Business Partner General Data Authorization


Introduction:

In SAP, a Business Partner (BP) represents an individual or organization involved in business processes, and it is used to manage master data such as customers and vendors. Business partner general data like name and address are maintained in one place and then can be extended into roles like customer or vendor based on business needs.

To control access to this general data, SAP provides authorization objects such as B_BUPA_FDG, B_BUPA_RLT, B_BUPA_ATT, and B_BUPA_GRP. However, understanding how these work in real business scenarios can be confusing.

In this blog, we will explore these authorization objects in a practical way using simple examples.

 

Basic Information on Authorization object in SAP

Authorization Objects are used to restrict the access given to a user.

The major components of the authorization concept are as follows:

Authorization object class: It is a container that encapsulates a number of authorization objects. It has no functional importance beyond this encapsulation, which makes authorization objects easier to administer. Classes are created in transaction SU21. The authorization class AAAB contains the authorization objects for Business Partners.

SU21 Transaction

Authorization objects: They are at the heart of the authorization concept. They are the objects that implement actual authorization. They can be looked upon as function modules that import certain values and return a SY-SUBRC value which tells whether or not a user is authorized to access a particular value. Authorization objects can be created with the transaction SU21. They have the following structure:

Object: Name of the object
Class: The name of the class to which the above object belongs
Fields: It can accommodate a maximum of 10 fields. These fields, along with their data elements, have to be created in transaction SU20. This transaction also takes the table name for the data element entered, which will be used to provide F4 help. The values that can then be assigned to these fields in PFCG can be set here using the PERMITTED VALUES push button.

In the context of Business Partners, there are 4 main authorization objects provided under the standard release:

B_BUPA_FDG
B_BUPA_RLT
B_BUPA_ATT
B_BUPA_GRP

Generally, the administrator creates a role to grant the required authorizations to users.

Log in with the admin user.
Create a single role in PFCG to manage Business Partner (BP) authorization.
PFCG (Profile Generator) is an SAP transaction used to create roles that control user authorizations in the system.

After creating the role, add the BP transaction in the Menu tab.

In the Authorization tab, click on ‘Propose profile name’ to generate the profile name and text.

Then click on ‘Change Authorization Data’.
Since we have assigned the BP transaction, the system generates the authorization objects related to BP automatically; there is no need to add them manually.

Save and generate.

Create a Test User in SU01: ZUSER_TEST.
Note: Creating a test user ensures that access behaves as expected. 

Then in the User tab in PFCG, add the created user and click on User Comparison.

Click on Full Comparison.

Log in with the test user and open the BP transaction (since we have assigned the transaction, the user has access to open it).

We can observe that the create buttons are disabled: the test user doesn’t have access to create BPs.
This is because every business partner is initially created with the general role, and the user doesn’t have access to the general role.

We can assign the general role to the test user under the B_BUPA_RLT authorization object.

 

B_BUPA_RLT:

Exclusively used for managing access to roles. In the authorization role for a particular user, the names of the BP roles to which he should have access are entered. When this user runs the BP transaction, he sees only the roles for which he has authorization.

In this section, we will see how to maintain the B_BUPA_RLT authorization object.

Add the general role (000000) in PFCG and provide ACTVT under B_BUPA_RLT.

Note: the ACTVT values are:

01 for Create
02 for Change
03 for Display
04 for Display in Value Help
06 for Delete

Save and generate.

Now the create buttons are enabled. Click on create, fill in the mandatory fields, and save.
Business partners are created in the general role by default.

Now let’s say we need to provide access to extend the business partner to the MKK (Contract partner) role.
We can choose the MKK role from the dropdown to extend.

Only the roles assigned to a user are visible in the dropdown. Therefore, to ensure the required access, the MKK role must be assigned to the user.

(With the admin user) Add the MKK role in PFCG under B_BUPA_RLT.

So now the test user will have access to create MKK.

Save.

Let’s say we want to restrict that user from changing business partners with the MKK role, while keeping full access to the general role.
Click on Manually and add B_BUPA_RLT.

Maintain the MKK role and provide create authorization.

Now MKK will appear in the dropdown.

Select the MKK role and try to change.

An error message is raised since there is no authorization to change.
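
An authorization object is evaluated in ABAP with AUTHORITY-CHECK, which sets SY-SUBRC. The report below is an added example, not part of the original post, that checks the B_BUPA_RLT results described above for ZUSER_TEST. The report name and the field name RLTYP are assumptions (ACTVT is from the post); confirm the object's fields in SU21.

```abap
REPORT zbp_rlt_auth_matrix.
* Added example, not from the original post.
* Assumption: B_BUPA_RLT carries the fields RLTYP (BP role) and ACTVT;
* confirm the field names in SU21 before running.

CONSTANTS gc_user TYPE sy-uname VALUE 'ZUSER_TEST'.

TYPES: BEGIN OF ty_case,
         rltyp    TYPE c LENGTH 6,
         actvt    TYPE c LENGTH 2,
         expected TYPE abap_bool,
       END OF ty_case,
       ty_cases TYPE STANDARD TABLE OF ty_case WITH EMPTY KEY.

* Expected results taken from the walkthrough: the general role 000000
* may be created and changed, MKK may be created but not changed.
DATA(gt_cases) = VALUE ty_cases(
  ( rltyp = '000000' actvt = '01' expected = abap_true  )
  ( rltyp = '000000' actvt = '02' expected = abap_true  )
  ( rltyp = 'MKK'    actvt = '01' expected = abap_true  )
  ( rltyp = 'MKK'    actvt = '02' expected = abap_false ) ).

DATA gv_mismatches TYPE i.

LOOP AT gt_cases INTO DATA(gs_case).
  " Evaluates the named user's authorizations, not those of the user
  " running the report.
  AUTHORITY-CHECK OBJECT 'B_BUPA_RLT' FOR USER gc_user
    ID 'RLTYP' FIELD gs_case-rltyp
    ID 'ACTVT' FIELD gs_case-actvt.
  DATA(gv_subrc)   = sy-subrc.
  " 0 means authorized, any other value means the check failed.
  DATA(gv_allowed) = xsdbool( gv_subrc = 0 ).

  DATA(gv_verdict) = COND string( WHEN gv_allowed = gs_case-expected
                                  THEN `as expected` ELSE `MISMATCH` ).
  IF gv_allowed <> gs_case-expected.
    gv_mismatches = gv_mismatches + 1.
  ENDIF.

  WRITE: / gs_case-rltyp, gs_case-actvt, 'SY-SUBRC =', gv_subrc, gv_verdict.
ENDLOOP.

WRITE: / 'Mismatches:', gv_mismatches.
```

A MISMATCH on the MKK/02 row means the role grants change access to MKK through another authorization of the same object, since several authorizations for one object in a user's profiles are evaluated additively.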

 

B_BUPA_FDG

Consider a scenario where certain users should not have the access to change bank details in the BP transaction; this can be achieved using the B_BUPA_FDG authorization object.

Currently the user can edit the bank details.

To restrict the user from changing the bank details, open the BUCN transaction and the field group of Bank details.

Or SPRO → Cross-Application Components → SAP Business Partner → Business Partner → Basic Settings → Authorization Management → Define Field Groups Relevant to Authorizations.

To get the field group of Bank details, open the BP transaction and use the command BDT_ANALYZER.

After that, go to PFCG and restrict change access under B_BUPA_FDG.

Save and generate.

Open the BP in change mode with test user.

‘Bank details’ is non-editable.

 

 B_BUPA_ATT

Consider a scenario where a user is permitted to create Business Partners only when the country is Germany; this can be achieved using the B_BUPA_ATT authorization object.

To achieve this, go to SPRO → Cross-Application Components → SAP Business Partner → Business Partner → Basic Settings → Authorization Management → Maintain Authorization Types.

Create an authorization type.

Take the screen field name of country from the BP transaction.

Then in PFCG, provide the authorization type, the values, and ACTVT.

Open BP with the test user and create a BP with country DE.

The BP is created. Now try to create a BP with a different value for country.

An error message is raised because the country is IN.

 

B_BUPA_GRP

This object is used to group the BPs so that only a selected number of users can access these BPs. The value for the group is entered when a BP is created. The field is present in the ‘Control’ tab.

Consider a scenario where Business Partners are assigned to different authorization groups such as GRP1 and GRP2, and a user should be able to create, change, and display Business Partners in GRP1 while having display-only access to GRP2; this can be achieved using the B_BUPA_GRP authorization object.

Create 2 authorization groups, GRP1 and GRP2.

To achieve this, go to SPRO → Cross-Application Components → SAP Business Partner → Business Partner → Basic Settings → Authorization Management → Maintain Authorization Groups for Business Partner.

Create 2 BPs to demonstrate.

Give authorization group GRP1 to one BP in the Control tab.

And GRP2 to the other.

Now in PFCG, give access to GRP1 and GRP2.

Give display access to BPs that come under group GRP1 and all 3 accesses to GRP2.
So now the test user will only be able to display GRP1 BPs and will be able to create, change, and display GRP2 BPs.

Open the 12093 BP, which has GRP1 (display-only access).

The Change button is disabled for the test user.

If the user tries to create a BP with authorization group GRP1, an error message will be raised.


Open the 12094 BP which has GRP1 (Create, change and display access).


Test user can change the BP and can create.

 

Conclusion:

In conclusion, the B_BUPA_RLT, B_BUPA_FDG, B_BUPA_GRP, and B_BUPA_ATT authorization objects help control access to different aspects of Business Partner central data in SAP. Using these objects ensures that users have access only to what they are allowed, improving system control and data security.

 
