Symptom
A business user is assigned a business role that has restricted access rights for supplier invoicing. When the user creates a supplier invoice, the system displays the message "You are not authorized to change the data", but the user can still successfully create the invoice.
Environment
SAP Business ByDesign
Reproducing the Issue
- Log in with the user credentials.
- Navigate to the Supplier Invoicing work center and then to the Invoices and Credit Memos view.
- Select the relevant purchase order.
- Click on New Invoice and post the invoice. The user successfully posts the invoice despite the warning message: "You are not authorized to change the data".
Cause
- The user is assigned business role ABC (ABC represents the business role ID), and business role ABC has restricted access rights for work center views SRM_INVOICESANDCREDITMEMOS and SRM_INVOICEENTRY. However, work center views SRM_INVOICESANDCREDITMEMOS and SRM_INVOICEENTRY are not assigned to the user, so the access restrictions set in business role ABC do not take effect for the user.
- The user is also assigned access right SRM_SIV_TASKS or SRM_WORK, which also allows the user to create supplier invoices.
Resolution
Case 1:
Assign the respective work center views SRM_INVOICESANDCREDITMEMOS and SRM_INVOICEENTRY to the business user; the access restrictions set in the business role will then take effect for the user.
Case 2:
Remove the write access of access right SRM_SIV_TASKS or SRM_WORK.
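The two cases above can be checked across many users during an access review. The following is an added example, not SAP code: it audits a constructed list of user records whose field names (`role_restricted_views`, `assigned_views`, `write_access`) are hypothetical and do not reflect a real SAP Business ByDesign export format.

```python
# Added example: flag users affected by Case 1 or Case 2 of this article.
# The record layout below is an assumption, not an SAP export format.
RESTRICTED_VIEWS = {"SRM_INVOICESANDCREDITMEMOS", "SRM_INVOICEENTRY"}
BYPASS_RIGHTS = {"SRM_SIV_TASKS", "SRM_WORK"}

# Constructed sample data for illustration only.
USERS = [
    {"user": "USER01", "role_restricted_views": sorted(RESTRICTED_VIEWS),
     "assigned_views": [], "write_access": []},
    {"user": "USER02", "role_restricted_views": sorted(RESTRICTED_VIEWS),
     "assigned_views": sorted(RESTRICTED_VIEWS), "write_access": ["SRM_WORK"]},
    {"user": "USER03", "role_restricted_views": sorted(RESTRICTED_VIEWS),
     "assigned_views": sorted(RESTRICTED_VIEWS), "write_access": []},
    {"user": "USER04", "role_restricted_views": sorted(RESTRICTED_VIEWS),
     "assigned_views": ["SRM_INVOICEENTRY"], "write_access": ["SRM_SIV_TASKS"]},
]


def audit_user(rec):
    """Return a list of (case, details) findings for one user record."""
    findings = []
    # Case 1: the role restricts a view that is not assigned to the user,
    # so the restriction does not take effect.
    restricted = RESTRICTED_VIEWS & set(rec["role_restricted_views"])
    missing = sorted(restricted - set(rec["assigned_views"]))
    if missing:
        findings.append(("case1", missing))
    # Case 2: write access on SRM_SIV_TASKS or SRM_WORK still allows
    # the user to create supplier invoices.
    bypass = sorted(BYPASS_RIGHTS & set(rec["write_access"]))
    if bypass:
        findings.append(("case2", bypass))
    return findings


def audit(users):
    """Map user ID to findings, omitting users with no findings."""
    results = {}
    for rec in users:
        findings = audit_user(rec)
        if findings:
            results[rec["user"]] = findings
    return results


if __name__ == "__main__":
    for user, findings in audit(USERS).items():
        for case, details in findings:
            print(f"{user}: {case}: {', '.join(details)}")
```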
Keywords
Access Rights, Supplier Invoice, Restricted Access, Invoice Creation, SRM_SIV_TASKS, SRM_WORK, SRM_INVOICESANDCREDITMEMOS, SRM_INVOICEENTRY, KBA, SRD-CC-IAM, Identity & Access Management, SRD-SRM-SI, Supplier Invoicing, Problem
SAP Knowledge Base Article - Public