We are trying to restrict users by plant in transaction code IW32 and have this at the organization level. It is not working. I have looked at all the objects using SU24 and reviewed the access, but no luck. Where else can I look?
You should certainly use SAP's very robust authorization trace function in transaction ST01 to help you understand whether plant-level security is available. My own rudimentary analysis suggests that if the maintenance plant is provided in the location tab in transaction IW32, then object I_SWERK, which includes maintenance plant, will be checked. This may require that you configure the transaction so that maintenance plant is a required field. If the authorization check is not invoked in a part of the process that is meaningful for your security objectives, then consider using user exits. Look at the exits starting with CONF* in transaction SMOD, and work with a developer and a functional PM expert to determine whether any of these are called in a way that will satisfy your security requirements.