Authorization Control in CJ20N: How to Restrict Project Access in SAP

Introduction

CJ20N is a key transaction in SAP's Project System (PS) module, allowing users to create, edit, and manage project structures. However, in organizations with multiple users accessing CJ20N, it's crucial to control project access to ensure data security and compliance. This guide explores various methods to restrict project access within CJ20N and provides an extensive list of authorization objects checked in this transaction.

Methods to Control Authorization in CJ20N

To control who can access specific projects in CJ20N, SAP provides multiple authorization mechanisms:

1. Project Profile-Based Authorization

Each project in SAP is assigned a Project Profile, which determines various settings, including authorization controls. By configuring project profiles, you can limit access to specific user groups.

2. Profit Center Authorization

Projects can be linked to Profit Centers, allowing authorization to be controlled at the financial level. Users can be granted access to only those projects associated with specific profit centers.

3. Project Type Restrictions

Organizations can define Project Types in SAP, which can be used to restrict access to specific categories of projects.

4. Controlling Area-Based Access

Some projects fall under specific Controlling Areas, and authorization can be assigned based on this classification.

5. User-Specific Roles and Authorization Objects

By assigning the right combination of authorization objects, you can fine-tune access levels for different users.

Key Authorization Objects for CJ20N

SAP checks multiple authorization objects when a user accesses CJ20N. Below is a categorized list of the most relevant objects:

Project System (PS) Authorizations

Authorization Object Description
C_PROJ_KOK PS: Controlling Area for Project Definition
C_PROJ_PRC PS: Profit Center for Project Definition
C_PROJ_TCD PS: Transaction-Specific Authorizations in Project System
C_PROJ_VNR PS: Project Manager for Project Definition
C_PRPS_ART PS: Project Type Authorization for WBS Elements
C_PRPS_KOK PS: Controlling Area Authorization for WBS Elements
C_PRPS_KST PS: Cost Center Authorization for WBS Elements
C_PRPS_PRC PS: Profit Center Authorization for WBS Elements
C_PRPS_VNR PS: Project Manager Authorization for WBS Elements

Asset Management Authorizations

Authorization Object Description
A_A_VIEW Asset: View
A_S_ANLKL Asset Master Data Maintenance: Company Code/Asset Class
A_S_GSBER Asset Master Data Maintenance: Company Code/Business Area
A_S_KOSTL Asset Master Record Maintenance: Company Code/Cost Center

Document and Change Management Authorizations

Authorization Object
Description
C_AENR_BGR CC Change Master - Authorization Group
C_DRAW_BGR Authorization for Authorization Groups
C_DRAW_DOK Authorization for Document Access
C_DRAW_STA Authorization for Document Status

Controlling (CO) Authorizations

Authorization Object
Description
K_ORDER CO-OPA: General Authorization Object for Internal Orders
K_REPO_OPA CO-OPA: Reporting on Orders
K_VRGNG CO: Business Transactions, Actual Postings, and Plan/Actual Allocations

HR and System-Level Authorizations

Authorization Object
Description
P_ORGIN HR: Master Data
P_PERNR HR: Master Data - Personnel Number Check
S_TABU_DIS Table Maintenance (via Standard Tools such as SM30)
S_TCODE Transaction Code Check at Transaction Start

How to Implement Authorization Control in CJ20N?

To apply these restrictions effectively, follow these steps:

Step 1: Identify the Required Authorization Objects

Determine which authorization objects should be assigned based on your project control needs.

Step 2: Assign Users to Authorization Roles

Use SAP Role Maintenance (Transaction PFCG) to assign authorization objects to user roles.

Step 3: Maintain Authorization Profiles in SU01

In Transaction SU01, assign specific authorization profiles to users, ensuring they have only the necessary permissions.

Step 4: Test Access Restrictions

Before going live, test authorization settings to ensure that users can only access the permitted projects.

Step 5: Monitor and Review Regularly

Use SAP Audit and Logs to regularly review access and make necessary adjustments.

Frequently Asked Questions (FAQs)

1. Can I restrict users from modifying projects in CJ20N?

Yes, you can restrict modification access using C_PROJ_TCD and C_PRPS_ART authorization objects.

2. How can I check a user’s authorization in CJ20N?

Use Transaction SU53 to analyze authorization failures and determine missing objects.

3. What happens if a user has multiple conflicting authorizations?

SAP follows the most permissive approach, meaning if a user has one role that allows access and another that denies it, access will be granted.

4. Can authorization restrictions be applied at the WBS Element level?

Yes, use objects like C_PRPS_KOK, C_PRPS_PRC, and C_PRPS_KST to restrict access to specific Work Breakdown Structure (WBS) elements.

5. Is it possible to control CJ20N access based on Profit Center?

Yes, C_PROJ_PRC and C_PRPS_PRC authorization objects help restrict access based on Profit Centers.

6. How often should authorization settings be reviewed?

It’s recommended to review authorization settings quarterly to maintain compliance and security.

Conclusion

Controlling authorizations in CJ20N is crucial for maintaining data integrity and security in SAP Project System. By leveraging Project Profiles, Profit Centers, and Authorization Objects, you can efficiently restrict access to sensitive projects.

For a more robust authorization strategy, regularly review user roles, test restrictions, and monitor logs to ensure compliance with organizational policies. 🚀

Get help for your SAP PS problems
SAP PS Forum - Do you have a SAP PS Question?

SAP Project System Books
SAP PS Books - Certification, Interview Questions and Configuration

SAP Project System Tips
SAP PS Tips and Project System Discussion Forum

Best regards,
SAP Basis, ABAP Programming and Other IMG Stuff
http://www.erpgreat.com

All the site contents are Copyright © www.erpgreat.com and the content authors. All rights reserved.
All product names are trademarks of their respective companies.  The site www.erpgreat.com is in no way affiliated with SAP AG.
Every effort is made to ensure the content integrity.  Information used on this site is at your own risk.
 The content on this site may not be reproduced or redistributed without the express written permission of
www.erpgreat.com or the content authors.