Defining General Authorizations

• DG Industries has 15 users in the sales department. These users need authorization to the Sales - A/R menus and functions in SAP Business One.
• The sales manager needs in addition access to sales reports and sales analysis dashboards. This is a very simple example of an authorization requirement; in real life the requirements would be much more complex.
• There are several ways to implement these authorizations in an optimized way:
  • Option 1: Set up one user with the required authorizations, then copy the set of authorizations to the other sales users including the manager. Manually fine tune the authorizations for the sales manager to add the additional authorizations needed for the role.
  • Option 2: Create a new authorization user group based on the default sales authorization group. Assign all users to this group including the manager, then manually fine tune the authorizations for the sales manager.
• In this course you will see how the two options work.

• When a user account is created for a normal user (not a super user), the user can logon to SAP Business One but cannot access any functionality.
• The user requires both a license and general authorizations to the menus and functions they need to work with:
  • The type of license assigned to a user determines which functions and documents the user is legally contracted to use. If the user tries to access a function that is outside the scope of the license, the user will get an error generated from the license server.
  • The general authorizations granted to a user permit the user to access or update the SAP Business One functions and objects within the scope of the assigned license type. These authorizations allow a company to limit access to menus and functions based on the requirements of a user's job role. If the user does not have authorization to a menu, the user will get an authorization error when he or she tries to access the menu.
• Note that assigning a general authorization to a user for a function that is not permitted by the assigned license type will not grant the user permission to access that function.

• The general authorizations window shows the list of authorizations granted to a selected user. The user account is selected in the left part of the window under the Users tab.
• Authorizations are listed by subject area and are expandable and generally match the main menu.
• A user defined as super user has full authorization to all SAP Business One menus and functions and you cannot modify the authorizations for this user since the selection is grayed out. In the example, the selected user is a super user and has full authorization to all menus and functions. For this reason a super user must be assigned a Professional license.

• By default, all newly created users who are not super users have no authorizations to any SAP Business One menus or functions. General Authorizations must be set for each user so they can perform their job. In the example, the selected user is a normal user and initially has no authorization to menus and functions.
• Note: authorizations should be granted in accordance with the license purchased for the user. The license comparison chart is available for download from the Partner portal and shows the access rights for each license type.

• Users are not allowed to access a form, report or document for which they have no authorization.
• In the example, a CRM user wants to view the cash flow forecast. However they do not have authorization to access this function. When they try to access the menu item a popup message appears notifying the user that they do not have authorization. A super user can temporarily allow the user one time access to the function.
• If the user needs permanent access to the function then the general authorization should be assigned.

Option 1 of the business scenario manually assigns authorizations to one sample user then copies the authorizations to other users.

• To set an authorization manually, open the authorizations window and on the Users tab select the user. Then open the dropdown list for each menu or function and select Full Authorization or Read-Only:
  • If you select Full Authorization then the user is able to display and modify data for that function. For example, if this authorization is selected for the Sales Quotation function, a user would be able to view, create and update sales quotations.
  • If you select Read-Only then the user can view, but not change any data.
• Only super users or authorized users can set authorizations for users.
• For a full explanation of each general authorization, refer to the how-to guide How to Define Authorizations.

• When you assign an authorization for a module, such as Sales - A/R, the same authorization trickles down to all the sub-menus within the module.
• If you assign or change an authorization at a lower level of the module, the top level authorization will change to Various Authorizations to indicate there are authorizations set lower down in the tree.

• In the authorizations window you can also set the maximum discount a user can offer in sales, purchasing or other forms such as business partner master data and payment terms. If the discount percentage is zero, the user will not be allowed to enter a discount at all. In the example shown here the user is allowed to enter discounts up to 15% in sales documents.
• You can also permit the amount of cash a user is allowed to enter in an incoming payment (Payment Means window, Cash tab). When you select the checkbox you will be able to enter the cash amount.

• To save time, you can copy the authorizations from one user to other users.
• In the authorizations window, select the user then choose the Copy Authorizations button. A list of users will appear and you can select multiple target users for the copy.
• You can also copy the authorizations from a selected user to another user by holding your mouse over the source user name until a black rectangle appears, then dragging and dropping the rectangle over the target user. The system asks you to confirm you want to copy the authorizations.

Option 2 of the business scenario assigns authorizations to users at the authorization user group level.

• Setting authorizations on a per user basis can be time consuming. If a company has several users who perform the same role, or work with the same set of functions, it is more efficient to use an authorization user group.
• Authorization user groups are predefined sets of authorizations that can be assigned to multiple users.
• In a new system there are four default groups defined by SAP which contain the authorizations generally required for finance, sales, purchasing and inventory-related roles.
• You can use these default user groups out-of-the-box, edit them, copy them to create new groups, or create your own user groups from scratch.

• To create a new authorization group, choose the Create Group button and enter a name and description.
• Select the Group Type as Authorization or Cross All Types.
• You have the option to set an active date when you create a new group. This allows you to predefine the authorizations then roll them out at a later date. You can also set an active date range for each individual user you add to the group.
• For SAP HANA you can associate a predefined, published cockpit template which will be assigned to all the group members. SAP provides Sales, Finance, Purchase and Inventory templates out-of-the-box, but you can also add your own cockpit templates. For information on cockpit templates, see the Getting Started topic in the Overview program.

Note: User Groups can also be created for other types of use (for example, alerts and form settings). For more information on these groups see the Users and User Groups course in this program.

• User groups of type Authorization and Cross All Types are visible in the authorizations window.
• To set authorizations for a user group, select the Groups tab in the authorizations window, then select the predefined group. You can then set the authorizations as you would manually for a user.
• The authorizations will instantly apply to all users in the group.

• Instead of setting the authorizations manually for a new user group, you can copy the authorizations from one of the predefined user groups provided out-of-the-box (Sales, Purchase, Finance and Inventory). This gives you a good starting point for setting authorizations. For example, if you create a new group for sales managers, you can select the default sales user group as the basis.
• To do this, select the Copy Authorizations button. Then select the target user group.
• You can then adjust the authorizations in the new group, as required.

• In addition to assigning users to a group by adding them in the group, you can assign a user to a group from the user account. In the user account select the ellipsis button to the right of the Groups field, and select a group from the list shown.
• When you assign a user to a group, the user is added to the group list and instantly receives the general authorizations set for the group.
• Note: If you change an authorization in a group after you have assigned users to the group, those users will all receive the changed authorization.
• You can select more than one group if applicable for the user's role and if the user has the appropriate license. You can also manually change the authorizations for a user even if they belong to a user group.

• From the authorizations window you can export the set authorizations for a user or user group to Microsoft Excel.
• To export the authorizations for one or more individual users, select the Users tab in the authorizations window then choose the Excel icon on the icon bar, and select one or more users.
• To export the authorizations for one or more user groups, select the Groups tab in the general authorizations window then choose the Excel icon and select the groups.
• Tip: During an implementation project, a report or spreadsheet of the assigned authorizations should be saved with the project documentation.

• An additional column is available in the authorizations window. This column only shows when you select a user on the Users tab.
• To view this column, click the arrow in the top-right part of the matrix, or adjust the column widths manually to bring the additional column into view.
• The Effective Authorization column shows the combined authorizations granted to a user - from an authorization user group and from any manual authorizations. In case of conflicting authorizations, the highest (most generous) authorization will prevail.
• In the example, the selected user has not been granted any authorizations directly; however the user has effective authorizations from an authorization user group.

• The system does not prevent a user from being assigned to more than one authorization group. In the user account you can see the authorization groups assigned to a user.
• If a user is assigned to multiple authorization groups then potentially there could be conflicting authorizations for a specific function.
• For example, the user could potentially receive all three permissions to the Sales - A/R menu (Read-Only, No Authorization and/or Full Authorization).
• In this case the system will grant the highest (most generous authorization) and this will appear as the effective authorization.

• Changes to authorizations for a user or user group are tracked in the Change Log. This provides an audit trail.
• The Change Log is available from the Tools menu when the authorizations window is open and when a user or user group is selected in this window.
• Each row in the change log represents a snapshot of what was changed, and you can see the full details by double-clicking the row.
• You can also select two rows and show the differences. The differences window shows a consolidation of the two selected rows, including the change date, the changed field, the previous value and the new value, as well as the name of the person changing the authorization.

• In the Additional Authorization Creator window, developers can add user authorizations to the authorizations table. A user authorization controls access to a new menu item or user form. You can set the possible authorizations as Full/None or Full/Read/None.
• You enter an Authorization Id and Name, and the FormID. To find the form ID, open the form and choose View > System information on the Top Menu. The form ID shows in the status bar when you hover over the form.
• The new authorization appears in the authorizations window, under the subject area User Authorization.

For more information on user-defined tables and user-defined objects, see the User-Defined Tables topic in this course.

Sales and purchasing reports contain sensitive information and a company might want to restrict access to these reports.

In the Reports subject area you can restrict access to all sales and purchasing reports, or to the Open Items list report, or to individual document types in the Open Items list . If you select No Authorization, the user cannot open these reports.

You can authorize or restrict access to SAP HANA analytical reports, including the ability to:

• Launch the Excel Report and Interactive Analysis Designer tool
• View a specific Excel interactive analysis report (by functional area or at the specific report level)
• View the semantic layer
• Access information in KPIs, cockpits and dashboards

Note: In the authorizations window you can see a button Apply Auth. To Back End.

This button is only relevant for companies that use Microsoft SQL Server for production and SAP HANA for analytics (B1A). Authorizations are required for users to access the semantic layer (these authorizations are listed under the Analytics subject area). After the authorizations are updated, they are saved to the SAP Business One production database, but they also must be synchronized with the underlying SAP HANA analytics server. For consistency, SAP recommends that the SAP HANA analytics server is stopped when making these changes, then after the changes are saved, to restart the analytics server and use this button to synchronize the changes. In the current release, the synchronization is not automatic and must be manually done by the administrator pressing this button.

Here are some key points to take away from this session.

• Each user who is not a super user needs to be assigned both a license and general authorization to menus and functions required for their role
• A super user has by default full authorization to every function in SAP Business One. Super users need a Professional license.
• A regular user by default has no authorizations to any function and you need to grant general authorizations to each user according to the license purchased for the user.
• The authorizations window shows the list of general authorizations in the same general order as SAP Business One menus and functions. Authorizations are also required for access to reports and analytics.
• To set an authorization manually, select the user and open the dropdown list for each menu or function and select full or read-only authorization:
  • If you select Full Authorization the user can display and modify data for that function. For example, a user would be able to view, create and update sales quotations
  • If you select Read-Only then the user can view, but not change any data
• To save time, you can copy the authorizations from one user to other users
• Changes to authorizations are recorded in the Change Log, for audit purposes
• If a company has several users who perform the same role, or work with the same set of functions, it is more efficient to use an authorization user group
• Authorization user groups are predefined sets of authorizations that can be assigned to multiple users. In a new system there are four default groups which contain the authorizations generally required for finance, sales, purchasing and inventory-related roles
• These user groups appear in the authorizations window and you can set the authorizations as you would manually for a single user
• When you create a new group, you can copy authorizations from another user group
• The Effective Authorization column shows the combined authorizations granted to a user - from an authorization user group and from any manual authorizations.
• If multiple, conflicting authorizations are granted to a user from a combination of manual assignment and user group, the highest (most generous) authorization will apply
• You can export assigned authorizations to Microsoft Excel to review, or for project documentation