Solved: Variable Authorizations for Cost elements (K_REPO_...

Former Member · ‎07-06-2006

Hi everybody.

I have a doubt regarding the posible options for an authorization on object K_REPO_CCA. Our system is R/3 version 5.0. Is it possible to create a variable, "$COST_ELEMENT" for example, and fill the values dinamically by a user_exit or maybe a z-program that reads in a Z-table??

Did you know if this is possible?? If yes, do you know the user-exit??

Many thanks and best regards.

Ismael Bermúdez

Former Member · ‎07-07-2006

Hi Ismael,

if I understand you right, you try to give dynamic authorizations to the object K_REPO_CCA.

Changing a authorization in a profile on runtime will not have any effect to any logged in user, because all authorizations are buffered during login. Of course, the change will have effect, if the user logges in after the change, but then it will have affect for all users!

As you see, "dynamic" authorizations are not a feature of SAP authorization concept. Having "dynamic" authorizations is only possible in HR.

Could you please explain the business need for changing cost elements. May be a change in the overall authorization concept would solve you problem.

Regards,

Michael Altmaier

Former Member · ‎07-07-2006

Hi Ismael,

if I understand you right, you try to give dynamic authorizations to the object K_REPO_CCA.

Changing a authorization in a profile on runtime will not have any effect to any logged in user, because all authorizations are buffered during login. Of course, the change will have effect, if the user logges in after the change, but then it will have affect for all users!

As you see, "dynamic" authorizations are not a feature of SAP authorization concept. Having "dynamic" authorizations is only possible in HR.

Could you please explain the business need for changing cost elements. May be a change in the overall authorization concept would solve you problem.

Regards,

Michael Altmaier

Former Member · ‎07-07-2006

Technically, you can do it at your release level.

See OSS 452904.

Regards, Julius

Former Member · ‎07-11-2006

Hi all:

Many thanks for your replies. The bussiness situation is as follows:

Each user can only see a list of Cost Elements in some Cost Centers (as is especified in auth object K_REPO_CCA). The matter is that this list of Cost Elements and Cost Centers is updated every day in a Z table. We would like to use that info in order to "update" the roles or profiles every night automatically.

Do you know any function or report that generates profiles or roles (from a table)?

Thanks in advance and best regards,

Ismael

Former Member · ‎07-12-2006

It being a Z table, you will need a Z program.

Look in transaction BAPI for a released function for updating the roles or profiles with the values in your table.

Also see OSS 489887 as such daily changes could well cause phantoms in the construct of the various user tables.

brgs,

Julius

PS: Will your Z table be in your development system?...

Former Member · ‎07-14-2006

Hi Ismael,

I am not 100% sure right now for K_REPO_CCA, however, for K_CCA and K_PCA there are user exits designed for enhancing the security available in these areas.

The user exits are PCAAUTHO and COCCA001. COCCA002 may also be interesting.

You can add your own code to add any checks you want, and have it as dynamic as you want. In fact at a client we determined the authorised cost centres at run time based on the users mapping to the HR org structure.

Remember this is an additional check not a replacement. If you want it to be a replacement you will need to change the setting of the object in SU24 or define * for all the fields in the object.

Regards

Peter

Former Member · ‎11-09-2006

Hi,

I would be really interested to find out more about what you did here.

"<i>In fact at a client we determined the authorised cost centres at run time based on the users mapping to the HR org structure."</i>

This sounds like exactly what we need at our organisation. We are a large company with around 40000 staff and have the following business requirement.

******

- Cost centre reporting is expected to be hierarchical in nature but current Cost Centre structure in Australia is flat in structure.[/li]

- Natural hierarchies already exist within the NAB by organisational structure: Total Company, Business, Zone, Region, Area and Branch.

- As a high level requirement, cost centre data should only be available to the manager of the organisational unit that they are managing and any lower level organisational units. Managers should only be able to view their organisational unit costs or lower organisational unit costs. They should not be able to view cost centre data across structures (peer organisational units) or higher levels of responsibilities (parent organisational units).

- The ability to access cost centre reporting data should take into account HR delegations and substitution processes. This also needs to take into account the granting of the correct authority to the delegated person to run reports.

- One possible option is to utilise the A250 Cost Centre Manager relationship in SAP to facilitate the security for cost centre reports.

******

I will be handling these requirements from a security perspective and would liike to achieve this without creating hundreds of roles and a maintenance nightmare.

A finance version of structural authorisations would be good

Any input would be greatly appreciated.

Barb

Former Member · ‎01-08-2009

Dear Peter,

I need to check the cost center when i'm using t-code KB61 or any actual posting. I found the user exit COCCA002 but I have a big problem. I don' t know how to add the command on this user exit. So, I need your help. Please suggest me how to check and how to discuss with apaber.

Thank you in advance.

Regards,

Ratchanee

Variable Authorizations for Cost elements (K_REPO_CCA)