Restriction BP transaction (by BP Grouping)

*******************************************************************************************************

IMPORTANT:                                                                                                                                             

The standard restriction with Authorization Object: B_BUPA_ATT does not works correctly (the BP transaction does not refresh the authorization error), the best way is create the restriction aith an Z authorization Object and a Badi:       *******************************************************************************************************        

The BP restriction by header field “Grouping”

We will use a Badi doing a check of authorities with an Z authorization object.

The steps to follow are:

1. We go to SU20 and we define a field ZGROUPING (this field will be use in the Z authorization object), we need add the name field and the elemend data:

2. Next go to SU21 and we will create a Z Authorization Object ZGROUPING using the field that we defined before

3. We go to transaction SE19, and next we will add the corresponding code in the Badi of the BP. We need to go SE19 and we will create an implementation of the Badi: BUPA_FURTHER_CHECKS called ZBUPA_FURTHER_CHECKS

4. The next step will be update the implementation created: ZBUPA_FURTHER_CHECKS, inside of it, we will go to tab “Interface” and double click in the method CHECK_CENTRAL:

5. It will open a code line where we need add the corresponding Authity-Check (using the Z authorization object created), I  used the following ABAP code:

   AUTHORITY-CHECK OBJECT ‘ZGROUPING’
                    ID ‘ZGROUPING’ FIELD iv_group.

    IF sy– subrc <> 0.
      MESSAGE e000(zish_pa ) WITH text– 001 iv_group.
    ENDIF .

6. We go to PFCG transaction and we need to create a Z test role  adding the BP transaction by role menu (I usually add XK03 and XD03 transactions too), we need complete all authorizations and add the ZGROUPING authorization object created, resticting the values that we need to restrict.

In this case, the role will have access to the following Groupings: ZBAN, ZDR1, ZDR2 and ZDR3

7. We need to create a Test user (into SU01 transaction) and we will asign the test role ZTEST (I usually add the standard role SAP_BC_ENDUSER to give access to basic transactions as SU53, etc.)

Note: Is possible that before assign the standard role SAP_BC_ENDUSER, we need generate the profile of this standard role.

8. We log-in with the test user and we go to BP transaction to force the authorization error. We need to create a Business Partner for the Grouping ZPAT (the test used dont has access to this Gropuing). Next we will create a Business Partner to Grouping ZDR1 (he has access to this Grouping), to check that the restriction works correctly.

I am displaying the SU53 transaction (with the authorization error):

Next, we will create a BP for ZDR1, the user should to have access:

Done, with this, we have created the required Grouping restriction into BP transaction.