request||Fiori||Execute List||CDS Access Control||C_CreditMemoRequestWL_F1989|
|Create Credit Note with Reference||VA01||Before Creation||VOFM||depends on VOFM outine|
|Print invoice||VF31||Before print||depends on your print program||includes print preview|
A typical authorization check in ABAP for creating or changing a sales order might look like this:
If the new object should be integrated into Fiori-apps, then it’s very likely to extend the CDS’ access control by creating a new access control object that inherits from the existing one.
All changes were made with regards to survive an upgrade of the system and not cause high effort by adjusting modifications in SPAU.
Hope this helps, feel free add some comments.