Restrict Users to post in specific GL

Hi Experts,

We have a business requirement to restrict users from posting in a specific GL account. We have almost achieved the requirement through the SAP standard authorization group “F_BKPF_BES” for all desired FI Tcodes except the T-code F110.

We have checked “Maintain the Assignments of Authorization Objects” under Transaction code SU24 and did not find the transaction code F110.

So we cannot restrict the GL through authorization object “F_BKPF_BES” for transaction code F110.

We have come through the different SCN links and found the OSS note "528727 ( F110: BTE Authorize. check in maintenance of proposal run) " to implement the BTE "1860". We have implemented the requested BTE in the DEV environment and put a break point in the function module with the help of the technical team. But the system is not taking us to the program of F110. Hence, we are not able to write our own logic in the program.

Regards,

Mohammed Kalim


2 Answers

  • Best Answer
    Posted on Jan 15, 2016 at 11:34 AM

    I have never seen any client restricting the F110 like this. Either you should revisit your business requirements or there must be some misunderstanding of what needs to be achieved.

    On the one hand you are giving F110, and on the other you said it cannot be posted to certain. These accounts are driven by configuration, hence you do not have any control. There is no point in restricting them for certain users.


    • Hi Kalim,

      To me this looks more like a design issue than SAP functionality. You should keep such accounts, which are being used in the configuration for F110 postings, free from restrictions. F110 is a more automated transaction code; it might not check what you are looking for.

      You should restrict the roles by transaction codes / activity. You should have clear segregation of duties. If you keep your security design simple, then there would not be a problem. The more validations / restrictions you bring into the system, the more hurdles you will create for the users.

  • Former Member
    Posted on Jan 13, 2016 at 08:07 AM

    Hi, your question is not clear?

    You mixed 2 different things: 1. Auth check during posting of an FI document, 2. Auth check during the payment proposal run. Also, as far as I remember, payment proposal creation is a background process, therefore you can't use a breakpoint here; of course there are some tricks for how to debug it.


    • Dear Ajay,

      First I wanted to thank you for showing special attention to my issue.

      We have a requirement to restrict users from posting in bank clearing accounts, meaning only certain users can post to these accounts. To achieve the requirement, we have created a role with authorization object "F_BKPF_BES" with activity "01" and authorization group "ZCSC" and assigned the authorization group "ZCSC" in GL master data. The role is working fine for all the desired FI Tcodes except Tcode F110.

      We have checked the "Assignment for the objects" under Tcode SU24 for authorization object "F_BKPF_BES" and did not find the Tcode F110. Hence, F110 will not work for the created role.

      To achieve the requirement for Tcode F110, I am looking for a BADI or Exit or BTE where we can directly put the authorization object into the program.

      I have already implemented the BTE 1860, 1830, 1120, 2110 but the system is not taking us to the function module while executing Tcode F110. After going through the different SCN links I came to know that break points do not work for background job Tcodes.

      Could you please suggest how we should handle the BTE for this type of Tcode, or any workarounds to achieve the requirement?

      Looking forward to your kind help in advance.

      Regards,

      Mohammed Kalim
