07-17-2013 4:27 PM
Hello SAP Security Experts,
We are considering making Profit Center an organizational level in PFCG. Specifically, we need RESPAREA to be made an org level to derive roles based on profit center groups and/or profit center hierarchy nodes in object K_PCA. I have created org levels many times in the past and am fluent with SAP Note 727536.
Has anyone done this in the past for the field RESPAREA? If so, can you provide feedback if it worked well? One issue I see is that objects K_PCA (for profit centers) and K_CCA (for cost centers) leverage the same field but would have different values.
Any feedback is greatly appreciated!
Warm Regards,
Joe Klein
07-23-2013 7:09 PM
Some additional details. I just read note 565436 and it appears that you have to define which tabs are displayed in the event that you make RESPAREA an org level. I see that you do this by marking the first field (object) as blank and then specify all of the tabs to be displayed in table KBEROBJ.
So my only concern is if transactions pull in multiple objects with RESPAREA. I want to limit by K_PCA and specific profit centers. However, I want K_CCA, for cost center, to have full RESPAREA access. If this doable? Are there a lot of transactions that call multiple objects with the same RESPAREA field?
Thanks again.
Regards,
Joe
07-22-2013 5:29 AM
07-22-2013 9:46 AM
Hi,
I've done this plenty of times for RESPAREA and it works well (if it is aligned with your design).
You must follow the note that Martin has specified otherwise it will not work.
Cheers
07-23-2013 6:48 PM
Thank you Martin and Alex. Yes, I have read note 698401 previously.
I am most concerned about the cross-pollination of values in other objects that use field RESPAREA. In other words, what if I have both objects K_PCA for profit center and K_CCA for cost center, whihc use RESPAREA?
I see that table KBEROBJ (mentioned in OSS note 698401) has different tabs for different objects. If I populate KN (Cost center group) populated for K_CCA and PC (Profit center) populated for K_PCA, what will happen? Will both values show up in both objects or will only the tabs documented in table KBEROBJ be populated for each respective object?
Thank you again for your feedback. I really appreciate it!!!
Warm Regards,
Joe Klein
07-23-2013 7:09 PM
Some additional details. I just read note 565436 and it appears that you have to define which tabs are displayed in the event that you make RESPAREA an org level. I see that you do this by marking the first field (object) as blank and then specify all of the tabs to be displayed in table KBEROBJ.
So my only concern is if transactions pull in multiple objects with RESPAREA. I want to limit by K_PCA and specific profit centers. However, I want K_CCA, for cost center, to have full RESPAREA access. If this doable? Are there a lot of transactions that call multiple objects with the same RESPAREA field?
Thanks again.
Regards,
Joe
07-25-2013 1:49 PM
Hi Joe,
Q: In other words, what if I have both objects K_PCA for profit center and K_CCA for cost center, whihc use RESPAREA?
A: When you enter the values they are prefixed with the object type e.g. PC for profit centre, KS for cost centre, therefore only the relevant ones can be used for K_PCA, K_CCA, K_ORDER etc. Your profit centre values will not apply to your cost centres.
Q: Will both values show up in both objects or will only the tabs documented in table KBEROBJ be populated for each respective object?
A: The latter.
Hope that helps.
Cheers
07-25-2013 7:41 PM
Hi Alex,
Thank you again for your response. I have just tested out this solution in our ECC 6.0 system with Enhancement Pack 4 and this is what I found:
KN Cost center group
KS Cost center
HI Cost center standard hierarchy nodes OR Order
BP Business process
BH Business process nodes
PC Profit center
PH Profit center nodes
So profit centers and cost centers are listed in both objects for authorization element RESPAREA. The question is this: Do we not care because the cost center prefixes will be disregarded in profit center authorizations and vice versa?
Thanks again for your feedback!!!
Warm Regards,
Joe Klein
07-25-2013 8:39 PM
Hi Alex
We tried promoting this field using entries in a table (can't remember off-hand but we put an X in all of the fields)
It works fine.. as long as (as you said) your design allows for it.
After promotion we found that the roles now amalgamated the individual field values into one org level component thus losing the granularity it had at object level.
Reversing the promotion left us with the same amalgamated values but now in the separate auth objects rather than restoring the individual values.
Cheers
David
07-26-2013 9:13 AM
Hi David,
That is an unfortunate side effect. Once you do have it sorted then it works very well if your design requires it.
Cheers
07-28-2013 10:04 PM
Hi Joe,
On point 7 - apologies, I misunderstood your original question - I got mixed up between the tabs presented. Only the relevant ranges will be used as the prefix (e.g. KS, HI) is used to differentiate the values/ranges for the relevant objects. If you get your PC ranges/values for your CC's then there is a problem which should be escalated for SAP.
Cheers
07-29-2013 2:49 PM
Hi Alex,
Just to clarify, the correct prefixes are populating in the authorizations. By this I mean that if I maintain a Cost Center, the KS prefix is added. If I maintain a Profit Center, a PC prefix is added.
The issue that I have is that both authorizations (the one with the KS and PC prefixes) are populated in the both the K_CCA and K_PCA authorization objects. However, being that it is now an org level and org levels populate the same data element across all objects, I think this is probably just the way it works.
First, this might not even be an issue because I have not yet seen a task-based role scenario in which both objects (K_CCA and K_PCA) are in the same task-based role. I am just being extra cautious and anticipating how the system will react in the event that both auth objects are in a role and both prefixed values are in both objects.
My assumption is that if K_CCA will have the Profit Center (PC) authorization, it will be disregarded because the auth checks will not be looking for that prefix in that object. Likewise for Profit Center K_PCA in which the KS authorization will be disregarded because the auth check will only be looking for the profit center prefixes.
Do you concur with my assessment?
Thank you so much for your help. I have learned a lot about this unique security scenario!
Warm Regards,
Joe Klein
07-30-2013 10:18 AM
Hi Joe, I concur with your assessment, it will only pick up the relevant ranges