Use of authorization group in materials management master data
Authorization Group
The four-character authorization group provides another level of protection to objects beyond permitted activities (e.g., create, change, display, delete). To carry out an action against an object with authorization group requires a user to have a role with maintained values for the combination of activity and authorization group.
ℹ While authorization group functionality is the same in retail, terminology can differ. Differences are shown in brackets [ ]. E.g., material [article].
Use
In materials [articles] management master data, authorization group is checked with five (5) authorization objects:
- M_MATE_MAR (Material [Article] Types)
- M_MATE_WGR (Material Groups [Merchandise Categories])
- M_MATE_MAT (Materials [Articles])
- M_MATE_CHG (Batches/Trading Units)
- M_MATE_CHP (Batch Record)
When performing authority checks against the above authorization objects, a value for data element BEGRU (Authorization Group) is found in the below locations:
| Authorization Object | Table | Field |
|---|---|---|
|
M_MATE_MAR |
T134 | BEGRU |
|
M_MATE_WGR |
T023 | BEGRU |
|
M_MATE_MAT |
MARA | BEGRU |
|
M_MATE_CHG |
MARA | BEGRU |
|
M_MATE_CHP |
MARA | BEGRU |
Table 1: Authorization object to table/field mapping
Prerequisites
- Gather information from the business on their security requirement(s) with regards to material [article] master and/or batch records
- Determine if authorization groups will be a solution for the requirement(s). If yes, then proceed.
- Work with your SAP security administrator to understand existing activities that users have access to with regard to material [article] master and/or batch records
- Based on the business requirements and input from the security admin, put together a design that covers the following, as needed:
- Configuration
- Development
- Master data
- Role maintenance / authorization objects
ℹ Appendix A shows a simple example of a matrix that might be used for authorization groups at a material [article] type level. A similar matrix could be used for material groups [merchandise categories] or materials [articles].
Setup
Authorization groups can be directly assigned to material [article] types and material groups [merchandise categories] through configuration, and materials [articles] through maintenance of the material [article] master. Batches rely on the authorization group assigned to the material [article] master.
ℹ One-time configuration may be needed to make authorization group visible on the material [article] master screen. This is covered in the Materials [Articles] section.
Setup Option 1: Material [Article] Type
A required field in material [article] creation that groups materials [articles] together. Its configured attributes control how a [an] material [article] assigned to it is used. E.g., whether a [an] material [article] will have internal or external number assignment, if the material [article] is configurable, what sections (“user departments”) will be shown, how valuation will be determined, etc.
Authorization Group Assignment
Assignment of an authorization group to material [article] type is done through configuration
- Configuration options
-
Transaction OMS2 – double-click on material [article] type
-
Transaction SM34 – View cluster MTART (Maintain material [article] types)
-
IMG: Logistics – General > Material Master > Basic Settings > Material Types > Define Attributes of Material [Article] Types
-
- Data dictionary information
- Table T134 (Material [Article] types)
- Field BEGRU (Authorization group in the material [article] master)
- Data element BEGRM
- Domain BEGRM
❗ Domain BEGRM includes value table TMBG (Material [Article] Master: Authorization Groups). This is a customizing table; however, it plays no role in the five authorization objects listed above. In addition, it is not used to provide a list of allowed values on screens where authorization group is used. See Appendix B for more information on this topic.
Step 1
Enter an authorization group for the material [article] type in the Authorization group field
Screenshot 1: Material [article] type configuration
Step 2
Repeat Step 1, as needed
❗ Determine if unused material [article] types should be left blank or assigned an authorization group (e.g., Z999) that will not be used in role maintenance. (See Caution below for further information.)
Step 3
Save this configuration
Step 4
Update authorizations for authorization group M_MATE_MAR
Here is an example of a role that has only display access to material [article] types with authorization group Z001, but full access to material [article] types with authorization group Z002.
Screenshot 2: Role maintenance – setting values for M_MATE_MAR authorization object
❗ Caution: Material [Article] types with no authorization group will skip the M_MATE_MAR authority check. (The highlighted code below shows the authority check function only being called if BEGRU is provided.) The same is true for the others… A material group [merchandise category] with no authorization group will skip M_MATE_WGR. A material [article] with no authorization group will skip M_MATE_MAT, M_MATE_CHG, and M_MATE_CHP.
Screenshot 3: READ_MATERIALTYPE
Setup Option 2: Material Group [Merchandise Category]
A field in material [article] creation that allows for the grouping of materials [articles] with similar attributes. E.g., software, hardware, etc.
Authorization Group Assignment
Assignment of an authorization group to a material group [merchandise category] is done through configuration
- Configuration options
- Transaction OMSF
- Transaction SM30 – Maintenance view V023 (Material groups [Merchandise Categories])
- IMG: Logistics – General > Material Master > Settings for Key Fields > Define Material Groups [Define Merchandise Categories]
- Data dictionary information
- Table T023 (Material groups [Merchandise categories)
- Field BEGRU (Authorization group in the material [article] master)
- Data element BEGRU
- Domain BEGRU
Step 1
Enter an authorization group for the material group [merchandise category] in the Authorization group field
Screenshot 4: Material group [Merchandise category] configuration
Step 2
Repeat Step 1, as needed
❗ Determine if unused material groups [merchandise categories] should be left blank or assigned an authorization group (e.g., Z999) that will not be used in role maintenance.
Step 3
Save this configuration
Step 4
Update authorizations for authorization group M_MATE_WGR
Setup Option 3: Materials [Articles]
Alphanumeric key uniquely identifying a [an] material [article]
Authorization Group Assignment
Assignment of an authorization group to materials [articles] is done through the material [article] master.
ℹ A new SAP install has Authorization Group hidden on the material [article] master Basic Data 1 screen. If the field is not visible, then follow the steps in the Configuration section below.
- Configuration
- Transaction OMSR
- IMG: Logistics – General > Material Master > Field Selection > Assign Fields to Field Selection Groups
- Click on the Field Name field selection button
- Type MARA-BEGRU
- Click Field Selection Maintenance icon to the right of the selection group number
- Find Field Reference MM01 and MM02, and set to Required or Optional
Screenshot 5: Field selection maintenance
- Data dictionary information
- Table MARA (General Material [Article] Data)
- Field BEGRU (Authorization group in the material [article] master)
- Data element BEGRU
- Domain BEGRU
Step 1
Enter an authorization group for the material [article] in the Authorization group field of the Basic Data 1 screen
Step 2
Save material [article] master
Step 3
Repeat Steps 1 and 2, as needed
Step 4
Update authorizations for authorization group M_MATE_MAT
Setup Option 4: Various combinations of options above
❗ Using more than one option outlined above is allowed; however, this adds complexity. Be sure that the design is well documented and maintained as changes are made.
Appendix A: Sample matrix for material [article] type authorization groups
Table 2: Sample matrix for authorization groups by material [article] type
Appendix B: Table TMBG
As described above, “Domain BEGRM includes value table TMBG (Material [Article] Master: Authorization Groups). This is a customizing table; however, it plays no role in the five authorization objects listed above. In addition, it is not used to provide a list of allowed values on screens where authorization group is used.”
All five authorization groups described in this document use the same authorization fields: ACTVT (Activity) and BEGRU (Authorization Group). As shown in the Screenshot 6 below, the BEGRU authorization field uses the BEGRU data element, and has no linkage to table TMBG. In addition, notice that there is no search help; therefore, clicking on the drop-down icon when adding values to the authorization group field when maintaining an authorization object will not show any values from TMBG or any other area (see Screenshot 7).
❗ Modifications to standard SAP are possible to change this behavior. If this is required, then proceed with caution.
Table TMBG is accessed from function module TMBG_SINGLE_READ, which is then accessed from function module MARA_BEGRU. Notice in Screenshot 8 the EXIT statement in MARA_BEGRU. This EXIT statement is always hit; therefore, the call to TMBG_SINGLE_READ (further down in MARA_BEGRU) will never be called.
Screenshot 6: Authorization field setup for field BEGRU
Screenshot 7: Adding values to field BEGRU; drop-down will not show any values
Screenshot 8: EXIT in function module MARA_BEGRU
ℹ Information provided is based on IDES install of ECC 6.0 EhP 7