Use of Authorization Group in OB52

Dear Experts,
I have updated Authorization Group as "OB52" in the last column of OB52 T-Code against each posting period variant with account type + , A,D,K,S,M etc with normal period 1 to 12 and special period 13 to 16.
The same Authorization Group "OB52" is updated in one of FI users say Mr X Role profile under authorization object F_BKPF_BUP.
Now as per the SAP standard practice the special period 13-16 should open for the user Mr X and block for all other users. But system is allowing to do transaction with special period 13-16 for other users also.
Please advise where I am wrong.
Regards,
Alok

Dear,
I will explain the steps involved in authorizing Mr. X to post for a particular period.
Let us take an example in which Mr. X has to be allowed to post between periods 1 and 11, and other users only for period 11 (Apr - March as fiscal year).
Now, for the valuation variant with account '+', for the first period you enter from period as '1' and to period as '10', and in the second period you enter from period '11' and to period '11'; provide the auth group (e.g. KU - key user) in the last column.
For other accounts (A, D, M, K, S), change the first period from '1' to '12' and don't assign any auth group.
Now go to SE16N and check in table TBRG whether your auth group KU is available for the object F_BKPF_BUP; if not, maintain it.
The last step is to assign "KU" to Mr. X's profile or role against the object F_BKPF_BUP.
Once you have made the change, "generate" and save it.
Now the system will permit Mr. X to post for the periods between 1 and 11 and other users only for period 11.
Hope that I am able to clear your doubt.
Do revert for any further assistance.
Take care
God Bless
Regards

Similar Messages

  • Authorization group in OB52

    Hi,
    We want to give April 2009 authorization for one user and rest of the users should be post in this monthly.
    for that we have created 1 authorization groups in OB52 we entered like this:
    0001 + 1 2009 1 2009 3 2009 3 2009 3333 (Aut. group)
    we assigned 3333 in user profile also.
    guide me
    sateesh

    Hi Sateesh,
    It should be the other way around. The first section of the periods is controlled by the authorisation group. I understand that the user profile with the authorisation 3333 should be able to post in April ie 04/2009. Others should not be allowed to post, right?
    Maintain as follows in OB52 -
    0001  +  <GL Accounts>  04  2009  04  2009  06  2009  06  2009  3333
    0001  D  <GL Accounts>  04  2009  04  2009  06  2009  06  2009  3333
    0001  K  <GL Accounts>  04  2009  04  2009  06  2009  06  2009  3333
    0001  M  <GL Accounts>  04  2009  04  2009  06  2009  06  2009  3333
    0001  S  <GL Accounts>  04  2009  04  2009  06  2009  06  2009  3333
    0001  A  <GL Accounts>  04  2009  04  2009  06  2009  06  2009  3333
    Regards,
    Mike

  • Use of Authorization groups - do we need check on S_PROGRAM as well?

    Hi!
    As a rule we always implement authorization group in the attributes of our ABAP programs. We also insert an include which contains a check:
    AUTHORITY-CHECK OBJECT 'S_PROGRAM'
           ID 'P_GROUP' FIELD  W-SECU
           ID 'P_ACTION' DUMMY.
    where W_SECU is the given authorization group.
    My question is: do we really need this check in saperp2005 systems? I have a feeling that this check is included in the SE38 transaction already now. Why I think this: someone forgot to copy the content of the mentioned include into our upgraded system, and if I try to run a program with a specified authorization group I do not have access to, I get a message about this automatically from SE38.
    Regards, Tine

    Hi,
    that must be wrong. You must differentiate between calling transaction SE38 (for which you need an authorization) and executing the program (which you insert as an include). On one side, transaction SA38 is the one your users must call for this. On the other side, I'm also working with MySAP 2005 and SE38 does not check the authority for the program.

  • Multiple Authorization groups to be used in OB52 for a single company code

    Hello All,
    I need help in creating and assigning authorization groups in Transaction Code: OB52 to control the postings of a few users in one authorization group. That is, I want some users to post in 2 back periods and others in only 1 back period. I have tried from my side and it is still not working.
    I followed the following step:
    I have created 2 groups and assigned the users accordingly, but the thing is I am only able to find 1 field for entering the authorization group.
    If there is anything I am missing or if I have done something wrong in this process, please help me.
    Please provide me the logic of how to use two authorization groups with one field.
    Best Regards,
    Ravi
    Edited by: Ravi Eddhula Reddy Kumar on Apr 3, 2011 1:01 PM

    Hi,
    Try with this possibility
    In ob52 create two rows.
    Assign the required periods for Group A in Row 1
    Assign the required periods for Group B in Row 2
    Regards
    Prasad

  • Authorization Group in T-Code: OB52

    Hi,
    I need to maintain 2 Auth. Groups in T-Code: OB52; my requirement is below:
    for some users (nearly 25) needs to post the transaction in June Month and for some users (nearly 10)should have to post for selected GL in the month of June.
    So we decide to create two roles and assign the Auth Group in F_BKPF_BUP Auth. group. But i need to know whether the system will allow to assign two Auth. Group for one Company code (ie., 2 Auth. Group and all common users)
    Please revert ASAP.
    Regards
    JS

    The help on AuGr field in OB52 is good.  Here it is
    Authorization Group
    The authorization group allows extended authorization protection for particular objects. The authorization groups are freely definable. The authorization groups usually occur in authorization objects together with an activity.
    Use
    A posting period can be made available to only a limited set of users using the authorization group.
    Procedure
    If only a limited set of users is to be able to post in a particular posting period, proceed as follows:
    Add the posting period authorization (authorization object F_BKPF_BUP) to the authorizations of the selected users. Assign an authorization group (e.g. '0001').
    Enter the account type '+' for the posting period variant to which the restriction is to apply. Enter the period(s) whose use is to be restricted in the first period, those which are available to all users in the second period, and the authorization group (e.g. '0001') in the last column.
    Examples
    A posting period can be successively restricted. If, e.g. 10 users have the posting period authorization with authorization group '0001', and 3 of these 10 users also with authorization group '0002'.
    If the period is only to be accessible to the 10 selected users the authorization group '0001' is entered in the posting period variant. Access can later be restricted to the remaining 3 users by entering '0002'.
    I guess your requirement can very well be met, as explained in the example above.  Also implement the following SAP Note to be able to assign the authorization group at document header level (account type '+') and at line item level in Transaction OB52.
    https://service.sap.com/sap/support/notes/891505
    Srikanth
    PS: I have seen in a reply above that AuGr controls only special periods, which is not a correct statement.  AuGr controls postings in the period specified in From per.1/Year To period/Year in OB52.
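
The two-interval rule from the field help quoted above, as an added Python sketch (not part of any post on this page and not SAP code): interval 1 is guarded by the authorization group from F_BKPF_BUP, interval 2 is open to every user. The row layout, the names `PeriodRow`, `may_post` and `open_to_all`, and the sample rows and users are assumptions constructed for illustration; only the account type '+' row is modelled.

```python
from dataclasses import dataclass

MAX_PERIOD = 16  # 12 normal periods plus special periods 13-16


@dataclass(frozen=True)
class PeriodRow:
    """One OB52 line for account type '+'. Constructed model, not SAP's table layout."""
    variant: str
    from1: tuple          # interval 1 start as (fiscal year, period)
    to1: tuple            # interval 1 end
    from2: tuple          # interval 2 start
    to2: tuple            # interval 2 end
    auth_group: str = ""  # AuGr column; blank means interval 1 is unrestricted


def may_post(row, year, period, user_groups):
    """Return True if a user holding F_BKPF_BUP groups `user_groups` may post.

    Interval 2 is open to every user. Interval 1 is open only to users whose
    F_BKPF_BUP authorization contains the row's group ('*' matches any group).
    """
    key = (year, period)
    if row.from2 <= key <= row.to2:
        return True
    if row.from1 <= key <= row.to1:
        group = row.auth_group.strip()
        return not group or group in user_groups or "*" in user_groups
    return False


def open_to_all(row):
    """List the (year, period) pairs postable without any authorization group."""
    years = range(min(row.from1[0], row.from2[0]), max(row.to1[0], row.to2[0]) + 1)
    return [(y, p) for y in years for p in range(1, MAX_PERIOD + 1)
            if may_post(row, y, p, frozenset())]


# Constructed rows for fiscal year 2009, posting period variant 0001.
# WEAK: special periods sit in interval 2, so the group never guards them.
WEAK = PeriodRow("0001", (2009, 1), (2009, 12), (2009, 13), (2009, 16), "0001")
# FIXED: special periods moved to interval 1, normal periods to interval 2.
FIXED = PeriodRow("0001", (2009, 13), (2009, 16), (2009, 1), (2009, 12), "0001")

KEY_USER = frozenset({"0001"})   # hypothetical user with group 0001 in F_BKPF_BUP
OTHER_USER = frozenset()         # hypothetical user without the group

if __name__ == "__main__":
    for name, row in (("WEAK", WEAK), ("FIXED", FIXED)):
        print(name,
              "other user, period 13:", may_post(row, 2009, 13, OTHER_USER),
              "| key user, period 13:", may_post(row, 2009, 13, KEY_USER),
              "| open to all:", [p for _, p in open_to_all(row)])
```

Running `open_to_all` over an export of the '+' rows is a quick review check: any period it returns is postable by users who hold no authorization group at all.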

  • Using Authorization group field in Data entry profile

    Hi,
    I would need some help in configuring/using the authorization group field in data entry profile.
    After setting up the values in the drop down, how do we link to the authorization profiles or roles .
    basically, I would like to know the steps/activities required to use this field

    cross posting->thread locked.

  • Regarding ABAP Query authorization group

    Hi Team,
    This is regarding ABAP Query!
    I have created one authorization group, for testing i have assigned my id in authorization group.
    After creation of ABAP query,standard program got generated. Now i have created one transaction code at the last for the ABAP Query.
    Now the issue is that even though I have deleted my ID from the authorization group, I am able to execute the query from SQ01 and with the transaction code.
    It should not happen...i want who soever id is mapped to the transaction code ...that member should only be able to run that query, otherwise there is no use of authorization group.
    Please help me out in this case.
    Thanks & Regards,
    Anil Kumar Sahni

    Are you sure that you don't have access to that authorisation group? Execute report RSUSR002. In the 'Authorization Object 1' block inform S_TABU_DIS in 'Auth.Object' and accept. Then inform Activity=03 and Auth.Group= your group.
    You will get a list of all the users which, theoretically, will be able to execute the query. If you press 'Roles' or 'Profiles' in the toolbar of the listing you will get to know why you have authorisation. May be you have the SAP_ALL profile.
    Also, one more thing to take into account: how have you created your transaction? Is it referring directly to the generated report? Then it is an error, you should execute program SAP_QUERY_CALL. Read this post: Relate transaction to query

  • Authorization Group in se38

    Hi everybody,
    what is the use of Authorization group in se38 attribute? can we create and assign our own one?
    The actual scenario which I am facing here is that my report should not be viewed by some group of users. My friend is saying I can do that through the above said one. But I know I can do that using AUTHORITY-CHECK. What I am asking here is: can I accomplish this task by the above said attributes?
    Points will be awarded.
    Thanx in advance.
    Gladiator

    Hi,
    Authorization Checks
    To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.
    The following actions are subject to authorization checks that are performed before the start of a program or table maintenance and which the SAP applications cannot avoid:
    Starting SAP transactions (authorization object S_TCODE)
    Starting reports (authorization object S_PROGRAM)
    Calling RFC function modules (authorization object S_RFC)
    Table maintenance with generic tools (S_TABU_DIS)
    Checking at Program Level with AUTHORITY-CHECK
    Applications use the ABAP statement AUTHORITY-CHECK, which is inserted in the source code of the program, to check whether users have the appropriate authorization and whether these authorizations are suitably defined; that is, whether the user administrator has assigned the values required for the fields by the programmer. In this way, you can also protect transactions that are called indirectly by other programs.
    AUTHORITY-CHECK searches profiles specified in the user master record to see whether the user has authorization for the authorization object specified in the AUTHORITY-CHECK. If one of the authorizations found matches the required values, the check is successful.
    The access protection system must ensure that only authorized individuals have access to the system and to particular data. For achieving precise application security concerning authorization and to protect confidential data against unauthorized access it is very important to focus on the use of authorization groups.
    The authorization group allows extended authorization protection for particular objects. The authorization groups are freely definable. They usually occur in authorization objects together with an activity.
    The table that contains all authorization objects is TOBJ.
    The table that contains all activities is TACT.
    The table that contains definition of all authorization groups is TBRG.
    TBRG -- Contains all authorization groups and gives information about relation between authorization object and authorization group. The description of the authorization groups is defined in table TBRGT.
    The field name for authorization group -- BRGRU -- is used to make additional restrictions on authorizations /e.g. for document maintenance/. In authorization objects and authorization checks, there are fields which are checked to verify user authorizations. Customizing objects are combined in authorization groups, and the authorization group is one of the two authorization fields, for example, in authorization object S_TABU_DIS which is in the object class BC_A (Basis - Administration). This object is for displaying or maintaining tables. It controls access using the standard table maintenance tool (transaction SM31), enhanced table maintenance (SM30) or the Data Browser (SE16), including access in Customizing.
    Authorization object S_TABU_DIS has the following fields: DICBERCLS - Authorization group, maximum field length is four characters; and ACTVT - Activity (02: Add, change or delete table entries, 03: Only display table contents).
    Generally, SAP standard tables are assigned to authorization groups. These assignments can be changed. You can then assign tables manually to a suitable authorization group. To do this, start Transaction SM30 for maintenance view V_DDAT, and create an entry for each of these tables. In V_DDAT is stored the assignment of Tables/Views to Authorization Groups. V_DDAT is cross-client; therefore, it can be viewed and used in all clients.
    Note: If you don't make a selection, all tables maintained in Customizing transactions are assigned to authorization groups.
    Reward if helpful,
    Naresh.

  • How work Authorization Group in cv02n ?

    Dear Gurus
    i would like to know how i can use the Authorization Group in cv02n?
    Is it possible to use this object in order to enable some users to change document data?
    Thanks a lot
    Daniele

    You can use the Authorization Group to control the authorization at DIR level.
    A person authorized for one Authorization Group will not be able to access the DIR of another Authorization Group.

  • Authorization Groups and table TBRG

    In our system we have tables which are using custom authorization group ZEXC.  I am looking at this via SE11 Table Maintenance Generator or SE54 Assign Authorization Group.
    I can also see that it is assigned to roles by using SUIM -->Roles-->By Authorization values -->entry auth object (S_TABU_DIS) and click on entry values.
    What I am not seeing is that the authorization group is defined in table TBRG.
    So my question is....  An authorization group does not need to be defined in order to attach it to a table or assign it to a role?  If the authorization group was created then deleted is it still valid to have it attached to tables and roles?

    Hi Sharon,
    Assign the authorization to the user and set it to inactive mode. Then the authorization will be deactivated for that particular user.

  • What is authorization group?

    Hi all,
    Can anyone tell me what is authorization group? I always come across this when I am inside pfcg and look into the authorization object.
    I know that authorization object groups authorization fields together. And authorization is an instance of authorization object. But how does authorization group fit into this model?
    I have read parts of the help manual that mention auth. group is used to manage Z tables, but they never mention the above relationship.
    Thanks.

    HI Jockey,
    The access protection system must ensure that only authorized individuals have access to the system and to particular data. For achieving precise application security concerning authorization and to protect confidential data against unauthorized access it is very important to focus on the use of authorization groups.
    The authorization group allows extended authorization protection for particular objects. The authorization groups are freely definable. They usually occur in authorization objects together with an activity.
    The table that contains all authorization objects is TOBJ.
    The table that contains all activities is TACT.
    The table that contains definition of all authorization groups is TBRG.
    TBRG -- Contains all authorization groups and gives information about relation between authorization object and authorization group. The description of the authorization groups is defined in table TBRGT.
    The field name for authorization group -- BRGRU -- is used to make additional restrictions on authorizations /e.g. for document maintenance/. In authorization objects and authorization checks, there are fields which are checked to verify user authorizations. Customizing objects are combined in authorization groups, and the authorization group is one of the two authorization fields, for example, in authorization object S_TABU_DIS which is in the object class BC_A (Basis - Administration). This object is for displaying or maintaining tables. It controls access using the standard table maintenance tool (transaction SM31), enhanced table maintenance (SM30) or the Data Browser (SE16), including access in Customizing.
    Authorization object S_TABU_DIS has the following fields: DICBERCLS - Authorization group, maximum field length is four characters; and ACTVT - Activity (02: Add, change or delete table entries, 03: Only display table contents).
    Generally, SAP standard tables are assigned to authorization groups. These assignments can be changed. You can then assign tables manually to a suitable authorization group. To do this, start Transaction SM30 for maintenance view V_DDAT, and create an entry for each of these tables. In V_DDAT is stored the assignment of Tables/Views to Authorization Groups. V_DDAT is cross-client; therefore, it can be viewed and used in all clients.
    Note: If you don't make a selection, all tables maintained in Customizing transactions are assigned to authorization groups.
    Check these links too..
    http://help.sap.com/saphelp_crm50/helpdata/en/52/671285439b11d1896f0000e8322d00/frameset.htm
    http://help.sap.com/saphelp_nw04s/helpdata/en/52/67129f439b11d1896f0000e8322d00/frameset.htm
    http://www.sap4.com/contentid-39.html
    Thanks,
    Susmitha
    Don't forget to reward points for useful answers.
    Message was edited by: Susmitha Thomas

  • Authorization group in GL A/C using FB01

    HI, We have activated the authorization Group in GL A/c. Using the authorization object F_BKPF_BES we were able to create restrictions on other tcodes like F-28. However, when using the "FB01" tcode, the authorization check does not have any effect. I have already checked the authorization in SU24 for FB01 and the status is set to YES. I have also created a trace (using ST01) for this transaction but ST01 does not show any authorization trace for F_BKPF_BES.

    Hello,
    Authorization object F_BKPF_BES should be checked when you run FB01.
    In your case, please try to check the following points:
    1. Authorization group was assigned to G/L master data correctly.
    2. Authorization group was assigned to object F_BKPF_BES correctly.
    3. Activity was defined in this object correctly.
    4. Role was assigned to user correctly.
    5. SAP_ALL authorization was deleted from the user profile.
    Note: it is impossible to define the authorization group as '  ' (space) in object F_BKPF_BES;
    if '  ' was defined, the system will consider that no setting exists.
    Hope the above info could help you to solve this issue.
    Best Regards,

  • Which table could i find 'Authorization Group'  used for Material master?

    Hi experts,
    Is there any table available could i find all 'Authorization Group' list as used by material master data.
    OR in SPRO, anywhere could i find 'Define authorization group' for material master data specific??
    Thanks.

    Hi
    Authorization group in the material master are maintained at the material type level.
    SPRO->IMG-> Logistics - General-> Material Master-> Basic Settings-> Material Types-> Define Attributes of Material Types
    List of authorization groups can be found in table T134-Material Types
    This field is a free-defined 4-character field.
    Thanks & Regards
    Kishore

  • Can't use more than one authorization group per report with SBO CR Basic

    Can't use more than one authorization group per report with SBO CR Basic.
    I have installed on SAP Business One SBO 2007 SP00 PL49 the Crystal Reports Basic 2.0.0.7.
    I have defined two users, manager and supervisor.
    I have defined two groups, M and S.
    Manager belongs in managers (M), and supervisor is assigned to the supervisors (S).
    I enter one report, disable the public option to enable group authorization, and then check the M group.
    Manager can see the report, but Supervisor is not allowed. So far good.
    Then I uncheck M, then check S in the report properties, and Manager can't get in, supervisor opens the report. So far good.
    But when we check both groups or more, only the M group authorization appears to work, and S group users can't access, even though the report is allowed for that group; this also happens with all the groups apart from the first (2nd, 3rd, 4th, etc.).
    It seems that a report can manage a single group, but I have to be sure to tell this to the customer.
    So far we have included all Manager users in the S group in order that only the S group is used and authorized users can use it, but this is duplicating user participation in groups, and it would be much easier to check the desired groups for a single report.

  • Assign posting periods to authorization group in tcode S_ARL_87003642

    Hello,
    I want to restrict posting periods for some users. Therefore, I have created 2 functions associated to 2 authorization groups.
    In transaction S_ARL_87003642, when I try to assign different posting periods to each authorization group for the same company code (Posting Period Variant), a message appears saying 'Target key must be different from source key'.
    What am I doing wrong? Do you know how can I restrict posting periods for some users?
    Thanks and regards
    Ana Rita

    Dear,
    You simply have to define authorisation groups in OB52 and assign this group to F_bkpf_bup in SU01 against the user profile as desired. Take basis help.
    Regards
