Problem is that even with org level restrictions users can still see GL, PO, Internal Orders outside their Cost Centre

Hi again Wanderer!

In fact I don't know your HR design, but the idea is that you play with some kind of structural authorizations as it is explained in note 902000 and specially its attachment Context_Sensitive_Authorization.pdf.

I usually found note 1261193 also useful...

Good luck!

-Jesú

...er no.

HR is not being implemented.

Context sensitive authorisations is not a solution to the question of restricting the display of G/L accounts, PO, Internal Order data by Cost Centre.

Problem is that we have 30 local offices where cost centre is key. Problem is that these local offices must see only their own data through GL, IO, Invoice, purchasing.

Not obvious why this is not working.

You mean Auth Groups, Purch Groups should allow this restiction?

My previous client had a similar structure where they the data was restricted based on profit center and cost center. So we had a similar problem. On the BI side we were able to restrict based on profit and cost center hierarchy (0PPROFITCENTER). But for ECC the restriction was possible mostly on reporting transactions that used the object K_CCA and K_PCA K_ORDER (internal orders). the field RESPAREA allows you to input the cost center values (for object K_CCA) and profit center values (for K_PCA) for which the user is autorized. It worked well for reporting transactions like FAGLL03 and FAGLB03.

But the field KOSTL (cost center) is mainly available in CO objects not FI. So difficult to restrict on FI transactions. For GL accounts, we used authorizations groups to restrict access (display / posting access). For this the check on auth groups is activated in transaction OBD4 and then the auth group assignment is done in FS00 for each account. you can create auth groups refering to FI objects in TBRG table - field BRGRU (as opposed to S_TABU_DIS).

This is as far as we could go using standard objects. Otherwise your only option, as the others have suggested, is user exits and / or custom authorization objects with the KOSTL field to filter records.

Hope this helps...

Regards,

Prashant

Thanks Prashant - I will look at this approach next week.

Is attaching the CO objects that you mention to the FI transactions in SU24 likely to be a sensible and effective approach?

You say you used auth groups to restrict GL Account groups, would this also be effective for POs and IOs?

Was the approach you described high maintenance post Go Live?

Hello,

Let us be very clear on the function of SU24 (USOBX_C and USOBT_C) first. We only maintain proposals (relationship) between a transaction and an auth object in so far as an object (and the defined field values) is added in the authorizations area when a transaction is added to the menu in a role. Just because we link and object to a transaction in SU24 does not men that the check will happen on that object when the transaction is executed.

For a check to happen on an authorization object while executing a tranaction, the underlying program code should include the check on the object. Since the standard SAP code does not fulfill your requirements for check on cost centers, the others in this forum thread have been suggesting user exits where the additional code can be written in function modules. But the feasibilty of finding an appropriate user exit needs to be worked out by your ABAP prgrammer. And in your case, we are looking at a considerable work load.

and about the internal orders and PO's i am not very sure. I found the object K_ORDER (class CO) for internal orders but couldn't find much detail. i'll get back if i can ferret out more

Something for you to think about...

Regards,

Prashant

You mean map cost centre to different auth objects?

How is this done?

You mean by using auth groups?