Setting Up Authorization Verification

Objectives

After completing this lesson, you will be able to:
  • Outline the asymmetrical double verification principle
  • Outline the symmetrical double verification principle
  • Set up a double verification for administrators

Asymmetrical Double Verification Principle

In this procedure, two users are always required to be able to create or change an infotype's data. The users do not have the same authorizations, which is why the process is called asymmetrical. User A is granted authorizations with the authorization level E ("enqueue"), R ("read") and M ("matchcode") for the P_ORGIN (or P_ORGXX) authorization object instead of complete write authorizations (authorization level W or *). These authorizations allow the user to create, change or delete locked records only.

User B is granted authorizations with the authorization level D ("dequeue"), R and M for the authorization object P_ORGIN (or P_ORGXX) instead of complete write authorizations. These authorizations allow the user to unlock locked records (or lock unlocked records) only.

New data is entered by user A and unlocked by user B. Existing data can be changed in two ways: User B locks the data, user A changes the data, and user B unlocks the data again. Alternatively, user A creates a locked copy from the unlocked data and changes this copy. User B then unlocks the data. To delete unlocked data, user B locks the data, which is then deleted by user A.

In this process, user A is always responsible for entering and changing data and user B for approving the changes.

Symmetrical Double Verification Principle

In this procedure, two users are always required to be able to create or change an infotype's data. The users have the same authorizations for this. The procedure is as follows: Both users are granted authorizations with the authorization level S ("symmetrical"), R ("read") and M ("matchcode") for the P_ORGIN (or P_ORGXX) authorization object instead of full write authorizations (authorization level W or *). These authorizations allow each user to create locked data records, change locked data records, and relock unlocked data records. In addition, each user can unlock data as long as he or she is not the last person to have changed the locked data. Neither user can delete data.

New data is created by user A (or user B) and locked by user B (or user A).

To change existing data: user A (or user B) locks and changes the data and user B (or user A) unlocks the data.

Another user must be consulted to delete existing data.
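The following Python sketch is an added example, not SAP code or part of the original lesson. It models the write actions that levels E, D, S and W permit as described in the asymmetrical and symmetrical sections above. The function and action names are hypothetical, and treating a lock or unlock as not counting as a "change" is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Record:
    locked: bool                          # lock indicator of the infotype record
    last_changed_by: Optional[str] = None

def allowed(level: str, action: str, rec: Record, user: str) -> bool:
    """Write actions one P_ORGIN authorization level permits, per the lesson text."""
    if level in {"W", "*"}:               # complete write authorization: no second user needed
        return True
    if level == "E":                      # enqueue: create, change or delete locked records only
        return action in {"create_locked", "change", "delete"} and rec.locked
    if level == "D":                      # dequeue: unlock locked records or lock unlocked ones
        return (action == "unlock" and rec.locked) or (action == "lock" and not rec.locked)
    if level == "S":                      # symmetrical: never delete
        if action in {"create_locked", "change"}:
            return rec.locked
        if action == "lock":
            return not rec.locked
        if action == "unlock":            # only if someone else made the last change
            return rec.locked and rec.last_changed_by != user
    return False                          # R and M grant no write action

def perform(user: str, level: str, action: str, rec: Record) -> Optional[Record]:
    """Apply an action and return the resulting record, or raise if the level forbids it."""
    if not allowed(level, action, rec, user):
        raise PermissionError(f"{user} (level {level}) may not {action}")
    if action == "delete":
        return None
    if action in {"create_locked", "change"}:
        return Record(True, user)
    # Assumption: lock/unlock only flips the indicator and is not itself a "change".
    return Record(action == "lock", rec.last_changed_by)

def activates_alone(level: str, user: str = "A") -> bool:
    """True if one user holding only `level` can create a record and make it active."""
    try:
        rec = perform(user, level, "create_locked", Record(locked=True))
        return not perform(user, level, "unlock", rec).locked
    except PermissionError:
        return False
```

Running `activates_alone` over each level used in a role design is a quick check that no single role can both record and release data.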

Double Verification Principle

You want to ensure that the Additional Payments infotype (0015) can only be edited by two administrators together. To achieve this, you want to set up the asymmetrical double verification principle where one of the administrators is responsible for recording the data and the other administrator is responsible for controlling the process.

The administrator responsible for recording the data requires the authorization for the P_ORGIN authorization object shown on the left in the figure "Example: Double Verification Principle". The administrator responsible for controlling the data requires the authorization on the right in the same figure.

How to Set Up a Double Verification for Administrators

Refer to the exercise titled Set Up a Double Verification for Administrators for detailed steps to complete this demonstration.

Set Up a Double Verification for Administrators

Business Scenario

The personnel administrators in your company should only be able to save new data records of infotype 0008 in the system as locked data records. As a symmetrical double verification procedure, the head of the HR department should check the accuracy of the data entered and activate the data by removing the lock indicator. Only then will the data be saved in the system and become effective.