Maintain Authorizations

You define an authorization by listing the operational objects allowed (for example, company code or business area) and the editing functions allowed (for example, create, change, delete) for a standard authorization object. You can always define several authorizations for each authorization object.

For each authorization object, you can assign authorizations on one or more independent levels. This restricts access to documents depending on, for example, the company code, business area, document type, account type and account. There is an authorization object for each level which determines how you enter the corresponding authorizations.

An example of an authorization object is "Accounting document: Company code authorization". With this standard authorization object, two specifications are required to assign authorization:

A list of the company codes where documents can be processed

A list of the activities permitted for document processing in the above-mentioned company codes.

The possible activities are defined in the system. You can find the activities and their keys for each authorization object in the TACTZ table.

Most authorization objects have a similar structure, that is, two specifications are necessary for each object. The first specification lists values for a field in the object to be protected (company code for example) and the second lists a series of activities. Via this combination, you can differentiate the permitted activities distinctly. For example, you can restrict the creation and changing of documents to one company code, but permit the display of documents in other company codes.

Defining authorizations

The assignment of authorizations is divided into three groups:

General authorizations, with which you specify the functions that an employee may carry out. In this authorization, you can specify that an employee cannot change the system configuration, for example.

Organizational authorizations, on the level of the organizational units with which you specify the activities that are permitted in the organization units. These authorizations can be seen as a restriction of the general authorizations. If an employee can post documents, for example, you can specify the company codes or business areas where this is possible via these authorizations.

Functional authorizations, with which you can restrict activities to certain account types, accounts or master records. These authorizations can be seen as a restriction of the general authorizations. If an employee can post documents, for example, you can specify the document types or accounts where this is permitted via these authorizations.

You can assign general authorizations for the individual functions defined in the standard system.

You can assign organizational authorizations for:

Company codes

Business areas

You can assign functional authorizations, for example, for the account type, the document type or the customer, vendor or G/L account.

Checking the general authorization

If you want to prevent an employee from carrying out certain functions, you can do this by assigning a general authorization. The system checks this authorization when the employee selects a function and prevents him or her from carrying out the function if no corresponding authorization exists.

Example: The authorization object "Accounting document: Company code authorization" has been assigned to the function for posting documents. When you select this function, the system checks whether you have authorization to post documents (activity 01) in at least one company code. Posting is only permitted to employees who are allowed to post in at least one company code.

With the organizational and functional authorizations, you further limit this general authorization.

Checking the organizational and functional authorizations

When an employee attempts to carry out an activity, the system checks whether he or she

Is permitted to carry out the activity for the specified organizational units (company code and business area)

Has the required functional authorizations.

These authorization checks are always carried out after a user makes an entry. If all authorization checks were passed successfully, the next activity can be carried out. Otherwise, the system rejects further processing.

Note

You can protect customer and vendor master record fields from being changed using the "Customer: Change authorization for certain fields" and "Vendor: Change authorization for certain fields" authorization objects. You can read about which requirements have to be fulfilled for this in the chapters on the topic Prepare to change customer master records and Prepare to change vendor master records.

When assigning authorizations for one-time accounts, you should note that master data is entered during document entry with the one-time account method. If you want to limit the processing of master data using the assignment of authorizations, you must take this into consideration.

Authorization objects in Financial Accounting

The Financial Accounting component contains predefined authorization objects. These are described in the following. You define authorizations for these objects by entering the required values in the fields for the objects. If you do not want any restrictions, you can enter * in the corresponding field.

Caution: Authorization groups are contained in certain authorization objects. These objects have been defined to protect individual master records, accounts or document types. If you do not require this special protection, you need not define any authorizations for these objects. By omitting these authorizations, the processing options of your employees are not restricted. For all other authorization objects, you must assign authorizations to enable processing with the objects.

Authorization objects

For customer master data:

F_KNA1_APP application authorization

F_KNA1_BUK company code

F_KNA1_BED account authorization

F_KNA1_KGD account group

F_KNA1_AEN change authorization for certain fields

For vendor master data:

F_LFA1_APP application authorization

F_LFA1_BUK company code

F_LFA1_BEK account authorization

F_LFA1_AEN change authorization for certain fields

For G/L account master data:

F_SKA1_BUK company code

F_SKA1_KTP chart of accounts

F_SKA1_BES account authorization

For banks:

F_BNKA_BUK company code

F_BNKA_MAN general maintenance authorization

Note You can create, display and change bank master records with a specific function or from the maintenance screen for customer or vendor master records. Therefore, you should also give authorization for bank master records to the employees who maintain customer and vendor master records.

For credit management:

F_KNKA_KKB credit control area

F_KNKA_MAN general maintenance authorization

F_KNKA_AEN change authorization for certain fields

For account analysis for customers:

F_KNB1_ANA account analysis

Using the account analysis, you can gain an overview of: the total open items, the statements and interest, the credit limit and the payment history.

For accounting document:

F_BKPF_BLA document type

F_BKPF_BUK company code

F_BKPF_BUP posting period

F_BKPF_GSB business area

F_BKPF_KOA account type

F_BKPF_BED customer accounts

F_BKPF_BEK vendor accounts

F_BKPF_BES G/L account

F_BKPF_VW default values for changing document type and posting keys

You can protect the user activities that affect accounting documents from different viewpoints. On the one hand, you can specify the organizational units (such as company code, business area) in which an employee may post or display a document. On the other hand, you can define authorization for posting and processing documents from the point of view of the accounts.

You should note the following special features of authorization objects for accounting documents:

With automatic postings, the system does not carry out an authorization check for business areas and accounts. Therefore, these authorizatons only take effect with manually-entered line items.

Authorizations for document types and business areas are not taken into consideration for display functions and for reporting. That is, line items are always displayed in lists for all document types and for all business areas.

Line items for which an employee has no authorization are suppressed when displaying and changing documents. The system indicates the missing authorization with a message.

The authorization check for business areas is carried out when posting and changing documents, but not when displaying them. You use this authorization check for posting and changing, to avoid incorrect entries.

For account assignment model

F_KMT_MGMT authorization for maintenance and usage

For financial statement

F_T011 general maintenance authorization

For planning

F_T011_BUK authorization for company codes

For payment program

F_REGU_BUK company code

F_REGU_KOA account type

The system contains special activitiy keys for defining authorizations, which apply only to the payment program. You can call them up via the Environment menu option on the request screen for the payment run. When you define authorizations, you specify the required activities with the keys. When defining the authorizations, you can combine the activities with company codes and/or account types.

Example: An employee starts the payment program centrally and the payment run (production run) is carried out. In each company code, an accounts payable accounting clerk should be able to display and process the payment proposal. You define a profile for which all activities are permitted for the payment program. You define a second profile with which you assign authorization to process and display the payment proposal.

For dunning program

F_MAHN_BUK company code

F_MAHN_KOA account type

The system contains special activity keys for defining authorizations, which only apply to the dunning program. You can call them up via the Environment menu option on the request screen for the dunning run. When you define authorizations, you specify the required activities with the keys. When defining the authorizations, you can combine the activities with company codes and/or account types.

Example: An employee starts the dunning program centrally. In each company code, an accounts receivable accounting clerk should be able to display and process the dunning proposal. You define a profile for which all activities are permitted for the dunning program. You define a second profile with which you assign authorization to process and display the dunning proposal.

For check management:

F_PAYR_BUK action authorization for company codes

For information system

F_T060_ACT account type/evaluation view

For payment advice management:

F_AVIK_BUK company code

F_AVIK_AVA payment advice types

For financial calendar:

F_T011E schedule

For Financial Accounting programs:

S_PROGRAM ABAP: program run checks

You can assign authorizations for running a program in Financial Accounting, which includes scheduling it as a background job, using this authorization object.

The object consists of the following fields:

ABAP/4 program authorization group

Here you specify the name of the program groups for which a user has authorization. In Financial Accounting, these are the groups F_001 (for all programs which make changes to the database, such as batch input, automatic clearing), F_002 (for all programs which delete or archive objects), F_003 (mass reversal of documents).

ABAP/4 programm user input

Here you enter the permitted operations. Possible values are, for example, SUBMIT (run program) and BTCSUBMIT (schedule program for background processing).

You can find this authorization object within the "Basis development environment" object class. Otherwise, carry out the general authorization maintenance in the same way as for FI authorization objects.

Customizing authorizations

The specifications which you make when configuring the Financial Accounting module are stored in tables. For assigning authorizations, the configuration tables are grouped into authorization groups. You can assign tables to authorization groups as you wish.

For example, the tables for the payment program have been assigned to authorization group FC12 and the tables for the organizational units in Financial Accounting to group FC01.

You assign authorization for the tables and therefore for configuration by specifying the required authorization classes and activities (maintenance and display) for table maintenance (under the "Basis - Administration" object class for the authorization object. You can assign authorization to tables not belonging to any authorization group via the group "NC".

If you want to change the standard allocation of tables, you should take into consideration that there are tables which may need to be maintained by the accounting clerks. These include, for example, the table with the exchange rates for foreign currencies. Consequently, these individual accounting clerks require authorization to maintain these tables. These tables have therefore been grouped together in separate groups in the standard system (FC31 for posting periods, FC32 for exchange rates, FC24 and FC35 for available amounts).

Standard settings

The standard system has authorizations which are specially adapted to Financial Accounting. These authorizations which are grouped together in SAP standard profiles, generally give authorization for all organizational units.

Example

You need to define authorizations for Accounts Receivable in a company with several company codes. Authorizations for accounts receivable accounting clerks, who are responsible for different company codes or business areas, often only differ when company codes or business areas are listed in the objects (organizational authorizations). Authorizations referring to account types, document types and bank data processing (functional authorizations), however, are always differentiated. Therefore, it is recommended not to group all authorizations into one profile for an accounts receivable clerk, but instead to set up one profile for assigning company code-specific or business area-specific authorizations and one profile for all further authorizations.

To do this, you define the following profiles:

DEBI_0001 for company code 0001

DEBI_0002 for company code 0002

DEBI_0003 for company code 0003

DEBI_ALL for the functional authorizations that are identical for all accounts receivable accounting clerks.

Two profiles are assigned to each employee. For example, you would assign profiles DEBI_0001 and DEBI_ALL to an accounts receivable accounting clerk in company code 0001.

With the profile DEBI_0001, you assign authorization for all activities in customer master records and customer accounts in company code 0001. The master records in company code 0002 can be displayed only. For all further activities in this company code, do not assign any authorization.

The corresponding profile for company code 0001, DEBI_0001, is as follows:

Authorization object for customer master records in the company code: You assign all authorizations for customer master records in company code 0001. For company code 0002, you assign the display authorization only.

Authorization object for accounting documents in the company code: In company code 0001, you permit all activities since all work with the documents needs to be carried out for this company code. For company code 0002, you assign the display authorization only.

Authorization object for G/L account master records in the company code: For G/L accounts in company code 0001, you also assign all authorizations.

For all other company codes, you define corresponding profiles. Via a functional authorization profile, you can also specify which general master record functions are permitted and which account types can be posted. You can assign this profile to all accounts receivable accounting clerks.

With the profile DEBI_ALL, you assign a general maintenance authorization for master records. You also assign authorization to post to all customer accounts and G/L accounts as well as authorization to process the documents posted to these accounts.

The corresponding profile DEBI_ALL is as follows:

Authorization object for general customer master record maintenance: You assign all authorizations for customer master records. By doing this, an employee can create, display, change, block or mark customer master records for deletion. An employee can also display change documents. Since you only maintain accounting data in your accounts, you assign the above-mentioned authorizations for the Financial Accounting application.

Authorization object for bank master records: So that accounts receivable accounting clerks can display their customers' bank master records, you assign the display authorization for bank master records.

Authorization object for accounting document and account type: You assign all authorizations for the account types D (customer) and S (G/L account).

Activities

You specify authorizations for the individual workplaces by defining authorizations for the standard authorization objects. You define an authorization by listing the permitted business attributes (such as company code or business area) and the permitted activities (such as create, change or delete) for a standard authorization object. You can define several authorizations for each authorization object.

Select the object for which you want to define one or more authorizations from the list of authorization objects. Via Authorization -> Create, you can define new authorizations by entering the required values in the predefined fields.

You can use the standard authorizations and change them as necessary to meet your own requirements.

Notes on transporting

You transport authorizations as follows:

1. Display the list of authorizations.

2. Select the object class.

3. Choose Authorization -> Transport.

4. Select the authorizations you wish to transport.

5. Confirm your selections and enter the correction number.

Additional information

You can find further information on authorizations in the R/3 Basis online documentation. Here you select the "System Administration" area. Then select the "Users, authorizations, system security" document.

The authorization objects are also documented online. To find this documentation, select the "Financial Accounting" object class from the list of object classes within the SAP system. Then position the cursor on a particular authorization object and select Utilities -> Documentation.

By means of Utilities -> Technical name, you can display the technical name for each authorization object. By means of Utilities -> Display fields, you can find out which values can be entered when defining a standard authorization object. This generally includes the list of permitted business objects (such as company code) and of permitted activities (such as create, change and delete).