A user that has company code authorization maintained can still access data from company codes outside of their authorization.
Note: This issue may also occur when viewing I_OperationalAcctgDocCube or a custom CDS view that uses I_OperationalAcctgDocCube.
Reproducing the Issue
- Open the 'Maintain Business Roles' app
- Choose the role assigned to the user
- Choose 'Edit' followed by 'Maintain Restrictions'
- Maintain each instance of the 'Company Code' field
- Open the 'Manage Journal Entries' app, for example, and see restricted data from all company codes
Note: The above example is based on a user with a single business role assigned.
This issue may be caused by maintaining the 'Company Code Hierarchy' restriction as 'Unrestricted'.
In such cases, Unrestricted authorization is evaluated to TRUE irrespective of any instance of Company Code Hierarchy. As this affects the authorization of Company Code, access for Company Code is evaluated to TRUE.
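The evaluation described above can be checked across roles with a short audit script. This is an added example, not SAP code: the CSV column layout, role names and company codes are constructed assumptions, and `can_read` models only the behaviour this KBA describes.

```python
import csv
import io

# Constructed sample; the column layout is an assumption, not an SAP export format.
SAMPLE_EXPORT = """role,access_category,restriction_field,value
BR_GL_ACCOUNTANT_US,"Read, Value Help",Company Code,1710
BR_GL_ACCOUNTANT_US,"Read, Value Help",Company Code,1720
BR_GL_ACCOUNTANT_US,"Read, Value Help",Company Code Hierarchy,Unrestricted
BR_GL_ACCOUNTANT_DE,"Read, Value Help",Company Code,1010
BR_GL_ACCOUNTANT_DE,"Read, Value Help",Company Code Hierarchy,Not Maintained
"""

UNRESTRICTED = "Unrestricted"
NOT_MAINTAINED = "Not Maintained"


def load_roles(text):
    """Group 'Read, Value Help' rows into {role: {"codes": set, "hierarchy": str}}."""
    roles = {}
    for row in csv.DictReader(io.StringIO(text)):
        if row["access_category"].strip() != "Read, Value Help":
            continue
        entry = roles.setdefault(row["role"], {"codes": set(), "hierarchy": NOT_MAINTAINED})
        field, value = row["restriction_field"].strip(), row["value"].strip()
        if field == "Company Code":
            entry["codes"].add(value)
        elif field == "Company Code Hierarchy":
            entry["hierarchy"] = value
    return roles


def can_read(entry, company_code):
    """An Unrestricted hierarchy evaluates to TRUE regardless of instance,
    so the Company Code check evaluates to TRUE as well."""
    if entry["hierarchy"] == UNRESTRICTED:
        return True
    return company_code in entry["codes"]


def find_overridden_roles(roles):
    """Roles whose explicit Company Code list is bypassed by the hierarchy setting."""
    return sorted(name for name, e in roles.items()
                  if e["hierarchy"] == UNRESTRICTED and e["codes"])


if __name__ == "__main__":
    roles = load_roles(SAMPLE_EXPORT)
    for name in find_overridden_roles(roles):
        print(f"{name}: Company Code list {sorted(roles[name]['codes'])} is bypassed")
```
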
Maintain the 'Company Code Hierarchies' restrictions, which can be found under 'Read, Value Help', as 'Not Maintained'.