Skip to Content
Author's profile photo Former Member

Restriction BP transaction (by BP Grouping)



The standard restriction with Authorization Object: B_BUPA_ATT does not works correctly (the BP transaction does not refresh the authorization error), the best way is create the restriction aith an Z authorization Object and a Badi:       *******************************************************************************************************        

The BP restriction by header field “Grouping”


We will use a Badi doing a check of authorities with an Z authorization object.

The steps to follow are:

1. We go to SU20 and we define a field ZGROUPING (this field will be use in the Z authorization object), we need add the name field and the elemend data:


2. Next go to SU21 and we will create a Z Authorization Object ZGROUPING using the field that we defined before


3. We go to transaction SE19, and next we will add the corresponding code in the Badi of the BP. We need to go SE19 and we will create an implementation of the Badi: BUPA_FURTHER_CHECKS called ZBUPA_FURTHER_CHECKS



4. The next step will be update the implementation created: ZBUPA_FURTHER_CHECKS, inside of it, we will go to tab “Interface” and double click in the method CHECK_CENTRAL:


5. It will open a code line where we need add the corresponding Authity-Check (using the Z authorization object created), I  used the following ABAP code:


    IF sy subrc <> 0.
MESSAGE e000(zish_pa ) WITH text 001 iv_group.


6. We go to PFCG transaction and we need to create a Z test role  adding the BP transaction by role menu (I usually add XK03 and XD03 transactions too), we need complete all authorizations and add the ZGROUPING authorization object created, resticting the values that we need to restrict.



In this case, the role will have access to the following Groupings: ZBAN, ZDR1, ZDR2 and ZDR3

7. We need to create a Test user (into SU01 transaction) and we will asign the test role ZTEST (I usually add the standard role SAP_BC_ENDUSER to give access to basic transactions as SU53, etc.)

Note: Is possible that before assign the standard role SAP_BC_ENDUSER, we need generate the profile of this standard role.


8. We log-in with the test user and we go to BP transaction to force the authorization error. We need to create a Business Partner for the Grouping ZPAT (the test used dont has access to this Gropuing). Next we will create a Business Partner to Grouping ZDR1 (he has access to this Grouping), to check that the restriction works correctly.


I am displaying the SU53 transaction (with the authorization error):


Next, we will create a BP for ZDR1, the user should to have access:



Done, with this, we have created the required Grouping restriction into BP transaction.

Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Sandip Kurewar
      Sandip Kurewar

      Will this solution also work in S4 HANA ?

      Author's profile photo Daniel Klein
      Daniel Klein

      Yes. You can still use the mentioned BAdI and custom auth object.

      However, question is WHY ...

      The standard restriction with Authorization Object: B_BUPA_ATT does not works correctly

      Note 2679963 gives an explanation and concludes:

      SAP does not recommend configuring authorizations for Number Grouping’(BUT000-BU_GROUP) using authorization object B_BUPA_ATT.

      Author's profile photo Mario Daniel Rios Leal
      Mario Daniel Rios Leal

      Buen Dia Alejandro,


      Agradeceria si me podrias apoyar, sabes tengo un requerimiento donde en la transaccion BP quieren limitar por TAB´s, es decir la pestaña de "Pagos" o "Payment Trasaction" no la puedan modificar.

      Sabes si hay un objeto con el cual se pueda limitar a este nivel o si se necesita realizar un UserExit?


      Agradeceria tu apoyo!