
Different restrictions in same authorization object F_BKPF_GSB

Former Member
0 Kudos

Hi,

I have got some strange requirement.

We have to maintain the different values in the same authorization object of different roles for the same user.

For Instance:

1) F-28 transaction, which has F_BKPF_GSB for Business area restriction, was added in Role 1. In this we need to maintain the country specific Business area value.

2) FBL5n transaction, which has the same F_BKPF_GSB for Business area restriction, was added in Role 2. In this we need to maintain the * value.

So when we assigned the above 2 roles to the same user, then as far as SAP standard's authorization concept is concerned, the authorization restriction will not work although we maintain the specific value in F-28, since in FBL5n we have given it as '*', as both the transactions have business area organisation level maintained in the same object.

But my client wants me to make it work, at least display access with full business area access for FBL5n along with business area restriction for F-28. How can it be done?

If there is any way to achieve this please let me know.

Regards,

Dheeraj

12 REPLIES 12

Former Member
0 Kudos

I think it's not possible to restrict this way as SAP roles work in combination and the highest authorization takes precedence over the lesser one.

Maybe designing a custom tcode for display access would help.

Former Member
0 Kudos

Hi,

Make sure that you have two entries on object F_BKPF_GSB and provide the details as below.

F_BKPF_GSB entry 1:

Activity *

Business area: Name of the business area to which you want to provide the maintain authorization

F_BKPF_GSB entry 2:

Activity 03

Business area: *

This should work for your requirement.

Please check and let me know.

Regards,

Gowrinadh

Former Member
0 Kudos

Also this is possible in a single role..

Create a new role.. Add transaction : F-28 and FBL5n . Then add object: F_BKPF_GSB two times in the role..

First you add object: F_BKPF_GSB with Activity as * and put restriction in the Business area, and again put restriction in an activity and define business area as per requirement in the second object: F_BKPF_GSB.

Regards,

Sandip.

0 Kudos

>

> First you add object: F_BKPF_GSB with Activity as * and put restriction in the Business area, and again put restriction in an activity and define business area as per requirement in the second object: F_BKPF_GSB.

That second object instance will need GSBER to be hard coded as it's an org level.

Having it defined properly in org level field of another role would be less likely to cause confusion for a less-experienced sec admin

0 Kudos

Just checking, as I do not have a system within reach, are we sure the "Business area" is not an organizational field? If it is, you'll need two roles to achieve this separation.

Ah, Alex does have a system.

Edited by: Jurjen Heeck on Aug 20, 2009 6:42 PM

0 Kudos

>

> Ah, Alex does have a system.

Alex has a spreadsheet of org levels

0 Kudos

> > Ah, Alex does have a system.

> Alex has a spreadsheet of org levels

And a big Post-It on the monitor of all known security admins, listing roles for which the activity levels should always be display only and transaction SE16 is "illegal"...:-)

0 Kudos

>

> And a big Post-It on the monitor of all known security admins, listing roles for which the activity levels should always be display only and transaction SE16 is "illegal"...:-)

I have a post-it of all known security admins (it is a big one), I think I need another one listing roles as recommended.

0 Kudos

Please revert back if found doubtful

Cheers,

Julius

0 Kudos

Hi,

We already performed the testing by including 2 objects for F_BKPF_GSB.

I knew that this will work if we have different specific values that need to be maintained.

For instance

F_BKPF_GSB: activity-03, BA: xxxx

F_BKPF_GSB: activity-01,02,03, BA: yyyy

In the above scenario, whatever you have suggested works, but here we have to maintain the * value, although the activity is display only, but the BA value is bypassing the object which has 01,02. Eventually the object which has the BA restriction is not validating.

Regards,

Dheeraj

0 Kudos

Hi Julius,

After being discussed, it's been finalised that the Check/Maintenance for FBL5N transaction will be removed in SU24, so that there will be no BA restriction, as they can see all the documents irrespective of country.

However I told them that it's a global impact and they are ok with that.

Can you let me know whether it works?

Regards,

Dheeraj

Former Member
0 Kudos

> F_BKPF_GSB

Note that this is an optional object.

It cannot be excluded that the ability to change "something" (if authorized for "anything") is included in the ability to display or select "everything" in an optional object.

=> Choose your transactions carefully and negative test the combination of the roles.

Cheers,

Julius
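
The negative test suggested above, as an added example that is not part of the original thread: a simplified Python model of a standard AUTHORITY-CHECK, which passes when one single authorization from the user's pooled roles covers every checked field. Role names and business areas (DE01, FR01) are constructed, and whether a given transaction checks ACTVT together with GSBER is an assumption that has to be confirmed per transaction.

```python
from itertools import product

# One dict = one authorization (instance of F_BKPF_GSB in a role).
# Role names and business areas are constructed sample data.
ROLES = {
    "ROLE_1_POST":    [{"ACTVT": {"01", "02", "03"}, "GSBER": {"DE01"}}],
    "ROLE_2_DISPLAY": [{"ACTVT": {"03"}, "GSBER": {"*"}}],
    "ROLE_2_STAR":    [{"ACTVT": {"*"}, "GSBER": {"*"}}],
}


def field_ok(allowed, value):
    """A field matches on a full wildcard or on the exact value."""
    return "*" in allowed or value in allowed


def authority_check(roles, **checked):
    """Pass if ONE pooled authorization covers ALL checked fields.

    Leaving a field out of `checked` models a check that ignores it
    (in ABAP, a field passed as DUMMY).
    """
    pool = [auth for role in roles for auth in ROLES[role]]
    return any(
        all(field_ok(auth.get(f, set()), v) for f, v in checked.items())
        for auth in pool
    )


def negative_test(roles, may_change):
    """List (ACTVT, GSBER) pairs that pass although they were not intended."""
    leaks = []
    for actvt, gsber in product(["01", "02", "03"], ["DE01", "FR01"]):
        intended = actvt == "03" or gsber in may_change
        if authority_check(roles, ACTVT=actvt, GSBER=gsber) and not intended:
            leaks.append((actvt, gsber))
    return leaks


if __name__ == "__main__":
    # Display-only wildcard next to a restricted posting role: no leak.
    print(negative_test(["ROLE_1_POST", "ROLE_2_DISPLAY"], {"DE01"}))
    # Activity * in the second role: create/change leaks to FR01.
    print(negative_test(["ROLE_1_POST", "ROLE_2_STAR"], {"DE01"}))
    # A check on GSBER alone is satisfied by the display authorization.
    print(authority_check(["ROLE_1_POST", "ROLE_2_DISPLAY"], GSBER="FR01"))
```

The last call shows why the combination still has to be negative tested in the real system: a program that checks the business area without the activity is satisfied by the display-only wildcard authorization.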