2006 Oct 14 12:16 PM
We require an authorisation / activity group to allow postings to one-time vendors, i.e. only allow a user with this access the ability to post to OTVs.
Is there an authorisation object that allows postings to particular vendor master records or preferably a vendor account group?
The only SAP provided role I could find was: SAP_FI_AP_VENDOR_MASTER_DATA. Are there any others anyone knows of that can be used to achieve this requirement?
Any assistance would be appreciated. Thanks.
2006 Oct 15 4:40 AM
Build a role with the object F_LFA1_BEK to allow posting to one time vendors.
Apart from this, you should also restrict access to LFA1 table (this table provides vendor info).
2006 Oct 15 6:23 AM
Hi - thanks for your reply, but I think you missed the point.
The role already has F_LFA1_BEK object which you have suggested, but you cannot select (hence restrict) "CPD" or "CPDL" (One Time Vendor) as a value as it is not in range.
We tried using the object L_LFA1_GRP as this actually allows you to select CPD/CPDL on for such transactions related to vendor maintenance.
What we want is to be able to restrict the role being able to post to financial type documents in transactions such as F-53 or F-58, etc...
Also, how do you restrict access to LFA1 table? Thanks.
2006 Oct 15 6:59 AM
I would still insist that you use the object F_LFA1_BEK for this purpose.
In the authorization group field, just fill in your one time vendor group name "CPD". Don't worry about not being able to find the value in selection range. This should surely work.
Restricting LFKA1 should be based on your company policies on how you prefer to restrict tables. (S_TABU_DIS)
2006 Oct 15 9:26 AM
2006 Oct 16 6:08 AM
Nope! Doesn't restrict vendor as I suspected. We are wanting to use FB60 to create a role which is restricted to post to one time vendors only.
F_LFA1_BEK applies to transactions:
F-42 Enter Transfer Posting
FB02 Change Document, and FB03 Display Document.
Also, F_LFA1_GRP Vendor: Account Group Authorization controls transactions:
FK01 Create Vendor (Accounting)
FK02 Change Vendor (Accounting)
FK03 Display Vendor (Accounting)
FK04 Vendor Changes (Accounting)
FK05 Block Vendor (Accounting)
FK06 Mark Vendor for Deletion (Acctng)
FK08 Confirm Vendor Individually (Acct
FK09 Confirm Vendor List (Accounting)
Any other suggestions? Thanks.
2006 Oct 16 2:17 PM
The auth object - F_LFA1_GRP - is checked when using tcode FB60, but if the vendor master record does not have an authorization group specified then the authorization check is passed.
2006 Oct 17 12:18 AM
Hi - how is it possible that the authorization check is passed if there is no account group specified in the vendor master record? There would be no point in this check then?
One would have thought that ONLY if the value is specified in the master vendor corresponds with the restricted value in the authorisation, only then should the check be passed???
2006 Oct 17 9:57 AM
Hi Benjamin,
Most of SAP works in this way.
If the master record does not have an authorization group on it and the user does not have any authorization for a non-existing authorization group, then in SAP logic they "match" and the authority check is "passed" by virtue of the check not being performed.
Take a look in tcode SU21 and the documentation on F_BKPF_BEK:
Definition
Using this authorization object, you determine for which vendor accounts line items can be posted and processed.
Note
This authorization is optional.
The authorization group does not only have an effect when working with the accounts, but also when working with the master records. If you assign this authorization when working with accounts, you must also assign an authorization for the corresponding authorization group when working with the master records. The authorization object for this is called "F_LFA1_BEK".
Defined fields
The object consists of the fields "Authorization group" and "Activity". The authorization group can be freely defined by the user. You take the possible input values for the field "Activity" from table TACTZ.
Procedure
If you want to use this authorization, proceed as follows:
- define the authorization which you want to assign to selected employees, in which you list the authorization groups and the activities allowed.
- allocate this authorization using the corresponding profile.
- enter an authorization group in the master records which are specifically to be protected. You can enter an authorization group in either the general or in the company code-specific area of the master records.
An (initial) exception is S_TABU_DIS. If the standard SAP utility transactions are used, then a table without an authorization group is given a "symbolic" authorization group called '&NC&' which is checked. So you should seriously try to avoid giving users access to this symbolic auth group. In the case of account groups, s_program groups, etc it is a bit different as the check is only performed when a security measure is found to have been required.
2006 Oct 19 5:18 AM
Ben,
I am at a loss of memory. I think I used both objects F_LFA1_BEK and F_BKPF_BEK (now I am mostly betting on this object) to restrict one time vendors.
As JC indicated, the vendor records should be associated with one time vendor auth group.
Are you sure that you folks are assigning the CPD or CPDL group to all your one time vendors? Or are they using some other auth group name for the one time vendors? When I worked on this issue, our folks were using different auth groups say XYZ and ABC for one time vendors, and I was told that in the auth group field they can enter anything (no restrictions).
I used the above two objects, and in the auth group field I could not find the values in the selection range, so I tried to manually enter the auth groups and it worked miraculously. Back then this issue was confusing for quite some time.
2006 Oct 27 4:23 PM
2006 Oct 30 11:29 AM
I have tested F_BKPF_BEK and it is the object to use!
But the Vendor Master Record must have the Control - Authorization for Account group maintained; i.e. VEND, OTV, etc.
Also, in FI Configuration, for Vendor Account Types, General Data / Control / Authorization for the Vendor Account type should be selected as mandatory.
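Added example, not part of the thread and not SAP-delivered code: because the replies above explain that a vendor master record with a blank authorization group causes the check to be passed, the ABAP report below lists one-time vendor accounts whose authorization group is blank in the general or the company code data. The report name Z_OTV_BEGRU_AUDIT and the output layout are assumptions; it reads the standard fields LFA1-XCPDK, LFA1-KTOKK, LFA1-BEGRU and LFB1-BEGRU.

```abap
REPORT z_otv_begru_audit.
* Added example: report name and list layout are hypothetical.
* Lists one-time vendor accounts (LFA1-XCPDK = 'X') that have a blank
* authorization group (BEGRU) in general data or company code data.
* Such records are not protected by an authorization-group check.

TYPES: BEGIN OF ty_row,
         lifnr     TYPE lfa1-lifnr,   " vendor account number
         ktokk     TYPE lfa1-ktokk,   " vendor account group
         bukrs     TYPE lfb1-bukrs,   " company code
         begru_gen TYPE lfa1-begru,   " auth group, general data
         begru_cc  TYPE lfb1-begru,   " auth group, company code data
       END OF ty_row.

DATA: lt_rows TYPE STANDARD TABLE OF ty_row,
      ls_row  TYPE ty_row,
      lv_note TYPE c LENGTH 20.

* Columns are assigned to ty_row by position.
SELECT a~lifnr a~ktokk b~bukrs
       a~begru AS begru_gen
       b~begru AS begru_cc
  INTO TABLE lt_rows
  FROM lfa1 AS a
  INNER JOIN lfb1 AS b ON b~lifnr = a~lifnr
  WHERE a~xcpdk = 'X'
    AND ( a~begru = space OR b~begru = space ).

IF lt_rows IS INITIAL.
  WRITE: / 'All one-time vendors carry an authorization group at both levels.'.
ELSE.
  SORT lt_rows BY lifnr bukrs.
  LOOP AT lt_rows INTO ls_row.
    CLEAR lv_note.
    " Highlight records with no authorization group anywhere.
    IF ls_row-begru_gen IS INITIAL AND ls_row-begru_cc IS INITIAL.
      lv_note = 'BLANK AT BOTH LEVELS'.
    ENDIF.
    WRITE: / ls_row-lifnr, ls_row-ktokk, ls_row-bukrs,
             ls_row-begru_gen, ls_row-begru_cc, lv_note.
  ENDLOOP.
ENDIF.
```

Rows flagged as blank at both levels are the ones to fix in the master record before relying on a role that restricts the authorization group.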