This website is not affiliated with, sponsored by, or approved by SAP AG.

SAP authorization post & display in different company codes

SAP Security

Moderators: Snowy, thx4allthefish, jurjen


Postby mm0000 » Thu Sep 20, 2012 11:43 pm

The SAP help file mentions the following :

'Most authorization objects have a similar structure, that is, two specifications are necessary for each object. The first specification lists values for a field in the object to be protected (company code for example) and the second lists a series of activities. Via this combination, you can differentiate the permitted activities distinctly. For example, you can restrict the creation and changing of documents to one company code, but permit the display of documents in other company codes.'

I don't think what is mentioned above is possible in SAP. What it implies is that you can set authorizations so that a user can post a document to one company code and display a document in another company code - or was it possible earlier and not possible now?

Link:
http://help.sap.com/saphelp_40b/helpdat ... ontent.htm
mm0000
 
Posts: 9
Joined: Wed Sep 08, 2004 1:09 am

Re: SAP authorization post & display in different company codes

Postby Al. » Fri Sep 21, 2012 3:22 am

Hi,

It is very possible.
As an example in a single or combination of:

Authorisation 1
F_BKPF_BUK ACTVT 03 BUKRS 1000

Authorisation 2
F_BKPF_BUK ACTVT 01, 02 BUKRS 2000

Will give you display only to company code 1000 and create and change only to company code 2000.
http://www.turnkeyconsulting.com/
Al.
 
Posts: 3050
Joined: Tue Feb 25, 2003 5:35 am
Location: London

Re: SAP authorization post & display in different company codes

Postby mm0000 » Fri Sep 21, 2012 3:54 am

Al,

The example you gave will not work. The user will be able to post and change documents in company code 1000 also. Try it out in SAP.

MM
mm0000
 
Posts: 9
Joined: Wed Sep 08, 2004 1:09 am

Re: SAP authorization post & display in different company codes

Postby mm0000 » Fri Sep 21, 2012 4:05 am

See the following discussion also.

viewtopic.php?f=24&t=320862

MM
mm0000
 
Posts: 9
Joined: Wed Sep 08, 2004 1:09 am

Re: SAP authorization post & display in different company codes

Postby Al. » Fri Sep 21, 2012 5:22 am

Hi, I disagree, I have achieved this plenty of times in SAP. Please read that link again as that example is also a lot more developed than the question you asked.

In the scenario I gave you the access will be:

Display for 1000
Create and Change for 2000

However (and this links to the thread you linked) if you have 2 different transactions which share a common controlling object, the above combination would give you D 1000, Cr Ch 2000 for both transaction 1 and transaction 2. What it would not give you is transaction 1 Display 1000 and transaction 2 Cr Ch 2000.
http://www.turnkeyconsulting.com/
Al.
 
Posts: 3050
Joined: Tue Feb 25, 2003 5:35 am
Location: London

Re: SAP authorization post & display in different company codes

Postby mm0000 » Fri Sep 21, 2012 5:48 am

Al.

I think I would also have to disagree with you. I don't know how you managed to achieve this many times.

See also :

scn.sap.com/thread/1842450
mm0000
 
Posts: 9
Joined: Wed Sep 08, 2004 1:09 am

Re: SAP authorization post & display in different company codes

Postby Al. » Fri Sep 21, 2012 6:38 am

I respect your option to disagree but that does not change the fact that based on your question your understanding of the following is not correct.

"you can restrict the creation and changing of documents to one company code, but permit the display of documents in other company codes. I dont think what is mentioned above is possible in SAP"

The correct answer is that it is very possible in SAP and a technique that is frequently used.


The original link you have provided describes exactly the scenario that I pointed out when I said:

"However (and this links to the thread you linked) if you have 2 different transactions which share a common controlling object, the above combination would give you D 1000, Cr Ch 2000 for both transaction 1 and transaction 2. What it would not give you is transaction 1 Display 1000 and transaction 2 Cr Ch 2000"

Which is the same principle as the SDN scenario (I put the important bit in bold):

FB60 (Vendor Invoice) – ONLY Company Code 1001
FB70 (Customer Invoice) – ONLY Company Code 1002
FB50 (Journal Entry) – ONLY Company Code 1003

We have these 3 transactions in separate roles and have assigned the roles to an individual user, and this scenario results in the following:
• FB60, FB70 & FB50 For ALL Company Codes specified (i.e. 1001, 1002 & 1003)

The issue is these transactions all share the Authorization Object F_BKPF_BUK and so it seems to take the combination of all three


You are not comparing like for like, which is where your confusion is coming from. Where you have an authorisation set (e.g. F_BKPF_BUK ACTVT 01,02 BUKRS 2000) then it will apply to all transactions which use it. In the above situation FB50,60,70 would be able to create and change for comp code 2000. If you add another authorisation set (F_BKPF_BUK ACTVT 03 BUKRS 1000) then FB50,60,70 would be able to create and change for 2000 and display for 1000.

What it cannot do is let FB50 create for 1000, FB60 create for 2000 and FB70 display for 3000 as they all share a common object.
http://www.turnkeyconsulting.com/
Al.
 
Posts: 3050
Joined: Tue Feb 25, 2003 5:35 am
Location: London
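
The evaluation described in the post above, as a simplified Python model added here (not SAP code and not from any participant in the thread): a check passes when one authorization covers every requested field value, and every transaction that checks F_BKPF_BUK gets the same answer. The function names, the sample user and the MERGED contrast are assumptions made for illustration.

```python
# Simplified model of how a check against F_BKPF_BUK is evaluated.
# Added illustration, not SAP code; the role contents are constructed samples.

def authority_check(authorizations, obj, **required):
    """Pass if ONE authorization for obj covers every required field value."""
    for auth_obj, fields in authorizations:
        if auth_obj != obj:
            continue
        if all(required[f] in fields.get(f, ()) or "*" in fields.get(f, ())
               for f in required):
            return True
    return False

def can_execute(authorizations, tcode, actvt, bukrs):
    """Transaction start check (S_TCODE) plus the shared object check."""
    return (authority_check(authorizations, "S_TCODE", TCD=tcode)
            and authority_check(authorizations, "F_BKPF_BUK",
                                ACTVT=actvt, BUKRS=bukrs))

TCODES = ("S_TCODE", {"TCD": {"FB50", "FB60", "FB70"}})

# Two separate authorizations, with the values quoted in the post
SEPARATE = [
    TCODES,
    ("F_BKPF_BUK", {"ACTVT": {"03"}, "BUKRS": {"1000"}}),
    ("F_BKPF_BUK", {"ACTVT": {"01", "02"}, "BUKRS": {"2000"}}),
]

# Constructed contrast: the same values placed in ONE authorization
# permit every ACTVT/BUKRS pairing (the cross product).
MERGED = [
    TCODES,
    ("F_BKPF_BUK", {"ACTVT": {"01", "02", "03"}, "BUKRS": {"1000", "2000"}}),
]

def access_matrix(authorizations):
    """Return the set of (tcode, actvt, bukrs) combinations that pass."""
    return {(t, a, b)
            for t in ("FB50", "FB60", "FB70")
            for a in ("01", "02", "03")
            for b in ("1000", "2000")
            if can_execute(authorizations, t, a, b)}
```

Comparing `access_matrix(SEPARATE)` with `access_matrix(MERGED)` is a quick way to review whether a role's field values were maintained as separate authorizations or collapsed into one.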

Re: SAP authorization post & display in different company codes

Postby mm0000 » Fri Sep 21, 2012 11:59 am

Al,

What I am saying is that if you give:

Role1
S_TCODE - FB01
F_BKPF_BUK ACTVT - 01
F_BKPF_BUK BUKRS - 1000

Role2
S_TCODE - FB03
F_BKPF_BUK ACTVT - 03
F_BKPF_BUK BUKRS - 2000

If both the above roles are assigned to a user, the user will be able to post a document to both company codes 1000 and 2000. You cannot restrict creation of document for one company code and only display document for another company code.
mm0000
 
Posts: 9
Joined: Wed Sep 08, 2004 1:09 am

Re: SAP authorization post & display in different company codes

Postby gauts99 » Fri Sep 21, 2012 12:51 pm

You're either missing something or trolling. Not sure which option is more pathetic at this point. This is Security 101.
gauts99
 
Posts: 48
Joined: Mon Mar 06, 2006 8:45 pm
Location: Ottawa, Ontario

Re: SAP authorization post & display in different company codes

Postby Al. » Sat Sep 22, 2012 1:47 am

mm0000,

We are in agreement. Your initial question referred to a different (albeit related) auths behaviour.
http://www.turnkeyconsulting.com/
Al.
 
Posts: 3050
Joined: Tue Feb 25, 2003 5:35 am
Location: London

Re: SAP authorization post & display in different company codes

Postby mm0000 » Sat Sep 22, 2012 4:37 am

Al,

Sorry for the confusion if there was any. I did think that the extract from the SAP Help file was saying that you could create authorizations allowing a user to create a document in one company code and only display documents in another company code which went against how I understood authorizations worked in SAP. Specifically the last sentence in the extract -

'For example, you can restrict the creation and changing of documents to one company code, but permit the display of documents in other company codes.'

The extract was from SAP Version 4 help file, so I was wondering whether authorizations worked in the way mentioned in the help file in Version 4.0b, however since there is no 4.0b system currently available, I could not check it. So that is why I posted the query in this forum to check whether anybody was aware on whether this was the way authorizations worked from 4.0b.
mm0000
 
Posts: 9
Joined: Wed Sep 08, 2004 1:09 am

Re: SAP authorization post & display in different company codes

Postby Al. » Sat Sep 22, 2012 12:47 pm

Auths generally worked the same in the various 4.0 as they do now (but roles were called responsibilities & lots of people still used profiles). The statement from SAP is as true now as it is then & as standard we can't split between tcodes that share the single object. If it is that important it is a relatively simple fix (usually) to add in an additional check through the enhancement framework. Another view is that the users are accessing common functionality (as defined by the auth object) and therefore the risk is not always so high as to mandate a preventative control.
http://www.turnkeyconsulting.com/
Al.
 
Posts: 3050
Joined: Tue Feb 25, 2003 5:35 am
Location: London

