topic Re: Authorization variable in Application Development and Automation Discussions

Authorization variable

Former Member — Fri, 23 May 2008 19:02:36 GMT

Is it possible to create a role and pass a variable to the authorization data?

I am trying to create a cost center inquiry role that allows an end user access to their own cost center, but to no other cost center. Obviously, this needs to vary for each end user.

Thanks,

Margaret

Re: Authorization variable

Former Member — Fri, 23 May 2008 21:43:39 GMT

Hi Margaret,

What system/s do you need this in?

In BW auth variables are a standard feature & you can achieve this without too much trouble.

In R/3 is it much, much harder & involves significant changing of standard code just for the usual transactions. Unless you have £'000s to available then I would not recommend going down this route. I would add to that and say that unless absolutely necessary I would not even consider granular cost centre security. There are enough flaws in the implementation of that part of the auth concept to cause you plenty of headaches!

Often value roles are used in this situation, unfortunately that's a role per cost centre which can be assigned to the user to give just those auths to support the more generic functional role giving the particular transactional access

Re: Authorization variable

Former Member — Wed, 28 May 2008 15:48:38 GMT


> Is it possible to create a role and pass a variable to the authorization data?  
> 
> I am trying to create a cost center inquiry role that allows an end user access to their own cost center, but to no other cost center.  Obviously, this needs to vary for each end user.
> 
> Thanks,
> 
> Margaret

if you could manage to get your funkies to setup the cost-centers as a hierachy you will not face a probem, you could then access it using the org-levels (something with RESPAREA ...). if you proceed to setup one role and derive as many children as you need for your end-users, you would only have to adjust the org-level to the appropriate hierachy.

Re: Authorization variable

ChrLid_Swe — Fri, 15 Aug 2008 13:05:53 GMT

Hi,

I just tried to convert the field RESPAREA to an Organizational level field, but it would not work. It would not convert correctly. I received the $ sign in front of it. But the field were never visible under the Org level field button.

Has anyone else experience from this?

(We are running ECC 6.0, SAP BASIS 700)

Thanks!

/Christer

Re: Authorization variable

Former Member — Fri, 15 Aug 2008 13:17:48 GMT

Hi Christer,

Did you use PFCG_ORGFIELD_CREATE (note 323817) and also follow note 698401 for the RESPAREA specific tasks?

I am on ECC6/700 at my current client and set up RESPAREA as Org level OK with the guidance in 698401

Re: Authorization variable

ChrLid_Swe — Mon, 18 Aug 2008 15:30:35 GMT

Hi Alex,

Thanks for your answer!

Yes, I did use the standard report PFCG_ORGFIELD_CREATE. But I can't find any reason to SAP note 698401 since everything is looking ok in the table. It looks just the way we want it.

Neither can I see any use of note 565436 since this should be in the system since way back.

Please let me know if you did any magic in table KBEROBJ. It is object K_CCA that is of most importance to us.

By the way there is no trace of field RESPAREA in table AGR_1252. So it is not converted correctly from the report.

Thanks for any additional input!

/Christer

Re: Authorization variable

ChrLid_Swe — Tue, 19 Aug 2008 09:51:46 GMT

Alex,

Yes, note 698401 really did solve the problem. I just had to read the note a bit more carefully!!!

For other readers in this forum: You have to enter a new entry in table KBEROBJ, but make sure to leave the first field (Object) empty. This is the trick that makes it work.

Thanks anyway Alex!

/Christer

Re: Authorization variable

Former Member — Tue, 19 Aug 2008 10:01:42 GMT

Hi Christer,

I just saw your earlier post, glad the KBEROBJ tweak worked for you!

Cheers

Alex

Re: Authorization variable

Former Member — Tue, 19 Aug 2008 10:47:56 GMT

Hi,

There are always issues when it comes to reporting within Controlling, and I agree that granular checks are not ideal.

However, there is an exit that could possibly be used to solve some problems around checks for Cost Centres - namely COCCA001.

For example this could be used to add a custom lookup against a table which maps users to cost centres. Although the challenge remains that standard auth checks will still apply.

I would only consider this if the requirement is absolutely necessary and as mentioned in previous posts I would avoid getting into hundreds of roles to control access.

Regards

Edited by: S Morar on Aug 20, 2008 2:14 PM