SAP_FI_AP_VENDOR_MASTER_DATA

We require an authorisation / activity group to allow postings to one-time vendors, i.e. only allow a user with this access the ability to post to OTVs.
Is there an authorisation object that allows postings to particular vendor master records or preferably a vendor account group?
The only SAP provided role I could find was: SAP_FI_AP_VENDOR_MASTER_DATA.  Are there any others anyone knows of that can be used to achieve this requirement?
Any assistance would be appreciated. Thanks.

Hi Benjamin,
Most of SAP works in this way.
If the master record does not have an authorization group on it and the user does not have any authorization for a non-existing authorization group, then in SAP logic they "match" and the authority check is "passed" by virtue of the check not being performed.
Take a look in tcode SU21 and the documentation on F_BKPF_BEK:

Definition
Using this authorization object, you determine for which vendor accounts line items can be posted and processed.

Note
This authorization is optional.
The authorization group does not only have an effect when working with the accounts, but also when working with the master records. If you assign this authorization when working with accounts, you must also assign an authorization for the corresponding authorization group when working with the master records. The authorization object for this is called "F_LFA1_BEK".

Defined fields
The object consists of the fields "Authorization group" and "Activity". The authorization group can be freely defined by the user. You take the possible input values for the field "Activity" from table TACTZ.

Procedure
If you want to use this authorization, proceed as follows:
  • Define the authorization which you want to assign to selected employees, in which you list the authorization groups and the activities allowed.
  • Allocate this authorization using the corresponding profile.
  • Enter an authorization group in the master records which are specifically to be protected. You can enter an authorization group in either the general or in the company code-specific area of the master records.

An (initial) exception is S_TABU_DIS. If the standard SAP utility transactions are used, then a table without an authorization group is given a "symbolic" authorization group called '&NC&' which is checked. So you should seriously try to avoid giving users access to this symbolic auth group. In the case of account groups, s_program groups, etc., it is a bit different as the check is only performed when a security measure is found to have been required.
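
The behaviour described in the answer above, as an added example that is not part of the original thread and is not SAP code: a simplified Python model of the optional authorization-group check, run over a constructed vendor export. The user names, vendor numbers, group values and helper names are assumptions made for the illustration.

```python
import csv
import io

# Constructed sample export of vendor master data (not taken from the thread).
# An empty auth_group means no authorization group is maintained on the record.
EXPORT = """vendor;account_group;auth_group
100001;KRED;STD
100002;KRED;
900001;CPD;OTV
900002;CPD;
"""

# Constructed F_BKPF_BEK authorizations per user:
# each entry is (authorization groups, activities).
USER_AUTHS = {
    "OTV_CLERK": [({"OTV"}, {"01", "03"})],
    "AP_LEAD": [({"*"}, {"01", "02", "03"})],
}

def load_vendors(text=EXPORT):
    """Parse the semicolon-separated export into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text), delimiter=";"))

def check_passes(record_group, auths, activity):
    """Model of the optional check: a record without a group is not checked."""
    if not record_group.strip():
        return True  # no group on the record, so the check is not performed
    return any(
        activity in acts and ("*" in groups or record_group in groups)
        for groups, acts in auths
    )

def postable_vendors(user, activity="01"):
    """Vendors the user can reach for the given activity under this model."""
    auths = USER_AUTHS[user]
    return [v["vendor"] for v in load_vendors()
            if check_passes(v["auth_group"], auths, activity)]

def unprotected_outside(account_group):
    """Vendors outside the given account group that carry no authorization group."""
    return [v["vendor"] for v in load_vendors()
            if v["account_group"] != account_group and not v["auth_group"].strip()]

if __name__ == "__main__":
    print("OTV_CLERK can post to:", postable_vendors("OTV_CLERK"))
    print("Unprotected non-OTV vendors:", unprotected_outside("CPD"))
```

In this model OTV_CLERK can still post to vendor 100002, because that record carries no authorization group. Restricting a user to one-time vendors therefore depends on every other vendor record having a group the user is not authorized for.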

Similar Messages

  • How to restrict GL accounts in ME21n transaction screen

    Hi Security dudes..
    My company wants to restrict certain GL accounts from being used in the ME21n tcode screen.
    When I create my new role with the ME21n tcode, the following objects are populated into the role.
    Document Type in Purchase Order                              M_BEST_BSA
    Purchasing Group in Purchase Order                           M_BEST_EKG
    Purchasing Organization in Purchase Order                    M_BEST_EKO
    Plant in Purchase Order                                      M_BEST_WRK
    I am sure that the GL account can be checked using Auth groups.
    Please let me know which Auth Object will help me in getting this authorization check enabled.
    Thanks a lot in advance.
    Naveen Murthy

    Hello Naveen,
    It is still not clear to me which account (determination?) you are wanting to control.
    Account type 'K' (of object F_BKPF_KOA) would be Vendor Accounts (K = Kreditor).
    To control the ability to display them using groups (of vendors), then this is an optional object called F_LFA1_BEK, which needs to be used in combination with F_BKPF_BEK.
    Take a look at this thread for past discussions: Re: SAP_FI_AP_VENDOR_MASTER_DATA
    I am not 100% sure whether this will control the ability to select a specific number, once known. But normally the standard transactions do such validations when you hit "Enter" or "Save" etc.
    Hope that helps, but not sure.
    Cheers,
    Julius
