Authorization group class maintenance

Hi experts,
I have a question for restricting the maintenance of classes and material classification.
I am uploading classes in SAP and these classes the user should not be able to maintain or create material assignments to them, only the user who is executing the program should be allowed to do it.
How can I achieve this?
I am using the BAPI BAPI_CLASS_CREATE and I am filling the classbasicdata-fields authmaintain and authclassify with 999.
What assignments to roles or to user profiles do I need to do to restrict the maintenance access to my classes?
Many thanks for your help,
Christoph

Hi Shekar,
thanks for the response.
I took a look in transaction su21 and the authorization objects are C_KLAH_BKP and C_KLAH_BKL.
That's fine, but what can I do in this transaction (sorry for my basic knowledge, but I have no idea how it works)?
In the documentation to the field BGRKL of table KLAH (where the classes are stored) it says:
"This authorization must be defined in the user master record. The authorization object is BGRKL."
So my question is, how can I define this authorization in the user master record (for the specific value 999).
Thanks

Similar Messages

  • What is the Authorization group in Cash Journal View Maintenance (FBCJC0)

    Question 1: In Cash Journal View Maintenance (Tcode: FBCJC0), what is the Authorization group? 
    Question 2: How / Where can I define this Authorization group?
    As per the F1 Help  document in SAP :
    The authorization group enables you protect access to certain objects.
    In order to carry out a specific activity, the user must have authorization for the combination of the activity and the authorization group.

    Hi,
    Authorisation in Cash journal is meant for controlling of FBCJ transaction with a user ID.
    For example, if you have multiple cash books (Cash journal) or you are maintaining a cash book according to Business Area wise, Plant wise, etc.,
    In this case, you don't want to allow the other people to view / transact your cash book, then you can assign some unique identification in the authorisation group column against each of your cash journals.
    These unique identifications can be anything, e.g. 1001, 1002, 1ABC, ABC, etc. After this, the identification has to be assigned in the respective user profiles in the below-mentioned objects:
    F_BKPF_BED
    F_BKPF_BEK
    F_BKPF_BES
    F_BKPF_BLA
    F_FBCJ
    Hope it helps
    Saravanan.A

  • Authorization group for table maintenance view

    I need to create a table maintenance view for a custom table. The client provided a name for the auth. group, but I have no clue how to create the auth. group.
    can someone provide the steps to do this?

    Hi,
    Follow below steps to create table maintenance for a table and to assign authorization group to a table:
    step1: Go to SE11 enter the table name
    step2: In the standard toolbar you will find UTILITIES
    Go to UTILITIES -> TABLE MAINTENANCE GENERATOR
    You will go to first screen of Table maint. gen.
    Here you will find to enter authorization group.
    Thanks and Regards,
    Shravan G.

  • Authorization Group in se38

    Hi everybody,
    What is the use of the Authorization group in the se38 attributes? Can we create and assign our own one?
    The actual scenario which I am facing here is that my report should not be viewed by some group of users. My friend is saying I can do that through the above said one. But I know I can do that using AUTHORITY-CHECK. What I am asking here is, can I accomplish this task by the above said attributes?
    Points will be awarded.
    Thanx in advance.
    Gladiator

    Hi,
    Authorization Checks
    To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.
    The following actions are subject to authorization checks that are performed before the start of a program or table maintenance and which the SAP applications cannot avoid:
    · Starting SAP transactions (authorization object S_TCODE)
    · Starting reports (authorization object S_PROGRAM)
    · Calling RFC function modules (authorization object S_RFC)
    · Table maintenance with generic tools (S_TABU_DIS)
    Checking at Program Level with AUTHORITY-CHECK
    Applications use the ABAP statement AUTHORITY-CHECK, which is inserted in the source code of the program, to check whether users have the appropriate authorization and whether these authorizations are suitably defined; that is, whether the user administrator has assigned the values required for the fields by the programmer. In this way, you can also protect transactions that are called indirectly by other programs.
    AUTHORITY-CHECK searches profiles specified in the user master record to see whether the user has authorization for the authorization object specified in the AUTHORITY-CHECK. If one of the authorizations found matches the required values, the check is successful.
    The access protection system must ensure that only authorized individuals have access to the system and to particular data. For achieving precise application security concerning authorization and to protect confidential data against unauthorized access it is very important to focus on the use of authorization groups.
    The authorization group allows extended authorization protection for particular objects. The authorization groups are freely definable. They usually occur in authorization objects together with an activity.
    The table that contains all authorization objects is TOBJ.
    The table that contains all activities is TACT.
    The table that contains definition of all authorization groups is TBRG.
    TBRG -- Contains all authorization groups and gives information about relation between authorization object and authorization group. The description of the authorization groups is defined in table TBRGT.
    The field name for authorization group -- BRGRU -- is used to make additional restrictions on authorizations /e.g. for document maintenance/. In authorization objects and authorization checks, there are fields which are checked to verify user authorizations. Customizing objects are combined in authorization groups, and the authorization group is one of the two authorization fields, for example, in authorization object S_TABU_DIS which is in the object class BC_A (Basis - Administration). This object is for displaying or maintaining tables. It controls access using the standard table maintenance tool (transaction SM31), enhanced table maintenance (SM30) or the Data Browser (SE16), including access in Customizing.
    Authorization object S_TABU_DIS has the following fields: DICBERCLS - Authorization group, maximum field length is four characters; and ACTVT - Activity (02: Add, change or delete table entries, 03: Only display table contents).
    Generally, SAP standard tables are assigned to authorization groups. These assignments can be changed. You can then assign tables manually to a suitable authorization group. To do this, start Transaction SM30 for maintenance view V_DDAT, and create an entry for each of these tables. In V_DDAT is stored the assignment of Tables/Views to Authorization Groups. V_DDAT is cross-client; therefore, it can be viewed and used in all clients.
    Note: If you don't make a selection, all tables maintained in Customizing transactions are assigned to authorization groups.
    Reward If Helpful,
    Naresh.

  • What is authorization group?

    Hi all,
    Can anyone tell me what is authorization group? I always come across this when I am inside pfcg and look into the authorization object.
    I know that authorization object groups authorization fields together. And authorization is an instance of authorization object. But how does authorization group fit into this model?
    I have read parts of the help manual that mention auth. group is used to manage Z tables, but they never mention the above relationship.
    Thanks.

    HI Jockey,
    The access protection system must ensure that only authorized individuals have access to the system and to particular data. For achieving precise application security concerning authorization and to protect confidential data against unauthorized access it is very important to focus on the use of authorization groups.
    The authorization group allows extended authorization protection for particular objects. The authorization groups are freely definable. They usually occur in authorization objects together with an activity.
    The table that contains all authorization objects is TOBJ.
    The table that contains all activities is TACT.
    The table that contains definition of all authorization groups is TBRG.
    TBRG -- Contains all authorization groups and gives information about relation between authorization object and authorization group. The description of the authorization groups is defined in table TBRGT.
    The field name for authorization group -- BRGRU -- is used to make additional restrictions on authorizations /e.g. for document maintenance/. In authorization objects and authorization checks, there are fields which are checked to verify user authorizations. Customizing objects are combined in authorization groups, and the authorization group is one of the two authorization fields, for example, in authorization object S_TABU_DIS which is in the object class BC_A (Basis - Administration). This object is for displaying or maintaining tables. It controls access using the standard table maintenance tool (transaction SM31), enhanced table maintenance (SM30) or the Data Browser (SE16), including access in Customizing.
    Authorization object S_TABU_DIS has the following fields: DICBERCLS - Authorization group, maximum field length is four characters; and ACTVT - Activity (02: Add, change or delete table entries, 03: Only display table contents).
    Generally, SAP standard tables are assigned to authorization groups. These assignments can be changed. You can then assign tables manually to a suitable authorization group. To do this, start Transaction SM30 for maintenance view V_DDAT, and create an entry for each of these tables. In V_DDAT is stored the assignment of Tables/Views to Authorization Groups. V_DDAT is cross-client; therefore, it can be viewed and used in all clients.
    Note: If you don't make a selection, all tables maintained in Customizing transactions are assigned to authorization groups.
    Check these links too..
    http://help.sap.com/saphelp_crm50/helpdata/en/52/671285439b11d1896f0000e8322d00/frameset.htm
    http://help.sap.com/saphelp_nw04s/helpdata/en/52/67129f439b11d1896f0000e8322d00/frameset.htm
    http://www.sap4.com/contentid-39.html
    Thanks,
    Susmitha
    Don't forget to reward points for useful answers.
    Message was edited by: Susmitha Thomas

  • How to create authorization group in SE11

    Hello experts,
    I need to create a new authorization group for my custom table so that only users in this group will be allowed to maintain my ztable in SM30(table maintenance).
    Again, thank you guys and have a nice day!

    Re: Standard FM for table maint.
    su21 is used for maintenance of authority objects:
    http://www.sap-img.com/basis/useful-sap-system-administration-transactions.htm
    http://sap.ittoolbox.com/groups/technical-functional/sap-r3-basis/please-how-to-create-an-authorization-object-386391

  • Authorization group in Marketing planner

    Hi
    There is a field 'Authorization group' in the basic tab while creating a marketing plan. Now, this authorization group decides which users can perform particular actions on this marketing plan like change, display etc. So this authorization group must have some users attached to it. Moreover these users must be having their own authorization objects under role maintenance. So how can a particular user have limited access just on the basis of this group? Is this group having some authorization objects under it, and if yes then where? My question is where do we assign the users to this group. Any pointers will be helpful.

    Sunil Sir,
    Authorization Groups are defined in SPRO under Cross Applications Comp ->SAP B P ->Basic Settings ->Authorization Mgmt ->Maintain Author Grps.
    And you assign Authorization groups to each relevant Business Partner. while creating a BP you can assign auth. gp under Identification tab.
    if you r satisfied with the answer pls assign the reward points i will be opening my account with your valued points
    good to c ur msg..
    cheers!
    Rishi

  • User group [$CLASS] not an Org level field in IA, whereas it is in DA

    Hi All,
    We have an authorization problem that we faced while SAP Upgrade. In the development system while we upgraded all the roles, we did not face any issue. User group field [$CLASS] was actually an org level field in that system and the roles were upgraded based on that condition.
    When the Integration system was up and the upgraded roles were transported to IA, we noticed that they ended with a warning. On checking the logs we found out that User group [CLASS] actually was not an Org level value in the Integration system, whereas it was an org level field in the development system.
    Can someone tell me the reason why it is different? Is there any settings we have to change to make User group  an org level field in IA. Thanks a lot for your help.
    Vijith

    Hello, I ran into this also and found these notes to explain why this is suddenly an org value and how to fix it:
    http://search.sap.com/notes?id=0001580048
    http://search.sap.com/notes?id=0001739055
    Basically, GRC 10 add-on makes the user group an org value and the note instructs how to undo this manually, but there is a required pre-requisite because you cannot modify this for SAP delivered fields normally.
    You know what else would be nice.... maybe there's a note that explains why Account Type is an org value.  It REALLY should not be, IMO.

  • Authorization Groups and table TBRG

    In our system we have tables which are using custom authorization group ZEXC.  I am looking at this via SE11 Table Maintenance Generator or SE54 Assign Authorization Group.
    I can also see that it is assigned to roles by using SUIM -->Roles-->By Authorization values -->entry auth object (S_TABU_DIS) and click on entry values.
    What I am not seeing is that the authorization group is defined in table TBRG.
    So my question is....  An authorization group does not need to be defined in order to attach it to a table or assign it to a role?  If the authorization group was created then deleted is it still valid to have it attached to tables and roles?

    Hi Sharon,
    Assign the authorization to the user and set it to inactive mode. Then the authorization will be deactivated for that particular user.

  • Checking BOM Authorization Group

    Hai Friends,
    I have developed a multilevel BOM display report. End users have been assigned to 2 Authorization Groups, A1 and A2.
    If a user has A1 authorization I have to explode the BOM fully, else I have to stop at a certain class. How do I identify whether a user has A1 authorization or not? Is there any FM? If so, what parameters need to be passed?

    Hi T,
    First you need to get authorization object for BOM. You can use transaction ST05 to trace the object.
    Then you can use command AUTHORITY-CHECK OBJECT in your program to check against the object whether the user have authorization or not.
    Regards,
    Chaiphon

  • Ho regarding authorization group...

    hi all...
    I need to create an authorization group for the report programs. I tried in se54 but this is only for tables. How can we create the authorization group for the report programs? Please guide me in this.

    hi
    In actvt maintain a new field value. Then create your own authorization object under a new authorization class.
    Then in each report, just do AUTHORITY-CHECK for this object and field. Transaction codes SU20, SU21 are used for this purpose.
    the command AUTHORITY-CHECK OBJECT is used in all the programs where you want control.
    hope this helps
    regards
    Aakash Banga

  • KOB1 authorization group missing

    Hi,
    When I'm executing KOB1 I'm getting the output report, which shows all the line items as per the given selection in the quality system.
    When I'm using a different user ID and the same quality system it's not showing the line items; some authorizations are missing.
    how can i check and how can i fix this issue.
    thanks in advance.

    hi,
    There are authorizations given for many transactions.
    Developers don't have that authorization; tell your functional member about this and get it done by the basis team.
    SAP AUTHORIZATION OBJECT TABLE

    Table Name  Description
    ----------  -----------
    TOBJ        Authorization Objects
    TACT        Activities which can be Protected (Standard activities authorization fields in the system)
    TACTZ       Valid activities for each authorization object
    TDDAT       Maintenance Areas for Tables
    TSTC        SAP Transaction Codes
    TPGP        ABAP/4 Authorization Groups
    USOBT       Relation transaction > authorization object
    USOBX       Check table for table USOBT
    USOBT_C     Relation Transaction > Auth. Object (Customer)
    USOBX_C     Check Table for Table USOBT_C
    USR01       User master record (runtime data)
    USR02       Logon data
    USR03       User address data
    USR04       User master authorizations
    USR05       User Master Parameter ID
    USR06       Additional Data per User
    USR07       Object/values of last authorization check that failed
    USR08       Table for user menu entries
    USR09       Entries for user menus (work areas)
    USR10       User master authorization profiles
    USR11       User Master Texts for Profiles (USR10)
    USR12       User master authorization values
    USR13       Short Texts for Authorizations
    USR14       Surchargeable Language Versions per User
    USR30       Additional Information for User Menu
    USH02       Change history for logon data
    USH04       Change history for authorizations
    USH10       Change history for authorization profiles
    USH12       Change history for authorization values
    UST04       User masters
    UST10C      User master: Composite profiles
    UST10S      User master: Single profiles
    UST12       User master: Authorizations

    Regards
    Deepak.
    Edited by: Deepak Dhamat on Oct 2, 2010 7:00 AM
    Edited by: Deepak Dhamat on Oct 2, 2010 7:04 AM

  • Re: Transporting Authorization Groups From QA To PROD

    All,
    We have some custom Authorization groups tied to custom tables on QA(testing) and the same custom tables exist on PROD(production) too but without the custom auth groups.
    Is there a way to transport just the custom authorization groups from QA to PROD. Any pointers on this would be appreciated.
    Thanks
    -Murali

    Hi Murali,
    Please do the following:
    1. Call SE11.
    2. Put whatever Z table name and change.
    3. On menu 'Utilities' --> 'Table maintenance generator'.
    4. On menu 'Environment' --> 'Authorization' --> 'Authorization groups'.
    5. Click on the auth group that would be transported.
    6. On menu 'Table view' --> 'Transport'. Then save the transport.
    7. Click 'Include in request'. Then you will get a message 'Entry flagged for ......' on bottom-left of the screen.
    8. Save the change.
    9. Click 'Back' until out of SE11.
    If you check the transport request, you will see some entries in table TBRG and TBRGT: <client>S_TABU_DIS<authgrp>, <client>1S_TABU_DIS<authgrp> and <client>ES_TABU_DIS<authgrp>.
    Hope it helps.
    Regards,
    Agoes

  • SE54 Change Authorization Group

    Hi all,
    I have an immediate need -- a previous developer created a table view and generated a function group for maintenance. The authorization group they assigned was incorrect so I need to change it. How can I do this?
    I went to SE54, changed the authorization group, then hit the "Change" button. It pops up asking for a "Reason for Change". My questions:
    1. Will this overwrite the function group and generate a new one? I do not want this to happen.
    2. Does it matter what reason I choose? There is not one for authorization group change.
    Thanks in advance. Points will be awarded for helpful answers.
    Message was edited by:
            John S

    Has anyone else encountered this problem? I have still not been able to find a solution.
    A recap:
    1. A previous developer created a custom table and a maintenance view to edit that table. Using the table maintenance generator he also developed some custom functionality and created a custom transaction to call this in SM30.
    2. The table and maintenance view were created with &NC& authorization group.
    3. We created a new authorization group that we need to assign to the maintenance view.
    4. Somehow the auth group for the custom table was changed to the new auth group.
    5. We have been unable to change the auth group for the maintenance view using a variety of ways.
    Does anyone have any suggestions?

  • Authorization group,function group

    Friends, while creating a table maintenance view it's asking for an authorization group
    and a function group. What are those things and what should I provide there? Please tell me
    in detail.

    Hi,
    You can assign authorization groups to tables to avoid users accessing tables using general access tools (such as transaction SE16). A user requires not only authorization to execute the tool, but must also have authorization to be permitted to access tables with the relevant group assignments. For this case, we deliver tables with predefined assignments to authorization groups. The assignments are defined in table TDDAT; the checked authorization object is S_TABU_DIS.
    You can assign a table to authorization group Z000. (Use transaction SM30 for table TDDAT) A user that wants to access this table must have authorization object S_TABU_DIS in his or her profile with the value Z000 in the field DICBERCLS (authorization group for ABAP Dictionary objects).
    Function group to which the maintenance modules are to belong. One function group can contain maintenance modules for several tables or views.
    – Authorization group
    – Maintenance type (one or two-step)
    – Maintenance screen(s) (one or two-step maintenance type, resp.) numbers
    Regards,
    Ferry Lianto
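
The check described in the S_TABU_DIS answers above (table-to-group assignment in TDDAT, then the user's S_TABU_DIS authorization for DICBERCLS and ACTVT), as an added ABAP example that is not part of the original posts and not SAP's own code. The report name Z_DEMO_TABU_DIS_CHECK and its parameter are hypothetical, and the fallback to group &NC& for tables without an assignment is an assumption about standard behaviour.

```abap
REPORT z_demo_tabu_dis_check.

" Hypothetical input: the table whose protection should be evaluated,
" for example a custom Z table maintained through SM30.
PARAMETERS p_tab TYPE tabname OBLIGATORY.

CONSTANTS: gc_maintain TYPE c LENGTH 2 VALUE '02',   " add/change/delete
           gc_display  TYPE c LENGTH 2 VALUE '03',   " display only
           gc_no_group TYPE c LENGTH 4 VALUE '&NC&'. " assumed default group

DATA gv_group TYPE tddat-cclass.

START-OF-SELECTION.

  " Step 1: read the authorization group assigned to the table in TDDAT.
  SELECT SINGLE cclass FROM tddat INTO gv_group
    WHERE tabname = p_tab.
  IF sy-subrc <> 0 OR gv_group IS INITIAL.
    " No assignment found: evaluate against the unassigned group, which
    " is usually granted far more widely than a dedicated group.
    gv_group = gc_no_group.
    WRITE: / 'No TDDAT assignment for', p_tab, '- using group', gv_group.
  ENDIF.

  " Step 2: check change authorization for the current user.
  " sy-subrc must be evaluated after every AUTHORITY-CHECK; a check
  " whose result is ignored protects nothing.
  AUTHORITY-CHECK OBJECT 'S_TABU_DIS'
    ID 'DICBERCLS' FIELD gv_group
    ID 'ACTVT'     FIELD gc_maintain.
  IF sy-subrc = 0.
    WRITE: / sy-uname, 'may maintain', p_tab, 'via group', gv_group.
    RETURN.
  ENDIF.

  " Step 3: fall back to display authorization.
  AUTHORITY-CHECK OBJECT 'S_TABU_DIS'
    ID 'DICBERCLS' FIELD gv_group
    ID 'ACTVT'     FIELD gc_display.
  IF sy-subrc = 0.
    WRITE: / sy-uname, 'may only display', p_tab, 'via group', gv_group.
  ELSE.
    " Any non-zero return code is treated as a denial.
    WRITE: / sy-uname, 'has no access to', p_tab,
             'via group', gv_group, '- sy-subrc =', sy-subrc.
  ENDIF.
```

Running it for a table that still falls back to &NC& is a quick way to spot custom tables that were never given their own authorization group.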
