3037920 - Company Code authorization does not behave as intended - SAP S/4HANA Cloud Public Edition

A user that has company code authorization maintained can still access data from company codes outside of their authorization.

Note: This issue may also occur in viewing I_OperationalAcctgDocCube or a custom CDS view that uses I_OperationalAcctgDocCube

Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.

SAP S/4HANA Cloud Public Edition

1. Open the 'Maintain Business Roles' app.
2. Choose the role assigned to the user.
3. Choose 'Edit' followed by 'Maintain Restrictions'.
   
   
   
   
4. Maintain each instance of the 'Company Code' restriction as required.
   
   
5. Open the 'Manage Journal Entries' app, for example, and see restricted data from all company codes.
   
   
   

Note: The above example is based on a user with a single business role assigned.

There are several potential reasons for this issue:

1. One possible cause is maintaining the 'Company Code Hierarchy' restriction as 'Unrestricted'. In such cases, Unrestricted authorization is evaluated to TRUE irrespective of any instance of Company Code Hierarchy. As this affects the authorization of restriction type Company Code, access for Company Code is evaluated to TRUE.
   
   
2.  Another possible cause of the issue could be leaving the "Write, Read, Value Help" authorization as "Unrestricted.".

• To resolve the root cause one: Maintain the 'Company Code Hierarchies' restrictions, which can be found under 'Read, Value Help', as 'Not Maintained':
  
  
  
• To resolve the root cause two: Set the restrictions for company code for Write, Read, Value Help authorization as well

The following documentation describes the authorizations and relation of the different restriction types for Company Code in more detail -

https://help.sap.com/docs/SAP_S4HANA_CLOUD/6b39bd1d0e5e4099a5b65d835c29c696/76c59195039142338af63e8a1a7c016f.html?locale=en-US

company, code, restriction, authorization, not working, failing, user, restrictions, authorizations, I_OperationalAcctgDocCube, CDS view, custom , KBA , FI-GL-IS , Information System , FI-GL-IS-2CL , Information System (Public Cloud) , Problem