-
Products and Technology
By Category
-
Groups
Activity Groups
Industry Groups
Influence and Feedback Groups
Interest Groups
Location Groups
Customer Only Groups
- Developers
- Partners
- Events
- Help Center
- Topic Pages
-
Explore SAP
Products
Learning and Support
-
- Products and Technology
- Groups
- Developers
- Partners
- Events
- Help Center
- Topic Pages
-
Explore SAP
- Explore SAP
-
Products
- Products
- SAP Business Suite
- Artificial Intelligence
- Business applications
- Data and analytics
- Technology Platform
- Financial Management
- Spend Management
- Supply Chain Management
- Human Capital Management
- Customer Experience
- SAP Business Network
- View products A-Z
- View industries
- Try SAP
- Partners
- Services
- Learning and Support
- About
- SAP Community
- Products and Technology
- Financial Management
- Financial Management Q&A
- Access Control Concern Regarding Journal Entry App...
- Subscribe to RSS Feed
- Mark Question as New
- Mark Question as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
Access Control Concern Regarding Journal Entry Apps
- Subscribe to RSS Feed
- Mark Question as New
- Mark Question as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
on 2025 Apr 08 2:58 PM
- SAP Managed Tags
- SAP S/4HANA Cloud Public Edition
- SAP S/4HANA Cloud Public Edition Finance
Hello,
I have a question regarding the following apps: Verify General Journal Entries, Manage Journal Entries, and Post General Journal Entries.
For one of our customers, the intended process is that users should handle journal entries exclusively through the Verify General Journal Entries app. This approach is in place to ensure proper control and that approval workflows are followed before any postings are made.
However, we have identified that it is still possible to bypass this process.
Issue Identified:
- The Manage Journal Entries app remains accessible through certain roles/catalogs
- This app includes the "Create" function, which allows users to post journal entries directly—outside of the intended approval process.
Furthermore, the Post General Journal Entries app is also accessible via these roles/catalogs, enabling posting without prior verification.
This setup does not align with the defined access strategy for the customer and poses a risk of journal entries being posted without appropriate validation.
We have noted that the catalog SAP_FIN_BC_GL_CLOSING_PC cannot be removed, as it includes access to several apps that are actively used. However, the issue is that this catalog also grants access to the Manage Journal Entries app.
We would appreciate any guidance or recommendations on how to handle this situation while preserving access to the necessary apps.
Need more details?
Request clarification before answering.
Accepted Solutions (0)
Answers (2)
Answers (2)
MartinKrucky
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
Your use case could be solved with the new authorization concept of App Authorization Variants which was delivered with S/4HANA CE2502.
For more information about this new feature please review the below links:
Blog Post with details on how to work with App Authorization Variants:
Recording of the mentioned Webinar is available for registered users here:
For the particular use case of Manage Journal Entries F0717A and verification authorization the following AAVs should be assigned:
- F0717A_TRAN + F8153_TRAN → DISPLAY + EDIT + VERIFY(SUBMIT) possibility
- F0717A_TRAN - Manage Journal Entries
- F8153_TRAN - Post General Journal Entries for Verification
Also note, that you should not allow/activate any of the AAVs for the old app F0717_xxxx as it could bring also other authorizations which enable also direct posting of journal entries.
Best Regards
Martin Krucky
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello dear user,
And thank you for asking your question in the SAP Community blog.
You've clearly laid out a common challenge in SAP S/4HANA Cloud Public Edition, especially when trying to enforce strict control over journal entry postings using the Verify General Journal Entries workflow while limiting direct posting access.
Let’s try to provide practical solutions:
Objective
Ensure users can only create/post journal entries via the "Verify General Journal Entries" workflow — not directly via:
- Manage Journal Entries (Create/Post)
- Post General Journal Entries
Current Issue
You can't remove catalog SAP_FIN_BC_GL_CLOSING_PC because it contains essential apps. But it also unintentionally provides access to:
- Manage Journal Entries (with "Create")
- Post General Journal Entries
These two allow bypassing your approval workflow.
Recommendations
1. Restrict App Functions with Custom Business Roles
Even if you keep the catalog, you can still restrict individual apps or actions using custom business roles via the Maintain Business Roles app.
Steps:
Go to Maintain Business Roles.
- Find the custom role assigned to the users in question.
- Click "Maintain Restrictions".
- For Business Catalog SAP_FIN_BC_GL_CLOSING_PC, apply read-only or no access to:
- App ID F0717 – Manage Journal Entries
- App ID F0718 – Post General Journal Entries
Tip: Use App Finder or Fiori App Library to get the exact semantic object/action for further fine-tuned control.
You don’t have to remove the entire catalog — just block access to specific tiles or functions within it.
2. Custom Catalog (if needed)
If controlling at the role level isn't granular enough, consider:
- Creating a custom catalog that includes only the apps and actions you want.
- Replace SAP_FIN_BC_GL_CLOSING_PC in the user’s business role with this custom catalog.
But this is more complex and should be a last resort.
3. Assign Users Only to “Verify Journal Entries” Process
Make sure users only have access to:
- App: Verify General Journal Entries (F2548)
- Optionally: Create General Journal Entries for Verification (F2547) — for preparers
Ensure no access to:
- Post General Journal Entries (F0718)
- Manage Journal Entries (F0717) — or at least disable the “Create” function via restrictions
4. Use Workflow Enforcement
If you're using flexible workflow for journal entry verification:
- Only allow auto-posting after approval in the Verify app
- This requires posting block until approval
- You can also enable notification if postings occur outside the process — via Audit Trail or Monitor Workflows
I hope this will help you answer your question.
Best regards,
Jeremy
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Bluesky- GRC Tuesdays: What Risks to Look Out for in 2026 in Financial Management Blog Posts by SAP
- Different cost centers visible in customer invoice posting FB01 and FL5N report in Financial Management Q&A
- Error - Page 1 LineItem 2:Different tax countries are not permitted: in Financial Management Q&A
- SAP Group Reporting Implementation: Architecture and Methodology for Success in Financial Management Blog Posts by SAP
- How to retrieve open AR items including partial payments in Custom CDS View (same as F0711)? in Financial Management Q&A
| User | Count |
|---|---|
| 32 | |
| 6 | |
| 4 | |
| 3 | |
| 3 | |
| 3 | |
| 2 | |
| 2 | |
| 1 | |
| 1 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.