01-29-2010 4:06 AM
Hi guys,
I have a complex requirement from my CO functional team. They just came to me and asked me to create a role with the KSB1 transaction, and they want me to restrict it by cost center group in ECC. They already created all the cost center groupings and the hierarchy, which have already been extracted to the BI system, and I already created lots of roles in BI for reporting. But I think they want to give access to some users to see the reports through ECC using KSB1.
However, this request is pretty late because we just finished our security testing. I created a role with the above transaction and tried to restrict by cost center group, but I can't restrict it by cost center group because the authorization object for cost center group (K_CSKS_SET) has two fields, ACTVT and controlling area (KOKRS), and we have only one controlling area. There is no field that can be used to restrict cost center group. I also ran a trace, and these two authorization objects are really executing: (K_REPO_CCA) & (K_CCA).
I can restrict it by cost centers but not cost center group. I have no idea how I can accomplish this request. They want to restrict by cost center group, not cost centers, and I don't have much choice in controlling area.
I read about variants but I'm not sure how it can be done by using a variant. Please help me.
It will be really appreciated.
Thank you so much
Faisal
01-29-2010 2:14 PM
Hi Faisal,
In object K_CCA field RESPAREA you can restrict it to cost centre groups. For this you need to check the group details from the FICO team. In KSH3 you can also check the cost centre group for particular controlling areas.
Cheers:)
01-29-2010 4:38 AM
Hi,
you can't restrict KSB1 by cost center groups. It's not supported. Unless you have a naming convention which you can use to identify cost center group from cost center. This report is using FM K_LINE_ITEMS_SELECT to get records so you can enhance this report for additional authorization checks using enhancement framework.
Cheers
01-29-2010 1:44 PM
Hi Faisal,
For the objects K_CCA and K_REPO_CCA, did you try making a restriction on the authorization hierarchies?
When you click on F4 in the "auth.Hier" tab you would get a list of cost centres and the cost centre groups in the hierarchy.
01-29-2010 3:18 PM
Thank you so much for all the feedback from you guys.
However, it's not working. I selected a cost center group using object K_CCA field RESPAREA. There are three tabs in this field: the first one is cost center, the second one is Authorization hier, and the last one is cost center group. I used only the cost center group tab and inserted the controlling area and the group that I want to give access to, but for some reason I can still view/execute different reports through KSB1.
Please tell me what else needs to be done to minimize the report by only cost center group.
Thanks again
Faisal
01-29-2010 5:35 PM
Hi Faisal,
Have you checked the user buffer SU56 for the cost centre object checked by KSB1? Maybe the user is getting the value from another profile having the cost centre for other areas than the restricted one.
Objects:
K_CCA
K_CSKB
K_CSKS
K_CSKS_SET
K_REPO_CCA
Check the value in the cost centre fields. Also confirm with the FI team whether the hierarchies are maintained correctly.
Check if this can solve the issue; also run the ST01 trace and check the trace report as well to check the object where the values are coming from.
Edited by: connecpk on Jan 29, 2010 7:28 PM
01-29-2010 6:44 PM
I really appreciate your reply. I'm testing only this role, which has the KSB1 transaction, so there is no other role assigned to this test ID. I'm testing with this KSB1 only.
Let me tell you what is happening. I'm using this authorization K_CCA, restricting cost center group by using this RESPAREA field. When I'm inserting the cost center group it's not working, but when I'm inserting cost centers that belong to the mentioned cost center group it's working for that cost center group. Basically it's working for cost centers, but there are so many cost centers in my controlling area, and I have only one controlling area.
In addition to the above authorization object I have some more auth objects that you already mentioned. I assigned * to the other cost center field (KOSTL), but still if I put the cost center group name in this field RESPAREA it is not showing any reports, but when I put some cost centers inside this field RESPAREA along with the cost center group it's working for that specific cost center group, because I inserted the same cost centers that were already grouped together in KSH3.
I'm not sure if this is possible. Please let me know if you are sure this can be done through this auth object K_CCA and in this field RESPAREA, because there is another auth object K_CSKS_SET that I checked first but there is no field to restrict cost center group.
Please let me know if anything else I can try
Thank you so much for your feedback
Faisal
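The workaround described in the post above (listing the group's own cost centers in RESPAREA) can be generated from an export of the group hierarchy. This is an added example, not part of any post in the thread; the group names, cost center numbers and function names are constructed, and it assumes the role field accepts from/to intervals and that cost center numbers are zero-padded to a fixed width.

```python
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed sample data: group -> sub-groups or cost centers (as listed in KSH3).
GROUPS: Dict[str, List[str]] = {
    "CC_SALES": ["CC_SALES_EU", "CC_SALES_US"],
    "CC_SALES_EU": ["0000100010", "0000100020", "0000100030"],
    "CC_SALES_US": ["0000100050", "0000200010"],
}
# Constructed: every cost center that exists in the single controlling area.
MASTER: List[str] = ["0000100010", "0000100020", "0000100030", "0000100040",
                     "0000100050", "0000100060", "0000200010"]

def leaf_cost_centers(group: str, groups: Dict[str, List[str]],
                      path: FrozenSet[str] = frozenset()) -> Set[str]:
    """Resolve a group to its cost centers, following nested sub-groups."""
    if group in path:
        raise ValueError(f"cycle in hierarchy at {group}")
    leaves: Set[str] = set()
    for child in groups[group]:
        if child in groups:
            leaves |= leaf_cost_centers(child, groups, path | {group})
        else:
            leaves.add(child)
    return leaves

def safe_ranges(members: Set[str], master: List[str]) -> List[Tuple[str, str]]:
    """Compress members into from/to intervals that never span an existing
    cost center outside the group, so the role is not over-authorized."""
    unknown = members - set(master)
    if unknown:
        raise ValueError(f"not in cost center master: {sorted(unknown)}")
    ranges: List[Tuple[str, str]] = []
    start = prev = None
    for cc in sorted(master):
        if cc in members:
            start = cc if start is None else start
            prev = cc
        elif start is not None:
            # A non-member lies between: close the interval before it.
            ranges.append((start, prev))
            start = None
    if start is not None:
        ranges.append((start, prev))
    return ranges

if __name__ == "__main__":
    for lo, hi in safe_ranges(leaf_cost_centers("CC_SALES", GROUPS), MASTER):
        print(lo, hi)
```

Values produced this way are static: they do not follow later changes to the group, and an interval also covers any cost center created inside it afterwards, so the list has to be regenerated and reviewed when the hierarchy or the master data changes.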
01-30-2010 7:15 AM
Hi Faisal,
Have you checked report suggested by Martin Voros ...
Edited by: connecpk on Feb 1, 2010 12:24 PM
02-14-2010 10:52 PM
Hi guys,
I posted this thread about two weeks ago and I haven't found anything that will fulfill my requirement. I have been trying to figure out if I can restrict cost center group through KSB1. I also created a SAP request (OSS note) to find out why I can't restrict cost center group. However, SAP also didn't give me a clear-cut answer; they sent me the note that has all kinds of information about cost center authorization.
I just received a SAP note (0000031608) from my functional team and I guess it has a solution, because it explains that you can create an Authorization Group through (KSH2) for each cost center group, and that authorization group will be inserted into this authorization object (G_800S_GSE) for each cost center group. I'll have each role restrict each cost center group.
Please, can someone tell me if this can be some kind of solution for my problem, or is this not going to work? As far as I know we can restrict by auth group, as we usually restrict by auth group for any FI activity.
Please give me your feedback.
Thanks
Faisal
Edited by: Faisal on Feb 14, 2010 11:55 PM
02-15-2010 8:23 AM
You might be interested in SAP note 698401 (https://websmp230.sap-ag.de/sap%28bD1lbiZjPTAwMQ==%29/bc/bsp/spn/sapnotes/index2.htm?numm=698401), which explains how you can use table KBEROBJ to configure the RESPAREA field to maintain authorization on different cost/profit center hierarchy levels.
If configured correctly, you can maintain authorizations on cost/profit center group level.
09-02-2010 12:16 PM