Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Showing results for 
Search instead for 
Did you mean: 

F_LFA1_BEK - access to specific vendor

christian_mayr
Explorer
0 Kudos

Hello,

my first posting....hope someone has an answer...

We need to give 2 users transaction FBL1N (vendor line items) with only access to 2 specific vendors.

As far as we know there is no authority object for the vendor account number itself.

So we thought we can use object F_LFA1_BEK. We entered an authorization group (LFA1-BEGRU) to this 2 vendors and added this group to F_LFA1_BEK. So far so good.

Problem is now that it is still possible to access all vendors where no authorization group is maintained in the vendors master record. (No authorization group is the default case and it is not possible to add another one the other vendors)

Is it possible to achieve this with F_LFA1_BEK or is there any other solution?

Thanks a lot!

Christian

1 ACCEPTED SOLUTION

martin_voros
Active Contributor
0 Kudos

Hi,

unfortunately, the authorization check for object F_LFA1_BEK is not performed if BEGRU is blank. Hence you get all accounts without authorization group. If you want to use F_LFA1_BEK then you need to assign a dummy authorization group to all accounts. Don't forget that you will have to give to all your roles access to this group. Another solution would be find a suitable BADI or enhancement point where you could perform additional authorization check. Have a look at BADI FAGL_ITEMS_CH_DATA.

Cheers

4 REPLIES 4

martin_voros
Active Contributor
0 Kudos

Hi,

unfortunately, the authorization check for object F_LFA1_BEK is not performed if BEGRU is blank. Hence you get all accounts without authorization group. If you want to use F_LFA1_BEK then you need to assign a dummy authorization group to all accounts. Don't forget that you will have to give to all your roles access to this group. Another solution would be find a suitable BADI or enhancement point where you could perform additional authorization check. Have a look at BADI FAGL_ITEMS_CH_DATA.

Cheers

0 Kudos

Hi,

thanks!

Like I wrote, assigning a group to all vendors is not possible. Adapting the roles would not be the problem but getting the users to maintain the group for each vendor is not applicable.

I will check the BADI you told me next week.

Regards,

Christian

0 Kudos

Hi Christian

Assigning an auth group to all vendors is the standard approach and the majority of companies do this (especially where there are employee vendors). Why is this not possible when it is the standard solution to a common problem?

0 Kudos

Hi Alex,

of course it is possible to do it that way and we already use the LFB1-BEGRU to restrict access to specific vendors.

But we have a lot of different accounting groups and a lot of users who create/maintain vendors each being responsible for one or more accounting groups. And furthermore this is relevant for 2 company codes.

And what I haven't mentioned yet: This also needed for customers (FBL5N).

So you are right it is possible and it is the standard way but in our case currently too much effort.

Thanks.

Christian