Cost Center Security

Former Member

I've been tasked with defining a sustainable security scheme around my client's current cost center design. The issue here is that their cost center assignments are very fluid, changing on a regular basis. There are several groupings of cost centers that relate to each company code. The total number of cost centers is very high. The persons responsible for a given cost center change often as well.

The client wants to use a handful of delivered SAP reports to review different aspects of a given cost center. Though someone outside of a given cost center should not be able to view it, etc.

The approach that I would normally take would be to define derived roles and make the assignments accordingly. Under these circumstances I do not think that the derived role approach is feasible. Can anyone provide any fresh ideas on this topic?

Thanks in advance


Former Member

We have a design that will reduce the total number of roles, making it a bit easier to maintain, but it will require a lot of negative testing because it will give users more auth.

The design is to inactivate any authorization objects that contain the cost center field in all the roles. Create new roles that only contain the auth objects you just inactivated, with the cost center field value combinations according to how your company wants to restrict them. The end users will require both roles.

The advantage of the design is, let's say you have 10 roles that provide functional access, and you have 20 combinations of cost centers you want to restrict. With the derived model, you will need 10 x 20 = 200 roles. With the design I just explained, you only need 10 + 20 = 30 roles.

The drawback is that the roles that provide the cost center auth objects will have more auth objects than the functional access roles need. So you might give the users more access; that is why negative testing will be very important in this design.

You can contact me thru tsehun.lye@gmail.com if need more detail.

Good luck.

Lye

Former Member

Dear Michael,

You should probably decide whether it would be better to change the cost center hierarchy, considering the derived costs of maintaining multiple roles. It will of course depend on how the support organization is controlled and what change management procedures are required, but in many cases it has been cheaper to do that in order to avoid the derived costs of changing roles frequently.

As mentioned in an earlier post, I would recommend creating "Add On" roles containing the objects you have deactivated in the main roles. You can specify in K_CCA restrictions based on hierarchies, cost centers, etc.; therefore, maybe you can create an add on for the particular nodes, and each time an additional requirement is raised, you just copy any previous role, only changing the corresponding value. You could even create add on roles that differentiate between "change" and "display" functionalities, or even add K_ORDER to them, in order to also restrict the access to internal orders. Also please consider that maybe users need to access master data without restrictions, so probably you'll need to add two authorizations, taking into consideration the available activities in the objects.

I don't think you may need extensive testing for that, only at the beginning to be sure that you're contemplating the right objects.

By the way, it may also help to let users know how much security changes cost the organization or how much can be saved, so they can approach cost center assignment more responsibly.

I hope it helps.

Regards,

Fernando
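The two replies above describe the same idea from different angles: Lye's "functional role + cost-center role" split cuts the role count from 10 x 20 to 10 + 20 but can hand users activities their functional role never granted, and Fernando's suggestion of separate "display" and "change" add-on roles is one way to close that gap. The following Python model is an added example written for this page, not code from the thread or from SAP. It mimics the union semantics of SAP authorization checks (all authorizations from all assigned roles are pooled, and an AUTHORITY-CHECK succeeds if any single authorization for the object covers every required field value), with constructed role names and values (Z_CO_DISPLAY, Z_CC_1000, cost centers 1000/1001, and so on) that are illustrative only. It then runs the kind of negative test Lye recommends against each design.

```python
# Added example: toy model of SAP authorization checks used to compare
# the derived-role design with the "functional role + add-on role" design
# and to show why the add-on design needs negative testing.
# Role names and field values are constructed for illustration only.

from dataclasses import dataclass


@dataclass(frozen=True)
class Auth:
    """One authorization: an object plus the allowed values per field."""
    obj: str
    fields: tuple  # ((field_name, frozenset_of_values), ...), sorted


def auth(obj, **fields):
    return Auth(obj, tuple(sorted((k, frozenset(v)) for k, v in fields.items())))


def effective_auths(user_roles, role_defs):
    """A user's authorizations are the union over all assigned roles."""
    auths = set()
    for role in user_roles:
        auths |= role_defs[role]
    return auths


def authority_check(auths, obj, **required):
    """Mimic AUTHORITY-CHECK: pass if one authorization for the object
    contains every required field value."""
    for a in auths:
        if a.obj != obj:
            continue
        fmap = dict(a.fields)
        if all(required[f] in fmap.get(f, ()) for f in required):
            return True
    return False


# Derived-role design: one role per (function, cost-center group).
DERIVED = {
    "Z_CO_DISPLAY_CC1000": {
        auth("S_TCODE", TCD={"KS03"}),
        auth("K_CCA", ACTVT={"03"}, KOSTL={"1000", "1001"}),
    },
    "Z_CO_CHANGE_CC1000": {
        auth("S_TCODE", TCD={"KS02"}),
        auth("K_CCA", ACTVT={"02", "03"}, KOSTL={"1000", "1001"}),
    },
}

# Add-on design: K_CCA is inactivated in the functional roles and carried
# by one role per cost-center group. A single add-on must hold the widest
# activity set any functional role needs, so display users receive "02".
ADDON = {
    "Z_CO_DISPLAY": {auth("S_TCODE", TCD={"KS03"})},
    "Z_CO_CHANGE": {auth("S_TCODE", TCD={"KS02"})},
    "Z_CC_1000": {auth("K_CCA", ACTVT={"02", "03"}, KOSTL={"1000", "1001"})},
    # Fernando's variant: separate display and change add-ons per group.
    "Z_CC_1000_DISP": {auth("K_CCA", ACTVT={"03"}, KOSTL={"1000", "1001"})},
}


def role_count(n_functional, n_cc_groups, design):
    """Roles to build and maintain under each design (Lye's arithmetic)."""
    if design == "derived":
        return n_functional * n_cc_groups
    if design == "addon":
        return n_functional + n_cc_groups
    raise ValueError(design)


def unexpected_passes(user_roles, role_defs, forbidden):
    """Negative test: return the checks this user passes but must not.
    `forbidden` is a list of (object, {field: value}) pairs."""
    auths = effective_auths(user_roles, role_defs)
    return [(obj, req) for obj, req in forbidden if authority_check(auths, obj, **req)]


# A display-only user for group 1000 must fail a change check and any
# check on a cost center outside the group.
FORBIDDEN_FOR_DISPLAY_USER = [
    ("K_CCA", {"ACTVT": "02", "KOSTL": "1000"}),
    ("K_CCA", {"ACTVT": "03", "KOSTL": "2000"}),
]

if __name__ == "__main__":
    print(role_count(10, 20, "derived"), role_count(10, 20, "addon"))
    print(unexpected_passes(["Z_CO_DISPLAY_CC1000"], DERIVED, FORBIDDEN_FOR_DISPLAY_USER))
    print(unexpected_passes(["Z_CO_DISPLAY", "Z_CC_1000"], ADDON, FORBIDDEN_FOR_DISPLAY_USER))
    print(unexpected_passes(["Z_CO_DISPLAY", "Z_CC_1000_DISP"], ADDON, FORBIDDEN_FOR_DISPLAY_USER))
```

Running it shows the trade-off both replies describe: the derived role passes the negative test, the shared add-on lets the display user pass a K_CCA change check for cost center 1000 (the user still lacks S_TCODE for KS02, but any transaction already in the display role that checks K_CCA with activity 02 is now open), and splitting the add-on into display and change variants removes the unexpected pass at the cost of more roles per group.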