Symptom
A user that has company code authorization maintained can still access data from company codes outside of their authorization.
Note: This issue may also occur in viewing I_OperationalAcctgDocCube or a custom CDS view that uses I_OperationalAcctgDocCube
Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.
Environment
SAP S/4HANA Cloud
Reproducing the Issue
- Open the 'Maintain Business Roles' app.
- Choose the role assigned to the user.
- Choose 'Edit' followed by 'Maintain Restrictions'.
- Maintain each instance of the 'Company Code' restriction as required.
- Open the 'Manage Journal Entries' app, for example, and see restricted data from all company codes.
Note: The above example is based on a user with a single business role assigned.
Cause
- The cause of this issue may be due to maintaining the 'Company Code Hierarchy' restriction as 'Unrestricted'.
- In such cases, Unrestricted authorization is evaluated to TRUE irrespective of any instance of Company Code Hierarchy. As this affects the authorization of restriction type Company Code, access for Company Code is evaluated to TRUE.
Resolution
Maintain the 'Company Code Hierarchies' restrictions, which can be found under 'Read, Value Help', as 'Not Maintained':
See Also
The following documentation describes the authorizations and relation of the different restriction types for Company Code in more detail -
https://help.sap.com/docs/SAP_S4HANA_CLOUD/6b39bd1d0e5e4099a5b65d835c29c696/76c59195039142338af63e8a1a7c016f.html?locale=en-US
Keywords
company, code, restriction, authorization, not working, failing, user, restrictions, authorizations, I_OperationalAcctgDocCube, CDS view, custom , KBA , FI-GL-IS , Information System , FI-GL-IS-2CL , Information System (Public Cloud) , How To