How to Restrict Access to EWM RF Transactions

Tushar Shukla, SAP EWM Consultant, Bristlecone

Warehouse operators use EWM RF transactions to perform daily warehouse operations – picking, packing, putaway, physical inventory counting, etc. – and enable real-time handling and visibility.

EWM RF transactions can be accessed in SAP by navigating the EWM RF menu or by using a short access code. An EWM RF menu consists of sub-menu items and/or RF logical transactions. Access control of EWM RF transactions is required for several reasons, including:

  • Security and GRC Policy
  • Assigning the Right RF Transaction to the Right People







Transaction Codes and EWM RF Transactions – What’s the Difference?
SAP transaction codes are created through SE93 transactions, whereas logical transactions are made through SAP RF configuration.

Restricting Access to EWM RF Transactions
These are the options for those who need to restrict access to RF transactions by different user groups, such as Inbound, Outbound, Internal, etc.

1. EWM RF Configuration: Create a separate menu for each group of users and assign these different menus to dedicated groups of users. An example follows.

2. Authorization Object /SCWM/RFLT: This is an alternative to creating separate RF menus and assigning them to different user groups. A single RF menu is usually created with all available RF transactions, but authorization control is necessary to access the RF transaction. There are various reasons why warehouse operations may select this option –

  • Warehouse operators are hired temporarily
  • Simplifying the training document
  • Need to automate the access control through SAP authorization roles – for example, a warehouse operator working in inbound logistics should not be allowed to handle outbound logistics transactions

Authorization Object /SCWM/RFLT in SAP
SAP provides authorization object /SCWM/RFLT. This authorization is checked when you call a logical transaction from the menu, or a logical transaction is called from another logical transaction. The authority check on object /SCWM/RFLT is technically executed in method /SCWM/CL_RF_BLL_SRVC=>START_LTRANS.

How to restrict user access to specific logical transactions:

  • Create a separate role for each different set of users
  • Assign the permitted RF logical transactions to Field /SCWM/RFLT of authorization object /SCWM/RFLT







/SCWM/RFLT Authorization Object

A single RF menu and access control via RF logical transaction authorization provide various benefits:

  • Access control automation can be assigned during the creation of a new role for a warehouse worker
  • Reduces the effort to maintain the EWM RF master data and assign to new warehouse operators
  • Single RF menu simplifies the creation of training content