Role & authorization group

Similar Messages

• Table for Role & Authorization group

  Hi Gurus,
  I am looking for a table or FM to get all roles for Authorization group.
  I tried in SUIM tcode but could not able to find exact DB table for these.
  Giri
  P.S.: To Moderator:
         My earlier thread was locked for the same question, I was searching in SDN and google from last 3 days and could not able to find enough information on it. AGR_USERS, TBRG, TACT are the tables i found. But still there is a link missed between Role & Authorization Group.

  Thomas,
  My report have selection screen with Auth group and user.
  If user provides Auth. Group then need to find all roles linked to auth group and users assigned to that role.
  In my investigation, there is link between Auth. Group <--> Auth. object.
  Also Auth. Object <--> Role.
  but still there is a fine link missing between Auth Group <--> Role.
  For Eg: Auth Object S_TABU_DIS will be associated to all Auth. Groups but assigned to only limited roles.
  I tried to debug the SUIM transaction multiple times but couldn't find the tables to find the link and not able to find the FM's.
  if anybody have any idea to find that link between Auth. Group & Role then it will be helpful....
  Giri

• Assigning authorization group to users or roles.

  Hi
  How do I assign authorization group I created for ECM digital signature approval to users

  Hi,
  Provide the authorization group and the role details to which it needs to be linked to your basis team and they should be able to do this for you.
  Regards
  Sreekanth

• Basic steps in creating an authorization group/role?

  Hi,
  What are the basic steps followed in creating an authorization group and role?

  HI,
  http://help.sap.com/saphelp_wp/helpdata/en/52/6714b6439b11d1896f0000e8322d00/frameset.htm
  Steps,
  Go to PFCG
  Enter role name say ZSALES ORDER PROCESSING and click on single role
  Enter discription and save
  Then click on MENU tab,then click on transaction and maintain t-codes like VA01,VA02,VA03 and click on assign transactions and save
  Then click on AUTHORIZATION tab and click to Change autorization data,then it will ask for orgz. level maintain orgz.data or click on FULL Authorization
  Then you can able to see modules from where the the transaction code belongs(SD)
  Expand it to lower level node and maintain autorization for Perticular sales document, sales area
  Then save and click on GENEREATE ICON (Shift+F5)
  Now go to tab USER and assign users
  Click on user comparision >> Complete comparision
  Now when the assigned user log in syatem system will display this role for user and he/she may authorization for perticular sales document and sales area depending uppon your authorization provided in this role.
  You can see existing roles and copy from existing one
  kapil

• Authorization Group for G/L Account

  Hi,
  What?
  - I wish to restrict the 'posting' of a G/L account to be done by certain users only
  How?
  - What I have done was...
  a) From FS00, I have added a free-text (BANK) into the Authorization Group for a G/L account
  b) From PFCG, a new role was created to allow these 2 Authorization Objects, F_BKPF_BES and F_SKA1_BES
  c) 'BANK' was entered for the Authorization Group for both these 2 Authorization Objects
  d) From there, I have assigned this new role to the user that I wish to allow Posting of the G/L account
  Problem?
  - Other users still can do Posting for this G/L account
  - Any steps which I have missed out here or done wrongly?
  Thanks,
  Brandon

  Hi,
  Some other roles of the users may override and cause the users to post against this GL account.
  Check all the roles relevant for the restricted users. 
  Use SUIM t-code to find if the auth object mentioned above is included in any other role.
  If it be, restrict that again.
  Generally if one role as no restriction against this auth and not all, this issue tends to happen.
  Regards,
  Sridevi

• Authorization group in GL A/C

  Hi,
      I have a role that has the authorization group in the authorization objects  F_BKPF_BES , F_SKA1_BES  updated only with 'AUTH' but the same role is also able to access GL accounts with authorization group 'REST'.
     I want to restrict the role to access GL Accounts only with authorization group 'AUTH'.
  How to do it.Kindly advise.
  Thanks.

  GL account Authorization
  Re: How to create authorization groups for G/L Accounting
  Thanks
  Javed

• Authorization group in GL A/C using FB01

  HI, We have  activated the authorization Group in GL A/c. Using the authorization object F_BKPF_BES we were able to create restrictions on other tcodes like F-28 . However when using the u201CFB01u201D tcode, the authorization check does not have any effect. I have already check the authorization in SU24 for fb01 and status is set to YES. I have also created a trace(using ST01) for this transaction but ST01 does not show any authorization trace for F_BKPF_BES.

  Hello,
  Authorization object：F_BKPF_BES should be checked when you run FB01.
  In your case,please try to check the following points:
  1.Authrization group was assigend to G/.L master data correctly.
  2.Authrization group  was assigend to object：F_BKPF_BES correctly.
  3.Avtivity was defined in this object correctly.
  4.Role was assgined to user correctly.
  5.SAP_ALL authorization was deleted from the user profile.
  Note: it is impossible to define the authorization group as '  '(space) in object：F_BKPF_BES,
  if '  ' was defined, system will consider there are no any setting existed.
  Hope the above infor. could help you to solve this issue.
  Best Regards,

• E-Recruiting : Role Authorization in e-recruiting standalone scenario

  Hello Friends,
  We have EREC on a standalone system (ERD 100). HR ECC is another system (ECD 300), Enterprise portal in another system (EPD 100).
  we are on EHP 5, EREC 605, Support Pack 7.
  We have activated the single sign on mechanism.
  I have following queries regarding role authorizations on EREC in  standalone model.
  1) We have standard reference users  such as recruiter, manager, decision-maker, data entry clerk, rec.admic etc;  the" RCF_RECRUIT, RCF_MANAGER, RCF_CAND_INT, RCF_DATA_TYP" etc, Should this reference users be created both in EREC & HR system or only in EREC system ?
  2) If the "RCF_XXXX" reference users roles are supposed to be created only in EREC system, how to assign reference user roles to employees whose master data is in HR System. ?
  3) Can support teams concept help for mass authorizations? Can someone elaborate on the support team, support group concepts ?
  Kindly provide inputs.
  Regards,
  ER.

  Thanks Nicole for the inputs.
  Just  expanding my query on the 2nd point regarding assigning Reference users like manager, recruiter to certain employees :
  Example: Say I have Emp. No 20003000. He is an hiring manager, In HR System,  IT105, subtype user id is "20003000".
  To assign RCF_MANAGER reference user role to user id 20003000, should i have to recreate the userid in EREC system as well and assign it in SU01 for this user id.
  Would like to take your comments.
  Thanks,
  Regards,
  ER.

• Use of Authorization Group in OB52

  Dear Experts,
  I have updated Authorization Group as "OB52" in the last column of OB52 T-Code against each posting period variant with account type + , A,D,K,S,M etc with normal period 1 to 12 and special period 13 to 16.
  The same Authorization Group "OB52" is updated in one of FI users say Mr X Role profile under authorization object F_BKPF_BUP.
  Now as per the SAP standard practice the special period 13-16 should open for the user Mr X and block for all other users. But system is allowing to do transaction with special period 13-16 for other users also.
  Please advise where I am wrong.
  Regards,
  Alok

  Dear,
  I will explain you the step involved for auth Mr.X to post for the particular period.
  Let take an example  that Mr.X has to be allowed to post between the period 1 to 11 and other user only for the period 11(Apr - March as fiscal year).
  Now,for valuation variant with account  ' +'  for the first period, you enter from period as '1' and to period as '10' and in second period, you enter from period '11' and to period '11', provide the auth group (eg KU - key user)  in the last column.
  For other accounts (A,D,M,K,S) change the first period from '1' to '12' and dont assign any auth group.
  Now you goto se16n and check in TBRG table whether your auth group KU is available for the object F_BKPF_BUP,if not maintain it.
  The last step is to assign "KU" to Mr.X profile or role against the object F_BKPF_BUP.
  Once you made the change"generate" and save it.
  Now the system will permit Mr.X to post for the periods between 1 to 11 and other user only for 11 period.
  Hope that i am ab;le to clear your boubt.
  Do revert for any further assistance.
  Take care
  God Bless
  Regards

• Authorization Groups

  Hi Experts,
  If I have values NPD,R&D etc. for authorization groups. How to maintain these values in SAP DMS? Is there any t-code or spro configuration for maintaining these values? I know it's basis activity.
  I hope you understood the question properly, how to set the authorization groups and where to maintain the values for them?
  Regards,
  Ravindra

  Hi,
  In DMS auth grp is  free field and we can maintain any value for it.
  But to control access we must assign these value to auth obj  c_DRAW_BGR.
  This auth obj  will be assigned to role and role to user.
  So user who has auth value R&D in his role can enter this auth obj value while creating a dir and at the same time he can access a DIR with this auth obj value created by other user having same auth obj in his role.
  Plz note that this auth ob c_Draw_bgr works with other auth obj in DMS.
  Regards
  Abhijit

• Authorization Group & TBRG

  Hello. I wonder what case should I create records into TBRG for.
  Generally, authorization group works when I set it to master record (e.g.vendor, customer,account code) and role (from PFCG).
  But, in some case, It is required to insert authorization group and its text to TBRG.
  Please tell me weather TBRG setting is essencial or not .
  Edited by: Julius Bussche on Dec 28, 2009 6:13 PM
  Table name corrected.

  Hi Yugo,
  Table TBRG - Contains all authorization groups and gives information about relation between authorization object and authorization group. Hence its very much necessary you maintain the authgroups in this table.
  Also if you want it to appear as a pick list when you click F4 in the DICBERCLES field in object S_TABU_DIS then you should have those valuse maintained in table:TBRG.
  There are several threads based on your query which are already answered. just search by "TBRG Auth Groups" in the same forum.
  Hope it helps.Let us know if you  need any more information from our side.

• Set up authorization group F_LFA1_BEK

  Hi All,
  I would like to limit visibility of specific vendors and any related documents.  In the contol field of the vendor master (lfa1-begru), I entered an authorization group.  How do I limit the user's access to this authorization group.  Do I need to create an activity group before our security team can enter it into the user's profiles? 
  When I do an F1 on the control field, the procedure information states that 'You assign the authorization using authorization object F_LFA1_BEK.' 
  Kind regards,
  Cheryl Adamonis

  Hi Cheryl
  You just need to advise your Security Team the authorisation group value that you assigned, and what activity the users will need to have.
  For example, if you entered authorisation group ZZZZ in the vendor master:
  You would need to tell the Security Team, for roles XXXXXX, the authorisation object is L_FA1_BEK.  The activity is (1 = Create, 2 = Change, 3 = Display etc) and the Authorisation is ZZZZ (eg the one assigned to the vendor).  This will then restrict the users access.
  Regards
  Kylie

• Regarding ABAP Query authorization group

  Hi Team,
  This is regarding ABAP Query!
  I have created one authorization group, for testing i have assigned my id in authorization group.
  After creation of ABAP query,standard program got generated. Now i have created one transaction code at the last for the ABAP Query.
  Now the isse is even though i have deleted my id from the authorization group. I am able to execute the query from SQ01 and with the Transaction code .
  It should not happen...i want who soever id is mapped to the transaction code ...that member should only be able to run that query, otherwise there is no use of authorization group.
  Please help me out in this case.
  Thanks & Regards,
  Anil Kumar Sahni

  Are you sure that you don't have access to that authorisation group? Execute report RSUSR002. In the 'Authorization Object 1' block inform  S_TABU_DIS in 'Auth.Object' and accept. Then inform Activity=03 and Auth.Gruop= your group.
  You will get a list of all the users which, theoretically, will be able to execute the query. If you press 'Roles' or 'Profiles' in the toolbar of the listing you will get to know why you have authorisation. May be you have the SAP_ALL profile.
  Also, one more thing to take into account: how have you created your transaction? Is it referring directly to the generated report? Then it is an error, you should execute program SAP_QUERY_CALL. Read this post: [Relate transaction to query;

• How to create authorization groups for G/L Accounting

  Hi:
  I have a problem with authorizations groups in FI, I hope you could help me.
  We want to control access to accounting in FI by authorization group so user only can work with some G/L accounts.
  I have seen in transaction FS00, in control data tab, a field called Auth. Group, but I really donu2019t know if this is the right field.
  Do you know how I can control access to G/L Accounts by Authorization Groups? Perhaps must I to create a new Authorization Group by roles? We have 4.6c.
  Please, any help is welcome.
  Thanks in advance.

  Hi
  Update the authorization group field in the GL master with any user defined value and then include the same in the respective user roles against the authorization object - F_BKPF_BES-BRGRU in PFCG
  Ensure you have updated 'Authorization group' for the GL accounts in your chart of accounts
  Thank You,

• Using Authorization group field in Data entry profile

  Hi,
  I would need some help in configuring/using the authorization group field in data entry profile.
  After setting up the values in the drop down, how do we link to the authorization profiles or roles .
  basically, I would like to know the steps/activities required to use this field

  cross posting->thread locked.