Restricting Users based on GL Authorization Group
Gurus,
I have got a requirement from our finance consultant/team for restricting users from accessing particular GL accounts in a company code. There are some GL which users are not supposed to view.
We have created an authorization group in FS00 - Control data, but we cannot see that group in object F_BKPF_BES (Account authorization for GL accounts).
Please help.
Regards
Hi,
Step1: Create Tolerance Groups
Step2: Assign Users to Tolerance Groups
Step3: Remove/Add T Codes in Users Master Data (T Code: SU01)
Thanks
Chandra
Similar Messages
-
Restrict users based on Customers
Hi ,
In ECC system, we have general requirements to restrict users based on customer account group where customer account group is represented as Site/Store.
Possible values for Customer Account group -
- Reference Store
- Head Store
- Wholly Owner Store etc.
Till this point everything is fine. However, Client has few additional External Stores which are represented as one Dummy Site and Customers belonging to that store are actual external Stores.
Example, we have additional Value for Customer Account Group -
- Dummy Site
And now all the Customers part of dummy site are actual stores and we need to drill down our restriction to these Customers (so-called Stores).
To restrict users based on customer account group/Stores, we can utilize F_KNA1_GRP with field KTOKD (Customer Account Group). However, is it possible to create roles based on individual customers of these Stores?
If yes, how can we do that?
P.S. I had a look at authorization object F_KNA1_BED with field BRGRU. Can this object help us in fulfilling our requirement? Or is there any other SAP provided authorization object which can help us to restrict on Customer values?
Thanks,
Sheenam
You could use F_KNA1_BED, I guess - but that would mean excessive maintenance of both: BEGRU and customers, if I understood your scenario correctly and you really, really want to break that down to single customers.
It would be even more excessive to utilize F_KNA1_GRP. Can be done, though.
Both solutions are completely un-elegant and I am not happy proposing them. But I am curious as a cat: what exactly is the business process expecting you to restrict access to customer data down to a single customer?
Edited by: Mylène Dorias on Mar 24, 2010 8:39 AM -
FD32 restrict users based on a schedule of authority
All,
I have a requirement within FD32 to restrict users based on a schedule of authority. For example, only allowing credit limits to be changed in a user's authorized dollar range. I was able to restrict the Credit Limit field (change/display) by using field groups, but I have an extension of the requirement for a schedule of authority. Can someone please help?
-
Hey guys, I need to create a script that assigns a value to the EmployeeID of every user that is a member of a particular AD security group.
For example, there are the following groups - Accounting_01, Accounting_02, Accounting_03. The script has to read what members there are in these groups and assign to the people of Accounting_01 an EmployeeID of 01, to the people of Accounting_02 an EmployeeID of 02, and to the people of Accounting_03 an EmployeeID of 03.
I have a script that adds a user to a security group, based on the value of a certain attribute, but not the other way around. Have you written such a script? Thanks in advance
I haven't tried the code, because I don't have AD cmdlets.
But I see some discrepancies between the documentation and your code.
Looking at http://technet.microsoft.com/en-us/library/hh852287.aspx (Set-ADUser cmdlet) we can read for the -Replace<Hashtable> parameter: ... Use this parameter to replace one or more values of a property that cannot be modified using a cmdlet parameter ...
But the OP referred to EmployeeID, which is a Set-ADUser cmdlet parameter (look for -EmployeeID), thus, cannot be used with -Replace<Hashtable> parameter (as per the documentation).
Also, the documentation states for this same -Replace<Hashtable> parameter: ... To modify an object property, you must use the LDAP display name ...
And the LDAP display name for EmployeeID is employeeID, and not employeeid as in your code (although I'm not sure if LDAP display name is case sensitive).
As you say your code works correctly, I suspect that you created a new property named employeeid, which is not the same referenced by the parameter -EmployeeID.
The documentation merely says that it can be used to modify attributes that do not have their own parameter. If they were to include a parameter for every AD attribute the list would be huge. It doesn't imply that -replace cannot be used instead of the defined parameters.
I must admit that I didn't realise that -EmployeeID could be used as I didn't consult the documentation before I wrote the code but I can confirm that using the method I posted the employeeID attribute was modified. It didn't create a second attribute with different letter casing. -
Restricting user based on Delivery Block in VA02
Hi ,
As per my business team I am supposed to restrict the user depending on delivery block in transaction VA02. There are no SAP pre-defined fields to restrict at delivery block level from PFCG. Please kindly help. Thanks in advance.
Hi,
Can you please assist, with the Issue below?
1) Tcode : VA02
2) I have created authorization Object for field level authorizations for
Delivery Block --- LIFSK
Billing Block --- FAKSK
Maintained Field Level SD Authorizations ZV_FIELD
Maintained Field Level SD Authorizations T-ED49128000
Activity 02, 03 ACTVT
Billing block in SD document Z3 FAKSK
Delivery block ( document heade ZH LIFSK
3) Now I want to restrict to a particular Delivery Block and a Billing Block, but I am able to change to other Delivery Block and Billing Blocks even though I have restricted to Z3 and ZH ( this case) -
Is it possible to restrict user based on personal information workset ?
Hi Experts,
I have a requirement in which I need to allow other worksets in ESS to be accessed only if one workset "Personal Information" is completed.
In this workset "Personal Information", there is an iView "Certify Own Data". In this iView there are a couple of checkboxes which need to be ticked and saved. These checkboxes will automatically be checked when the user enters required data in other related iViews such as "Address", "Family Details", "communications" etc.
All I want to achieve is to allow the user only if he fills all his personal information and certifies his own data. After clicking on SAVE button only he would be able to access other worksets such as "Attendence".
Please someone suggest me how to achieve this functionality. Do I need to develop a new application or can I achieve this functionality by just maintaining some kind of iView validation?
Earlier response would be much appreciated.
Thanks
Uday
You can do a BAdI validation
BADI HRPAD00INFTYBL and HRPAD00INFTYDB for new framework of infotype.
Please refer the SAP Note 864910 BADI HRPAD00INFTYBL and HRPAD00INFTYDB
But to control the workset would be difficult in standard, probably you can do a modification
you can control services using proxy classes though -
Determine if user belongs to Authorization Group.
My requirement is I have an authorization group (BRGRU) and I need to check if the logged in user belongs to that authorization group. Is there any FM for this or a Database table wherein I can get the list of users belonging to a particular authorization group?
Hi
check the tables
UST12
AGR_1252
and check the Tcode SU21
see the doc about authorizations:
In general different users will be given different authorizations based on their role in the orgn.
We create ROLES and assign the Authorization and TCODES for that role, so only that user can have access to those T Codes.
Use SUIM and SU21 T codes for this.
Much of the data in an R/3 system has to be protected so that unauthorized users cannot access it. Therefore the appropriate authorization is required before a user can carry out certain actions in the system. When you log on to the R/3 system, the system checks in the user master record to see which transactions you are authorized to use. An authorization check is implemented for every sensitive transaction.
If you wish to protect a transaction that you have programmed yourself, then you must implement an authorization check.
This means you have to allocate an authorization object in the definition of the transaction.
For example:
program an AUTHORITY-CHECK.
AUTHORITY-CHECK OBJECT <authorization object>
  ID <authority field 1> FIELD <field value 1>
  ID <authority field 2> FIELD <field value 2>
  ID <authority-field n> FIELD <field value n>.
The OBJECT parameter specifies the authorization object.
The ID parameter specifies an authorization field (in the authorization object).
The FIELD parameter specifies a value for the authorization field.
The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.
http://help.sap.com/saphelp_nw04s/helpdata/en/52/67167f439b11d1896f0000e8322d00/content.htm
To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.
Authorization : An authorization enables you to perform a particular activity in the SAP System, based on a set of authorization object field values.
You program the authorization check using the ABAP statement AUTHORITY-CHECK.
AUTHORITY-CHECK OBJECT 'S_TRVL_BKS'
ID 'ACTVT' FIELD '02'
ID 'CUSTTYPE' FIELD 'B'.
IF SY-SUBRC <> 0.
MESSAGE E...
ENDIF.
'S_TRVL_BKS' is an auth. object
ID 'ACTVT' FIELD '02' in place 2 you can put 1,2, 3 for change create or display.
The AUTHORITY-CHECK checks whether a user has the appropriate authorization to execute a particular activity.
This Authorization concept is somewhat linked with BASIS people.
As a developer you may not have access to SU21 Transaction where you have to define authorizations, Objects and for that object you assign fields and values. Another Tcode is PFCG where you can assign these authorization objects and TCodes for a profile and that profile in turn attached to a particular user.
Take the help of the basis Guy and create and use.
Reward points if useful
Regards
Anji -
Restrict printers based on security groups
We have set up all of our printers on a server and deployed them via group policy. I am looking for a way to restrict printing based on which security group the user is in. We have got it working by setting permissions in the printer security tab in the server. But I would like a more elegant solution, since the printers that the user can't print to are greyed out with an X over the icon. I would like to have the printer not even show up in the printer list if that user isn't allowed to print there.
Is this possible?
We are running Windows Server 2008 R2 and our clients are all Windows 7.
Thank you.
Hi,
Based on your description, we can use Security Filtering to apply the printer deployment GPO polices to the specific groups.
Regarding this point, the following articles can be referred to for more information.
Security filtering using GPMC
http://technet.microsoft.com/en-us/library/cc781988(v=WS.10).aspx
Filter using security groups
http://technet.microsoft.com/en-us/library/cc779291(v=WS.10).aspx
Besides, we can choose to deploy printers via GPP and use Item-level Targeting to filter out users who don’t need the printers.
Regarding this point, the following blog can be referred to for more information.
Deploying Printers with Group Policy Preferences (Complete Guide)
http://deployhappiness.com/deploying-printers-with-group-policy-preferences/
Regarding Item-level Targeting, the following articles can be referred to for more information.
Preference Item-Level Targeting
http://technet.microsoft.com/en-us/library/cc733022.aspx
Security Group Targeting
http://technet.microsoft.com/en-us/library/cc772471.aspx
Best regards,
Frank Shen -
Authorization group in Z-Table and user assignment
Hello,
I have created a Z table which stores sensitive data and have created a maintenance view. I want particular users only to have change access to this table through SM30 and for that I have created my own authorization group. Now my question is: How can I assign user names to this authorization group? How does it work? Is this through Role assignment to user profile? I don't have any basis support help for me for this task and hence am trying to do it myself in a sandbox system.
Since this is not my domain step by step help will be appreciated.
Thanks.
Agasti..
Hi,
useful link
http://www.richardsantos.net/2009/03/16/sap-how-to-create-and-use-the-authorization-objects-in-abap/
Thanks
Sudheer -
How to Restrict users to change password
Hi All,
I would like to restrict users to change password only a defined number of times in a day. Is it possible to do it through group policies?
Please note I am already aware of the "Minimum Password age" feature, however I do not want to use it as the minimum value that I can set here is 1 day. I would like to restrict users based on a password reset threshold, e.g. a user can reset his password in a day only twice or thrice.
Thanx & Regards,
Wasim Parkar
If you want to limit the user to have his/her password changed for a specific number of times every day, I have to say NO, that's not possible. PSOs, as others mentioned, can be used to have different password policies. Maybe you can set the msDS-MinimumPasswordAge to 00:04:00:00 which is equal to 4 hours. It means every 4 hours a user will be able to change his/her password. So in each day a user can change the password 6 times, since a day is 24 hours.
Do not forget a day starts from 00:00 AM up to 11:59 PM. So in a 9 to 5 job, a user may change the password 2-3 times.
Hope it helps.
Mahdi Tehrani Loves Powershell
-
Dear Friends,
I know I can restrict two user "A" & "B" who create DIR " 1001" & "1002" respectively under same document Type say "DRW". Means they cannot display the DIR created by each other by Authorization Object "C_SIGN_BGR".
I have tried this and works perfect.
But my question is can I maintain these Authorization Groups so that when user enters any wrong Authorization group, it should not allow him to enter in Authorization Group Field.
If I maintain the setting in SPRO in DMS>Approvals>Define Authorization groups, will my maintained values be validated with the values I enter in Authorization Group field?
Also I know the development mentioned under link.
[https://wiki.sdn.sap.com/wiki/display/PLM/F4forAuthorization+group]
But I want to avoid this development.
Waiting for your reply.
With warm Regards
Mangesh
Hi Mangesh,
To achieve this I suggest you to Update domain BEGRU as mentioned in the link
http://wiki.sdn.sap.com/wiki/display/PLM/UsingAuthorizationGroupfieldin+DMS
values can be maintained in ztable
You can also have search help for BEGRU, by adding search help in DRAW table for BEGRU.
also go through post - Re: Authorization Group in CV01n Document Data tab
Auth object C_DRAW_BGR has field value reference to data element BEGRU
Regards
Surjit -
Authorization Group in T-Code: OB52
Hi,
I need to maintain 2 Auth. Groups in T-Code: OB52, my requirement is below:
some users (nearly 25) need to post transactions in the month of June, and some users (nearly 10) should be able to post only for selected GL in the month of June.
So we decided to create two roles and assign the Auth Group in F_BKPF_BUP Auth. group. But I need to know whether the system will allow to assign two Auth. Groups for one Company code (i.e., 2 Auth. Groups and all common users)
Please revert ASAP.
Regards
JS
The help on AuGr field in OB52 is good. Here it is
Authorization Group
The authorization group allows extended authorization protection for particular objects. The authorization groups are freely definable. The authorization groups usually occur in authorization objects together with an activity.
Use
A posting period can be made available to only a limited set of users using the authorization group.
Procedure
If only a limited set of users is to be able to post in a particular posting period, proceed as follows:
Add the posting period authorization (authorization object F_BKPF_BUP) to the authorizations of the selected users. Assign an authorization group (e.g. '0001').
Enter the account type '+' for the posting period variant to which the restriction is to apply. Enter the period(s) whose use is to be restricted in the first period, those which are available to all users in the second period, and the authorization group (e.g. '0001') in the last column.
Examples
A posting period can be successively restricted. If, e.g. 10 users have the posting period authorization with authorization group '0001', and 3 of these 10 users also with authorization group '0002'.
If the period is only to be accessible to the 10 selected users the authorization group '0001' is entered in the posting period variant. Access can later be restricted to the remaining 3 users by entering '0002'.
I guess your requirement can very well be met, as explained in the example above. Also implement the following SAP Note to be able to assign the authorization group at document header level (account type '+') and at line item level in Transaction OB52.
https://service.sap.com/sap/support/notes/891505
Srikanth
PS: I have seen in a reply above that AuGr controls only special periods, which is not a correct statement. AuGr controls postings in the period specified in From per.1/Year To period/Year in OB52. -
How can we restrict users from marking service orders as deleted
Hi,
Please guide me :
Is it possible to restrict users (who are having authorization of marking service orders as deleted) from marking some service orders as deleted, if they have not created these service orders?
In other words, requirement is : only the person creating the Service Order should be authorized to delete.
Please guide.
Thanks and Regards
There are many BADI and EXITS available, you have to find the appropriate place to put your code.
USER - EXITS
CNEX0013 Order: Cust. enhancement: Default item category comp. assgmt
CNEX0026 Customer enhancement for general inspection of material
CNEX0027 Customer enhancement: Plant, storage loc. finding for comp.
IWO10004 Maintenance order: Customer check for order completion
IWO10005 Maintenance order: Cust.-specif. determination of profit ctr
IWO10006 Maint. order: Fcode exclusion through cust. enhancement
IWO10007 Maint.order: Customer enhancement - permits in the order
IWO10008 Cust. enhancement: Determination of tax jurisdiction code
IWO10009 PM Order: Customer Check for 'Save' Event
IWO10010 Maint. order: Cust. enhancement for determining WBS element
IWO10011 Maint. order: Customer enhancement for component selection
IWO10015 Maintenance order: F4 Help for user fields on operation
IWO10016 PM Order: Cust. enhancement to check operation user fields
IWO10017 Determine external order number by customer logic
IWO10018 Maintenance order: User fields on order header
IWO10020 Maintenance order: Automatically include task list
IWO10021 Automatic task list transfer when creating order from notif.
IWO10022 Determine calendar from user exit
IWO10023 Service order: Change header data for advance shipment doc.
IWO10024 Service order: Changes to items for advance shipment
IWO10025 PM/SM order: Finding responsible cost center
IWO10029 Inclusion of bill of material in PM/SM order
IWO10030 Preset Fields for Event Object
IWO10031 Hide personnel number in PM/SM order
BADI
Name of a BAdI Definition
ARC_PM_ORDER_CHECK
ARC_PM_ORDER_DELETE
ARC_PM_ORDER_PREPROCESSING
ARC_PM_ORDER_WRITE
ARC_PM_QMEL_CHECK
ARC_PM_QMEL_DELETE
ARC_PM_QMEL_PREPROCESS
ARC_PM_QMEL_WRITE
IWO1_ORDER_BADI
IWO1_PREQ_BADI
IWO1_SCREEN_MODIFY
IWO1_TL_INTEGRATION
IWO1_TL_INTEGRATION2
Edited by: Manish Bisht on Jul 11, 2009 9:27 AM
Edited by: Manish Bisht on Jul 11, 2009 9:28 AM -
Check available authorization groups
Hi ,
if a custom table needs to be assigned to an authorization group in SAP.
Which is the transaction to check users assigned to an authorization group?
Currently i have an idea that Assigning and Creating authorization groups are dealt in SE54 but i cannot find a way to check
whether users are assigned to an authorization group...!!!
thanks
kritika
Checking Assignment of Authorization Groups to Tables:
You can also assign authorization groups to tables to avoid users accessing tables using general access tools (such as transaction SE16). A user requires not only authorization to execute the tool, but must also have authorization to be permitted to access tables with the relevant group assignments. For this case, we deliver tables with predefined assignments to authorization groups. The assignments are defined in table TDDAT; the checked authorization object is S_TABU_DIS.
You can assign a table to authorization group Z000. (Use transaction SM30 for table TDDAT) A user that wants to access this table must have authorization object S_TABU_DIS in his or her profile with the value Z000 in the field DICBERCLS (authorization group for ABAP Dictionary objects).
See also:
· SAP Notes 7642, 20534, 23342, 33154, and 67766
· Documentation for RSCSAUTH
Hope this helps.... if not check the following link
If you still don't find, search google 'table authorization groups in sap' - There are good info on web.
You can assign the authorization group to any custom table via SE11 - table - display - utilities - assign authorization group and for the rest follow the SAP help (where to maintain and how to assign). This is a developer and security person's work. -
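The check described in the answer above (look up the table's group in TDDAT, then test S_TABU_DIS with field DICBERCLS), which also covers the earlier question about testing whether the logged-in user holds a given authorization group, as an added example that is not part of the original posts. The report name and the default table name ZSENSITIVE are hypothetical.

```abap
REPORT z_check_table_auth_group.
" Added illustration, not code from the thread.
" Report name and default table name are hypothetical.

PARAMETERS p_tab TYPE tddat-tabname DEFAULT 'ZSENSITIVE'.

DATA gv_group TYPE tddat-cclass.

START-OF-SELECTION.
  " TDDAT maps a table or view to its authorization group (CCLASS).
  SELECT SINGLE cclass FROM tddat INTO gv_group
    WHERE tabname = p_tab.
  IF sy-subrc <> 0 OR gv_group IS INITIAL.
    " Tables without an assignment are checked against group &NC&.
    gv_group = '&NC&'.
  ENDIF.

  WRITE: / 'Table', p_tab, 'is in authorization group', gv_group.

  " Test the current user for display (03) and change (02).
  PERFORM check_activity USING gv_group '03' 'display'.
  PERFORM check_activity USING gv_group '02' 'change'.

FORM check_activity USING iv_group TYPE tddat-cclass
                          iv_actvt TYPE c
                          iv_text  TYPE c.
  " The check runs against the authorizations of the logged-in user.
  AUTHORITY-CHECK OBJECT 'S_TABU_DIS'
    ID 'DICBERCLS' FIELD iv_group
    ID 'ACTVT'     FIELD iv_actvt.
  IF sy-subrc = 0.
    WRITE: / sy-uname, 'is authorized to', iv_text,
             'tables in group', iv_group.
  ELSE.
    WRITE: / sy-uname, 'is NOT authorized to', iv_text,
             'tables in group', iv_group.
  ENDIF.
ENDFORM.
```

This tests only the user running the report; listing every user who holds a group is a reporting task for SUIM, as mentioned earlier on the page.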
Could you restrict purchase orders based upon Vendor / Material Group?
Hey everyone - I've got a general "could this be done" kind of question.
We would like to add on to the vendor purchasing view to include "valid" material groups. This would then have what material groups could be purchased for which company code for that vendor. Then in the purchase order creation / modification we would like to be able to validate this purchase order against this vendor / company code / material group combination.
Obviously with enough custom code this could be done. My question is whether it could be done without introducing too much custom code - how would you construct such a solution to this problem?
We are a SAP 4.7 shop.
Thanks! Ken Little
> Ken Little wrote:
> Hey everyone - I've got a general "could this be done" kind of question.
>
> We would like to add on to the vendor purchasing view to include "valid" material groups. This would then have what material groups could be purchased for which company code for that vendor. Then in the purchase order creation / modification we would like to be able to validate this purchase order against this vendor / company code / material group combination.
>
> Obviously with enough custom code this could be done. My question is whether it could be done without introducing too much custom code - how would you construct such a solution to this problem?
>
> We are a SAP 4.7 shop.
>
> Thanks! Ken Little
By include "valid" material groups i think it means you are introducing a new field or some value in already existing field in vendor master.
1) Now to restrict PO based upon material group a small custom code is needed.
Use BAdI ME_PROCESS_PO_CUST... here write a code with help of your ABAP person that system will first select the LIFNR (vendor code) entered in the PO... then it will check the same LIFNR in LFM1 table... here it will check the material group in the customized field & if found that it is within the list of previous listed material group then it will allow to process further or otherwise give a customized error message.
or
2) Use the field Group in OMSF... here maintain a common group against the material groups you want to do the purchase cycle. Now ask your BASIS person to use this group in carry out a specific activity, the user must have authorization for the combination of the activity and the authorization group.
Regards,
Indranil