Authorisation group

Similar Messages

• Can I filter search by authorisation group?

  We have 5 sales orgs e.g. Z001, Z002, Z003, Z004, Z005. Each employee belongs to one sales org only. When the user searches on accounts I want to filter the search by the sales org the employee belongs to.
  To test this I maintained the business partners and assigned the authorisation group Z001 to 5 of our customers in one sales org. I have also assigned the authorisation group Z002 to 5 of our customers in another sales org that I do not want displayed. For others I have left empty. I did this because it is not a practical solution for us to maintain an authorization group for every customer.
  In transaction PFCG I have maintained the authorization group B_BUPA_GRP with the entry Z001 as this is the sales org I want displayed for this role.
  When I search for the customers (with no search criteria) it does not appear to do any filtering at all as more than 5 records were found, which is not correct.
  When I run the trace (ST01) I find that for the 5 customers that have the authorization group Z001, it is allowed. This is correct. For the 5 customers with authorization group Z002, it is not allowed. This is correct. However for the customers without any authorisation group assigned it is allowed. This is not correct.
  How is it possible to not display customers without an authorisation group?
  Regards
  Declan

  Well Declan..you have to note this thing before going for this solution.
  The field you want to add as a hidden search parameter , should not be available on UI.
  Otherwise controlling the user will be very difficult.(Nevertheless, you can achieve it, but have to take lot of pains.)
  For example if you want to display partners belonging to a particular country say 'US',then add a record to GT_HIDDEN_PARAMETERS.
  DATA: ls_params   TYPE genilt_selection_parameter.
      ls_params-attr_name = 'COUNTRY'.
      ls_params-sign      = 'I'.
      ls_params-option    = 'EQ'.
      ls_params-low      = 'US'.
      APPEND ls_params TO gt_hidden_parameters.
  Implement this code in EH_ONSEARCH and then call super class. Standard code by default reads this gt_hidden_parameters.
  This is proprietary to BP_HEAD_SEARCH Component. If you have to implement this for some other componet then you should create an attribute gt_hidden_parameters and then read this internal table manually and manipulate the search criteria as is being done in standard code of method EH_ONSEARCH of BP_HEAD_SEARCH/SearchHelp.
  As I mentioned earlier COUNTRY attribute should not be available on UI.
  If Country was  available on UI, then imagine a case if user enters 'UK' as country and you have hard-coded inside to get only 'US'
  Then the result list have partners of 'US' despite user entering 'UK'. I mean to say the hidden parameters should not be available on UI.
  This way you can any valid hidden attributes by looking at the search object of the serach page in Model Browser.
  Cheers,
  Masood Imrani S.

• How to create cutom authorisation group for custom table?

  Hi,
  I created once custom table.
  i want to allow only some users to create entries.
  how can i achieve this?
  if with creation of z authorisation group tell me procedure
  thanks in advance.

  Hi,
     See to this link it may help you.
     How to create Authorization group
     Custom Authorization Objects

• Authorisation group and document type

  Dear Experts
  I want our users who are using transaction F.14 to be able to process document type ZF only. I have created a role and in the authorisation object F_BKPF_BLA
  i can see field authorisation group and activity. What value i should put in the authorizatuion group object which will allow me to restrict users to work in document type ZF only
  <removed_by_moderator>
  Edited by: Julius Bussche on Apr 30, 2008 4:53 PM

  Hi All,
  Didnt know whether to start a new post or continue this one.  Basically I have the same problem but I seem to be missing something fundamental (and I think it must be obvious!).
  Dev Team:-
  1) New transaction code created ZF10 by which amongst other things should only process the newly created document type ZF.
  Myself (Security Team):-
  1) All of our document types are defined in OBA7. 
  2) The specific document type is ZF that we want to restrict access to.
  3) In V_TBRG I have defined the custom authorisation group ZDTF against object F_BKPF_BLA.
  4) In SU24 I have defined against the custom transaction code ZF10 the authorisation object F_BKPF_BLA to be inserted with Activity values 01, 02, 03; and Authorisation Group ZDTF.
  5) Create new role and add ZF10 which then populates the auth object and values above.
  What I cant see / understand is how the document type is then restricted to ZF in the role as it isnt defined anywhere that the authorisation group ZDTF only allows access to document type ZF.
  Any help on this will be greatly appreciated.  PS Should I have created a new thread for this ?
  Cheers
  Steve

• Authorisation Group and Reports

  Hi experts,
  I need to maintain a new authorisation group for a new report that I am creating. I know authorisation group can be maintained in the table TPGP and can be assigned from there. But I wanted to know if there is any other way of linking a report to a particular Authorisation group.
  Thanks,
  Kumar

  Hi Max,
  Thanks for the reply. An already created Authorisation group can be assigned in the attributes. But what I wanted to know was to create that authorisation group, Is the only way possible is maintain it in table TPGP or is there any other way?
  Thanks,
  Kumar

• Table authorisation group for a group of user ?

  Hi all,
  Is it possible to give read only authorisation for my ztable to enduser. i dont want to give tcode. Is it possible to do anything in Authorisation group .( normally is use &nc& ) can i create authorisation group and do something in that ? if yes can you people tel me how to do it ?
  thanks,
  Siva

  Hi Neelima,
  Is this the source of ur answer
  http://www.saptechies.com/how-to-assigncreate-authorization-group-for-a-table/
  Stop copying pasting answers from different sources, If u know the answer then only reply
  кu03B1ятu03B9к

• Reasign authorisation group at table maintenance generator

  Hi All,
        I have a table, assigned with authorisation group as &NC&. Now I need to change to authorisation group created newly.
  If i change with newly created authorisation group in table maintenance generator level.
  My Qus:1. Need to generate the table maintenance generator for this again.
  2. Will it affect the users assigned to authorisation group.
  3. Wht i need to do to change this, and wht are its effects if i change the authorisation group.

  Hi,
  If the user is not assigned for the role he has to be assigned for that role.
  one role is assigned to authorization group.
  basis consultants will add the role of that group to that particular user.
  otherwise he cant change the entries of the table.
  so consult basis consultant for security role assignment.
  Thanks
  Parvathi

• Material Authorisation group - Reg

  Dear ,
  Plz explain the purpose of  Material Authorisation group ( MM01- Basic data-1) , is there any customising required , Where its been used.
  Regards,
  Suresh

  Hi Suresh,
  following info. will helps you to better understand of your requirement:
  Maintain Authorizations and Authorization Profiles
  In this IMG activity, you can:
  a. Check the authorization objects defined for individual material master functions in the standard system, and create or change authorizations for these objects
  b. Check the authorization profiles defined in the standard system, and create new ones as required
  Note
  I
  t is not possible to change the existing SAP-defined authorization profiles in the standard system.
  The following list shows which authorization objects are checked for each material master function.
  Functions... Authorization object
  Create, display, change 
  M_MATE_BUK--> Company code --->  material display.
  M_MATE_MAN (Data at client level)
  M_MATE_MAR (Material type)
  M_MATE_MAT (Material)
  M_MATE_MEX (Foreign trade)
  M_MATE_MZP (Customs tariff pref. data)
  M_MATE_NEU (Create)
  M_MATE_STA (Maintenance status)
  M_MATE_VKO (Sales org./distr. channel)
  M_MATE_WGR (Material group)
  M_MATE_WRK (Plant)
  Change material type 
  M_MATE_MAR (Material type)
  M_MATE_MAT (Material)
  M_MATE_STA (Maintenance status)
  M_MATE_WGR (Material group)
  Flag for deletion 
  M_MATE_BUK (Company code)
  M_MATE_MAN (Data at client level)
  M_MATE_MAR (Material type)
  M_MATE_MAT (Material)
  M_MATE_STA (Maintenance status)
  M_MATE_VKO (Sales org./distr. channel)
  M_MATE_WGR (Material group)
  M_MATE_WRK (Plant)
  Close period, allow posting to previous period 
  M_MATE_PER (Period closing program)
  In the standard system, authorizations are defined for all authorization objects in the material master. In the standard system, the authorization profile containing all maintenance authorizations for the material master is M_MATE_ALL. The authorizations in this profile allow data to be maintained and displayed for all organization units.
  In this step, you can create roles and use the profile generator to generate authorization profiles.
  Hope this piece of info. will help you.
  Cheers
  Manoj

• Campaign creation  with authorisation group in crm_mktpl

  Hi ,
  Can anyone suggest me how to create a campaign in the marketing planner with an authorization given to it.
  Whether I need to configure any authorization group inorder to display that particular authorization group in the marketing planner in the Tab field Basic data Authorisation group List box.
  Please say the procedure how to maintain it.
  Thanks in Advance.
  Priya

  Hi Priya,
  If you want to use the authorization groups to restrict access to campaigns, follow these steps
  1. Define the authorization groups in
  IMG->Customer Relationship Management->Marketing->Marketing Planning and Campaign Management->General settings->Define Authorization Group
  2. Use these values in the "Authorization Group" field of the "Basic Data" tab in Marketing planner.
  3. Create a role and use the authorization object CRM_CPGAGR to restrict access to certain authorization groups for the user
  This should help you to restrict the access to campaign based on the authorization groups.
  Prakash
  Assign points if this helps.

• Authorisation Group in transaction CV01N

  Greetings,
  I have created a new document type (AER) and status network.
  I am now trying to create a new DIR to test my new document type.
  In transaction CV01N on the Document Data tab - for the Authorisation Group field there is no value to select on the dropdown menu (it is blank) and I cannot proceed because this is a required field.
  I have looked at other document types and I see that there are two choices when it comes to Authorisation Group i.e. "Management Restricted" and "Company Restricted".
  Please advise on what I have to do to enable the selection choice of "Management Restricted" and "Company Restricted" in the Authorisation Group dropdown menu when I try and create a new AER DIR.
  Regards,
  Keith
  Edited by: Keith Kibuuka on Feb 15, 2010 12:40 PM

  Dear Keith
  In transaction CV01N on the Document Data tab - for the Authorisation Group field there is no value to select on the dropdown menu (it is blank)
  It'll not show. It's SAP standard feature.
  and I cannot proceed because this is a required field.
  Because in DC10, for Document type AER you have set, Authorization Group as Required Field ( Double click on AER document type in DC10, you can see your configuration for details of your configuration )
  Just Follow the steps mentioned below:
  1. Decide whether you want to set Authorization group mandatory field or optional.
  2. If you decide to make mandatory/ optional, then In DC10, for Document type AER you configure, Authorization Group according your decision/ requirement
  3. Next in PFCG , Go to Authorizations tab & change authorization data. Under Document management define/ enter the Authorization code of your choice ( maximum 4 chars ) in C_DRAW_BGR  object. Then define your document type in C_DRAW_DOK object. Save & assign this role to the user whom you want to give access. ( The user must remember this authorization code, as there is no F4 help for authorization group field in CV01N )
  4. Now in CV01N, create the DIR with doc type AER, enter the authorization code you defined in PFCG.
  That's all. You are done.
  Good luck
  Amaresh Makal

• Authorisation Groups and SQL Queries

  I want to give some employees access to certain SQL queries in SAP1.
  I've created a Category Name and have ticked the Authorisation Group 1. Within this Category I've saved my queries that I want users to access.
  I've then gone to Authorisations, General Authorisations, Selected the Employee, then Reports, Query Generator, and then allowed full authorisation to Saved Queries Group No. 1 and Read Only rights to Query Manager.
  When user goes to Tools Queries, and selects Category name and any SQL query therein, cannot open.
  I've tried allowing them full authorisation to Query Manager but this gives users access to ALL queries.
  Any thoughts anyone?
  D

  Where is your Query Manager Authorisation ? I could only find Query Generator.  If the same apply to you, then you don't need to assign any right to this category but only the selected group to full. Query Generator Authorisation will automatically become Various Authorisation.
  Thanks,
  Gordon

• OB52 authorisation group (close&open posting periods only for partic users

  Dear FI-CO Guru's
  In ob52- I want open postin periods
  1)Certain group of user will allow for posting only normal periods
  and
  2) Certain group of users will allow for posting normal and special periods
  this is our business requirement kindly suggest how can I maintain
  Regards
  GuruPrsad

  Hi Guru,
  If only a limited set of users is to be able to post in a particular
  posting period, proceed as follows:
  Add the posting period authorization (authorization object
  F_BKPF_BUP) to the authorizations of the selected users. Assign an
  authorization group (e.g. '0001').
  Enter the account type '+' for the posting period variant to which
  the restriction is to apply. Enter the period(s) whose use is to be restricted in the first period, those which are available to all
  users in the second period, and the authorization group (e.g.
  '0001') in the last column.
  For this you need to consult with Basis people authorization matrix.
  Regards,
  Teja

• Authorisation group and Material group

  Hi Guys,
                When a user create a PO, The material group assigned to Authorization group, is allowing the user user to create PO, whose role is not assigned to the authorization group.
  I am looking for solution, to restrict user from creating PO, whose role is not assigned to authorization group.
  Is there any user exit available to solve this issue.
  Thanks

  HI,
  In PR and PO transaction, there is no authorization object that check
  the material group.
  Only the following objects are checked in ME21N :
  M_BEST_BSA
  M_BEST_EKG
  M_BEST_EKO
  M_BEST_WRK
  To fulfill your requirement, you could consider the following
  suggestions :
  - in txn ME21n and Me51n , enter the value of the material group under
    personal setting. (in txn ME21n, click on personal setting, select
    default value   > PO item, fill in the corresponding material group
    click on always propose)
  - in the customization of purchasing (spro  > material management   >
    purchasing   > Purchase order   > Define screen layout at document
    level , select field selection akth and akte and aktv, double click
    on basic data, item. for field material group, select display only
    instead of optional!
  With the above setting, the material group will always defaulted for
  users and the screen will be grey off, do not allow user to change it.
  The only setback of this suggestion is you will have to setup personal
  setting for every new user.
  If you want only restricted GroupS to be displayed as defined in a role,
  there is no workaround in the standard design. To achieve this, you
  have to modify the standard coding and add an extra authority check for
  your authorization object (eg; Z_BEST_WGR). The standard program, in
  which the authorization check for the PO position takes place is
  "MM06EF0B_Berechtigungen_Kopf".
  The attached OSS note 20534 will explain in detail, how the
  authorization check works and also provides an example of the necessary
  coding to implement the authorization check for your own authorization
  object:
  EXAMPLE :
    authority-check object 'F_KNA1_BUK'
         id 'BUKRS' field '01'
         id 'ACTVT' field '03'.
    if sy-subrc <> 0.
      message e...   "Nicht berechtigt um ...
    endif.
  BUT please take into account, that ANY changes to the standard coding is
  a modification.
  There´s no user exit available.
  I hope this helps!
  Best Regards,
  Arminda Jack

• Assign posting periods to authorization group in tcode S_ARL_87003642

  Hello,
  I want to restrict posting periods for some users. Therefore, I have created 2 functions associated to 2 authorization groups.
  In transaction S_ARL_87003642, when I try to assign different posting periods to each authorization group to the same company code (Posting Period Variant) it appears a message saying u2018Target key must be different from source keyu2019.
  What am I doing wrong? Do you know how can I restrict posting periods for some users?
  Thanks and regards
  Ana Rita

  Dear,
  You simply have to define authorisation groups in OB52 and assign this group to F_bkpf_bup in SU01 against user proflie as desired. Take basis help.
  Regards

• Authroisation group in posting periods

  Dear Sapians,
  Kindly help me in this issue
  I have an authorisation group in open and closed posting periods(OB52), so that i am maintaining posting periods in INterval 1 as from 09 to 09 which is applicable for  authorisation grouo users. in inerval 2 i am maintaining posting periods as 10 to 10 which is applicable for all, that means who doesnt contains the authorisation group.
  But here the problem is the user who dont have an authorisation group is able to post in posting period 09.
  kindly look in to this issue, it is very  important for me.
  And the user who is posting 9 th period can only post to some g/l accounts.
  regards
  T N R

  Dear TNR,
  Can you please list out the transactions which you are using, this because the object F_BKPF_BUP does not selected by all the transactions while executing the object is selected only for few transactions below.
  AB01
  ABCO
  AW01
  AW01N
  F.80
  F.81
  FB05_OLD
  FB09D
  FB15
  FB1S
  FB21
  FB41
  FBA7_OLD
  FBA8_OLD
  FBB1
  FBL4
  FBRA
  FBRC
  FBU8
  FBWD
  FBWE
  FOMZ
  GB01
  GB06
  GB11
  GB16
  GJGB
  GJGP
  GP12
  GP13
  WLFN
  Regards,
  SANDEEP