Filter Document Type based on Authorization Object

Similar Messages

• Role creation and authorization objects in sap

  Hi
  i want to know the full relationship between  creation of roles , authorization objects ,authorizations in web as abap
  Please explain the process in detail the use of PFCG and all its options and how to create Z roles

  Although, It would be a very long document to explain the query, I have briefed you on the concept. I hope it leads you well.
  - Roles are nothing but a container for authorizations. A role represents a specific part of an employeeu2019s job.
  - The R/3 authorization concept permits the assignment of either general and/or finely detailed user authorizations. These assignments can reach down to transactions, field and field value level.
  For e.g. If a user wants to create a PO we can restrict him on:
  u2022     Activity : Create/Change/Display
  u2022     Org elements like Company Code, Plant, Purchase Organization etc
  u2022     Document type etc.
  - Authorization objects are grouped in an object class such as Materials Management: Master Data (MM_G). Each Object Class may have several authorization objects and within each object we can have several authorizations (max. up to 99).
  - Fields :The permissible values for the fields constitute the authorization. For e.g. ACTVT (Activity) is a field with permissible values of 01 (Create), 02 (Change) & (03 Display) for the object M_MATE_CHG (Material Master: Batches/Trading Units). Value * for field BEGRU signifies all possible values.
  - An authorization allows you to carry out an R/3 task based on a set of field values in an authorization object. By themselves authorizations do not exist and they only have a meaning inside a profile
  - Authorizations are contained within profiles and these profiles are assigned to users manually or automatically via role assignment. When you assign the field values for all the authorization objects and save system will auto generate a profile name.
  - Authorization check are included in the transactions source code in standard SAP R/3.A user may carry out an action if the authorization check is successful for each field in the object.
  Edited by: Subramaniam Iyer on Nov 27, 2008 12:08 PM

• Restrict the user   based on document type on migo transaction-prepare GRN

  Hi,
  We are running ECC6.0 R/3 system.We had a requirement as follows
  In MIGO transaction , we want to restrict the user on document type i.e. we want that a particular user can  prepare GRN for document type  STO only. He cannot prepare GRN for other document type.
  We checked  SU24->maintain check indicators for transaction codes->enter migo->execute->check indicator.This returned us the authorisation objects present in Migo transaction.We checked the help of all these objects,but none of them we found suitable for above mentioned requirement.We were planning to find out the proper authorisation object to add to Profile generater.
  The following is the objects which we have checked for.
  A_B_ANLKL-->     Asset Postings: Company Code/Asset Class
  A_B_BWART-->     Asset Postings: Asset Class/Transaction Type
  B_USERSTAT-->     Status Management: Set/Delete User Status
  B_USERST_T-->     Status Management: Set/Delete User Status using Process
  C_AFKO_AWK-->     CIM: Plant for order type of order
  C_CACL_DSG-->     Interface Design
  C_DRAW_BGR-->     Authorization for authorization groups
  C_DRAW_DOK-->     Authorization for document access
  C_DRAW_TCD-->     Authorization for document activities
  C_DRAW_TCS-->     Status-Dependent Authorizations for Documents
  C_KLAH_BKP-->     Authorization for Class Maintenance
  C_STUE_BER-->     CS BOM Authorizations
  C_STUE_WRK-->     CS BOM Plant (Plant Assignments)
  C_TCLA_BKA-->     Authorization for Class Types
  C_TCLS_BER-->     Authorization for Org. Areas in Classification System
  C_TCLS_MNT-->     Authorization for Characteristics of Org. Area
  F_BKPF_BUK-->     Accounting Document: Authorization for Company Codes
  F_BKPF_BUP-->     Accounting Document: Authorization for Posting Periods
  F_BKPF_KOA-->     Accounting Document: Authorization for Account Types
  F_FICA_FOG-->     Funds Management: authorization group of fund
  F_FICA_FSG-->     Funds Management: authorization group for the funds center
  F_FICB_FKR-->     Cash Budget Management/Funds Management FM Area
  F_KNA1_APP-->     Customer: Application Authorization
  F_LFA1_APP-->     Vendor: Application Authorization
  F_SKA1_BUK-->     G/L Account: Authorization for Company Codes
  G_GLTP  -->       Spec. Purpose Ledger Database (Ledger, Record Type, 
                                 Version)
  J_1IDEP_SL-->     Authorization object for depot sale transaction
  J_1IEXC_OT-->     Authorization object for Other Excise Invoice Create
  J_1IEX_PST-->     Autorization object for posting Other Excise invoice
  J_1IGRPT1-->     Auth. for PART1 at GR
  J_1IINEX  -->            Incoming Excise Invoice
  J_1IRG23D-->     Authorisation object for Depo Transactions
  K_CCA-->                     CO-CCA:  Gen. Authorization Object for Cost Center 
                                  Accounting
  K_CSKS     -->                CO-CCA:  Cost Center Master
  K_CSKS_SET-->     CO-CCA: Cost Center Groups
  K_PCA-->                    EC-PCA: Responsibility Area, Profit Center
  L_TCODE-->                    Transaction Codes in the Warehouse Management System
  M_ANFR_BSA-->     Document Type in RFQ
  M_ANFR_EKG-->     Purchasing Group in RFQ
  M_ANFR_EKO-->     Purchasing Organization in RFQ
  M_ANFR_WRK-->     Plant in RFQ
  M_BEST_BSA-->     Document Type in Purchase Order
  M_BEST_EKG-->     Purchasing Group in Purchase Order
  M_BEST_EKO-->     Purchasing Organization in Purchase Order
  M_BEST_WRK-->     Plant in Purchase Order
  M_MATE_CHG-->     Material Master: Batches/Trading Units
  M_MATE_STA-->     Material Master: Maintenance Statuses
  M_MATE_WRK-->     Material Master: Plants
  M_MRES_BWA-->     Reservations: Movement Type
  M_MRES_WWA-->     Reservations: Plant
  M_MSEG_BMB     -->Material Documents: Movement Type
  M_MSEG_BWA-->     Goods Movements: Movement Type
  M_MSEG_BWE-->     Goods Receipt for Purchase Order: Movement Type
  M_MSEG_BWF-->     Goods Receipt for Production Order: Movement Type
  M_MSEG_LGO-->     Goods Movements: Storage Location
  M_MSEG_WMB-->     Material Documents: Plant
  M_MSEG_WWA-->     Goods Movements: Plant
  M_MSEG_WWE-->     Goods Receipt for Purchase Order: Plant
  M_MSEG_WWF-->     Goods Receipt for Production Order: Plant
  M_RAHM_BSA-->     Document Type in Outline Agreement
  M_RAHM_EKG-->     Purchasing Group in Outline Agreement
  M_RAHM_EKO-->     Purchasing Organization in Outline Agreement
  M_RAHM_WRK-->     Plant in Outline Agreement
  Q_TCODE     QM -->         Transaction Authorization
  S_ADMI_FCD-->     System Authorizations
  S_ALV_LAYO-->     ALV Standard Layout
  S_BDS_DS-->     BC-SRV-KPR-BDS: Authorizations for Document Set
  S_BTCH_ADM-->     Background Processing: Background Administrator
  S_BTCH_JOB-->     Background Processing: Operations on Background Jobs
  S_CTS_ADMI-->     Administration Functions in Change and Transport System
  S_DATASET-->     Authorization for file access
  S_DEVELOP-->     ABAP Workbench
  S_DOKU_AUT-->     SE61 Documentation Maintenance Authorization
  S_GUI-->                     Authorization for GUI activities
  S_OC_DOC-->     SAPoffice: Authorization for an Activity with Documents
  S_OC_ROLE-->     SAPoffice: Office User Attribute
  S_OC_SEND-->     Authorization Object for Sending
  S_PACKSTRU-->     Internal SAP Use: Package Structure
  S_PRO_AUTH-->     IMG: New authorizations for projects
  S_RFC-->                     Authorization Check for RFC Access
  S_SCD0     -->                Change documents
  S_SPO_DEV-->     Spool: Device authorizations
  S_TABU_DIS-->     Table Maintenance (via standard tools such as SM30)
  S_TCODE     -->                Transaction Code Check at Transaction Start
  S_TRANSLAT-->     Translation environment authorization object
  S_TRANSPRT-->     Transport Organizer
  S_WFAR_OBJ-->     ArchiveLink: Authorizations for access to documents
  V_LIKP_VST-->Delivery: Authorization for Shipping Points
  V_VBAK_AAT-->Sales Document: Authorization for Sales Document Types
  V_VBAK_VKO-->Sales Document: Authorization for Sales Areas

  Have you executed a trace while a functional user executes the transaction code for the specific parameters? (i.e. document type). The trace will then show which objects are being checked; then look at the object documentation in txn Su21 to determine if there are any ways to restrict on the particular value; in some cases, if the authorization group field is being checked, additional configuration is needed in order to implement the security (Su21 will explain in detail for the particular object).

• Document Type - Object link to be made mandatory

  hi All,
  We are having a requirement that - For a particular 'Document Type' Object link shall be made mandatory.
  Ex: For Doc. Type: ABC - 'Sales Document - Item' is MANDATORY
        For Doc. Type: XYZ - 'WBS Element' as Object link is MANDATORY
  How do I achieve this?. Pl. advise.
  -thanks

  Hi ,
  In DC10 define document type and assign sap object links . To make fields as mandatory its an risky in DMS customization it will effect on other sap object links like BOM item,BOM header. why beacuse for an BOM item you cannot assign values directly on CV02N.So that you need to create DIR  first and than assign BOM item from user t-code . 
  Regards,
  chandu.

• Number range based on different business area for same document type

  Hi All,
  The scenario is my client wants to give the different number range for a particular document type based on different business area.
  Is there any user exit by which I can restrict the same.
  Regards,
  Meenakshi

  Hello,
  Document number ranges are created per company code and fiscal year. You cannot create / restrict the document number ranges per business area.
  Business areas a independent of all organizational values, they cut across all company codes.
  Regards,
  Ravi

• Authorization Object for using Object Services

  Can you tell me how to limit a users authorization to create or delete attachements using the object services functionality?  We'd like to control the addition and deletion of the attachments.  Is there a specific authorization object for this functionality?
  Thank you, Julie

  Hi julie;
  I hope that following are the solution for you problem. Check wheather this is helpful to you or not.
  Authorization Object C_DRAW_BGR (Authorization Group)
  The following table shows authorization object C_DRAW_BGR. This authorization object allows you to limit access to individual documents.
  Fields      Possible Values      Description
  BEGRU (Authorization group)      0000 - ZZZZ      Used to restrict the authorizations for document maintenance further.
  Authorization object C_DRAW_BGR can be used to restrict access to individual documents. It works like a simple on/off switch. If the check of object C_DRAW_BGR is fine, the user's authorization can be further restricted by checking C_DRAW_TCD (check only based on the document type) or C_DRAW_TCS (check of the
  combination of document type and status). At the fifth level there is a BADI called DOCUMENT_AUTH01, which you can use to design your own authority check.
  Authorization Object C_DRAW_DOK (Document Access)
  The following table shows authorization object C_DRAW_DOK. This authorization object controls which original data of a specific document type there are access authorizations for.
  Fields      Possible Values      Description
  ACTVT (Activity)      52 53 54 55 56 57      Change application start Display application start Display archive application Change archive application Display archive Store archive
  DOKAR (Document type)            Here you enter the document type that access to original data is allowed for.
  Authorization Object C_DRAD_OBJ (Object Link)
  The following table shows authorization object C_DRAD_OBJ. This object controls which users can process which document info records, based on a combination of activity, object, and status.
  Fields      Possible Values      Description
  ACTVT (Activity)      01 02 03 06      Create Change Display Delete
  DOKOB (Object)            You must enter the data base table for the objects here (for example, MARA for material record).
  STATUS (Document status)
  if useful rewards points.           
  Regards,
  nitin
  Edited by: nitin bhagat on Feb 18, 2008 6:23 AM

• Query on  authorization object

  Hi,
          I need to create one authorization object which contain only one field as sy-uname.
  I carry out the following stapes:
  1. I went to SU21
  2. Create a class
  3. create a authorization object
  4. Add a field sy-uname in the field
  Now , my query is that,
  1. is it allowed to add sy-uname in there in the field or i have to put just 'uname' there. or what??
  2. Is there any other steps required after adding the field in the authorization object
  3. Do any one has some document on how these authorization object work execpt the F1 help on the 'AUTHORITY-CHECK' in the editor???

  Hi
  In general different users will be given different authorizations based on their role in the orgn.
  We create ROLES and assign the Authorization and TCODES for that role, so only that user can have access to those T Codes.
  USe SUIM and SU21 T codes for this.
  Much of the data in an R/3 system has to be protected so that unauthorized users cannot access it. Therefore the appropriate authorization is required before a user can carry out certain actions in the system. When you log on to the R/3 system, the system checks in the user master record to see which transactions you are authorized to use. An authorization check is implemented for every sensitive transaction.
  If you wish to protect a transaction that you have programmed yourself, then you must implement an authorization check.
  This means you have to allocate an authorization object in the definition of the transaction.
  For example:
  program an AUTHORITY-CHECK.
  AUTHORITY-CHECK OBJECT <authorization object>
  ID <authority field 1> FIELD <field value 1>.
  ID <authority field 2> FIELD <field value 2>.
  ID <authority-field n> FIELD <field value n>.
  The OBJECT parameter specifies the authorization object.
  The ID parameter specifies an authorization field (in the authorization object).
  The FIELD parameter specifies a value for the authorization field.
  The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.
  http://help.sap.com/saphelp_nw04s/helpdata/en/52/67167f439b11d1896f0000e8322d00/content.htm
  To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.
  Authorization : An authorization enables you to perform a particular activity in the SAP System, based on a set of authorization object field values.
  You program the authorization check using the ABAP statement AUTHORITY-CHECK.
  AUTHORITY-CHECK OBJECT 'S_TRVL_BKS'
  ID 'ACTVT' FIELD '02'
  ID 'CUSTTYPE' FIELD 'B'.
  IF SY-SUBRC <> 0.
  MESSAGE E...
  ENDIF.
  'S_TRVL_BKS' is a auth. object
  ID 'ACTVT' FIELD '02' in place 2 you can put 1,2, 3 for change create or display.
  The AUTHORITY-CHECK checks whether a user has the appropriate authorization to execute a particular activity.
  This Authorization concept is somewhat linked with BASIS people.
  As a developer you may not have access to access to SU21 Transaction where you have to define, authorizations, Objects and for nthat object you assign fields and values. Another Tcode is PFCG where you can assign these authrization objects and TCodes for a  profile and that profile in turn attached to a particular user.
  Take the help of the basis Guy and create and use.
  Reward points if useful
  Regards
  Anji

• Grant Master field group control based on authorization - hide fields

  Hi,
  The Grant Master field group control settings are based on grant type settings. So you can hide fields and tabs etc based on the grant's lifecycle status.
  Does anyone know if this can be configured based on authorization objects / authorization roles?
  We wish certain fields to be hidden in all life cycle statuses for all general users, but for central finance users we wish those fields to be visible.
  There is a customizing transaction GMS103 in the SPRO/IMG path
  IMG > Public Sector Management > Grants Management > Grantee Management > Master Data > Grant > GM Grant Control : Field group for Authorizations
  The documentation for this transaction says:
  GM Grant Control: Field Group for Authorizations
  It is possible to group fields together for authorization purposes. Use this step to specify such groups in Grants Management (GM).
  Standard settings
  We deliver the groups you can enter here, as standard.
  Activities
  Choose New Entries and enter the ID for the group you want to add. When you save, the system displays the longer description for the group.
  Further notes
  Authorization to a group allows access to all the fields in the group for users with the appropriate authorization. Only allow access to those you know need it for the whole group.
  This table is empty on our system. Has anyone used this part of the customizing and can they let me know how it links into the basis roles / authorizations etc.
  Thanks
  Paul Abrahamson

  I found this authorization object F_GMGT_FDG
  The documentation for the authorization object states:
  Definition
  With this authorization object, you can define authorizations for individual field groups in grants management maintenance. You thereby define which fields in grant master maintenance can be maintained or viewed by a user.
  Notes
  This authorization is optional. You do not have to assign authorization if there are no field groups that require special protection and consequently no field groups requiring authorization were defined in Customizing.
  Defined fields
  The object consists of the fields "Field group" and "Activity":
  Field group
  Here you define which field groups require authorization.
  Activity
  Here you define which activities are permitted:
  02 = Change
  03 = Display
  * = All activities
  Procedure
  Proceed as follows if you want to use this authorization:
  1. Determine the field groups of the fields that you want to protect.
  2. In Customizing, define that these field groups require authorization.
  3. For each field group, define the authorization that you wish to assign to selected users.
  4. Assign this authorization using the corresponding profile.
  I'll try this out and update this message again later

• Adding document type

  dear all,
  I have a requirement ,In S_ALR_87012271 report i want to filter the values based on document type , but there is not characteristic
  in available characterstics of the field .
  path,
  go to fsi2 -select the report of  above tcode double click on it .go  to display icon
  now double click on any one of the 'item'.we will get a popup.
  now in that popup i want to add one more field  in 'available characteristics' ie document type ,
  based on document type also i want to filter the data.
  kindly guide me.
  regards,
  padmaja.

  Hello Friend,
  Select on the pop-up screen and press F1
  you will able to see the screen no and program..
  check that screen and you will be able to see it is using ALV / Table control..
  and add the code for extra column
  Hope it will help you..
  Rgrds
  Krish

• Authorisation combined with document type, activity and status

  I want to create a role for a user who is only allowed to create and change document type ZDI  in status IW .
  Which object authorization can provided this check ?
  The object authorization C_DRAW_TCD  control only the activity (create/modify) and the document type (ZDI).
  The object authorization C_DRAW_STA control only  the document type (ZDI) and the status of the document (IW).
  But I need the combination of the both authorization. Does a possibility exist in standard to do it without create a client new authorisation?
  Thanks in advance for your help.
  Amande

  Thanks for your response.
  But it doesn't works as I want.
  The object authorisation C_DRAW_TCS  is checked before the save but not after save with the changed values.
  for example :
  the user has the following authorizations in the modification role:
    C_DRAW_TCS  activity 02 document type ZDI  document status IW 
    C_DRAW_TCD document type ZDI  activity 02
    C_DRAW_STA document type ZDI status IW
  The user has also the autorisation C_DRAW_STA document type ZDI status FI  in the display role
  With this configuration the user can modify the document ZDI in status IW and change the status into FI . I don't want that the user can change the status into FI. Does exist a possibility to avoid this?
  Of course, after storing this change of the status , the user can't access to the document ZDI with status FI.
  SAP doesn't check the authorization C_DRAW_TCS  activity 02 document type ZDI  document status FI  after status change.
  Thanks in advance
  Amande

• Document type during Goods Receipt in Intercompany Transfer flow

  Hi,
  We create a PO, Delivery and GI in company A
  We do a Goods Receipt in company B.
  Can we customize that FI document type  ZZ is used during Goods Receipt in company B?
  Document type ZZ may only be used in the Intercompany flow.
  Where can I customize this setting?
  Thank you in advance,
  Best regards,
  Eric van Zundert.

  Hi,
    The following are the standard steps to create an accounting document type and assign it to a transaction.
  1) In T-code OBF4, click on "Financial accounting document types" and create a new document type.
  2)On the same T-code, Click on "Goods receipt document type" and assign the document type to the transaction.
  3)On the same T-code, Click on "Financial accounting No range" and assign the number range for each document type based on company code and fiscal year.
  Thanks and Regards,
  Maheshwari

• Document Type: Purchase Order

  Dear All,
  We have configured the following Document Type:
  NB - Standard PO
  UB - Stock transport ord.
  ZIMP - Import PO
  While creating the Purchase Order (ME21N), all these three Document Types are visible to all the Users for Transaction across all Plants/ Company Code.
  Is there is any possibility where in we can restrict the Display based on the Plants?
  For example, we want the Users of Plant 1002 to use the UB - Stock transport ord. Type.
  It does not sound good, yet for clarification, I am putting my doubt across u.
  Is the Document Type Configuraion anywhere related with Plant?
  Thanks & Regards,
  P K Karn

  Hi,
  I think there is not such configuration available to default the PO document type based on the Plant.
  The only solution for this is to use default document type at the PO header level.
  Hope this helps you.
  Cheers
  Umakanth...

• Maintain payment Terms according to PO Document Types

  Hi,
  We want to maintain Payment Terms according to PO Doc. type. Now in our system PO have disable Payment Terms.
  But we have a requirement that for 1 Doc. Type they should be changeable.
  How it is possible???

  Hi,
  Document type concept is used to differentiate the differentiate procurement processes like example:
  YNB: For Standard procurement
  YIMP: For Import
  YSUB: For Sub Contracting
  YSER: For Service
  A company may have 10 payment terms and one should not use document type based on payment term. Payment term is maintained in vendor master and from vendor master payment tem flow to purchase order.
  For each payment term, if one creates document type, then imagine how many document types will be created to meet business process requirement. Consultant should think & simplify business with proper designing for uses of minimum document types for procurement processes.
  Regards,
  Biju K

• How to add authorization field to a standard authorization object

  Hi All,
  I'm trying to limit user to can only create & change X type of order type in PM module. This can be fullfill by creating suer with assigned role with only allow X type of order type.
  But when I assigned a display role which has authorization to display all order type (maintained as authorization object), now my user can create and change all order type.
  How to limit user to can only create & change X order type and only display the rest of order type?
  I assume by adding authorization field: AUFART(order type) in authorization object: I_TCODE will solve the problem, is it right? and is it possible to do that?
  regards,
  Andre

  Hi,
  your assumption is incorrect. First of all, adding a new field to standard authorization object is a bad idea. You would have to modify all checks for that object. For standard SAP object it means that you would have to modify many SAP programs.
  The authorization object I_TCODE is checked in PM transactions. It gives you authorization to run that transactions. That object can't be used to limit what you do in that transaction or what order type you can process. You are looking for some other authorization object(s). You need to go to SU24 which gives you what authorization objects are checked in particular transaction. It does not have to cover all objects but it's a good starting point.
  Cheers

• Multiple PO document types/transaction types in Extended Classic scenario

  Hi All,
  We are on SRM_SERVER 550, Extended Classic Scenario.
  We have a requirement where we need to create multiple PO document types (based on certain criteria).
  I have noticed that in standard, there are only 2 transaction types provided for SRM PO - ECPO and ECDP.
  We need more document types and these should be triggerred automatically after SC is approved.
  I understand that we need to maintain all the PO transaction types in SRM, number ranges in SRM then maintain the same transaction types as PO document types in R/3 and same number ranges in R/3.
  I also understand that the change for document type needs to be done in BBP_DOC_CHANGE_BADI.
  I have 2 specific questions:
  1. We need to maintain attribute BSA for the users. Here we need to mention the document type and source system. What should be the source system mained in attribute BSA for ECS? Should it be the SRM system or R/3 system?
  2. In BBP_DOC_CHANGE_BADI to change the PO document type/transaction type in ECS scenario, which field should be changed? Should it be ET_ITEM- BE_DOC_TYPE?
  Regards,
  Srivatsan

  Srivatsan,
  To create new transaction type:
  Supplier Relationship Management --> SRM Server --> Cross-Application Basic Settings --> Define Transaction Types
  To create new number range:
  Supplier Relationship Management --> SRM Server --> Cross-Application Basic Settings --> Number Ranges --> SRM Server Number Ranges --> Define Number Range for Local Purchase Orders
  You can define to create automatic PO when a SC was created in: Supplier Relationship Management --> SRM Server --> Sourcing --> Define Sourcing for Product Categories
  Rgs,
  Pedro Marques