cancel
Showing results for 
Search instead for 
Did you mean: 

CDS Access Control - how to use authorizations for Profit Center Hierarchies

afordham
Participant
0 Kudos
914

Hi All,

I am trying to set up a CDS Access Control on CDS view C_PurReqnItm in order to restrict the items shown in the My Purchasing Document Items app by Profit Center. I would like to use the authorisation object K_PCA_HIER to do this, as it should allow me to specify a hierarchy node (profit center group) and see all the Profit Centers below that node.

I have marked the Profit Center Hierarchy as Reporting Relevant (txn HRY_REPRELEV) and replicated the runtime hierarchy into the HRRP* tables (txn HRRP_ERP). When I look at a data preview of CDS view I_ProfitCenterHierSubTree, I can see all nodes and Profit Centers.

I looked at another place the K_PCA_HIER auth object is used - access control I_GLAccountLineItem - and have copied that line into my custom access control. I have had to change the names of fields used, as the Profit Center field is in a view extension of C_PurReqnItm, so starts with a ZZ.

However, I can only pass the auth check if I set all the fields to '*' in my user role. As soon as I try and put in a restriction on the Hierachy ID or the Hierarchy Node, the auth check fails.

My question is: should this work? Should I be able to create a role using K_PCA_HIER for a Profit Center Group somewhere in the hierarchy and then expect to restrict a CDS view by only Profit Centers that are in that Group? Am I expecting too much of the system? There is so little documentation on either K_PCA_HIER or the DEFINE ACCESSPOLICY syntax that I don't have a good example to follow.

Many thanks,

Andrew

Accepted Solutions (0)

Answers (1)

Answers (1)

pbist0103
Participant
0 Kudos

I saw your 2 questions on SCN for Profit Center and Cost Center Hierarchies and you also provided a solution. I was also looking for one but then I decided to search, using the where used of K_PCA_HIER. And I came across a few DCLs that SAP has written using this auth object and for Profit Center Hierarchies.

And one can simply use the below code and check the documentation for PFCG_MAPPING for learning what this offers - https://help.sap.com/doc/abapdocu_cp_index_htm/CLOUD/en-US/abencds_f1_define_pfcg_mapping.htm

@EndUserText.label:'Access control on
profit center hier'
@MappingRole:true
defineroleZI_JOURNALENTRYITEMCUBE{
grant
select
on
I_JOURNALENTRYITEMCUBE
where
(PROFITCENTER)=ASPECTPFCG_AUTH(K_PCAR_REP,PRCTR,ACTVT='03')
or
(GLACCOUNT,{PROFITCENTER,CONTROLLINGAREA})=ASPECTPFCG_AUTH(K_PCA_HIER,KSTAR,ACTVT='03',PFCG_MAPPING=I_PROFITCENTERHIERAUTH);
}