F_BKPF_BUK Object to control parking/posting

Former Member
0 Kudos

Hi,

My client is in a situation where they want a certain group of Accounts Receivable Analysts to create GL documents in FV50 but they don't want to give them access to post them.

Seemed easy enough. Removing F_BKPF_BUP ACTVT=01 BUKRS=(Values) removed the ability to post through FV50; the post icon disappeared.

The problem is that removing this authorization "breaks" several other tcodes (below) that the same group of users need to use.

F-03 Clear G/L Account

F-04 Post with Clearing

F.07 G/L: Balance Carryforward

FB01 Post Document

FB08 Reverse Document

FB41 Post Tax Payable

FBD1 Enter Recurring Entry

FBRA Reset Cleared Items

So using standard functionality, we're either left in a situation with too much access or not enough access. Workflow is not in scope at this point. Does anyone have any other suggestions? One thing I see is that Activity 10 (Post) is a valid activity for the F_BKPF_BUP but the only activity being checked to be able to save documents and post them in FV50 is Activity 01. I was kind of hoping we'd be able to use Activity 10 to control the posting capability in FV50, but that activity value isn't being checked.

Thanks in advance for any suggestions.

1 ACCEPTED SOLUTION

arpan_paik
Active Contributor
0 Kudos

Hi Matt,

This is really a common requirement for most clients, but unfortunately, from an SAP authorization point of view, there is no solution to this. Below are the objects that need to be provided to the user for either parking or posting.

F_BKPF_BUK

F_BKPF_GSB

F_BKPF_KOA

There are a few more F_BKPF* objects that might be required in separate transactions.

For posting, activity 01 is a must, and for parking, activity 77 along with 01 is a must. The authorization check for parking is weird, and I scrambled a lot into this for nothing. So a user having access to parking will automatically get access to post, whereas the customer asks for vice versa. So to my knowledge it might not be possible by authorization.

Functional guys may help with this. Though in my case they also failed to achieve the same.

Arpan

8 REPLIES 8

Former Member
0 Kudos

Hi,

I think you can try accessing the different transaction codes for posting. Try the ones below. They might be helpful.

F-02

FB01

FB05

FB50

FBR2

FBVB

Regards,

Gowrinadh

Former Member
0 Kudos

Hi Matt,

It can be achieved by removing value "01" ACTVT under the following authorization objects:

F_BKPF_BUK

F_BKPF_BLA

F_BKPF_KOA

Because if the value "01" is there for the above objects, the user gets the direct posting option in parking tcodes.

In order to be able to achieve this you must segregate your roles between parking and posting, and moreover it can be achieved if users are assigned with Segregation of Duties (SOD), i.e. if a user has a role with the above details, the user might get the posting option.

So be careful in segregating the roles and users as well.

Thanks,

Rama

Former Member
0 Kudos

Thanks guys, for now we are going to have to segregate the duties.

0 Kudos

Matt,

I have accomplished this by building out separate roles and transactions along with building out the SOD ruleset to include these checks at S_TCODE to close the loop.

FV50 - Park *have user exit to disable posting

FBV0 - Post

Thanks,

Matt
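
An added example, not part of the posts above and not SAP code: a small Python check over exported role data that flags the combinations Rama and Matt describe, a parking transaction held together with ACTVT 01 on the F_BKPF objects or together with FBV0, after merging every role a user holds. Role names, users, the company code and the finding labels are constructed for illustration.

```python
# Constructed sample data. Role names, users and company code are hypothetical;
# object, field, activity and transaction names are the ones named in the thread.
ROLES = {
    "Z_AR_PARK": [("S_TCODE", {"TCD": {"FV50"}}),
                  ("F_BKPF_BUK", {"ACTVT": {"77"}, "BUKRS": {"1000"}})],
    "Z_GL_POST": [("S_TCODE", {"TCD": {"FBV0", "FB01"}}),
                  ("F_BKPF_BUK", {"ACTVT": {"01"}, "BUKRS": {"1000"}})],
    "Z_GL_ALL":  [("F_BKPF_KOA", {"ACTVT": {"*"}})],
}
USERS = {
    "ANALYST1": ["Z_AR_PARK"],
    "ANALYST2": ["Z_AR_PARK", "Z_GL_POST"],  # posting arrives via a second role
    "ANALYST3": ["Z_AR_PARK", "Z_GL_ALL"],   # posting arrives via a wildcard
    "POSTER1":  ["Z_GL_POST"],
}
PARK_TCODES = {"FV50"}
POST_PARKED_TCODES = {"FBV0"}
POSTING_OBJECTS = ("F_BKPF_BLA", "F_BKPF_BUK", "F_BKPF_KOA")

def effective(user):
    """Merge all roles of a user: authorizations add up across roles.
    A per-field union is enough here because only single fields are inspected."""
    merged = {}
    for role in USERS[user]:
        for obj, fields in ROLES[role]:
            for field, values in fields.items():
                merged.setdefault(obj, {}).setdefault(field, set()).update(values)
    return merged

def holds(values, wanted):
    """True if the value set grants `wanted`, either literally or through '*'."""
    return "*" in values or wanted in values

def sod_findings(user):
    auth = effective(user)
    tcodes = auth.get("S_TCODE", {}).get("TCD", set())
    if not any(holds(tcodes, t) for t in PARK_TCODES):
        return []  # no parking transaction, so nothing to segregate
    findings = []
    direct = [o for o in POSTING_OBJECTS
              if holds(auth.get(o, {}).get("ACTVT", set()), "01")]
    if direct:
        findings.append(("PARK_WITH_ACTVT_01", direct))
    post = sorted(t for t in POST_PARKED_TCODES if holds(tcodes, t))
    if post:
        findings.append(("PARK_AND_POST_TCODES", post))
    return findings

def audit():
    """Return only the users with at least one finding."""
    return {u: f for u in USERS if (f := sod_findings(u))}
```
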

0 Kudos

Yes, the choice of transaction, RFC or service context is important if you want to use granular security.

Trying to make it as consistent as possible from a concept perspective also helps (to keep the number of single roles down).

Cheers,

Julius

Former Member
0 Kudos

Hi Matt, this is an easy issue to solve. The problem here is your scoping. You don't have to restrict certain access to a transaction. You have to restrict the access to an activity.

In this case in particular, you want AR staff to post certain documents and park some others. The way to achieve this is by the authorization object F_BKPF_BLA. This object is verified only when the document type has an authorization group associated.

In this way, if you have 5 authorization groups:

BANK - Bank Document Types

VEND - Vendor Document Types

CUST - Customer Document Types

MATE - Material Document Types

TAX - Tax Document Types

If you want a user to have the ability of posting to bank documents, but only post parked to vendor documents, you have to set the authorizations in the following way:

First Authorization

F_BKPF_BLA

ACTVT: 01

BRGRU: BANK

Second Authorization

F_BKPF_BLA

ACTVT: 77

BRGRU: VEND

Hope it helps

Kind Regards,

PS: Remember that this is an optional authorization object; to make it available you have to set authorization groups for document types first.

Former Member
0 Kudos

Dear All,

I was having the same requirement from my client.

I used the auth object F_BKPF_BUK and removed the activity 01 to disable the Post tab in FV50/FV60, etc. But remember the user will not be able to post any other entry directly to FI, e.g. JV in F-02.

Hope the above will help.

Regards!

Pulak Das