Restrict Material Type Creation and Change in MM01 and MM02

In SAP ECC, a security requirement may arise to restrict the creation and changing of specific material types. When you run an ST01 trace in, say, MM02, you may see that there are no back-end authorization checks for the specific material type.

ST01 Trace Showing No Material Type Check


There is, however, a field called “Authorization Group” that can be maintained in transaction MM02. In the material, I will enter “Test” in the authorization group field.

MM02 Authorization Group Field


Once the authorization group is populated with a value, you will notice that an authorization check now occurs on that field for this specific material.


ST01 Trace Showing "Test" Authorization Group

Making this authorization group field a required field can help with restricting the material type, but another issue arises. What is to stop a user from changing the authorization group to another value? Since the user has access to that material, the user can change the authorization group value to whatever he/she pleases, which would block other users from accessing the material.

Another issue is with the creation of the material. What is to stop a person from initially creating a material type he/she is not authorized to create? That user can create a different material type and simply put that material into an authorization group he/she has access to. This breaks the security requirements.

A solution to this is through configuration. In transaction OMS2, have the process team enter a value in the “authorization group” field for each material type they wish to restrict.


Enter authorization group value in OMS2

By entering a value here, an authorization check will occur on all materials classified under this material type, regardless of whether the authorization group field within the material (not OMS2) is populated. However, if a value is populated within the specific material, two authorization checks will occur: one on the value in OMS2 and the other on the value in the material. If you do not want users entering the authorization group, you can hide the field within configuration.
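
The check behaviour described above, as a simplified model (an added example, not SAP code and not part of the original post). The material type `ZRES`, the group `ZR01`, the users and all function names are constructed for illustration; only the authorization-group checks are modelled.

```python
# Simplified model of the authorization-group checks discussed in this post.
# Not SAP code: every name and value below is constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    type_groups: set = field(default_factory=set)      # groups granted for OMS2 values
    material_groups: set = field(default_factory=set)  # groups granted for the material field


def checks_fired(oms2, material_type, material_group=""):
    """Return the authorization-group checks that run for one material."""
    checks = []
    if oms2.get(material_type):          # value maintained for the type in OMS2
        checks.append(("type", oms2[material_type]))
    if material_group:                   # value maintained in the material itself
        checks.append(("material", material_group))
    return checks


def is_allowed(user, oms2, material_type, material_group=""):
    """Grant access only if the user holds every group that is checked."""
    for level, group in checks_fired(oms2, material_type, material_group):
        granted = user.type_groups if level == "type" else user.material_groups
        if group not in granted:
            return False
    return True


def demo():
    bob = User("bob", material_groups={"TEST"})   # not meant to touch ZRES
    alice = User("alice", type_groups={"ZR01"}, material_groups={"TEST"})
    no_oms2 = {}                                  # OMS2 field left empty
    with_oms2 = {"ZRES": "ZR01"}                  # OMS2 field maintained
    return {
        # Gap: bob creates a ZRES material and assigns a group he already holds.
        "bob_without_oms2": is_allowed(bob, no_oms2, "ZRES", "TEST"),
        # The type-level check now fires and bob lacks ZR01.
        "bob_with_oms2": is_allowed(bob, with_oms2, "ZRES", "TEST"),
        # The check fires even when the material's own field is empty.
        "bob_blank_material_group": is_allowed(bob, with_oms2, "ZRES"),
        # Two checks fire for a material that also carries its own group.
        "two_checks": checks_fired(with_oms2, "ZRES", "TEST"),
        "alice_with_oms2": is_allowed(alice, with_oms2, "ZRES", "TEST"),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario}: {result}")
```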

Hope this helps.

– SAP Security Help
