Solved: Authorization for AuGr in OB52 does not work as in...

ChrLid_Swe · ‎02-11-2008

Hi,

I'm trying to get the Authorization group in OB52 to work for the end user, but it will not work. I have followed the procedure described in the help text in OB52 but when it comes to the actual use of the authorization it is never being checked.

We are trying to use it for transaction FB01 - Post Document. And authorization object F_BKPF_BUP should be checked whenever this transaction is being used (according to SU24). I have checked in the trace log (ST01) and there is no sign of F_BKPF_BUP when the user is running FB01.

Does anyone know the reason to this or which transactions that will work when you set up the AuGr in OB52???

Any answer appriciated!

Thanks!

/Christer

Edited by: Christer Lidholm on Feb 11, 2008 10:12 AM

Former Member · ‎02-12-2008

My guess would be that there is an interval of accounts or account types which is open, hence F_BKPF_BUP is not checked as it is not required.

My understanding of F_BKPF_BUP is that it can be used over and above the existing concept of opening / closing posting periods for company codes at the level of the account type and individual account number (or interval of them) to protect access to closed periods at a per user level, based on their authorization for F_BKPF_BUP and whether that account is in an OB52 interval which has that auth group value on it... in which case the return code is set to 0 (successfull). A blank authorization group in OB52 is exactly the same (either open or closed), except you cannot differenciate between the users who can and cannot post to the account.

Take a read through function module FI_PERIOD_CHECK and the SAP notes mentioned in it (which, of course, depends on which release and SP level you are on...).

Examples of transactions you might want to try are VF01 and MIGO.

Cheers,

Julius

Former Member · ‎02-11-2008

Hi,

The object that the posting period auth group relates to is F_BKPF_BUP and not F_BKPF_BUK.

You should make sure that there is an auth group attached to all the posting periods, as each one with a blank auth group field is unrestricted.

Hope this helps....

ChrLid_Swe · ‎02-11-2008

Hi,

Sorry, that was a mistyping from my side. Of course it should be the object F_BKPF_BUP I'm checking. But question remains. Why is this not working for transaction code FB01 and others that should have this check included?

My test user without any access to F_BKPF_BUP can post a document in FB01 without any problem. There is no check done whatsoever!

Former Member · ‎02-11-2008

Can't be certain why is not working but I would check the following, although you have probably been through this already:

SU24 - ensure that the object is set to checked, and yes for proposal although that is not entirely necessary

OB52 - make sure that all the posting periods have an auth group attached, ensure that the relevant posting periods are applied to the all the relevant account types and ensure that the posting period you are providing access to does not override the one that is being restricted.

Other than that I can't think of anything else that could affect it.

Former Member · ‎02-11-2008

>

> Can't be certain why is not working but I would check the following, although you have probably been through this already:

> OB52 - make sure that all the posting periods have an auth group attached, ensure that the relevant posting periods are applied to the all the relevant account types and ensure that the posting period you are providing access to does not override the one that is being restricted.

This is usually the most common one in my experience & runs across almost all uses of auth groups.

Former Member · ‎02-11-2008

Hi Christer,

To post a document a document through FB01 , Object F_BKPF_BUP doesnot require for from some scenarios.If you want to post into previous months individually(by leaving others to current month in OB52) ,then u may require this object which needs to be maintened with authorization group value.

The other reason could be the user may already added to AMOUNT TOLERANCE GROUP in SPRO setting(provided posting for current month in OB52).

In SPRO u can the following path whether user added/not.

Financial accounting~~->accounts receivable and accounts payable~~-->business transactions ~~->incoming payments~~->manual incoming payments---->ASSIGN USER/TOLERANCE GROUPS.

U can in the above path

i hope i have cleared little from my knowledge...

Rgds,

Gadde

ChrLid_Swe · ‎02-12-2008

Hi Gadde and S Morar,

Thanks both for your answers! All of your suggestions have been checked and double checked but problem remains.

Does anyone knows of any other end user transaction (apart from FB01) that really uses F_BKPF_BUP and the AuGr in OB52 as an authorization check? It really feels like I need to try some other transaction here.

Thanks!

Former Member · ‎02-12-2008

HI

I have checked in my own system, the both given transaction are not controlling by the giving authorization object F_BKPF_BUP.

FB01

There are many authorization group are controlled by the FB01, you can control by one of them.

OB52

You can create authorization group by the se54 to control through the S_TABU_DIS Table Maintenance.

as i am doing myself for the OB52.

Regards

Anwer Waseem

SAP BASIS

Former Member · ‎02-12-2008

My guess would be that there is an interval of accounts or account types which is open, hence F_BKPF_BUP is not checked as it is not required.

My understanding of F_BKPF_BUP is that it can be used over and above the existing concept of opening / closing posting periods for company codes at the level of the account type and individual account number (or interval of them) to protect access to closed periods at a per user level, based on their authorization for F_BKPF_BUP and whether that account is in an OB52 interval which has that auth group value on it... in which case the return code is set to 0 (successfull). A blank authorization group in OB52 is exactly the same (either open or closed), except you cannot differenciate between the users who can and cannot post to the account.

Take a read through function module FI_PERIOD_CHECK and the SAP notes mentioned in it (which, of course, depends on which release and SP level you are on...).

Examples of transactions you might want to try are VF01 and MIGO.

Cheers,

Julius

ChrLid_Swe · ‎02-13-2008

Hi,

I am happy to say problem has been solved. There are no worries any longer and everything is working according to SAP standard functionality.

The answer was in the period 2 in OB52. I was not careful enough checking the year in the column From per.2. So period 2 had a greater span than period 1. Hence it was overriding every change made to period 1. I had the perception the AuGR was only checking Period 1, but this was obviusly wrong.

Lessons learnt! You can never be careful enough checking tables and intervals in your customizing.

Anyway, thanks for all your input on the subject!

/Christer

Former Member · ‎02-13-2008

I think what you mean is that the period interval without the AuGR was greater than that with the AuGR, which would explain why the check on object F_BKPF_BUP was never reached... it was not required.

For the same reason, turning SU24 check indicators off for such optional (exceptional) objects is questionable, as it is the intention of the authority-check result on the object to set the return code to 0.

Cheers,

Julius

Former Member · ‎05-13-2008

HI All

I am also facing same problem In OB52.

In OB52 Posting period "+" symbol in first interval we r using for authorisation group. In second Interval we r using for Normal users. In second interval we close the 10th period and open the 11th period but some of the "s" type G/L accounts still allowing to post the documents in normal users.

Please suggest me I am confusion.

Regards,

Lakshmi Narayana

Authorization for AuGr in OB52 does not work as intended