All releases of R/3 and ECC have standard functionality that allows a limited number of users to post to the previous period while blocking postings by unauthorized users. This functionality, which involves the use of authorization groups, is needed because accounting periods are typically left open for posting to the previous period for several days, depending on the type of business transaction:

1. Normal business transactions such as posting a sales order or an invoice are usually posted in the current calendar period. Most users are not allowed to post to the previous calendar period, with the exception of a few power users.

2. Period close transactions, such as cost center assessment and order settlement, need to wait until all normal postings are complete, and run typically in the first couple of days of the next month. A dedicated team usually handles these transactions, often covered by specific authorization roles containing access to the appropriate transactions.

3. Correction postings for errors and manual provisions and accruals are generally posted last, before the period is considered finally closed. Typically, only a select group of users is allowed to carry out these postings.

You could manually open the previous period using settings and manually change the settings when the postings are finished by the select group of users carrying out business transaction types 2 and 3. However, this option is time-consuming and you risk allowing accidental postings to the previous period by unauthorized users.

The authorization functionality streamlines the process and ensures that only the selected users can make changes. I will show you an example of an implemented authorization group and explain how to add authorized groups for period close.

Example of an Authorization Group

Enter an authorization group in the AuGr column of transaction OB52 (open and close periods). You may also use menu path Accounting>Financial Accounting>General Ledger>Environment>Current Settings>Open and Close Posting Periods. In Figure 1, you can see that previous period 4 in fiscal year 2006 is available only to users in authorization group 0001. That is, only members of authorization group 0001 may post from period 4 (previous period) during period 5 (current period). Authorization group 0001 refers only to the From per.1 column, not the From per.2 column. The From per.2 column defines posting periods available for users not included in authorization group 0001. The authorization group can only be entered in rows with account type + (second column in Figure 1). For more information about numbering options for authorization groups, refer to the sidebar, "Authorization Group Numbering Options."

Figure 1

Restriction with authorization group 0001 for posting to previous period 4

In my example, when users without authorization group 0001 in their profiles attempt to post to previous period 4, they receive the error message shown in Figure 2. These users are blocked from posting to the previous period.

Figure 2

Message displayed during unauthorized attempt to post to period 4

Assign Authorization Groups to User Profiles

You also need to know how to enter an authorization group in a user profile. If you don't have access to maintain authorization profiles, you may need assistance from your Basis team. The setup should not take more than an hour.

User master records contain one or more roles that allow authorized users access to transactions within a section of the main SAP menu. Examples of roles are financial accounting manager, accounts payable clerk, and purchasing officer. Each role requires a separate group of transactions for the performance of daily duties. You can copy SAP standard transaction groups to custom groups as required. You assign authorization groups to roles with the following steps:

Step 1. Find all roles that contain authorization object F_BKPF_BUP. Go to transaction SU01 and follow menu path Information>Information System. The result is the screen shown in Figure 3. Follow menu path Roles>By authorization object, click on the execute icon, and enter F_BKPF_BUP in the subsequent screen. Click on the execute icon to display a list of roles similar to the example shown in Figure 4.

Figure 3

Search roles for the authorization object F_BKPF_BUP

Figure 4

Roles that contain the authorization object F_BKPF_BUP

Step 2. Look for a role assigned only to users authorized to post to previous periods. Then go to transaction SU01 and follow menu path Information>Information System again. From the resulting screen, follow menu path User>Users by complex selection criteria>By profiles. Determine if the profile you are considering is assigned only to authorized users.

If you cannot find a suitable existing role, the posting period authorization group can be assigned to a new custom role containing only the authorization group. This example concerns the assignment of the authorization group to an existing role Z_FI_GL_PERIOD_END_CLOSING. This existing role is a copy of SAP standard role SAP_FI_GL_PERIOD_END_CLOSING, which was made to keep the SAP standard role for future reference.

Step 3. Access the user's master record. Go to transaction SU01 to display the user master record for the user you wish to assign to authorization group 0001. Click on the edit icon, and then click on the Roles tab to display the screen shown in Figure 5.

Figure 5

User Z_TEST has the Z_FI_GL_PERIOD_END_CLOSING role in his master record

Step 4. Edit the user's authorizations. A list of roles assigned to the user appears. Double-click on the role chosen in step 2, in this example Z_FI_GL_PERIOD_END_CLOSING. Click on the edit icon in the resulting Display Roles screen, then click on the Authorizations tab. Next, click on the change authorization data icon at the bottom of the screen to display the Change role: Authorizations screen shown in Figure 6. This is a hierarchical display of authorization objects.

Figure 6

Hierarchical display of authorization objects

Step 5. Search roles for the authorization object. Use menu path Edit>Find, and type F_BKPF_BUP in the Authorization object field. F_BKPF_BUP is the authorization object that contains the posting period authorization group. Click on the Find object button to display the screen shown in Figure 7.

Figure 7

Search for F_BKPF_BUP to display authorization group 0001

If the role you selected does not contain F_BKPF_BUP, try another standard role assigned to the users or create a custom role that contains F_BKPF_BUP and assign it to the users.

Step 6. Edit users assigned to the role. Click on the edit icon, enter authorization group 0001 in the From field in the Maintain Field Values dialog box, and press Enter. Click on the green back arrow, then click on the generate icon that appears in the dialog box to generate an authorization profile. Click on the User tab to confirm to which users the role is assigned (Figure 8). You can manually add or delete users in this screen.

Figure 8

Display users assigned to role

Step 7. Replace old profiles with your updates. After you make changes to users assigned to a role, or generate authorization profiles for them, a red status light appears on the User compare button in Figure 8. This indicates that the current user profiles have changed, and are now different from the profiles assigned in the user master records. Click on the User compare button. Then, click on the Complete compare button to remove authorization profiles that are no longer current with user master records and to insert the current profiles.

Step 8. Remove authorization for users who no longer need it. Deactivate authorization object F_BKPF_BUP within all other roles shown in Figure 4. Edit each of the roles with transaction code PFCG. Click on the Authorization tab, then click on the change authorization data icon at the bottom of the screen. Search for F_BKPF_BUP and click on the inactivate icon shown in Figure 9. This ensures that unauthorized users do not have authorization to post to previous periods. You may wish to allow full authorization to roles used exclusively by senior managers.

Figure 9

Authorization group deactivated

You can generate new authorization profiles after making these changes. Perform a test of your authorization changes and you will be ready to use authorization groups to open and close accounting periods.

Authorization Group Numbering Options

The authorization group field is freely definable (i.e., you can enter any combination of four letters and numbers). You may decide to use something relevant to a company name, such as MBP for Molly Brand Products or MBUS for U.S. operations of Molly Brand.

Larger organizations can restrict a posting period to progressively smaller groups of users. For example, 10 users have posting authorization with authorization group 0001, and five of these 10 users also have authorization group 0002. Enter authorization group 0001 in the posting period variant to restrict posting to the 10 users. Later, enter authorization group 0002 to restrict posting to the remaining five users. Figure A shows the screen to enter a range of values for an authorization group.

Figure A

Enter a range of authorization group values

John Jordan

John Jordan is a freelance consultant specializing in product costing and assisting companies gain transparency of production costs resulting in increased efficiency and profitability. John has authored bestselling SAP PRESS books Product Cost Controlling with SAP and Production Variance Analysis in SAP Controlling.

You may contact the author at jjordan@erpcorp.com.

If you have comments about this article or publication, or would like to submit an article idea, please contact the editor.