The four-character authorization group provides another level of protection to objects beyond permitted activities (e.g., create, change, display, delete). To carry out an action against an object with authorization group requires a user to have a role with maintained values for the combination of activity and authorization group.
ℹ While authorization group functionality is the same in retail, terminology can differ. Differences are shown in brackets [ ]. E.g., material [article].
In materials [articles] management master data, authorization group is checked with five (5) authorization objects:
When performing authority checks against the above authorization objects, a value for data element BEGRU (Authorization Group) is found in the below locations:
Authorization Object | Table | Field |
---|---|---|
M_MATE_MAR | T134 | BEGRU |
M_MATE_WGR | T023 | BEGRU |
M_MATE_MAT | MARA | BEGRU |
M_MATE_CHG | MARA | BEGRU |
M_MATE_CHP | MARA | BEGRU |
Table 1: Authorization object to table/field mapping
ℹ Appendix A shows a simple example of a matrix that might be used for authorization groups at a material [article] type level. A similar matrix could be used for material groups [merchandise categories] or materials [articles].
Authorization groups can be directly assigned to material [article] types and material groups [merchandise categories] through configuration, and materials [articles] through maintenance of the material [article] master. Batches rely on the authorization group assigned to the material [article] master.
ℹ One-time configuration may be needed to make authorization group visible on the material [article] master screen. This is covered in the Materials [Articles] section.
A required field in material [article] creation that groups materials [articles] together. Its configured attributes control how a [an] material [article] assigned to it is used. E.g., whether a [an] material [article] will have internal or external number assignment, if the material [article] is configurable, what sections ("user departments") will be shown, how valuation will be determined, etc.
Assignment of an authorization group to material [article] type is done through configuration
Transaction OMS2 - double-click on material [article] type
Transaction SM34 - View cluster MTART (Maintain material [article] types)
IMG: Logistics - General > Material Master > Basic Settings > Material Types > Define Attributes of Material [Article] Types
:!: Domain BEGRM includes value table TMBG (Material [Article] Master: Authorization Groups). This is a customizing table; however, it plays no role in the five authorization objects listed above. In addition, it is not used to provide a list of allowed values on screens where authorization group is used. See Appendix B for more information on this topic.
Step 1
Enter an authorization group for the material [article] type in the Authorization group field
Screenshot 1: Material [article] type configuration
Step 2
Repeat Step 1, as needed
:!: Determine if unused material [article] types should be left blank or assigned an authorization group (e.g., Z999) that will not be used in role maintenance. (See Caution below for further information.)
Step 3
Save this configuration
Step 4
Update authorizations for authorization group M_MATE_MAR
Here is an example of a role that has only display access to material [article] types with authorization group Z001, but full access to material [article] types with authorization group Z002.
Screenshot 2: Role maintenance - setting values for M_MATE_MAR authorization object
:!: Caution: Material [Article] types with no authorization group will skip the M_MATE_MAR authority check. (The highlighted code below shows the authority check function only being called if BEGRU is provided.) The same is true for the others... A material group [merchandise category] with no authorization group will skip M_MATE_WGR. A material [article] with no authorization group will skip M_MATE_MAT, M_MATE_CHG, and M_MATE_CHP.
Screenshot 3: READ_MATERIALTYPE
A field in material [article] creation that allows for the grouping of materials [articles] with similar attributes. E.g., software, hardware, etc.
Assignment of an authorization group to a material group [merchandise category] is done through configuration
Step 1
Enter an authorization group for the material group [merchandise category] in the Authorization group field
Screenshot 4: Material group [Merchandise category] configuration
Step 2
Repeat Step 1, as needed
:!: Determine if unused material groups [merchandise categories] should be left blank or assigned an authorization group (e.g., Z999) that will not be used in role maintenance.
Step 3
Save this configuration
Step 4
Update authorizations for authorization group M_MATE_WGR
Alphanumeric key uniquely identifying a [an] material [article]
Assignment of an authorization group to materials [articles] is done through the material [article] master.
ℹ A new SAP install has Authorization Group hidden on the material [article] master Basic Data 1 screen. If the field is not visible, then follow the steps in the Configuration section below.
Screenshot 5: Field selection maintenance
Step 1
Enter an authorization group for the material [article] in the Authorization group field of the Basic Data 1 screen
Step 2
Save material [article] master
Step 3
Repeat Steps 1 and 2, as needed
Step 4
Update authorizations for authorization group M_MATE_MAT
:!: Using more than one option outlined above is allowed; however, this adds complexity. Be sure that the design is well documented and maintained as changes are made.
Table 2: Sample matrix for authorization groups by material [article] type
As described above, "Domain BEGRM includes value table TMBG (Material [Article] Master: Authorization Groups). This is a customizing table; however, it plays no role in the five authorization objects listed above. In addition, it is not used to provide a list of allowed values on screens where authorization group is used."
All five authorization groups described in this document use the same authorization fields: ACTVT (Activity) and BEGRU (Authorization Group). As shown in the Screenshot 6 below, the BEGRU authorization field uses the BEGRU data element, and has no linkage to table TMBG. In addition, notice that there is no search help; therefore, clicking on the drop-down icon when adding values to the authorization group field when maintaining an authorization object will not show any values from TMBG or any other area (see Screenshot 7).
:!: Modifications to standard SAP are possible to change this behavior. If this is required, then proceed with caution.
Table TMBG is accessed from function module TMBG_SINGLE_READ, which is then accessed from function module MARA_BEGRU. Notice in Screenshot 8 the EXIT statement in MARA_BEGRU. This EXIT statement is always hit; therefore, the call to TMBG_SINGLE_READ (further down in MARA_BEGRU) will never be called.
Screenshot 6: Authorization field setup for field BEGRU
Screenshot 7: Adding values to field BEGRU; drop-down will not show any values
Screenshot 8: EXIT in function module MARA_BEGRU
ℹ Information provided is based on IDES install of ECC 6.0 EhP 7
User | Count |
---|---|
3 | |
2 | |
2 | |
2 | |
2 | |
2 | |
2 | |
2 | |
1 | |
1 |