Supply Network Planning (SNP) and Demand Planning (DP) use the standard SAP authorization functions to control access to applications. For more information about authorization functions, see Identity Management of the Application Server ABAP.
See below for an overview of the authorization objects used in DP and SNP and other information specific to authorizations in DP and SNP. It assumes that you are conversant with the basic principles involved.
The following authorization objects are used in DP and SNP. They are also available for customer enhancements. These objects are described in more detail (in particular, the fields that are available together with their possible values) in the online documentation in the relevant maintenance transactions.
C_APO_MAC - Execution of macros
C_APO_ ADV- Maintenance of macros
C_APO_ADVN- Macro name check
C_APO_LOC - Master data, location
C_APO_PROD - Master data, product
C_APO_RES - Master data, resource
C_APO_TLAN - Transportation lanes
Planning Area, Book
C_AP0_PB - Planning book
C_APO_SEL3 - Selections in planning books
Authorization objects C_APO_SELE (Release 2.0) and C_APO_SEL2 (Release 3.0 up to Support Package 9) still exist in the system. They are however obsolete. If C_APO_SEL2 has been assigned to a profile, set all field values to "*".
C_APO_IOBJ – Key figure
C_APO_CPY – Copy function in data realignment
C_APO_ RLG – Realignment, maintain realignment table
General Demand Planning
C_APO_DPPR – Product
As opposed to C_APO_PROD, which checks the authorization for the master data object product, C_APO_DPPR checks against the values of the characteristic that you have defined as the product in the master planning object structure. The location is not required in the authorization check, which means that the same user can work independently of a location in DP and restricted to a location in SNP.
CA_APO_PRPF – Forecast profile
CA_APO_TSID – Time series (weighting profile, and so on)
C_APO_PROM – Promotion
C_APO_LIKE – Lifecycle profile
DP and SNP Functions
C_APO_FUN – Functions in DP and SNP
General APO Functions
C_APO_MOD - Model
C_APO_VERS - Version
Authorization Checks for Characteristics in SAP Netweaver Usage Type Business Intelligence (BI)
For more information, see Using the BI Authorization Concept in Demand Planning.
Authorization Checks in DP and SNP
All authorization checks in DP and SNP are performed by the function module /SAPAPO/MCP_PERMISSION_CHECK2 for individual data objects and /SAPAPO/MCP_PERMISSION_SELECT for a range (table) of objects such as products, locations, or planning books. This second function module incorporates the first one.
If you want to adjust the result of the check, or program your own authorization check, you can do so by using user exit /SAPAPO/SAPLMCPR_015 in function group XDMUSER.
Working with Selections
Authorization for working with selections is checked using object C_APO_FUN and the functions C_SELCTION and C_SELORG. If the user has not been assigned the C_SELCTION function, the selection icon does not appear when they open a planning book. As a result, the user cannot use the shuffler to make their own selections, but have to choose predefined selections from the list of selections.
The C_SELORG function permits the user to administer selections, that is to save selections and assign them to users.
The system checks the authorizations for both of these functions when the user calls up Interactive Planning.
The user requires authorization via object C_APO_FUN for functions C_SELE and S_SELE to execute a 'free' selection. To load a saved selection, they must have authorization for function S_SELE and for authorization object C_APO_SEL3 (C_APO_SEL2), and they need the relevant selection.
During the transfer of the objects contained in the selection, the system first checks the authorization for the selected version (C_APO_VERS). In Demand Planning, authorization checks are only performed for the objects version (C_APO_VERS), product (C_APO_PROD), and location (C_APO_LOC) for selections in the standard system. In SNP, you can check the objects version (C_APO_VERS), product (C_APO_PROD), location (C_APO_LOC), location product (C_APO_PROD), resource (C_APO_RES), and transportation lane (C_APO_TLAN). Additional authorization checks, in particular those concerning other characteristics in the selection (such as sales organizations in DP) are not provided in the standard system.
You can run additional checks if necessary by using the user exit for authorizations. With this user exit or the BAdI method 'SELECTION_CHECK' (BAdI '/SAPAPO/SDP_SELECTOR'), you can, for example, force a user to make a selection for a certain characteristic. During the authorization check in DP, only the objects specified in the selection condition are checked.
During these authorization checks for objects, the activity 'Display' (03) is used. For the objects mentioned above (in DP product and location, in SNP product, location, location product, resource and transportation lane), the system carries out an authorization check in the DP or SNP selector for the hitlist entries. If the user does not have at least display authorization for an object, this object is not displayed in the hit list.
Loading Data in Interactive Planning
When you actually load one or more objects, the permitted activities are checked. If you are in change mode, the activity 'Execute'(16) is used for all checked authorization objects. If no change authorization is available, the corresponding checks are continued with the activity 'Display'(03). The transaction switches to display mode if the data may only be displayed. If no authorization for displaying the data exists, an appropriate error message appears. No data is displayed.
When the system carries out authorization checks in background jobs, it checks the authorizations of the user who created the job. You can use the method SET_USER in BAdI /SAPAPO/SDP_BATCH to assign the job to another user.
If you have activated the BW authorization concept, the system checks all selected characteristic value combinations before it starts any other processes. If the user has no authorization for one characteristic value, the system stops the complete job and writes the corresponding messages into the log. You can check that you (or the background job user defined in the BAdI) have the necessary authorizations when creating the planning job by choosing (Check Authorization for Characteristic Values).