Former Member

Can we use I_BEGRP to restrict users from "blank" authorization group?

Hi - I see that there have been a lot of clever answers to authorizing in PM - I feel lucky today hoping to get your feedback on this :-)

In transaction code IH08 (display equipments) we want to restrict some users to certain equipments and have looked into the use of authorization groups and the authorization object I_BEGRP.

We have created a role with access to authorization group X and expected that the user would only view a list of relevant equipments assigned to this authorization group - but the list also contains all the equipments without authorization group X assigned - all the blank ones.

Is this an error in SAP - or is it just the way it is supposed to work?

- or have we missed something here?

Please, if you have any idea - don't hesitate to write - it is quite urgent :-)

Best regards

Jennifer McKay


3 Answers

  • Oct 19, 2015 at 03:13 PM

    Hello Jennifer,

    We have this situation and we filled all the Authorization Group fields with some values. We did not leave anything blank. I think there is no shortcut for this, meaning the Equipments with a blank BEGRP field will appear in any structure. They will not be filtered. BTW, I documented this topic some time ago: IH01 Structure Customizing beyond I_INGRP Authorization Object

    Good luck

    KJogeswaraRao


    • Former Member

      Hi, it was actually because of your document regarding "IH01 Structure Customizing ..." that I got the idea of writing on SDN - I got the feeling that there are some very highly skilled users in here :-)

      I have set up the authorizations and it works fine whenever we have typed in an authorization group on the master data. And it also ensures that users are only allowed to see / maintain the master data with the authorization groups that they have in their roles.

      I have worked with authorizations for many years and in some parts of SAP (on S_TABU_DIS - access to tables) it works in the way that if you need access to tables without authorization group, you need to be authorized to the authorization group = blank (' '). The use of authorization groups differs in SAP - and I was just hoping that it was working this way in EAM as well.

      For us it will be a major workload to update our master data with authorization group.

      Thanks for your reply.

      BR

      Jennifer

  • Oct 19, 2015 at 09:58 PM

    Greetings Jennifer,

    If I remember correctly, the Authorization Group for Equipments can only be used effectively if it is combined with a non-blank value in the Equipment master data. In other words, the Authorization Group prohibits anybody without the relevant I_BEGRP value from displaying or changing the Equipment - and if the value is left blank, then there is nothing to base this restriction on.

    As Jogeswara Rao Kavala said, I believe there are no shortcuts here - you'd need to have a role that would allow the display of Equipments with I_BEGRP = 'Y' to assign to all users, then a role with I_BEGRP = 'X' to some users only, and then each and every Equipment would have to have a non-blank value of either X or Y to the Authorization group.


    This could necessitate configuring the Authorization Group screen field as mandatory for IE01/IE02 t-codes and also maintenance for the value for existing Equipments, e.g. via IBIP.


  • Oct 19, 2015 at 03:26 PM

    Hello Jennifer Ilum Mckay,

    I'm not an expert on this, but I can recommend verifying in transaction "s_bce_68001425" whether this object is combined with other roles for the same user.

    And if you add another authorization group "Y" to one equipment, does it appear?

    Good luck,

    Xavier



    • Former Member

      Hi Xavier

      Thank you for your reply.

      No, if I add another authorization group 'Y' the user will not be able to access these master data. So in that way it works fine.

      BR

      Jennifer
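
The behaviour the answers above describe, as an added Python model that is not part of the thread and not SAP code: the authorization group is only compared when the equipment record carries a non-blank value, so blank records stay visible to every role until they are maintained. The CSV export, its column names and the function names are assumptions made for this illustration, and the sample rows are constructed.

```python
import csv
import io

# Constructed sample export: equipment number and its authorization group.
# Column names are hypothetical, not an SAP table layout.
SAMPLE_EXPORT = """equipment,auth_group
10000001,X
10000002,
10000003,Y
10000004,X
10000005,
"""


def load_equipment(text):
    """Parse the export into (equipment, auth_group) tuples, trimming blanks."""
    rows = csv.DictReader(io.StringIO(text))
    return [(r["equipment"].strip(), (r["auth_group"] or "").strip()) for r in rows]


def visible_to(equipment, user_groups):
    """Model of the reported behaviour: the group comparison only happens
    when the master record carries a non-blank authorization group."""
    return [eq for eq, grp in equipment if grp == "" or grp in user_groups]


def unprotected(equipment):
    """Records with a blank group: visible whatever the role contains, so this
    is the worklist to maintain before the restriction becomes effective."""
    return [eq for eq, grp in equipment if grp == ""]


def visible_after_fill(equipment, user_groups, default_group):
    """Repeat the check after assigning default_group to every blank record,
    as the second answer proposes (X for the restricted set, Y for the rest)."""
    filled = [(eq, grp or default_group) for eq, grp in equipment]
    return visible_to(filled, user_groups)


if __name__ == "__main__":
    equipment = load_equipment(SAMPLE_EXPORT)
    print("role with X sees:        ", visible_to(equipment, {"X"}))
    print("blank records to fix:    ", unprotected(equipment))
    print("role with X after fill Y:", visible_after_fill(equipment, {"X"}, "Y"))
```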