This website is not affiliated with, sponsored by, or approved by SAP AG.

BP Authorizations not working

SAP Security

Moderators: Snowy, thx4allthefish, jurjen

BP Authorizations not working

Postby PankajBasis » Wed Nov 12, 2008 9:32 am

Dear All,

CRM 4.0

We want to restrict fields ( Few as display and others as change) in transaction BP. We have done following
1. Checked that field groups are authorization relevant (SPRO)
2. Assign Field group in object B_BUPA_FDG (PFCG)
- Auth1: activiy 02, fld1,fld2 which we need to change
- Auth2: Activity 03, fld3 which we need display
3. Required BP roles are assigned in B_BUPA_RLT and acvt is 02,03 (PFCG)

I have not assigned few fields for change but still I am able to change those fields ex. Masterdata->group company

The BP Role is Z role
Could anybody help me. I have searched SAP notes and forum but no help
Lets Help each other
Thanks to everybody who post solution
Posts: 50
Joined: Wed Oct 26, 2005 11:51 pm
Location: Roaming

Re: BP Authorizations not working

Postby Harters » Tue Nov 18, 2008 7:30 pm

I recently came across a similar issue around characteristics in material master but this revolved around class characteristics in materials based on class type, org indicator and material auths. Auths was not up to the level of detail required and so we made open objects and editable items greyed out using GuiXT.

We had to also define so local script variables and work with a description field.

GuiXT will let you grey out the change icon / change record e.t.c even with SAP_ALL profile as it works in a higher level than auths restrictions (or openness).
Posts: 229
Joined: Thu Feb 07, 2008 8:03 am
Location: Sitting in front of 21 SAP systems

Re: BP Authorizations not working

Postby DPELSSERS » Sat Dec 06, 2008 7:10 am

I have set this up in the past one or more times without any problem.

If you still need to set up this requirement you can always email me the requirement itself AND screenshots of the configuration in customizing and roles you made.

-Requirement Info needed in such a case:
* what field groups does your business need to protect for people working a certain function
(e.g. change of field authorization group should not be changed by business - see tabpage "control" in tcode BP)

>> in such a case the relevant field is AUGRP stored in table BUT000
You can check which is the relevant fieldgroup using transaction code BUS2.
As it turns out this field is stored in FieldGroup 12 (AUTHORISATION GROUP) and contains following fields:
BUT000 AUGRP -- this is an input field
TB037T BEZ50

Now that you know the relevant field group to protect, you define in customizing:
SAP Implementation Guide>> Cross-application components>> SAP Business Partner>> Business Partner>> Basic settings>> Authorization management>>Define field groups relevant to authorisations
Here you select via the input help the field group (0012 - authorization group)

Next in the authorization role you put for the object B_BUPA_FDG for example the following values:
Activity: 03 (display)
Fieldgroup: 0012

TIP: The reason why it might not have worked is probably the following:
In customizing, if you check the field group it says 12 instead of 0012 (which is the actual value).
So in your role; you might have put 12 instead of 0012 and as a result it would not work !!

Therefore Try always to use the input help (F4) instead of manually typing in the values where possible.
Davy Pelssers
SAP CRM /Security consultant
Kind regards
Davy Pelssers
SAP CRM and Security Consultant
Posts: 24
Joined: Wed Nov 26, 2008 7:57 am
Location: Belgium

Re: BP Authorizations not working

Postby BMC » Wed May 22, 2013 1:43 am


Nice description. As I see this, this is a description on how to prevent users from working with certain fields, but they are still able to se data in the fields.

My problem is, that I have, what you can call sensitive fields in the BP. So I need to find a authorization, that can protect the data. Any I dea if this is possible. I do know about transaction variants / screen variants. But in the case of the BP I do not think this will work, since the transaction i a lot of cases is called indirectly (drill down), and it would be impossible to change these calls to an authorization variant.

Posts: 19
Joined: Mon Mar 13, 2006 9:35 am

Return to SAP Security

Who is online

Users browsing this forum: No registered users and 3 guests

This website is not affiliated with, sponsored by, or approved by SAP AG.