Question:
Hi
We are in 4.7 Enterprise version. In CO module, we have these standard Cost center reports starting with S_ALR_*.
We want to restrict the authorization of users by cost centers., i.e user A who is attached to cost center '1' should not be able to view cost center report for cost center '2'.
I understand that tehre are no 'auth. objects for reports starting wiht S_ALR*.
How can we restict the authorization?
Thanks in advance for the help
Answer:
Many of the CO S_ALR* reports do have restrictions but the checks are hidden in logical databases and won't be picked up via SU53/trace.
There are a couple of OSS notes around this, I can't remember what the numbers are off the top of my head but if you search OSS for S_ALR and authorizations you should be able to find them. Once these are in it makes it much easier to work with the reports from a security perspective.
Answer:
In Release 4.0, a new authorization concept has been implemented in CO
to replace as many old authorization objects as possible.
The 'Responsibility area' concept works as follows:
You define a new responsibility area and grant a user authorization for
this area. The purpose of this is that this user has authorization for
all objects in this area. That is, if the area is a group, authorization
is passed on to all objects in this group.
This new logic has been implemented in the authorization objects K_CCA,
K_ORDER, K_ABC und K_PCA.
In Release 4.0, you can enter the cost center standard hierarchy node
for the authorization object K_CCA, for example. The user then
automatically receives authorization for all cost centers included in
this node (of course divided up by activities).
As of Release 4.5, there is another tab page named 'Cost Center Group'.
This is very different to the 'Stand. hier. nodes' tab page.
If you enter a group as 'Cost Center Group', the user only has
authorization for the name of the group. This is useful for
summarization reports without drilldown and for group maintenance.
However, the user does NOT have authorization for the cost centers in
this group.
Thus, you can only use standard hierarchy nodes on the 'Stand. hier.
nodes' tab page to assign authorizations for cost centers at group
level.
At cost center group level, you only assign 'node authorizations'
without inheritance logic.
For the authorization objects K_ABC, K_ORDER und K_PCA, no distinction
is made between the groups. The inheritance logic for standard hierarchy
nodes always applies.