{"id":9463,"date":"2026-06-15T12:06:30","date_gmt":"2026-06-15T05:06:30","guid":{"rendered":"https:\/\/www.sterling-team.com\/news\/?p=9463"},"modified":"2026-06-15T12:07:26","modified_gmt":"2026-06-15T05:07:26","slug":"additional-authorization-setup-in-sap-business-one-for-enhanced-erp-security","status":"publish","type":"post","link":"https:\/\/www.sterling-team.com\/news\/en\/additional-authorization-setup-in-sap-business-one-for-enhanced-erp-security\/","title":{"rendered":"Additional Authorization Setup in SAP Business One for Enhanced ERP Security"},"content":{"rendered":"<p>Many organizations have implemented add-ons, custom forms, or custom reports within SAP Business One; however, not every user should be granted access to these functionalities. Without a properly configured authorization framework, the risks of uncontrolled data modifications, exposure of sensitive information, and weakened audit trails can increase substantially.<\/p>\n<p>As a business expands, its organizational structure demands access controls that are far more granular than the standard permissions provided by the system out of the box.<\/p>\n<p>Additional Authorization Creator is a native SAP Business One feature designed to introduce custom authorizations into the General Authorizations menu. 
It enables system administrators to govern access rights to custom forms, add-ons, stored procedure reports, and User-Defined Windows (UDWs) with precision, whether by individual user or user group.<\/p>\n<h2>What Is Additional Authorization Creator in SAP Business One?<\/h2>\n<p>Out of the box, SAP Business One provides the General Authorizations menu, allowing administrators to manage access rights for standard modules and forms, including Sales Orders, A\/P Invoices, and Journal Entries.<\/p>\n<p>However, once your system is extended through the SDK (Software Development Kit), UI API, DI API, or enhanced with User-Defined Objects (UDOs), these newly created components will not automatically appear within the General Authorizations window.<\/p>\n<p>This is where Additional Authorization Creator becomes indispensable. The feature serves as a bridge that registers the unique identifiers of custom-built forms, third-party add-on menus, and custom reports within the standard General Authorizations hierarchy.<\/p>\n<p>By leveraging this functionality, administrators can apply SAP Business One\u2019s three standard authorization levels to custom objects:<\/p>\n<ul>\n<li>Full Authorization: Users are granted unrestricted access to open, view, create, and modify data.<\/li>\n<li>Read Only: Users may view information but are prevented from making changes or performing further interactions.<\/li>\n<li>No Authorization: The menu or form is completely restricted. 
In certain scenarios, the custom menu may not even appear in the user\u2019s Main Menu.<\/li>\n<\/ul>\n<h2>Why Is Additional Authorization Necessary?<\/h2>\n<p>Overlooking security controls for custom components is one of the most significant vulnerabilities in ERP governance. Allowing all users unrestricted access to add-ons or internal reports exposes the organization to a range of operational and financial risks.<\/p>\n<p>To better understand the importance of this feature, consider the following risk-and-control matrix:<\/p>\n<div class=\"table-container\">\n<table class=\"responsive-table\">\n<thead>\n<tr>\n<th>KEY CHALLENGE<\/th>\n<th>BUSINESS IMPACT<\/th>\n<th>SOLUTION WITH ADDITIONAL AUTHORIZATION<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td data-label=\"KEY CHALLENGE\">\n      All users share identical access rights to custom menus.\n    <\/td>\n<td data-label=\"BUSINESS IMPACT\">\n      Potential exposure of sensitive information, such as profit-margin reports or production costing data.\n    <\/td>\n<td data-label=\"SOLUTION WITH ADDITIONAL AUTHORIZATION\">\n      Restrict access to custom reports exclusively to management personnel or designated users.\n    <\/td>\n<\/tr>\n<tr>\n<td data-label=\"KEY CHALLENGE\">\n      Absence of Segregation of Duties (SoD).\n    <\/td>\n<td data-label=\"BUSINESS IMPACT\">\n      Warehouse personnel may gain the ability to alter approval parameters or pricing validations within sales add-ons.\n    <\/td>\n<td data-label=\"SOLUTION WITH ADDITIONAL AUTHORIZATION\">\n      Separate permissions for custom data entry from add-on configuration privileges.\n    <\/td>\n<\/tr>\n<tr>\n<td data-label=\"KEY CHALLENGE\">\n      Elevated risk of human error.\n    <\/td>\n<td data-label=\"BUSINESS IMPACT\">\n      Data stored in User-Defined Tables (UDTs) may be inadvertently modified or deleted by non-technical users.\n    <\/td>\n<td data-label=\"SOLUTION WITH ADDITIONAL AUTHORIZATION\">\n      Assign Read Only or No Authorization 
permissions to operational users where appropriate.\n    <\/td>\n<\/tr>\n<tr>\n<td data-label=\"KEY CHALLENGE\">\n      Weak internal audit trails.\n    <\/td>\n<td data-label=\"BUSINESS IMPACT\">\n      Difficulty identifying who executed custom utility functions or data-cleansing tools.\n    <\/td>\n<td data-label=\"SOLUTION WITH ADDITIONAL AUTHORIZATION\">\n      Ensure that every custom-function activity is tied to a formally authorized User ID.\n    <\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<h2>How Does Additional Authorization Creator Work?<\/h2>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/d2h87rbqc48mm2.cloudfront.net\/ws\/2026\/img-diagram-parameter-teknik.webp\" width=\"680\" height=\"453\" alt=\"Technical parameter diagram illustrating Form ID and Authorization ID within the SAP Business One Additional Authorization Creator component\" class=\"alignnone size-full\" \/><\/p>\n<p>Before moving into the technical implementation, it is essential to understand the key parameters that define the structure of an Additional Authorization. 
Each authorization entity is composed of the following elements:<\/p>\n<ul>\n<li><strong>Authorization ID:<\/strong> A unique alphanumeric code that serves as the primary authorization identifier within the database. It is highly recommended to adopt a dedicated company or add-on prefix (for example: A_PUR_RPT01).<\/li>\n<li><strong>Authorization Name:<\/strong> The descriptive label displayed within the General Authorizations hierarchy (for example: Advanced Purchase Analysis Report).<\/li>\n<li><strong>Form ID:<\/strong> The unique string or numeric identifier of the form being controlled. For add-ons, this typically refers to the FormUID declared within the UI API code. For reports, it may correspond to a Query Wizard object or a specific window ID.<\/li>\n<li><strong>Parent ID:<\/strong> Determines where the custom authorization will be positioned within the General Authorizations hierarchy beneath the standard menu structure.<\/li>\n<li><strong>Level:<\/strong> Defines the hierarchy depth, such as Level 1 for primary groups and Level 2 for subordinate menu items.<\/li>\n<li><strong>Display Order:<\/strong> Specifies the vertical display sequence relative to other custom authorization items within the same hierarchy level.<\/li>\n<li><strong>Authorization Type:<\/strong> Determines the available permission options for the object, whether it supports Full \/ Read \/ None or only Full \/ None authorization models.<\/li>\n<\/ul>\n<p>Once an Additional Authorization is successfully created, it becomes fully integrated with the standard User Authorization and User Group Authorization framework. 
As a result, organizations that already employ user-group-based permission management can administer access rights efficiently without configuring permissions individually for every user.<\/p>\n<h2>How to Configure Additional Authorization in SAP Business One<\/h2>\n<p>Follow the structured steps below to safely create and implement additional authorizations within your SAP Business One environment.<\/p>\n<h3>Step 1: Access the Additional Authorization Creator<\/h3>\n<p>Launch SAP Business One using an account with <strong>Superuser<\/strong> privileges. Navigate to:<\/p>\n<p><strong>Administration<\/strong> &gt; <strong>System Initialization<\/strong> &gt; <strong>Authorizations<\/strong> &gt; <strong>Additional Authorization Creator<\/strong>.<\/p>\n<p>The <em>Additional Authorization Creator<\/em> window will open, displaying the authorization hierarchy currently configured within the system.<\/p>\n<h3>Step 2: Define the Hierarchical Position (Parent Level)<\/h3>\n<p>Before creating a new authorization item, determine where it should reside within the hierarchy. For example, if you want to place it under the standard Purchasing module:<\/p>\n<ol>\n<li>Select the relevant module area or folder in the left-hand panel.<\/li>\n<li>Use <strong>Add Same Level<\/strong> to create a new primary category, or <strong>Add Sub Level<\/strong> to place the authorization within an existing module subfolder.<\/li>\n<\/ol>\n<h3>Step 3: Define the Authorization ID and Name<\/h3>\n<p>In the active right-hand panel, complete the primary identification fields:<\/p>\n<ul>\n<li>In the <strong>Authorization ID<\/strong> field, enter a unique string without spaces.<\/li>\n<li>In the <strong>Authorization Name<\/strong> field, provide a clear and meaningful description that can be easily understood by users and auditors alike.<\/li>\n<\/ul>\n<h3>Step 4: Specify the Correct Form ID<\/h3>\n<p>This is the most critical step. 
Enter the appropriate <strong>Form ID<\/strong> corresponding to your custom object. If you are securing a <em>User-Defined Window<\/em> or an <em>add-on form<\/em>, ensure that the <code>FormUID<\/code> value entered matches exactly\u2014character for character and case-sensitive\u2014the identifier registered within the system.<\/p>\n<h3>Step 5: Configure Display Order and Authorization Options<\/h3>\n<p>Assign a <strong>Display Order<\/strong> value (for example: 1, 2, or 3) to maintain a well-organized hierarchy. Under <em>Options<\/em>, determine whether the custom form should support a <em>Read Only<\/em> permission level or only the binary <em>Full\/None<\/em> authorization model.<\/p>\n<h3>Step 6: Save the Authorization Configuration<\/h3>\n<p>Once all parameters have been completed accurately, click <strong>Update<\/strong> or <strong>Add<\/strong> at the bottom of the window to save the configuration to the SAP Business One database.<\/p>\n<h3>Step 7: Assign the Authorization to Users or User Groups<\/h3>\n<p>Your newly created authorization is now ready for deployment. To assign it:<\/p>\n<ol>\n<li>Navigate to <strong>Administration<\/strong> &gt; <strong>System Initialization<\/strong> &gt; <strong>Authorizations<\/strong> &gt; <strong>General Authorizations<\/strong>.<\/li>\n<li>Select the target <em>User<\/em> or <em>User Group<\/em> from the left-hand panel.<\/li>\n<li>Locate the custom <em>Authorization Name<\/em> you have just created. 
It is typically found beneath the selected parent module or within a dedicated <em>User Authorizations<\/em> folder.<\/li>\n<li>Set the authorization level to <em>Full Authorization<\/em>, <em>Read Only<\/em>, or <em>No Authorization<\/em> according to the user&#8217;s operational responsibilities and access requirements.<\/li>\n<li>Click <strong>Update<\/strong> to apply the new security controls.<\/li>\n<\/ol>\n<h2>Understanding the Authorization Hierarchy Structure<\/h2>\n<p>Managing dozens of custom forms without a well-defined structure can significantly complicate security audits and permission administration. The <em>Additional Authorization Creator<\/em> adopts a highly flexible <em>Parent\u2013Child Authorization<\/em> model to address this challenge.<\/p>\n<pre>[Main Module: Purchasing - Custom]   &lt;-- Parent Level (Level 1)\r\n   |\r\n   +-- [Vendor Evaluation Report]    &lt;-- Child Level (Level 2)\r\n   |\r\n   +-- [Special Approval Form]       &lt;-- Child Level (Level 2)\r\n<\/pre>\n<p>To efficiently manage this hierarchy, utilize the three primary functions available within the creator menu:<\/p>\n<ul>\n<li><strong>Add Sub Level:<\/strong> Creates a child branch beneath the currently selected authorization item. This function is particularly useful for grouping multiple custom reports under a single parent folder.<\/li>\n<li><strong>Add Same Level:<\/strong> Creates a new authorization item at the same hierarchical level as the selected item.<\/li>\n<li><strong>Delete Authorization:<\/strong> Removes a custom authorization entry from the system. 
It is important to note that deleting an <em>Authorization ID<\/em> does not remove the associated form or add-on from the database; it merely removes the access-control mechanism from the <em>General Authorizations<\/em> menu.<\/li>\n<\/ul>\n<h2>Implementation Examples for Add-Ons and Custom Forms<\/h2>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/d2h87rbqc48mm2.cloudfront.net\/ws\/2026\/img-separating-staff-authorization.webp\" width=\"680\" height=\"373\" alt=\"Example of SAP Business One custom form access control separating standard staff permissions from managerial-level authorizations\" class=\"alignnone size-full\" \/><\/p>\n<p>Consider the following real-world scenarios in which <em>Additional Authorization<\/em> was implemented within a mid-sized Indonesian enterprise to strengthen internal controls.<\/p>\n<h3>Case 1: Custom Purchasing Report (Stored Procedure \/ Crystal Reports)<\/h3>\n<p>The company manufactures products using proprietary formulas and maintains a custom report called <em>Primary Raw Material Pricing Report<\/em>.<\/p>\n<ul>\n<li><strong>Before Implementation:<\/strong> The report was accessible through a general menu, allowing all purchasing administrators to view confidential raw material pricing fluctuations, thereby increasing the risk of information leakage to competitors.<\/li>\n<li><strong>After Implementation:<\/strong> A dedicated <em>Authorization ID<\/em> was created for the report. 
Access was set to <em>No Authorization<\/em> for all staff members, while <em>Full Authorization<\/em> was granted exclusively to the Purchasing Manager.<\/li>\n<\/ul>\n<h3>Case 2: Custom Approval Form (Logistics Add-On)<\/h3>\n<p>The organization utilizes a third-party add-on that allows users to override customer credit limits through a <em>Credit Limit Override Window<\/em>.<\/p>\n<ul>\n<li><strong>Before Implementation:<\/strong> Anyone familiar with the shortcut code or add-on menu could access the form and unlawfully increase customer credit limits.<\/li>\n<li><strong>After Implementation:<\/strong> The window\u2019s Form ID was registered within the <em>Additional Authorization Creator<\/em>. Access was completely restricted for operational sales personnel and granted solely to the Finance Controller team with <em>Full Authorization<\/em> privileges.<\/li>\n<\/ul>\n<h2>Authorization Configuration Best Practices<\/h2>\n<p>As a consultant, I strongly recommend adhering to the following governance principles to ensure that your ERP environment remains secure, scalable, and audit-ready.<\/p>\n<h3>1. Enforce the Principle of Least Privilege<\/h3>\n<p>Always grant users only the minimum level of access required to perform their daily responsibilities. Begin with <em>No Authorization<\/em> by default and elevate permissions only when a formally approved business request has been submitted.<\/p>\n<h3>2. Leverage User Groups<\/h3>\n<p>Avoid managing custom permissions on an individual-user basis if your organization has more than 20 employees. 
Instead, group users according to functional roles (for example, <em>Finance &#038; Logistics Group<\/em> or <em>Sales Administration Group<\/em>) and assign <em>Additional Authorizations<\/em> at the group level for greater administrative efficiency.<\/p>\n<p>For guidance on managing main menu visibility in alignment with these authorization settings, refer to the <em>Form Authorization &amp; Main Menu Settings Guide in SAP Business One<\/em>.<\/p>\n<h3>3. Document Every Authorization ID<\/h3>\n<p>Maintain a master spreadsheet that records every <em>Authorization ID<\/em>, <em>Form ID<\/em>, object name, business purpose, and the designated <em>Business Process Owner<\/em> responsible for each custom object.<\/p>\n<h3>4. Conduct Regular Access Reviews<\/h3>\n<p>Perform authorization audits at least every six months. Ensure that employees who have transferred roles or left the organization have their custom permissions revoked promptly, and verify that organizational changes have not inadvertently created unauthorized access pathways.<\/p>\n<h2>Impact on Security and Audit Trail<\/h2>\n<p>The disciplined implementation of <em>Additional Authorization<\/em> has a direct impact on an organization\u2019s compliance with financial auditing standards. When external auditors assess an enterprise\u2019s information systems, one of their primary areas of focus is the enforcement of <em>Segregation of Duties<\/em> (SoD) within the ERP environment.<\/p>\n<p>By securing custom forms, organizations effectively eliminate potential backdoor avenues for unauthorized data manipulation. Whenever a user attempts to access a custom form for which they lack authorization, SAP Business One automatically denies access and displays the standard system message: <em>&#8220;You are not authorized to perform this action&#8221;<\/em>.<\/p>\n<p>Furthermore, custom form security should always be complemented by rigorous activity log monitoring. 
To comprehensively track data modifications across both standard and custom documents, you may refer to the <em>SAP B1 Access &amp; <a href=\"https:\/\/www.sterling-team.com\/news\/en\/monitor-sap-business-one-user-access-audit-trail-data\/\">Change Log<\/a> for User Activity Monitoring<\/em> guide.<\/p>\n<p>This layered approach to governance ensures that every critical data interaction leaves behind a valid and auditable digital footprint.<\/p>\n<h2>FAQ (Frequently Asked Questions)<\/h2>\n<h3>What Is Additional Authorization Creator?<\/h3>\n<p>It is a built-in SAP Business One utility that enables administrators to register custom objects\u2014such as <em>custom forms<\/em>, <em>add-ons<\/em>, and newly created data windows\u2014within the standard <em>General Authorizations<\/em> framework, allowing their access rights to be centrally managed and controlled.<\/p>\n<h3>What Is the Difference Between General Authorization and Additional Authorization?<\/h3>\n<ul>\n<li><em>General Authorization<\/em> refers to the standard, out-of-the-box permission structure provided by SAP Business One for its native modules and functionalities.<\/li>\n<li><em>Additional Authorization<\/em> is an administrator- or consultant-configured authorization layer designed to manage access rights for custom forms, add-ons, and functions that extend beyond SAP\u2019s standard capabilities.<\/li>\n<\/ul>\n<h3>How Can I Identify a Form ID in SAP Business One?<\/h3>\n<p>Enable the <em>System Information<\/em> feature by navigating to <strong>View<\/strong> &gt; <strong>System Information<\/strong>. Once activated, move your mouse cursor over the custom form or window you wish to identify. The lower-left corner of the SAP Business One application window will display technical information containing values such as <code>Form=XXX<\/code> or <code>FormID=XXX<\/code>.<\/p>\n<h3>Can Authorization Be Applied to Add-Ons?<\/h3>\n<p>Yes. 
In fact, this is one of the primary functions of the <em>Additional Authorization Creator<\/em>. Simply obtain the unique <code>FormUID<\/code> string or Menu ID from the developer responsible for the add-on and register it within the authorization hierarchy.<\/p>\n<h3>Can Authorization Be Assigned to User Groups?<\/h3>\n<p>Absolutely. Once a new authorization has been created through the <em>Additional Authorization Creator<\/em>, it immediately becomes available within the <em>General Authorizations<\/em> window. From there, you can select the <em>User Groups<\/em> tab and apply the custom authorization to all members of the group simultaneously.<\/p>\n<h3>Are Authorization Changes Recorded in the Audit Trail?<\/h3>\n<p>Yes. Whenever a Superuser modifies a user\u2019s authorization level\u2014for example, changing a permission from <em>Read Only<\/em> to <em>Full Authorization<\/em> within the <em>General Authorizations<\/em> window\u2014the action is recorded by SAP Business One\u2019s internal logging system for security auditing and compliance purposes.<\/p>\n<h2>Conclusion<\/h2>\n<p>The <strong>Additional Authorization Creator<\/strong> feature in SAP Business One is an indispensable instrument for organizations seeking to establish a secure, well-governed, and compliant ERP environment.<\/p>\n<p>Its ability to provide granular control over access to <em>custom forms<\/em>, <em>add-ons<\/em>, and internal reports significantly reduces the risk of sensitive data exposure while minimizing operational errors caused by human oversight.<\/p>\n<p>To maximize its effectiveness, implement this feature in accordance with the principle of <em>least privilege<\/em> and maintain comprehensive documentation for every custom authorization ID you create. Doing so will greatly simplify future audit processes and strengthen your organization\u2019s overall security posture.<\/p>\n<p>Looking to enhance SAP Business One security and access control within your organization? 
Explore our additional SAP Business One resources or discuss your implementation requirements with an experienced team of consultants.<\/p>\n<p><a href=\"https:\/\/www.sterling-team.com\/sap-business-one\/\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-1344 aligncenter\" src=\"https:\/\/www.sterling-team.com\/news\/wp-content\/uploads\/2020\/05\/banner-sap-indonesia-cta-en.jpg\" alt=\"SAP Business One Indonesia\" width=\"600\" height=\"150\" \/><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Many organizations have implemented add-ons, custom forms, or custom reports within SAP Business One; however, not every user should be&hellip;<\/p>\n","protected":false},"author":1,"featured_media":9464,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[767],"tags":[],"class_list":["post-9463","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-general-tips"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.sterling-team.com\/news\/wp-json\/wp\/v2\/posts\/9463","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.sterling-team.com\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.sterling-team.com\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.sterling-team.com\/news\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.sterling-team.com\/news\/wp-json\/wp\/v2\/comments?post=9463"}],"version-history":[{"count":2,"href":"https:\/\/www.sterling-team.com\/news\/wp-json\/wp\/v2\/posts\/9463\/revisions"}],"predecessor-version":[{"id":9466,"href":"https:\/\/www.sterling-team.com\/news\/wp-json\/wp\/v2\/posts\/9463\/revisions\/9466"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.sterling-team.com\/news\/wp-json\/wp\/v2\/media\/9464"}],"wp:attachment":[{"href":"https:\/\/www.sterling-team
.com\/news\/wp-json\/wp\/v2\/media?parent=9463"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.sterling-team.com\/news\/wp-json\/wp\/v2\/categories?post=9463"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.sterling-team.com\/news\/wp-json\/wp\/v2\/tags?post=9463"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}