

Former Member
0 Kudos

We require an authorisation / activity group to allow postings to one-time vendors, i.e. only allow a user with this access the ability to post to OTVs.

Is there an authorisation object that allows postings to particular vendor master records or preferably a vendor account group?

The only SAP provided role I could find was: SAP_FI_AP_VENDOR_MASTER_DATA. Are there any others anyone knows of that can be used to achieve this requirement?

Any assistance would be appreciated. Thanks.


Former Member
0 Kudos

Build a role with the object F_LFA1_BEK to allow posting to one time vendors.

Apart from this, you should also restrict access to the LFA1 table (this table provides vendor info).

0 Kudos

Hi - thanks for your reply, but I think you missed the point.

The role already has F_LFA1_BEK object which you have suggested, but you cannot select (hence restrict) "CPD" or "CPDL" (One Time Vendor) as a value as it is not in range.

We tried using the object L_LFA1_GRP as this actually allows you to select CPD/CPDL for such transactions related to vendor maintenance.

What we want is to be able to restrict the role being able to post to financial type documents in transactions such as F-53 or F-58, etc...

Also, how do you restrict access to LFA1 table? Thanks.

Former Member
0 Kudos

I would still insist that you use the object F_LFA1_BEK for this purpose.

In the authorization group field, just fill in your one time vendor group name "CPD". Don't worry about not being able to find the value in selection range. This should surely work.

Restricting LFA1 should be based on your company policies on how you prefer to restrict tables. (S_TABU_DIS)

0 Kudos

Thanks! I'll test it tomorrow and let you know how I go!


0 Kudos

Nope! Doesn't restrict vendor as I suspected. We are wanting to use FB60 to create a role which is restricted to post to one time vendors only.

F_LFA1_BEK applies to transactions:

F-42 Enter Transfer Posting

FB02 Change Document, and FB03 Display Document.

Also, F_LFA1_GRP Vendor: Account Group Authorization controls transactions:

FK01 Create Vendor (Accounting)

FK02 Change Vendor (Accounting)

FK03 Display Vendor (Accounting)

FK04 Vendor Changes (Accounting)

FK05 Block Vendor (Accounting)

FK06 Mark Vendor for Deletion (Acctng)

FK08 Confirm Vendor Individually (Acct

FK09 Confirm Vendor List (Accounting)

Any other suggestions? Thanks.

0 Kudos

The auth object - F_LFA1_GRP - is checked when using tcode FB60, but if the vendor master record does not have an authorization group specified then the authorization check is passed.

0 Kudos

Hi - how is it possible that the authorization check is passed if there is no account group specified in the vendor master record? There would be no point in this check then?

One would have thought that ONLY if the value is specified in the master vendor corresponds with the restricted value in the authorisation, only then should the check be passed???

0 Kudos

Hi Benjamin,

Most of SAP works in this way.

If the master record does not have an authorization group on it and the user does not have any authorization for a non-existing authorization group, then in SAP logic they "match" and the authority check is "passed" by virtue of the check not being performed.

Take a look in tcode SU21 and the documentation on F_BKPF_BEK:

Using this authorization object, you determine for which vendor accounts line items can be 
posted and processed.

This authorization is optional.

The authorization group does not only have an effect when working with the accounts, 
but also when working with the master records. If you assign this authorization when 
working with accounts, you must also assign an authorization for the 
corresponding authorization group when working with the master records. The authorization 
object for this is called "F_LFA1_BEK".

Defined fields
The object consists of the fields "Authorization group" and "Activity". The authorization 
group can be freely defined by the user. You take the possible input values 
for the field "Activity" from table TACTZ.

If you want to use this authorization, proceed as follows:

- define the authorization which you want to assign to selected employees, in which you list the authorization groups and the activities allowed.
- allocate this authorization using the corresponding profile.
- enter an authorization group in the master records which are specifically to be protected. You can enter an authorization group in either the general or in the company code-specific area of the master records.

An (initial) exception is S_TABU_DIS. If the standard SAP utility transactions are used, then a table without an authorization group is given a "symbolic" authorization group called '&NC&' which is checked. So you should seriously try to avoid giving users access to this symbolic auth group. In the case of account groups, s_program groups, etc., it is a bit different as the check is only performed when a security measure is found to have been required.

0 Kudos


I am at a loss of memory. I think I used both objects F_LFA1_BEK and F_BKPF_BEK (now I am mostly betting on this object) to restrict one time vendors.

As JC indicated, the vendor records should be associated with one time vendor auth group.

Are you sure that you folks are assigning the CPD or CPDL group to all your one time vendors? Or are they using some other auth group name for the one time vendors? When I worked on this issue, our folks were using different auth groups, say XYZ and ABC, for one time vendors, and I was told that in the auth group field they can enter anything (no restrictions).

I used the above two objects, and in the auth group field I could not find the values in the selection range, so I tried to manually enter the auth groups and it worked miraculously. Back then this issue was confusing for quite some time.

0 Kudos

Yes - the Vendor Master has "OTV" in the Authorization field.

0 Kudos

I have tested F_BKPF_BEK and it is the object to use!

But the Vendor Master Record must have the Control - Authorization for Account group maintained; i.e. VEND, OTV, etc....

Also, in FI Configuration, for Vendor Account Types, General Data / Control / Authorization for the Vendor Account type should be selected as mandatory.
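
A simplified model of the behaviour discussed in this thread, added here as an example (it is not SAP code and not from any of the posters): a role restricted to authorization group OTV can still post to any vendor whose master record has a blank authorization group, so those records are the ones to audit. The field names LIFNR, KTOKK, BEGRU, BRGRU and ACTVT are assumed SAP field names; the vendor rows, the role and the activity value 01 are constructed for illustration.

```python
from fnmatch import fnmatchcase

POST = "01"  # assumed activity value for posting; real values come from table TACTZ

# Constructed vendor master extract (LIFNR = vendor, KTOKK = account group,
# BEGRU = authorization group maintained on the master record).
VENDORS = [
    {"LIFNR": "0000900001", "KTOKK": "CPD",  "BEGRU": "OTV"},
    {"LIFNR": "0000900002", "KTOKK": "CPD",  "BEGRU": ""},
    {"LIFNR": "0000100010", "KTOKK": "KRED", "BEGRU": "VEND"},
    {"LIFNR": "0000100011", "KTOKK": "KRED", "BEGRU": ""},
]

# Constructed role: one F_BKPF_BEK-style authorization limited to group OTV.
OTV_ROLE = [{"BRGRU": "OTV", "ACTVT": {"01", "02", "03"}}]


def check_passes(auths, record_begru, activity):
    """Model of the check as described in the thread."""
    if not record_begru.strip():
        # No authorization group on the record: the check is not performed,
        # so it counts as passed regardless of what the role contains.
        return True
    return any(
        fnmatchcase(record_begru, a["BRGRU"]) and activity in a["ACTVT"]
        for a in auths
    )


def postable_vendors(auths, vendors, activity=POST):
    """Vendors the role can actually post to under this model."""
    return [v["LIFNR"] for v in vendors
            if check_passes(auths, v["BEGRU"], activity)]


def unprotected_vendors(vendors):
    """Audit list: master records that bypass the check for every user."""
    return [v["LIFNR"] for v in vendors if not v["BEGRU"].strip()]


if __name__ == "__main__":
    print("Role can post to:", postable_vendors(OTV_ROLE, VENDORS))
    print("Blank auth group:", unprotected_vendors(VENDORS))
```

Making the authorization group a mandatory field for the vendor account type, as the last post describes, is what keeps the second list empty for new records.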