11-30-2009 5:02 PM
Hello,
I have been asked by our internal auditors to see about limiting access to transaction FK02. They want me to make only certain screens editable. When FK02 is executed, there are two lists of selections. General Data & Company Code Data. I found that by limiting F_LFA1_GEN to activity 03 will only allow display access to the General Data list. Does anyone know if there is a way to be a bit more granular and only allow display on the Address and Controll pages and allow Change access on the Payment transactions page?
Thank you,
Michael
11-30-2009 6:06 PM
Hi,
Auth object F_LFA1_AEN might be able to help here. Have a look at the documentation in SU03/SU21. There is some config to do but I think it will cover what you want.
11-30-2009 6:06 PM
Hi,
Auth object F_LFA1_AEN might be able to help here. Have a look at the documentation in SU03/SU21. There is some config to do but I think it will cover what you want.
11-30-2009 7:09 PM
F_LFA1_AEN looks good and seems to be exactly what I am looking for. However, trying to test this out, I went to IMG, Financial Accounting, Accounts Receivable & Payable, Vendor Accounts, Master Data, Preparations for Changing Vendor Master Data. I have gone through Defining Field Groups and Field Groups, both activities. Now in my roles containing F_LFA1_AEN I see the fields I have added, but they do not seem to do anything whether I check or uncheck them. Any ideas where I am missing?
Thank You
11-30-2009 8:12 PM
You might have misunderstood the concept of this optional object?
Whenever you see a field called BEGRU, you can in most cases be sure that you protect the field by assigning the group to it (like you did in SPRO) and then grant the access back for it using PFCG with dependencies on activities.
However ... if a field in SPRO is not protected by a BEGRU value, then no PFCG authorization will protect access to it because it is optional, even if the user has no authority for the optional object --> the authority-check is suppressed.
So...
- For those whom everyone can have the same access to, leave it open for optional objects.
- For those whom only some should have access to, protect them and grant the access back again.
You cannot protect some fields, and then expect to only grant those fields back again.
Sorry if I am mentioning the seemingly obvious, but I often find it misunderstood.
Cheers,
Julius