This blog contains experience gained over the years of implementing (and de-implementing) large scale IT applications/software.

Values for SAP Auth Objects F_REGU_BUK and F_REGU_KOA

Whilst configuring some new read-only SAP roles for FICO access, you may be struggling to find the descriptions for the actions for authorisation objects F_REGU_BUK and F_REGU_KOA and the values for FBTCH (Action for Automatic Procedure).
The descriptions do not appear in the usual auth object display screens.

Within the SAP GUI, if you go into transaction F110, then from the menu select “Environment -> Authorizations”, a popup will be displayed with the following legend:

Key   Action
02    Edit parameters
03    Display parameters
11    Execute proposal
12    Edit proposal
13    Display proposal
14    Delete proposal
15    Create payment medium proposal
21    Execute payment run
23    Display payment run
24    Delete payment run payment dat
25    Create payment media of paymen
26    Delete payment orders of payme
31    Print payment medium manually

For a read-only role, I would recommend only actions 03, 13, 23 and possibly 31 (in case the electronic BACS payment method breaks).
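
An added example (not part of the original post): a Python check that flags FBTCH values beyond the read-only set for F_REGU_BUK and F_REGU_KOA, including ranges and trailing-asterisk values. It assumes the role authorisation values have been exported as CSV with the columns AGR_NAME, OBJECT, FIELD, LOW, HIGH (as in table AGR_1251); the role names and sample rows are constructed.

```python
import csv
import io

# Action legend from the F110 popup (Environment -> Authorizations).
FBTCH_ACTIONS = {
    "02": "Edit parameters", "03": "Display parameters",
    "11": "Execute proposal", "12": "Edit proposal",
    "13": "Display proposal", "14": "Delete proposal",
    "15": "Create payment medium proposal", "21": "Execute payment run",
    "23": "Display payment run", "24": "Delete payment run payment dat",
    "25": "Create payment media of paymen",
    "26": "Delete payment orders of payme",
    "31": "Print payment medium manually",
}
READ_ONLY = {"03", "13", "23"}   # add "31" if manual printing is accepted
OBJECTS = {"F_REGU_BUK", "F_REGU_KOA"}

def granted(low, high):
    """Expand one LOW/HIGH pair into the legend actions it grants."""
    low, high = low.strip(), high.strip()
    if high:                                  # inclusive range, e.g. 11-15
        return {a for a in FBTCH_ACTIONS if low <= a <= high}
    if low.endswith("*"):                     # '*' or a generic value like '2*'
        return {a for a in FBTCH_ACTIONS if a.startswith(low[:-1])}
    return {low} & set(FBTCH_ACTIONS)

def audit(export_csv, allowed=READ_ONLY):
    """Return {(role, object): sorted actions beyond the allowed set}."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_csv)):
        if row["OBJECT"] in OBJECTS and row["FIELD"] == "FBTCH":
            extra = granted(row["LOW"], row["HIGH"]) - set(allowed)
            if extra:
                key = (row["AGR_NAME"], row["OBJECT"])
                findings.setdefault(key, set()).update(extra)
    return {k: sorted(v) for k, v in findings.items()}

# Constructed sample export; role names are hypothetical.
SAMPLE = """AGR_NAME,OBJECT,FIELD,LOW,HIGH
Z_FI_DISPLAY,F_REGU_BUK,FBTCH,03,
Z_FI_DISPLAY,F_REGU_BUK,FBTCH,13,
Z_FI_DISPLAY,F_REGU_KOA,FBTCH,23,
Z_FI_AUDIT,F_REGU_BUK,FBTCH,11,15
Z_FI_AUDIT,F_REGU_KOA,FBTCH,2*,
Z_FI_AUDIT,F_REGU_BUK,BUKRS,*,
"""

if __name__ == "__main__":
    for (role, obj), actions in audit(SAMPLE).items():
        print(role, obj, [(a, FBTCH_ACTIONS[a]) for a in actions])
```

Passing `allowed=READ_ONLY | {"31"}` accepts manual printing of the payment medium as part of the read-only role.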

SAP Authorisation Objects Naming Convention

The first letter of an SAP authorisation object is coded to indicate the SAP module to which it belongs (e.g. F_KNA1_BUK):

A   Assets Accounting
C   Classification System
E   Consolidation
F   Financial Accounting
G   Special Ledger
K   Controlling
L   Logistic execution
M   Materials Management
P   Human Resources
S   Basis
V   Sales and Distribution

If the second character is an underscore, the authorisation object is an SAP standard one.

Use transaction SU03, SU21 or table TOBJ to list the authorisation objects in the system and drill down into the authorisation fields and their possible values.

If using the tables, you may need the other related tables to pull the texts: TOBJ, TOBC (classes), TOBJT.

SAP FBL5N and Change Document Authorisation

After spending tedious amounts of time in SU24 and performing an authorisation trace, I was unable to work out how users got “Change Document” access in FBL5N (Customer Line Item Display).

Access to change documents via transaction FBL5N, which is inherently a display-only transaction, is controlled by giving transaction FB02 to the user.
To see this, you have to look in the source of program RFITEMAR.

Adding transaction FB02 (plus maintaining the subsequent authorisation activities) to a user's role, as well as FBL5N, provides the “Change Document” button on the menu bar in FBL5N.

Disabling Change or Deactivation of SAP Audit Logging SM19 – SAL

To disable changing or deactivation of the SAP Audit Logging (SAL) settings via transaction SM19, you can remove the authorisation object S_ADMI_FCD activity AUDA (see https://wiki.sdn.sap.com/wiki/display/SMAUTH/S_ADMI_FCD).

This would prevent “normal” BASIS administrators from being capable of changing or disabling audit logging, but permit you to provide an emergency user with this capability (you will need to change SAL settings in SM19 at some point!).