Solved: Using Profit Center as an Org Level in PFCG

Former Member · ‎07-17-2013

Hello SAP Security Experts,

We are considering making Profit Center an organizational level in PFCG. Specifically, we need RESPAREA to be made an org level to derive roles based on profit center groups and/or profit center hierarchy nodes in object K_PCA. I have created org levels many times in the past and am fluent with SAP Note 727536.

Has anyone done this in the past for the field RESPAREA? If so, can you provide feedback if it worked well? One issue I see is that objects K_PCA (for profit centers) and K_CCA (for cost centers) leverage the same field but would have different values.

Any feedback is greatly appreciated!

Warm Regards,
Joe Klein

Former Member · ‎07-23-2013

Some additional details. I just read note 565436 and it appears that you have to define which tabs are displayed in the event that you make RESPAREA an org level. I see that you do this by marking the first field (object) as blank and then specify all of the tabs to be displayed in table KBEROBJ.

So my only concern is if transactions pull in multiple objects with RESPAREA. I want to limit by K_PCA and specific profit centers. However, I want K_CCA, for cost center, to have full RESPAREA access. If this doable? Are there a lot of transactions that call multiple objects with the same RESPAREA field?

Thanks again.

Regards,

Joe

mvoros · ‎07-22-2013

Hi,

for the field RESPAREA check note 698401. Just existence of this note tells you that some customers have done it before.

Cheers

Former Member · ‎07-22-2013

Hi,

I've done this plenty of times for RESPAREA and it works well (if it is aligned with your design).

You must follow the note that Martin has specified otherwise it will not work.

Cheers

Former Member · ‎07-23-2013

Thank you Martin and Alex. Yes, I have read note 698401 previously.

I am most concerned about the cross-pollination of values in other objects that use field RESPAREA. In other words, what if I have both objects K_PCA for profit center and K_CCA for cost center, whihc use RESPAREA?

I see that table KBEROBJ (mentioned in OSS note 698401) has different tabs for different objects. If I populate KN (Cost center group) populated for K_CCA and PC (Profit center) populated for K_PCA, what will happen? Will both values show up in both objects or will only the tabs documented in table KBEROBJ be populated for each respective object?

Thank you again for your feedback. I really appreciate it!!!

Warm Regards,

Joe Klein

Former Member · ‎07-23-2013

Some additional details. I just read note 565436 and it appears that you have to define which tabs are displayed in the event that you make RESPAREA an org level. I see that you do this by marking the first field (object) as blank and then specify all of the tabs to be displayed in table KBEROBJ.

So my only concern is if transactions pull in multiple objects with RESPAREA. I want to limit by K_PCA and specific profit centers. However, I want K_CCA, for cost center, to have full RESPAREA access. If this doable? Are there a lot of transactions that call multiple objects with the same RESPAREA field?

Thanks again.

Regards,

Joe

Former Member · ‎07-25-2013

Hi Joe,

Q: In other words, what if I have both objects K_PCA for profit center and K_CCA for cost center, whihc use RESPAREA?

A: When you enter the values they are prefixed with the object type e.g. PC for profit centre, KS for cost centre, therefore only the relevant ones can be used for K_PCA, K_CCA, K_ORDER etc. Your profit centre values will not apply to your cost centres.

Q: Will both values show up in both objects or will only the tabs documented in table KBEROBJ be populated for each respective object?

A: The latter.

Hope that helps.

Cheers

Former Member · ‎07-25-2013

Hi Alex,

Thank you again for your response. I have just tested out this solution in our ECC 6.0 system with Enhancement Pack 4 and this is what I found:

I created a role with K_CCA and K_PCA authorization objects.
I turned on RESPAREA as an org level via PFCG_ORGFIELD_CREATE.
Checked table KBEROBJ and added 1 additional entry in which ‘OBJECT’ is blank per OSS notes 698401 and 565436.
Went back to role and it now has RESPAREA as an org level.
I could maintain the authorizations based on the tabs I documented in table KBEROBJ.
I maintained a Profit Center as an org level and it was added to both objects. A ‘PC’ prefix was added to both authorizations and corresponds with the tab in the Org Level.
Regardless of if you maintain cost center or profit center, it populates both authorizations. However, the prefix for each authorization is based on the tab used including:

KN Cost center group

KS Cost center

HI Cost center standard hierarchy nodes OR Order

BP Business process

BH Business process nodes

PC Profit center

PH Profit center nodes

So profit centers and cost centers are listed in both objects for authorization element RESPAREA. The question is this: Do we not care because the cost center prefixes will be disregarded in profit center authorizations and vice versa?

Thanks again for your feedback!!!

Warm Regards,

Joe Klein

Former Member · ‎07-25-2013

Hi Alex

We tried promoting this field using entries in a table (can't remember off-hand but we put an X in all of the fields)

It works fine.. as long as (as you said) your design allows for it.

After promotion we found that the roles now amalgamated the individual field values into one org level component thus losing the granularity it had at object level.

Reversing the promotion left us with the same amalgamated values but now in the separate auth objects rather than restoring the individual values.

Cheers

David

Former Member · ‎07-26-2013

Hi David,

That is an unfortunate side effect. Once you do have it sorted then it works very well if your design requires it.

Cheers

Former Member · ‎07-28-2013

Hi Joe,

On point 7 - apologies, I misunderstood your original question - I got mixed up between the tabs presented. Only the relevant ranges will be used as the prefix (e.g. KS, HI) is used to differentiate the values/ranges for the relevant objects. If you get your PC ranges/values for your CC's then there is a problem which should be escalated for SAP.

Cheers

Former Member · ‎07-29-2013

Hi Alex,

Just to clarify, the correct prefixes are populating in the authorizations. By this I mean that if I maintain a Cost Center, the KS prefix is added. If I maintain a Profit Center, a PC prefix is added.

The issue that I have is that both authorizations (the one with the KS and PC prefixes) are populated in the both the K_CCA and K_PCA authorization objects. However, being that it is now an org level and org levels populate the same data element across all objects, I think this is probably just the way it works.

First, this might not even be an issue because I have not yet seen a task-based role scenario in which both objects (K_CCA and K_PCA) are in the same task-based role. I am just being extra cautious and anticipating how the system will react in the event that both auth objects are in a role and both prefixed values are in both objects.

My assumption is that if K_CCA will have the Profit Center (PC) authorization, it will be disregarded because the auth checks will not be looking for that prefix in that object. Likewise for Profit Center K_PCA in which the KS authorization will be disregarded because the auth check will only be looking for the profit center prefixes.

Do you concur with my assessment?

Thank you so much for your help. I have learned a lot about this unique security scenario!

Warm Regards,

Joe Klein

Former Member · ‎07-30-2013

Hi Joe, I concur with your assessment, it will only pick up the relevant ranges