Everything about OB52 authorization group
I am sure many of you know that in OB52 SAP provides the option to keep two sets of posting periods open at a time. The intention is to support month-end / year-end closing activities. With this function, the first set of periods can be closed for all end users while the second set stays open for specific users, so they can perform month-end / year-end activities smoothly. I am also sure that many of you don't know how to do this setup. How do you create an authorization group? How do you assign an authorization group to users? If you don't know the answers to these questions, keep reading.
Why are two sets of posting periods required in SAP FICO?
Let's consider one scenario to understand the importance of this second posting period with an authorization group. In many big organizations, month-end / year-end processes run as background jobs. Posting periods for the previous month are usually closed in the first five days of the new month. Suppose the posting period for Nov is closed on 4th Dec. Users keep posting transactions to the last posting period (Nov) until the very last moment of 4th Dec., and then the posting period is suddenly closed for everyone. The background jobs run at a specific time, so in this case they don't get time to settle the values newly posted on 4th December, and they start failing from the next day onwards.
This is a very typical and frequent scenario in many organizations, and it can be easily sorted out with the help of a special posting period with an authorization group.
How to set up an authorization group in OB52
If we check the authorization group field in OB52, there is no F4 (search help) button to select an authorization group.
This confirms that it is a freely definable field: the user can enter any 4-digit alphanumeric key as the authorization group.
Here I have entered AE00 as the authorization group for my company code. (We will come back to this part later.)
SAP provides one authorization object to control posting periods: F_BKPF_BUP (Accounting Document: Authorization for Posting Periods). In this object we enter our authorization group, i.e. AE00 (the same text entered in OB52).
This authorization object F_BKPF_BUP is then assigned to a security role.
And the security role is assigned to users. (We will also see this on SAP screens in a few seconds.)
Let's understand this with the diagram below:
From the above diagram, we have seen how to create an authorization group in OB52. Now we will see how to assign the authorization object to security roles.
How to assign the authorization object to roles?
Here we have to ask the security team to create a role with the list of MEC/YEC transaction codes, or whatever transaction codes the user will be performing.
We will ask the Basis team to assign authorization object F_BKPF_BUP, with authorization group AE00, to the newly created security role.
The Basis team will assign this object F_BKPF_BUP in transaction PFCG.
In the above screen we can see that the authorization group is entered in the authorization object and that the object is assigned to security role ZABC_POPS.
We need Basis help to perform this activity, but it is also important for a functional consultant to know the end-to-end process.
We can have different authorization groups for different users, for different tcodes, etc.; it will just increase the number of security roles.
How to find which users have authorization to post in the special posting period? Or
How to check which users the OB52 authorization group is assigned to?
This is actually a tricky and frequently asked question. Creating an authorization group, assigning it to roles and then to users is straightforward, but here we will see how to reverse engineer the process.
Below are the steps to find the users who have the authorization group:
We have the authorization group AE00, and we know the authorization object is F_BKPF_BUP.
First we will find the roles that have authorization object F_BKPF_BUP.
Go to transaction code SUIM.
Select roles by authorization object.
Enter the authorization object and the value; in our case we want to search for AE00.
We will be presented with the list of roles that have the above authorization object:
Now we have to see which users are assigned to these roles; they should be able to use the second set of posting periods.
To do so, go to transaction code SUIM and search users by role.
Execute it.
Enter all the roles and execute it.
And here we go with the list of users who have authorization to post accounting documents in the second set of posting periods.
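The two SUIM lookups above amount to a join between role authorization values and role assignments. The following is an added example, not part of the original post, that runs that join in Python over constructed rows laid out like exports of tables AGR_1251 and AGR_USERS; the row layout and every role and user name except ZABC_POPS are assumptions. It goes slightly beyond the exact-value search by also counting `*`, prefix and range values that cover AE00, and by skipping expired role assignments.

```python
from datetime import date

OBJECT, FIELD = "F_BKPF_BUP", "BRGRU"  # BRGRU = authorization group field

# Constructed sample data; the row layout is an assumption modeled on exports
# of AGR_1251 / AGR_USERS. Only ZABC_POPS and AE00 come from the post.
ROLE_AUTHS = [  # (role, object, field, low, high)
    ("ZABC_POPS",     "F_BKPF_BUP", "BRGRU", "AE00", ""),
    ("ZFI_CLOSE_ALL", "F_BKPF_BUP", "BRGRU", "*",    ""),
    ("ZFI_RANGE",     "F_BKPF_BUP", "BRGRU", "AA00", "AZ99"),
    ("ZFI_OTHER",     "F_BKPF_BUP", "BRGRU", "BX00", ""),
    ("ZFI_DISPLAY",   "F_BKPF_BUK", "BUKRS", "AE00", ""),
]
FOREVER = date(9999, 12, 31)
USER_ROLES = [  # (user, role, valid_from, valid_to)
    ("ALICE", "ZABC_POPS",     date(2024, 1, 1), FOREVER),
    ("BOB",   "ZABC_POPS",     date(2023, 1, 1), date(2023, 12, 31)),
    ("CAROL", "ZFI_CLOSE_ALL", date(2024, 1, 1), FOREVER),
    ("DAVE",  "ZFI_OTHER",     date(2024, 1, 1), FOREVER),
    ("ERIN",  "ZFI_RANGE",     date(2024, 1, 1), FOREVER),
]

def match_kind(low, high, wanted):
    """Return how a stored value covers `wanted`, or None if it does not."""
    if high:  # LOW..HIGH interval (plain string order, a simplification)
        return "range" if low <= wanted <= high else None
    if low.endswith("*"):  # '*' alone or a prefix pattern such as 'AE*'
        return "wildcard" if wanted.startswith(low[:-1]) else None
    return "exact" if low == wanted else None

def roles_granting(auth_group):
    """Step 1: roles whose F_BKPF_BUP value covers the authorization group."""
    found = {}
    for role, obj, field, low, high in ROLE_AUTHS:
        kind = match_kind(low, high, auth_group) if (obj, field) == (OBJECT, FIELD) else None
        if kind:
            found[role] = kind
    return found

def users_with_group(auth_group, on_date):
    """Step 2: users holding one of those roles with a valid assignment."""
    roles, users = roles_granting(auth_group), {}
    for user, role, start, end in USER_ROLES:
        if role in roles and start <= on_date <= end:
            users.setdefault(user, []).append(role)
    return users

if __name__ == "__main__":
    print(roles_granting("AE00"), users_with_group("AE00", date(2024, 6, 1)))
```

Roles reported as "wildcard" or "range" are the ones an exact search for AE00 would not show by value, so they deserve a second look during a period-close access review.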
Conclusion
This is a useful technique that can be used across modules in SAP. Hope you enjoyed the post.
What we learned in this blog post:
- Two sets of posting periods in OB52
- Authorization group setup in OB52
- Assignment of authorization object to roles
- Check OB52 authorization group assigned to which users