We are having a really tough time managing authorizations / restrictions for branch-level accountants within the same company code.
We have defined each Branch within the company code as an individual Profit Center, Plant and Purchasing Organization.
Question 1 - Has any one of you found a better way to define branches within a company code with the ability to report CO-based P&L reporting at branch level?
There are 3 major authorization issues that we have come across to date for which we have not been able to figure out a workaround -
1. App 'Manage Journal Entries'
The restrictions maintained in the role & catalog do not restrict the view of the Journal entries for another branch (by profit center or plant or purchasing org).
This causes a risk of exposing transactions of another branch to these accountants, thereby causing a data view policy guidelines violation.
2. App 'Manage Supplier Line Items'
We have Suppliers that are common to all the branches.
However, we need to restrict the view of the supplier line item entries by the particular branch to that branch's AP Accountant, but apparently the restrictions by profit center or plant or purchasing org are not helping to restrict the view.
Clearly, again, this limitation is causing a risk of exposing supplier line items of another branch to these accountants.
3. App 'Post Outgoing Payments'
Branch-level AP Accountants must not be able to post Outgoing Payments on Bank G/Ls that are from other branches, using this app.
We tried to build a restriction on the House Bank ID and Bank Account ID and also entered this data in the G/L Master Data, but the restriction does not work, and allows branch AP Accountants to see the other branch bank G/Ls in the search help as well as post the payments on the non-relevant G/Ls.
We tried to search if there was a G/L Account Authorization group feature just like in On-Prem, but realized that there isn't one.
This issue is a huge risk as it allows branch accountants to post payments on bank accounts from other branches.
Question 2 - Has any one of you faced one of the above issues & figured out a workaround for these challenges?
Or are there some BADIs where we could build some hard-coded restrictions?
Any help on the above topics would be very helpful and highly appreciated.
We are at a point where we are really questioning the practicality of the authorization concept in the S/4HANA Cloud solution.
We don't understand - did SAP not think of so many companies using branch-level accounting, while building the solution?
Thanks in anticipation.