Authorization Group & TBRG
Hello. I wonder what case should I create records into TBRG for.
Generally, authorization group works when I set it to master record (e.g.vendor, customer,account code) and role (from PFCG).
But, in some case, It is required to insert authorization group and its text to TBRG.
Please tell me weather TBRG setting is essencial or not .
Edited by: Julius Bussche on Dec 28, 2009 6:13 PM
Table name corrected.
Hi Yugo,
Table TBRG - Contains all authorization groups and gives information about relation between authorization object and authorization group. Hence its very much necessary you maintain the authgroups in this table.
Also if you want it to appear as a pick list when you click F4 in the DICBERCLES field in object S_TABU_DIS then you should have those valuse maintained in table:TBRG.
There are several threads based on your query which are already answered. just search by "TBRG Auth Groups" in the same forum.
Hope it helps.Let us know if you need any more information from our side.
Similar Messages
-
Authorization Groups and table TBRG
In our system we have tables which are using custom authorization group ZEXC. I am looking at this via SE11 Table Maintenance Generator or SE54 Assign Authorization Group.
I can also see that it is assigned to roles by using SUIM -->Roles-->By Authorization values -->entry auth object (S_TABU_DIS) and click on entry values.
What I am not seeing is that the authorization group is defined in table TBRG.
So my question is.... An authorization group does not need to be defined in order to attach it to a table or assign it to a role? If the authorization group was created then deleted is it still valid to have it attached to tables and roles?Hi Sharon,
Assign the authorization to user and make it inactive mode.Then authorization will be deactived to tat particular user's. -
Creation of Authorization group
Hello All,
I have a requirement from FI consultant for creation of new authorization group. This auth. group we want to use in FI objects like F_BKPF_BEK. so that for few end users they should not change any vendor data in FK02.
I have gone through several posts, but not able to get / understand clear steps for creation of auth group and assignment.
One of the post i found is below:
[How to create Authorization group;
i tried to do few steps but not in right direction. Request you some one please suggest me the steps for cration.
Rgds,
Durga.Julius,
Thanks for the update. As suggested by you i have inserted one entry of auth group in TBRG table against FI object with SE16.
Now how do we maintain the view of V_TBRG. Is it from SE11?, if yes then i should do this step from ABAP login.
But what i heard is, this activity is purely involved by Basis people.
Please suggest.
Rgds,
Durga. -
Use of Authorization Group in OB52
Dear Experts,
I have updated Authorization Group as "OB52" in the last column of OB52 T-Code against each posting period variant with account type + , A,D,K,S,M etc with normal period 1 to 12 and special period 13 to 16.
The same Authorization Group "OB52" is updated in one of FI users say Mr X Role profile under authorization object F_BKPF_BUP.
Now as per the SAP standard practice the special period 13-16 should open for the user Mr X and block for all other users. But system is allowing to do transaction with special period 13-16 for other users also.
Please advise where I am wrong.
Regards,
AlokDear,
I will explain you the step involved for auth Mr.X to post for the particular period.
Let take an example that Mr.X has to be allowed to post between the period 1 to 11 and other user only for the period 11(Apr - March as fiscal year).
Now,for valuation variant with account ' +' for the first period, you enter from period as '1' and to period as '10' and in second period, you enter from period '11' and to period '11', provide the auth group (eg KU - key user) in the last column.
For other accounts (A,D,M,K,S) change the first period from '1' to '12' and dont assign any auth group.
Now you goto se16n and check in TBRG table whether your auth group KU is available for the object F_BKPF_BUP,if not maintain it.
The last step is to assign "KU" to Mr.X profile or role against the object F_BKPF_BUP.
Once you made the change"generate" and save it.
Now the system will permit Mr.X to post for the periods between 1 to 11 and other user only for 11 period.
Hope that i am ab;le to clear your boubt.
Do revert for any further assistance.
Take care
God Bless
Regards -
Hi everybody,
what is the use of Authorization group in se38 attribute? can we create and assign our own one?
The actual scenerio which i am facing here is My report should not be viewed by some grop of users. My friend is saying i can do that through the above said one. But i know i can do that using AUTHORITY-CHEK. What i am asking here is can i accomplish this task by the above said attributes.
Points will be awarded.
Thanx in advance.
GladiatorHi,
Authorization Checks
To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.
The following actions are subject to authorization checks that are performed before the start of a program or table maintenance and which the SAP applications cannot avoid:
·Starting SAP transactions (authorization object S_TCODE)
Starting reports (authorization object S_PROGRAM)
Calling RFC function modules (authorization object S_RFC)
Table maintenance with generic tools (S_TABU_DIS)
Checking at Program Level with AUTHORITY-CHECK
Applications use the ABAP statement AUTHORITY-CHECK, which is inserted in the source code of the program, to check whether users have the appropriate authorization and whether these authorizations are suitably defined; that is, whether the user administrator has assigned the values required for the fields by the programmer. In this way, you can also protect transactions that are called indirectly by other programs.
AUTHORITY-CHECK searches profiles specified in the user master record to see whether the user has authorization for the authorization object specified in the AUTHORITY-CHECK. If one of the authorizations found matches the required values, the check is successful.
The access protection system must ensure that only authorized individuals have access to the system and to particular data. For achieving precise application security concerning authorization and to protect confidential data against unauthorized access it is very important to focus on the use of authorization groups.
The authorization group allows extended authorization protection for particular objects. The authorization groups are freely definable. They usually occur in authorization objects together with an activity.
The table that contains all authorization objects is TOBJ.
The table that contains all activities is TACT.
The table that contains definition of all authorization groups is TBRG.
TBRG -- Contains all authorization groups and gives information about relation between authorization object and authorization group. The description of the authorization groups is defined in table TBRGT.
The field name for authorization group -- BRGRU -- is used to make additional restrictions on authorizations /e.g. for document maintenance/. In authorization objects and authorization checks, there are fields which are checked to verify user authorizations. Customizing objects are combined in authorization groups, and the authorization group is one of the two authorization fields, for example, in authorization object S_TABU_DIS which is in the object class BC_A (Basis - Administration). This object is for displaying or maintaining tables. It controls access using the standard table maintenance tool (transaction SM31), enhanced table maintenance (SM30) or the Data Browser (SE16), including access in Customizing.
Authorization object S_TABU_DIS has the following fields: DICBERCLS - Authorization group, maximum field length is four characters; and ACTVT - Activity (02: Add, change or delete table entries, 03: Only display table contents).
Generally, SAP standard tables are assigned to authorization groups. These assignments can be changed. You can then assign tables manually to a suitable authorization group. To do this, start Transaction SM30 for maintenance view V_DDAT, and create an entry for each of these tables. In V_DDAT is stored the assignment of Tables/Views to Authorization Groups. V_DDAT is cross-client; therefore, it can be viewed and used in all clients.
Note: If you don't make a selection, all tables maintained in Customizing transactions are assigned to authorization groups.
Reward If Helpfull,
Naresh. -
Table for Role & Authorization group
Hi Gurus,
I am looking for a table or FM to get all roles for Authorization group.
I tried in SUIM tcode but could not able to find exact DB table for these.
Giri
P.S.: To Moderator:
My earlier thread was locked for the same question, I was searching in SDN and google from last 3 days and could not able to find enough information on it. AGR_USERS, TBRG, TACT are the tables i found. But still there is a link missed between Role & Authorization Group.Thomas,
My report have selection screen with Auth group and user.
If user provides Auth. Group then need to find all roles linked to auth group and users assigned to that role.
In my investigation, there is link between Auth. Group <--> Auth. object.
Also Auth. Object <--> Role.
but still there is a fine link missing between Auth Group <--> Role.
For Eg: Auth Object S_TABU_DIS will be associated to all Auth. Groups but assigned to only limited roles.
I tried to debug the SUIM transaction multiple times but couldn't find the tables to find the link and not able to find the FM's.
if anybody have any idea to find that link between Auth. Group & Role then it will be helpful....
Giri -
Re: Transporting Authorization Groups From QA To PROD
All,
We have some custom Authorization groups tied to custom tables on QA(testing) and the same custom tables exist on PROD(production) too but without the custom auth groups.
Is there a way to transport just the custom authorization groups from QA to PROD. Any pointers on this would be appreciated.
Thanks
-MuraliHi Murali,
Please do the following:
1. Call SE11.
2. Put whatever Z table name and change.
3. On menu 'Utilities' --> 'Table maintenance generator'.
4. On menu 'Environment' --> 'Authorization' --> 'Authorization groups'.
5. Click on the auth group that would be transported.
6. On menu 'Table view' --> 'Transport'. Then save the transport.
7. Click 'Include in request'. Then you will get a message 'Entry flagged for ......" on bottom-left of the screen.
8. Save the change.
9. Click 'Back' until out of SE11.
If you check the transport request, you will see some entries in table TBRG and TBRGT: <client>S_TABU_DIS<authgrp>, <client>1S_TABU_DIS<authgrp> and <client>ES_TABU_DIS<authgrp>.
Hope it helps.
Regards,
Agoes -
Association of authorization group with authorization object
Dear Colleagues,
We are using ECC 6.0 system. There is a transaction EMMAC2 where in the user would pick the case categories & view/make changes as required in the cases.
However, we would like to have a user to pick only those case categories for which he/she is authorized & view/change the data.
This EMMAC2 is controlled by authorization object B_EMMA_CAS & this authorization object has field BRGRU (Authorization Group) along with ACTVT (activity).
We would like to control this via authorization groups
We would like to create authorizations groups based on case categories & those authorization groups would be assigned in this BRGRU field.
Meaning, the end result should be such that, when that new authorization group is added in BRGRU field & that role is assigned to an end user, the user should be able to see data only for those case categories for which the new authorization group has been created
If I use SE54 to create authorization group, it automatically associates itself with authorization object S_TABU_DIS & this does not solve my purpose.
But we would like to create a new authorization group & associate it with authorization object B_EMMA_CAS.
Can someone please let me know the steps on how to achieve it or any other method to achieve it(for above underlined text)?
Does a developer or functional consultant also need to be involved in this?
PS: I tried to search in Google & our forums but could not get any answersDear Aninda,
Thanks for the help.
I created an auth group via SE16 in table TBRG & associated to B_EMMA_CAS
A case category was then assigned to this auth group
We tested it - below are the results:-
1. The user is allowed to 'change' and 'display' the case for the case category for which the user is authorized: this works as per requirement.
2. The user is not allowed to 'change' case for the case category for which the user is not authorized: this works as per requirement.
3. However, he is able to 'display' cases for the case category for which the user is not authorized: this we do not want.
If I remove activty 03 (display), then the user is unable to display the case for the case category for which the user is authorized.
How to resolve this? -
Hi all,
Can anyone tell me what is authorization group? I always come across this when I am inside pfcg and look into the authorization object.
I know that authorization object groups authorization fields together. And authorization is an instance of authorization object. But how does authorization group fit into this model?
I have read parts of the help manual that mention auth. group is used to manage Z tables, but they never mention the above relationship.
Thanks.HI Jockey,
The access protection system must ensure that only authorized individuals have access to the system and to particular data. For achieving precise application security concerning authorization and to protect confidential data against unauthorized access it is very important to focus on the use of authorization groups.
The authorization group allows extended authorization protection for particular objects. The authorization groups are freely definable. They usually occur in authorization objects together with an activity.
The table that contains all authorization objects is TOBJ.
The table that contains all activities is TACT.
The table that contains definition of all authorization groups is TBRG.
TBRG -- Contains all authorization groups and gives information about relation between authorization object and authorization group. The description of the authorization groups is defined in table TBRGT.
The field name for authorization group -- BRGRU -- is used to make additional restrictions on authorizations /e.g. for document maintenance/. In authorization objects and authorization checks, there are fields which are checked to verify user authorizations. Customizing objects are combined in authorization groups, and the authorization group is one of the two authorization fields, for example, in authorization object S_TABU_DIS which is in the object class BC_A (Basis - Administration). This object is for displaying or maintaining tables. It controls access using the standard table maintenance tool (transaction SM31), enhanced table maintenance (SM30) or the Data Browser (SE16), including access in Customizing.
Authorization object S_TABU_DIS has the following fields: DICBERCLS - Authorization group, maximum field length is four characters; and ACTVT - Activity (02: Add, change or delete table entries, 03: Only display table contents).
Generally, SAP standard tables are assigned to authorization groups. These assignments can be changed. You can then assign tables manually to a suitable authorization group. To do this, start Transaction SM30 for maintenance view V_DDAT, and create an entry for each of these tables. In V_DDAT is stored the assignment of Tables/Views to Authorization Groups. V_DDAT is cross-client; therefore, it can be viewed and used in all clients.
Note: If you don't make a selection, all tables maintained in Customizing transactions are assigned to authorization groups.
Check these links too..
http://help.sap.com/saphelp_crm50/helpdata/en/52/671285439b11d1896f0000e8322d00/frameset.htm
http://help.sap.com/saphelp_nw04s/helpdata/en/52/67129f439b11d1896f0000e8322d00/frameset.htm
http://www.sap4.com/contentid-39.html
Thanks,
Susmitha
Dont forget to reward points for useful answers.
Message was edited by: Susmitha Thomas -
Assign posting periods to authorization group in tcode S_ARL_87003642
Hello,
I want to restrict posting periods for some users. Therefore, I have created 2 functions associated to 2 authorization groups.
In transaction S_ARL_87003642, when I try to assign different posting periods to each authorization group to the same company code (Posting Period Variant) it appears a message saying u2018Target key must be different from source keyu2019.
What am I doing wrong? Do you know how can I restrict posting periods for some users?
Thanks and regards
Ana RitaDear,
You simply have to define authorisation groups in OB52 and assign this group to F_bkpf_bup in SU01 against user proflie as desired. Take basis help.
Regards -
Authorization Group for G/L Account
Hi,
What?
- I wish to restrict the 'posting' of a G/L account to be done by certain users only
How?
- What I have done was...
a) From FS00, I have added a free-text (BANK) into the Authorization Group for a G/L account
b) From PFCG, a new role was created to allow these 2 Authorization Objects, F_BKPF_BES and F_SKA1_BES
c) 'BANK' was entered for the Authorization Group for both these 2 Authorization Objects
d) From there, I have assigned this new role to the user that I wish to allow Posting of the G/L account
Problem?
- Other users still can do Posting for this G/L account
- Any steps which I have missed out here or done wrongly?
Thanks,
BrandonHi,
Some other roles of the users may override and cause the users to post against this GL account.
Check all the roles relevant for the restricted users.
Use SUIM t-code to find if the auth object mentioned above is included in any other role.
If it be, restrict that again.
Generally if one role as no restriction against this auth and not all, this issue tends to happen.
Regards,
Sridevi -
Restrict Vendor line items display by Vendor authorization group
Hi Gurus,
I have a requirement to restrict Vendor line item diplay for Tcode FBL1N, I have updated the Authorization object F_LFA1_BEK, its work fine if all the vendors have authorization, However it also display vendors whose auth. group is "BLANK" or "SAPCE",
Is there a way that I can slove this issue, is there any SAP notes of other object which needs to be updated ?Hi,
this problem has been discussed on this forum last week. Basically, SAP does not perform authorization check if the authorization group is blank. Hence you need to assign authorization object to all vendors.
Cheers -
Hi,
I have a role that has the authorization group in the authorization objects F_BKPF_BES , F_SKA1_BES updated only with 'AUTH' but the same role is also able to access GL accounts with authorization group 'REST'.
I want to restrict the role to access GL Accounts only with authorization group 'AUTH'.
How to do it.Kindly advise.
Thanks.GL account Authorization
Re: How to create authorization groups for G/L Accounting
Thanks
Javed -
Authorization group in GL A/C using FB01
HI, We have activated the authorization Group in GL A/c. Using the authorization object F_BKPF_BES we were able to create restrictions on other tcodes like F-28 . However when using the u201CFB01u201D tcode, the authorization check does not have any effect. I have already check the authorization in SU24 for fb01 and status is set to YES. I have also created a trace(using ST01) for this transaction but ST01 does not show any authorization trace for F_BKPF_BES.
Hello,
Authorization object:F_BKPF_BES should be checked when you run FB01.
In your case,please try to check the following points:
1.Authrization group was assigend to G/.L master data correctly.
2.Authrization group was assigend to object:F_BKPF_BES correctly.
3.Avtivity was defined in this object correctly.
4.Role was assgined to user correctly.
5.SAP_ALL authorization was deleted from the user profile.
Note: it is impossible to define the authorization group as ' '(space) in object:F_BKPF_BES,
if ' ' was defined, system will consider there are no any setting existed.
Hope the above infor. could help you to solve this issue.
Best Regards, -
Customer Master Data and Line Items Balances Display - Authorization Group
One autorization group was created and assigned to some customer masters in General, Company Code and Sales Area's.
User is restricted to one authorization group. When executing FBL5N, all customer balances are displayed i.e. including blank authorization group customer. It is not restricted to authorization group customer! Why?Kindly check the authorization objects assigned in the user profile. You may ask your basis to help you with the authorization.
Maybe you are looking for
-
Line item Shipping data missing in STO
Hi, I am making an STO ( same company code ). I have added 4 line items in the STO. For three line items, everything is ok. But when I added the fourth line item , the system gives an information message that sales org data and shipping data could no
-
CONNE_IMPORT_WRONG_FIELD_TYPE with exception CX_SY_IMPORT_MISMATCH_ERROR
Hi, I'm implementing IS-Retail in our landscape. After the EhP4 update I've activated the SAP retail framework and when I'm trying to execute the program RSBRAN03 to change the short text after importing the latest update as per the nore 897714, I'm
-
Hi Expert, As you might aware about the SAP's new product Nakisa. i am going to implement Nakisa. this is something very new for me. can some one guide me and share me for end to end implementation. what are the major things need to take care of in O
-
I keep getting this error message: Time Machine could not complete the backup. 'The backup disk image "/Volumes/FreeAgent Drive/xxx MacBook Pro.sparsebundle" is already in use. How do I remedy this so it starts backing up again?
-
Facade design pattern example?
Can someone point me to a LabVIEW example of this OOP design? I am learning OOP in LabVIEW and my task is to create an example program using the facade design pattern. I can't find an example to study. Solved! Go to Solution.