Skip to Content
Technical Articles

SAP Profitability and Performance Management – Dual Control Overview

It is a fact that every corporation and company in the business world primarily aims to consistently meet their customer requirements and to increase customer satisfaction. These entities mostly utilize a kind of quality management system to ensure utmost quality is met every time. This may vary from one industry to another – but it is generally built around two phases which involve two sets of people or groups, those who “perform” the task and those who “review” how the task was performed as inaccuracies and errors are likely to happen. This concept describes a principle known as the “four-eyes principle” which main goal is to ensure that at least two people or groups have verified and confirmed the action.

SAP Performance and Profitability Management (also known as PaPM) has an existing mechanism referred as Dual Control which was developed based on the “four-eyes principle”. This mechanism facilitates approvals and workflows in the system and in relation to this being the highlight of this blog, I will be showing you how this dual control is performed.

Prior to this, we will be focusing first on the access and the different authorization restrictions defining how a user can utilize the application and as promised I will be showing you how we will be utilizing this mechanism.

But before you proceed in reading this blog post, it is essential that you read first The Impact of Teams on PaPM Process Management and Execution, so that you can have a better understanding on how to 1) define a process template in the Calculation Unit 2) create a process instance in Manage and Deploy Processes and 3) deploy the created process instance in My Activities. These topics are essential for you to better understand the content of this blog post.

Now going back to our blog post, let us clear up the following topics that comprise Dual Control such as Authorization and Dual Control.

For the authorization section, we will be looking into the different objects that a user would need to access the My Activities application where the performer and reviewer can perform the dual control mechanism. Once we have discussed the needed authorizations for access, I will show you the different activity restrictions that can be applied to an execution user.

After, I will discuss the dual control section and show you how to 1) enable the dual control mechanism 2) How to submit, approve and reject an activity and 3) how an execution user can reset the state of a completed activity.

Authorization: Access and Restriction

As seen in the authorization section of the PaPM administration guide the solution offers role templates that can act as a guide by security administrators to define the authorizations that can be used by different user roles such as Administration, Modeling, Execution, Execution Management and Operations/System roles.

For this blog post we will focus on the execution role template that was further enhanced in PaPM SP09 which gives the user the needed authorization activities to display, execute, and analyze,and how to access different applications such as My Activities, My Events, and My Reports which is relevant for the execution user.

In the Execution role(/NXI/P1_EXECUTION_USER_ALL), we can see the important objects that are relevant for the access to different transactions (S_TCODE) and authorized activities(/NXI/P1F) for the execution user.

For object S_TCODE, the security administrators can maintain the transaction code that is relevant for the execution user. By default the following transaction codes are maintained for this user template:

 

For object /NXI/P1F there are different values that the security administrator can tweak.

For Authorization Activities, the activities that can be maintained here are Display(03), Execute(16), and Analyze(71) that would restrict the users capability on what actions can be performed in the My Activities application.

Hint:
The other activity values are relevant for the data modeler role and modeling applications.

While for Environment, Function, Function Type, Parent Calculation Unit, and Version, the security administrator can optionally restrict the environment, function type and drill down up to the version of the environment where the authorization activities(03, 16, 71) are to be applied on.

Just a friendly tip, if your solution is still in a lower version(SP08 and below) you must first implement note 2904880 – FS-PER Rel 3.0 SP09: Display authorization in My Activies – authorization check doesn’t work and its prerequisites to have the latest authorization checks for My Activities application in your system.

Now let us break down the different authorization activities.

Display(03)

For display, this authorization restricts the users view of the configuration of the function in the modeling application. The display of activities in the application will still depend on how you have maintained the performer and reviewer for that activity. This was also mentioned in the blog post : The Impact of Teams on PaPM Process Management and Execution.

In the execution application, this authorization activity applies if an execution user doesn’t have the display authorization or the display is only restricted to a certain environment. In such cases the user will not be allowed to display the configuration of that activity once he selects it and chooses Go To > Configuration button.

Once the execution user chooses the Configuration in the dropdown list, the user will be prompted an error message indicating that the user is not authorized for activity “Display”.

Execute(16)

If the execution user doesn’t have the execute activity, this user would not be allowed to run the function from the My Activities application. If the user chooses the Run button, he will receive an error message that he is not authorized for the activity “Execute”. On another note, the Run button will only be visible if your activity is an execution type.

Analyze(71)

Now for Analyze, the Launch and Launch in Excel buttons will only be visible if the activity is of type Input / Output. But when you choose any of the two, same as the Run, you will receive an error message that you are not authorized, but this time for activity “Analyze”

Now that we already tackled the authorization: access and restrictions let us now focus on how we can utilize this mechanism in the My Activities application through Dual Control.

Dual Control

Before we start to discuss how the dual control mechanism works we must first ensure that we have performed the following, so that we can execute the workflow.

  1. The dual control customizing settings has been setup in the system.
  2. The process template has been created in the Calculation Unit.
  3. The user groups are maintained for the Performer and Reviewer.
  4. The process instance created is deployed in the My Activities application.

Your question here might be “how should we perform these?”

Let me give an overview of these items.

To ensure that the dual control customizing settings has been activated, I would like to refer you to the Set Up Workflow for Dual Control Usage in Process Execution (Optional) section of the administration guide, wherein system administrators need to perform this post installation step that would be essential in setting up the workflow for dual control in PaPM.

If there is an instance that after performing the said step in the administration guide, you still encounter problems in executing workflow. I would refer you to sapnote 2687008 – FS-PER Rel 3.0 – Dual Control Framework for My Activities not working which contains a list of checks that your system administrators should perform prior to executing the workflow.

Now that we have ensured that you have technically setup the workflow for dual control, the next points (2. The process template has been created in the Calculation Unit, 3. The user groups are maintained for the Performer and Reviewer, 4. The process instance created is deployed in the My Activities application) are to be performed and you can get more information on how to do it by reading the blog post The Impact of Teams on PaPM Process Management and Execution.

Now let us get serious and discuss how dual control works.

As mentioned in the blog post The Impact of Teams on PaPM Process Management and Execution, dual control only kicks in when both performer and reviewer user groups are maintained for a process instance. The workflow starts when a performer submits an activity. But before submitting an activity bear in mind that if the activity being submitted is of type execution, the performer must perform a Run of the activity before he submits it. For those of you who are technically inclined, this means that the run process is essential to populate the corresponding Y-Table of that particular activity.

My Activities application: Performer screen

Once the performer has executed the activity, the activity can now be submitted by choosing the SUBMIT button.

My Activities application: Performer screen

Now that the activity is submitted, the status of that activity would then change from Open to In Approval.

My Activities application: Performer screen

Now that the activity has been submitted, the Performer would then notice that the submit button would be greyed out and the Reviewer will have the capability to either Approve or Reject it.

If the Reviewer opts to reject the activity, then the Reject button should be selected.

My Activities application: Reviewer screen

On another note, the Reviewer can add a comment to an activity giving some information or reason on why this activity was rejected.

My Activities application: Reviewer screen

Once it is rejected, the activity status will be set from In Approval back to Open.

My Activities application: Reviewer screen

Now that the activity has an Open status the Performer can submit the activity once more, after adjustments and re-processing via RUN button has been performed.

Once the activity is submitted and the Reviewer has confirmed that the activity is already “okay” the Reviewer can now approve the activity.

My Activities application: Reviewer screen

Once this is approved, the status will change from In Approval to Completed.

My Activities application: Reviewer screen

The changes from the start can also be viewed by choosing the Workflow Log which will show you the needed information on when the activity was submitted, rejected, or approved and who was the responsible person who made those changes. Giving the user an overview of the dual control mechanism that was performed in this activity.

Workflow Log:

Now that we have finished one cycle of dual control workflow, we can proceed into some details that are also essential in utilizing this mechanism. We will be discussing the Previous Activity and the Reset State functionality.

For previous activity based on the word itself, we have an idea that assigning an activity in this column would give dependency between the “main activity” and the assigned “previous activity”.

Meaning the previous activity needs to be completed first before running the main activity. Once the previous activity is completed, the state of the main activity would then change from Pending to Open. From there, the Performer will now have the capability to perform dual control once he executes the activity.

Now that we have discussed the previous activity and we understand how to process them, I will be giving you some information on how to reset the state of a completed activity.

Activity state “completed” is the final state for an activity workflow, meaning no more changes can be done and activity execution is no longer possible until Reviewer resets the activity through Manage and Deploy Process application.

After reset, the activity will be Open again and will be reflected in the My Activities application wherein the Performer can re-do the workflow steps discussed above.

Hopefully you have learned something about Dual Control authorization and workflow processing through this blog post.

If you find this post helpful click on the LIKE button and share it with a friend or colleague.

Thank you for your time!

 

Be the first to leave a comment
You must be Logged on to comment or reply to a post.