Monday, August 21, 2017

1730900 - How to use Authorization Groups for Funds Center and/or Commitment Item.

1730900 - How to use Authorization Groups for Funds Center and/or Commitment Item.

Symptom

  • You want to build your authorizations for Commitment Item or Funds Center Master Data and need additional information about this topic or
  • You are expecting to receive authorization errors in reporting or posting regarding restricted Funds Center or Commitment Items and system is allowing to show the data restricted by you
  • You may have defined your authorization checks already but the authorization objects used are not being considered

Environment

  • Financial Accounting (FI)
  • SAP R/3
  • SAP R/3 Enterprise 4.7
  • SAP ERP Central Component
  • SAP ERP
  • SAP enhancement package for SAP ERP
  • SAP enhancement package for SAP ERP, version for SAP HANA
  • PSM-FM Add-On is active (transaction SFW5, EA-PS is on)

Reproducing the Issue

  1. Run a report where you want to restrict commitment items or funds center but the data appear in the report.
  2. Post a document where you want to restrict commitment items or funds center but the data can be saved.
  3. You receive an authorization error message in a report or posting but you have authorization for it as per your authorizations defined in transaction PFCG.

Cause

Authorization checks for Commitment Item are done only in the case that the commitment item is assigned to some Authorization group. Therefore, the commitment item will be always displayed in reports/transactions until some authorization group is assigned. The same explanation is valid for Funds Center. In addition, if you have activated "Old Authorization check" in your customizing, you must use the old authorization objects. If you have not activated "Old Authorization check" in your customizing, you must use the new authorization objects.

Resolution

  1. Use Authorization Groups for Funds Center and/or Commitment Item Master Data
        In case of Funds Center, within transaction code FMSC (fund center master data) the 'Authorization Group' field is available (the same used in the authorization rules). It is not the 'fund center' field itself, it is the group that you are grouping the fund centers only for authorization purposes.
Example: Authorization Group field in Funds Center Master Data

FMSA_AuthGroup.png

If, in the FMFCTR table for your FM Area, you have the same content for all records to this field, it means that all your funds center will be part of the SAME authorization group. Therefore, you should consider within your company to divide the authorization groups according your needs and adjust your roles in transaction PFCG accordingly.
If we take as an example the way that funds center works, if you do not have authorizations group in your funds center, there is no check regardless if you specify something or not in the role definition. In any case, * will mean that authorizations exist for the authorizations group. You should either specify a list of authorized funds center in the role, or assign a specific authority group to the funds center for which you do not want to allow posting.
The same is valid to commitment item where you will find the authorization group field within transaction FMCIA (commitment item master data) and table FMCI.
  1. Find which authorization objects are available for the transaction that requires an authorization restriction
You should use available authorizations in transaction code SU24. The most common authorization objects available for Funds Center and commitment items are the following:
  • F_FICA_FPG Funds Management: authorization group for the commitment item
  • F_FICA_FSG Funds Management: authorization group for the funds center
If you are using BCS you have to use also the authorization object 'F_FMBU_ACC'. There is a short documentation in SU03 for this authorization object. Assigning only the authorization object F_FICA_FSG (in case of commitment item F_FICA_FPG) could not be enough sometimes. Use transaction SU53, SU56, SU01 and SU24 to trace authorizations.
  1. Check which strategy you have customized for PSM-FM Authorizations in your system: Old Authorization Objects or New Authorization Objects
Please check the following menu path in your IMG: SPRO -> Public Sector Management -> Funds Management Government -> Basic Setting -> Authorization check -> Activate Old authorization check.
  • If the flag is checked -> you are using the old authorization check.
  • If the flag is not checked -> you should use the new authorization checks.
If you activate the old authorization objects, the following objects are used for the authorization check:
F_FICB_FPS  Cash budget management/Funds Management commitment item
F_FICA_FTR  Funds Management FM account assignment
F_FICA_CTR  Funds Management funds center
F_FICA_WCT  Funds Management funds center internal
F_FICA_CCT  Funds Management cross-funds center
F_FICA_FCD  Funds Management fund
These objects were referred to for the authorization check in Funds Management (FI-FM) up until release 46C.
  1. Check which authorization objects you are using to be checked
To be sure about which authorization objects you are using for commitment items and funds center enter in transaction PFCG, check your rule assigned to user and activate the technical names (Menu -> Utilities -> Technical names on), then you will see if you are using the old objects or the new ones.
PSM-FM customizing must be in synch with PFCG. There is no problem to use old authorization checks but if you want to use it, the customizing of old authorization must be checked and PFCG should also use the old authorization objects for the authorization rules.
If you see that PSM-FM customizing is not in synch with PFCG, you have two options:
  1. Keep the old authorization objects and set the customizing
  2. Keep the customizing deactivated for old authorizations
In case you want to know more about Authorization in PSM-FM and see some examples, please check, in SAP help, the information about Authorization.
In Authorization Objects in Funds Management you will find the new authorization objects available.
NOTE: You must have for all the records of your master data (funds center or commitment item) the 'Authorization Group' field with content, otherwise it will not work. Due to a restriction in the technical design, the authorization group functionality will only work properly if you have all the records with this field fulfilled (it cannot be blank).

See Also

If you follow the instructions available in Resolution Section on how to use authorization groups and your issue still persists, make sure that you have implemented the following SAP Notes:
SAP Note 1885424 FM Report Writer: Authorizations sometimes don't work
SAP Note 1819104 RW: Wrong selection routines are executed

Keywords

FMBB, authorization object, F_FICA_FSG, F_FMBU_ACC, F_FICA_FPG, PFCG, SU24, funds management, FMKU162, FMKU 162, authorization_group, authorization, report writer, report painter.
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)