Skip to Content

SAP MDG Authorisations mix-up

We have problems to control the user authorizations for master data, if a user ID is assigned authorization for different master data processes for several accounting groups in a mixed MDG and non-MDG environment (i.e. the major Vendor account groups are managed via MDG, the rarely used account groups like plants or intercompany Vendors are managed directly in our SAP ECC system).

In SAP for granting a user change access to company code data a transaction assignment (in this case XK01/02) plus one or more objects with change authority (in this case Vendor: Account Group Authorization and Vendor: Authorization For Company Codes) are required.


- A User he has XK01/02 assigned for maintaining YCUS directly in ECC including change objects

- The same user is a MDG Requestor/Approver for YIND having change objects as described above.

This is where it goes bad: SAP mixes this together in the user buffer as transaction authorisations are NOT linked to objects. In result the user was able to maintain YIND directly using XK02.

The solution currently proposed by SAP is Business Transaction Events (BTE). As we have not had too much experience with implementation of BTEs a question to the MDG community (might also be a question to the authorisations community in general…):

Has anyone experience with implementation of the BTE in an MDG authorisations context?

Any issues / lessons learned with these BTEs & authorisations?

Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

4 Answers

  • Jan 17, 2017 at 09:28 AM


    Have you tried the below option -

    1. In MDG and ECC, assign a separate role to this user id or

    2. Create 2 sets of roles - 1 for ECC and 1 for MDG. And assign them to different user id's

    With this I think it will work.


    Add comment
    10|10000 characters needed characters exceeded

  • Jan 19, 2017 at 09:46 AM

    Hey Kiran,

    many thanks for your Feedback. But the issue is that one and the same User is supposed to manage Supplier master data. For one Vendor Account Group via MDG CR and for another Vendor Account Group directly with XK02 in ECC. Accordingly the same user ID will need both authorisations/roles.

    The authorisations are then mixed in the user buffer.

    I am pretty sure I have posted this answer to you already yesterday, but somehow it disappear overnight :-(

    Many thanks + Best Regards


    Add comment
    10|10000 characters needed characters exceeded

  • Jan 19, 2017 at 01:23 PM

    Hi Klaas,

    Set allowed account groups in the authorization object and enhance code in the ECC side to read auth obj values and throw error message if user tries to access other types.

    Thank you!

    Add comment
    10|10000 characters needed characters exceeded

    • Hi Loga,

      Thanks a lot for the feedback, your approach is something we have also considered. It seems it would also fulfill our requirement.

      If I understand correctly, your proposal would mean adding a customer object to SAP standard authorisations?

      If so, this would also be something not yet done in our MDG environment…same as the BTEs.

      Thx Klaas

  • Feb 07, 2017 at 11:57 AM

    Hi everyone, thanks to all Folks who submitted Feedback.

    To wrap this Topic up: We have implemented the Business Transaction Event functionality.

    This now prohibits the direct maintenance of certain Customer and Vendor account Groups to be directly maintained in ECC. In an exception table we have maintained firefighter user IDs. Therefore all Standard Business Partner maintenance now Needs to go via SAP-MDG.

    Best Regards


    Add comment
    10|10000 characters needed characters exceeded