How to maintain OB52 authorizations?

Leave a Comment / SAP Security / By

In the FI module, functional team members can use OB52 to maintain the Posting periods. So when they execute OB52, a pop-up appears to provide the “Posting period variant”. If we do not enter any value here and click on continue, It will allow us to maintain posting periods for all the company codes. Even if we don’t have the access to those other company codes.

OB52 Posting periods

But in an ideal scenario, Production users should only be able to see the variants for a particular company code. In order to achieve this, please follow the below steps

Implement corrections and SPRO configuration

Check if note 2421622 is applicable for your system and implement it. Other wise proceed, with the SPRO configuration.

Execute SPRO and follow path SAP Netweaver –> Application Server –> System Administration –> Users and Authorizations –> Line-oriented Authorizations
Execute “Define organization criteria”

SPRO config to define organization criteria

Create New Entry with Org. crit. as ZT001B and Org. name “Authorization for OB52

Then double click on “Attributes” and enter details as below

Then double click on “Table Fields” and maintain View/table as “V_T001B” or “T001B” and Field Name “BUKRS”. Save and create a new transport request to capture the SPRO configurations.

Go back and execute “Activate organizational criteria“. Select “Activ” if not already activated and click on Save.

Activate Organization criteria ZT001B

Maintain SU24 for OB52

Execute SU24 transaction and enter OB52 as “Transaction Code”.

SU24 main screen

Click on “Edit” button and Object –> Add Authorization Object

Add S_TABU_LIN

Authoirzation Object S_TABU_LIN

Maintain Actvt as 02(Change) and 03 (Display). Save and capture the changes in a transport request.

Maintain Roles (PFCG) containing OB52

Now open all the roles containing OB52 using PFCG transaction and generate the Authorization profiles. Enter ZT001B as Organization criterion and Company Code for which the user needs access to. Once done, click on “Transfer” icon in the bottom right.

Maintain Authorization Profile for role via PFCG

Save the changes and click on “Generate” icon,

Testing

Now login with the user having this role and execute OB52. You will now only see the Posting Periods for 0001 Variant.

Restricted OB52 screen

Related Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top