What is the best way to restrict movement types within transactions for a particular activity group? For example, I have an activity group which contains transaction code MB1A. I want to restrict this to movement types 221, 222, for example. However when we test, other transactions within this activity group are now also restricted e.g. MB1B. So everything that uses MSEG_BWA is affected. This means that every single transaction within the activity group needs to be checked in case it uses this. In some cases, even transaction codes that are flagged as having no impact, do not work. Is there a better way to do this?
It's hard to imagine why you would restrict movement types for one transaction and not for all. However, the obvious choice is that you could brake MB1A out of the role, and include it in its own; but if you assign both roles (the ole role, and the MB1A role) to the same user... you will not receive the desired effect. Ultimately, you are caught in the "SAP Authorization Concepts" paradox; which simply means that authorizations over lap. Your best bet may be to explore a user exit in the CODE behind MB1A to add an additional authorization check for those movement types.
No silver bullets on this one...
This was first published in March 2002