Skip to Content

Archived discussions are read-only. Learn more about SAP Q&A

#2. Restricting Changing of the Purchasing Group

Dear All,

Thank you very much for your answers. Actually I work as an auth person.

I know about roles, profiles, PFCG, SU24, SU53, auth objects and u2026, I have studied the courses SAPTEC, ADM940 and I am studying the course ADM950 right now. I am not a basic trainee!!

Before Dipanjan Sanpui posted, I myself have created a role and added the Tcodes ME51N, ME52N, MEMASSRQ, I have changed the field EKGRP in the auth obj M_BANF_EKG to 004. But when I tested my new role with a user who has only this role and no more auth this user could for example change the purchasing group of a purchasing requisition from 003 to 002.

I would like to be able to restrict a user (with purchasing group 004) of changing other purchasing groups (for example changing 002 to 003).

I hope that my question is clear enough right now and it will not be locked again.




Subject: Re: Restricting Changing of the Purchasing Group

Message: Hi,

The relationship of a Transaction ans it'd corresponding Authorization Objects is available in TCode SU24. So if you go there and put the Tcode MEMASSRQ and then execute then you will get the list of Objects available for this Tcode and their check proposals or more popularly known as Check Indicator.

Now from study of the available fields it is evident that the Object containing Purchasing Group as a Field (an Organization Level in nature) and also proposed to be maintained in Profile Generator (Check and Maintenance proposal = Yes) is M_BANF_EKG.

When you are adding the tcode in Role menu you will get this object for maintenance in Authorization data.

Subject: Re: Restricting Changing of the Purchasing Group

Message: Hi Salameh

Are you a basis or security/auths person? If basis then I (think) you are drifting into security either due to your client giving you incorrect work or the request has come to the wrong person (or...your client has only hired one person or more to do both basis and security).

4 months in SAP to know what the auth objects/tcodes/SoD issues are isn't enough to safely manage a security concept - is there anybody else in your department who you can go to to ask these sort of questions instead of posting on a forum? IMO I'd recommend sticking to basis if that is your speciality and you'll not be short of work, running role transports to prod without really understanding what/why is going to be painful for all concerned.

Best wishes


Subject: Re: Restricting Changing of the Purchasing Group

Message: Sorry, these forums are not a substitute for basic training.

This is your responsibility, or better said your customer's...

Thread locked.



Former Member
Former Member replied

Hi Salameh

For ME51N I have tested the authorisation object M_BANF_EKG with it set to check/maintain in SU24 and the test role does restrict the test user correctly, setting SU24 to no check/not maintained allows the test user to create/change etc in other purchase groups than the one in the test role.

Are your SU24 settings maintained correctly please?

I would avoid giving users access to MEMASSRQ though - that doesn't appear to be restricted by anything bar S_TCODE in our 4.6 system.

(Basis Support Package 59 for 4.6C release



0 View this answer in context
Not what you were looking for? View more on this topic or Ask a question