We’re facing a critical issue with cost center hierarchy replication from our legacy system to SAP S/4HANA Cloud 2020. The synchronization job fails with a CDS view authorization error, preventing our monthly cost reporting from completing on schedule.
The error message we’re receiving:
CDS View Authorization Error: I_COSTCENTERTEXT
User TECH_USER_SYNC lacks DCL authorization
SQL Error: INSUFFICIENT_PRIVILEGE [403]
Our technical user has been granted the standard business role for cost center management and appears to have the necessary authorizations in PFCG. The replication worked fine in our development environment but fails consistently in production. The CDS view I_COSTCENTERTEXT is being accessed during the hierarchy synchronization process, and the DCL rules seem to be blocking the technical user’s access. Has anyone dealt with CDS view authorization issues for technical users in cloud deployments, particularly with Data Control Language restrictions?
Martin raises a good point. Also verify that your replication job is using the correct authentication method. If it’s an OData-based integration, the communication arrangement must explicitly grant access to the CDS view’s associated service. The error code [403] suggests an HTTP-level authorization failure, which points to communication arrangement configuration rather than pure ABAP authorization.
The CDS view authorization error for cost center hierarchy synchronization requires addressing three interconnected authorization layers specific to S/4HANA Cloud 2020.
CDS View Authorization (DCL):
The CDS view I_COSTCENTERTEXT implements Data Control Language (DCL) based on the access control definition:
@AccessControl.authorizationCheck: #CHECK
define view I_COSTCENTERTEXT
with parameters P_ControllingArea
This DCL evaluates authorization object K_CSKS with specific field-level checks for controlling area (KOKRS) and cost center (KOSTL). Your technical user must have K_CSKS authorization with:
- Activity (ACTVT): 03 (Display)
- Controlling Area (KOKRS): * (or specific areas)
- Cost Center (KOSTL): * (or specific ranges)
The critical issue is that DCL authorization in cloud environments performs additional runtime checks beyond the authorization object. The view validates that the user has display authorization for ALL cost centers in the hierarchy being synchronized, not just individual cost centers.
Technical User Roles:
Technical users in S/4HANA Cloud require specific role configurations:
-
If TECH_USER_SYNC is a communication user (type S), authorization must be granted through a communication arrangement, not PFCG roles. Navigate to Communication Arrangements and verify that your cost center replication scenario includes:
- Inbound service: API_COSTCENTER_SRV
- Communication user: TECH_USER_SYNC
- Service status: Active with read access
-
If TECH_USER_SYNC is a system user (type L), assign business role SAP_BR_COST_ACCOUNTANT with the following critical catalog:
- SAP_CA_BC_IC_LRD_CO_PC (Cost Center Processing)
The role must include unrestricted access to all controlling areas present in your production environment.
Data Control Language (DCL) Configuration:
The production environment likely has tenant-specific DCL restrictions not present in development. To resolve:
- Verify organizational level assignments:
SE16N -> Table AGR_TCODES_ORG
Filter by: Role = <technical_user_role>
Check: KOKRS values include all production controlling areas
-
For communication users, ensure the communication arrangement includes organizational context:
- Open Communication Arrangement for cost center integration
- Navigate to Additional Properties
- Add controlling area parameters matching your production environment
- Save and activate the arrangement
-
Check DCL trace for detailed authorization failures:
- Transaction STAUTHTRACE
- Enable trace for user TECH_USER_SYNC
- Run synchronization job
- Analyze trace for specific DCL evaluation failures
The [403] error code indicates the authorization failure occurs at the service layer before reaching ABAP authorization checks. This confirms the issue is with communication arrangement configuration or missing service-level permissions.
Resolution Steps:
- Confirm user type (communication vs system user) in SU01
- For communication users: Update communication arrangement to include explicit controlling area scope
- For system users: Verify K_CSKS authorization includes organizational level values matching production data
- Add the technical user to the DCL-authorized group by assigning business role SAP_BR_ADMINISTRATOR_C with restricted scope to cost accounting
- Test authorization with STAUTHTRACE to identify remaining DCL restrictions
The development-to-production discrepancy typically results from different organizational data (controlling areas, company codes) between environments, causing DCL to filter differently even with identical role assignments.
CDS view DCL authorization is more restrictive in cloud environments than on-premise. Technical users need explicit DCL role assignments beyond standard PFCG authorizations. Check if your technical user has the DCL role for I_COSTCENTERTEXT assigned through the Maintain Business Roles app in Fiori launchpad.
Have you checked the technical user type? In S/4HANA Cloud 2020, communication users have different authorization evaluation paths than dialog users. If TECH_USER_SYNC is a communication user, it needs authorization through communication arrangements rather than traditional PFCG roles.
The issue is that CDS views with DCL (Data Control Language) have their own authorization layer independent of traditional authorization objects. Your technical user needs to be included in the DCL access control definition for I_COSTCENTERTEXT. In S/4HANA Cloud, you typically can’t modify the delivered DCL directly, so you need to ensure your technical user is assigned to a role that’s granted access in the DCL annotation. Check the CDS view definition to see what roles or authorization objects are referenced in the @AccessControl.authorizationCheck annotation. The development vs production discrepancy suggests different role assignments or DCL configurations between environments.