Skip to Content
avatar image
Former Member

Link between end-user field and authorization object

Hi experts,

I am having a hard time finding the information below, so if anyone can help me that will be great.

I am trying to link the field an end-user handles and the associated authorization object.

Here are the details :

My starting point is specific fields of a transaction and my end point is the users associated to them.

For example I want to find out which users can create or modify the Bank Key and Bank accounts (BANKL and BANKN of LFKB table) you can find in the payment transaction section of the vendor master record.

I need to know which authorization objects are behind as well as which Tcodes, this way I will be able to identify the roles using the authorization object/tcode and in the end the users who can access them.

Surfing on the discussions I found a lot of information on different Tcodes and tables (SU24, SUIM, PFCG, TOBJ, TACTZ, AUSOBT, TSTCA, etc.) but nothing that can bring me from the field technical name to the list of roles and therefore end users.

Thank you all for your help.

Sanddie

Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

4 Answers

  • Sep 10, 2013 at 10:51 PM

    Hi,

    there is is no such a link. The fields of authorization objects can't be directly mapped to the database fields. The logic is built into applications. For example object M_BEST_BSA. It controls access to PO based on document type. Just giving authorization for this object is not going to give access to all POs. There are additional checks performs such as if user has access for a site and so on. There might be some more objects that control access on more granular level (e.g. access to pricing on PO).

    In your case we are talking about vendor which can be modified in transaction XK02. So you can see a list of all proposed object for this transaction in SU24. The object F_LFA1_AEN might be interesting for you. You can get more info about this object in SU21.

    Cheers

    Add comment
    10|10000 characters needed characters exceeded

  • avatar image
    Former Member
    Sep 11, 2013 at 04:41 AM

    Hi Sanddie,

    Sanddie wrote:

    "I need to know which authorization objects are behind as well as which Tcodes,this way I will be able to identify the roles using the authorization object/tcode and in the end the users who can access them."

    Have you approached your functional consultants to get the list of Master Data related tcodes?

    They are the right point of contact to give you the List of all Master Data tcodes.

    E.g (XK,XD,FD,VD,MM,OX,FS) 01,02, VK11,VK12, FS00, etc...list goes on...

    Then your task starts with SUIM.

    Cheers,

    Rama

    Add comment
    10|10000 characters needed characters exceeded

  • avatar image
    Former Member
    Sep 11, 2013 at 06:32 AM

    Next best would be the F1 key and navigate to the technical field object to be able to where-used-list it. But that is not scalable.

    It is easier to get to know the authorization objects more intimately. All 4000 of them will however keep you busy for a while. Having funky consultants who also understand authorizations for their modules helps a lot..

    Cheers,

    Julius

    Add comment
    10|10000 characters needed characters exceeded

  • avatar image
    Former Member
    Sep 11, 2013 at 05:17 PM

    For the table restriction you can search the table authorization group to which the specific table is assigned and restrict all your roles to this authorization group.

    Regarding the transactions that give access to this functionality, it is best to restrict the authorization objects below instead on focussing on the transaction codes. In tis case, if you are missing the one or more transactions, it will not be a real problem because the required authorization objects are restricted properly.

    Add comment
    10|10000 characters needed characters exceeded