11-03-2009 3:53 PM
I have activated the object "F_LFA1_GRP" in my transaction FV60 by SU24.
When I execute FV60, it does not check this object and it does not call another transaction to check the object; for example,
FBV3 calls FV63, which controls and checks this authorization object F_LFA1_GRP.
Please, can someone tell me why my FV60 does not control and check "F_LFA1_GRP"?
Thank you.
11-03-2009 4:38 PM
Did you test it for specific users? What makes you think that FV60 doesn't restrict on the vendor authorization group?
11-03-2009 4:38 PM
From memory this only works on management of vendors (XK01/2 etc) rather than the posting transactions.
11-03-2009 5:21 PM
F_LFA1_GRP is a master data control auth object. Any reason that you activated this object for FV60?
11-04-2009 10:17 AM
Your response:
F_LFA1_GRP is a master data control auth object. Any reason that you activated this object for FV60?
My reply:
My user does not have XK01 or XK02 and I want to restrict this user so that they cannot create a document for a vendor with a "Vendor account group": Z999
What can I do if there is any reason to activate this object for FV60?
Thank you.
Edited by: BOBALICE on Nov 4, 2009 11:19 AM
11-04-2009 10:45 AM
Hi there,
The object F_LFA1_GRP is used to secure the master data maintenance. If you want to control the posting to a vendor account, you need to use the complementary object F_BKPF_BEK; this should allow you to control postings to vendor account groups.
Hope this helps,
Tom
11-04-2009 11:25 AM
Now, my simple role has FV60 with these values in F_BKPF_BEK:
Activity : * ACTVT
Authorization Group : Z001, Z002, Z011, Z012, Z901 BRGRU
My role is assigned to a specific user.
But I don't understand why my role allows creating, by FV60, a document for a vendor with a "Vendor account group: Z999" (I don't have this value in BRGRU!)
Thank you.
11-04-2009 11:33 AM
Hi,
Have you checked the combinations of roles assigned to the user? Are they gaining access to this object with the value for Z999 in another role? Have you tried tracing the access for the user to see the check made on the object for this account group? If the check is passing, then the user is gaining the authorisation through their buffer somewhere...
Tom
11-04-2009 12:09 PM
Hi,
My user is assigned to one role, my simple role.
All the values of "Authorization Group" in F_BKPF_BEK are: Z001, Z002, Z011, Z012, Z901
I have traced the authorizations by ST01 for the user and ST01 does not give anything for F_BKPF_BEK (any problems)
I also have the same problem. (with Z999)
Can you test it in your system?
Thanks.
11-04-2009 12:25 PM
Hi
As transaction FV60 is allowing posting to Z999 account groups, you would not expect to see a failure against F_BKPF_BEK for that account group; what you need to know is if the check is being made on the object at all. Have you validated the SU24 settings for this object in SU24? I can only assume the object is not being checked as you have no other roles assigned to this user.
Tom.
11-04-2009 12:33 PM
The user is assigned to one role; there are no other roles assigned to this user.
F_BKPF_BEK is already validated in FV60 by SU24.
I don't understand why this problem occurs.
Do you have another idea?
Thank you very much.
11-06-2009 4:20 PM
Hi there,
The SU24 link for these auth objects associated to transaction FV60 does not mean the check will automatically take place. If the ABAP statements are not in place to make the authority check on object F_BKPF_BEK, then the restriction will not apply - the trace should show if the object is being checked at all. If this is not the case, you'll need to work with a developer to ensure that the relevant authority checks are entered in the underlying program.
Hope this helps,
Tom
11-09-2009 3:35 PM
11-10-2009 6:19 PM
Have you considered using F_LFA1_BEK? It is optional and intended to protect vendor accounts via their group assignment.
It corresponds to the authorization group value on the Company Code data tab in the vendor master <- Important!
Cheers,
Julius
11-10-2009 6:30 PM
> ... the trace should show if the object is being checked at all.
Before you go the ABAP route, you should read the object documentation in SU21 first and speak to a functional consultant (preferably a good one who understands the use of authorizations and what the ABAP system has to offer...).
Optional objects such as these provide a "selective protection" mechanism for using master data which is dependent on the master data record itself having been protected by the same authorization group value to, for example, display the vendor... or to display transaction data records for that vendor. Generally they come in pairs (double trouble) of objects.
Now, if there is no value found on the master record, then the optional object check is suppressed. This also means that if the system first checks for the presence of a value in the LFB1-BEGRU field before performing the check, and there is no value found... then the check is not performed.
=> No use in tracing code which is never reached by the config...
Cheers,
Julius
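The suppressed-check pattern described in the post above, sketched as an added ABAP example; it is not part of the thread and not SAP's standard FV60 code. The report name, parameter names and the choice of activity '01' are assumptions; the object and its BRGRU/ACTVT fields are the ones quoted in the thread.

```abap
REPORT z_demo_optional_authgrp_check.
* Illustrative only (hypothetical report, not SAP standard code).
* Shows why an optional authorization-group object can be absent
* from an ST01 trace: the AUTHORITY-CHECK is reached only when the
* master record itself carries a value in LFB1-BEGRU.
* Note: BEGRU is the authorization group on the company code data,
* not the vendor account group.

PARAMETERS: p_lifnr TYPE lfb1-lifnr OBLIGATORY,  " vendor
            p_bukrs TYPE lfb1-bukrs OBLIGATORY.  " company code

DATA lv_begru TYPE lfb1-begru.

START-OF-SELECTION.
  " Read the authorization group from the company code segment.
  SELECT SINGLE begru FROM lfb1 INTO lv_begru
    WHERE lifnr = p_lifnr
      AND bukrs = p_bukrs.
  IF sy-subrc <> 0.
    WRITE: / 'Vendor is not maintained in this company code.'.
    RETURN.
  ENDIF.

  " Empty group: the optional check is skipped entirely, so the
  " object never shows up in the trace, whatever SU24 says.
  IF lv_begru IS INITIAL.
    WRITE: / 'LFB1-BEGRU is empty: no authority check is performed.'.
    RETURN.
  ENDIF.

  " Group maintained: the check runs and is visible in ST01.
  " Activity '01' is an assumption made for this example.
  AUTHORITY-CHECK OBJECT 'F_BKPF_BEK'
    ID 'BRGRU' FIELD lv_begru
    ID 'ACTVT' FIELD '01'.
  IF sy-subrc = 0.
    WRITE: / 'Authorized for authorization group', lv_begru.
  ELSE.
    WRITE: / 'Not authorized for authorization group', lv_begru,
             'sy-subrc =', sy-subrc.
  ENDIF.
```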
11-11-2009 4:12 PM
I have also activated F_LFA1_BEK in FV60 by SU24, but the same problem: FV60 does not check authorization F_LFA1_BEK:
All objects checked in FV60 (by ST01):
S_TCODE
F_BKPF_BUK
F_BKPF_KOA
S_CTS_ADMI
F_SKA1_BUK
F_BKPF_GSB
F_FAGL_SEG
S_ALV_LAYO
S_GUI
F_FICB_FKR
F_FICA_FSG
F_FMMD_MES
S_DOKU_AUT
S_TRANSLAT
Thanks all.
Edited by: BOBALICE on Nov 11, 2009 5:13 PM
11-11-2009 7:52 PM
Please go to XK02 and display one of the vendors you are wanting to protect, go to the company code tab and look at the Authorization Group field.
Is there a value in the field looking back at you?
Cheers,
Julius