However, to do this we have had to add certain authorizations (e.g. A_S_ANLKL etc.) to the Goods Receipting role. This in itself is not an issue but when a user has other asset-related roles the additive effect of autorizations presents a security problem.
In attempting to overcome this we have created a new authorization object ZA_S_ANLKL that is effectively a copy of A_S_ANLKL. This authorization object has been assigned to transaction AS02 via SE93. This allows me to add an extra check for activity=02 but it does not allow me to put the relevant classes and company codes in a role. Is there a better approach?
I would use a customer exit in the ABAP behind MIGO to check for the specified values in your custom authorization object. Additionally, you should determine if there is a similar exit to comment out the A_S_ANLKL check that is undesired.
Dig Deeper on SAP security
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.