Authorization group/Authorization object
Hello Friends,
I have a situation where one site accountant is posting on other sites' cost.
So if we restrict the user from posting to other WBS which is not his site, this will sort out the problem.
Please advise what to do in this case.
Thanks.
Sunil.
Hi,
Quite so... What is your requirement then? Do you want this restriction or not? And if you want it, how do you expect someone to post cross-site?
Regards,
Eli
Similar Messages
-
Where we check the authorization group & authorization object?
Hi all,
I have a std program & tcode like fb03. Now I want to know the authorization group & authorization object. So where will we check?
Help me.
Thanks.
Vipin
Hi,
Use transaction SU21 & SU22 for Auth Objects & Class -
I'm trying to restrict material creation by material type, but with no positive results.
First I created an authorization group via SE54 and then assigned it to the material type via T134. Then I added the authorization group in object M_MATE_MAR to the role, but this didn't work.
I appreciate your help!
Thanks in advance.
Rosina Fernandez
Hi Rosina,
Just to clarify, do you want the role in question to only allow creation of material of type "WERB" in group "ZMM1" and no other material types?
If so, the other material types also need to be added to an authorisation group. If no authorisation group is assigned to a material type, that material type will not be checked for M_MATE_MAR access.
I.e. assign material types that shouldn't be created by this role in group ZMM0 and provide access to this group in roles that should be allowed.
Hope this makes sense.
John. -
Assigning of authorization object to authorization group
I have created an authorization object and I have assigned this to an already existing authorization group. I would like to assign the authorization object to a new authorization group. Please confirm how to create an authorization group and how to assign an authorization object to this new authorization group.
Hi,
I have got a PDF related to this.
I shall send that to you if I can get your mail ID.
I too haven't tried this. I don't have any authorizations to do with my server.
Please follow the following steps:
1. Create a user (for example for SAP DEV, TEST, or PRD systems).
2. Open the SAP Profile Generator (transaction PFCG) available in SAP R/3 versions 4.6 and above.
3. Create an Activity group (Role since SAP 4.6C), for example ZBODI_ROLE.
4. Enter a description for the role.
5. Go to the Authorizations tab and click Change authorization data.
6. On the Change Role: Authorizations screen, click the Manually toolbar icon.
7. The Manual Selection of Authorizations window opens.
8. Type in the following authorization objects.
S_ADMI_FCD*
S_BTCH_JOB
S_DEVELOP*
S_DATASET
S_PATH
S_RFC
S_TABU_DIS
S_TCODE
S_RS_ADMWB for SAP BW
9. Click OK
10. Return to the Change Role: Authorizations screen.
11. Manually configure components by entering the values that support Data Integrator operations, including:
Administration
Batch
BW loading
Development
File access
File system access
RFC calls
RFC calls in BW
Table source access
Transactions
12. To complete the security profile, click the Back icon (or press F3), select the User tab, enter your SAP user ID for Data Integrator and click the Save icon.
Regards,
Sailaja. -
Association of authorization group with authorization object
Dear Colleagues,
We are using ECC 6.0 system. There is a transaction EMMAC2 where in the user would pick the case categories & view/make changes as required in the cases.
However, we would like to have a user to pick only those case categories for which he/she is authorized & view/change the data.
This EMMAC2 is controlled by authorization object B_EMMA_CAS & this authorization object has field BRGRU (Authorization Group) along with ACTVT (activity).
We would like to control this via authorization groups
We would like to create authorizations groups based on case categories & those authorization groups would be assigned in this BRGRU field.
Meaning, the end result should be such that, when that new authorization group is added in BRGRU field & that role is assigned to an end user, the user should be able to see data only for those case categories for which the new authorization group has been created
If I use SE54 to create authorization group, it automatically associates itself with authorization object S_TABU_DIS & this does not solve my purpose.
But we would like to create a new authorization group & associate it with authorization object B_EMMA_CAS.
Can someone please let me know the steps on how to achieve it or any other method to achieve it(for above underlined text)?
Does a developer or functional consultant also need to be involved in this?
PS: I tried to search in Google & our forums but could not get any answers
Dear Aninda,
Thanks for the help.
I created an auth group via SE16 in table TBRG & associated to B_EMMA_CAS
A case category was then assigned to this auth group
We tested it - below are the results:-
1. The user is allowed to 'change' and 'display' the case for the case category for which the user is authorized: this works as per requirement.
2. The user is not allowed to 'change' case for the case category for which the user is not authorized: this works as per requirement.
3. However, he is able to 'display' cases for the case category for which the user is not authorized: this we do not want.
If I remove activity 03 (display), then the user is unable to display the case for the case category for which the user is authorized.
How to resolve this? -
Authorization Group for G/L Account
Hi,
What?
- I wish to restrict the 'posting' of a G/L account to be done by certain users only
How?
- What I have done was...
a) From FS00, I have added a free-text (BANK) into the Authorization Group for a G/L account
b) From PFCG, a new role was created to allow these 2 Authorization Objects, F_BKPF_BES and F_SKA1_BES
c) 'BANK' was entered for the Authorization Group for both these 2 Authorization Objects
d) From there, I have assigned this new role to the user that I wish to allow Posting of the G/L account
Problem?
- Other users still can do Posting for this G/L account
- Any steps which I have missed out here or done wrongly?
Thanks,
Brandon
Hi,
Some other roles of the users may override and cause the users to post against this GL account.
Check all the roles relevant for the restricted users.
Use SUIM t-code to find if the auth object mentioned above is included in any other role.
If it is, restrict that again.
Generally if one role has no restriction against this auth and not all, this issue tends to happen.
Regards,
Sridevi -
Restrict Vendor line items display by Vendor authorization group
Hi Gurus,
I have a requirement to restrict Vendor line item display for Tcode FBL1N. I have updated the Authorization object F_LFA1_BEK; it works fine if all the vendors have authorization. However, it also displays vendors whose auth. group is "BLANK" or "SPACE".
Is there a way that I can solve this issue? Are there any SAP notes or other object which needs to be updated?
Hi,
This problem has been discussed on this forum last week. Basically, SAP does not perform authorization check if the authorization group is blank. Hence you need to assign authorization object to all vendors.
Cheers -
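The two behaviours that recur in these threads (a blank authorization group on the master record is not checked, and an unrestricted value in any one of a user's roles is enough to pass) can be reproduced in a small model. This is an added Python example, not SAP code and not something posted by the participants; the role names, users and group values are constructed, and the matching rules are a simplification of the real check.

```python
# Added illustration, not SAP code: a simplified model of an authorization-group check.
# Role names, users, groups and activity values below are constructed sample data.

# role -> authorizations; each is (object, allowed BRGRU values, allowed ACTVT values)
ROLES = {
    "Z_BANK_POSTING": [("F_BKPF_BES", {"BANK"}, {"01", "02", "03"})],
    "Z_FI_GENERAL": [("F_BKPF_BES", {"*"}, {"01", "02", "03"})],
    "Z_FI_DISPLAY": [("F_BKPF_BES", {"AUTH"}, {"03"})],
}
USERS = {
    "KEYUSER": ["Z_BANK_POSTING"],
    "CLERK": ["Z_FI_GENERAL"],
    "VIEWER": ["Z_FI_DISPLAY"],
}


def value_matches(allowed, value):
    """True if value is listed, or covered by '*' or a prefix pattern such as 'BA*'."""
    return any(
        a == value or (a.endswith("*") and value.startswith(a[:-1]))
        for a in allowed
    )


def role_grants(role, obj, group, activity):
    """Both fields must match inside ONE authorization; values are not mixed across them."""
    return any(
        o == obj and value_matches(groups, group) and value_matches(acts, activity)
        for o, groups, acts in ROLES[role]
    )


def is_allowed(user, obj, group, activity):
    """Blank group on the master record: check skipped. Otherwise one granting role is enough."""
    if not group.strip():
        return True
    return any(role_grants(r, obj, group, activity) for r in USERS[user])


def roles_granting(obj, group, activity):
    """Audit helper: every role that lets its holders through for this group and activity."""
    return sorted(r for r in ROLES if role_grants(r, obj, group, activity))


if __name__ == "__main__":
    for user in USERS:
        print(user, is_allowed(user, "F_BKPF_BES", "BANK", "01"))
    print(roles_granting("F_BKPF_BES", "BANK", "01"))
```

Run over a real role export, the `roles_granting` helper answers the same question SUIM is used for in the thread above: which roles, besides the intended one, still let a user through for a given group.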
Authorization group in GL A/C
Hi,
I have a role that has the authorization group in the authorization objects F_BKPF_BES , F_SKA1_BES updated only with 'AUTH' but the same role is also able to access GL accounts with authorization group 'REST'.
I want to restrict the role to access GL Accounts only with authorization group 'AUTH'.
How to do it? Kindly advise.
Thanks.
GL account Authorization
Re: How to create authorization groups for G/L Accounting
Thanks
Javed -
Authorization group in GL A/C using FB01
Hi, We have activated the authorization group in GL A/c. Using the authorization object F_BKPF_BES we were able to create restrictions on other tcodes like F-28. However, when using the "FB01" tcode, the authorization check does not have any effect. I have already checked the authorization in SU24 for FB01 and status is set to YES. I have also created a trace (using ST01) for this transaction but ST01 does not show any authorization trace for F_BKPF_BES.
Hello,
Authorization object F_BKPF_BES should be checked when you run FB01.
In your case, please try to check the following points:
1. Authorization group was assigned to G/L master data correctly.
2. Authorization group was assigned to object F_BKPF_BES correctly.
3. Activity was defined in this object correctly.
4. Role was assigned to user correctly.
5. SAP_ALL authorization was deleted from the user profile.
Note: it is impossible to define the authorization group as ' ' (space) in object F_BKPF_BES;
if ' ' was defined, the system will consider that no setting exists.
Hope the above info could help you to solve this issue.
Best Regards, -
Creation of Authorization group
Hello All,
I have a requirement from FI consultant for creation of new authorization group. This auth. group we want to use in FI objects like F_BKPF_BEK. so that for few end users they should not change any vendor data in FK02.
I have gone through several posts, but not able to get / understand clear steps for creation of auth group and assignment.
One of the post i found is below:
How to create Authorization group
I tried to do a few steps but not in the right direction. Request someone to please suggest me the steps for creation.
Rgds,
Durga.
Julius,
Thanks for the update. As suggested by you, I have inserted one entry of auth group in TBRG table against FI object with SE16.
Now how do we maintain the view of V_TBRG? Is it from SE11? If yes, then I should do this step from ABAP login.
But what i heard is, this activity is purely involved by Basis people.
Please suggest.
Rgds,
Durga. -
Customer Master Data and Line Items Balances Display - Authorization Group
One authorization group was created and assigned to some customer masters in General, Company Code and Sales Areas.
User is restricted to one authorization group. When executing FBL5N, all customer balances are displayed, i.e. including blank authorization group customers. It is not restricted to authorization group customers! Why?
Kindly check the authorization objects assigned in the user profile. You may ask your basis to help you with the authorization.
-
Authorization Group (BEGRU) search help required in Easy DMS
Hi all,
I had defined some value in authorization group (BEGRU) in SAP. When I opened the document using CV01N/CV02N transaction, then F4 help is available to me.
But when I opened the same document via SAP Easy DMS 7.0, search help functionality is not there.
How could I activate this?
Please suggest.
Regards,
S Anand
Hello Sheo,
EasyDMS does not provide search help for Authorization object as of the latest release. The search help achieved by customization of the domain BEGRU does not reflect in EasyDMS.
To achieve this, you can enhance easydms interface by using either easydms plugins or EasyDMS custom tab.
refer:
http://wiki.sdn.sap.com/wiki/display/PLM/EasyDMSPlugin%28Addin%29-Advanced+Development
note: 1355293
Regards
Surjit -
Use of Authorization Group in OB52
Dear Experts,
I have updated Authorization Group as "OB52" in the last column of OB52 T-Code against each posting period variant with account type + , A,D,K,S,M etc with normal period 1 to 12 and special period 13 to 16.
The same Authorization Group "OB52" is updated in one of FI users say Mr X Role profile under authorization object F_BKPF_BUP.
Now as per the SAP standard practice the special period 13-16 should open for the user Mr X and block for all other users. But system is allowing to do transaction with special period 13-16 for other users also.
Please advise where I am wrong.
Regards,
Alok
Dear,
I will explain the steps involved for auth Mr. X to post for the particular period.
Let's take an example that Mr. X has to be allowed to post between the period 1 to 11 and other users only for the period 11 (Apr - March as fiscal year).
Now, for valuation variant with account '+' for the first period, you enter from period as '1' and to period as '10' and in second period, you enter from period '11' and to period '11', and provide the auth group (e.g. KU - key user) in the last column.
For other accounts (A, D, M, K, S) change the first period from '1' to '12' and don't assign any auth group.
Now you go to SE16N and check in TBRG table whether your auth group KU is available for the object F_BKPF_BUP; if not, maintain it.
The last step is to assign "KU" to Mr. X's profile or role against the object F_BKPF_BUP.
Once you have made the change, "generate" and save it.
Now the system will permit Mr. X to post for the periods between 1 to 11 and other users only for period 11.
Hope that I am able to clear your doubt.
Do revert for any further assistance.
Take care
God Bless
Regards -
Dear Friends,
I know I can restrict two user "A" & "B" who create DIR " 1001" & "1002" respectively under same document Type say "DRW". Means they cannot display the DIR created by each other by Authorization Object "C_SIGN_BGR".
I have tried this and works perfect.
But my question is can I maintain these Authorization Groups so that when user enters any wrong Authorization group, it should not allow him to enter in Authorization Group Field.
If I maintain the setting in SPRO in DMS>Approvals>Define Authorization groups, will my maintained values be validated with the values I enter in Authorization Group field?
Also I know the development mentioned under link.
[https://wiki.sdn.sap.com/wiki/display/PLM/F4forAuthorization+group]
But I want to avoid this development.
Waiting for your reply.
With warm Regards
Mangesh
Hi Mangesh,
To achieve this I suggest you update domain BEGRU as mentioned in the link
http://wiki.sdn.sap.com/wiki/display/PLM/UsingAuthorizationGroupfieldin+DMS
Values can be maintained in ztable.
You can also have search help for BEGRU, by adding search help in DRAW table for BEGRU.
Also go through post - Re: Authorization Group in CV01n Document Data tab
Auth object C_DRAW_BGR has field value reference to data element BEGRU
Regards
Surjit -
Hide price in ALL Tx accg to material authorization group or material group
Hello,
I'm currently working on a customer's need which consists in hiding the material price in all transactions (MM, SD, FI...), according to the material master authorization group OR the material group.
The difficulty remains on the fact that users manage the transactions for other materials for which they can see the price.
I've tested some solutions posted on the forum (Tx OMET + user parameter EFB, use of authorization objects M_BEST_EKG + M_BEST_EKO + M_BEST_BSA) but none is satisfying enough.
Please tell me you have an idea that would prevent me from doing transaction variants + enhancements!!
Thanks for your help
Annabelle
> I am unable to find out the Material or the Material Type that is linked with a material authorization group (QMATAUTH).
>
> Do we have a table where I can find the Material Types or the Materials contained in each material Authorization Group (Q_MATERIAL -> QMATAUTH).
You can get the details on QM authorization group through table TQ01D. You can go through the following post for list of QM tables and tcodes.
QM Tables and T codes
Thanks.
Anjan