G/L Account Authorization

Question: I am exploring security at G/L account level - NOT G/L authorization group - so that I could specify the G/L range.

It does not seem to be working as I expected during my test, though. Here's what I did:
1. SU20 --- Authorization field = ZGL, Data Element = SAKNR, Table = SKA1
2. SU21 --- Object Class = ZFGL, Object = ZFI_GL, AuthFields = ZGL, ACTVT (01,02,03...) --- Regenerated SAP_ALL
3. SU01 --- Created a sample user
4. PFCG --- Created a role defining GL-relevant TCodes such as FB01, FS10N, FBL3N, FS00 --- Maintained the profiles as usual --- Manually added AuthObj ZFI_GL and maintained the ranges of G/L, i.e. 100000-199999
5. I logged on using the sample user and tested FB01. Entered G/L 100100 and I got the message 'You are not authorized to this account'. Same result when I entered G/L 700000. But G/L 300100 is ok.

Did I follow the steps correctly? We are in 46c.

Thanks for any input.

Answer:
If you have not included an authorisation check in the ABAP code then creating a custom object will do absolutely nothing.

The auth failures that you are getting will be from existing SAP standard auth object restrictions that are in place.
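
The point made in the answer above, as an added example that is not part of the original thread: the ZGL range maintained in PFCG is evaluated only when a program issues an AUTHORITY-CHECK against ZFI_GL. The report name, selection screen and variable names are hypothetical; the object and field names are the ones created in SU20/SU21 in the question.

```abap
REPORT zfi_gl_auth_demo.
* Added example, not SAP standard code and not code from the thread.
* Assumes custom object ZFI_GL with fields ZGL and ACTVT as defined
* in the question. Written without inline declarations for 4.6C.
TABLES ska1.

PARAMETERS p_ktopl LIKE ska1-ktopl OBLIGATORY.
SELECT-OPTIONS s_saknr FOR ska1-saknr.

DATA: BEGIN OF gt_acct OCCURS 0,
        saknr LIKE ska1-saknr,
      END OF gt_acct.
DATA gv_denied TYPE i.

START-OF-SELECTION.
  SELECT saknr FROM ska1 INTO TABLE gt_acct
         WHERE ktopl = p_ktopl
           AND saknr IN s_saknr.

  LOOP AT gt_acct.
*   Without this statement the kernel never looks at ZFI_GL, no
*   matter what the role contains. Authorization values are compared
*   as character strings, so the value passed here (SAKNR in its
*   stored format) must match the format maintained in the role.
    AUTHORITY-CHECK OBJECT 'ZFI_GL'
             ID 'ZGL'   FIELD gt_acct-saknr
             ID 'ACTVT' FIELD '03'.
    IF sy-subrc <> 0.
*     Not authorized for display: drop the account, count the denial.
      gv_denied = gv_denied + 1.
      DELETE gt_acct.
    ENDIF.
  ENDLOOP.

  LOOP AT gt_acct.
    WRITE: / gt_acct-saknr.
  ENDLOOP.
  IF gv_denied > 0.
    WRITE: / gv_denied, 'account(s) hidden: no ZFI_GL authorization'.
  ENDIF.
```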

Answer:
Thanks Al.

I am exploring a possibility where I can implement G/L security other than using the standard G/L authorization groups.

The target is to control some accounts defined by the client as 'sensitive'. SKA1-BRGRU is kinda complex to implement post-productively (all roles were defined with BRGRU set to * ). Implementing a BTE (Business Transaction Event) is okay as far as posting documents is concerned. The issue is the standard G/L display functions, i.e. FS10N and FBL3N. I might just copy and modify these standard programs and implement the authorization using the custom authorization object - as a workaround.

Gracias!
Copyright © 2007 - 2008 www.jt77.com