Question:
I have a technical question and hope someone may be of assistance.
In regards to ECC 5.0, I received an enquiry from the functional people
about restrictions on profit centre access when doing FI postings, for example TCD FB50. This TCD presently does not have profit centre as a check object. Here is the scenario they have:
------------------------------
In a standard FI posting, transaction code FB50 it is now possible to
post to the Profit Centre Object, either directly in some cases or it is
derived via the cost centre object in others. Here are two examples of what we mean:
1) A person does a 2 line journal entry on TCD FB50 in a company code,
say 6100, to Cost center 'A' and Cost center 'B', both of which belong to
company code 6100 and are wired to profit center A. In this example, both line items should pass.
2) A person does a 2 line journal entry on TCD FB50 in a company code,
say 6100, to Cost center 'A' and Cost center 'B', but in this scenario
Cost center B belongs to a different profit center than the first line.
In this situation, the person doing the journal entry is to be prevented from doing the posting.
In all cases, the idea is to prevent people in FI from posting to
profit centers other than their own, or phrased differently, from
doing cross profit center postings in the same FI journal entry
primarily t.code FB50 but there are other t.codes too.
------------------------------
Assistance to resolve this would be much appreciated.
Answer:
Working as designed, this is a training issue and a Profit center steward responsibility avoidance issue and is not to be "solved" by Security. Profit center and cost center is an after the fact splitting of the dime you spent and SAP does not care. As delivered by SAP this type of control is not provided and SAP views it as low to non-existent risk, probability low if the user is trained correctly.
If you MUST do this you will have to find a user exit or business partner function exit (BF03) to code the check, but is the cost to do so justified from an implementation standpoint and a role maintenance standpoint? This type of ill-thought-out control will result in a role for every user, too granular, and costly to maintain.
If you must, use detective controls. There is a report in FI that shows the postings for a given user.
Has anyone consulted the Audit staff... It sounds like a WANT control not Risk based.
Answer:
The development required to provide this level of restriction is prohibitive for even the largest implementations. The problem is that SAP's implementation of the auth concept for CO is pretty poor, leading to it being full of holes and a pain to try and get proper restriction over if that is what you need. To do it properly will cost a lot of money.
To control it, there should already be a detective control in place which is monitoring of the Profit Centres by their owners.
Regardless of a restrictive control to prevent posting, they should be performing the review anyway. A few potential extra items should not be a problem for them.
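
The detective control suggested in the answers above, as an added example that is not part of the original thread: a Python check over an exported list of FI line items that flags journal entries touching more than one profit center, whether posted directly or derived via the cost center. The export layout, column names, cost center master mapping and sample rows are all constructed assumptions, not an SAP report format.

```python
import csv
import io
from collections import defaultdict

# Constructed cost center master: cost center -> profit center (assumed layout).
COST_CENTER_TO_PC = {"CC-A": "PC-A", "CC-B": "PC-A", "CC-C": "PC-B"}

# Constructed line-item export; column names are assumptions, not an SAP layout.
SAMPLE_EXPORT = """doc_no,company_code,user,cost_center,profit_center
100001,6100,JSMITH,CC-A,
100001,6100,JSMITH,CC-B,
100002,6100,JSMITH,CC-A,
100002,6100,JSMITH,CC-C,
100003,6100,MBROWN,,PC-B
100003,6100,MBROWN,CC-C,
100004,6100,MBROWN,CC-X,
100004,6100,MBROWN,CC-A,
"""

def resolve_profit_center(row, master):
    """Use the directly posted profit center, else derive it from the cost center."""
    direct = row["profit_center"].strip()
    if direct:
        return direct
    return master.get(row["cost_center"].strip())  # None if not derivable

def find_cross_pc_documents(export_text, master):
    """Return {(company_code, doc_no): finding} for documents needing owner review."""
    docs = defaultdict(lambda: {"user": None, "pcs": set(), "unresolved": []})
    for row in csv.DictReader(io.StringIO(export_text)):
        doc = docs[(row["company_code"], row["doc_no"])]
        doc["user"] = row["user"]
        pc = resolve_profit_center(row, master)
        if pc is None:
            doc["unresolved"].append(row["cost_center"])
        else:
            doc["pcs"].add(pc)
    findings = {}
    for key, doc in docs.items():
        # Flag documents spanning several profit centers, or with unknown cost centers.
        if len(doc["pcs"]) > 1 or doc["unresolved"]:
            findings[key] = {"user": doc["user"], "profit_centers": sorted(doc["pcs"]),
                             "unresolved_cost_centers": doc["unresolved"]}
    return findings

if __name__ == "__main__":
    results = find_cross_pc_documents(SAMPLE_EXPORT, COST_CENTER_TO_PC)
    for (company_code, doc_no), finding in sorted(results.items()):
        print(company_code, doc_no, finding)
```

Documents whose cost center cannot be resolved are reported as well, so a gap in the master data does not silently hide a cross profit center posting from the owner's review.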
Answer:
Thank you for your input. Much appreciated.