What is authorization group?

Similar Messages

• What is the Authorization group in Cash Journal View Maintenance (FBCJC0)

  Question 1: In Cash Journal View Maintenance (Tcode: FBCJC0), what is the Authorization group? 
  Question 2: How / Where can I define this Authorization group?
  As per the F1 Help  document in SAP :
  The authorization group enables you protect access to certain objects.
  In order to carry out a specific activity, the user must have authorization for the combination of the activity and the authorization group.

  Hi,
  Authorisation in Cash journal is meant for controlling of FBCJ transaction with an user ID. 
  For example, if you have a multiple cash book (Cash journal) or you are maintaining a cash book according to Business Area wise, Plant wise, etc.,
  In this case, you don't want to allow the other people to view / transact your cash book, then you can assign some unique identification in the authorisation group column against the each of your cash journal.
  These unique identification can be of any thing eg. 1001, 1002, 1ABC, ABC, etc.,  After this, the indentification has to be assigned in the respective user profiles in the below mentiond objects,
  F_BKPF_BED
  F_BKPF_BEK
  F_BKPF_BES
  F_BKPF_BLA
  F_FBCJ
  Hope it helps
  Saravanan.A

• Assign posting periods to authorization group in tcode S_ARL_87003642

  Hello,
  I want to restrict posting periods for some users. Therefore, I have created 2 functions associated to 2 authorization groups.
  In transaction S_ARL_87003642, when I try to assign different posting periods to each authorization group to the same company code (Posting Period Variant) it appears a message saying u2018Target key must be different from source keyu2019.
  What am I doing wrong? Do you know how can I restrict posting periods for some users?
  Thanks and regards
  Ana Rita

  Dear,
  You simply have to define authorisation groups in OB52 and assign this group to F_bkpf_bup in SU01 against user proflie as desired. Take basis help.
  Regards

• Authorization Group for G/L Account

  Hi,
  What?
  - I wish to restrict the 'posting' of a G/L account to be done by certain users only
  How?
  - What I have done was...
  a) From FS00, I have added a free-text (BANK) into the Authorization Group for a G/L account
  b) From PFCG, a new role was created to allow these 2 Authorization Objects, F_BKPF_BES and F_SKA1_BES
  c) 'BANK' was entered for the Authorization Group for both these 2 Authorization Objects
  d) From there, I have assigned this new role to the user that I wish to allow Posting of the G/L account
  Problem?
  - Other users still can do Posting for this G/L account
  - Any steps which I have missed out here or done wrongly?
  Thanks,
  Brandon

  Hi,
  Some other roles of the users may override and cause the users to post against this GL account.
  Check all the roles relevant for the restricted users. 
  Use SUIM t-code to find if the auth object mentioned above is included in any other role.
  If it be, restrict that again.
  Generally if one role as no restriction against this auth and not all, this issue tends to happen.
  Regards,
  Sridevi

• Creation of Authorization group

  Hello All,
  I have a requirement from FI consultant for creation of new authorization group. This auth. group we want to use in FI objects like F_BKPF_BEK. so that for few end users they should not change any vendor data in FK02.
  I have gone through several posts, but not able to get / understand clear steps for creation of auth group and assignment.
  One of the post i found is below:
  [How to create Authorization group;
  i tried to do few steps but not in right direction. Request you some one please suggest me the steps for cration.
  Rgds,
  Durga.

  Julius,
  Thanks for the update. As suggested by you i have inserted one entry of auth group in TBRG table against FI object with SE16.
  Now how do we maintain the view of V_TBRG. Is it from SE11?, if yes then i should do this step from ABAP login.
  But what i heard is, this activity is purely involved by Basis people.
  Please suggest.
  Rgds,
  Durga.

• Authorization Group & TBRG

  Hello. I wonder what case should I create records into TBRG for.
  Generally, authorization group works when I set it to master record (e.g.vendor, customer,account code) and role (from PFCG).
  But, in some case, It is required to insert authorization group and its text to TBRG.
  Please tell me weather TBRG setting is essencial or not .
  Edited by: Julius Bussche on Dec 28, 2009 6:13 PM
  Table name corrected.

  Hi Yugo,
  Table TBRG - Contains all authorization groups and gives information about relation between authorization object and authorization group. Hence its very much necessary you maintain the authgroups in this table.
  Also if you want it to appear as a pick list when you click F4 in the DICBERCLES field in object S_TABU_DIS then you should have those valuse maintained in table:TBRG.
  There are several threads based on your query which are already answered. just search by "TBRG Auth Groups" in the same forum.
  Hope it helps.Let us know if you  need any more information from our side.

• Abap report attributes : Authorization group

  Hello,
  I would like to know if there is an enhancement to force the developer to assign an authorization group to the new created abap report, when filling the attributes
  Thank you by advance
  Philippe

  Hello,
  Thank you all for your answers.
  In both FUNCTIONs , EXIT_SAPDSAHD_010 (include ZXSEUU09) and
  EXIT_SAPLSEDTATTR_010 (include ZXSEUU20), I inserted a break <sy-uname>.
  When creating a new abap report (i.e. a local object), I reach only the
  break in include ZXSEUU20, and never after having filled up the program
  attributes popup, always before.
  My initial goal was to force the developer to enter a value in the authorization
  group.
  Do you have an idea of what is going wrong or is it the normal behaviour?
  Thank you,
  Philippe

• Set up authorization group F_LFA1_BEK

  Hi All,
  I would like to limit visibility of specific vendors and any related documents.  In the contol field of the vendor master (lfa1-begru), I entered an authorization group.  How do I limit the user's access to this authorization group.  Do I need to create an activity group before our security team can enter it into the user's profiles? 
  When I do an F1 on the control field, the procedure information states that 'You assign the authorization using authorization object F_LFA1_BEK.' 
  Kind regards,
  Cheryl Adamonis

  Hi Cheryl
  You just need to advise your Security Team the authorisation group value that you assigned, and what activity the users will need to have.
  For example, if you entered authorisation group ZZZZ in the vendor master:
  You would need to tell the Security Team, for roles XXXXXX, the authorisation object is L_FA1_BEK.  The activity is (1 = Create, 2 = Change, 3 = Display etc) and the Authorisation is ZZZZ (eg the one assigned to the vendor).  This will then restrict the users access.
  Regards
  Kylie

• What is authorization object and how to create it for a table

  Hi All,
  What is authorization object and how to create it for a table?
  Thanks

  Hi
  Authorization
  For authorization checks, there are many ways of linking authorization objects with user actions in an SAP system. The following discusses three possibilities in the context of ABAP programming.
  Authorization Check for Transactions
  You can directly link authorization objects with transaction codes. You can enter values for the fields of an authorization object in the transaction maintenance. Before the transaction is executed, the system compares these values with the values in the user master record and only starts the transaction if the appropriate authorization exists.
  Authorization Check for ABAP Programs
  For ABAP programs, the two objects S_DEVELOP (program development and program execution) and S_PROGRAM (program maintenance) exist. They contains a field P_GROUP that is connected with the program attribute authorization group. Thus, you can assign users program-specific authorizations for individual ABAP programs.
  Authorization Check in ABAP Programs
  A more sophisticated, user-programmed authorization check is possible using the Authority-Check statement. It allows you to check the entries in the user master record for specific authorization objects against any other values. Therefore, if a transaction or program is not sufficiently protected or not every user that is authorized to use the program can also execute all the actions, this statement must be used.
  AUTHORITY-CHECK OBJECT object
                          ID name1 FIELD f1
                          ID name2 FIELD f2
                          ID namen FIELD fn.
  object is the name of an authorization object. With name1, name2 ... , and so on, you must list all fields of the authorization object object. With  f1, f2 ... , and so on, you must specify the values that the system is to check against the entries in the relevant authorization of the user master record. The AUTHORITY-CHECK statement searches for the specified object in the user profile and checks the useru2019s authorizations for all values of f1, f2 ... . You can avoid checking a field name1, name2 ... by replacing FIELD f1  FIELD f2 with DUMMY.
  After the FIELD addition, you can only specify an elementary field, not a selection table. However, there are function modules available that execute the AUTHORITY-CHECK statement for all values of selection tables. The AUTHORITY-CHECK statement is supported by a statement pattern.
  Only if the user has all authorizations, is the return value sy-subrc of the AUTHORITY-CHECK statement set to 0. The most important return values are:
  ·        0: The user has an authorization for all specified values.
  ·        4: The user does not have the authorization.
  ·        8: The number of specified fields is incorrect.
  ·        12: The specified authorization object does not exist.
  A list of all possible return values is available in the ABAP keyword documentation. The content of sy-subrc has to be closely examined to ascertain the result of the authorization check and react accordingly.
  REPORT demo_authorithy_check.
  PARAMETERS pa_carr LIKE sflight-carrid.
  DATA wa_flights LIKE demo_focc.
  AT SELECTION-SCREEN.
    AUTHORITY-CHECK OBJECT 'S_CARRID'
                    ID 'CARRID' FIELD pa_carr
                    ID 'ACTVT' FIELD '03'.
    IF sy-subrc = 4.
      MESSAGE e045(sabapdocu) WITH pa_carr.
    ELSEIF sy-subrc <> 0.
      MESSAGE e184(sabapdocu) WITH text-010.
    ENDIF.
  START-OF-SELECTION.
    SELECT  carrid connid fldate seatsmax seatsocc
      FROM  sflight
      INTO  CORRESPONDING FIELDS OF wa_flights
      WHERE carrid = pa_carr.
      WRITE: / wa_flights-carrid,
               wa_flights-connid,
               wa_flights-fldate,
               wa_flights-seatsmax,
               wa_flights-seatsocc.
    ENDSELECT.
  Regards
  Hitesh

• AUTHORIZATION GROUP IN BP

  Hi All,
  Morning I posted this question. I wanted to know what is the use of the field authorization group in control tab of BP.
  I knw how to give value but what is the importance
  Thanx
  SARAVANA

  Hi Redek,
  Thanx for ur answer. I hv created the role and in that screen there is a tab like menu if i go to that menu there I can assign to that rle what will be the functionality by clicking on sap menu. second thing if I go to the authorization tab of role screen there I can choose the manual data by clicking on change authorization data and assign the user.
  Lets say I had created an role as sales manager. If I create an bp as a person and role how can I assign the role to that bp and what is the use of that field authorization group in control tab of bp.
  If I supposed to assign the authorization group in that how can I do this?
  Thanx
  Saravana

• Authorization Group in se38

  Hi everybody,
  what is the use of Authorization group in se38 attribute? can we create and assign our own one?
  The actual scenerio which i am facing here is My report should not be viewed by some grop of  users. My friend is saying i can do that through the above said one. But i know i can do that using AUTHORITY-CHEK.  What i am asking here is can i accomplish this task by the above said attributes.
  Points will be awarded.
  Thanx in advance.
  Gladiator

  Hi,
  Authorization Checks
  To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.
  The following actions are subject to authorization checks that are performed before the start of a program or table maintenance and which the SAP applications cannot avoid:
  ·Starting SAP transactions (authorization object S_TCODE)
  Starting reports (authorization object S_PROGRAM)
  Calling RFC function modules (authorization object S_RFC)
  Table maintenance with generic tools (S_TABU_DIS)
  Checking at Program Level with AUTHORITY-CHECK
  Applications use the ABAP statement AUTHORITY-CHECK, which is inserted in the source code of the program, to check whether users have the appropriate authorization and whether these authorizations are suitably defined; that is, whether the user administrator has assigned the values required for the fields by the programmer. In this way, you can also protect transactions that are called indirectly by other programs.
  AUTHORITY-CHECK searches profiles specified in the user master record to see whether the user has authorization for the authorization object specified in the AUTHORITY-CHECK. If one of the authorizations found matches the required values, the check is successful.
  The access protection system must ensure that only authorized individuals have access to the system and to particular data. For achieving precise application security concerning authorization and to protect confidential data against unauthorized access it is very important to focus on the use of authorization groups.
  The authorization group allows extended authorization protection for particular objects. The authorization groups are freely definable. They usually occur in authorization objects together with an activity.
  The table that contains all authorization objects is TOBJ.
  The table that contains all activities is TACT.
  The table that contains definition of all authorization groups is TBRG.
  TBRG -- Contains all authorization groups and gives information about relation between authorization object and authorization group. The description of the authorization groups is defined in table TBRGT.
  The field name for authorization group -- BRGRU -- is used to make additional restrictions on authorizations /e.g. for document maintenance/. In authorization objects and authorization checks, there are fields which are checked to verify user authorizations. Customizing objects are combined in authorization groups, and the authorization group is one of the two authorization fields, for example, in authorization object S_TABU_DIS which is in the object class BC_A (Basis - Administration). This object is for displaying or maintaining tables. It controls access using the standard table maintenance tool (transaction SM31), enhanced table maintenance (SM30) or the Data Browser (SE16), including access in Customizing.
  Authorization object S_TABU_DIS has the following fields: DICBERCLS - Authorization group, maximum field length is four characters; and ACTVT - Activity (02: Add, change or delete table entries, 03: Only display table contents).
  Generally, SAP standard tables are assigned to authorization groups. These assignments can be changed. You can then assign tables manually to a suitable authorization group. To do this, start Transaction SM30 for maintenance view V_DDAT, and create an entry for each of these tables. In V_DDAT is stored the assignment of Tables/Views to Authorization Groups. V_DDAT is cross-client; therefore, it can be viewed and used in all clients.
  Note: If you don't make a selection, all tables maintained in Customizing transactions are assigned to authorization groups.
  Reward If Helpfull,
  Naresh.

• Authorization Group in CV01n Document Data tab

  Hi SAP Gurus,
  I went on to Configure the Authorization groups at  spro / Document Management / Approval Tab,
  but the same is not appearing in CV01N create document, Basic data tab. Screen......
  can any one explain how to configure this Authorization Group and make use of this Authorization Group
  i tried in PFCG, at object C_DRAW_BGR, also but the authorization groups i have created is not displayed at all.
  what is the Configuration missing and to work with Authorization groups.
  please Advice
  Points Awaiting
  Thanks and Regards
  Kumar

  Dear Punam,
  Thanks for ur reply. i have created the authorization groups in SPRO at the approval Tab,
  and also can see the Field Authorization Group in CV01N basic data Field but
  By pressing F4 or searching i could not find my Auth groups created there,
  Nor i could find them at PFCG, at  C_DRAW_BGR objects, at BEGRU
  where has my created Auth group gone,
  please explain how to work with Auth groups. where and all it has to be assigned and linked.
  How to use Authorization Groups for Digital signatures and restrict users For accessing Documents And Original files specifically.
  Thanks and regards
  Kumar

• Authorization Groups and table TBRG

  In our system we have tables which are using custom authorization group ZEXC.  I am looking at this via SE11 Table Maintenance Generator or SE54 Assign Authorization Group.
  I can also see that it is assigned to roles by using SUIM -->Roles-->By Authorization values -->entry auth object (S_TABU_DIS) and click on entry values.
  What I am not seeing is that the authorization group is defined in table TBRG.
  So my question is....  An authorization group does not need to be defined in order to attach it to a table or assign it to a role?  If the authorization group was created then deleted is it still valid to have it attached to tables and roles?

  Hi Sharon,
  Assign the authorization to user and make it inactive mode.Then authorization will be deactived to tat particular user's.

• Checking BOM Authorization Group

  Hai Friends,
  I have developed a mulitilevel BOM display report. End users have been assigned to 2 Authorization Group as A1 and A2.
  If a user has A1 authorization i have to explode the BOM fully else i have stop to a certain class. How do i identify that a user has A1 authorization or not?. Is there any FM?. if so what all are the parameters needs to be passed.

  Hi T,
  First you need to get authorization object for BOM. You can use transaction ST05 to trace the object.
  Then you can use command AUTHORITY-CHECK OBJECT in your program to check against the object whether the user have authorization or not.
  Regards,
  Chaiphon

• SE54 Change Authorization Group

  Hi all,
  I have an immediate need -- a previous developer created a table view and generated a function group for maintenance. The authorization group they assigned was incorrect so I need to change it. How can I do this?
  I went to SE54, changed the authorization group, then hit the "Change" button. It pops up asking for a "Reason for Change". My questions:
  1. Will this overwrite the funciton group and generate a new one? I do not want this to happen.
  2. Does it matter what reason I choose? There is not one for authorization group change.
  Thanks in advance. Points will be awarded for helpful answers.
  Message was edited by:
          John S

  Has anyone else encountered this problem? I have still not been able to find a solution.
  A recap:
  1. A previous developer created a custom table and a maintenance view to edit that table. Using the table maintenance generator he also developed some custom functionality and created a custom transaction to call this in SM30.
  2. The table and maintenance view were created with &NC& authorization group.
  3. We created a new authorization group that we need to assign to the maintenance view.
  4. Somehow the auth group for the custom table was changed to the new auth group.
  5. We have been unable to change the auth group for the maintenance view using a variety of ways.
  Does anyone have any suggestions?