Restrict Material Type Creation and Change in MM01 and MM02

In SAP ECC, a security requirement may arise to restrict the creation and changing of specific material types. When running an ST01 trace in, say, MM02, you may see that there are no back-end authorization checks for the specific material type.

ST01 Trace Showing No Material Type Check

There is, however, a field called “Authorization Group” that can be maintained in transaction MM02. In the material, I will enter “Test” in the authorization group field.

MM02 Authorization Group Field

Once the authorization group is populated with a value, you will notice that an authorization check now occurs on that field for this specific material.

ST01 Trace Showing "Test" Authorization Group

Making this authorization group field a required field can help with restricting the material type, but another issue arises. What is to stop a user from changing the authorization group to another value? Since the user has access to that material, the user can change the authorization group to any value he/she pleases, which would block other users from accessing the material.

Another issue is with the creation of the material. What is to stop a person from initially creating a material type he/she is not authorized to create? That user can create a different material type and simply put that material into an authorization group he/she has access to. This breaks the security requirements.

A solution to this is through configuration. In transaction OMS2, have the process team populate the “authorization group” field with a value for each material type they wish to restrict.

Enter authorization group value in OMS2

By entering a value here, an authorization check will occur on all materials classified under this material type, regardless of whether the authorization group field within the material (not OMS2) is populated. However, if a value is also populated within the specific material, two authorization checks will occur: one on the value in OMS2 and the other on the value in the material. If you do not want users entering the authorization group, you can hide the field within configuration.

Hope this helps.

– SAP Security Help


Tables to Find the BW Report and Query ID from Role Menu

When a BW report is assigned to a role, the actual query ID is not shown in the role menu. Even if you right-click to view the technical details of the specific report, it will not show the query ID for the BW report.

To find the query IDs of all reports assigned to a specific role, or to all roles in the BW system, you can find them by joining two tables via SE16.

Tables:
AGR_HIER – Table for Structure Information for Menu
RSRREPDIR – Directory of all reports

AGR_HIER Table Fields:
AGR_NAME – Role Name
SAP_GUID – Unique ID – 32 Characters

RSRREPDIR Table Fields:
GENUNIID – Internal display of the report identifier
COMPID – Name (ID) of reporting component

Join tables AGR_HIER and RSRREPDIR

Join the tables on the SAP_GUID and GENUNIID fields to obtain the query IDs for all reports assigned to a role.
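The join described above can also be done offline for a role review. This is an added example, not part of the original post: it assumes both tables were downloaded from SE16 as pipe-delimited text lists, and the role names, GUIDs and query IDs in the sample are constructed placeholders.

```python
from collections import defaultdict

# Constructed sample exports (placeholder roles, GUIDs and query IDs, not real data).
AGR_HIER_EXPORT = """\
-----------------------------------
|AGR_NAME    |SAP_GUID            |
-----------------------------------
|Z_BW_FIN    |GUID_PLACEHOLDER_001|
|Z_BW_FIN    |GUID_PLACEHOLDER_002|
|Z_BW_SALES  |GUID_PLACEHOLDER_002|
|Z_BW_SALES  |                    |
|Z_BW_SALES  |GUID_PLACEHOLDER_009|
"""
RSRREPDIR_EXPORT = """\
-----------------------------------------
|GENUNIID            |COMPID            |
-----------------------------------------
|GUID_PLACEHOLDER_001|ZQ_FIN_BALANCE    |
|GUID_PLACEHOLDER_002|ZQ_SALES_MARGIN   |
"""

def parse_export(text):
    """Parse a pipe-delimited list export (assumed layout) into dict rows."""
    header, rows = None, []
    for line in text.splitlines():
        if not line.startswith("|"):
            continue  # skip ruler lines and blank lines
        cells = [c.strip() for c in line.strip().split("|")[1:-1]]
        if header is None:
            header = cells  # first data line carries the field names
        else:
            rows.append(dict(zip(header, cells)))
    return rows

def queries_by_role(agr_hier, rsrrepdir):
    """Join AGR_HIER.SAP_GUID to RSRREPDIR.GENUNIID; return (role -> query IDs, unmatched)."""
    compid_by_guid = {r["GENUNIID"]: r["COMPID"] for r in rsrrepdir}
    matched, unmatched = defaultdict(set), []
    for row in agr_hier:
        guid = row["SAP_GUID"]
        if not guid:
            continue  # menu entry that carries no GUID value
        if guid in compid_by_guid:
            matched[row["AGR_NAME"]].add(compid_by_guid[guid])
        else:
            unmatched.append((row["AGR_NAME"], guid))  # no report in the RSRREPDIR export
    return {role: sorted(ids) for role, ids in matched.items()}, unmatched

if __name__ == "__main__":
    print(queries_by_role(parse_export(AGR_HIER_EXPORT), parse_export(RSRREPDIR_EXPORT)))
```

The second return value lists role menu entries whose GUID has no match in the report directory export, which are worth a manual look during a role review.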


Restrict Bank Information in MK02 and MK03

How can you hide and block bank information within SAP transactions MK02 and MK03?

If all users who use MK02 or MK03 are to be blocked from viewing or changing bank information within the “Payment Transactions” screen, this can be restricted through configuration. Current standard SAP authorization checks do not allow for restricting specific “check boxes” within MK02 and MK03. They only restrict based on the groupings of these check boxes: general data, purchasing data, company code data, etc.

To restrict all users from viewing bank information, have your functional team member use transaction OB23 to modify your field status groups and suppress the bank information. You can restrict it to display only or hide it entirely. Configuration changes made will be specific to the transactions. For example, modifying change vendor (purchasing), MK02, will affect neither MK03 nor the XK transactions (XK01, XK02, XK03) and FK transactions (FK01, FK02, FK03).
