In this blog, we would like to share some technical details from Group Reporting perspective so that customer may try to explore the possibility to achieve authorization control on consolidated profit center hierarchy level in short term as workaround. (** Please bear in mind that the authorization control against consolidated profit center hierarchy may have negative impact on matrix consolidation against profit center feature.)

1. Directly build DCL on CDS query view does not work since authorization actually is checked on the CDS Cube level. Please refer to link for detail Illustrate how Analytical Queries are executed and... - SAP Community

2. Group Data Analysis (GDA) is Fiori app for customers to retrieve data from ACDOCU. The underlying CDS query view (consumption) is 2CCSRPT30Q (C_CnsldtnRpt30Q). Such CDS query view is on top of the CDS cube view (I_MatrixCnsldtnFndnCube). If you check the annotations for this CDS cube view, you will notice annotation readClassName

@AbapCatalog.sqlViewName:'IMCFNDNCUBE'
@AbapCatalog.compiler.compareFilter: true
@AbapCatalog.buffering.status: #NOT_ALLOWED
@AccessControl.authorizationCheck: #CHECK
@analytics: { dataCategory: #CUBE, internalName: #LOCAL }
@ClientHandling.algorithm: #SESSION_VARIABLE
@Metadata: { allowExtensions:true, ignorePropagatedAnnotations: true }
@ObjectModel.usageType: { sizeCategory: #XL, dataClass: #MIXED, serviceQuality: #D }
@analytics.readClassName: 'CL_FINCS_GRA_CUBE'
@VDM.viewType: #COMPOSITE
@EndUserText.label: 'Matrix Consolidation Foundation Cube'

This annotation means that as long as CDS query view is directly on top of it, the specific ABAP implementation will be triggered and underlying SQL stack of I_MatrixCnsldtnFndnCube as well as the DCL of I_MatrixCnsldtnFndnCube are bypassed. So technically directly build custom DCL with REDEFINITION to overwrite DCL I_MatrixCnsldtnFndnCube does not take effect. (The reason why we say "technically" is due to bulletin 4)

3. The ABAP implementation actually retrieves the data by calling CDS view I_MatrixCnsldtnFndnPeriodic. So the DCL of I_MatrixCnsldtnFndnPeriodic actually takes effect. This could be confirmed by taking security trace via transaction code STAUTHTRACE.

4. The content of DCL I_MatrixCnsldtnFndnPeriodic actually inherits the DCL of I_MatrixCnsldtnFndnCube.

@EndUserText.label: 'DCL for I_MatrixCnsldtnFndnPeriodic'
@MappingRole: true
define role I_MatrixCnsldtnFndnPeriodic {
grant select on I_MatrixCnsldtnFndnPeriodic inherit I_MatrixCnsldtnFndnCube;
}

Such inheritage does not check the final DCL of I_MatrixCnsldtnFndnCube. So back to bulletin 2 that DCL REDEFINITION directly against I_MatrixCnsldtnFndnCube does not get inherited, but against I_MatrixCnsldtnFndnPeriodic directly works. ( Even though there might be a way to make DCL REDEFINITION of I_MatrixCnsldtnFndnPeriodic to check final DCL REDEFINITION of I_MatrixCnsldtnFndnCube, this will make REDEFINITION to both DCL rather than only one. In addition, we also do not recommend customer to change the pre-delivered DCL I_MatrixCnsldtnFndnCube directly, though it might be the most straightforward way. )

5. Group Reporting and FI/CO actually shares the same profit center master data, though the hierarchy is different (CS04 for GR). So when trying to reuse authorization object K_PCA_HIER -> (PCTRHIER, PCTRHIERND), you need to fully understand how it works with CDS I_PROFITCENTERHIERAUTH, I_ProfitCenterHierSubTree and I_ProfitCenterHierarchy so that you could build similar CDS views for Consolidated Profit Center Hierarchy as you need to a) filter against CS=04 hierarchy type b) recurse all it's sub nodes to retrieve all the base members of the node.

Hope the above information could give you some idea on how to 
1. make DCL REDEFINTION take effect for GR CDS views
2. harmonize authorization object K_PCA_HIER for Consolidated Profit Center Hierarchy