I need to give a user access to all cost elements within a cost center.
However, I also need to give them access to one cost element across all cost centers. This seems to negate the restrictions in the above role. How can I fix this?
This can be done easily. Object K_CCA CO-CCA: Gen. Authorizations for Cost Center Accounting have fields for cost center and cost element. Create two SAP authorization objects. In one, enter the single cost center where all cost elements are allowed in the cost center field and an * in the cost element field.
In the other authorization object, enter an * in the cost center field and the single cost element in the cost element field. SAP authorizations are never aggregated to determine whether a user can access data or not. They are tested one at a time using or logic. Just think of a key chain and that ever key in the key chain is tested in the lock one at a time.
Dig Deeper on SAP security
Related Q&A from Corwin Slack
Learn how to stop SAP users from displaying HR table contents in an SAP table without restricting access to an SE16N transaction. Continue Reading
A SearchSAP.com reader who stores user email addresses within the SAP SU01 transaction code and wants to know where to locate the data. Continue Reading
Discover tips for mapping SAP roles and profiles, including how to map multiple SAP profiles to a single derived role, and why a second profile is ... Continue Reading