Set up authorization group F_LFA1_BEK

Similar Messages

• Authorization Groups

  Hi Experts,
  If I have values NPD,R&D etc. for authorization groups. How to maintain these values in SAP DMS? Is there any t-code or spro configuration for maintaining these values? I know it's basis activity.
  I hope you understood the question properly, how to set the authorization groups and where to maintain the values for them?
  Regards,
  Ravindra

  Hi,
  In DMS auth grp is  free field and we can maintain any value for it.
  But to control access we must assign these value to auth obj  c_DRAW_BGR.
  This auth obj  will be assigned to role and role to user.
  So user who has auth value R&D in his role can enter this auth obj value while creating a dir and at the same time he can access a DIR with this auth obj value created by other user having same auth obj in his role.
  Plz note that this auth ob c_Draw_bgr works with other auth obj in DMS.
  Regards
  Abhijit

• Restrict Vendor line items display by Vendor authorization group

  Hi Gurus,
  I have a requirement to restrict Vendor line item diplay for Tcode FBL1N, I have updated the Authorization object F_LFA1_BEK, its work fine if all the vendors have authorization, However it also display vendors whose auth. group is "BLANK" or "SAPCE",
  Is there a way that I can slove this issue, is there any SAP notes of other object which needs to be updated ?

  Hi,
  this problem has been discussed on this forum last week. Basically, SAP does not perform authorization check if the authorization group is blank. Hence you need to assign authorization object to all vendors.
  Cheers

• Authorization group in GL A/C using FB01

  HI, We have  activated the authorization Group in GL A/c. Using the authorization object F_BKPF_BES we were able to create restrictions on other tcodes like F-28 . However when using the u201CFB01u201D tcode, the authorization check does not have any effect. I have already check the authorization in SU24 for fb01 and status is set to YES. I have also created a trace(using ST01) for this transaction but ST01 does not show any authorization trace for F_BKPF_BES.

  Hello,
  Authorization object：F_BKPF_BES should be checked when you run FB01.
  In your case,please try to check the following points:
  1.Authrization group was assigend to G/.L master data correctly.
  2.Authrization group  was assigend to object：F_BKPF_BES correctly.
  3.Avtivity was defined in this object correctly.
  4.Role was assgined to user correctly.
  5.SAP_ALL authorization was deleted from the user profile.
  Note: it is impossible to define the authorization group as '  '(space) in object：F_BKPF_BES,
  if '  ' was defined, system will consider there are no any setting existed.
  Hope the above infor. could help you to solve this issue.
  Best Regards,

• Authorization Group

  Dear Friends,
  I know I can restrict two user "A" & "B"  who create DIR  " 1001" & "1002" respectively under same document Type say "DRW". Means they cannot display the DIR created by each other  by Authorization Object "C_SIGN_BGR".
  I have tried this and works perfect.
  But my question is can I maintain these Authorization Groups so that  when user enters any wrong Authorization group, it should not allow him to enter in Authorization Group Field.
  If I Maintain the setting in SPRO in DMS>Approvals>Define Authorization groups, will my maintained  values will be validated with the values I enter in Authorization Group field.
  Also I know the developement mentioned under link.
  [https://wiki.sdn.sap.com/wiki/display/PLM/F4forAuthorization+group]
  But I want to avoid this developement.
  Waiting for your reply.
  With warm Regards
  Mangesh

  Hi Mangesh,
  To achieve this I suggest you to Update domain BEGRU as mentioned in the link
  http://wiki.sdn.sap.com/wiki/display/PLM/UsingAuthorizationGroupfieldin+DMS
  values can be maitained in ztable
  You can also have search help for BEGRU, by adding search help in DRAW table for BEGRU.
  also go through post - Re: Authorization Group in CV01n Document Data tab
  Auth object C_DRAW_BGR has field value reference to data element BEGRU
  Regards
  Surjit

• How can i transfer the 'Authorization Group'(SE54) to another client?

  In project i must define an 'Authorization Group' in T-Code SE54---The 3rd radiobutton.
  But there is no message to me to entry the Request NO.?
  How can i transfer the 'Authorization Group' ?
  I konw the date can be show from view 'V_BRG_54' ,but how to transport the data of the view?
  TKS a millon~~

  Hi,
  If your client is set for automatic recording of changes it should prompt for a transport, check there is not another client where you should make config changes.  If not, the menu option Table View -> Transport will let you assign the Auth group to a transport.
  Regards,
  Nick

• Authorization Group & TBRG

  Hello. I wonder what case should I create records into TBRG for.
  Generally, authorization group works when I set it to master record (e.g.vendor, customer,account code) and role (from PFCG).
  But, in some case, It is required to insert authorization group and its text to TBRG.
  Please tell me weather TBRG setting is essencial or not .
  Edited by: Julius Bussche on Dec 28, 2009 6:13 PM
  Table name corrected.

  Hi Yugo,
  Table TBRG - Contains all authorization groups and gives information about relation between authorization object and authorization group. Hence its very much necessary you maintain the authgroups in this table.
  Also if you want it to appear as a pick list when you click F4 in the DICBERCLES field in object S_TABU_DIS then you should have those valuse maintained in table:TBRG.
  There are several threads based on your query which are already answered. just search by "TBRG Auth Groups" in the same forum.
  Hope it helps.Let us know if you  need any more information from our side.

• Authorization group in Gl account

  Hi friends,
  In Control tab in FS00 there is a field called Authorzation group which i think restrict the users for the GL Account. where i can create this group and how can i assign this group to a particular user to restrict a particular user from using a GL Account.
  Any idea kindly share with me.
  Thank you

  Hello Siva,
  The authorization group allows extended authorization protection for particular objects. The authorization groups are freely definable. The authorization groups usually occur in authorization objects together with an activity.
  Access to a master record may be restricted. One reason for this might be to protect master data from unauthorized changes.
  Authorization can be assigned for the following editing functions:
  Create
  Change
  Display
  All employees can display the G/L account master records, but only a limited number of people may create or change them.The authorizations for editing G/L account master records are set in your user master record.
  To restrict access to a G/L account master record, enter a key in the Authorization field in the company code area of the master record.
  Prerequisites: You have to define authorizations before you can limit access to a G/L account master record. You can find these settings in Financial Accounting Customizing under Financial Accounting Global Settings->Maintain Profiles .
  Hope I had been able to help you. Please assign points.
  In case you donot have idea of how to assign points, pls let me know.
  Rgds
  Manish

• Using Authorization group field in Data entry profile

  Hi,
  I would need some help in configuring/using the authorization group field in data entry profile.
  After setting up the values in the drop down, how do we link to the authorization profiles or roles .
  basically, I would like to know the steps/activities required to use this field

  cross posting->thread locked.

• Authorization Group in Campaign and Marketing plan

  Hi,
  I have a requirement as campaigns assigned with "X" authorization group, should be viewed/changed by certain set of users. How can I do this? I have created 3 authorization group and assigned to user's PFCG role and also in 3 different campaigns viz  but system allowing user to make changes in all of them. Am I missing something?
  Please suggest.
  Regards,
  Nikhil

  Hi PP,
  I have campaign type lets say "Brand Promotion". User should be able to change/view/delet/create it. But if the authorization group  say XXXX assigned to this campaign and if user is not give authorization for this auth group in role under object CRM_CPGAGR ,then user should not be allowed to make changes in the campaign.  How can I achieve both of these functionality together? which are all auth objects involved in this?
  I want to restict user from changing campaign if not allowed for XXXX authorization group. Even if he is allowed for campaign type "Brand Promotion".
  Regards,
  Nikhil

• Authorization Group in T-Code: OB52

  Hi,
  I need to maintain 2 Auth. Group in T-Code: OB52, my requirment is below:
  for some users (nearly 25) needs to post the transaction in June Month and for some users (nearly 10)should have to post for selected GL in the month of June.
  So we decide to create two roles and assign the Auth Group in F_BKPF_BUP Auth. group. But i need to know whether the system will allow to assign two Auth. Group for one Company code (ie., 2 Auth. Group and all common users)
  Please revert ASAP.
  Regards
  JS

  The help on AuGr field in OB52 is good.  Here it is
  Authorization Group
  The authorization group allows extended authorization protection for particular objects. The authorization groups are freely definable. The authorization groups usually occur in authorization objects together with an activity.
  Use
  A posting period can be made available to only a limited set of users using the authorization group.
  Procedure
  If only a limited set of users is to be able to post in a particular posting period, proceed as follows:
  Add the posting period authorization (authorization object F_BKPF_BUP) to the authorizations of the selected users. Assign an authorization group (e.g. '0001').
  Enter the account type '+' for the posting period variant to which the restriction is to apply. Enter the period(s) whose use is to be restricted in the first period, those which are available to all users in the second period, and the authorization group (e.g. '0001') in the last column.
  Examples
  A posting period can be successively restricted. If, e.g. 10 users have the posting period authorization with authorization group '0001', and 3 of these 10 users also with authorization group '0002'.
  If the period is only to be accessible to the 10 selected users the authorization group '0001' is entered in the posting period variant. Access can later be restricted to the remaining 3 users by entering '0002'.
  I guess your requirement can very well be met, as explained in the example above.  Also implement the following SAP Note to be able to assign the authorization group at document header level (account type '+') and at line item level in Transaction OB52.
  https://service.sap.com/sap/support/notes/891505
  Srikanth
  PS: I have seen in a reply above that AuGr controls only special periods, which is not a correct statement.  AuGr controls postings in the period specified in From per.1/Year To period/Year in OB52.

• Determine if user belongs to Authorization Group.

  My requirement is I have a authorization group (BRGRU) and I need to check if the logged in user belongs to that authorization group. Is there any FM for this or a Database table where in I can get list of users belonging to a particular authorization group.

  Hi
  check the tables
  UST12
  AGR_1252
  and check the Tcode SU21
  see the doc about authorizations:
  In general different users will be given different authorizations based on their role in the orgn.
  We create ROLES and assign the Authorization and TCODES for that role, so only that user can have access to those T Codes.
  USe SUIM and SU21 T codes for this.
  Much of the data in an R/3 system has to be protected so that unauthorized users cannot access it. Therefore the appropriate authorization is required before a user can carry out certain actions in the system. When you log on to the R/3 system, the system checks in the user master record to see which transactions you are authorized to use. An authorization check is implemented for every sensitive transaction.
  If you wish to protect a transaction that you have programmed yourself, then you must implement an authorization check.
  This means you have to allocate an authorization object in the definition of the transaction.
  For example:
  program an AUTHORITY-CHECK.
  AUTHORITY-CHECK OBJECT <authorization object>
  ID <authority field 1> FIELD <field value 1>.
  ID <authority field 2> FIELD <field value 2>.
  ID <authority-field n> FIELD <field value n>.
  The OBJECT parameter specifies the authorization object.
  The ID parameter specifies an authorization field (in the authorization object).
  The FIELD parameter specifies a value for the authorization field.
  The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.
  http://help.sap.com/saphelp_nw04s/helpdata/en/52/67167f439b11d1896f0000e8322d00/content.htm
  To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.
  Authorization : An authorization enables you to perform a particular activity in the SAP System, based on a set of authorization object field values.
  You program the authorization check using the ABAP statement AUTHORITY-CHECK.
  AUTHORITY-CHECK OBJECT 'S_TRVL_BKS'
  ID 'ACTVT' FIELD '02'
  ID 'CUSTTYPE' FIELD 'B'.
  IF SY-SUBRC <> 0.
  MESSAGE E...
  ENDIF.
  'S_TRVL_BKS' is a auth. object
  ID 'ACTVT' FIELD '02' in place 2 you can put 1,2, 3 for change create or display.
  The AUTHORITY-CHECK checks whether a user has the appropriate authorization to execute a particular activity.
  This Authorization concept is somewhat linked with BASIS people.
  As a developer you may not have access to access to SU21 Transaction where you have to define, authorizations, Objects and for nthat object you assign fields and values. Another Tcode is PFCG where you can assign these authrization objects and TCodes for a  profile and that profile in turn attached to a particular user.
  Take the help of the basis Guy and create and use.
  Reward points if useful
  Regards
  Anji

• Viewing custom Z tables with blank authorization group

  I'm trying to view all the Z tables without any authorization group (blank) in TDDAT.  It only displays Z tables with &NC& or other valid groups we assign.  Is there another table I can query to show ALL Z tables without an auth group?
  Thanks.

  > It only displays Z tables with &NC& or other valid groups we assign. 
  Oops, sorry. Martin had already mentioned this.
  &NC& is not a valid group, it is a symbolic group which is the equivalent of a blank for the table - except that a view had been created for it and during that process no authorization group was set either. This also used to be the default, which doesn't really make sense... hence all the values.
  If you take a look at FM VIEW_AUTHORITY_CHECK then you will see how it works and which tables are used.
  Cheers,
  Julius
  Edited by: Julius Bussche on Feb 13, 2010 10:01 AM

• Set Up Authorization Check for G/L Accounts  into PO creation

  Dear friends !
  How could I activate check to the access to certain accounts into PO creation ?
  I know that is possible to activate this into Purchasing customizing under path
  SPRO > Materials management > Purchasing > Purchase order > Set Up Authorization Check for G/L Accounts
  But could I use it to give access only to certain GL Accounts by user ? Is this the purpose of this customizing ?
  If yes what´s the object should I use to link with user account !?
  best regards,
  Ale

  Hi ,
  After you setup the configuration in transaction OMRP, please setup up
  the authorisation group in the account code (FS02, the field is on the
  "Control", technical name is BEGRU).
  When a account assigned purchase order is created, the system checks for
  object F_BKPF_BES with values from the BEGRU and activity 01.

• Granting Authorization Group SC in S_TABU_DIS

  Hello Gurus,
  In our SAP Security Optimization Report, we have been highlighted that granting authorization group 'SC' to user will open a risk as follows:-
  "The authorization to view the data in table RFCDES makes it possible for a dictionary attack to find out the
  password of a user specified in an RFC connection."
  However, authorization group SC is also assigned to some other HR table under HRP* e.g. HRP1002.
  Can you advice what approach have you taken on granting access to this table?
  Thank you,
  Suriati

  Hi Bernhard,
  I was very curious about this and thinking about it while mowing the lawn this weekend
  I tried to emulate the checks described in my sandbox system (7.01 Bc SP 06) by modifying the function module.
  First of all, I think the checks can be transfered to a central form (just a logistics comment). If need be, STATICS could be used for CASES of the tables, which is already an import parameter (less spagetti
  Where I ran into some problems are with parameter transactions as "proxies" in the authorization maintenance for core transactions SM30, SE16, SM34 etc. I also tried the "old" tcodes.
  When you switch to the new S_TABU_NAM concept then it makes sense to not propose any S_TABU_DIS for the parameter transaction. In that case the core transaction pulls it's empty field for S_TABU_DIS each time ...
  The TSTCA entries are also a pestilence here, even if they were maintained with exact values. I maintained SU24 for my Z_TABU_NAM object so can as expected use it but there is a huge backlog of TSTCA entries for S_TABU_DIS.
  As the check is only performed (in my prototype) when S_TABU_DIS fails, it did provide certain granularity for isolated transaction codes, but with given (in my case very explicit!) standard authorizations for S_TABU_DIS in larger (single) roles if was very difficult to cleanly migrate to^the new concept (because of TSTCA and S_TABU_DIS NE Z_TABU_NAM).
  I am aware of SAP Note 1404093 but it is hard to "sell" SU24 maintenance to developers. You have it good in SAP type systems and it is still a hassle.
  Would it be possible that the expert mode merge can look for S_TABU_NAM and the automatically set S_TABU_DIS to inactive? I removed S_TABU_DIS from the core transactions as a workaround but it does not always work when it was already maintained.... This would require a "history" of the pervious merge, I guess... ?
  I will use this in new roles but am sceptical about a migration path for existing roles and existing SU24 maintenance "in the wild".
  Is there a major SAP release change at which SU22 will switch to this new concept as well?
  Cheers,
  Julius