Skip to Content
avatar image
Former Member

#2. Restricting Changing of the Purchasing Group

Dear All,

Thank you very much for your answers. Actually I work as an auth person.

I know about roles, profiles, PFCG, SU24, SU53, auth objects and u2026, I have studied the courses SAPTEC, ADM940 and I am studying the course ADM950 right now. I am not a basic trainee!!

Before Dipanjan Sanpui posted, I myself have created a role and added the Tcodes ME51N, ME52N, MEMASSRQ, I have changed the field EKGRP in the auth obj M_BANF_EKG to 004. But when I tested my new role with a user who has only this role and no more auth this user could for example change the purchasing group of a purchasing requisition from 003 to 002.

I would like to be able to restrict a user (with purchasing group 004) of changing other purchasing groups (for example changing 002 to 003).

I hope that my question is clear enough right now and it will not be locked again.




Subject: Re: Restricting Changing of the Purchasing Group

Message: Hi,

The relationship of a Transaction ans it'd corresponding Authorization Objects is available in TCode SU24. So if you go there and put the Tcode MEMASSRQ and then execute then you will get the list of Objects available for this Tcode and their check proposals or more popularly known as Check Indicator.

Now from study of the available fields it is evident that the Object containing Purchasing Group as a Field (an Organization Level in nature) and also proposed to be maintained in Profile Generator (Check and Maintenance proposal = Yes) is M_BANF_EKG.

When you are adding the tcode in Role menu you will get this object for maintenance in Authorization data.

Subject: Re: Restricting Changing of the Purchasing Group

Message: Hi Salameh

Are you a basis or security/auths person? If basis then I (think) you are drifting into security either due to your client giving you incorrect work or the request has come to the wrong person (or...your client has only hired one person or more to do both basis and security).

4 months in SAP to know what the auth objects/tcodes/SoD issues are isn't enough to safely manage a security concept - is there anybody else in your department who you can go to to ask these sort of questions instead of posting on a forum? IMO I'd recommend sticking to basis if that is your speciality and you'll not be short of work, running role transports to prod without really understanding what/why is going to be painful for all concerned.

Best wishes


Subject: Re: Restricting Changing of the Purchasing Group

Message: Sorry, these forums are not a substitute for basic training.

This is your responsibility, or better said your customer's...

Thread locked.



Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

2 Answers

  • Best Answer
    avatar image
    Former Member
    Oct 18, 2010 at 07:10 AM

    Hi Salameh

    For ME51N I have tested the authorisation object M_BANF_EKG with it set to check/maintain in SU24 and the test role does restrict the test user correctly, setting SU24 to no check/not maintained allows the test user to create/change etc in other purchase groups than the one in the test role.

    Are your SU24 settings maintained correctly please?

    I would avoid giving users access to MEMASSRQ though - that doesn't appear to be restricted by anything bar S_TCODE in our 4.6 system.

    (Basis Support Package 59 for 4.6C release



    Add comment
    10|10000 characters needed characters exceeded

    • Former Member Former Member

      Hi Alex and Julius

      > I have learnt a great deal from SDN and try to put a bit of that back into such discussions


      too true - thanks for the advice 😊



      Edited by: David Berry on Oct 24, 2010 1:44 AM

      Edited by: David Berry on Oct 24, 2010 1:46 AM

      Edited by: David Berry on Oct 24, 2010 1:47 AM

  • avatar image
    Former Member
    Oct 16, 2010 at 02:20 PM

    Hi Salameh

    Please accept my apologies for assuming you were new to SAP security as I read your message saying 4 months familiar to SAP and being a BASIS person so I took it that you weren't familiar with S&A activities which you now say you are in and not BASIS.

    I can't test your issue until Monday, but I'll have a look then unless somebody else manages to resolve for you in the meantime

    Have a lovely weekend and best wishes


    Add comment
    10|10000 characters needed characters exceeded