cancel
Showing results for 
Search instead for 
Did you mean: 

New MDG implementation for supplier module - Restriction based on BU group or alternate solutions

twister091
Discoverer
0 Kudos
254

We have a new MDG implementation for supplier module and would like to restrict different groups of users with "Account Group" (In search) and also in "Manage Supplier" -> Select ‘New’ > "Organization" > "X– Create Supplier" to specific "Business Partner id/group".


Looking at the B_BUPA_GRP authorization object, it doesn't check for these BP BU groups. We did set some groups in "Maintain Authorization Groups " but are there any other steps to configure so the authorization checks are performed for B_BUPA_GRP.


If we would like to go with restriction for display/change/create based on "BU Groups", is it only done by custom development?
Is there any other suggestion to go with data visibility restriction of BP’s? And also to create change requests for specific groups?

studencp
Active Participant
0 Kudos

activate authorization trace when running the operations you want to restrict - in the log you can see which authorizations are checked

if the auth. object you want to use is not in the log - it means it is not checked, so to use it you need custom coding

Accepted Solutions (1)

Accepted Solutions (1)

twister091
Discoverer
0 Kudos

Hi @studencp Agree, i would like to confirm if its some configuration enabling as the trace doesn't check for any authorization groups (see attached). I would prefer to check configuration before performing any custom coding. 

 

SAP MDG security guide says "B_BUPA_GRP - This authorization object is optional. You need to assign this
authorization object only if master data records are to be specifically protected.". 

 

Additionally, it says "If you want to restrict the authorizations for users or roles to specific values, go to Create Authorizations for Data Model and define which entity types and attributes are authorization
relevant." - Did anyone perform this?

studencp
Active Participant

Hi, regarding the last sentence the MDGIMG help says:
(this "comment" field is crappy)

studencp
Active Participant

Hi, regarding the last sentence the MDGIMG help says:
"For data model BP, the standard ERP authorization checks are performed; additional settings in this Customizing activity are not supported."

And the B_BUPA_GRP seems to work in this way:
if you assign something to BP_CENTRL-REF_CEN (BUT000-AUGRP) then MDG will check if current user has access to this group. if left empty - no such check

check where used CL_MDG_BS_BP_AUTHORITY_CHECK->CHECK_AUTHORITY_BP_GROUP

Answers (0)