Restrict G/L account access

0 Kudos

Dear Gurus,

We are trying to restrict view access to data on the basis of G/L account for end users via a report which displays the following data from tables BSIS and BSAS:

1: Company Code
2: G/L Account
3: Acc. Document Number
4: Document Type
5: Cost Center
6: Profit Center
7: Posting Date
8: Document Date

In the report we have included authorization checks for the authorization objects below in order to restrict via G/L account:

1: F_BKPF_BES
2: F_SKA1_BES

We have maintained the authorization group in the G/L account via transaction FS00 --> Control data --> Authorization group.
The authorization group we created via T-code SE56.

We have assigned authorization to a test user for the report and the above mentioned authorization objects (say activity 03 and authorization group ZZZZ) with a new role and assigned only that role to the user.

But when the user is executing the report, he is able to see the data from G/L accounts which have a different authorization group maintained, say YYYY, and from G/L accounts which do not have an authorization group assigned to them, hence violating the authorization checks.

We have gone through many SCN threads but did not find a satisfactory solution.

Regards

1 ACCEPTED SOLUTION

ThomasZloch
Active Contributor
0 Kudos

Yes, please post the relevant code.

Look at FM AUTHORITY_ACCOUNT how it uses buffering to reduce the actual authorization checks (keeps the trace small). You can actually use it as is for the F_BKPF_BES check, not sure if there is a similar one for F_SKA1_BES.

Accounts without authorization group are not checked at all by the standard, you should be consistent there. So if you have ZZZZ in your profile, you should not see YYYY, but all those without a group assigned.

Thomas

Former Member
0 Kudos

Perhaps a silly question and too obvious, but where did you locate your authority-check and did you react to the return code?

Some folks check explicit values from the selection screen input but allow select-options...

You must use the result of the authority-check to select the data, or select the data and remove the records which are not authorized.

But anyway... there are a lot of standard reports for data in these tables. They don't always respect account groups out of the box, but if you got the master data fields maintained correctly (SKA1) and select based on that which the user is authorized for then it should work.

Please post your code (not all of it, just the relevant parts and infos about where it is called from)!

Cheers,

Julius

0 Kudos

The guru is actually checking two objects which are both optional and have different semantics.

SKA1 is for the account master data reporting including balances.

BKPF is for the navigation into the document.

In both cases, F_SKA1_BUK and F_BKPF_BUK are the primary objects respectively. They should ideally be checked as well before the optional BEGRU objects.

@ "Basis TCS": Did you consider using an LDB for your report? Perhaps a query or a standard report would fulfil the requirement?

Or is this just an academic exercise which TCS gave you as a task?

Cheers,

Julius

0 Kudos

Hi All,

Access to G/L accounting data can be controlled from within an ABAP program. Follow these steps to resolve the issue:

1. Create an authorization group using T Code SE54

2. Maintain the Authorization group in FS00 -> Control data tab.

3. Maintain the relevant authorizations at user profile level

4. Include the following check in the custom program and control the data flow based on the return code (lv_begru stands for the authorization group read from the G/L account master; the original post showed it as a placeholder).

    " lv_begru holds the authorization group from the G/L account master
    AUTHORITY-CHECK OBJECT 'F_BKPF_BES'
      ID 'BRGRU' FIELD lv_begru
      ID 'ACTVT' FIELD '03'.
    IF sy-subrc <> 0.
      " single quotes: a double-quoted string in ABAP would be a comment
      MESSAGE 'No Authorization' TYPE 'E'.
    ENDIF.

5. The G/L Account master data needs to be maintained with the relevant Authorization groups.

Hope it helps.

Best Regards,

Ashok


0 Kudos

Dear Julius,Thomas and Ashok

Thanks a ton for your help !!!!!

I appreciate all of you for spending your precious time.

We included code mentioned by Ashok in program and it worked fine.

Dear Julius

We got clue after your suggestion and we looked again in our program !!!

It was not an exercise, we were having this as a new requirement from our client, and from the SAP security perspective I have an idea of the basic things, so overall it was a good learning for me as well !!!

Thanks again to all of you.

Cheers !!!!!!

0 Kudos

Out of curiosity, did you check the input values only or not react to the return code?

I collect some statistics on this. Select-options with empty fields is winning so far (if LDBs are not used).

Cheers,

Julius

0 Kudos

Dear Julius

We followed the sequence below:

1 : The G/L account master data needs to be maintained with the relevant authorization groups.

2 : The authorization group (lv_begru in the code below) is picked from the G/L master data and validated using the following check:

    " lv_begru holds the authorization group read from the G/L master data
    AUTHORITY-CHECK OBJECT 'F_BKPF_BES'
      ID 'BRGRU' FIELD lv_begru
      ID 'ACTVT' FIELD '03'.
    IF sy-subrc <> 0.
      MESSAGE 'No Authorization' TYPE 'E'.
    ENDIF.

Answer to your question: Yes, we checked the G/L account group based on the G/L account entered by the user on the screen. If the user master data is maintained with the same authorization group we allowed him to access, otherwise he will get the message "No Authorization".

Regards
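The filtering approach Julius describes (select the data, then use the authority-check result to drop unauthorized records rather than validating only the account typed on the selection screen), combined with Thomas's hint to buffer one check per authorization group as FM AUTHORITY_ACCOUNT does, as an added example that is not code from any post in this thread. Assumptions: the group maintained under FS00 / Control data is SKB1-BEGRU, only BSIS is read, and the report and variable names are made up.

```abap
REPORT zgl_auth_filter_demo.
" Added example (not code from the thread): select BSIS items, look up each
" account's authorization group, check F_BKPF_BES once per group (buffered,
" as FM AUTHORITY_ACCOUNT does) and delete rows the user may not see.
" Assumption: the FS00 / Control data group is SKB1-BEGRU. Accounts with no
" group are kept, matching the standard, which does not check them.
TABLES: bsis.
SELECT-OPTIONS: s_bukrs FOR bsis-bukrs,
                s_hkont FOR bsis-hkont.   " may be left empty by the user
TYPES: BEGIN OF ty_item,
         bukrs TYPE bsis-bukrs,
         hkont TYPE bsis-hkont,
         belnr TYPE bsis-belnr,
         budat TYPE bsis-budat,
       END OF ty_item,
       BEGIN OF ty_auth,
         begru TYPE skb1-begru,
         ok    TYPE abap_bool,
       END OF ty_auth.
DATA: lt_items TYPE STANDARD TABLE OF ty_item,
      lt_cache TYPE SORTED TABLE OF ty_auth WITH UNIQUE KEY begru,
      ls_auth  TYPE ty_auth,
      lv_begru TYPE skb1-begru.
FIELD-SYMBOLS: <ls_item> TYPE ty_item.

START-OF-SELECTION.
  " Select first: validating only the screen input misses accounts that an
  " empty or wide S_HKONT range lets through.
  SELECT bukrs hkont belnr budat FROM bsis INTO TABLE lt_items
    WHERE bukrs IN s_bukrs AND hkont IN s_hkont.
  LOOP AT lt_items ASSIGNING <ls_item>.
    SELECT SINGLE begru FROM skb1 INTO lv_begru
      WHERE bukrs = <ls_item>-bukrs AND saknr = <ls_item>-hkont.
    IF sy-subrc <> 0 OR lv_begru IS INITIAL.
      CONTINUE.                     " no group maintained: keep the row
    ENDIF.
    READ TABLE lt_cache INTO ls_auth WITH TABLE KEY begru = lv_begru.
    IF sy-subrc <> 0.               " first time this group is seen
      AUTHORITY-CHECK OBJECT 'F_BKPF_BES'
        ID 'BRGRU' FIELD lv_begru
        ID 'ACTVT' FIELD '03'.
      ls_auth-begru = lv_begru.
      ls_auth-ok    = boolc( sy-subrc = 0 ).
      INSERT ls_auth INTO TABLE lt_cache.
    ENDIF.
    IF ls_auth-ok = abap_false.
      DELETE lt_items.              " not authorized for this group
    ENDIF.
  ENDLOOP.
```

Because the check runs once per distinct group rather than once per line item, the authorization trace (ST01 / STAUTHTRACE) stays short, which is the buffering effect Thomas points at.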

0 Kudos

Hi,

Please activate the trace and find out from which authorization object the auth group authorization is getting to the user ID,

and also check the auth group provided in "S_TABU_DIS", because normally table authorization comes from this authorization object.

Regards,

Lokeshwar.

0 Kudos

Dear Lokeshwar

Thanks for your reply. My problem is already resolved. Also, I updated the solution I followed.

Regards