The context of this blog is a situation where in a customer has undergone a divestiture and for some reason, the split company code data continues to reside in the parent ERP, which shall need to be accessed by applications of the new company. This is an interim situation until the new company code data is completely removed from the parent ERP. The new company used MS BI and had a requirement to extract only Company Code specific data. It turned out to be a little tricky in restricting access to the new company code for extract modules from MS BI.
Theobald Software:
Xtract IS –
Xtract IS one of the products of Theobald Software.
Plug'n'Play for SAP and SQL Server Integration Services.
Integrate your SAP system (ERP, S/4HANA, BW) with SQL Server Integration Services. With a few clicks of the mouse, you can extract mass data with high performance and stability.
The Xtract IS Component Suite offers nine components to provide all kinds of SAP interface technologies. Implement your data flows in a secure and type-safe way with a graphical editor.
How to send SAP data to Microsoft DW via Theobald software:
How to restrict Theobald functions to a specific company code at SAP.
The transport containing the theobald modules shall need to be imported into Sap ERP system.
Z_XTRACT_IS_REMOTE_REPORT
Z_XTRACT_IS_TABLE
Z_XTRACT_IS_TABLE_COMPRESSION
Z_XTRACT_IS_TABLE_JOIN.
To send specific company code and sales organization to Microsoft DWH, below two steps required.
- Create authorization object for the company code and sales organizations.
- Create authorization role and assign role to the required users.
- Maintain filter criteria for the company code and sales organization in the function module Z_XTRACT_IS_TABLE.
1)Steps to create authorization object for company code and sales organization:
Created two Line Organizational Criteria VKORG (Sales org), BUKRS (Company code) as below
SPRO Tcode ->Create an organizational criteria-> maintain the table for which restriction is required.
Here we have created org criteria as ZBKPF for Company code (BUKRS) and ZKNVP for Sales organization (VKORG).
Add field/column name of the table in which company code is available.
2)Create authorization role and assign role to the required users.
Create an RFC role from T-code PFCG and maintained below objects as shown in the below screenshot.
- a) S_RFC - Authorization to execute function modules via SE37
- b) S_TCODE - Authorization to restrict access to transaction code
- c) S_ TABU_LIN Authorization to restrict access to tables based on organizational criteria
- d) S_TABU_NAM Authorization to restrict access to tables
- e) S_DEVELOP - Authorization for ABAP Workbench
a) S_RFC - Authorization to execute function modules via SE37.
Maintain below function modules in S_RFC authorization objects.
DDIF_FIELDINFO_GET
RFCPING
RFC_GET_FUNCTION_INTERFACE
RFC_GET_NAMETAB
RFC_READ_TABLE
Z_XTRACT_IS_REMOTE_REPORT
Z_XTRACT_IS_TABLE
Z_XTRACT_IS_TABLE_COMPRESSION
Z_XTRACT_IS_TABLE_JOIN.
b) S_TCODE - Authorization to restrict access to transaction code.
Here we are giving authorization for the T-code SE37 to run the above function module.
c) S_ TABU_LIN Authorization to restrict access to tables based on organizational criteria
Maintain organizational criteria name under ORG_CRIT and Sales organization/Company code values under ORG_FIELD1.
d) S_TABU_NAM Authorization to restrict access to tables
Maintain table names which table have company code and sales organization.
e) S_DEVELOP - Authorization for ABAP Workbench
Create remote system user from SU01 and assign the role which we have created from PFCG.
3)Maintain filter criteria for the company code and sales organization in the standard function module RFC_READ_TABLE
Refer the standard function module RFC_READ_TABLE to modify the select queries for filtering the required company code and sales organization:
* ----------------------------------------------------------------------
* Include the authorization object and remote user which we have created
* to filter company code and sales organization.
* ----------------------------------------------------------------------
CALL FUNCTION 'SUSR_USER_AUTH_FOR_OBJ_GET'
EXPORTING
* NEW_BUFFERING = 3
* MANDANT = SY-MANDT
user_name = sy-uname
sel_object = 'S_TABU_LIN'
TABLES
values = lt_values
EXCEPTIONS
user_name_not_exist = 1
not_authorized = 2
internal_error = 3
OTHERS = 4.
IF sy-subrc <> 0.
* Implement suitable error handling here
WRITE:/ sy-uname ,'does not have authorization'.
ENDIF.
* ----------------------------------------------------------------------
* read required sales organization data from the database and copy relevant
* portions into DATA
* ----------------------------------------------------------------------
READ TABLE fields INTO ls_fields WITH KEY fieldname = 'VKORG'.
IF sy-subrc EQ 0.
READ TABLE lt_values INTO ls_values WITH KEY von = 'ZKNVP'.
IF sy-subrc EQ 0.
SELECT * FROM (query_table) INTO <wa> WHERE vkorg = 'SE02' AND (options)
ORDER BY PRIMARY KEY.3
* ----------------------------------------------------------------------
* If there is no sales organization data exist then read required company
* code data from the database and copy relevant portions into DATA
* ----------------------------------------------------------------------
READ TABLE fields INTO ls_fields WITH KEY fieldname = 'BUKRS'.
IF sy-subrc EQ 0.
READ TABLE lt_values INTO ls_values WITH KEY von = 'ZBKPF'.
IF sy-subrc EQ 0.
ls_value_field = ls_values-von.
CLEAR ls_values.
SELECT * FROM (query_table) INTO <wa> WHERE bukrs = 'SE02' AND (options)
ORDER BY PRIMARY KEY.
* ----------------------------------------------------------------------
* If there is no sales organization data and company code data then
* copy relevant portions into DATA
* ----------------------------------------------------------------------
IF data IS INITIAL.
SELECT * FROM (query_table) INTO <wa> WHERE (options)
ORDER BY PRIMARY KEY.
ENDIF.
Post these changes, the split company trying to extract its data from the parent SAP ERP, will have no access to company code/sales org data beyond its own.