Skip to Content
avatar image
Former Member

Restricting the posting period to particular users

hi ,

we have a requrement to restrict the posting periods to limited users only .

when i tried doing it in ob52 , there they say we need to give the authorization group for that particular posting period .

the auth .object 'F_BKPF_BUP' has been assigned with full auth for all the users in our company .

now how to do this . this is my first assignment is security , kindly help me to solve this

Add comment
10|10000 characters needed characters exceeded

  • Follow
  • Get RSS Feed

2 Answers

  • Best Answer
    Sep 02, 2008 at 09:02 AM

    Hi,

    If you read the documentation for OB52 and object F_BKPF_BUP then it gives you all the info you need to know.

    Basically the FI team need to put authorisation groups against the posting periods & put a process in place to maintain the OB53

    You need to remove all access to F_BKPF_BUP except to roles which require it & then amend the object in the relevant roles with the correct auth groups as defined by the functional team.

    It is often seen that a role containing only F_BKPF_BUP + correct auth group is created and assigned only to the users requiring it. F_BKPF_BUP is then inactivated in all other roles.

    Add comment
    10|10000 characters needed characters exceeded

    • Former Member Former Member

      >

      > OB52 field is free form, so you dont' have to configure the auth group. As long as you have the exact same values in OB52 and PFCG then it works.

      I haven't ever tried this for OB52, but if you activated S_TABU_LIN for the TBRG object field and there is no reason to grant the other objects to be selected, then the F4 might filter the others out.

      I am aware that this does not always work for all F4 help functions, but it might work in this case (for TBRG)?

      Cheers,

      Julius

  • avatar image
    Former Member
    Sep 04, 2008 at 03:28 PM

    In OB52 under the AuGrp section, it is free form. If the business puts some values in there you can control it by the object 'F_BKPF_BUP'.

    In the past, I've deactivated the object 'F_BKPF_BUP' out of all transactions in su24 by changing the value to C instead of CM.

    Then after expert mode generation of the roles in order to remove 'F_BKPF_BUP' I've created some posting period roles with just the object 'F_BKPF_BUP' in it with the values corresponding to the OB52 table. Then you can control who has access to what posting period authorization group.

    An example would be that on the 1st of the month all people with posting access would have access to XXX1 auth group. They could then post for the next month but not the previous month. Then group xxx2 could post for the previous month for 1-4 days and and the corporate team/closers xxx3 could post for up to 5 days (or how long it takes to close) without it impacting the bulk of users.

    Additionally, instead of deactivating the object in all tcodes you could just put in the value for end users to post to the next month and create the special roles for the people that can post outside of the current period. All in all, it needs to be controled in OB52 and the object 'F_BKPF_BUP'

    Add comment
    10|10000 characters needed characters exceeded