Business Partner Authorization Tips and Tricks
In the spirit of helping customers with their move to SAP S/4HANA and to the Business Partner, I have often found myself being asked many questions regarding the authorization side of the Business Partner and how to tackle it.
Based on that I compiled a short guide on how to approach these Business Partner authorization questions, together with some useful scenarios.
Kindly seek the help and guidance of your security consultant when creating and generating new roles, as if this activity is not done and tested correctly it can have grave consequences.
First let’s start with the roles, but before we do that I would like to point out that the screenshots shown below are of template roles and standard SAP fields. Please extrapolate to your own unique scenarios.
- Go to transaction PFCG
- Go on the Role field and press F4
- On the “Roles” tab type in *Business*
- Select a role like “SAP_CA_BP_DISPLAY_FS” and now click on Display
- Go to the “Authorizations” tab and click on Display Authorization Data
- From here we can see Object class and all the Authorization Objects we need
From a logic perspective, if this role is assigned to a user it only allows display access when that user opens the BP transaction, and that is based on a multitude of objects that carry the value Display:
For details on each individual object please see the link below:
We have now covered the foundation upon which we will build roles for our unique situations, and for that I made up some likely scenarios below:
- I want to have separate roles for my Customer Team and my Vendor team
In order to achieve this we will use the template role above and create 6 additional roles: 3 for the Customer Team (admin, change and display) and 3 for the Vendor Team (admin, change and display).
Once the roles are created we go into the authorization object B_BUPA_RLT and maintain custom values:
For the Customer Display role we restrict the BP Role values to 000000, FLCU01 and FLCU00 with the activity Display.
For the Customer Change and Customer Admin roles we restrict the BP Role values to 000000, FLCU01 and FLCU00 with the activity Change or Create, depending on the role.
The same process is applied for the Vendor Team, but instead of FLCU01 and FLCU00 we use FLVN01 and FLVN00, and of course different activity types based on each specific role.
- Besides the roles for each team I need certain fields to behave differently depending on who is viewing it
For this activity we will use the authorization object B_BUPA_FDG together with a customizing activity under SPRO->Cross Application Component->SAP Business Partner->Business Partner->Basic Settings->Authorization Management->Define Field Groups Relevant to Authorizations
For the exercise at hand I have defined field group 9, which is Bank Details, as I want these fields to be visible only for the Create and Change roles created above and hidden for the Display role.
With the customizing done, let’s now adjust the Customer Display role under the B_BUPA_FDG object with the following setting:
This setting excludes field group 9 (Bank Details) from the fields available for display to a user holding the Customer Display role.
- I have specific Business Partner/Account Group that I do not want certain employees to touch, as I have a specific team which handles that specific account group
This scenario is even trickier as it involves customizing, master data and authorization change.
Let’s first start with the customizing, for which we go to SPRO->Cross Application Component->SAP Business Partner->Business Partner->Basic Settings->Authorization Management->Maintain Authorization Groups
Now we create an Authorization Group such as “TEST”, as seen below, and save our work.
Now we move to the master data part, in which we choose our “specific” Business Partner and change the field AUGRP (on the Control tab of the Business Partner, under the Control Parameters view) to the value “TEST”:
For this exercise we change just one BP, but for an entire account group you can use the MASS transaction to change the field on multiple BPs at once.
The last piece of the puzzle is to change the authorization on our role, on the B_BUPA_GRP object:
With the change above, a user with the Display role will only be able to see Business Partners that do not carry the TEST authorization group.
- If you also want to limit the F4 search help when searching for a specific Business Partner please read and implement the note: https://launchpad.support.sap.com/#/notes/2441447
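As an added example that is not part of the original post, the custom ABAP report below runs the same three authorization checks for a single Business Partner under the logged-on user, so the restrictions from the three scenarios above can be verified for a test user in one place. It assumes the authorization field names BEGRU, RLTYP and FLDGR on the objects B_BUPA_GRP, B_BUPA_RLT and B_BUPA_FDG, the tables BUT000 (field AUGRP) and BUT100 (field RLTYP) as the source of the BP’s authorization group and roles, and that field group 9 from the customizing step is keyed as '009'; the report name ZBP_AUTH_DEMO is made up.

```abap
*&---------------------------------------------------------------------*
*& ZBP_AUTH_DEMO - added example, not from the original post.
*& Runs the three Business Partner authorization checks (authorization
*& group, BP role, field group) for one BP under the logged-on user.
*& Assumptions: BUT000-AUGRP holds the BP authorization group,
*& BUT100-RLTYP holds the assigned BP roles, the object fields are
*& BEGRU / RLTYP / FLDGR, and '009' is field group 9 (Bank Details).
*&---------------------------------------------------------------------*
REPORT zbp_auth_demo.

PARAMETERS p_partnr TYPE but000-partner OBLIGATORY.

CONSTANTS: gc_display TYPE c LENGTH 2 VALUE '03',  " activity Display
           gc_fg_bank TYPE c LENGTH 3 VALUE '009'. " field group 9 (assumed key format)

DATA: lv_augrp TYPE but000-augrp,
      lt_rltyp TYPE TABLE OF but100-rltyp,
      lv_text  TYPE c LENGTH 80.

" Read the BP header to get its authorization group (field AUGRP).
SELECT SINGLE augrp FROM but000
  WHERE partner = @p_partnr
  INTO @lv_augrp.
IF sy-subrc <> 0.
  MESSAGE 'Business Partner not found' TYPE 'E'.
ENDIF.

" Scenario 3: authorization group (B_BUPA_GRP). A role whose BEGRU
" values exclude TEST fails here for every BP carrying TEST in AUGRP.
AUTHORITY-CHECK OBJECT 'B_BUPA_GRP'
  ID 'BEGRU' FIELD lv_augrp
  ID 'ACTVT' FIELD gc_display.
IF sy-subrc <> 0.
  lv_text = |No display authorization for authorization group { lv_augrp }|.
  MESSAGE lv_text TYPE 'E'.
ENDIF.

" Scenario 1: BP role (B_BUPA_RLT), checked once per role the BP has.
" The Customer Display role only passes for 000000, FLCU00 and FLCU01.
SELECT rltyp FROM but100
  WHERE partner = @p_partnr
  INTO TABLE @lt_rltyp.
LOOP AT lt_rltyp INTO DATA(lv_rltyp).
  AUTHORITY-CHECK OBJECT 'B_BUPA_RLT'
    ID 'RLTYP' FIELD lv_rltyp
    ID 'ACTVT' FIELD gc_display.
  IF sy-subrc = 0.
    lv_text = |BP role { lv_rltyp }: display allowed|.
  ELSE.
    lv_text = |BP role { lv_rltyp }: display NOT allowed|.
  ENDIF.
  WRITE / lv_text.
ENDLOOP.

" Scenario 2: field group (B_BUPA_FDG). With field group 9 excluded
" from the Customer Display role, the Bank Details fields stay hidden.
AUTHORITY-CHECK OBJECT 'B_BUPA_FDG'
  ID 'FLDGR' FIELD gc_fg_bank
  ID 'ACTVT' FIELD gc_display.
IF sy-subrc = 0.
  WRITE / 'Field group 009 (Bank Details): display allowed'.
ELSE.
  WRITE / 'Field group 009 (Bank Details): hidden for this user'.
ENDIF.
```

Run it under the test user once for a BP with the TEST authorization group and once for a BP without it: an error message or a “NOT allowed” line shows which of the three objects blocks access, which matches the one-user, one-activity testing approach recommended below.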
Please take the above as just an example of what can be done. Certain situations and scenarios may require a combination of different aspects, but with the above information as a baseline I am sure you will be able to combine field groups, authorization groups and roles to best suit your needs.
Another important point when tackling roles and authorizations is to test one specific activity under one user. That means you work your way up from scenario 1 to 3 and beyond, testing and validating each part of the process.
Do not start customizing a role with multiple authorizations on it, as you may find yourself spending days on an activity that can be accomplished in minutes: roles can overwrite each other and you will be back to square one.
Hope you liked the ideas plus the tips and tricks above.
As usual thank you and see you later.
Thank you very much for giving all the details.
Just stumbled across this, great detail and easy to follow. Very helpful article, thanks for sharing Dorin!
I would need more detailed information. I should be able to not display any support teams no longer used in ITSM, but without deleting anything at the level of BP etc.
Can it be done?
We are using the HCM integration for our customer and we are running the following reports as daily jobs:
After first running these reports in order to synchronize employee data to business partner data, 2 new business partners are created (1 as BP employee, 1 as BP employment + vendor). These BPs are assigned to separate BP groupings.
The customer wishes that these business partners synchronized from employees automatically receive the value 0002 (visibility very restricted) in the field "authorization group", so that only the HR users are able to see these BPs; this we have already covered in the authorization concept by managing the object B_BUPA_GRP.
I couldn't figure out how to fill in automatically the field "authorization group" with the value 0002 when running the synchronization reports. I have tried with MASS transaction, but I need a viable solution for the productive system that should also run as a job.
You can add this via development in the class /SHCM/B_EE_BP_SYNC, method "MODIFY_ALL", which is called by report /SHCM/RH_SYNC_BUPA_FROM_EMPL during BP creation/update.
You have to update the parameter CS_BP_DATA with the required value in the field "authorization group".