Question:
Dear security colleagues,
I have a problem with restricting display access on authorisation hierarchy level in objects K_CCA, K_REPO_CCA.
One department gave me some hierarchy knodes that I added under "Authorisation Hiararchy" in these objects that worked fine (although these are not part of the standard hierarchy under OKENN).
Another department gave me standard hierarchy knodes but these do not work at all.
Is it because of the standard hierarchy? Is there a separate authorisation hierarchy - if yes can I see what standard knode belongs to which auth. hier. knode?
Unfortunately the trace only gives me missing authorisations on cost center level but does not tell me which hierarchy knode is missing.
Thank you very much, Franz
Answer:
Check your trace:
look at the fields in K_REPO_CCA , the field is COST CENTER (KOSTL), not responsibility Area (RESPAREA) where a node can be entered, you have to enter the cost center or range of cost centers.
K_CCA has responsibility area and a trace will show the various node down to the cost center depending on what access you give.
Answer:
Thanks - good point. You are right: For the role that works fine, the trace shows the checked hierarchy node and cost center.
BUT for the role that does not work it just shows the cost center. Is it possible that the cost center hierarchy that is used for the authority-checks needs to be defined separately?? The strange thing is that when maintaining the object in the role, F4 shows me all necessary nodes so they seem to be actually there.
Any idea? THANKS!