08-20-2009 2:16 PM
Hi,
I have got a strange requirement.
We have to maintain different values in the same authorization object of different roles for the same user.
For Instance:
1) F-28 transaction, which has F_BKPF_GSB for the Business area restriction, was added in Role 1. In this we need to maintain the country-specific Business area value.
2) FBL5n transaction, which has the same F_BKPF_GSB for the Business area restriction, was added in Role 2. In this we need to maintain the * value.
So when we assign the above 2 roles to the same user, then as far as SAP's standard authorization concept is concerned the authorization restriction will not work, although we maintain the specific value for F-28, since for FBL5n we have given it as '*', as both transactions have the business area organisation level maintained in the same object.
But my client wants me to make it work, at least display access with full business area access for FBL5n along with the business area restriction for F-28. How can it be done?
If there is any way to achieve this, please let me know.
Regards,
Dheeraj
08-20-2009 2:35 PM
I think it's not possible to restrict this way as SAP roles work in combination and the highest authorization takes precedence over the lesser one.
Maybe designing a custom tcode for display access would help.
08-20-2009 2:51 PM
Hi,
Make sure that you have two entries on object F_BKPF_GSB and provide the details as below.
F_BKPF_GSB entry 1:
Activity *
Business area: Name of the business area to which you want to provide the maintain authorization
F_BKPF_GSB entry 2:
Activity 03
Business area: *
This should work for your requirement.
Please check and let me know.
Regards,
Gowrinadh
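To see why the two-entry design above behaves differently from putting both values into one entry, here is an added model (not code from this thread or from SAP) of the AUTHORITY-CHECK matching rule: a check passes if any single instance of the object in the user's buffer matches every checked field, and '*' is a wildcard. It deliberately ignores PFCG org-level handling and which checks each transaction really performs; the role contents and business area values are constructed samples.

```python
def field_matches(authorized, requested):
    """One authorized value against one requested value.
    '*' matches anything; a trailing '*' (e.g. '10*') is a prefix pattern."""
    if authorized == "*":
        return True
    if authorized.endswith("*"):
        return requested.startswith(authorized[:-1])
    return authorized == requested

def instance_permits(inst, check):
    # One authorization instance permits the check only if EVERY checked field
    # has at least one matching value in that same instance.
    return all(any(field_matches(v, check[f]) for v in inst.get(f, [])) for f in check)

def authority_check(user_buffer, obj, check):
    # The check succeeds if ANY instance of the object in the buffer matches all fields.
    return any(instance_permits(inst, check) for inst in user_buffer.get(obj, []))

def build_buffer(*roles):
    # The user buffer is simply the union of all instances from all assigned roles.
    buf = {}
    for role in roles:
        for obj, instances in role.items():
            buf.setdefault(obj, []).extend(instances)
    return buf

# Constructed samples. '1000' stands in for the country-specific business area.
ROLE1 = {"F_BKPF_GSB": [{"ACTVT": ["*"], "GSBER": ["1000"]}]}   # F-28 role
ROLE2 = {"F_BKPF_GSB": [{"ACTVT": ["03"], "GSBER": ["*"]}]}     # FBL5N display role
# The variant to avoid: both business area values merged into ONE instance.
MERGED = {"F_BKPF_GSB": [{"ACTVT": ["*"], "GSBER": ["1000", "*"]}]}

def evaluate(buf):
    """Three representative checks: posting in the allowed and in another
    business area, and displaying in another business area."""
    obj = "F_BKPF_GSB"
    return {
        "post_in_1000": authority_check(buf, obj, {"ACTVT": "01", "GSBER": "1000"}),
        "post_in_2000": authority_check(buf, obj, {"ACTVT": "01", "GSBER": "2000"}),
        "display_2000": authority_check(buf, obj, {"ACTVT": "03", "GSBER": "2000"}),
    }

if __name__ == "__main__":
    print("two instances:", evaluate(build_buffer(ROLE1, ROLE2)))
    print("merged entry: ", evaluate(build_buffer(MERGED)))
```

With two separate instances the posting check for business area 2000 is denied while display is allowed; with the merged single entry the '*' value also covers posting in every business area.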
08-20-2009 4:43 PM
Also this is possible in a single role..
Create a new role. Add transactions F-28 and FBL5n. Then add object F_BKPF_GSB two times in the role.
First you add object F_BKPF_GSB with Activity as * and put the restriction in the Business area, and again put the restriction in the activity and define the business area as per requirement in the second object F_BKPF_GSB.
Regards,
Sandip.
08-20-2009 5:42 PM
> First you add object F_BKPF_GSB with Activity as * and put the restriction in the Business area, and again put the restriction in the activity and define the business area as per requirement in the second object F_BKPF_GSB.
That second object instance will need GSBER to be hard coded as it's an org level.
Having it defined properly in the org level field of another role would be less likely to cause confusion for a less-experienced sec admin.
08-20-2009 5:42 PM
Just checking, as I do not have a system within reach, are we sure the "Business area" is not an organizational field? If it is, you'll need two roles to achieve this separation.
Ah, Alex does have a system.
Edited by: Jurjen Heeck on Aug 20, 2009 6:42 PM
08-20-2009 8:39 PM
> > Ah, Alex does have a system.
> Alex has a spreadsheet of org levels
And a big Post-It on the monitor of all known security admins, listing roles for which the activity levels should always be display only and transaction SE16 is "illegal"... :-)
08-20-2009 10:11 PM
> And a big Post-It on the monitor of all known security admins, listing roles for which the activity levels should always be display only and transaction SE16 is "illegal"... :-)
I have a post-it of all known security admins (it is a big one), I think I need another one listing roles as recommended.
08-21-2009 9:40 AM
Hi,
We already performed the testing by including 2 objects for F_BKPF_GSB.
I knew that this would work if different specific values need to be maintained.
For instance:
F_BKPF_GSB: activity 03, BA xxxx
F_BKPF_GSB: activity 01, 02, 03, BA yyyy
In the above scenario whatever you have suggested works, but here we have to maintain the * value, and although the activity is display only, the BA value bypasses the object which has 01, 02. Eventually the object which has the BA restriction is not validated.
Regards,
Dheeraj
08-21-2009 1:04 PM
Hi Julius,
After discussion, it has been finalised that the Check/Maintenance for the FBL5N transaction will be removed in SU24, so that there will be no BA restriction, as they can see all the documents irrespective of country.
However, I told them that it is a global impact and they are OK with that.
Can you let me know whether it works?
Regards,
Dheeraj
08-20-2009 8:44 PM
> F_BKPF_GSB
Note that this is an optional object.
It cannot be excluded that the ability to change "something" (if authorized for "anything") is included in the ability to display or select "everything" in an optional object.
=> Choose your transactions carefully and negative test the combination of the roles.
Cheers,
Julius