Restricting Users based on GL Authorization Group

Gurus,
I have got a requirement from our finance consultant/team for restricting users from accessing particular GL accounts in a company code. There are some GL which users are not supposed to view.
We have created authorization group in FS00 -Control data , but we cannot see that group in object F_BKPF_BES(Account authorization for GL accounts).
Please help.
Regards

Hi,
Step1: Create Tolerance Groups
Step2: Assign Users to Tolerance Groups
Step3: Remove/Add T Codes in Users Master Data (T Code: SU01)
Thanks
Chandra

Similar Messages

  • Restrict users based on Customers

    Hi ,
    In ECC system, we have general requirements to restrict users based on customer account group where customer account group is represented as Site/Store.
    Possible values for Customer Account group -
    - Reference Store
    - Head Store
    - Wholly Owner Store etc.
    Till this point everything is fine. However, Client has few additional External Stores which are represented as one Dummy Site and Customers belonging to that store are actual external Stores.
    Example, we have additional Value for Customer Account Group -
    - Dummy Site
    And now all the Customers part of dummy site is actual stores and we are needed to drill down our restriction to this Customer (So called Stores).
    To restrict used based on customer account group/Stores, we can utilize F_KNA1_GRP with filed KTOKD (Customer Account Group). However, is it possible to create roles based on individual customers of these Stores?
    If yes, how can we do that? 
    P.S. I had a look at authorization object F_KNA1_BED with filed BRGRU. Can this object help us in fulfilling our requirement? Or there is any other SAP provided authorization object which can help us to restrict on Customer values?
    Thanks,
    Sheenam

    You could use F_KNA1_BED, I guess - but that would mean excessive maintenance of both: BEGRU and customers, if I understood your scenario correctly and you really, really want to break that down to single customers.
    It would be even more excessive to utilize F_KNA1_GRP. Can be done, though.
    Both solutions are completely un-elegant and I am not happy proposing them. But I am curious as a cat: what exactly is the business process expecting you to restrict access to customer data down to a single customer?
    Edited by: Mylène Dorias on Mar 24, 2010 8:39 AM

  • FD32 restrict users based on a schedule of authority

    All,
    I have a requirement within FD32 to restrict users based on a schedule of authority.  For example, only allowing credit limits to be changed in a user's authorized dollar range.  I was able to restrict the Credit Limit field (change/display) by using field groups, but I have an extension of the requirement for a schedule of authority.  Can someone please  help?


  • Populate the EmployeeID attribute of a user, based on their security group membership in Active Directory

    Hey guys, I need to create a script that assigns a value to the EmployeeID of every user that is a member of a particular AD security group.
    For example, there are the following groups - Accounting_01, Accounting_02, Accounting_03. The script has to read what members there are in these groups and assign to the people of Accounting_01 an EmployeeID of 01, to the people of Accounting_02 an EmployeeID of 02, and to the people of Accounting_03 an EmployeeID of 03.
    I have a script that adds a user to a security group, based on the value of a certain attribute, but not the other way around. Have you written such a script? Thanks in advance

    I haven't tried the code, because I don't have AD cmdlets.
    But I see some discrepancies between the documentation and your code.
    Looking at http://technet.microsoft.com/en-us/library/hh852287.aspx (Set-ADUser cmdlet) we can read for the -Replace<Hashtable> parameter: ... Use this parameter to replace one or more values of a property that cannot be modified using a cmdlet parameter ...
    But the OP referred to EmployeeID, which is a Set-ADUser cmdlet parameter (look for -EmployeeID), thus, cannot be used with -Replace<Hashtable> parameter (as per the documentation).
    Also, the documentation states for this same -Replace<Hashtable> parameter: ... To modify an object property, you must use the LDAP display name ...
    And the LDAP display name for EmployeeID is employeeID, and not employeeid as in your code (although I'm not sure if LDAP display name is case sensitive).
    As you say your code works correctly, I suspect that you created a new property named employeeid, which is not the same referenced by the parameter -EmployeeID.

    The documentation merely says that it can be used to modify attributes that do not have their own parameter. If they were to include a parameter for every AD attribute the list would be huge. It doesn't imply that -replace cannot be used instead of the defined parameters.
    I must admit that I didn't realise that -EmployeeID could be used as I didn't consult the documentation before I wrote the code but I can confirm that using the method I posted the employeeID attribute was modified. It didn't create a second attribute with different letter casing.

  • Restricting user based on Delivery Block in VA02

    Hi ,
    As per my business team I am supposed to restrict the user depending on delivery block in transaction VA02. There are no SAP pre-defined fields to restrict at delivery block level from PFCG. Please kindly help. Thanks in advance.

    Hi,
    Can you please assist, with the Issue below?
    1)     Tcode : VA02
    2)     I have created authorization Object for field level authorizations for
           Delivery Block -> LIFSK
           Billing Block  -> FAKSK
           Maintained Field Level SD Authorizations      ZV_FIELD
           Maintained Field Level SD Authorizations      T-ED49128000
               Activity                          02, 03  ACTVT
               Billing block in SD document      Z3      FAKSK
               Delivery block ( document heade   ZH      LIFSK
    3)     Now I want to restrict to a particular Delivery Block and  a Billing Block, but I am able to change to other  Delivery Block and Billing Blocks even though I have restricted to Z3 and ZH ( this case)

  • Is it possible to restrict user based on personal information workset ?

    Hi Experts,
    I have a requirement in which I need to allow other worksets in ESS to be accessed only if one workset "Personal Information" is completed.
    In this workset "Personal Information", there is an iView "Certify Own Data". In this iView there are a couple of checkboxes which need to be ticked and saved. These checkboxes will automatically be checked when the user enters required data in other related iViews such as "Address", "Family Details", "communications" etc.
    All I want to achieve is to allow the user only if he fills all his personal information and certifies his own data. After clicking on SAVE button only he would be able to access other worksets such as "Attendence".
    Please someone suggest me how to achieve this functionality. Do I need to develop a new application or can I achieve this functionality by just maintaining some kind of iView validation.
    Earlier response would be much appreciated.
    Thanks
    Uday

    you can do a badi validation
    BADI HRPAD00INFTYBL and HRPAD00INFTYDB for new framework of  infotype.
    Please refer the SAP Note 864910 BADI HRPAD00INFTYBL and HRPAD00INFTYDB
    But to control the workset would be difficult in standard, probably you can do a modification
    you can control services using proxy classes though

  • Determine if user belongs to Authorization Group.

    My requirement is I have a authorization group (BRGRU) and I need to check if the logged in user belongs to that authorization group. Is there any FM for this or a Database table where in I can get list of users belonging to a particular authorization group.

    Hi
    check the tables
    UST12
    AGR_1252
    and check the Tcode SU21
    see the doc about authorizations:
    In general different users will be given different authorizations based on their role in the orgn.
    We create ROLES and assign the Authorization and TCODES for that role, so only that user can have access to those T Codes.
    Use SUIM and SU21 T codes for this.
    Much of the data in an R/3 system has to be protected so that unauthorized users cannot access it. Therefore the appropriate authorization is required before a user can carry out certain actions in the system. When you log on to the R/3 system, the system checks in the user master record to see which transactions you are authorized to use. An authorization check is implemented for every sensitive transaction.
    If you wish to protect a transaction that you have programmed yourself, then you must implement an authorization check.
    This means you have to allocate an authorization object in the definition of the transaction.
    For example:
    program an AUTHORITY-CHECK.
    AUTHORITY-CHECK OBJECT <authorization object>
    ID <authority field 1> FIELD <field value 1>
    ID <authority field 2> FIELD <field value 2>
    ID <authority-field n> FIELD <field value n>.
    The OBJECT parameter specifies the authorization object.
    The ID parameter specifies an authorization field (in the authorization object).
    The FIELD parameter specifies a value for the authorization field.
    The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.
    http://help.sap.com/saphelp_nw04s/helpdata/en/52/67167f439b11d1896f0000e8322d00/content.htm
    To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.
    Authorization : An authorization enables you to perform a particular activity in the SAP System, based on a set of authorization object field values.
    You program the authorization check using the ABAP statement AUTHORITY-CHECK.
    AUTHORITY-CHECK OBJECT 'S_TRVL_BKS'
    ID 'ACTVT' FIELD '02'
    ID 'CUSTTYPE' FIELD 'B'.
    IF SY-SUBRC <> 0.
    MESSAGE E...
    ENDIF.
    'S_TRVL_BKS' is an auth. object
    ID 'ACTVT' FIELD '02' in place 2 you can put 1,2, 3 for change create or display.
    The AUTHORITY-CHECK checks whether a user has the appropriate authorization to execute a particular activity.
    This Authorization concept is somewhat linked with BASIS people.
    As a developer you may not have access to SU21 Transaction where you have to define authorizations, Objects and for that object you assign fields and values. Another Tcode is PFCG where you can assign these authorization objects and TCodes for a profile and that profile in turn attached to a particular user.
    Take the help of the basis Guy and create and use.
    Reward points if useful
    Regards
    Anji
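
As an added example (not part of the original thread), the question above, whether the logged-on user holds a given authorization group, can be answered at runtime with AUTHORITY-CHECK against the object that carries the group. The report name, the choice of object F_BKPF_BES and the default activity '03' are assumptions made for illustration.

```abap
REPORT z_brgru_check_example. " hypothetical report name (added example)

" Authorization group to test and the activity to test it with.
PARAMETERS: p_brgru TYPE c LENGTH 4 OBLIGATORY,
            p_actvt TYPE c LENGTH 2 DEFAULT '03'. " 03 = display

START-OF-SELECTION.

  " Strict check: the user needs one authorization for F_BKPF_BES that
  " covers BOTH the group and the activity.
  AUTHORITY-CHECK OBJECT 'F_BKPF_BES'
    ID 'BRGRU' FIELD p_brgru
    ID 'ACTVT' FIELD p_actvt.

  CASE sy-subrc.
    WHEN 0.
      WRITE: / sy-uname, 'is authorized for group', p_brgru,
               'with activity', p_actvt.
    WHEN 4.
      " The object is in the user master, but no authorization
      " covers this group/activity combination.
      WRITE: / sy-uname, 'has F_BKPF_BES but not for group', p_brgru.
    WHEN 12.
      " The object is not in the user master at all.
      WRITE: / sy-uname, 'has no authorization for F_BKPF_BES'.
    WHEN OTHERS.
      WRITE: / 'Unexpected return code from AUTHORITY-CHECK:', sy-subrc.
  ENDCASE.

  " Membership-style check: ignore the activity and ask only whether
  " the group appears in any of the user's authorizations.
  AUTHORITY-CHECK OBJECT 'F_BKPF_BES'
    ID 'BRGRU' FIELD p_brgru
    ID 'ACTVT' DUMMY.

  IF sy-subrc = 0.
    WRITE: / 'Group', p_brgru, 'is assigned to', sy-uname,
             'for at least one activity.'.
  ELSE.
    WRITE: / 'Group', p_brgru, 'is not assigned to', sy-uname.
  ENDIF.
```

Treating every non-zero return code as a denial keeps the check fail-closed; the CASE above only separates the codes for reporting.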

  • Restrict printers based on security groups

    We have set up all of our printers on a server and deployed them via group policy.  I am looking for a way to restrict printing based on which security group the user is in.  We have got it working by setting permissions in the printer security tab in the server.  But I would like a more elegant solution, since the printers that the user can't print to are greyed out with an X over the icon.  I would like to have the printer not even show up in the printer list if that user isn't allowed to print there.
    Is this possible?
    We are running Windows Server 2008 R2 and our clients are all Windows 7.
    Thank you.

    Hi,
    Based on your description, we can use Security Filtering to apply the printer deployment GPO polices to the specific groups.
    Regarding this point, the following articles can be referred to for more information.
    Security filtering using GPMC
    http://technet.microsoft.com/en-us/library/cc781988(v=WS.10).aspx
    Filter using security groups
    http://technet.microsoft.com/en-us/library/cc779291(v=WS.10).aspx
    Besides, we can choose to deploy printers via GPP and use Item-level Targeting to filter out users who don’t need the printers.
    Regarding this point, the following blog can be referred to for more information.
    Deploying Printers with Group Policy Preferences (Complete Guide)
    http://deployhappiness.com/deploying-printers-with-group-policy-preferences/
    Regarding Item-level Targeting, the following articles can be referred to for more information.
    Preference Item-Level Targeting
    http://technet.microsoft.com/en-us/library/cc733022.aspx
    Security Group Targeting
    http://technet.microsoft.com/en-us/library/cc772471.aspx
    Best regards,
    Frank Shen

  • Authorization group in Z-Table and user assignment

    Hello,
    I have created a Z table which stores sensitive data and have created a maintenance view. I want particular users only to have change access to this table through SM30 and for that I have created my own authorization group. Now my question is: How can I assign user names to this authorization group? How does it work? Is this through Role assignment to user profile? I don't have any basis support help for me for this task and hence trying to do it myself in sandbox system.
    Since this is not my domain step by step help will be appreciated.
    Thanks.
    Agasti..

    HI,
    useful link
    http://www.richardsantos.net/2009/03/16/sap-how-to-create-and-use-the-authorization-objects-in-abap/
    Thanks
    Sudheer

  • How to Restrict users to change password

    Hi All,
    I would like to restrict user to change password only a defined number of times in a day. Is it possible to do it through group policies?
    Please note I am already aware of "Minimum Password age" feature, however I do not want to use it as the minimum value that I can set here is 1 day. I would like to restrict users based on password reset threshold e.g. User can reset his password in a day only twice or thrice.
    Thanx & Regards,
    Wasim Parkar

    If you want to limit the user to have his/her password changed for a specific number of times every day, I have to say NO, that's not possible. PSO's, as others mentioned, can be used to have different password policies. Maybe you can set the msDS-MinimumPasswordAge
    to 00:04:00:00 which is equal to 4 hours. It means every 4 hours a user will be able to change his/her password. So in each day a user can change the password 6 times, since a day is 24 hours.
    Do not forget a day start from 00:00 AM up to 11:59 PM. So in a 9 to 5 job, a user may change the password 2-3 times.
    Hope it helps.
    Mahdi Tehrani Loves Powershell

  • Authorization Group

    Dear Friends,
    I know I can restrict two user "A" & "B"  who create DIR  " 1001" & "1002" respectively under same document Type say "DRW". Means they cannot display the DIR created by each other  by Authorization Object "C_SIGN_BGR".
    I have tried this and works perfect.
    But my question is can I maintain these Authorization Groups so that  when user enters any wrong Authorization group, it should not allow him to enter in Authorization Group Field.
    If I Maintain the setting in SPRO in DMS>Approvals>Define Authorization groups, will my maintained  values will be validated with the values I enter in Authorization Group field.
    Also I know the development mentioned under link.
    [https://wiki.sdn.sap.com/wiki/display/PLM/F4forAuthorization+group]
    But I want to avoid this development.
    Waiting for your reply.
    With warm Regards
    Mangesh

    Hi Mangesh,
    To achieve this I suggest you to Update domain BEGRU as mentioned in the link
    http://wiki.sdn.sap.com/wiki/display/PLM/UsingAuthorizationGroupfieldin+DMS
    values can be maintained in ztable
    You can also have search help for BEGRU, by adding search help in DRAW table for BEGRU.
    also go through post - Re: Authorization Group in CV01n Document Data tab
    Auth object C_DRAW_BGR has field value reference to data element BEGRU
    Regards
    Surjit

  • Authorization Group in T-Code: OB52

    Hi,
    I need to maintain 2 Auth. Group in T-Code: OB52, my requirement is below:
    for some users (nearly 25) needs to post the transaction in June Month and for some users (nearly 10) should have to post for selected GL in the month of June.
    So we decide to create two roles and assign the Auth Group in F_BKPF_BUP Auth. group. But I need to know whether the system will allow to assign two Auth. Group for one Company code (i.e., 2 Auth. Group and all common users)
    Please revert ASAP.
    Regards
    JS

    The help on AuGr field in OB52 is good.  Here it is
    Authorization Group
    The authorization group allows extended authorization protection for particular objects. The authorization groups are freely definable. The authorization groups usually occur in authorization objects together with an activity.
    Use
    A posting period can be made available to only a limited set of users using the authorization group.
    Procedure
    If only a limited set of users is to be able to post in a particular posting period, proceed as follows:
    Add the posting period authorization (authorization object F_BKPF_BUP) to the authorizations of the selected users. Assign an authorization group (e.g. '0001').
    Enter the account type '+' for the posting period variant to which the restriction is to apply. Enter the period(s) whose use is to be restricted in the first period, those which are available to all users in the second period, and the authorization group (e.g. '0001') in the last column.
    Examples
    A posting period can be successively restricted. If, e.g. 10 users have the posting period authorization with authorization group '0001', and 3 of these 10 users also with authorization group '0002'.
    If the period is only to be accessible to the 10 selected users the authorization group '0001' is entered in the posting period variant. Access can later be restricted to the remaining 3 users by entering '0002'.
    I guess your requirement can very well be met, as explained in the example above.  Also implement the following SAP Note to be able to assign the authorization group at document header level (account type '+') and at line item level in Transaction OB52.
    https://service.sap.com/sap/support/notes/891505
    Srikanth
    PS: I have seen in a reply above that AuGr controls only special periods, which is not a correct statement.  AuGr controls postings in the period specified in From per.1/Year To period/Year in OB52.

  • How can we restrict users from marking service orders as deleted

    Hi,
    Please guide me :
    Is it possible to restrict users (who are having authorization of marking service orders as deleted) from marking some service orders as deleted, if they have not created these service orders?
    In other words, requirement is : only the person creating the Service Order should be authorized to delete.
    Please guide.
    Thanks and Regards

    There are many BADI and EXITS available, you have to find the appropriate place to put your code.
    USER - EXITS
    CNEX0013  Order: Cust. enhancement: Default item category comp. assgmt
    CNEX0026  Customer enhancement for general inspection of material
    CNEX0027  Customer enhancement: Plant, storage loc. finding for comp.
    IWO10004  Maintenance order: Customer check for order completion
    IWO10005  Maintenance order: Cust.-specif. determination of profit ctr
    IWO10006  Maint. order: Fcode exclusion through cust. enhancement
    IWO10007  Maint.order: Customer enhancement - permits in the order
    IWO10008  Cust. enhancement: Determination of tax jurisdiction code
    IWO10009  PM Order: Customer Check for 'Save' Event
    IWO10010  Maint. order: Cust. enhancement for determining WBS element
    IWO10011  Maint. order: Customer enhancement for component selection
    IWO10015  Maintenance order: F4 Help for user fields on operation
    IWO10016  PM Order: Cust. enhancement to check operation user fields
    IWO10017  Determine external order number by customer logic
    IWO10018  Maintenance order: User fields on order header
    IWO10020  Maintenance order: Automatically include task list
    IWO10021  Automatic task list transfer when creating order from notif.
    IWO10022  Determine calendar from user exit
    IWO10023  Service order: Change header data for advance shipment doc.
    IWO10024  Service order: Changes to items for advance shipment
    IWO10025  PM/SM order: Finding responsible cost center
    IWO10029  Inclusion of bill of material in PM/SM order
    IWO10030  Preset Fields for Event Object
    IWO10031  Hide personnel number in PM/SM order
    BADI
    Name of a BAdI Definition
    ARC_PM_ORDER_CHECK
    ARC_PM_ORDER_DELETE
    ARC_PM_ORDER_PREPROCESSING
    ARC_PM_ORDER_WRITE
    ARC_PM_QMEL_CHECK
    ARC_PM_QMEL_DELETE
    ARC_PM_QMEL_PREPROCESS
    ARC_PM_QMEL_WRITE
    IWO1_ORDER_BADI
    IWO1_PREQ_BADI
    IWO1_SCREEN_MODIFY
    IWO1_TL_INTEGRATION
    IWO1_TL_INTEGRATION2
    Edited by: Manish  Bisht on Jul 11, 2009 9:27 AM
    Edited by: Manish  Bisht on Jul 11, 2009 9:28 AM

  • Check available authorization groups

    Hi ,
    if a custom table needs to be assigned to an authorization group in SAP.
    Which is the transaction to check users assigned to an authorization group?
    Currently I have an idea that Assigning and Creating authorization groups are dealt in SE54 but I cannot find a way to check whether users are assigned to an authorization group...!!!
    thanks
    kritika

    Checking Assignment of Authorization Groups to Tables:
    You can also assign authorization groups to tables to avoid users accessing tables using general access tools (such as transaction SE16). A user requires not only authorization to execute the tool, but must also have authorization to be permitted to access tables with the relevant group assignments. For this case, we deliver tables with predefined assignments to authorization groups. The assignments are defined in table TDDAT; the checked authorization object is S_TABU_DIS.
    You can assign a table to authorization group Z000. (Use transaction SM30 for table TDDAT) A user that wants to access this table must have authorization object S_TABU_DIS in his or her profile with the value Z000 in the field DICBERCLS (authorization group for ABAP Dictionary objects).
    See also:
    ·        SAP Notes 7642, 20534, 23342, 33154, and 67766
    ·        Documentation for RSCSAUTH
    Hope this helps.... if not check the following link
    If you still don't find, search google 'table authorization groups in sap' - There are good info on web.
    You can assign the authorization group to any custom table via SE11 - table - display - utilities - assign authorization group and rest follow the sap help (where to maintain and how to assign) .This is a developer and security persons work.
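
As an added example (not part of the original thread), the table-level check described above can be reproduced in a small report: read the table's authorization group from TDDAT, then test S_TABU_DIS with that value in DICBERCLS. The report name is hypothetical, and the fallback to group '&NC&' for tables with no TDDAT entry is stated from general SAP knowledge, not from this page.

```abap
REPORT z_table_authgroup_check. " hypothetical report name (added example)

PARAMETERS p_tab TYPE tddat-tabname OBLIGATORY. " table or view to inspect

DATA: lv_group  TYPE tddat-cclass, " authorization group assigned in TDDAT
      lv_change TYPE abap_bool.

START-OF-SELECTION.

  " Step 1: which authorization group protects this table?
  SELECT SINGLE cclass FROM tddat INTO lv_group
    WHERE tabname = p_tab.

  IF sy-subrc <> 0 OR lv_group IS INITIAL.
    " Assumption: unassigned tables are checked against group &NC&.
    lv_group = '&NC&'.
    WRITE: / p_tab, 'has no group in TDDAT, checking against &NC&'.
  ELSE.
    WRITE: / p_tab, 'is assigned to authorization group', lv_group.
  ENDIF.

  " Step 2: may the current user display tables of this group?
  AUTHORITY-CHECK OBJECT 'S_TABU_DIS'
    ID 'ACTVT'     FIELD '03'
    ID 'DICBERCLS' FIELD lv_group.

  IF sy-subrc <> 0.
    WRITE: / sy-uname, 'may NOT display tables in group', lv_group.
    RETURN. " fail closed: no point testing change access
  ENDIF.
  WRITE: / sy-uname, 'may display tables in group', lv_group.

  " Step 3: may the current user change them (e.g. through SM30)?
  AUTHORITY-CHECK OBJECT 'S_TABU_DIS'
    ID 'ACTVT'     FIELD '02'
    ID 'DICBERCLS' FIELD lv_group.

  IF sy-subrc = 0.
    lv_change = abap_true.
  ENDIF.

  IF lv_change = abap_true.
    WRITE: / sy-uname, 'may also change tables in group', lv_group.
  ELSE.
    WRITE: / sy-uname, 'has display-only access to group', lv_group.
  ENDIF.
```

Running it for a sensitive custom table shows at once whether the table still sits in the catch-all group, which is the usual reason a new Z table is readable by more users than intended.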

  • Could you restrict purchase orders based upon Vendor / Material Group?

    Hey everyone - I've got a general "could this be done" kind of question. 
    We would like to add on to the vendor purchasing view to include "valid" material groups.  This would then have what material groups could be purchased for which company code for that vendor.  Then in the purchase order creation / modification we would like to be able to validate this purchase order against this vendor / company code / material group combination.
    Obviously with enough custom code this could be done.  My question is whether it could be done without out introducing too much custom code - how would you construct such a solution to this problem?
    We are a SAP 4.7 shop.
    Thanks!   Ken Little

    >
    Ken Little wrote:
    > Hey everyone - I've got a general "could this be done" kind of question. 
    >
    > We would like to add on to the vendor purchasing view to include "valid" material groups.  This would then have what material groups could be purchased for which company code for that vendor.  Then in the purchase order creation / modification we would like to be able to validate this purchase order against this vendor / company code / material group combination.
    >
    > Obviously with enough custom code this could be done.  My question is whether it could be done without out introducing too much custom code - how would you construct such a solution to this problem?
    >
    > We are a SAP 4.7 shop.
    >
    > Thanks!   Ken Little
    By include "valid" material groups i think it means you are introducing a new field or some value in already existing field in vendor master.
    1) Now to restrict PO based upon material group a small custom code is needed.
        Use BAdI ME_PROCESS_PO_CUST....here write a code with help of your ABAP person that system will first select the 
        LIFNR (vendor code) entered in the PO...then it will check the same LIFNR in LFM1 table...here it will check the material
        group in the customized field & if found that it is within the list of previous listed material group then it will allow to process
        further or otherwise give a customized error message.
    or
    2) Use the field Group in OMSF...here maintain a common group against the material groups you want to do the purchase cycle.Now ask your BASIS person to use this group in carry out a specific activity, the user must have authorization for the combination of the activity and the authorization group.
    Regards,
    Indranil
