Use of Authorization groups - do we need check on S_PROGRAM as well?

Similar Messages

• Use of Authorization Group in OB52

  Dear Experts,
  I have updated Authorization Group as "OB52" in the last column of OB52 T-Code against each posting period variant with account type + , A,D,K,S,M etc with normal period 1 to 12 and special period 13 to 16.
  The same Authorization Group "OB52" is updated in one of FI users say Mr X Role profile under authorization object F_BKPF_BUP.
  Now as per the SAP standard practice the special period 13-16 should open for the user Mr X and block for all other users. But system is allowing to do transaction with special period 13-16 for other users also.
  Please advise where I am wrong.
  Regards,
  Alok

  Dear,
  I will explain you the step involved for auth Mr.X to post for the particular period.
  Let take an example  that Mr.X has to be allowed to post between the period 1 to 11 and other user only for the period 11(Apr - March as fiscal year).
  Now,for valuation variant with account  ' +'  for the first period, you enter from period as '1' and to period as '10' and in second period, you enter from period '11' and to period '11', provide the auth group (eg KU - key user)  in the last column.
  For other accounts (A,D,M,K,S) change the first period from '1' to '12' and dont assign any auth group.
  Now you goto se16n and check in TBRG table whether your auth group KU is available for the object F_BKPF_BUP,if not maintain it.
  The last step is to assign "KU" to Mr.X profile or role against the object F_BKPF_BUP.
  Once you made the change"generate" and save it.
  Now the system will permit Mr.X to post for the periods between 1 to 11 and other user only for 11 period.
  Hope that i am ab;le to clear your boubt.
  Do revert for any further assistance.
  Take care
  God Bless
  Regards

• Using Authorization group field in Data entry profile

  Hi,
  I would need some help in configuring/using the authorization group field in data entry profile.
  After setting up the values in the drop down, how do we link to the authorization profiles or roles .
  basically, I would like to know the steps/activities required to use this field

  cross posting->thread locked.

• Multiple Authorization groups to be used in OB52 for a single company code

  Hello All,
  I need help in creating and assigning authorization groups in Transaction Code: OB52 to control the postings of few users in one authorization group. That is i want some users  to post in 2 back  period and others in only 1 back period.I have tried from my side and it is still not working.
  I followed the following step:
  I have created 2 groups and assigned the users accordingly but the thing is i am only able to find 1 feild for entering authorization group
  If there is any thing i am missing or if i have done some thing wrong in this process please help me.
  Please Provide me the logic of how to use two authorization groups with one feild.
  Best Regards,
  Ravi
  Edited by: Ravi Eddhula Reddy Kumar on Apr 3, 2011 1:01 PM

  Hi,
  Try with this possibility
  In ob52 create two rows.
  Assign the required periods for Group A in Row 1
  Assign the required periods for Groub b in Row 2
  Regards
  Prasad

• Authorization Group in se38

  Hi everybody,
  what is the use of Authorization group in se38 attribute? can we create and assign our own one?
  The actual scenerio which i am facing here is My report should not be viewed by some grop of  users. My friend is saying i can do that through the above said one. But i know i can do that using AUTHORITY-CHEK.  What i am asking here is can i accomplish this task by the above said attributes.
  Points will be awarded.
  Thanx in advance.
  Gladiator

  Hi,
  Authorization Checks
  To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.
  The following actions are subject to authorization checks that are performed before the start of a program or table maintenance and which the SAP applications cannot avoid:
  ·Starting SAP transactions (authorization object S_TCODE)
  Starting reports (authorization object S_PROGRAM)
  Calling RFC function modules (authorization object S_RFC)
  Table maintenance with generic tools (S_TABU_DIS)
  Checking at Program Level with AUTHORITY-CHECK
  Applications use the ABAP statement AUTHORITY-CHECK, which is inserted in the source code of the program, to check whether users have the appropriate authorization and whether these authorizations are suitably defined; that is, whether the user administrator has assigned the values required for the fields by the programmer. In this way, you can also protect transactions that are called indirectly by other programs.
  AUTHORITY-CHECK searches profiles specified in the user master record to see whether the user has authorization for the authorization object specified in the AUTHORITY-CHECK. If one of the authorizations found matches the required values, the check is successful.
  The access protection system must ensure that only authorized individuals have access to the system and to particular data. For achieving precise application security concerning authorization and to protect confidential data against unauthorized access it is very important to focus on the use of authorization groups.
  The authorization group allows extended authorization protection for particular objects. The authorization groups are freely definable. They usually occur in authorization objects together with an activity.
  The table that contains all authorization objects is TOBJ.
  The table that contains all activities is TACT.
  The table that contains definition of all authorization groups is TBRG.
  TBRG -- Contains all authorization groups and gives information about relation between authorization object and authorization group. The description of the authorization groups is defined in table TBRGT.
  The field name for authorization group -- BRGRU -- is used to make additional restrictions on authorizations /e.g. for document maintenance/. In authorization objects and authorization checks, there are fields which are checked to verify user authorizations. Customizing objects are combined in authorization groups, and the authorization group is one of the two authorization fields, for example, in authorization object S_TABU_DIS which is in the object class BC_A (Basis - Administration). This object is for displaying or maintaining tables. It controls access using the standard table maintenance tool (transaction SM31), enhanced table maintenance (SM30) or the Data Browser (SE16), including access in Customizing.
  Authorization object S_TABU_DIS has the following fields: DICBERCLS - Authorization group, maximum field length is four characters; and ACTVT - Activity (02: Add, change or delete table entries, 03: Only display table contents).
  Generally, SAP standard tables are assigned to authorization groups. These assignments can be changed. You can then assign tables manually to a suitable authorization group. To do this, start Transaction SM30 for maintenance view V_DDAT, and create an entry for each of these tables. In V_DDAT is stored the assignment of Tables/Views to Authorization Groups. V_DDAT is cross-client; therefore, it can be viewed and used in all clients.
  Note: If you don't make a selection, all tables maintained in Customizing transactions are assigned to authorization groups.
  Reward If Helpfull,
  Naresh.

• Authorization Group in T-Code: OB52

  Hi,
  I need to maintain 2 Auth. Group in T-Code: OB52, my requirment is below:
  for some users (nearly 25) needs to post the transaction in June Month and for some users (nearly 10)should have to post for selected GL in the month of June.
  So we decide to create two roles and assign the Auth Group in F_BKPF_BUP Auth. group. But i need to know whether the system will allow to assign two Auth. Group for one Company code (ie., 2 Auth. Group and all common users)
  Please revert ASAP.
  Regards
  JS

  The help on AuGr field in OB52 is good.  Here it is
  Authorization Group
  The authorization group allows extended authorization protection for particular objects. The authorization groups are freely definable. The authorization groups usually occur in authorization objects together with an activity.
  Use
  A posting period can be made available to only a limited set of users using the authorization group.
  Procedure
  If only a limited set of users is to be able to post in a particular posting period, proceed as follows:
  Add the posting period authorization (authorization object F_BKPF_BUP) to the authorizations of the selected users. Assign an authorization group (e.g. '0001').
  Enter the account type '+' for the posting period variant to which the restriction is to apply. Enter the period(s) whose use is to be restricted in the first period, those which are available to all users in the second period, and the authorization group (e.g. '0001') in the last column.
  Examples
  A posting period can be successively restricted. If, e.g. 10 users have the posting period authorization with authorization group '0001', and 3 of these 10 users also with authorization group '0002'.
  If the period is only to be accessible to the 10 selected users the authorization group '0001' is entered in the posting period variant. Access can later be restricted to the remaining 3 users by entering '0002'.
  I guess your requirement can very well be met, as explained in the example above.  Also implement the following SAP Note to be able to assign the authorization group at document header level (account type '+') and at line item level in Transaction OB52.
  https://service.sap.com/sap/support/notes/891505
  Srikanth
  PS: I have seen in a reply above that AuGr controls only special periods, which is not a correct statement.  AuGr controls postings in the period specified in From per.1/Year To period/Year in OB52.

• Authorization Groups and table TBRG

  In our system we have tables which are using custom authorization group ZEXC.  I am looking at this via SE11 Table Maintenance Generator or SE54 Assign Authorization Group.
  I can also see that it is assigned to roles by using SUIM -->Roles-->By Authorization values -->entry auth object (S_TABU_DIS) and click on entry values.
  What I am not seeing is that the authorization group is defined in table TBRG.
  So my question is....  An authorization group does not need to be defined in order to attach it to a table or assign it to a role?  If the authorization group was created then deleted is it still valid to have it attached to tables and roles?

  Hi Sharon,
  Assign the authorization to user and make it inactive mode.Then authorization will be deactived to tat particular user's.

• SE54 Change Authorization Group

  Hi all,
  I have an immediate need -- a previous developer created a table view and generated a function group for maintenance. The authorization group they assigned was incorrect so I need to change it. How can I do this?
  I went to SE54, changed the authorization group, then hit the "Change" button. It pops up asking for a "Reason for Change". My questions:
  1. Will this overwrite the funciton group and generate a new one? I do not want this to happen.
  2. Does it matter what reason I choose? There is not one for authorization group change.
  Thanks in advance. Points will be awarded for helpful answers.
  Message was edited by:
          John S

  Has anyone else encountered this problem? I have still not been able to find a solution.
  A recap:
  1. A previous developer created a custom table and a maintenance view to edit that table. Using the table maintenance generator he also developed some custom functionality and created a custom transaction to call this in SM30.
  2. The table and maintenance view were created with &NC& authorization group.
  3. We created a new authorization group that we need to assign to the maintenance view.
  4. Somehow the auth group for the custom table was changed to the new auth group.
  5. We have been unable to change the auth group for the maintenance view using a variety of ways.
  Does anyone have any suggestions?

• What is authorization group?

  Hi all,
  Can anyone tell me what is authorization group? I always come across this when I am inside pfcg and look into the authorization object.
  I know that authorization object groups authorization fields together. And authorization is an instance of authorization object. But how does authorization group fit into this model?
  I have read parts of the help manual that mention auth. group is used to manage Z tables, but they never mention the above relationship.
  Thanks.

  HI Jockey,
  The access protection system must ensure that only authorized individuals have access to the system and to particular data. For achieving precise application security concerning authorization and to protect confidential data against unauthorized access it is very important to focus on the use of authorization groups.
  The authorization group allows extended authorization protection for particular objects. The authorization groups are freely definable. They usually occur in authorization objects together with an activity.
  The table that contains all authorization objects is TOBJ.
  The table that contains all activities is TACT.
  The table that contains definition of all authorization groups is TBRG.
  TBRG -- Contains all authorization groups and gives information about relation between authorization object and authorization group. The description of the authorization groups is defined in table TBRGT.
  The field name for authorization group -- BRGRU -- is used to make additional restrictions on authorizations /e.g. for document maintenance/. In authorization objects and authorization checks, there are fields which are checked to verify user authorizations. Customizing objects are combined in authorization groups, and the authorization group is one of the two authorization fields, for example, in authorization object S_TABU_DIS which is in the object class BC_A (Basis - Administration). This object is for displaying or maintaining tables. It controls access using the standard table maintenance tool (transaction SM31), enhanced table maintenance (SM30) or the Data Browser (SE16), including access in Customizing.
  Authorization object S_TABU_DIS has the following fields: DICBERCLS - Authorization group, maximum field length is four characters; and ACTVT - Activity (02: Add, change or delete table entries, 03: Only display table contents).
  Generally, SAP standard tables are assigned to authorization groups. These assignments can be changed. You can then assign tables manually to a suitable authorization group. To do this, start Transaction SM30 for maintenance view V_DDAT, and create an entry for each of these tables. In V_DDAT is stored the assignment of Tables/Views to Authorization Groups. V_DDAT is cross-client; therefore, it can be viewed and used in all clients.
  Note: If you don't make a selection, all tables maintained in Customizing transactions are assigned to authorization groups.
  Check these links too..
  http://help.sap.com/saphelp_crm50/helpdata/en/52/671285439b11d1896f0000e8322d00/frameset.htm
  http://help.sap.com/saphelp_nw04s/helpdata/en/52/67129f439b11d1896f0000e8322d00/frameset.htm
  http://www.sap4.com/contentid-39.html
  Thanks,
  Susmitha
  Dont forget to reward points for useful answers.
  Message was edited by: Susmitha Thomas

• Material Type & Authorization group

  Hi -
  I got the following question from a friend.
  We need to remove the material type XXXX and YYYY from the authorization group ZZZZ
  We need to add the Material Type AAAA to the Authorization Group ZZZZ. "
  I have no clue where a material type can be associated with Auth Group.
  Please advise.
  Thanks alot.

  Hi,
  I will give the Authorzation object and Authorization group
  1. M_MATE_MAR (Auth. Object)
  2. BEGRU  ( Auth. Group).
  You can change material type and authorization group here.
  Siva

• Regarding ABAP Query authorization group

  Hi Team,
  This is regarding ABAP Query!
  I have created one authorization group, for testing i have assigned my id in authorization group.
  After creation of ABAP query,standard program got generated. Now i have created one transaction code at the last for the ABAP Query.
  Now the isse is even though i have deleted my id from the authorization group. I am able to execute the query from SQ01 and with the Transaction code .
  It should not happen...i want who soever id is mapped to the transaction code ...that member should only be able to run that query, otherwise there is no use of authorization group.
  Please help me out in this case.
  Thanks & Regards,
  Anil Kumar Sahni

  Are you sure that you don't have access to that authorisation group? Execute report RSUSR002. In the 'Authorization Object 1' block inform  S_TABU_DIS in 'Auth.Object' and accept. Then inform Activity=03 and Auth.Gruop= your group.
  You will get a list of all the users which, theoretically, will be able to execute the query. If you press 'Roles' or 'Profiles' in the toolbar of the listing you will get to know why you have authorisation. May be you have the SAP_ALL profile.
  Also, one more thing to take into account: how have you created your transaction? Is it referring directly to the generated report? Then it is an error, you should execute program SAP_QUERY_CALL. Read this post: [Relate transaction to query;

• How work Authorization Group in cv02n ?

  Dear Gurus
  i would like to know how i can use the Authorization Group in cv02n?
  Is possible use this objcet in order to enable the some user to change document data ?
  Thanks a lot
  Daniele

  You can use the Authorization Group to control the authorization at DIR level,
  Person authorize for a one Authorization Group will be not able to access the DIR of other Authorization Group.

• Check available authorization groups

  Hi ,
  if a custom table needs to be assigned to an authorization group in SAP.
  Which is the transaction to check users assigned to an authorization group?
  Currently i have an idea that Assigning and Creating authorization groups are dealt in SE54 but i cannot find a way to check
  whether users are assigned to an authorization group...!!!
  thanks
  kritika

  Checking Assignment of Authorization Groups to Tables:
  You can also assign authorization groups to tables to avoid users accessing tables using general access tools (such as transaction SE16). A user requires not only authorization to execute the tool, but must also have authorization to be permitted to access tables with the relevant group assignments. For this case, we deliver tables with predefined assignments to authorization groups. The assignments are defined in table TDDAT; the checked authorization object is S_TABU_DIS.
  You can assign a table to authorization group Z000. (Use transaction SM30 for table TDDAT) A user that wants to access this table must have authorization object S_TABU_DIS in his or her profile with the value Z000 in the field DICBERCLS (authorization group for ABAP Dictionary objects).
  See also:
  ·        SAP Notes 7642, 20534, 23342, 33154, and 67766
  ·        Documentation for RSCSAUTH
  Hope this helps.... if not check the following link
  If you still don't find, search google 'table authorization groups in sap' - There are good info on web.
  You can assign the authorization group to any custom table via SE11 - table - display - utilities - assign authorization group and rest follow the sap help (where to maintain and how to assign) .This is a developer and security persons work.

• Checking BOM Authorization Group

  Hai Friends,
  I have developed a mulitilevel BOM display report. End users have been assigned to 2 Authorization Group as A1 and A2.
  If a user has A1 authorization i have to explode the BOM fully else i have stop to a certain class. How do i identify that a user has A1 authorization or not?. Is there any FM?. if so what all are the parameters needs to be passed.

  Hi T,
  First you need to get authorization object for BOM. You can use transaction ST05 to trace the object.
  Then you can use command AUTHORITY-CHECK OBJECT in your program to check against the object whether the user have authorization or not.
  Regards,
  Chaiphon

• Authorization group in GL A/C using FB01

  HI, We have  activated the authorization Group in GL A/c. Using the authorization object F_BKPF_BES we were able to create restrictions on other tcodes like F-28 . However when using the u201CFB01u201D tcode, the authorization check does not have any effect. I have already check the authorization in SU24 for fb01 and status is set to YES. I have also created a trace(using ST01) for this transaction but ST01 does not show any authorization trace for F_BKPF_BES.

  Hello,
  Authorization object：F_BKPF_BES should be checked when you run FB01.
  In your case,please try to check the following points:
  1.Authrization group was assigend to G/.L master data correctly.
  2.Authrization group  was assigend to object：F_BKPF_BES correctly.
  3.Avtivity was defined in this object correctly.
  4.Role was assgined to user correctly.
  5.SAP_ALL authorization was deleted from the user profile.
  Note: it is impossible to define the authorization group as '  '(space) in object：F_BKPF_BES,
  if '  ' was defined, system will consider there are no any setting existed.
  Hope the above infor. could help you to solve this issue.
  Best Regards,