Enterprise Resource Planning Blogs by Members
Gain new perspectives and knowledge about enterprise resource planning in blog posts from community members. Share your own comments and ERP insights today!
cancel
Showing results for 
Search instead for 
Did you mean: 

Authorization Group

The four-character authorization group provides another level of protection to objects beyond permitted activities (e.g., create, change, display, delete). To carry out an action against an object with authorization group requires a user to have a role with maintained values for the combination of activity and authorization group.

ℹ While authorization group functionality is the same in retail, terminology can differ. Differences are shown in brackets [ ]. E.g., material [article].

Use

In materials [articles] management master data, authorization group is checked with five (5) authorization objects:

  1. M_MATE_MAR (Material [Article] Types)
  2. M_MATE_WGR (Material Groups [Merchandise Categories])
  3. M_MATE_MAT (Materials [Articles])
  4. M_MATE_CHG (Batches/Trading Units)
  5. M_MATE_CHP (Batch Record)

When performing authority checks against the above authorization objects, a value for data element BEGRU (Authorization Group) is found in the below locations:

Authorization ObjectTableField

M_MATE_MAR

T134BEGRU

M_MATE_WGR

T023BEGRU

M_MATE_MAT

MARABEGRU

M_MATE_CHG

MARABEGRU

M_MATE_CHP

MARABEGRU

Table 1: Authorization object to table/field mapping


Prerequisites

  1. Gather information from the business on their security requirement(s) with regards to material [article] master and/or batch records
  2. Determine if authorization groups will be a solution for the requirement(s). If yes, then proceed.
  3. Work with your SAP security administrator to understand existing activities that users have access to with regard to material [article] master and/or batch records
  4. Based on the business requirements and input from the security admin, put together a design that covers the following, as needed:
    • Configuration
    • Development
    • Master data
    • Role maintenance / authorization objects

ℹ Appendix A shows a simple example of a matrix that might be used for authorization groups at a material [article] type level. A similar matrix could be used for material groups [merchandise categories] or materials [articles].

Setup

Authorization groups can be directly assigned to material [article] types and material groups [merchandise categories] through configuration, and materials [articles] through maintenance of the material [article] master. Batches rely on the authorization group assigned to the material [article] master.

ℹ One-time configuration may be needed to make authorization group visible on the material [article] master screen. This is covered in the Materials [Articles] section.

Setup Option 1: Material [Article] Type

A required field in material [article] creation that groups materials [articles] together. Its configured attributes control how a [an] material [article] assigned to it is used. E.g., whether a [an] material [article] will have internal or external number assignment, if the material [article] is configurable, what sections ("user departments") will be shown, how valuation will be determined, etc.

Authorization Group Assignment

Assignment of an authorization group to material [article] type is done through configuration

  • Configuration options
    • Transaction OMS2 - double-click on material [article] type

    • Transaction SM34 - View cluster MTART (Maintain material [article] types)

    • IMG: Logistics - General > Material Master > Basic Settings > Material Types > Define Attributes of Material [Article] Types

  • Data dictionary information
    • Table T134 (Material [Article] types)
    • Field BEGRU (Authorization group in the material [article] master)
    • Data element BEGRM
    • Domain BEGRM

:!: Domain BEGRM includes value table TMBG (Material [Article] Master: Authorization Groups). This is a customizing table; however, it plays no role in the five authorization objects listed above. In addition, it is not used to provide a list of allowed values on screens where authorization group is used. See Appendix B for more information on this topic.

Step 1

Enter an authorization group for the material [article] type in the Authorization group field

     Screenshot 1: Material [article] type configuration

Step 2

Repeat Step 1, as needed

:!: Determine if unused material [article] types should be left blank or assigned an authorization group (e.g., Z999) that will not be used in role maintenance. (See Caution below for further information.)


Step 3

Save this configuration

Step 4

Update authorizations for authorization group M_MATE_MAR

Here is an example of a role that has only display access to material [article] types with authorization group Z001, but full access to material [article] types with authorization group Z002.

     Screenshot 2: Role maintenance - setting values for M_MATE_MAR authorization object

:!: Caution: Material [Article] types with no authorization group will skip the M_MATE_MAR authority check. (The highlighted code below shows the authority check function only being called if BEGRU is provided.) The same is true for the others... A material group [merchandise category] with no authorization group will skip M_MATE_WGR. A material [article] with no authorization group will skip M_MATE_MAT, M_MATE_CHG, and M_MATE_CHP.

     Screenshot 3: READ_MATERIALTYPE

Setup Option 2: Material Group [Merchandise Category]

A field in material [article] creation that allows for the grouping of materials [articles] with similar attributes. E.g., software, hardware, etc.

Authorization Group Assignment

Assignment of an authorization group to a material group [merchandise category] is done through configuration

  • Configuration options
    • Transaction OMSF
    • Transaction SM30 - Maintenance view V023 (Material groups [Merchandise Categories])
    • IMG: Logistics - General > Material Master > Settings for Key Fields > Define Material Groups [Define Merchandise Categories]
  • Data dictionary information
    • Table T023 (Material groups [Merchandise categories)
    • Field BEGRU (Authorization group in the material [article] master)
    • Data element BEGRU
    • Domain BEGRU

Step 1

Enter an authorization group for the material group [merchandise category] in the Authorization group field

     Screenshot 4: Material group [Merchandise category] configuration


Step 2

Repeat Step 1, as needed

:!: Determine if unused material groups [merchandise categories] should be left blank or assigned an authorization group (e.g., Z999) that will not be used in role maintenance.


Step 3

Save this configuration

Step 4

Update authorizations for authorization group M_MATE_WGR

Setup Option 3: Materials [Articles]

Alphanumeric key uniquely identifying a [an] material [article]

Authorization Group Assignment

Assignment of an authorization group to materials [articles] is done through the material [article] master.

ℹ A new SAP install has Authorization Group hidden on the material [article] master Basic Data 1 screen. If the field is not visible, then follow the steps in the Configuration section below.

  • Configuration
    • Transaction OMSR
    • IMG: Logistics - General > Material Master > Field Selection > Assign Fields to Field Selection Groups
    • Click on the Field Name field selection button
    • Type MARA-BEGRU
    • Click Field Selection Maintenance icon to the right of the selection group number
    • Find Field Reference MM01 and MM02, and set to Required or Optional

     Screenshot 5: Field selection maintenance

  • Data dictionary information
    • Table MARA (General Material [Article] Data)
    • Field BEGRU (Authorization group in the material [article] master)
    • Data element BEGRU
    • Domain BEGRU

Step 1

Enter an authorization group for the material [article] in the Authorization group field of the Basic Data 1 screen

Step 2

Save material [article] master


Step 3

Repeat Steps 1 and 2, as needed

Step 4

Update authorizations for authorization group M_MATE_MAT

Setup Option 4: Various combinations of options above

:!: Using more than one option outlined above is allowed; however, this adds complexity. Be sure that the design is well documented and maintained as changes are made.

Appendix A: Sample matrix for material [article] type authorization groups

     Table 2: Sample matrix for authorization groups by material [article] type

Appendix B: Table TMBG

As described above, "Domain BEGRM includes value table TMBG (Material [Article] Master: Authorization Groups). This is a customizing table; however, it plays no role in the five authorization objects listed above. In addition, it is not used to provide a list of allowed values on screens where authorization group is used."


All five authorization groups described in this document use the same authorization fields: ACTVT (Activity) and BEGRU (Authorization Group). As shown in the Screenshot 6 below, the BEGRU authorization field uses the BEGRU data element, and has no linkage to table TMBG. In addition, notice that there is no search help; therefore, clicking on the drop-down icon when adding values to the authorization group field when maintaining an authorization object will not show any values from TMBG or any other area (see Screenshot 7).


:!: Modifications to standard SAP are possible to change this behavior. If this is required, then proceed with caution.


Table TMBG is accessed from function module TMBG_SINGLE_READ, which is then accessed from function module MARA_BEGRU. Notice in Screenshot 8 the EXIT statement in MARA_BEGRU. This EXIT statement is always hit; therefore, the call to TMBG_SINGLE_READ (further down in MARA_BEGRU) will never be called.


     Screenshot 6: Authorization field setup for field BEGRU


     Screenshot 7: Adding values to field BEGRU; drop-down will not show any values


     Screenshot 8: EXIT in function module MARA_BEGRU

ℹ Information provided is based on IDES install of ECC 6.0 EhP 7

Labels in this area