Profit-Cost Center Restriction in SAP

The purpose of this article is to provide an overview on how Cost & Profit center authorization restriction can be managed efficiently in an SAP environment.

Introduction

First, it is important to understand the main concepts that are the basis of the Profit and Cost Center authorization restriction in SAP.

Organizational Value Configuration:

When defining accesses in an SAP system, apart from what activities a user can carry out (change, display, etc.), it is important to restrict in which organizational unit the user can perform such activity (in which company, sales organization, etc.).

Having that in mind, SAP roles can be managed in accordance following a master-derived model in which roles share the same authorization between them, except for the organizational restriction.

When managing authorization roles, SAP already provides default certain organizational restrictions that can be used to restrict in which organizational unit a user can perform his/her activities.

However, customers, due to their specific needs, can as well convert regular authorization values into organizational values. To perform this, SAP delivers standard transaction SUPO (Maintain Org Levels – Prof. Generator).

So, to completely define and configure a solid restriction within Profit and Cost Centers, and if it is not already in SAP system, it is recommended to convert following authorization values into organizational values:

1. $PRCTR = Profit Center
2. $KOSTL = Cost Center
3. $RESPAREA = Responsibility Area

Importance of Responsibility Area:

To implement a solid restriction for Profit & Cost Center, and as mentioned above, it is recommended to consider the Responsibility Area (RESPAREA) as well.

The relevance of this organizational value relies on the fact that certain transactions related to CO module, are not only validating against which Profit or Cost center the user is working, but also the Responsibility Area. However, in certain transactions, it is possible as well that only the Responsibility Area is validated.

This is the reason that, to achieve a solid restriction, Responsibility Area should be considered as well.

Configuration to be applied for proper restriction

One of the key points for such projects would be to involve the business in the reviews and definition of the restriction, basically for the following two points:

1.  To understand the different business processes which involve those organizational values and hence, set up the accesses (SAP roles) to comply with the special features of the business activities (such as intercompany processes or other specific business needs). 
2. To involve all the stakeholders to understand the benefits of a proper segregation, such as most efficiency and as well, avoiding failures in accountability.

After a brief introduction of the restrictions to be implemented, the following points will also be shown:

• How to fill up the values in roles for each authorization restriction previously explained.
• Most common/relevant authorization objects in CO module for Profit Center & Cost Center.

Cost Center

First of all, the way to identify the Cost Center that are available in the system and their relationship with other organizational values such as Companies would be to review the information stored in the table CSKS (Cost Center Master Record).

Other ways to identify this structure and define the role model in accordance could be to review the specific transactions that provide such information. The most interesting ones could be the following:

• KS03 >> Display Cost Center
• KS05 >> Cost Center: Display Changes
• KS13 >> Cost Centers: Master Data Report

Finally, below are the most relevant authorization objects that have Cost Center restriction and should be considered:

• I_KOSTL >> PM: Cost Centers
• K_CSKS >> CO-CCA: Cost Center Master
• K_CSKS_PLA >> CO-CCA: Cost Center Planning
• K_REPO_CCA >> CO-CCA: Reporting on Cost Centers/Cost Elements

Profit Center

On the other hand, regarding the identification of the Profit Centers that are available in the system, the information is stored in the table CEPC (Profit Center Master Data Table) for basic information.

Other ways to identify this structure and define the role model in accordance could be to research the following tables:

• SETNODE: filtering by SETCLASS=0106, there is information regarding the structure (relationship Profit Center Group-Subgroup).
• SETLEAF: filtering by SETCLASS=0106, there is information regarding the relationship Profit Center Group-Subgroup and specifics Profit Centers.

Other way to review this data would be to reach the specific transactions that provide such information. The most interesting ones could be the following:

• KE53 >> Display Profit Center
• KE5X >> Profit Center: Master Data Index
• KE5Z >> Profit Center: Actual Line Items

Finally, below are the most relevant authorization objects that have Profit Center restriction:

• C_PROJ_PRC >> PS: Profit center for project definition
• C_PRPS_PRC >> PS: Profit Center Authorization for WBS elements
• K_PCAR_REP >> EC-PCA: Summary and Line-Item Reports.
• K_WIP_PC >> CO-PC-OBJ: WIP Calculation and Results Analysis

 

Cost and Profit Center Role restriction

In this section, it is going to be shown the way to restrict these organizational values in the role model. The review will be done for both Cost and Profit Centers together, as the procedure is very similar for both.

First, once defined the information of the relationships between other organization value master data and the cost and profit centers, it is time to establish the values that will apply in each role. 

This mapping will rely on the relationship between the organizational values in each system and the way that the roles are being derived (by what organizational value), so the strategy for definition will be different in each client.

What should be similar for all clients would be the hierarchical structure, this is, how the Cost and Profit Centers are maintained in SAP.

Cost and Profit Centers in SAP are stored in a hierarchy, where clients can create different groups and subgroups that allow to store the Cost & Profit Centers that should be in the same level and have similar characteristics.

There are different ways to create this hierarchy, as it is customizable. For example, some clients prefer to create groups by Business Units, others prefer to group them by Functional Areas, or similar.

Below is an example of the standard hierarchy that SAP provides by default, where the information of the profit/cost center structure in the system and how the inclusion of a new one might look like (TEST_COST).

One important fact that should be considered when creating the structure is that, to fill up the values of Cost and Profit Centers in the roles, is mandatory to give access to the specific Cost/Profit Centers or to establish wild cards (using *).

The key point here is that is not possible to select a whole structure to give access to those organizational value, as the system only allows to select a specific value.

Because of that, the recommendation when creating the structure is to follow a naming convention for the Cost and Profit Center and the Cost and Profit Center Groups, that allows to use wildcards in case the users should have access to the entire group in the hierarchy.

For instance, in the example above, if the users should have access to the all-administration group, the roles could have the value “0001-1*”, instead of selecting the Cost Centers one by one. This tip is also helpful when a new Cost or Profit Center is created within the structure, as it is already defined that the roles should provide access to the whole groups by using those wildcards.

RESPAREA

Finally, the configuration of the responsibility area would be different from the others organization values, as some values for this one are locked by default in the role management, and a previous configuration needs to be performed prior to start filling up the organizational values in SAP Roles.

The first step would be to configure the table KBEROBJ (Settings for authorization objects in Cost Center Accounting), to specify the fields that are required to be restricted within the RESPAREA organizational value.

Basically, within this organizational value, there are different restrictions that can be performed, based on the following fields:

• KS: Cost center
• HI: Authorization Hierarchy (Cost center hierarchy nodes)
• KN: Cost Center Group
• PC: Profit Center
• PH: Profit Center Group
• BP: Business Process
• BH: Business Process Nodes
• OR: Orders

It is important to remark not all this fields are validated once executing a transaction in SAP. The most relevant ones would be the first 5 restrictions. In fact, the Business Process structure could be not even defined in some systems.

The technical steps to perform this configuration are explained in SAP note 698401 (RESPAREA as organizational level field).

To summarize, it is needed to register in the table KBEROBJ the organizational values that are needed to be restricted within the RESPAREA in the role model. To do so, as mentioned in the note, the key field OBJECT must remain empty and the field CURRENTOBJ must be filled, because otherwise, no initial screen can be determined (the value included in this field is not relevant for the role management, so will not be taken as configured if it is not included in the following fields).

Once this configuration is finished, the next step would be to fill up the needed organizational values in the role model, using the RESPAREA field (CO-OM Responsibility Area).

RESPAREA Role restriction

As previously mentioned, this organizational value stores multiple restrictions. To fill up the values, first it is needed to select in the first place the option “change” in the definition of organizational values, and then a new window pops up, with the different tabs that were previously configured in the table KBEROBJ.

Then, roles can be restricted with different variables. 

Each one of these variables needs to be defined using the corresponding tab and all except of the Order must be related to a specific Controlling Area.

Finally, below are the most relevant authorization objects that have this type of restriction:

• K_CCA>> CO-CCA: Gen. Authorization Object for Cost Center Accounting
• K_PCA>> EC-PCA: Responsibility Area, Profit Center

KEY POINTS:

• The organizational values in the SAP systems are the way that SAP provides to restrict roles in the system following an organizational behavior.
• To achieve the most complete restriction within Profit and Cost Centers authorizations, it is very important to properly define and configure the Responsibility Area restriction as well.
• One of the key points for such projects to be successful would be to involve the business in the reviews and definition of the restriction.
• The hierarchical structure that stores how the Cost and Profit Centers are maintained in SAP is similar in most of the cases, but the relationship between the organizational values in each system and the way that the roles are being derived will be different in each system.
• The configuration of RESPAREA organizational value requires some previous steps, such as configuring the table KBEROBJ to open the fields for role management. SAP provides a step-by-step procedure for this matter within the note 698401 (RESPAREA as organizational level field).