Authorization Group in Open/Close posting period (Transaction: OB52)

1. Authorization Group – Overview

The authorization group allows extended authorization protection for particular objects. The authorization groups are freely definable. The authorization groups usually occur in authorization objects together with an activity.

Authorization fields store permissions for system access. The system checks these values before granting users access to protected areas. Authorization objects enable you to permit select users access to restricted transactions by grouping up to 10 authorization fields together.

The authorization functionality streamlines the process and ensures that only the selected users can make changes.

1.1 Posting Period Variant

A ‘Posting Period Variant’ is useful in ‘opening/closing’ Finance posting periods across many Company Codes at one time. You define a posting period variant and assign it to various Company Codes. Since the posting period variant is cross-Company Code, the opening and closing of the posting period is made simple. Instead of opening and closing individually for different Company Codes, you just need to open or close the posting period variant.

It is possible to selectively control the ‘opening’ and ‘closing’ for various types of accounts. Usually, a ‘+’ is mentioned in the top-most entry indicating that all the account types are allowed for posting. Now, for the GL(S) accounts, you will need to specify the period which needs to be opened. This ensures that all the account types are open for the current period, indicated by ‘+,’ and only the GL accounts are open for the previous period. Select account types can also be opened or closed for a specific period; select accounts within an account type can also be opened or closed.

SAP allows you to open or close the posting period only for specific users. This can be achieved by maintaining an authorization group at the document header level.

1.2 Authorization Group for opening/closing of FI posting period

In relation to posting periods, when you need to permit a select group of users to post to a previous period, you can use authorization groups to automate access. This prevents unauthorized users from posting to the previous period without requiring you to adjust the posting settings manually after a period closes. This means that in month-end or year-end closing, for example, you can open some posting periods for specific users only. The authorization group only has an effect on time period 1. The authorization object is F_BKPF_BUP (Accounting document: Authorizations for posting periods). The authorization object F_BKPF_BUP consists of just one field, the authorization group.

All releases of R/3 and ECC have standard functionality that allows a limited number of users to post to the previous period while blocking postings by unauthorized users. This functionality, which involves the use of authorization groups, is needed because accounting periods are typically left open for posting to the previous period for several days, depending on the type of business transaction.

1.3 Special posting period Scenarios

  1. Normal business transactions such as posting a sales order or an invoice are usually posted in the current calendar period. Most users are not allowed to post to the previous calendar period, with the exception of a few power users.
  2. Period close transactions, such as cost center assessment and order settlement, need to wait until all normal postings are complete, and run typically in the first couple of days of the next month. A dedicated team usually handles these transactions, often covered by specific authorization roles containing access to the appropriate transactions.
  3. Correction postings for errors and manual provisions and accruals are generally posted last, before the period is considered finally closed. Typically, only a select group of users is allowed to carry out these postings.

 

2. Activating Authorization Group

  1. Identify security role or create a new security role. (Roles: ZTEMPR1/ZTEMPR2)
  2. Assign Authorization object F_BKPF_BUP (Accounting Document: Authorization for Posting Periods) to the identified role.
  3. The Authorization Object F_BKPF_BUP contains only one field (Authorization Group)
  4. Maintain Authorization group value in Authorization object F_BKPF_BUP. (Auth. Group DE01 assigned to ZTEMPR1 role & DE02 assigned to ZTEMPR2)
  5. Assign the security role to the required users. Users can then post according to the access provided by the assigned authorization group.

3. Posting Scenarios using Authorization group (AG)

3.1 AG (DE01) at only Account Type +

  1. Normal users: The system first checks that the period is open in Interval 2 at account type +, then it checks that the period is open in both Interval 1 & 2 for the given account.
  2. Authorized users (DE01): The system first checks that the period is open in Interval 1 & 2 at account type +, then it checks that the period is open in both Interval 1 & 2 for the given account.

| Period | Normal user | Authorized user |
|---|---|---|
| 5-7 | Yes | Yes |
| 4 | No (No Authorization for posting period 004 2014) | Yes |
| 3 | No (No Authorization for posting period 003 2014) | No (Period 003/2014 is not open for account type K and G/L 4000) |


3.2 AG (DE01) at Account Type + and particular account

  1. Normal users: The system first checks that the period is open in Interval 2 at account type +. If the particular account is to be posted, it then checks that the period is open in Interval 2; if other accounts (with a blank authorization group) are to be posted, it checks that the period is open in both Interval 1 & 2.
  2. Authorized users (DE01): The system first checks that the period is open in Interval 1 & 2 at account type +, then it checks that the period is open in both Interval 1 & 2 for the given account.


| Period | Normal user: Vendor Acc 4000 | Normal user: GL 400300 | Authorized user: Vendor Acc 4000 | Authorized user: GL 400300 |
|---|---|---|---|---|
| 7 | Yes | Yes | Yes | Yes |
| 6 | Yes | No (No Authorization for posting period 006 2014) | Yes | Yes |
| 5 | No (No Authorization for posting period 005 2014) | No (No Authorization for posting period 005 2014) | Yes | Yes |


3.3 AG (DE01) at particular account

  1. Normal users: The system first checks that the period is open in both Interval 1 & 2 at account type +. If the particular account (authorization group DE01) is to be posted, it then checks that the period is open in Interval 2; if other accounts (with a blank authorization group) are to be posted, it checks that the period is open in both Interval 1 & 2.
  2. Authorized users (DE01): The system first checks that the period is open in Interval 1 & 2 at account type +, then it checks that the period is open in both Interval 1 & 2 for the given account.

| Period | Normal user: Vendor Acc 4000 | Normal user: GL 400300 | Authorized user: Vendor Acc 4000 | Authorized user: GL 400300 |
|---|---|---|---|---|
| 6-7 | Yes | Yes | Yes | Yes |
| 5 | Yes | No (No Authorization for posting period 005 2014) | Yes | Yes |


3.4 AG (DE01) at Account Type + and AG (DE02) particular account

  1. Normal users: The system first checks that the period is open in Interval 2 at account type +. If the particular account is to be posted, it then checks that the period is open in Interval 2; if other accounts (with a blank authorization group) are to be posted, it checks that the period is open in both Interval 1 & 2.
  2. Authorized users (DE01): The system first checks that the period is open in both Interval 1 & 2 at account type +. If the particular account is to be posted, it then checks that the period is open in Interval 2; if other accounts (with a blank authorization group) are to be posted, it checks that the period is open in both Interval 1 & 2.
  3. Authorized users (DE02): The system first checks that the period is open in Interval 2 at account type +, then it checks that the period is open in both Interval 1 & 2 for the given account.
  4. Authorized users (DE01 & DE02): The system first checks that the period is open in both Interval 1 & 2 at account type +, then it checks that the period is open in both Interval 1 & 2 for the given account.

Account: 400300

| Period | Normal User | Auth User (DE01) | Auth User (DE02) | Auth User (DE01 & DE02) |
|---|---|---|---|---|
| 7 | Yes | Yes | Yes | Yes |
| 6 | No (No Authorization for posting period 006 2014) | No (No Authorization for posting period 006 2014) | Yes | Yes |
| 5 | No (No Authorization for posting period 005 2014) | No (No Authorization for posting period 005 2014) | No (No Authorization for posting period 005 2014) | Yes |


Vendor Account: 400000

| Period | Normal User | Auth User (DE01) | Auth User (DE02) | Auth User (DE01 & DE02) |
|---|---|---|---|---|
| 6-7 | Yes | Yes | Yes | Yes |
| 5 | No (No Authorization for posting period 005 2014) | Yes | No (No Authorization for posting period 005 2014) | Yes |


3.5 AG (DE01) at one account and AG (DE02) other account

  1. Normal users: The system first checks that the period is open in both Interval 1 & 2 at account type +. If an account with authorization group DE01 or DE02 is to be posted, it then checks that the period is open in Interval 2; if other accounts (with a blank authorization group) are to be posted, it checks that the period is open in both Interval 1 & 2.
  2. Authorized users (DE01): The system first checks that the period is open in both Interval 1 & 2 at account type +. If the account (DE02) is to be posted, it then checks that the period is open in Interval 2; if other accounts (authorization group blank or DE01) are to be posted, it checks that the period is open in both Interval 1 & 2.
  3. Authorized users (DE02): The system first checks that the period is open in both Interval 1 & 2 at account type +. If the account (DE01) is to be posted, it then checks that the period is open in Interval 2; if other accounts (authorization group blank or DE02) are to be posted, it checks that the period is open in both Interval 1 & 2.
  4. Authorized users (DE01 & DE02): The system first checks that the period is open in both Interval 1 & 2 at account type +, then it checks that the period is open in both Interval 1 & 2 for the given account.

Account: 400300

| Period | Normal User | Auth User (DE01) | Auth User (DE02) | Auth User (DE01 & DE02) |
|---|---|---|---|---|
| 7 | Yes | Yes | Yes | Yes |
| 6 | No (No Authorization for posting period 006 2014) | No (No Authorization for posting period 006 2014) | Yes | Yes |


Vendor Account: 400000

| Period | Normal User | Auth User (DE01) | Auth User (DE02) | Auth User (DE01 & DE02) |
|---|---|---|---|---|
| 6-7 | Yes | Yes | Yes | Yes |
| 5 | No (No Authorization for posting period 005 2014) | Yes | No (No Authorization for posting period 005 2014) | Yes |


4. System Behavior

  1. Without an authorization group, Interval 1 is treated as the normal posting period; with an authorization group, Interval 2 is treated as the normal posting period.
  2. Without an authorization group, all users can post in the periods opened in Interval 1 & 2. With an authorization group, all users, including users who are part of the authorization group, can post in the periods opened in Interval 2.
  3. Only users who are part of the authorization group can post in the periods opened in Interval 1.
  4. Posting authorization can be restricted at account type and account level. If no authorization group is assigned to a particular account range, a generic user can post in all the periods opened in Interval 1 & 2.
  5. When an authorization group is assigned to a particular account range, the system first checks whether the posting period is open (Interval 1) for account type + and then checks the account range concerned (Interval 1).

5. Caution

  1. If a user role contains authorization object F_BKPF_BUP with the value *, the authorization group functionality does not work.
  2. Identify such user roles and remove access to authorization object F_BKPF_BUP.
  3. Impact analysis should be done before removing * access.
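
The rules in sections 4 and 5 can be modelled in a few lines. The following Python sketch is an added example, not SAP code and not part of the original page: it evaluates a posting against a constructed posting period variant that reproduces scenario 3.4, and shows why a * value in F_BKPF_BUP bypasses every group. The interval values, the single-fiscal-year simplification, the first-matching-line lookup and the role ZHYPO_ALL are assumptions.

```python
from collections import namedtuple

# One line of a posting period variant. Intervals are (from, to) periods of a
# single fiscal year (assumption); augr is the authorization group, "" = blank.
Row = namedtuple("Row", "acct_type acct_from acct_to interval1 interval2 augr",
                 defaults=("",))

def _within(interval, period):
    return interval is not None and interval[0] <= period <= interval[1]

def check_row(row, period, user_groups):
    """Return 'ok', 'no_auth' or 'not_open' for one variant line."""
    if _within(row.interval2, period):        # Interval 2: open to every user
        return "ok"
    if _within(row.interval1, period):
        # Blank group: Interval 1 is a normal period. A '*' value in
        # F_BKPF_BUP matches every group, which is why it defeats the control.
        if not row.augr or row.augr in user_groups or "*" in user_groups:
            return "ok"
        return "no_auth"
    return "not_open"

def can_post(variant, acct_type, account, period, user_groups):
    """Check the '+' line first, then the first line covering the account."""
    plus = next(r for r in variant if r.acct_type == "+")
    result = check_row(plus, period, user_groups)
    if result != "ok":
        return result
    for r in variant:
        if r.acct_type == acct_type and r.acct_from <= account <= r.acct_to:
            return check_row(r, period, user_groups)
    return "not_open"                         # no line for this account

def wildcard_roles(role_values):
    """Roles whose F_BKPF_BUP value is '*' (candidates for clean-up)."""
    return sorted(role for role, vals in role_values.items() if "*" in vals)

# Constructed variant reproducing scenario 3.4 (not taken from a real system).
VARIANT_3_4 = [
    Row("+", "", "", (5, 5), (6, 7), "DE01"),
    Row("S", "400300", "400300", (5, 6), (7, 7), "DE02"),
    Row("K", "0", "ZZZZZZZZZZ", (5, 7), None),
]
# Role values: ZTEMPR1/ZTEMPR2 as on the page, ZHYPO_ALL is hypothetical.
ROLES = {"ZTEMPR1": {"DE01"}, "ZTEMPR2": {"DE02"}, "ZHYPO_ALL": {"*"}}

if __name__ == "__main__":
    for groups in (set(), {"DE01"}, {"DE02"}, {"DE01", "DE02"}, {"*"}):
        print(sorted(groups), can_post(VARIANT_3_4, "S", "400300", 5, groups))
    print(wildcard_roles(ROLES))
```

The result no_auth corresponds to the "No Authorization for posting period" message in the tables above, and not_open to the "is not open" message.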