Skip to Content

Authorization Group

The four-character authorization group provides another level of protection to objects beyond permitted activities (e.g., create, change, display, delete). To carry out an action against an object with authorization group requires a user to have a role with maintained values for the combination of activity and authorization group.

ℹ While authorization group functionality is the same in retail, terminology can differ. Differences are shown in brackets [ ]. E.g., material [article].

Use

In materials [articles] management master data, authorization group is checked with five (5) authorization objects:

  1. M_MATE_MAR (Material [Article] Types)
  2. M_MATE_WGR (Material Groups [Merchandise Categories])
  3. M_MATE_MAT (Materials [Articles])
  4. M_MATE_CHG (Batches/Trading Units)
  5. M_MATE_CHP (Batch Record)

When performing authority checks against the above authorization objects, a value for data element BEGRU (Authorization Group) is found in the below locations:

Authorization Object Table Field

M_MATE_MAR

T134 BEGRU

M_MATE_WGR

T023 BEGRU

M_MATE_MAT

MARA BEGRU

M_MATE_CHG

MARA BEGRU

M_MATE_CHP

MARA BEGRU

Table 1: Authorization object to table/field mapping


Prerequisites

  1. Gather information from the business on their security requirement(s) with regards to material [article] master and/or batch records
  2. Determine if authorization groups will be a solution for the requirement(s). If yes, then proceed.
  3. Work with your SAP security administrator to understand existing activities that users have access to with regard to material [article] master and/or batch records
  4. Based on the business requirements and input from the security admin, put together a design that covers the following, as needed:
    • Configuration
    • Development
    • Master data
    • Role maintenance / authorization objects

ℹ Appendix A shows a simple example of a matrix that might be used for authorization groups at a material [article] type level. A similar matrix could be used for material groups [merchandise categories] or materials [articles].

Setup

Authorization groups can be directly assigned to material [article] types and material groups [merchandise categories] through configuration, and materials [articles] through maintenance of the material [article] master. Batches rely on the authorization group assigned to the material [article] master.

ℹ One-time configuration may be needed to make authorization group visible on the material [article] master screen. This is covered in the Materials [Articles] section.

Setup Option 1: Material [Article] Type

A required field in material [article] creation that groups materials [articles] together. Its configured attributes control how a [an] material [article] assigned to it is used. E.g., whether a [an] material [article] will have internal or external number assignment, if the material [article] is configurable, what sections (“user departments”) will be shown, how valuation will be determined, etc.

Authorization Group Assignment

Assignment of an authorization group to material [article] type is done through configuration

  • Configuration options
    • Transaction OMS2 – double-click on material [article] type

    • Transaction SM34 – View cluster MTART (Maintain material [article] types)

    • IMG: Logistics – General > Material Master > Basic Settings > Material Types > Define Attributes of Material [Article] Types

  • Data dictionary information
    • Table T134 (Material [Article] types)
    • Field BEGRU (Authorization group in the material [article] master)
    • Data element BEGRM
    • Domain BEGRM

❗ Domain BEGRM includes value table TMBG (Material [Article] Master: Authorization Groups). This is a customizing table; however, it plays no role in the five authorization objects listed above. In addition, it is not used to provide a list of allowed values on screens where authorization group is used. See Appendix B for more information on this topic.

Step 1

Enter an authorization group for the material [article] type in the Authorization group field

Image01.jpg

     Screenshot 1: Material [article] type configuration

Step 2

Repeat Step 1, as needed

❗ Determine if unused material [article] types should be left blank or assigned an authorization group (e.g., Z999) that will not be used in role maintenance. (See Caution below for further information.)


Step 3

Save this configuration

Step 4

Update authorizations for authorization group M_MATE_MAR

Here is an example of a role that has only display access to material [article] types with authorization group Z001, but full access to material [article] types with authorization group Z002.

Image02.jpg

     Screenshot 2: Role maintenance – setting values for M_MATE_MAR authorization object

❗ Caution: Material [Article] types with no authorization group will skip the M_MATE_MAR authority check. (The highlighted code below shows the authority check function only being called if BEGRU is provided.) The same is true for the others… A material group [merchandise category] with no authorization group will skip M_MATE_WGR. A material [article] with no authorization group will skip M_MATE_MAT, M_MATE_CHG, and M_MATE_CHP.

Image03.jpg

     Screenshot 3: READ_MATERIALTYPE

Setup Option 2: Material Group [Merchandise Category]

A field in material [article] creation that allows for the grouping of materials [articles] with similar attributes. E.g., software, hardware, etc.

Authorization Group Assignment

Assignment of an authorization group to a material group [merchandise category] is done through configuration

  • Configuration options
    • Transaction OMSF
    • Transaction SM30 – Maintenance view V023 (Material groups [Merchandise Categories])
    • IMG: Logistics – General > Material Master > Settings for Key Fields > Define Material Groups [Define Merchandise Categories]
  • Data dictionary information
    • Table T023 (Material groups [Merchandise categories)
    • Field BEGRU (Authorization group in the material [article] master)
    • Data element BEGRU
    • Domain BEGRU

Step 1

Enter an authorization group for the material group [merchandise category] in the Authorization group field

Image05.jpg

     Screenshot 4: Material group [Merchandise category] configuration


Step 2

Repeat Step 1, as needed

❗ Determine if unused material groups [merchandise categories] should be left blank or assigned an authorization group (e.g., Z999) that will not be used in role maintenance.


Step 3

Save this configuration

Step 4

Update authorizations for authorization group M_MATE_WGR

Setup Option 3: Materials [Articles]

Alphanumeric key uniquely identifying a [an] material [article]

Authorization Group Assignment

Assignment of an authorization group to materials [articles] is done through the material [article] master.

ℹ A new SAP install has Authorization Group hidden on the material [article] master Basic Data 1 screen. If the field is not visible, then follow the steps in the Configuration section below.

  • Configuration
    • Transaction OMSR
    • IMG: Logistics – General > Material Master > Field Selection > Assign Fields to Field Selection Groups
    • Click on the Field Name field selection button
    • Type MARA-BEGRU
    • Click Field Selection Maintenance icon to the right of the selection group number
    • Find Field Reference MM01 and MM02, and set to Required or Optional

Image06.jpg

     Screenshot 5: Field selection maintenance

  • Data dictionary information
    • Table MARA (General Material [Article] Data)
    • Field BEGRU (Authorization group in the material [article] master)
    • Data element BEGRU
    • Domain BEGRU

Step 1

Enter an authorization group for the material [article] in the Authorization group field of the Basic Data 1 screen

Step 2

Save material [article] master


Step 3

Repeat Steps 1 and 2, as needed

Step 4

Update authorizations for authorization group M_MATE_MAT

Setup Option 4: Various combinations of options above

❗ Using more than one option outlined above is allowed; however, this adds complexity. Be sure that the design is well documented and maintained as changes are made.

Appendix A: Sample matrix for material [article] type authorization groups

Image04.jpg

     Table 2: Sample matrix for authorization groups by material [article] type

Appendix B: Table TMBG

As described above, “Domain BEGRM includes value table TMBG (Material [Article] Master: Authorization Groups). This is a customizing table; however, it plays no role in the five authorization objects listed above. In addition, it is not used to provide a list of allowed values on screens where authorization group is used.”


All five authorization groups described in this document use the same authorization fields: ACTVT (Activity) and BEGRU (Authorization Group). As shown in the Screenshot 6 below, the BEGRU authorization field uses the BEGRU data element, and has no linkage to table TMBG. In addition, notice that there is no search help; therefore, clicking on the drop-down icon when adding values to the authorization group field when maintaining an authorization object will not show any values from TMBG or any other area (see Screenshot 7).


❗ Modifications to standard SAP are possible to change this behavior. If this is required, then proceed with caution.


Table TMBG is accessed from function module TMBG_SINGLE_READ, which is then accessed from function module MARA_BEGRU. Notice in Screenshot 8 the EXIT statement in MARA_BEGRU. This EXIT statement is always hit; therefore, the call to TMBG_SINGLE_READ (further down in MARA_BEGRU) will never be called.


Image07.jpg

     Screenshot 6: Authorization field setup for field BEGRU


Image08.jpg

     Screenshot 7: Adding values to field BEGRU; drop-down will not show any values


Image09.jpg

     Screenshot 8: EXIT in function module MARA_BEGRU

ℹ Information provided is based on IDES install of ECC 6.0 EhP 7

To report this post you need to login first.