Authorization Group in se38

Hi everybody,
what is the use of Authorization group in se38 attribute? can we create and assign our own one?
The actual scenerio which i am facing here is My report should not be viewed by some grop of  users. My friend is saying i can do that through the above said one. But i know i can do that using AUTHORITY-CHEK.  What i am asking here is can i accomplish this task by the above said attributes.
Points will be awarded.
Thanx in advance.
Gladiator

Hi,
Authorization Checks
To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.
The following actions are subject to authorization checks that are performed before the start of a program or table maintenance and which the SAP applications cannot avoid:
·Starting SAP transactions (authorization object S_TCODE)
Starting reports (authorization object S_PROGRAM)
Calling RFC function modules (authorization object S_RFC)
Table maintenance with generic tools (S_TABU_DIS)
Checking at Program Level with AUTHORITY-CHECK
Applications use the ABAP statement AUTHORITY-CHECK, which is inserted in the source code of the program, to check whether users have the appropriate authorization and whether these authorizations are suitably defined; that is, whether the user administrator has assigned the values required for the fields by the programmer. In this way, you can also protect transactions that are called indirectly by other programs.
AUTHORITY-CHECK searches profiles specified in the user master record to see whether the user has authorization for the authorization object specified in the AUTHORITY-CHECK. If one of the authorizations found matches the required values, the check is successful.
The access protection system must ensure that only authorized individuals have access to the system and to particular data. For achieving precise application security concerning authorization and to protect confidential data against unauthorized access it is very important to focus on the use of authorization groups.
The authorization group allows extended authorization protection for particular objects. The authorization groups are freely definable. They usually occur in authorization objects together with an activity.
The table that contains all authorization objects is TOBJ.
The table that contains all activities is TACT.
The table that contains definition of all authorization groups is TBRG.
TBRG -- Contains all authorization groups and gives information about relation between authorization object and authorization group. The description of the authorization groups is defined in table TBRGT.
The field name for authorization group -- BRGRU -- is used to make additional restrictions on authorizations /e.g. for document maintenance/. In authorization objects and authorization checks, there are fields which are checked to verify user authorizations. Customizing objects are combined in authorization groups, and the authorization group is one of the two authorization fields, for example, in authorization object S_TABU_DIS which is in the object class BC_A (Basis - Administration). This object is for displaying or maintaining tables. It controls access using the standard table maintenance tool (transaction SM31), enhanced table maintenance (SM30) or the Data Browser (SE16), including access in Customizing.
Authorization object S_TABU_DIS has the following fields: DICBERCLS - Authorization group, maximum field length is four characters; and ACTVT - Activity (02: Add, change or delete table entries, 03: Only display table contents).
Generally, SAP standard tables are assigned to authorization groups. These assignments can be changed. You can then assign tables manually to a suitable authorization group. To do this, start Transaction SM30 for maintenance view V_DDAT, and create an entry for each of these tables. In V_DDAT is stored the assignment of Tables/Views to Authorization Groups. V_DDAT is cross-client; therefore, it can be viewed and used in all clients.
Note: If you don't make a selection, all tables maintained in Customizing transactions are assigned to authorization groups.
Reward If Helpfull,
Naresh.

Similar Messages

  • Use of Authorization groups - do we need check on S_PROGRAM as well?

    Hi!
    As a rule we always implement authorization group in the attributes of our ABAP programs. We also insert an include which contains a check:
    AUTHORITY-CHECK OBJECT 'S_PROGRAM'
           ID 'P_GROUP' FIELD  W-SECU
           ID 'P_ACTION' DUMMY.
    where W_SECU is the given authorization group.
    My question is : do we really need this check in saperp2005 systems? I have a feeling that this check is included in the SE38 transaction already now.   Why I think this: someone forgot th copy the content of the mentioned include into our upgraded system, and if I try to run a program with a specfied authorization group I do not have access to , I get a message about this automatically from SE38.
    Regards, Tine

    Hi,
    that must be wrong. You must differentiate between calling transaction SE38 (for which you need an authorization) and executing the program (which you insert as an include). On one side, transaction SA38 is the one your users must call for this. On the other side, I´m also working with MySAP 2005 and SE38 does not check the authority for the program.

  • Assign posting periods to authorization group in tcode S_ARL_87003642

    Hello,
    I want to restrict posting periods for some users. Therefore, I have created 2 functions associated to 2 authorization groups.
    In transaction S_ARL_87003642, when I try to assign different posting periods to each authorization group to the same company code (Posting Period Variant) it appears a message saying u2018Target key must be different from source keyu2019.
    What am I doing wrong? Do you know how can I restrict posting periods for some users?
    Thanks and regards
    Ana Rita

    Dear,
    You simply have to define authorisation groups in OB52 and assign this group to F_bkpf_bup in SU01 against user proflie as desired. Take basis help.
    Regards

  • Authorization Group for G/L Account

    Hi,
    What?
    - I wish to restrict the 'posting' of a G/L account to be done by certain users only
    How?
    - What I have done was...
    a) From FS00, I have added a free-text (BANK) into the Authorization Group for a G/L account
    b) From PFCG, a new role was created to allow these 2 Authorization Objects, F_BKPF_BES and F_SKA1_BES
    c) 'BANK' was entered for the Authorization Group for both these 2 Authorization Objects
    d) From there, I have assigned this new role to the user that I wish to allow Posting of the G/L account
    Problem?
    - Other users still can do Posting for this G/L account
    - Any steps which I have missed out here or done wrongly?
    Thanks,
    Brandon

    Hi,
    Some other roles of the users may override and cause the users to post against this GL account.
    Check all the roles relevant for the restricted users. 
    Use SUIM t-code to find if the auth object mentioned above is included in any other role.
    If it be, restrict that again.
    Generally if one role as no restriction against this auth and not all, this issue tends to happen.
    Regards,
    Sridevi

  • Restrict Vendor line items display by Vendor authorization group

    Hi Gurus,
    I have a requirement to restrict Vendor line item diplay for Tcode FBL1N, I have updated the Authorization object F_LFA1_BEK, its work fine if all the vendors have authorization, However it also display vendors whose auth. group is "BLANK" or "SAPCE",
    Is there a way that I can slove this issue, is there any SAP notes of other object which needs to be updated ?

    Hi,
    this problem has been discussed on this forum last week. Basically, SAP does not perform authorization check if the authorization group is blank. Hence you need to assign authorization object to all vendors.
    Cheers

  • Authorization group in GL A/C

    Hi,
        I have a role that has the authorization group in the authorization objects  F_BKPF_BES , F_SKA1_BES  updated only with 'AUTH' but the same role is also able to access GL accounts with authorization group 'REST'.
       I want to restrict the role to access GL Accounts only with authorization group 'AUTH'.
    How to do it.Kindly advise.
    Thanks.

    GL account Authorization
    Re: How to create authorization groups for G/L Accounting
    Thanks
    Javed

  • Authorization group in GL A/C using FB01

    HI, We have  activated the authorization Group in GL A/c. Using the authorization object F_BKPF_BES we were able to create restrictions on other tcodes like F-28 . However when using the u201CFB01u201D tcode, the authorization check does not have any effect. I have already check the authorization in SU24 for fb01 and status is set to YES. I have also created a trace(using ST01) for this transaction but ST01 does not show any authorization trace for F_BKPF_BES.

    Hello,
    Authorization object:F_BKPF_BES should be checked when you run FB01.
    In your case,please try to check the following points:
    1.Authrization group was assigend to G/.L master data correctly.
    2.Authrization group  was assigend to object:F_BKPF_BES correctly.
    3.Avtivity was defined in this object correctly.
    4.Role was assgined to user correctly.
    5.SAP_ALL authorization was deleted from the user profile.
    Note: it is impossible to define the authorization group as '  '(space) in object:F_BKPF_BES,
    if '  ' was defined, system will consider there are no any setting existed.
    Hope the above infor. could help you to solve this issue.
    Best Regards,

  • Creation of Authorization group

    Hello All,
    I have a requirement from FI consultant for creation of new authorization group. This auth. group we want to use in FI objects like F_BKPF_BEK. so that for few end users they should not change any vendor data in FK02.
    I have gone through several posts, but not able to get / understand clear steps for creation of auth group and assignment.
    One of the post i found is below:
    [How to create Authorization group;
    i tried to do few steps but not in right direction. Request you some one please suggest me the steps for cration.
    Rgds,
    Durga.

    Julius,
    Thanks for the update. As suggested by you i have inserted one entry of auth group in TBRG table against FI object with SE16.
    Now how do we maintain the view of V_TBRG. Is it from SE11?, if yes then i should do this step from ABAP login.
    But what i heard is, this activity is purely involved by Basis people.
    Please suggest.
    Rgds,
    Durga.

  • Customer Master Data and Line Items Balances Display - Authorization Group

    One autorization group was created and assigned to some customer masters in General, Company Code and Sales Area's.
    User is restricted to one authorization group. When executing FBL5N, all customer balances are displayed i.e. including blank authorization group customer. It is not restricted to authorization group customer! Why?

    Kindly check the authorization objects assigned in the user profile. You may ask your basis to help you with the authorization.

  • Authorization Group (BEGRU) search help  required in Easy DMS

    Hi all,
    I had defined some value in authorization group (BEGRU) in SAP. When i opened the Document using CV01N/ CV02N transaction, then F4 help is available to me.
    but when i opened the same document via SAP Easy DMS 7.0, Search help functionality is not there.
    How could i activate this.
    Pls.. Suggest.
    Regards,
    S Anand

    Hello Sheo,
      EasyDMS does not provide search help for Authorization object as of  the latest release. The search help achieved by customization of the domain BEGRU does not reflect in EasyDMS.
    To achieve this, you can enhance easydms interface by using either easydms plugins or EasyDMS custom tab.
    refer:
    http://wiki.sdn.sap.com/wiki/display/PLM/EasyDMSPlugin%28Addin%29-Advanced+Development
    note: 1355293
    Regards
    Surjit

  • Use of Authorization Group in OB52

    Dear Experts,
    I have updated Authorization Group as "OB52" in the last column of OB52 T-Code against each posting period variant with account type + , A,D,K,S,M etc with normal period 1 to 12 and special period 13 to 16.
    The same Authorization Group "OB52" is updated in one of FI users say Mr X Role profile under authorization object F_BKPF_BUP.
    Now as per the SAP standard practice the special period 13-16 should open for the user Mr X and block for all other users. But system is allowing to do transaction with special period 13-16 for other users also.
    Please advise where I am wrong.
    Regards,
    Alok

    Dear,
    I will explain you the step involved for auth Mr.X to post for the particular period.
    Let take an example  that Mr.X has to be allowed to post between the period 1 to 11 and other user only for the period 11(Apr - March as fiscal year).
    Now,for valuation variant with account  ' +'  for the first period, you enter from period as '1' and to period as '10' and in second period, you enter from period '11' and to period '11', provide the auth group (eg KU - key user)  in the last column.
    For other accounts (A,D,M,K,S) change the first period from '1' to '12' and dont assign any auth group.
    Now you goto se16n and check in TBRG table whether your auth group KU is available for the object F_BKPF_BUP,if not maintain it.
    The last step is to assign "KU" to Mr.X profile or role against the object F_BKPF_BUP.
    Once you made the change"generate" and save it.
    Now the system will permit Mr.X to post for the periods between 1 to 11 and other user only for 11 period.
    Hope that i am ab;le to clear your boubt.
    Do revert for any further assistance.
    Take care
    God Bless
    Regards

  • BAPI to create bp with name, search term, address and Authorization Group

    Hi
      which BAPI could be used to create Business Partner (type organazation) with names, search term, address and the Authorization Group field.
      ths

    Hello ,
    You can use : BAPI_BUPA_CREATE_FROM_DATA
    In case you need to update additional fragments just search in trn code SE37  for BAPI_BUPA_*CREATE.
    For example BAPI_BUPA_FRG0040_CREATE - Create classification data for BP , etc'.
    Additional you can use XIF :CRMXIF_PARTNER_SAVE to create business partners
    Rika

  • Authorization Group

    Dear Friends,
    I know I can restrict two user "A" & "B"  who create DIR  " 1001" & "1002" respectively under same document Type say "DRW". Means they cannot display the DIR created by each other  by Authorization Object "C_SIGN_BGR".
    I have tried this and works perfect.
    But my question is can I maintain these Authorization Groups so that  when user enters any wrong Authorization group, it should not allow him to enter in Authorization Group Field.
    If I Maintain the setting in SPRO in DMS>Approvals>Define Authorization groups, will my maintained  values will be validated with the values I enter in Authorization Group field.
    Also I know the developement mentioned under link.
    [https://wiki.sdn.sap.com/wiki/display/PLM/F4forAuthorization+group]
    But I want to avoid this developement.
    Waiting for your reply.
    With warm Regards
    Mangesh

    Hi Mangesh,
    To achieve this I suggest you to Update domain BEGRU as mentioned in the link
    http://wiki.sdn.sap.com/wiki/display/PLM/UsingAuthorizationGroupfieldin+DMS
    values can be maitained in ztable
    You can also have search help for BEGRU, by adding search help in DRAW table for BEGRU.
    also go through post - Re: Authorization Group in CV01n Document Data tab
    Auth object C_DRAW_BGR has field value reference to data element BEGRU
    Regards
    Surjit

  • Authorization Groups

    Hi Experts,
    If I have values NPD,R&D etc. for authorization groups. How to maintain these values in SAP DMS? Is there any t-code or spro configuration for maintaining these values? I know it's basis activity.
    I hope you understood the question properly, how to set the authorization groups and where to maintain the values for them?
    Regards,
    Ravindra

    Hi,
    In DMS auth grp is  free field and we can maintain any value for it.
    But to control access we must assign these value to auth obj  c_DRAW_BGR.
    This auth obj  will be assigned to role and role to user.
    So user who has auth value R&D in his role can enter this auth obj value while creating a dir and at the same time he can access a DIR with this auth obj value created by other user having same auth obj in his role.
    Plz note that this auth ob c_Draw_bgr works with other auth obj in DMS.
    Regards
    Abhijit

  • Hide price in ALL Tx accg to material authorization group or material group

    Hello,
    I'm currently working on a customer's need which consists in hiding the material price in all transactions (MM, SD, FI...), according to the material master authorization group OR the material group.
    The difficulty remains on the fact that users manage the transactions for other materials for which they can see the price.
    I've tested some solutions posted on the forum (Tx OMET + user parameter EFB, use of authorization objects M_BEST_EKG + M_BEST_EKO + M_BEST_BSA) but none is satisfying enough.
    Please tell me you have an idea that would prevent me from doing transaction variants + enhancements!!
    Thanks for your help
    Annabelle

    > I am unable to find out the Material or the Material Type that is linked with a material authorization group (QMATAUTH).
    >
    > Do we have a table where I can find the Material Types or the Materials contained in each material Authorization Group (Q_MATERIAL -> QMATAUTH).
    You can get teh details on QM authorization group through table TQ01D. YOu can go through the following post for list of QM tables and tcodes.
    QM Tables and T codes
    Thanks.
    Anjan

Maybe you are looking for

  • File Recovery

    How can I repair the file bthusb from the recovery partition (Windows 7)?

  • What's wrong with the anchor

    I would like to have the component in the following code on the top but it is always in the center, what is wrong with my anchor? Thanks for any help! private JPanel createParameterPanel(JLabel label, Component value) { JPanel panel = new JPanel(); G

  • Switching off selected devices

    Hi, I wonder if anyone can help. I have a BT Home Hub 3 and I heard that you can switch off selected devices at various times of the day, i.e. switching off my son's xbox without the rest of the familiy suffering with a lack of internet. Is this faci

  • Sending email comes back saying sent folder is full and the email doesn't get sent,except sometimes

    Hi, two problems: 1. When i send an email i get an error message saying "sent folder is full ..." and the email doesn't go through. Except if i send myself a test it works. Help? 2. IN my stored folders the subject remains for many files but the cont

  • Importing error AE CC: "MXFF" is damaged or unsupported Canon XF300

    After shooting on Canon's XF300, I get an error while importing the footage. Premiere Pro reads the native footage without any issues, but if I open a AE and try importing the raw footage, I get an error? Is After Effects CC not compatible with foota