04-08-2010 5:23 AM
Hi,
My client is in a situation where they want a certain group of Accounts Receivable Analysts to create GL documents in FV50 but they don't want to give them access to post them.
Seemed easy enough. Removing F_BKPF_BUP ACTVT=01 BUKRS=(Values) removed the ability to post through FV50; the post icon disappeared.
The problem is that removing this authorization "breaks" several other tcodes (below) that the same group of users need to use.
F-03 Clear G/L Account
F-04 Post with Clearing
F.07 G/L: Balance Carryforward
FB01 Post Document
FB08 Reverse Document
FB41 Post Tax Payable
FBD1 Enter Recurring Entry
FBRA Reset Cleared Items
So using standard functionality, we're either left in a situation with too much access or not enough access. Workflow is not in scope at this point. Does anyone have any other suggestions? One thing I see is that Activity 10 (Post) is a valid activity for the F_BKPF_BUP but the only activity being checked to be able to save documents and post them in FV50 is Activity 01. I was kind of hoping we'd be able to use Activity 10 to control the posting capability in FV50, but that activity value isn't being checked.
Thanks in advance for any suggestions.
04-08-2010 10:52 AM
Hi Matt,
This is really a common requirement for most clients, but unfortunately, from an SAP authorization point of view, there is no solution to this. Below are the objects that need to be provided to the user for either parking or posting.
F_BKPF_BUK
F_BKPF_GSB
F_BKPF_KOA
There are a few more F_BKPF* objects that might be required in separate transactions.
For posting, activity 01 is a must, and for parking, activity 77 along with 01 is a must. The authorization check for parking is weird, and I scrambled a lot into this for nothing. So a user having access to parking will automatically get access to post, whereas the customer asks for vice versa. So to my knowledge it might not be possible by authorization.
Functional guys may help with this, though in my case they also failed to achieve the same.
Arpan
04-08-2010 2:22 PM
Hi,
I think you can try accessing the different transaction codes for posting. Try the ones below. They might be helpful.
F-02
FB01
FB05
FB50
FBR2
FBVB
Regards,
Gowrinadh
04-12-2010 10:43 AM
Hi Matt,
It can be achieved by removing value "01" ACTVT under the following authorization objects:
F_BKPF_BUK
F_BKPF_BLA
F_BKPF_KOA
Because if the value "01" is there for the above objects, the user gets the direct posting option in parking tcodes.
In order to achieve this you must segregate your roles between parking and posting; moreover, it can be achieved if users are assigned with Segregation of Duties (SOD), i.e. if a user has a role with the above details, the user might get the posting option.
So be careful in segregating the roles and users as well.
Thanks,
Rama
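An added example, not part of any post in this thread: a small audit of role assignments for the objects named above, flagging users meant to be park-only who pick up ACTVT 01 through another role. Role names, users, and company code 1000 are constructed; the model assumes authorizations are additive across roles and that a check passes when one authorization instance covers every requested field (only the `*` wildcard is modeled, not ranges).

```python
# Constructed sample data: role names, users and company code are hypothetical.
POSTING_OBJECTS = ("F_BKPF_BUK", "F_BKPF_BLA", "F_BKPF_KOA")  # objects named in the post

ROLES = {
    "Z_AR_PARK": [
        ("F_BKPF_BUK", {"ACTVT": {"77"}, "BUKRS": {"1000"}}),
        ("F_BKPF_BLA", {"ACTVT": {"77"}, "BRGRU": {"CUST"}}),
    ],
    "Z_AR_CLEARING": [
        ("F_BKPF_BUK", {"ACTVT": {"01", "03"}, "BUKRS": {"*"}}),
    ],
    "Z_AR_DISPLAY": [
        ("F_BKPF_BUK", {"ACTVT": {"03"}, "BUKRS": {"1000"}}),
    ],
}
USERS = {
    "ANALYST1": ["Z_AR_PARK", "Z_AR_DISPLAY"],
    "ANALYST2": ["Z_AR_PARK", "Z_AR_CLEARING"],
}

def field_allows(granted, wanted):
    """A field value is covered by an exact match or the '*' wildcard."""
    return "*" in granted or wanted in granted

def has_auth(user, obj, **wanted):
    """Model of an authority check: one single authorization of `obj`,
    from any assigned role, must cover all requested field values."""
    for role in USERS.get(user, []):
        for auth_obj, fields in ROLES[role]:
            if auth_obj == obj and all(
                field_allows(fields.get(f, set()), v) for f, v in wanted.items()
            ):
                return True
    return False

def posting_leaks(park_only_users):
    """Map each park-only user to the (role, object) pairs that grant ACTVT 01."""
    findings = {}
    for user in park_only_users:
        hits = sorted(
            (role, obj)
            for role in USERS.get(user, [])
            for obj, fields in ROLES[role]
            if obj in POSTING_OBJECTS and field_allows(fields.get("ACTVT", set()), "01")
        )
        if hits:
            findings[user] = hits
    return findings
```

Running `posting_leaks` over the intended park-only population before transport shows which role combination reintroduces the posting activity, which is the same condition an SOD ruleset would need to encode.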
04-12-2010 2:28 PM
04-12-2010 9:35 PM
Matt,
I have accomplished this by building out separate roles and transactions along with building out the SOD ruleset to include these checks at S_TCODE to close the loop.
FV50 - Park *have user exit to disable posting
FBV0 - Post
Thanks,
Matt
04-12-2010 11:11 PM
Yes, the choice of transaction, RFC or service context is important if you want to use granular security.
Trying to make it as consistent as possible from a concept perspective also helps (to keep the number of single roles down).
Cheers,
Julius
04-13-2010 1:23 PM
Hi Matt, this is an easy issue to solve. The problem here is your scoping. You don't have to restrict certain access to a transaction. You have to restrict the access to an activity.
In this case in particular, you want AR staff to post certain documents and park some others. The way to achieve this is by the Authorization Object F_BKPF_BLA. This object is verified only when the Document Type has an Authorization Group associated.
In this way, if you have 5 authorization groups:
BANK - Bank Document Types
VEND - Vendor Document Types
CUST - Customer Document Types
MATE - Material Document Types
TAX - Tax Document Types
If you want a user to have the ability of posting to bank documents, but only post parked to vendor documents, you have to set the authorizations in the following way:
First Authorization
F_BKPF_BLA
ACTVT: 01
BRGRU: BANK
Second Authorization
F_BKPF_BLA
ACTVT: 77
BRGRU: VEND
Hope it helps
Kind Regards,
PS: Remember that this is an optional authorization object; to make it available you have to set authorization groups for document types first.
07-01-2011 9:11 AM
Dear All,
I was having the same requirement from my client.
I used the auth object F_BKPF_BUK & removed the activity 01 to disable the Post tab in FV50/FV60, etc. But remember the user will not be able to post any other entry directly to FI, e.g. JV in F-02.
Hope the above will help.
Regards!
Pulak Das