Assigning of authorization object to authorization group

Similar Messages

• Define and assign user authorization groups in FI

  Hi All,
  In order to allow some specific group of users to post in AUGR allowed periods, how do I define and assign user authorization groups in FI?
  Thanks,
  Teo

  Hi Teo,
  Here i am giving some authorisations in fi
  F_AVIK_BUK FI Payment Advice: Authorization for Company Codes
  F_BKPF_BED FI Accounting Document: Account Authorization for Customers
  F_BKPF_BEK FI Accounting Document: Account Authorization for Vendors
  F_BKPF_BES FI Accounting Document: Account Authorization for G/L Accounts
  F_BKPF_BLA FI Accounting Document: Authorization for Document Types
  F_BKPF_BUK FI Accounting Document: Authorization for Company Codes
  F_BKPF_BUP FI Accounting Document: Authorization for Posting Periods
  F_BKPF_GSB FI Accounting Document: Authorization for Business Areas
  F_BKPF_KOA FI Accounting Document: Authorization for Account Types
  F_BKPF_VW FI Acc. Document: Change/Display Default Vals for Doc.Type/PKey
  F_BL_BANK FI Authorization for House Banks and Payment Methods
  F_BNKA_BUK FI Banks: Authorization for Company Codes
  I hope it will help.
  BR,
  Satya

• SE54: Assigning an authorization group to table &SM31&

  Has anyone out there tried to assign an authorization group to the symbolic table &SM31& in transaction SE54?
  Any success in using it?
  Cheers,
  Julius

  Thanks Bernhard!
  > But what I did find was [SAP Note 42563|https://service.sap.com/sap/support/notes/42563] .
  > ...-->it's from 1997....!!
  Note that the SM31 refered to in the note is not the SM31 we know today. It looks like SAP renamed it to SM31_OLD and replaced by a new SM31 (and the current settings option). The alternative having been changing miles of code, this seems reasonable but can be confusing (release dependently).
  > Don't know if this is still used, as the check is in Rep.s SAPMSTBM, which is used in TX SM31_OLD, SM32, SM33 only.....
  My rule of thumb is: If something is possible, then someone out there is either already doing it, or still doing it...
  Cheers,
  Julius

• ASSIGN AN AUTHORIZATION GROUP TO MANY TABLE

  Hello,
  I have several hundreds table to assgin an authorization group zaut.
  Is there any easy way to do it?
  I do not want to go se54 and change all table authorization group one by one.
  Please help.
  Thanks,
  Jeongbae

  Use Tcode SM30V_DDAT to assign the Authorization Group to multiple tables.
  Regards,
  Naimesh Patel

• Assigning the Authorization group to particular transaction code

  Hi,
    How do we Assign the Aughorization group to particular Transaction code with authorization object. Is there any transaction code ?
  if anyone know, please let me know.
  With Regards,
  Prasad.

  The Tcode is tied to a Program & you can assign the Program to an Authorization Group via its attributes. I don't think there is an option to directly attach a Tcode to an Authn Group.
  ~Suresh

• Authorization group restriction

  Hi ,
  I would like to know how to restrict authorization group FCAR and FCAP.We could see it is related to F_BKPF_BES object .It seems the same authorization object should be given the following access
  --display access for documents asigned to authorization group FCAP
  --should not allow display for documents assigned to authorization group FCAR
  If we restrict using FCAP (displays access)the second condition works fine but the first one it displays line items only for G/L accounts.Vendor line items does not get displayed.
  Please let me know your thoughts on this.

  Hi Mekha,
  You can add another object F_BKPF_BES manually and in the first one give
  display access for documents asigned to authorization group FCAP  and in another no display for documents assigned to Auth group FCAR
  **Reward points accordingly
  Junaid

• Check available authorization groups

  Hi ,
  if a custom table needs to be assigned to an authorization group in SAP.
  Which is the transaction to check users assigned to an authorization group?
  Currently i have an idea that Assigning and Creating authorization groups are dealt in SE54 but i cannot find a way to check
  whether users are assigned to an authorization group...!!!
  thanks
  kritika

  Checking Assignment of Authorization Groups to Tables:
  You can also assign authorization groups to tables to avoid users accessing tables using general access tools (such as transaction SE16). A user requires not only authorization to execute the tool, but must also have authorization to be permitted to access tables with the relevant group assignments. For this case, we deliver tables with predefined assignments to authorization groups. The assignments are defined in table TDDAT; the checked authorization object is S_TABU_DIS.
  You can assign a table to authorization group Z000. (Use transaction SM30 for table TDDAT) A user that wants to access this table must have authorization object S_TABU_DIS in his or her profile with the value Z000 in the field DICBERCLS (authorization group for ABAP Dictionary objects).
  See also:
  ·        SAP Notes 7642, 20534, 23342, 33154, and 67766
  ·        Documentation for RSCSAUTH
  Hope this helps.... if not check the following link
  If you still don't find, search google 'table authorization groups in sap' - There are good info on web.
  You can assign the authorization group to any custom table via SE11 - table - display - utilities - assign authorization group and rest follow the sap help (where to maintain and how to assign) .This is a developer and security persons work.

• Abap report attributes : Authorization group

  Hello,
  I would like to know if there is an enhancement to force the developer to assign an authorization group to the new created abap report, when filling the attributes
  Thank you by advance
  Philippe

  Hello,
  Thank you all for your answers.
  In both FUNCTIONs , EXIT_SAPDSAHD_010 (include ZXSEUU09) and
  EXIT_SAPLSEDTATTR_010 (include ZXSEUU20), I inserted a break <sy-uname>.
  When creating a new abap report (i.e. a local object), I reach only the
  break in include ZXSEUU20, and never after having filled up the program
  attributes popup, always before.
  My initial goal was to force the developer to enter a value in the authorization
  group.
  Do you have an idea of what is going wrong or is it the normal behaviour?
  Thank you,
  Philippe

• Authorization Group in se38

  Hi everybody,
  what is the use of Authorization group in se38 attribute? can we create and assign our own one?
  The actual scenerio which i am facing here is My report should not be viewed by some grop of  users. My friend is saying i can do that through the above said one. But i know i can do that using AUTHORITY-CHEK.  What i am asking here is can i accomplish this task by the above said attributes.
  Points will be awarded.
  Thanx in advance.
  Gladiator

  Hi,
  Authorization Checks
  To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.
  The following actions are subject to authorization checks that are performed before the start of a program or table maintenance and which the SAP applications cannot avoid:
  ·Starting SAP transactions (authorization object S_TCODE)
  Starting reports (authorization object S_PROGRAM)
  Calling RFC function modules (authorization object S_RFC)
  Table maintenance with generic tools (S_TABU_DIS)
  Checking at Program Level with AUTHORITY-CHECK
  Applications use the ABAP statement AUTHORITY-CHECK, which is inserted in the source code of the program, to check whether users have the appropriate authorization and whether these authorizations are suitably defined; that is, whether the user administrator has assigned the values required for the fields by the programmer. In this way, you can also protect transactions that are called indirectly by other programs.
  AUTHORITY-CHECK searches profiles specified in the user master record to see whether the user has authorization for the authorization object specified in the AUTHORITY-CHECK. If one of the authorizations found matches the required values, the check is successful.
  The access protection system must ensure that only authorized individuals have access to the system and to particular data. For achieving precise application security concerning authorization and to protect confidential data against unauthorized access it is very important to focus on the use of authorization groups.
  The authorization group allows extended authorization protection for particular objects. The authorization groups are freely definable. They usually occur in authorization objects together with an activity.
  The table that contains all authorization objects is TOBJ.
  The table that contains all activities is TACT.
  The table that contains definition of all authorization groups is TBRG.
  TBRG -- Contains all authorization groups and gives information about relation between authorization object and authorization group. The description of the authorization groups is defined in table TBRGT.
  The field name for authorization group -- BRGRU -- is used to make additional restrictions on authorizations /e.g. for document maintenance/. In authorization objects and authorization checks, there are fields which are checked to verify user authorizations. Customizing objects are combined in authorization groups, and the authorization group is one of the two authorization fields, for example, in authorization object S_TABU_DIS which is in the object class BC_A (Basis - Administration). This object is for displaying or maintaining tables. It controls access using the standard table maintenance tool (transaction SM31), enhanced table maintenance (SM30) or the Data Browser (SE16), including access in Customizing.
  Authorization object S_TABU_DIS has the following fields: DICBERCLS - Authorization group, maximum field length is four characters; and ACTVT - Activity (02: Add, change or delete table entries, 03: Only display table contents).
  Generally, SAP standard tables are assigned to authorization groups. These assignments can be changed. You can then assign tables manually to a suitable authorization group. To do this, start Transaction SM30 for maintenance view V_DDAT, and create an entry for each of these tables. In V_DDAT is stored the assignment of Tables/Views to Authorization Groups. V_DDAT is cross-client; therefore, it can be viewed and used in all clients.
  Note: If you don't make a selection, all tables maintained in Customizing transactions are assigned to authorization groups.
  Reward If Helpfull,
  Naresh.

• Authorization Group in T-Code: OB52

  Hi,
  I need to maintain 2 Auth. Group in T-Code: OB52, my requirment is below:
  for some users (nearly 25) needs to post the transaction in June Month and for some users (nearly 10)should have to post for selected GL in the month of June.
  So we decide to create two roles and assign the Auth Group in F_BKPF_BUP Auth. group. But i need to know whether the system will allow to assign two Auth. Group for one Company code (ie., 2 Auth. Group and all common users)
  Please revert ASAP.
  Regards
  JS

  The help on AuGr field in OB52 is good.  Here it is
  Authorization Group
  The authorization group allows extended authorization protection for particular objects. The authorization groups are freely definable. The authorization groups usually occur in authorization objects together with an activity.
  Use
  A posting period can be made available to only a limited set of users using the authorization group.
  Procedure
  If only a limited set of users is to be able to post in a particular posting period, proceed as follows:
  Add the posting period authorization (authorization object F_BKPF_BUP) to the authorizations of the selected users. Assign an authorization group (e.g. '0001').
  Enter the account type '+' for the posting period variant to which the restriction is to apply. Enter the period(s) whose use is to be restricted in the first period, those which are available to all users in the second period, and the authorization group (e.g. '0001') in the last column.
  Examples
  A posting period can be successively restricted. If, e.g. 10 users have the posting period authorization with authorization group '0001', and 3 of these 10 users also with authorization group '0002'.
  If the period is only to be accessible to the 10 selected users the authorization group '0001' is entered in the posting period variant. Access can later be restricted to the remaining 3 users by entering '0002'.
  I guess your requirement can very well be met, as explained in the example above.  Also implement the following SAP Note to be able to assign the authorization group at document header level (account type '+') and at line item level in Transaction OB52.
  https://service.sap.com/sap/support/notes/891505
  Srikanth
  PS: I have seen in a reply above that AuGr controls only special periods, which is not a correct statement.  AuGr controls postings in the period specified in From per.1/Year To period/Year in OB52.

• What is authorization group?

  Hi all,
  Can anyone tell me what is authorization group? I always come across this when I am inside pfcg and look into the authorization object.
  I know that authorization object groups authorization fields together. And authorization is an instance of authorization object. But how does authorization group fit into this model?
  I have read parts of the help manual that mention auth. group is used to manage Z tables, but they never mention the above relationship.
  Thanks.

  HI Jockey,
  The access protection system must ensure that only authorized individuals have access to the system and to particular data. For achieving precise application security concerning authorization and to protect confidential data against unauthorized access it is very important to focus on the use of authorization groups.
  The authorization group allows extended authorization protection for particular objects. The authorization groups are freely definable. They usually occur in authorization objects together with an activity.
  The table that contains all authorization objects is TOBJ.
  The table that contains all activities is TACT.
  The table that contains definition of all authorization groups is TBRG.
  TBRG -- Contains all authorization groups and gives information about relation between authorization object and authorization group. The description of the authorization groups is defined in table TBRGT.
  The field name for authorization group -- BRGRU -- is used to make additional restrictions on authorizations /e.g. for document maintenance/. In authorization objects and authorization checks, there are fields which are checked to verify user authorizations. Customizing objects are combined in authorization groups, and the authorization group is one of the two authorization fields, for example, in authorization object S_TABU_DIS which is in the object class BC_A (Basis - Administration). This object is for displaying or maintaining tables. It controls access using the standard table maintenance tool (transaction SM31), enhanced table maintenance (SM30) or the Data Browser (SE16), including access in Customizing.
  Authorization object S_TABU_DIS has the following fields: DICBERCLS - Authorization group, maximum field length is four characters; and ACTVT - Activity (02: Add, change or delete table entries, 03: Only display table contents).
  Generally, SAP standard tables are assigned to authorization groups. These assignments can be changed. You can then assign tables manually to a suitable authorization group. To do this, start Transaction SM30 for maintenance view V_DDAT, and create an entry for each of these tables. In V_DDAT is stored the assignment of Tables/Views to Authorization Groups. V_DDAT is cross-client; therefore, it can be viewed and used in all clients.
  Note: If you don't make a selection, all tables maintained in Customizing transactions are assigned to authorization groups.
  Check these links too..
  http://help.sap.com/saphelp_crm50/helpdata/en/52/671285439b11d1896f0000e8322d00/frameset.htm
  http://help.sap.com/saphelp_nw04s/helpdata/en/52/67129f439b11d1896f0000e8322d00/frameset.htm
  http://www.sap4.com/contentid-39.html
  Thanks,
  Susmitha
  Dont forget to reward points for useful answers.
  Message was edited by: Susmitha Thomas

• AUTHORIZATION GROUP IN BP

  Hi All,
  Morning I posted this question. I wanted to know what is the use of the field authorization group in control tab of BP.
  I knw how to give value but what is the importance
  Thanx
  SARAVANA

  Hi Redek,
  Thanx for ur answer. I hv created the role and in that screen there is a tab like menu if i go to that menu there I can assign to that rle what will be the functionality by clicking on sap menu. second thing if I go to the authorization tab of role screen there I can choose the manual data by clicking on change authorization data and assign the user.
  Lets say I had created an role as sales manager. If I create an bp as a person and role how can I assign the role to that bp and what is the use of that field authorization group in control tab of bp.
  If I supposed to assign the authorization group in that how can I do this?
  Thanx
  Saravana

• Assigning Authorization group to ZTcode

  Hi All,
  I have created one Authorization group to one Zprogram by running the program RSCSAUTH and want to assign it to custom ZTcode.
  But if we go to SE93 there it asking Authorization object, wt is Auth.object and how can i assign Auth.group to ZTcode.
  Anybody help me in this....
  Balu.
  Edited by: Bala Chandar on Sep 2, 2008 4:46 PM
  Edited by: Bala Chandar on Sep 2, 2008 5:01 PM

  How can i create a role and assign Auth.object to it using PFCG tcode, can u explain in detail plz..
  We can create Auth.object from SU21.than assign Auth.object  to specific role which can be maintain with PFCG.Often we need not to create many roles as SAP already provide Roles we just need to use them and assign to our Authorization obj which created by SU21
  For more help just go thru SAP help which is already there for PFCG just press Ctrl+F3 in PFCG.
  Amit.

• Association of authorization group with authorization object

  Dear Colleagues,
  We are using ECC 6.0 system. There is a transaction EMMAC2 where in the user would pick the case categories & view/make changes as required in the cases.
  However, we would like to have a user to pick only those case categories for which he/she is authorized & view/change the data.
  This EMMAC2 is controlled by authorization object B_EMMA_CAS & this authorization object has field BRGRU (Authorization Group) along with ACTVT (activity).
  We would like to control this via authorization groups
  We would like to create authorizations groups based on case categories & those authorization groups would be assigned in this BRGRU field.
  Meaning, the end result should be such that, when that new authorization group is added in BRGRU field & that role is assigned to an end user, the user should be able to see data only for those case categories for which the new authorization group has been created
  If I use SE54 to create authorization group, it automatically associates itself with authorization object S_TABU_DIS & this does not solve my purpose.
  But we would like to create a new authorization group & associate it with authorization object B_EMMA_CAS.
  Can someone please let me know the steps on how to achieve it or any other method to achieve it(for above underlined text)?
  Does a developer or functional consultant also need to be involved in this?
  PS: I tried to search in Google & our forums but could not get any answers

  Dear Aninda,
  Thanks for the help.
  I created an auth group via SE16 in table TBRG & associated to B_EMMA_CAS
  A case category was then assigned to this auth group
  We tested it - below are the results:-
  1. The user is allowed to 'change' and 'display' the case for the case category for which the user is authorized: this works as per requirement.
  2. The user is not allowed to 'change' case for the case category for which the user is not authorized: this works as per requirement.
  3. However, he is able to 'display' cases for the case category for which the user is not authorized: this we do not want.
  If I remove activty 03 (display), then the user is unable to display the case for the case category for which the user is  authorized.
  How to resolve this?

• Authorization group in Z-Table and user assignment

  Hello,
  I have created Z table which stores sensitive data and have created maintenance view. I want particular users only to have change access to this table through SM30 and for that I have created my own autorization group. Now my question is: How I can assign user names to this authorization group? how does it work? Is this through Role assignment to user profile? I dont have any basis support help for me for this task and hence trying to do it myself in sandbox system.
  Since this is not my domain step by step help will be appreciated.
  Thanks.
  Agasti..

  HI,
  useful link
  http://www.richardsantos.net/2009/03/16/sap-how-to-create-and-use-the-authorization-objects-in-abap/
  Thanks
  Sudheer