In SAP ECC, a security requirement may arise to restrict who can create and change specific material types. When running an ST01 trace in, say, MM02, you may see that there are no back-end authorization checks for the specific material type.
There is, however, a field called “Authorization Group” that can be maintained in transaction MM02. In the material, I will enter “Test” in the authorization group field.
Once the authorization group is populated with a value, you will notice that an authorization check now occurs on that field for this specific material.
Making this authorization group field a required field can help with restricting the material type, but another issue arises: what is to stop a user from changing the authorization group to another value? Since the user has access to that material, the user can change the authorization group value to whatever he/she pleases, which would block other users from accessing the material.
Another issue is with the creation of the material. What is to stop a person from initially creating a material type he/she is not authorized to create? That user can create a different material type and simply put that material into an authorization group he/she has access to. This breaks the security requirements.
A solution to this is through configuration. In transaction OMS2, have the process team populate a value in the “authorization group” field for each material type they wish to restrict.
By entering a value here, an authorization check will occur on all materials classified under this material type, regardless of whether the authorization group field within the material (not OMS2) is populated. However, if a value is also populated within the specific material, two authorization checks will occur: one against the value in OMS2 and the other against the value in the material. If you do not want users entering the authorization group, you can hide the field within configuration.
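The check behaviour described above, modelled in Python as an added example (not SAP code and not part of the original post). It shows why the material-level field alone leaves the create and change gaps, and how the OMS2 value closes them. The material type `ZRES`, the group names and the two users are constructed, and the rule that each check runs only when its group is populated is taken from the post's description.

```python
from dataclasses import dataclass, field

@dataclass
class Material:
    mtype: str             # material type
    auth_group: str = ""   # "Authorization Group" field on the material itself

@dataclass
class User:
    material_groups: set = field(default_factory=set)  # groups granted for the material-level check
    type_groups: set = field(default_factory=set)      # groups granted for the material-type check

def may_maintain(user, material, oms2):
    """oms2 maps material type -> authorization group configured in OMS2.
    Simplified model: each check runs only when its group is populated."""
    type_group = oms2.get(material.mtype, "")
    if type_group and type_group not in user.type_groups:
        return False
    if material.auth_group and material.auth_group not in user.material_groups:
        return False
    return True

def scenarios():
    # Constructed sample data: ZRES is the type the business wants restricted.
    clerk = User(material_groups={"TEST"})                           # must not touch ZRES
    planner = User(material_groups={"PLAN"}, type_groups={"RESTR"})  # owns ZRES
    results = {}

    no_config = {}                                   # OMS2 authorization group left empty
    owned = Material("ZRES", auth_group="PLAN")
    results["field_only_blocks_clerk"] = not may_maintain(clerk, owned, no_config)
    # Gap on create: the clerk assigns a group the clerk already holds.
    created = Material("ZRES", auth_group="TEST")
    results["clerk_creates_restricted_type"] = may_maintain(clerk, created, no_config)
    # Gap on change: a group value the owner lacks locks the owner out.
    results["planner_locked_out"] = not may_maintain(planner, created, no_config)

    configured = {"ZRES": "RESTR"}                   # OMS2 authorization group populated
    results["clerk_blocked_by_type"] = not may_maintain(clerk, created, configured)
    # Both checks run when the material field is also populated.
    results["planner_needs_both"] = (not may_maintain(planner, created, configured)
                                     and may_maintain(planner, owned, configured))
    # Field hidden or empty: only the type-level check decides.
    results["planner_empty_field"] = may_maintain(planner, Material("ZRES"), configured)
    return results

if __name__ == "__main__":
    for name, value in scenarios().items():
        print(f"{name}: {value}")
```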
Hope this helps.
– SAP Security Help