Auth object F_KNA1_GRP: how to avoid to display specific Account group

Former Member
0 Kudos

Hi Gurus,

My aim is to prevent specific users from displaying customers with a specific account group (XD03 transaction).

In order to do this I've implemented Auth object F_KNA1_GRP, specifying ACVT = 3 (display) and the range of admitted KTOKD.

Then I've associated F_KNA1_GRP to tr code XD03 (SU24 transaction) and with tr code PFCG I've modified A_FBD(CLI), including the Account Group check.

It does not seem to work. Could you please help me in identifying which should be the correct steps to be performed (if possible step by step, since I'm new to profile maintenance)?

Let me know.

Many thanks

Angelo Gaiatto

Accepted Solutions (1)

Former Member
0 Kudos

Hi Angelo,

A few questions to understand your situation:

1. Have you set the check to 'Yes' for authorization object F_KNA1_GRP for t-code XD03 in t-code SU24?

2. Have you created a custom role 'A_FBD(CLI)' with authorization object F_KNA1_GRP with only the values required for the user to be visible?

3. Have you assigned the above role to the required users?

If the answer to the above questions is yes, then what is the error or issue you are getting? If possible, share the trace data or explain the issue clearly with screenshots.


Regards

Pradeep

Former Member
0 Kudos

Hi Pradeep,

1) Yes.

2) Yes.

3) Yes.

4) Below the trace:

Many thanks for your support

Angelo

Former Member
0 Kudos

Hi Angelo,

I have found a few problems with your implementation.

1. In your PFCG role, why are activities 01 and 02 provided when it was only display '03' activity? So please remove activities 01 & 02 (Create or Change, or any other activity present like Delete etc.).

2. I asked for an ST01 trace and not SU53. So please switch on the trace before executing the steps, then switch it off and attach the screenshot for further analysis.

Hope this helps.

Regards

Pradeep

Former Member
0 Kudos

Hi Pradeep,

First of all, many thanks for your support.

1) I've just corrected it.

2) Even if I try to trace XD03, the result is that the system gives the message: 0 records found.

Many thanks


Angelo

Former Member
0 Kudos

Hi Angelo,

First, after correcting the activity, did it solve the issue?

Secondly, I suppose you are not doing the trace correctly. Which user are you putting the trace on in ST01?

Regards

Pradeep

Former Member
0 Kudos

Hi Pradeep,

No, I didn't solve the problem.

Secondly, I put the trace on user GTTN, the one that I use in the XD03 transaction.

Many thanks

Angelo

Former Member
0 Kudos

Hi Angelo,

I guess you are missing something while switching on the trace. Do you have more than one instance of the system?

As far as I know, if you are doing something on the system with that user, the trace should come anyhow.

Regards

Pradeep

VeselinaPeykova
Active Contributor
0 Kudos

F_KNA1_GRP is checked actually in XD03 (at least in my test system 6.0 Ehp4) and appears in trace log files with correct values.

Did you run the test with a user that has only this new role with restricted XD03 display assigned? If not - have you checked for cross-authorizations? Did you already eliminate sync issues, problems during transport (if you are not performing the tests in the same system)?

One possible reason why you did not manage to select any entries from ST01 log could be also different time zones (user vs server) - if it is the case: just enter a wider time range for log selections.

F_KNA1_GRP was already set by default in SU24 for XD03 to Check with proposal = YES in my system, the only difference to your screenshot is that KTOKD is set to '  ' ; ACTVT is set to '03'.

Former Member
0 Kudos

Hi Pradeep,

Attached the trace.

It seems that the control is successfully passed for KTOKD = 'ZCNP' but in SU24 ZCNP doesn't appear as an authorized account group (see below).

Many thanks

Angelo

VeselinaPeykova
Active Contributor
0 Kudos

So... this trace is run with a test user with only one profile assigned (for the role for which you provided screenshots earlier)? And the values maintained for object F_KNA1_GRP in the role are exactly the same as the values in SU24 which you maintained? And user comparison was successfully executed from PFCG?

Did you also check in AUTH_SWITCH_OBJECTS (also accessible from SU25) whether somebody had deactivated the checks for F_KNA1_GRP globally in this system?

By the way - it would be better to check against what is actually set for this authorization object in the test role instead of relying on the information of screenshot from SU24, as there can be some deviations.

Answers (4)

Former Member
0 Kudos

Hi Angelo,

Just ensure that all the relevant values in field KTOKD under object F_KNA1_GRP are maintained correctly in the role, using T-code PFCG to change them, before executing T-code XD03.

If, after maintaining the respective values in the auth object mentioned above, you are still getting issues, please share the error screenshots.

Thanks,

Kumar

Former Member
0 Kudos

Hi Kumar,

Actually we're checking for cross-authorization and will let you know.

Many thanks


Angelo

Former Member
0 Kudos

Hi All,

Finally, after checking for cross-authorization, we made the functionality run correctly.

Angelo
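
The cross-authorization effect the thread ends on, modelled as an added example (not part of the original posts and not SAP code): an authority check passes when any one authorization held by the user matches every checked field, so a second role can cancel the KTOKD restriction. The role name Z_WIDE_DISPLAY and all field values below are constructed for illustration.

```python
def value_matches(allowed, value):
    """True if value is covered by any entry: exact value, 'ABC*' pattern, or (low, high) range."""
    for entry in allowed:
        if isinstance(entry, tuple):
            low, high = entry
            if low <= value <= high:
                return True
        elif entry.endswith("*"):
            if value.startswith(entry[:-1]):
                return True
        elif entry == value:
            return True
    return False


def authority_check(authorizations, obj, **fields):
    """Pass when ONE authorization for obj matches ALL checked fields."""
    return any(
        auth["object"] == obj
        and all(value_matches(auth["fields"].get(n, []), v) for n, v in fields.items())
        for auth in authorizations
    )


def user_buffer(roles, assigned):
    """All authorizations from every assigned role end up in one pool."""
    return [auth for role in assigned for auth in roles[role]]


def granting_roles(roles, assigned, obj, **fields):
    """Name the assigned roles that would pass the check on their own."""
    return [r for r in assigned if authority_check(roles[r], obj, **fields)]


# Constructed role contents; only the names A_FBD(CLI), F_KNA1_GRP, KTOKD,
# ACTVT and ZCNP come from the thread.
ROLES = {
    "A_FBD(CLI)": [{"object": "F_KNA1_GRP",
                    "fields": {"ACTVT": ["03"], "KTOKD": [("0001", "0099")]}}],
    "Z_WIDE_DISPLAY": [{"object": "F_KNA1_GRP",
                        "fields": {"ACTVT": ["03"], "KTOKD": ["*"]}}],
}

if __name__ == "__main__":
    check = dict(ACTVT="03", KTOKD="ZCNP")
    for assigned in (["A_FBD(CLI)"], ["A_FBD(CLI)", "Z_WIDE_DISPLAY"]):
        ok = authority_check(user_buffer(ROLES, assigned), "F_KNA1_GRP", **check)
        print(assigned, "->", "pass" if ok else "fail",
              granting_roles(ROLES, assigned, "F_KNA1_GRP", **check))
```

Listing which assigned roles pass the check on their own is the quickest way to see where an unexpected pass comes from when testing with a user that holds more than the restricted role.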

Bernhard_SAP
Advisor
0 Kudos

Moving back to SD, as the application must know what is checked when, where and how.

Former Member
0 Kudos

Hi Angelo,

F_KNA1_GRP is a standard assignment/check to XD03. What extra have you done in SU24? Also, could you clarify 'A_FBD(CLI)'?

Regards

Plaban

Former Member
0 Kudos

Dear Plaban,

With SU24 I've checked all the auth checks assigned to XD03, verifying within F_KNA1_GRP the linked specific account group.

With PFCG I've checked role A_FBD(CLI), in particular the authorization data, to see if it's linked to Customer: Account Group Authorization. It all seems correct, but when I call the XD03 transaction the system does not seem to pass through F_KNA1_GRP.

Many thanks

Angelo

Former Member
0 Kudos

I cannot understand A_FBD(CLI). Is it a custom role that you have created? Could you provide a trace for XD03?



Former Member
0 Kudos

Hi Plaban,

I suppose A_FBD(CLI) is a custom role created by our tech department.

Since it doesn't have a Z* as first letter, I was thinking it was standard...

Below the trace (SU53 XD03): it seems that F_KNA1_GRP isn't called by XD03.

For completeness SU24:

And PFCG:

Any help will be appreciated.

Many thanks


Angelo

Lakshmipathi
Active Contributor
0 Kudos

Moved from SAP ERP Sales and Distribution (SAP SD) to Security