Cost center view missing in Fiori cost management app after role update in PFCG

PLM SAP PLM
, , , , , , , ,
1

After updating user roles in PFCG to include new cost center authorizations, the Fiori Cost Management app no longer displays the cost center view. Users can access the app and see project-level costs, but the cost center breakdown is completely missing.

SU53 trace after attempting to access cost center view:


Object: F_CSKS, Field: ACTVT=03, KOKRS=1000, KOSTL=*
Return: Not checked (no authority check performed)

The authorization object F_CSKS is included in the updated role with ACTVT=01,02,03 and KOSTL=*. Role generation shows green status, and users have logged out/in multiple times. The backend RFC call for cost center data returns empty results, but when I test with transaction KS03, the same users can view all cost centers without issues.

This only affects the Fiori app - traditional GUI transactions work fine. Has anyone seen Fiori authorization issues where SU53 shows ‘Not checked’ even though the object is in the role?

2

I checked /IWFND/MAINT_SERVICE and found the cost management service (ZCOST_MGMT_SRV) has authorization checks enabled. However, I notice the service configuration was last modified on the same day as our role update. Could there be a connection?

The service shows F_CSKS in the authorization object list, but there’s a checkbox ‘Enable Backend Authorization Only’ that’s unchecked. Should this be enabled?

3

The ‘Not checked’ status in SU53 indicates the authority check was never executed, which means the Fiori app isn’t calling the authorization check at all. This is different from a failed check.

Check if the Fiori app has a separate authorization configuration in /UI5/THEME_DESIGNER or Gateway service authorization. Fiori apps sometimes have their own authorization layer that’s independent of the backend authorization objects.

4

I’ve diagnosed this exact issue multiple times. Here’s the comprehensive solution covering all three focus areas:

1. Fiori Role Assignment - Root Cause Analysis: Your role update inadvertently affected the Fiori catalog assignment. When you modified the role in PFCG, the Fiori cost center catalog (SAP_CA_BC_IC_LRR_PC) was likely removed or not properly regenerated. This catalog contains the authorization for the cost center view component.

Verify in PFCG under the ‘Menu’ tab:

  • Check if catalog SAP_CA_BC_IC_LRR_PC is present
  • Verify the cost center tile has the correct semantic object assignment
  • Regenerate the role completely (not just authorization data)

2. Authorization Object Configuration - The Gateway Layer Issue: The ‘Not checked’ status in SU53 confirms the authorization check is happening at the Gateway layer, not the backend. Your Gateway service configuration needs adjustment:


// Transaction /IWFND/MAINT_SERVICE settings:
Service: ZCOST_MGMT_SRV
Enable Backend Authorization Only: ✓ (checked)
Authorization Objects: F_CSKS, F_CSKS_CHA

The service configuration change on the same day as your role update suggests someone modified the Gateway service settings. Enable ‘Backend Authorization Only’ to ensure F_CSKS checks execute properly.

3. SU53 Trace Analysis - Diagnostic Procedure: The ‘Not checked’ status requires a different diagnostic approach than failed checks:


// Pseudocode - Gateway authorization diagnostic:
1. Enable Gateway logging in /IWFND/ERROR_LOG with filter:
   User: affected_user, Service: ZCOST_MGMT_SRV
2. Reproduce the issue (access cost center view)
3. Check /IWFND/ERROR_LOG for authorization messages
4. Look for HTTP 403 responses or empty entity sets
5. Cross-reference with SU53 timestamp to confirm Gateway vs Backend check
// Gateway logs show the actual authorization flow

Complete Fix Implementation:

Step 1: Fix Gateway Service Configuration

  • Go to /IWFND/MAINT_SERVICE
  • Select ZCOST_MGMT_SRV service
  • Click ‘Configure’ button
  • Enable ‘Backend Authorization Only’ checkbox
  • Add authorization objects: F_CSKS (primary), F_CSKS_CHA (for hierarchy views)
  • Save and activate the configuration

Step 2: Correct Fiori Role Assignment In PFCG, edit the affected role:

  • Navigate to ‘Menu’ tab
  • Add Fiori catalog: SAP_CA_BC_IC_LRR_PC (Cost Center Analysis)
  • Under ‘Authorizations’ tab, verify these objects are present:
    • F_CSKS: ACTVT=01,02,03, KOSTL=*, KOKRS=1000
    • S_SERVICE: ICF_VALUE=ZCOST_MGMT_SRV
    • S_ICF: ICF_FIELD=/sap/opu/odata/sap/*
  • Generate the role completely (Full Generation, not just authorization data)

Step 3: Clear Authorization Buffers Users must clear their authorization cache:

  • Log out from Fiori launchpad completely
  • Clear browser cache (important for Fiori apps)
  • Wait 5 minutes (authorization buffer refresh interval)
  • Log back in and test cost center view

Verification Steps:

  1. Test with transaction KS03 - should still work (backend check)
  2. Access Fiori cost management app - cost center view should now appear
  3. Run SU53 after accessing cost center view - should show ‘Return: 0’ instead of ‘Not checked’
  4. Check /IWFND/ERROR_LOG - should show successful GET requests with no authorization errors

Why This Happened: When you updated the role in PFCG, the Fiori catalog assignment was not preserved. Additionally, someone modified the Gateway service configuration on the same day, disabling backend authorization checks. This combination caused the service to return empty results because:

  1. The Gateway layer couldn’t perform authorization (backend checks disabled)
  2. The Fiori role didn’t include the cost center catalog
  3. The service returned an empty entity set instead of an authorization error

The key indicator was ‘Not checked’ in SU53 - this always points to Gateway-layer authorization issues rather than backend authorization failures. Traditional GUI transactions worked because they bypass the Gateway layer entirely and check F_CSKS directly in the backend.

5

Yes, that checkbox is critical. When ‘Enable Backend Authorization Only’ is unchecked, the Gateway service performs its own authorization checks using a different mechanism than the backend. This can cause the ‘Not checked’ status in SU53 because the check happens at the Gateway layer, not the backend layer.

Enable that checkbox and retest. This will force the service to use the backend authorization objects (F_CSKS) that are already in your user roles. The service configuration change on the same day as your role update might have accidentally disabled this setting.

6

This sounds like a Gateway service authorization issue rather than a backend authorization problem. The Fiori app calls an OData service that has its own authorization checks. If the service isn’t properly configured to check F_CSKS, it will return empty results even though backend authorization is correct.

Check transaction /IWFND/MAINT_SERVICE and verify the authorization settings for the cost management OData service. The service might be configured to skip certain authorization checks after your role update.