topic Re: Authorisation group and document type in Application Development and Automation Discussions

Authorisation group and document type

Former Member — Mon, 26 Nov 2007 12:48:01 GMT

Dear Experts

I want our users who are using transaction F.14 to be able to process document type ZF only. I have created a role and in the authorisation object F_BKPF_BLA

i can see field authorisation group and activity. What value i should put in the authorizatuion group object which will allow me to restrict users to work in document type ZF only

<removed_by_moderator>

Edited by: Julius Bussche on Apr 30, 2008 4:53 PM

Re: Authorisation group and document type

Former Member — Mon, 26 Nov 2007 13:30:17 GMT

Hi Pravin,

In this context, auth checks for auth group are only performed when an auth group is assigned to the document type. I don't have access to a system right now, but assuming that F.14 has an auth check for F_BKPF_BLA where appropriate.......(If not then this won't work)

If you want to restrict people to accessing ONLY doc type ZF then you need to

1. Use OBA7 to assign an auth group to that doc type

2. Ensure that auth groups are placed against all other doc types.

3. Ensure that the user only has access for the auth group that is assigned to doc type ZF - maintain this in object F_BKPF_BLA in the appropriate role.

If you don't do step 2 then the users will be able to process doc types ZF and ALL others that have not been assigned to an auth group.

If you are going down this route, you need to consider the consequences for other tx and roles that will now use F_BKPF_BLA once auth groups have been assigned to those doc types.

p.s. I seriously recommend talking this through with your FI functional team before doing anything, especially maintaining doc type config!

Message was edited by:

Alex Ayers

Re: Authorisation group and document type

Former Member — Mon, 26 Nov 2007 14:00:45 GMT

Hi Alex

Thanks for your quick response. could you also let me know what is the transaction to created authorization group

thanks

Pravvin

Re: Authorisation group and document type

Former Member — Mon, 26 Nov 2007 14:13:55 GMT

Hi Pravin,

I don't have access to the system at the moment and can't remember how to create auth group off the top of my head. I'm sure you will get some info if you use the forum search.

More importantly, you don't have to create an auth group before assigning it to the doc type. You can use any 4 characters that you like against the doc type and that will be used as the auth group.

Re: Authorisation group and document type

Former Member — Thu, 10 Jan 2008 23:17:11 GMT

do you mean the transaction SUGR ?

cheers

oren

Re: Authorisation group and document type

Former Member — Tue, 29 Jan 2008 16:48:29 GMT

Table tbrg in se16 allows you to assign authorization groups to authorization objects

Re: Authorisation group and document type

Former Member — Wed, 30 Apr 2008 16:30:36 GMT

Hi All,

Didnt know whether to start a new post or continue this one. Basically I have the same problem but I seem to be missing something fundamental (and I think it must be obvious!).

Dev Team:-

1) New transaction code created ZF10 by which amongst other things should only process the newly created document type ZF.

Myself (Security Team):-

1) All of our document types are defined in OBA7.

2) The specific document type is ZF that we want to restrict access to.

3) In V_TBRG I have defined the custom authorisation group ZDTF against object F_BKPF_BLA.

4) In SU24 I have defined against the custom transaction code ZF10 the authorisation object F_BKPF_BLA to be inserted with Activity values 01, 02, 03; and Authorisation Group ZDTF.

5) Create new role and add ZF10 which then populates the auth object and values above.

What I cant see / understand is how the document type is then restricted to ZF in the role as it isnt defined anywhere that the authorisation group ZDTF only allows access to document type ZF.

Any help on this will be greatly appreciated. PS Should I have created a new thread for this ?

Cheers

Steve

Re: Authorisation group and document type

Former Member — Wed, 30 Apr 2008 16:50:58 GMT

Authorization groups are as a general observation optional objects or fields of objects.

You activate them by assigning an authorization group to the record to protect it.

You then grant the access to that record by assigning the corresponding authorization for that value (and therefore the group of records which are protected by it) to the user.

If there is no authorization group on a record (in this case document type), then it is not protected and the check on F_BKPF_BLA is suppressed.

There are however some special exceptions to these rules (e.g. the suppression of the check is replaced by a symbolic check if the record is not assigned to a group, and the check itself is suppressed even if protected for aggregated reporting purposes), but in general that is how it works.

Hope that helps,

Julius

Re: Authorisation group and document type

Former Member — Wed, 30 Apr 2008 17:57:05 GMT

What is still not clear is:

- you have infact assigned ZDTF to doc type ZF? (you only mentioned the doc types are in OBA7)

- have you protected all other doc types which a user of ZF10 is also able to use? (F_BKPF_KOA!)

- Does your custom ZF10 transaction infact check F_BKPF_BLA, or not?

Re: Authorisation group and document type

Former Member — Wed, 30 Apr 2008 18:01:35 GMT

Julius, I wasn't expecting to see you here

Re: Authorisation group and document type

Former Member — Wed, 30 Apr 2008 18:15:58 GMT

It's raining non-stop... and I sneaked out for a while...

(Mad dogs, Englishman and Julius... )

Re: Authorisation group and document type

Former Member — Thu, 01 May 2008 08:33:37 GMT

Hi Julius,

I have not assigned ZDTF to doc type ZF, that appears to be the step Im missing.
All doc types are defined only in OBA7, the ZF10 user should ONLY be using ZF doc types, thats what Im trying to restrict it to - I have not looked at F_BKPF_KOA - is that how I should be doing it instead ?
ZF10 checks F_BKPF_BLA because I told it to in SU24, in the hope I could then enter the value ZDTF and hence restrict ZF10 users to ZF doc types only

Thanks

Steve

Re: Authorisation group and document type

Former Member — Thu, 01 May 2008 10:35:50 GMT


> * ZF10 checks F_BKPF_BLA because I told it to in SU24, in the hope I could then enter the value ZDTF and hence restrict ZF10 users to ZF doc types only

Hi Steve, adding the check in SU24 will do nothing unless there is an AUTHORITY-CHECK for the corresponding object in the code for your custom transaction (and appropriate logic based on the results of the check). Has this been done by your dev team?

Re: Authorisation group and document type

Former Member — Fri, 10 Oct 2008 14:08:37 GMT

Yep OK I get it now thanks - one question :- should the developers just be adding the auth object in the authority check statement (and then you subsequantly define the value in SU24) or should they include in the authority check the field values ?

Re: Authorisation group and document type

Former Member — Fri, 10 Oct 2008 15:14:10 GMT


> ... or should they include in the authority check the field values ?

This one.

If the fields should not be checked for a specific value (yet), then the data element DUMMY should be used.

Cheers,

Julius

Re: Authorisation group and document type

Former Member — Fri, 10 Oct 2008 15:17:12 GMT

OK Thanks Julius, yes I know exactly what values are required so I'll get the dev team to put them in, and normally have them matched in SU24 already ready for role menu assignment.

Cheers

Steve

Re: Authorisation group and document type

Former Member — Wed, 24 Apr 2013 04:22:36 GMT

Hi,

Need your help.. when the user is trying to process the output type for biling document with immediate process during save, it gets errored showing "You are not authorized to change documents of document type ZF"

Was this error mainly because of the authorization issues that's been discussed in this forum. Do we need to ask the user to contact security team..??

thanks in advance.

-V