Authorization check by Cost centers

Hello all,
I developed a report in Report Painter and the requirement is that the users be able to run it only for their own CCtrs - challenge is that we are trying to not use variants, custom transactions and also modifying / checking authorization at at SU01 level.
Is there any other way to do this and if yes can you pls provide some details.
Thanks,
Richa

hi richa,
Authorizations with Variables
Definition
Instead of using a single value or interval, you can also use variables in authorizations. The Customer Exit is called up for these variables while the authorization check is running. The call is carried out with I_STEP = 0. The intervals of characteristic values or hierarchies for which the user is authorized can be returned here. By doing this, the maintenance load for authorizations and profiles can be reduced significantly.
Every cost center manager should only be allowed to evaluate data for his/her cost center. Within the SAP authorization standard, a role or a profile with the authorization for the InfoObject 0COSTCENTER equal to XXXX (XXXX stands for the particular cost center) would have to be made for every cost center manager X. This then has to be entered in the user master record for the cost center manager.
Using variables reduces the authorization maintenance workload with the InfoObject 0COSTCENTER equal to $VARCOST, as well as with the role or the profile, which is maintained for all cost center managers. The value of the variable VARCOST is then set for runtime during the authorization check by the CUSTOMER-EXIT RSR00001.
Maintaining the authorizations restricts the entries for the values to the length of the existing InfoObject. It is possible, however, to use both limits of the interval. In the example 0COSTCENTER with 4 spaces, the variable VARCOST is, therefore, entered as $VAR COST.
There is a buffer for these variables. If this buffer is switched on, the customer exit is only called up once for a variable with the authorization check. In doing so, you avoid calling up the customer exit for variables over and over, as well as decreasing performance. If you want to call up the customer exit each time, you have to deactivate this buffer in the Setting Up Reporting Authorizations. To do this, go to the main menu and choose Extras ® Compatibility ® Buffer for Variables (Customer-Exit) ® Deactivate..
You can also call up the customer exit for authorizations for hierarchies. There are two ways to do this:
       1.      Enter the variable in the authorization for characteristic 0TCTAUTHH. The customer exit is then called up while the authorization check is running. In the LOW fields of the return table E_T_RANGE, the system anticipates the technical name for the hierarchy authorization that you specified in the authorization maintenance (transaction RSSM).
As a result, all parameters are available for such an authorization. Nevertheless, you must also create a new definition for each node.
       2.      Where many authorizations differ from an authorization for a hierarchy only in respect to the nodes and not to the other authorizations, we suggest the following solution: Different users can be authorized for a specific hierarchy area (subtree). The highest node is different for each user.
Do this by creating an authorization for a hierarchy in the transaction RSSM and enter this in the authorization or role. Instead of specifying a particular node, you specify the variable in the authorization maintenance (transaction RSSM). The customer exit is then called up for the node while the authorization check is running. The return table E_T_RANGE must be filled according to the customer exit documentation (nodes in the LOW field, InfoObject of the node in the HIGH field
Setting Up Reporting Authorizations
Use
Before you are able to set up reporting authorizations, you have to create authorization objects.
As soon as an authorization object is saved, it can be checked when a query is run. The user may not have the appropriate authorizations if he or she has not yet been assigned this authorization object.
Only when the user has been assigned the appropriate authorizations can he/she define and execute a query or navigate in an existing query.
If in the query a characteristic value or a node is excluded, a complete authorization check * is required.
Procedure
Creating an authorization object
       1.      In the SAP Easy Access initial screen of the SAP Business Information Warehouse, choose the path SAP Menu ® Business Explorer ® Authorizations ® Reporting Authorization Objects.
       2.      Choose Authorization Object ® Create. Give the authorization object a technical name and a regular name. Save your entries.
       3.      On the right-hand side of the screen, an overview of all the InfoObjects that are authorization-relevant is displayed.
Only those characteristics that have been flagged as authorization-relevant previously in the InfoObject maintenance screen can be assigned as fields for an authorization object. See also: Creating InfoObjects: Characteristics
       4.      Assign the InfoObject fields to the authorization object:
¡        Select the characteristics for which you want an authorization check of the selection conditions to be carried out.
¡        Select the InfoObject key figure (1KYFNM) if you want to restrict the authorization to a single key figure.
¡        Select the InfoObject (0TCTAUTHH) if you want to check authorizations for a hierarchy.
¡        Include the authorization field activity (ACTVT) in the authorization object if you want to check authorizations for documents.
       5.      Save your entries.
       6.      Go back to the initial screen of the authorization maintenance.
       7.      Choose Check for InfoProviders ® Display to get a list of the InfoProviders that contain the InfoObjects that you selected and are therefore subject to an authorization check (where-used list). In the change mode you can exclude individual InfoProviders from the authorization check for this authorization object by removing the flag.
Authorization object:           S_RSRSAREA
Name:                   Sales area
Fields:                         DIVISION, CUSTGROUP, 1KYFNM
Creating authorizations
Authorizations are created and maintained in the role maintenance screens.
       1.      Choose Authorizations ® Roles ® Change.
       2.      Specify the roles that you want to change and choose Change. This takes you to the role maintenance screen.
       3.      On the Authorizations tabstrip, choose the Expert mode for generating profiles option.
       4.      Choose the Enter Authorization Objects Manually option, and specify the objects that you require. Choose Enter. The authorization object is added to the role.
       5.      Choose Generate.
For more information, see Changing and Assigning Roles.
Result
The user is now able to work with queries
Authorizations to Work with a Query
Use
Authorizations to work with a query are first checked in the dialog box to open a query.
Furthermore, when a query is opened, the authorizations for the individual objects are checked.
See also: Authorization Check When Executing a Query..
Structure
Check in the Open Dialog Box:
When you open a query, you will see four buttons in the dialog box. The History, Favorites and Roles buttons only display your own queries and those queries intended for you per role definition.
The InfoAreas button enables you to look at all queries for which the user has display authorization. If this display authorization is not restricted to queries, the user will see all available queries in the system here. It is possible to hide the InfoAreas button if you do not want the user to see all queries in the system. The authorization object S_RS_FOLD with the field SUP_FOLDER can be used here. In order to hide the InfoArea button, set this field to X when authorizing, otherwise leave the field blank or set it to * (asterisk all authorizations).. The button will be displayed if the authorization check fails.
Authorizations by User
It is also possible to make queries from particular users (= OWNER = query creator) available to other users (= USER) for display or processing. The authorization object S_RS_COMP1 with four fields (COMPID, COMPTYPE, OWNER, ACTVT) is used here.
You can grant this authorization to a particular team or use the variable $USER to give all users the authorization for queries that they created themselves. $USER is replaced by the corresponding user name during the authorization check.
See also the Example for Reporting Authorizations.
Authorizations for the BEx Broadcaster
Using the authorization object S_RS_BCS, you can determine which user is allowed to register broadcasting settings for execution and in which way.
Note:
·        The only authorization necessary for the online execution of broadcasting settings is the authorization for the execution of the underlying reporting objects (for example, the Web template).
·        Every user that has authorization to create background jobs also has authorization for direct scheduling in the background.
·        If you need to work under the name of another user to execute broadcast settings (for example with user-specific precalculations), the authorization object S_BTCH_NAM for background scheduling is also required for the other user. For more information, see Authorizations for Background Processing and Definition of Users for Background Processing
Authorizations for Selection Criteria
Definition
The selection criteria of a query determine which data can be displayed after you have entered it in a workbook.
An authorization check for certain InfoObjects only takes place if an authorization object with this InfoObject was already created in the authorization object class Business Information Warehouse.
As soon as an authorization object is created, only authorized users can select query data.
Use
To decide whether a user should be authorized to work with a query, you should check whether authorization has been given to him/her for all selection criteria.
Essential to the authorization of selection criteria is the authorization object S_RS_ICUBE.
Definitions of authorizations for working with certain InfoCubes must be transported separately.
See: Transporting Additional Information
In general, it is not sufficient to give authorizations for individual InfoObjects (characteristics and key figures), or to check them separately from one another. It more usual that specific authorizations should be given for combinations of characteristics and key figures.
It is therefore feasible that a "Sales Manager" is allowed to view the respective total sales figures for all sales areas, but is only authorized to break down "his/her" area (0001) according to the individual sales personnel. In this case, the following authorizations, which are grouped together, would be created and assigned.
Sales area = *
Sales personnel = :
Key figure = Sales figures
(: represents the authorization to view the values aggregated with the characteristic.
Sales area = 0001
Sales personnel = *
Key figure = Sales figures
The user frequently uses these "multidimensional" authorities in companies that are regional as well as product-oriented (matrix organization). In this way, you could arrange for the person responsible for the combination of a certain division and a certain sales area to have the exact authorization for the output of the relevant values, without him/her necessarily also having access to the data for the whole division or the whole sales area.
Authorizations for the Query Definition
Authorizations can be granted for the following objects for the query definition in the Business Explorer:
The entire query
Structures
Calculated key figures
Restricted key figures
Variables
The activities for the query definition are specified in the authorization object S_RS_COMP (Business Explorer - components). The authorization object has the following fields: InfoArea, InfoCube, component type, component name and activity.
The following values are possible for the component type:
REP: Entire query
STR: Structure
CKF: Calculated key figure
RKF: Restricted key figure
VAR: Variables
By specifying an InfoArea or an InfoCube, you can further restrict the component types. By specifying a component name, you can specify the authorization for individual components in more detail. Components that begin with 0 are delivered by SAP and cannot be changed. Components that are within the customer name range must begin with a letter of the alphabet.
Valid activities are:
01 (create)
02 (change)
03 (display)
06 (delete)
At the moment, activities 16 (Execute) and 22 (Save for Reuse) are not checked for the query definition.
User A is allowed to create, change or delete queries beginning with A1 and A6 within InfoArea 0001 in InfoCube 0002. In addition, the user is allowed to change the calculated key figures and structures (templates) already defined in this InfoProvider.
Related authorizations for user A:
InfoArea: 0001
InfoProvider: 0002
Component type: REP
Component Name: A1, A6
Activity: 01, 02, 06
InfoArea: *
InfoProvider: 0002*
Component type: STR, CKF
Component name: *
Activity: 02
Authorizations for Display Attributes
Definition
Authorization-relevant display attributes are hidden in the query if the user does not have sufficient authorization to view them.
Use
For characteristics:
The user needs to have complete authorization (*) to see the display attribute in the query.
For the characteristic 0EMPLOYEE, the 0EMPLSTATUS attribute is authorization-relevant. Only users with authorization "*" for 0EMPLSTATUS can display the attribute in the query.
For key figures:
Key figures cannot be marked as authorization-relevant. To use this function nonetheless for key figure attributes, the system checks against meta object 1KYFNM. For this, the user requires authorization for the field 1KYFNM in the authorization object.
The key figure attribute 0ANSALARY is contained in the 0EMPLOYEE characteristic.
If the user has the 1KYFNM field in his or her authorization object, and authorization "*", he or she can display all key figure attributes.
If the user has the 1KYFNM field in the authorization object and the 0ANSALARY key figure as a value of the authorization, he or she can only see this key figure attribute. If the user is not supposed to see this attribute, do not give the authorization "*" but only assign the key figures for authorization that are to be displayed.
Authorizations for Navigation Attributes
Use
During authorization checks for navigation attributes, it is always the characteristic that is being used as a navigation attribute that is checked.
Integration
If referencing characteristics are used as navigation attributes, authorization for the basic characteristic is checked. You should, however, change this logic so that the referencing characteristic is checked for instead. In the maintenance screen for reporting authorizations, choose the following path from the main menu Extras ® Compatibility ® Navigation Attributes ® Switch Off.
This function exists for reasons of compatibility. The authorization logic of referencing characteristics worked differently with the beginning of Release BW 2.0. From BW 2.0, Support Package 20 and in all of the releases that follow, for referencing characteristics as well, the authorization for exactly this characteristic (and not the basic characteristic, as was the case previously) is checked.
Example
In the query, you use characteristic A with the navigation attributes A__B and A__R. Characteristic R references characteristic B. For these navigation attributes, authorization for the basic characteristic B is checked. If you switch off the compatibility for navigation attributes option, B is checked for A__B, and R is check for A__R.
Maintaining Authorizations for Hierarchies
Use
Authorizations for hierarchies determine up to which subarea of a hierarchy a user may drilldown.
Prerequisites
Before you can set authorizations for hierarchies, you must first transfer and activate the InfoObject 0TCTAUTHH from the Business Content. Make sure that the indicator Relevant for Authorization is set. You must also create an authorization object for which you want to set the authorization.
Authorization for a hierarchy on the Profit Center characteristic (0PROFIT_CTR):
Define an authorization object with 0PROFIT_CTR and 0TCTAUTHH.
Example: You define a hierarchy for the basic characteristic B. For characteristic B there is a referencing characteristic R. If you use this hierarchy for characteristic R in the query, authorization for the basic characteristic B is checked. However, you can change this logic so that characteristic R is checked for instead. In the maintenance screen for reporting authorizations, choose the following path from the main menu Extras ® Compatibility ® Ref. Characteristics with Hierarchy ® Switch Off.
You need the characteristic 0TCTAUTHH to specify the hierarchy in the authorization. If you add this characteristic to an authorization object, you can specify authorizations for hierarchies for all InfoObjects in the authorization object.
Procedure
       1.      In the SAP Easy Access initial screen of the SAP Business Information Warehouse, choose SAP Menu ® Business Explorer ®Reporting Authorization Objects.
       2.      Choose Authorizations ® Authorization Definition for Hierarchies ® Change.
       3.      In the Definition, select the InfoObject, hierarchy and node.
If there are several users who are authorized to work with just one part of a hierarchy (subtree) but the top node is different for each, you have the option of specifying a variable instead of a node.
See also: Variable Types
Instead of selecting a node, you can also set the Top of hierarchy indicator. This enables you to ensure that a user is authorized to use a hierarchy from the top node down to a determined level.
You can select the top node here. However, if the hierarchy is being used in a query without a filter on this node, the user will not be able to execute the query.
This is because the top-most visible node does not represent the actual top of the hierarchy. As, for example, there are other Remaining Leaves, there should always be exactly one internal node at the top of the hierarchy. Therefore, there is one internal node above the top-most visible node. If the hierarchy is used in a query without the top-most node being determined, it is compared with this unseen, internal node. So that the user has the correct authorizations, select the internal top of the hierarchy for this option.
       4.      Select the authorization type:
¡        0 for the node
¡        1 for a subtree below the node
¡        2 for a subtree below the node up to and including a level (absolute)
You must define a level for this type. A typical example of an absolute level is data protection with regard to the degree of detail of the data (works council ruling: no reports at employee level only at more summarized levels).
¡        3 for the entire hierarchy
¡        4 for a subtree below the node up to and including a level (relative)
You must specify a level that is defined relative to the node for this type. It makes sense to specify a relative distance if an employee may only expand the hierarchy to a certain depth below his or her initial node, but this node moves to another level when the hierarchy is restructured.
       5.      For types 2 and 4 you can specify, in Hierarchy Level, the level to which the user can expand the hierarchy.
¡        With authorization type 2 (up to and including a level, absolute) the level refers to the absolute number of the level in the hierarchy where the top-most node of the hierarchy is level 1.
¡        With authorization type 4 (up to and including a level, relative) the level number refers to the number of levels starting from the selected node itself which is level 1.
       6.      In the Validity Area you specify in exactly which ways a hierarchy authorization has to match a selected display hierarchy for it to be included in the authorization check.
¡        Type 0 (very high) : The name, version and key date of the hierarchy on which the hierarchy authorization is based have to agree with the selected display hierarchy.
¡        Type 1: The name and version of the hierarchy on which the hierarchy authorization is based have to agree with the selected display hierarchy.
¡        Type 2: The name of the hierarchy on which the hierarchy authorization is based has to agree with the display hierarchy.
¡        Type 3 (lowest) : None of the characteristics have to match.
Note that in some circumstances, setting a check level that is too low may lead to more nodes being selected using hierarchy node variables that are filled from authorizations, than actually exist in the display hierarchy for the query. This can cause an error message.
As a general rule, select the highest possible level for the check.
       7.      If you set the Node variable default value indicator, this definition of an authorization for a hierarchy is used as the default value for node variables.
If more than several authorizations are assigned to a user for different subareas of the same hierarchy, one of these authorizations has to be defined as the default value. Only one node can be selected for a node variable on the variable screen of a query. So that this variable can be filled from the authorizations, the correct variable type has to be selected and an authorization has to be determined as the default value.
       8.      Specify a technical name for this definition. If you do not enter a value, a unique ID is set.
       9.      Now create an authorization for the new authorization object. To do this, enter the technical name of the definition as a characteristic value for the characteristic 0TCTAUTHH. Hierarchy authorizations and authorizations for characteristic values are added:
¡        Specify the value (a blank character) as a characteristic value if only hierarchy authorizations are to be in effect. If you specify more values these are authorized additionally.
¡        Specify the value : (a colon) when queries are also allowed without this characteristic.
The value ' (all characteristic values) is not supported for the characteristic 0TCTAUTHH. Nevertheless, if you specify the value a : is automatically generated instead because no other valid value is found.
If you would like the user to be able to see all values and hierarchies for a characteristic, use the value '*' for this characteristic.
If you use a drilldown hierarchy in the query, you restrict the highest node by a fixed node or a node variable.
Definitions of authorizations for hierarchies must be transported separately. See: Transporting Additional Information
Alternative Procedure:
Manually Maintaining Reporting Authorizations
Use
You usually maintain authorizations in the role maintenance. However, in exceptional cases it could be more practical to create authorizations manually. This is the case if you have to assign every user his/her own role.
Prerequisites
Reporting authorization objects have been created.
Procedure
Assign Authorization Objects
       1.      In the SAP Easy Access initial screen of the SAP Business Information Warehouse, choose SAP Menu ® Business Explorer ® Authorizations ® Reporting Authorization Objects.
       2.      Choose Authorizations ® Authorizations for Several Users. Enter an interval and choose Change.
       3.      Select a characteristic from the left side of the screen. You can then display master data as a list or as a hierarchy. The right side of the screen shows you a list of all the selected users with the authorization profiles and roles you assigned.
       4.      You can now use Drag&Drop to assign additional authorization objects to the user.
       5.      Choose Generate authorizations. The system creates the authorizations and assigns them to the users.
Assigning Authorizations for Hierarchies
You can also make authorizations for hierarchies in the same transaction.
       1.      Select a characteristic.
       2.      You can use the context menu on the authorization object to determine up to which hierarchy level the authorization should apply.
You can currently select exactly 1 level for each hierarchy and user.
       3.      Choose Generate authorizations. The system creates the authorizations and assigns them to the user.
Result
The system has created individual authorization profiles.
thanks
karthik
reward me ipoints if the above is usefull to you

Similar Messages

Authorization check for cost centre

Hi ,
Im creating a zprogram ,in which i give bukrs,kostl,kokrs,lednr,...etc in the select options..Can somebody tell , how to create restricted access for individuals who are able to view other cost centres that they are not normally responsible for..
Thanks...

Hi,
You can handle this by AUTHORITY CHECK functionality. Get all the cost centers from selection screen and do the Authority check. If user does not have authorization, you can display error message. To get Cost center Authorization objects, check transaction SU20 and SU21.
for more details see this thread -
Authority check
Hope this helps.
ashish

S_ALR_87013644 - Cost Centers: Cost Component Split

Dear SAP Gurus,
I am executing Cost splitting in KSII, and the values are coming correctly while doing the test run. However in the report S_ALR_87013644 - Cost Centers: Cost Component Split , price per unit is getting doubled. For example
Cost center X actual costs 20000
Activity unit for this cots center 2000 hrs
After splitting the value per hr=10
However in this report, per hr cost is coming as 20.
Is this a standard way of calu
Thanks

Hi,
Pls check the cost centers that you entered when executing the report.
If there are more than 1 cost center was selected, the system will sum the activity price per unit of all selected cost centers then display..
So the value maybe different from your expectation.
Regards!
Edited by: The Cuong Than on May 6, 2010 4:57 AM

Authorization - cost centers

Hello experts,
I need to set up authorizations for BW users for cost centers. For each BW user I have cost center assigned in employee master data. I am using old authorizaiton model (RSSM).
Is there a method how to create these authorizations programatically?
I was also considering to write an user-exit variable to fill according cost center to filter query results, but I found variable 0A_COSTC - how does that work?

Hi,
Please go through the following:
1. Identify the authorization relevant objects, according to your requirements. For eg: If you want region
    wise authorization for users, the object you are using for region like 0REGION or ZREGION.
2. Go to RSD1 and mark the objects as authorization relevant in the tab Business Explorer.
3. Open all queries in which these objects are used one by one and create varibles processed by
    authorization for these objects.
4. Go to t-code RSECADMIN and create a new authorization object. You can copy 0BI_ALL and make
    necessary changes.
5. Ask your Basis team to create a role in PFCG for attaching the following components:
    S_RS_COMP
    S_RS_COMP1
    S_RS_AUTH
    S_RFC ( for portal users)
    S_TCODE(Only if you want t-code based authorization)
6. Attach the newly created authorization object (created in RSECADMIN) to S_RS_AUTH.
7. If any errors occur at the time of running the query, go to t-code RSECPROT and check the logs with
    the help of your Basis team.
   You can chekc the following link for further details:
https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/659fa0a2-0a01-0010-b39c-8f92b19fbfea

Authorizations for cost centers or profit centers on FI documents

Hi,
We need to assign some users to a role so they are allowed only to post documents that are related only to a specific cost centers or profit centers in the document.
We try to do it using role authorizations transaccion PFCG, however we cannot find the appropiate object to do it. Does someone know how to do it ?
We appreciate any help and reward points will be granted.
Thanks !

Hello,
try the K_CSKS authorisation object for cost center

Authorization Check in Personnel Cost Planning (PA-CP)

Dear Experts,
We are facing an issue where there is no authorization checking when performing the Cost Planning functions. The requirement here is to put in an authorization check such that when:
1) collecting cost plan data for employees (tcode: PHCPDCEM), it will check against HR Master Data (e.g. P_ORGIN, P_ORGINCON) or HR Clusters (P_PCLX) (e.g. check which Personnel Area the user has authorization for). Currently, the Data Record Log does not have this checking.
2) Creating, generating, viewing and maintenance of cost plan (e.g. tcode: PHCPADMN), it should have the same checking as above
We are using SAP ECC 6.0.
Has anyone encounter the same issue and has a resolution for it (configuration or user exit?)? I see that there is a user exit HRHCP00_RESP_OBJECTS available, but it does not provide the authorization check even when it returns "NO_AUTHORITY".
Thanks very much in advance.
Alex

Hi Alex,
I am not very sure about Personnel Cost Planning,
But an approach I have used in the past when exploring a module about which there is limited documentation or SAP standard model roles is to
1) Switch on Trace using ST01.
2) Carry out a series of transcations using a user id which has a lot of authorizations or SAP_ALL.
3) Anlayse the trace document and identify all the authorization object.
4) BUild a new role with the auth objects and assign to test user id.
5) test and confirm that the authorizations are not too many or too less.
A time consuming but thorough approach.
hope this helps.

Shipment cost with authorization check

Dear Expert,
I have a problem about shipment cost, my requirement would like to check authorize by transport planning point
during transaction
VI01
VI02
VI03
VI04
but Standard shipment cost check only "Shipment Cost Type"
there is the user exit to check authorize in stage VI01 VI02 and also in VI03 VI04
or what should I do
Thank you very much for suggestion

Dear Expert,
I try to activate "Transport planning point" for checking authorize in VI01
also I check authorize object by "ST01"
there is no authorize check about "Transport planning point" (only have shipment cost type)
then i debug on VI01
1. put shipment number
2. debug
3. enter
in this area there is no transport planning point in variable that sent to check authorization
Please Helps me find out this solution
thank you very much

Cost element group authorization check on controlling area level

Hi!
When maintaining cost element groups (KAH1, KAH2, KAH3) is it possible to run an authorization check on controlling area level?
We have one global chart of account but several controlling areas. When we create a cost element group it is created at chart of account level for all the controlling areas. When someone changes a cost element group it changes in all controlling areas. I cannot restrict user's authorization to be able to change cost element groups only in their own controlling area.
Is it possible somehow?
Thanks for your help.

Hi,
Like how the global chart of accounts is at the client level, the cost element groups are also independent of the controlling areas. Infact, the cost element groups are created at the global COA level.
In such a case, I don't think it is possible to restrict the authorizations to amend the cost element groups at controlling area level.
Thanks and Regards,
Bhuvaneswari.S

Cost Centre authorization check during PR creation

Hi all,
Just want to know whether the standard SAP do check the cost centre authorization during PR creation with account assignment.
Please note that no user exit is used.
I am looking at standard system check on the authorization object thru the user profile.
Thanks.
Tom

Hi Steve,
I found the solution. The control must be from the authorization object that assigned to the user.
For example, M_BEST_EKO authorization object. The display activity "09" (Display Price) should not be assigned to this authorization object.
Hence, the user would not be able to see the price info in the standard report.
Cheers.
Tom

Purchase requisition and cost center authorization check

Hi all,
in a R/3 4.7, I need to check the cost center (or profit center) when managing (create/modify/view) purchase requisitions.
I have not found any auths object which perform this check.
Any idea ?
A BADI seems to be he only solution, inserting an authorizaton check.
Thanks
Andrea

Hi
use the BADI in SE18 Tcode
ME_REQ_POSTED
implement this and use
the Method POSTED has the parameter IM_EBKN which has KOSTL field
this will work
see the sample code for this BADI
BAdI Name: ZPUR_RFQ (Implementation name) Purchase Requisitions
Definition Name: ME_REQ_POSTED
Interface Name : IF_EX_ME_REQ_POSTED
Implementing Class: ZCL_IM_PUR_REQ
Method :            POSTED
METHOD if_ex_me_req_posted~posted .
TYPE-POOLS: pgrt.
DATA: t_txpdat TYPE STANDARD TABLE OF txpdat.
DATA: s_txpdat TYPE txpdat.
DATA: t_ident TYPE pgrt_t_obj_ident.
DATA: s_ident TYPE pgrt_obj_ident.
DATA: ident_tmp TYPE eketkey.
DATA: nmrid_init TYPE txpdat-nmrid.
DATA t_obj_event TYPE pgrt_t_obj_event.
DATA s_obj_event TYPE pgrt_obj_event.
DATA t_event     TYPE pgrt_t_event.
DATA s_event     TYPE pgrt_event.
DATA change_yes TYPE c.
    IF l_s_eban-estkz NE 'B'.
      CLEAR v_mtart.
      SELECT SINGLE mtart INTO v_mtart FROM mara WHERE matnr = l_s_eban-matnr.
      IF v_mtart EQ 'ZERS' OR v_mtart EQ 'FHMI' OR v_mtart EQ 'UNBW'.
        MESSAGE e000(zm_msg) WITH 'You are not allowed' 'to create PR for stock items'.
      ENDIF.
    ENDIF.
    IF l_s_eban-knttp NE 'F' OR l_s_eban-pstyp NE '9'.
      IF l_s_eban-knttp NE 'A'.
        IF ( l_s_eban-pstyp NE '9' AND l_s_eban-pstyp NE 'D' ) AND l_s_eban-matnr EQ space.
          MESSAGE e000(zm_msg) WITH 'You cannot create' 'a PR without material number'.
        ENDIF.
      ENDIF.
    ENDIF.
ENDLOOP.
ENDMETHOD.
reward points if useful
regards
Anji

Cost Centers & Profit Centers in PM Order Settlements

Dear All,
Can anyone please explain me the exact use of following Fields in the PM Order?
Additional Data Tab    -     Responsible CCt , Profit Center , Object Class
Location Tab             -   Account Assignment u2013 Cost Center
Settlement Rule         - Settlement Receiver (When category is CTR-Cost Center)
Also would appreciate if the explanation can be given on the impact on above in settling the Orders.
(CAPEX Orders as well as OPEX Orders)
Thanks & Regards,
Thushantha

Hi,
Additional Data Tab
Responsible Cost Center: - The responsible cost center is the responsible area for authorization check on internal orders.
This does not have to be the cost center to which the order settles its costs.
(ex The cost center "site office" is the responsible cost center).
Profit Center:- Operating results for profit centers can be analyzed using either the
cost of sales approach or the period accounting approach.
By analyzing the fixed capital as well, you can expand your profit
centers for use as investment centers.
Location Tab
Cost Center:- which belongs to Equipment Master or Functional Location. This cost will be comes under Account Assignment Category
Settlement Reveiver:- Its the set of cost elements which receives the Actual cost from the work order & transfers to the cost center.
regards,
Venkatesan Anandan
Edited by: Venkatesan Anandan on Mar 11, 2009 3:03 PM

Authorization check without using variable of type u0093Authorizationu0094

In WEB-reporting we want to authorize on a navigational attribute without using the variable of type
Authorization. Why would we do this?
1. In a lot of queries we have to replace the existing variable of type User entry to a variable of type Authorization. We would like to avoid this work.
2. When the variable is not ready for input the Report will always include all the characteristic values for which the user is authorized. We dons want this.
3. When the variable is ready for input on the selection screen all the authorized values are displayed and the user is able to select / deselect the values he/she wants to report. In case of a lot of authorized characteristic values the screen does not appear user-friendly.
What we want is a behavior like some parts of R/3. For example: Controlling Area X consists of the Costcenters C1000, C2000, C3000, C4000, C5000 and C6000. A particular user has authorization for Cost centers C1000, C3000 and C5000. When running a ABAP-report with Cosctcenters the user is able to select certain Costcenters. Three possibilities:
1. The user selects Costcenter C1000, C3000 and / or C5000: the ABAP reports the selected Costcenters.
2. The user selects Costcenter C2000, C4000 and / or C6000: the ABAP gives an error-message: no authorization.
3. The user does not select any Costcenters: the ABAP reads all the Costcenters and reports on the basis of the users authorization only Costcenters C1000, C3000 and C5000.
In term of BW: we would like to introduce authorizations for a specific InfoObject which is used as an navigational of an other InfoObject. In the queries a variable is used of the type User entry. The user can select one or more values on the selection screen; an authorization check is fulfilled. He may however choose to leave the selection field empty; in this case the OLAP processor should report only the authorized values (in our case the last situation results directly in an error-message no authorization).
Anyone has a suggestion?
Thx in advance,
Henk

If you change the variable to type exit, and user input enabled, you can then build your logic in the user exit.
If users have entered unauthorised values, it will be checked (by the system??). If this assumption is correct then all you need to do in your exit is to continue with the values entered by the user; and in case user has entered no values, populate the variable with values valid for the user (by reading the user authorization and corresponding charactertistics values and moving these to the variable).
--> Adding further
Since the authorization will not be checked by the system (I missed that these are not of authorization type variables), user exit will need to do this check. The logic for doing authorization checks / error messages / restricting based on authorizations - will have to be done in the user-exit.
cheers,
Message was edited by: Ajay Das

Authorization check creating Work Orders (IW31)

Hello everyone,
We need to make an authorization check when creating a Work Order in transaction IW31.
That check is based on the field "Main work center for maintenance tasks"
No check apart from the plant associated to the work center is done, but the problem is that there exist different Work Centers associated to the same plant, and we need to restrict it.
Our authorization model considers the Cost Center associated to the Work Center, but the Cost Center is not checked in this IW31 when entering the Work Center.
We have also tried using the classification system, but despite activating authorization obejct C_KLAH_BKL, is neither checked.
(It is amazing the difference between the number of objects marked to be checked in SU24 for this IW31 and the objects really checked when looking at authorizations trace)
We know that Work Center field exit could be used, but we would prefer not to change ABAP code.
Could you please give us a hint about how we can restrict this field?
Thank you very much.
Best regards.
Jose Sanz.

Hi Jose,
You can look at the object C_ARPL_WRK,
if you work with this , i hope you would be able to find a solution for this situation.
Thanks,
Vijay

Restrict access in report based on compnay codes and cost centers

Hi,
We are using a standard report, which is assigend to a Z transaction and assigend to the role.
The report need to be restricted based on the company code and cost center ?
but i could not find any AUTHORITY- CHECK statements in the code ( there is only authority check statement for object G_803J_GJB which has authorization groups and aCTVT field.)
Please let me know what steps need to be followed to restrict the report based on company codes and cost centers.
Thanks for your help in advance.

Thanks all for the quick response.
Steps to be followed:
1) incorporatomg AUTHORITY-CHECK statements for K_KOSTL and F_BKPF_BUK objects in the program.
2) adding the objects as check yes in SU24 for the Z transaction.
and restricting in the role.
The program name is "GP3O4ZGOOF3HA68QMGHF8S7I9ER250".
Please let me know if any more steps need to be followed.
Based on this i have to send a estimate to my client.
Thanks,
Sanketh.

SAP Security - Cost Centers and Profit Centers

Hi All,
We want to have the ability to restrict roles on cost center and profit center per the cost center/profit center owner. For example, we only want to allow users whom own cost centers to be able to see the cost centers they own. The problem that I am faced with is that I do not want to restrict via cost center authorization object because this would essentially lead to every user having their own individual role.
I did notice that each cost center has a user ID field that you can assign and maintain. I was thinking if it was possible to create some customization where this is checked against the uid logged onto the system but not sure if this could be done without modifying each program. Does anyone have any thoughts on how to restrict via cost center and profit center?
Thanks in adavnce

Hi,
did you check if a view could help in your context?
What I mean is this: create a view on top of your basetable where some predicates like
user = basetable.userid-column
is used.
This view has to be granted to all users and the basetable should NOT be granted at all.
If you do not want to change all applications, you could rename the basetable and create this new view with the old basetable-name to allow the unchanged applications to work.
Elke

Authorization check by Cost centers

Similar Messages

Maybe you are looking for