Question:
Hello authorisation gurus!
I have a problem restricting access to hierarchy nodes. I found this comment in the K_CCA object documentation that I don't really understand:
"If the CO-OM area of responsibility is a node in the standard hierarchy of Cost Center Accounting, then authorization is valid for all nodes and their cost centers."
Does that mean that it does not work if I restrict on the standard hierarchy? But what should we do if we only have the standard hierarchy?
Thanks for your help!
Answer:
I just tried K_CCA. I am in 4.7. The restriction works with non-standard-hierarchy nodes but does NOT work with standard hierarchy node. What do you think? Thank you!
Answer:
Sorry, I forgot to say that these are separate clients where it works and where it does not work.
The strange thing is that the trace of one client shows that the hierarchy node is checked, while the other trace shows that only cost centers are checked.
Do I need to activate the general check on hierarchy node level somewhere? I am quite helpless at the moment.
Thank you very much!
Answer:
I can't offer any more advice than to speak to your CO guys to make sure that the config is the same??
Answer:
I know that in 4.6 only the standard hierarchy is possible for cost center/profit center authorizations (responsibility areas). In 4.7 I believe it is possible to select the standard or alternate hierarchies and I think there is an OSS Note on it. I would start there. If you find it, please post back here.
Answer:
Yes, as I said, it is possible in 4.7 to restrict on alternative hierarchy. But the problem is that in client 001 I see in the trace that the auth. check of K_CCA is on node level ("HI001123123123"). But in client 002 the trace of K_CCA only checks on cost center level ("KS000112345678").
I asked our CO guy but he said that there is no activation of authority check on node level or any other auth. relevant config possible. Have no idea any more and will start to put the single cost centers into the K_CCA cost center tab - otherwise the poor users cannot see anything because it ignores the hierarchy, even if I put a "*" in the hierarchy tab.
Answer:
Sorry I missed that the first time around. The K_CCA auth check is recursive. It checks (depending on screen input - CC or group) cost center first. Then it backs up the hierarchy until you are authorized for a node. It goes up the whole node and if you are not authorized for the root then you get a failure on the root, even though you could have had 12 failed auth checks before that one. If you enter an individual CC, the auth check starts at the CC and then goes up the node. If you enter a group it starts at the group and goes up the node.
I haven't heard of this before. If you haven't already done so, I would trace the Tcodes with exactly the same input and then compare the traces. I would also compare the hierarchies because they may not be actively maintaining them in both clients. Don't ask the configurators, look for yourself. I would still check OSS because you're in for a maintenance nightmare if you are entering individual cost centers.
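A simplified model of the walk-up check described in the last answer, added here as an illustration; it is not SAP code and not from any poster in this thread. The hierarchy data, the RESPAREA-style values (only the `KS`/`HI` prefixes follow the traces quoted above) and the pattern matching of authorizations are assumptions of the model. It shows how the same input yields a node-level trace in one client and a cost-center-only trace in another when the cost center is not assigned to a node there.

```python
from fnmatch import fnmatchcase

def k_cca_walk(start, parent_of, auth_patterns):
    """Model of the check order described above (hypothetical helper).

    start:         value entered on the screen (cost center or group)
    parent_of:     dict mapping a child value to its parent hierarchy node
    auth_patterns: values/patterns held in the user's K_CCA authorization
    Returns (granted, trace); trace lists the values checked, in order.
    """
    trace, current, seen = [], start, set()
    while current is not None and current not in seen:
        seen.add(current)              # guard against a cyclic hierarchy
        trace.append(current)
        if any(fnmatchcase(current, p) for p in auth_patterns):
            return True, trace         # first authorized level ends the walk
        current = parent_of.get(current)
    return False, trace                # last entry is where the failure shows

def levels_checked(trace):
    """Prefixes seen in a trace, e.g. ['HI', 'KS'] or just ['KS']."""
    return sorted({value[:2] for value in trace})

# Constructed sample data, not taken from any real system.
CLIENT_A = {"KS-DEMO-CC100": "HI-DEMO-SALES", "HI-DEMO-SALES": "HI-DEMO-ROOT"}
CLIENT_B = {}                          # cost center not assigned to any node
NODE_ONLY_AUTH = ["HI-DEMO-SALES"]     # user restricted by hierarchy node only

def compare_clients(start, auth_patterns):
    """Run the same input against both modelled clients."""
    return {
        "A": k_cca_walk(start, CLIENT_A, auth_patterns),
        "B": k_cca_walk(start, CLIENT_B, auth_patterns),
    }

if __name__ == "__main__":
    for client, (granted, trace) in compare_clients(
            "KS-DEMO-CC100", NODE_ONLY_AUTH).items():
        print(client, "granted" if granted else "denied",
              trace, levels_checked(trace))
```

Comparing the two traces value by value, as the answer recommends, is what exposes the difference: under this model client B never reaches an `HI` value, so no node authorization can match.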