
Restrict display and posting for specific document types

Former Member
0 Kudos

Hi,

Is it possible to restrict display and posting for specific document types? I want to restrict authorization to the SM document type in the FS10N and KSB1 tcodes. Please help.

Best Regards,

KIRAN.

1 ACCEPTED SOLUTION

Former Member
0 Kudos

You can use object F_BKPF_BLA to restrict display and posting access for specific document types.

The object has the following fields:

Activity (ACTVT) = Input value 03 for display

Authorization group (BRGRU) = specific document types to be restricted. It can be freely defined by you.

Please change the SU24 check indicator status to "Check/maintain" for this object for tcode FS10N so as to pull the authorization object automatically when these are added to roles in PFCG.

As per my knowledge, Tcode KSB1 cannot be restricted on Document types but it can be restricted on Vendors (F_BKPF_BEK), Company codes (F_BKPF_BUK) or Account types (F_BKPF_KOA).

Thanks

Sandipan

11 REPLIES 11

arpan_paik
Active Contributor
0 Kudos

Hi Kiran,

Sandipan is right that for FI document types the object is F_BKPF_BLA. However, for these 2 transactions (FS10N, KSB1) I doubt whether they check for this object or not, as these transactions are for G/L Ac and cost center respectively.

Regards,

Arpan Paik

0 Kudos

Hi Arpan,

FS10N checks for this object ("Check" in SU24), but when the user does not have this authorization object he gets access to all doc types, and when the user is restricted to specific doc types (object present in user's authorization) he will get access to only those doc types. This is how the authorization check for F_BKPF_BLA works; in other words, this authorization is optional.

But KSB1 does not have any field for doc types and I doubt its program will be restricted for any doc type. But I found the below thread which discusses this topic for KSB1.


@Kiran: Please have a look at the SAP note mentioned in the note and see if it works then you may try adding F_BKPF_BLA to user's role with specific doc types and see if it really restricts.

Thanks

Sandipan

0 Kudos

Sandipan Choudhury wrote:

FS10N checks for this object ("Check" in SU24), but when the user does not have this authorization object he gets access to all doc types, and when the user is restricted to specific doc types (object present in user's authorization) he will get access to only those doc types. This is how the authorization check for F_BKPF_BLA works; in other words, this authorization is optional.

Sorry, but this is not true and seems to be an invention of how you would like it to work...

The coding works like this (generally):

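      if sy-subrc ne 0.            "preceding statement (not shown) returned non-zero
        "read the document type's entry, including its auth group, from T003
        select single * from  t003 where blart = postab-blart.
        check sy-subrc = 0.
        blrtab-blart = t003-blart.
        blrtab-brgru = t003-brgru.
        append blrtab.
      endif.
      if blrtab-brgru ne space.    "<--- important condition!!
        authority-check object 'F_BKPF_BLA'
             id 'BRGRU' field blrtab-brgru
             id 'ACTVT' field actvt.
        if sy-subrc ne 0.
          rcode = 4.               "authorization check failed
        endif.
      endif.
    endif.                         "closes an enclosing IF outside this excerpt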

The "optional" aspect is whether or not the document type has an auth group on it in T003, failing which the check is suppressed.

If it reaches the check, then it found something and then checks that selected value.

Moral of the story:

--> Do not believe SU53.

--> Do not make assumptions from ST01 traces.

--> Read the documentation carefully.

--> Read the code to see how it really works (you can jump to the coding location from the trace).

Cheers,

Julius
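
The control flow of the excerpt above, as an added Python model (not part of the original post and not SAP code). The auth groups `ZSM` and `ZAP`, the `T003` sample rows and all function names are constructed for illustration; value matching is simplified to exact values and `*` patterns, and activity `01` is used alongside the thread's `03` as a second activity.

```python
# Added illustration: a simplified model of the F_BKPF_BLA check flow quoted above.
# Constructed stand-in for table T003: document type (BLART) -> auth group (BRGRU).
T003 = {"SA": "", "SM": "ZSM", "KR": "ZAP"}   # "" = no auth group maintained


def covers(granted, value):
    """True if a granted value matches; exact or trailing-'*' patterns only (assumption)."""
    return any(
        g == value or (g.endswith("*") and value.startswith(g[:-1]))
        for g in granted
    )


def authority_check(auths, brgru, actvt):
    """Stand-in for AUTHORITY-CHECK: 0 if one authorization covers both fields, else 4."""
    for auth in auths:
        if covers(auth["BRGRU"], brgru) and covers(auth["ACTVT"], actvt):
            return 0
    return 4


def check_doc_type(auths, blart, actvt, t003=T003):
    """Return (rcode, reason) for one document type present in t003."""
    brgru = t003[blart]            # KeyError for unknown types: not modelled here
    if brgru == "":                # excerpt: 'if blrtab-brgru ne space' is false
        return 0, "check suppressed: no auth group in T003"
    if authority_check(auths, brgru, actvt) != 0:
        return 4, "denied: auth group " + brgru
    return 0, "authorized for auth group " + brgru


def audit(auths, actvt, t003=T003):
    """Effective result per document type for one user's F_BKPF_BLA authorizations."""
    return {blart: check_doc_type(auths, blart, actvt, t003) for blart in sorted(t003)}


if __name__ == "__main__":
    users = {
        "no F_BKPF_BLA at all": [],
        "display for ZAP only": [{"BRGRU": ["ZAP"], "ACTVT": ["03"]}],
    }
    for name, auths in users.items():
        for blart, (rcode, reason) in audit(auths, "03").items():
            print(f"{name:22} {blart} rcode={rcode} {reason}")
```

A user without any F_BKPF_BLA authorization passes only for the document type that has no auth group; the types with an auth group are denied, which is the behaviour the excerpt's `blrtab-brgru ne space` condition produces.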

0 Kudos

Hi Julius,

Thanks for sharing the code excerpt. The "optional" remark was to explain the concept you explained above based on SAP object documentation for F_BKPF_BLA from SU21.

Note

This authorization is optional. Therefore, you do not have to assign this authorization if no particular document types are to be protected.

When I wrote:

but when the user does not have this authorization object he gets access to all doc types

-

I referred to a case where no doc types in the system are protected via an auth group, but I mis-stated the fact that if there is an authorization group entered for a document type (for those which are to be specially protected via this auth object), users would need authorization to this auth object with appropriate field values. However, in case there are no such "protected" doc types, then we do not need to add this auth object to the user's role.

Thanks for the catch!

Sandipan

0 Kudos

Thanks for the catch!

Nope, I thank you!

Former Member
0 Kudos

Hi,

Check the below SAP note:

Note 150496 - F_BKPF_BLA: Authorization for document types

Regards,

Raghu

0 Kudos

Hi All,

Thanks for the solutions. The SAP note is giving some information. My actual requirement is to restrict the access in multiple FI tcodes. Can anyone help me with a detailed way? Sorry, I am new to security.

Regards,

KIRAN

0 Kudos

Hi Kiran,

I recommend that you first identify the tcodes in which you wish to restrict. If those tcodes don't check the authorization object, you may need to make them check/maintained.

Regards.

Raghu

0 Kudos

The best way to identify the authorization objects based on which you can restrict your tcodes is to execute the tcodes and use their functionalities on different screens extensively (or have an FI functional consultant execute them) in your system (you might need a user ID with some wider authorizations) and record the authorization objects being checked while using all the required functionalities within a tcode via a system trace (ST01). Then you can put the required field values for those objects in your role via PFCG to match your business requirement.

Refer to the wiki (http://wiki.sdn.sap.com/wiki/display/PLM/AuthorizationTraceintransactionST01) for detailed steps of using the ST01 trace. Make sure you are on the same application server as your user (tcode AL08) and switch app server if required via tcode SM51.

Also, check tcode SU24 or table USOBT_C for the list of check/maintained authorization objects attached to your tcodes; these objects are inserted into the role when tcodes are added to the PFCG role menu.

Thanks

Sandipan

Edited by: Sandipan Choudhury on Dec 28, 2010 9:05 PM

Former Member
0 Kudos

Thank you experts. I will go through the recommendations.