Skip to Content

Exits in authorization checking (FI module)

Hello all,

I am using SAP R/3 version 4.7 and FI module.

I would like to know are there any exit can be called automatically when performing authorization checking.

I need to create some roles to control to authority for different users from different departments. To reduce the effort, I am thinking to create one common role, and then call the user-exits. Inside the user-exit, I can check by retrieving the authorization information from tables.

Are there any exit can be called when performing authorization checking?

Many thanks


Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

2 Answers

  • Aug 10, 2010 at 03:41 AM


    If you want to perform custom authorization checks for each FI posting then I would suggest to use FI validations. They are called for each FI posting and you can hook up your own routine for validation.

    But your approach with bespoke table is wrong and I highly recommend you to avoid z-tables with additional authorizations. Basically, you create another authorization source which you have to maintain. If you keep everything in roles then user management is easy. Another disadvantage is that you can't use CUA or IdM (Note: I guess that you can implement own custom step to manage custom records in z-table but it will significantly increase an implementation cost).


    Add comment
    10|10000 characters needed characters exceeded

  • avatar image
    Former Member
    Aug 10, 2010 at 06:52 AM


    Use master derive concept for authorization control and maintain data in orzanization levels

    Steps go to PFCG create Master role give necessary t codes then save it.

    then run transaction PFCG -->create derive roles and assigned master roles -->go to orzagination levels and maintain data like plant level,Shiping area,Shiping point etc as per requirment


    Manish Gupta

    Add comment
    10|10000 characters needed characters exceeded

    • I think they are advising not to mess about with FI exits and use derived role concept to simplify role admin.

      I've worked with a similar requirement for CO module and while it worked reasonably well when set up, cost many £'s and was not very cost effective if you compare it against other techniques that could have extended provisioning of roles based on other data sources.