
Prevent Employee Vendor Bank Detail Access

Former Member
0 Kudos

Hello Security Gurus,

Had a question. How do we prevent access (create/change/display) of employee vendor bank data by the AP clerks on Vendor Master data, but at the same time, let them have access to do payment runs (F110) for them?

Using authorization object F_LFA1_GRP, I tried taking away activities 01, 02, 03 for employee group 1004 (employee vendor account group). This works as far as preventing them from having any view access of all employee vendor data (not just bank), which is great. But the downside is, when they try to do ACH payment run for the employee vendors, it prevents them from creating the ACH file for employee vendors, giving the error message saying 'No authorization to display account from account group F_LFA1_GRP'. See screenshot below.

Is there any way to achieve this? Would greatly appreciate any feedback.

Thanks and regards,

Wayfarer

9 REPLIES 9

Former Member
0 Kudos

Hi,

Try flagging F_LFA1_GRP as Check = No (the specifics will depend on version) in SU24 for F110.

I've not seen F110 check F_LFA1_GRP as default in the past for the very reason that payment runs can be processed by people who don't necessarily need to see the master record.

0 Kudos

Thanks a lot, Alex. It did seem like a great suggestion, but somehow it is not working, maybe I am not doing something right. I changed it to 'Do not check' for F110 in SU24, and then did 'Read old status and merge with new data' in PFCG for the particular role with F110, then regenerated the role, but I am still getting the exact same authorization check error as before when the user tries to do a payment run for the employee vendor. What am I doing wrong, please help! Screenshots below of what I did.

Thanks and regards,

Wayfarer

0 Kudos

Hi,

Did you transport your SU24 change into the client where the payment run is being performed (or tested)?

Also, what version of SAP and what Service Pack version is it on?

0 Kudos

Hi Alex,

SU24 changes, PFCG role generation, and F110 were all done in the same Test/Dev Instance/Client, so the issue of transport does not arise. We are on ECC6 and enhancement package 4. SPAM screenshot below.

Thanks and regards,

Wayfarer

0 Kudos

Hi,

That is a bit strange.  I'll take a look in the week and see what I can find.

0 Kudos

Hi Wayfarer,

It doesn't look like good news I'm afraid.  The 4.6 system I have been working on doesn't exhibit this behaviour as default. 

However on an ECC6 IDES I have been checking I see exactly the problem that you are describing & it happens when F110 steps out into a routine that creates the payment/BACS file.  Unfortunately I have drawn a blank at being able to bypass the check while not granting access to view the emp vendors. 

0 Kudos

Thank you, Alex. Greatly appreciated. Wondering whether it would help putting it out on OSS, treat it as a bug, since you say that in 4.6 version it works as it should with SU24. I will discuss with our Basis Admin to see if we can pursue a solution thru SAP. Meanwhile if any other BASIS gurus out there can find a solution for me, that would be great.

Thanks and regards,

Wayfarer

Former Member
0 Kudos

Hi,

Have you tried assigning authorizations for field groups for vendor master data?

You can protect fields from the vendor master records from being changed by authorization for field groups.


To be able to assign this special authorization, proceed as follows:


1. Define field groups (Tr. OBAT). These groups combine the fields which are to be protected together.

2. Allocate the master record fields which are to be protected to the groups (Tr. OBAU). For example, per group 01 assign LFBK-BANKL "Bank Key" and LFBK-BANKN "Bank Account Number".

3. Define the authorization by specifying required groups for the Vendor by changing authorization for particular fields authorization object.

4. Allocate the authorization to the required profile.


The profiles are stored in the user master record of the accounting clerk. The authorizations become effective once they are in these.


For additional info check documentation for report RFKABL00.

0 Kudos

Thanks Meta, I don't think that will work. I just read up on field groups and the authorization object F_LFA1_AEN that uses field groups to restrict access. Unfortunately I don't want the users to even have display access to those fields, and this object does NOT restrict display access, so wouldn't work for me.

regards,

Wayfarer