BW Authorizations/Report. Auth Object/KF's vs. Calc. KF's

We implemented a custom/reporting auth. object to protect key figures (1KYFNM) and it works well. The issue is that our user community never ceases to come up with new and even more creative requirements.
Let me illustrate the latest requirement:
I have locked-down access to certain key figures (let's call them 'KF A' and 'KF B') and therefore subsequently secure all combinations involving either one of the two meaning calc. KF D (KF A plus KF C) is locked down as well. I also need to mention that users are supposed to be able to create their own ad-hoc queries, which eliminates the option of limiting them to a query or set of queries that accomplish the following requirement.
There are certain totals, which are calc. KF's that the users are allowed/required to see even though they are not supposed to see what makes up these numbers (they should see calc. KF K which is made up of KF A, KF B, and KF H, etc. but not KF A and KF B).
Without the option of providing the users with rather static queries, I see another option as calculating 'KF K' (from the previous example) at the time of the load and just making it another key figure in the cube which then can be excluded from the auth. check previously mentioned based on the naming convention. The problem with that is that this will make reporting rather inflexible, increase load times as this calculation is rather complicated, and it will also create redundant information in an environment that is already experiencing substantial growth and volume.
Does anyone see any other solution?
Thanks,
Joerg

Jeorg,
I'm afraid that there's no special authorization handling for calculated key figures. To my best knowledge, the approach to create another key figure at data load time via transfer rules or update rules would be the only one can work. While this approach may not be flexible, but the load time should not increase significantly if you just add two key figure values into a new one.
If you find this is approach is unacceptable or it is a common requirement among BW community, you might consider submit such requirement through ASUG BI Group or via OSS development request.
Thank you for your question and patience.
Regards,
Amelia Lo
SAP NetWeaver RIG, US
SAP Labs, LLC

Similar Messages

  • Reporting Auths get switched on automatically?

    We have 0COMP_CODE made "authorization relevant" in our BW system, and have set up a custom auth object in RSSM, switched it on for specific InfoProviders ("Check for InfoCubes".  We do not have it switched on system-wide, only in specific cubes.
    Everything works as we expect, except that whenever new InfoProviders are created that contain 0COMP_CODE, it seems that the RSSM "Check for InfoCubes" automatically gets switched on for that cube!  Is this what others of you have observed?  What has sometimes happened to us then is the InfoCube gets transported with this switch turned on even if we never intended the authorization to be active in this cube.
    Just wondering if this is the way it is supposed to work - if others of you have faced this issue.
    Thanks,
    Chris

    hi Chris,
    yes, it's the way it works,
    oss note 746811
    Automatic assignment of Custom Auth objects to new infoproviders
    Symptom
    If an InfoProvider is recreated and then activated, all of the relevant reporting authorization objects are automatically activated for this InfoProvider.
    Other terms
    Authorization object, create, activate, InfoProviders, InfoCubes, RSSM RSSTOBJDIR
    Reason and Prerequisites
    <b>This is due to strict security guidelines</b>, which prohibit data from being displayed until it is explicitly permitted.
    Solution
    The security guidelines cannot be altered.
    If you do not require an authorization check, you must once again deselect the reporting authorization objects that were made; make this deselection in transaction RSSM under "Check for InfoProviders" --> "Change".

  • New t-codes & auth. objects

    Hi All-
    we are upgrading form 4.6c to ECC 6.0
    Can any pleas give the list of T-codes & Auth. objects that are new in ECC 6.0 compared to 4.6C
    Thanks in advance,
    Vj

    > I guess you can view all the new authorization objects by looking at SAP_NEW profile which contain all the latest modifications.
    Or, if you delete SAP_NEW after the previous upgrade, then all of SAP_NEW will be new.
    > For new tcode entries may be a download of TSTC tables from both the versions and comparing them will fetch you some new tcodes.
    Or use the search to find the table which contains the release dependency of "transactions"... -)
    Cheers,
    Julius
    PS: When searching, if you find any absolutely useless posts which clogg up the search, then please use the "Report Abuse" button and I will investigate them and clean them out.

  • Assign auth. object to infoprovider

    Hello,
    i have transported a auth object zsales_orgn to production. have transported the queries, roles etc.
    i realised that the infoproviders are not assigned to this object.
    when i go to rssm->enter this object->select check for infocubes->change
    i dont see any cubes in the list. how do i assign this object to a cube??
    PLEASE SUGGEST?

    hi S B,
    to transport the authorization object itself, try SE03-> change object directory entry, in next screen, use SUSO (type in below DTEL) and reporting authorization object name, after that change package with icon pencil 'object directory'.
    RSSM for infoobject assignment to infoprovider
    How to Transport the Authorization Object
    hope this helps.

  • How can I limit/control the addition of auth. objects to security roles?

    Checking the authorization object S_USER_VAL it seemed that it grants the ability to limit the addition of authorization objects, but I tried using a test ID in sandbox along with a test role, removing the object, creating ranges in order to limit to a certaing type of auth. objects and didn't work. S_USER_AGR will give me access to limit which type of roles I can modify, but I'm looking to restrict the addition of specific security objects to security roles. If anyone knows the answer to this please share! Thanks in advance for your help!!!!
    Edited by: Armando Salas on Nov 29, 2011 7:41 PM

    Hi Armando,
    Try with auth.obj. S_USER_AUT. A suggestion. Search this objects with tcode SU24, for instance, for tcode PFCG and it gives a list with objects.
    I hope this helps you
    Regards
    Eduardo

  • Can we control Work center group links using auth object UIU_COMP

    Hello All,
    We are running into an issue while doing our PFCG role configuration.
    I need to know if we can control Work center group links in a business role through auth object UIU_COMP.
    We can control Workcenter's but not 'Work Center Group Links'.
    Here is what we did:
    - We have a business role Z_RA_DEFAULT.
    - The Nav Bar Profile SRV-PRO for this business role has some work center group links that are checked in menu and visible.
    - I'm trying to find the values in the auth object UIU_COMP to restrict Work center group links.
    - Even though the values Work center group links are in menu and visible,
    I want to remove these Work center group links from the screen using the auth object.
    - If we remove the check from in menu and visible in the business role the Work center group links disapper from the screen.
    Right now this is only way we are able to controle Work center group links.
    Question:
    - Can I use UIU_COMP to restrict Work center group links?
    - any another auth object that controle Work center group links?
    - any document/ website / info  available which tells us what can we restrict with auth object UIU_COMP?
    - or any other way of doing this... like code change, user exit, ....?
    Really appreciate your help.
    Thanks,
    Nasir

    I am not sure if I have understood the issue correctly, but still what stops you from actually creating a clone business role to your existing business role and deactivating the in menu visible work center group links. Use this new business role for users who need to be prevented from viewing the work center groups links in question.
    If you are going to use authorization objects to control the visibility wont it impact all users (still defeating your original purpose?)
    Again apologies in case I have got the question wrong.

  • Authorization Issue for Object CRM_ORD_PR

    Dear All,
    When user search sales orders in PCUI by sales org, Distributional Channel and Division criteria it shows the result list. But it is also throwing the error as "You are not authorized to Display this transaction"
    I am not sure why system is showing this message.
    I have checked the auth objects for this user.Authorization Objects CRM_ORD_PR and Object CRM_ORD_OE are inactive for the Role.
    When I searched the sales order in SAP GUI and when I click on the sales order from Locator it is giving the message as "You are not authorized to Display this transaction". When I checked the SU53 dump it is giving the message "Authorization check failed
    Authorization Obj CRM_ORD_PR Authorization Object CRM Order -Business transaction Type.
    So my question is though we have made the CRM_ORD_PR object inactive why system is showing the message in SU53.
    Also when I checked the trace system is also checking this object.
    Please help.
    Pankaj

    Rika,
    Thanks for taking the time to reply, it's really appreciated.
    I will pass the details of this note over to our Basis team to see if this helps us resolve our issue also (we are trying to prevent unauthorised objects showing in user search result lists).
    We are on CRM 2007 though, so I am not sure whether it will still be relevant.
    Many thanks again,
    Andrew G.

  • Authorization checks and objects

    Do you have a tutorial for this topic for dummies? thanx in advance

    Hi
    In general different users will be given different authorizations based on their role in the orgn.
    We create ROLES and assign the Authorization and TCODES for that role, so only that user can have access to those T Codes.
    USe SUIM and SU21 T codes for this.
    Much of the data in an R/3 system has to be protected so that unauthorized users cannot access it. Therefore the appropriate authorization is required before a user can carry out certain actions in the system. When you log on to the R/3 system, the system checks in the user master record to see which transactions you are authorized to use. An authorization check is implemented for every sensitive transaction.
    If you wish to protect a transaction that you have programmed yourself, then you must implement an authorization check.
    This means you have to allocate an authorization object in the definition of the transaction.
    For example:
    program an AUTHORITY-CHECK.
    AUTHORITY-CHECK OBJECT <authorization object>
    ID <authority field 1> FIELD <field value 1>.
    ID <authority field 2> FIELD <field value 2>.
    ID <authority-field n> FIELD <field value n>.
    The OBJECT parameter specifies the authorization object.
    The ID parameter specifies an authorization field (in the authorization object).
    The FIELD parameter specifies a value for the authorization field.
    The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.
    http://help.sap.com/saphelp_nw04s/helpdata/en/52/67167f439b11d1896f0000e8322d00/content.htm
    To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.
    Authorization : An authorization enables you to perform a particular activity in the SAP System, based on a set of authorization object field values.
    You program the authorization check using the ABAP statement AUTHORITY-CHECK.
    AUTHORITY-CHECK OBJECT 'S_TRVL_BKS'
    ID 'ACTVT' FIELD '02'
    ID 'CUSTTYPE' FIELD 'B'.
    IF SY-SUBRC <> 0.
    MESSAGE E...
    ENDIF.
    'S_TRVL_BKS' is a auth. object
    ID 'ACTVT' FIELD '02' in place 2 you can put 1,2, 3 for change create or display.
    The AUTHORITY-CHECK checks whether a user has the appropriate authorization to execute a particular activity.
    This Authorization concept is somewhat linked with BASIS people.
    As a developer you may not have access to access to SU21 Transaction where you have to define, authorizations, Objects and for nthat object you assign fields and values. Another Tcode is PFCG where you can assign these authrization objects and TCodes for a profile and that profile in turn attached to a particular user.
    Take the help of the basis Guy and create and use.
    Thanks
    Seshu

  • Insufficient authorization to create object namespace definition in PI

    Hi,
    I have a user who's getting  "insufficient authorization to create object namespace definition" when creating a name space in enterprise service builder in PI.  The users has sap_all and sap_new in profile but still getting the same error. Any suggestions??

    Hi,
    please try to set  the following parameter in the Exchange Profile  to " false ".                                                                               
    'com.sap.aii.util.server.auth.activation'  
    Afterwards restart the J2EE engine and retest....
    b.rgds, Bernhard

  • CV02N Authorization only to Object Link - Material

    Hi Gurus,
    I want to give special authorizations to a group of users where they can assign materials only in CV02N.
    When they enter Document Info Record there he should be accessing only Object Link - Material only, so that he can enter the relevant Materials.
    I found the Auth Object: C_DRAD_OBJ, but this is not helping me.. Please let me know if there is any alternative.
    Regards
    Naveen

    Hi,
    Apart from Ravi suggestion, you can also create a new document type from DC10 and define only one Object link i.e. material for that doc type. And after that you can provide this doc type authorization (with object C_DRAW_TCD) to your concern users. Its just other way around solution.
    Regards
    Shishir

  • Auth Objects in ABAP Programs

    Dear All,
    how could I find the auth object being validated in programs?
    Using SU24 I am able to find transactions checking auth object...but I am not quit sure sure if there are some other programs using/checking those auth objects.
    In general I want to check one specific auth object where is used/checked.
    I will appreciate your help.
    Regards
    FedeX

    Please use the standard report RSABAPSC to check the authority check statements used in the program for any TCode. Also you can look into ABAP codes in more details by using the program RSANAL00.
    Regards,
    Dipanjan

  • Insufficient authorization to display object Message Mapping

    Hi there
    Every now and then when I try and open a message mapping object I get this error: Insufficient authorization to display object Message Mapping. I then restart my Integration Builder then it works again.
    Any Idea how I would fix this?
    Thanks,
    Jan

    hi,
    apart from what was said you can try changing
    com.sap.aii.ib.util.server.auth.activation
    parameter in exchangeprofile to false
    if you don't use any data-dependent authorizations
    then you should never see this error
    maybe this will help
    but remember that if you want to use data-dependent authorizations
    in the future you need to put it back to true again
    Regards,
    Michal Krawczyk

  • Deletion of auth objects Corresponding to tcodes

    Q1.
    If a transaction is deleted from the menu wthr the Corresponding authorization objects are deleted.
    Q2.Eg
    What if the tcode MM02 is deleted from the role which has MM01/MM02/MM60/MM03 transaction codes, In this case some of the auth objects of MM02 are same as the other tcode auth objects, then how does deletion of MM02 from role ensure that only the corresponding object--> values are removed.?
    Rakesh

    Q1.
    If a transaction is deleted from the menu wthr the Corresponding authorization objects are deleted.
    It depends..
    If the auth object's status is 'standard' and it is coming from only one t-code which is being removed, then it gets removed. If the status is 'changed', then it doesn't get removed.
    Q2.Eg
    What if the tcode MM02 is deleted from the role which has MM01/MM02/MM60/MM03 transaction codes, In this case some of the auth objects of MM02 are same as the other tcode auth objects, then how does deletion of MM02 from role ensure that only the corresponding object--> values are removed.?
    No, the auth object won't get removed as that is coming from su24 from other t-codes also.
    If different t-codes are bringing different field combination values, then the instance which is coming from MM02(if it is being deleted) will get removed, again assuming that the instance is standard and not changed.

  • Error "Inconsistancy in the auth object P_ORGIN"

    Hello Gurus,
    I have to add a tcode which involves auth object P_ORGIN. When I add the tcode and go to authorization tab then it gives the error as "Inconsistancy in the auth object P_Orgin"
    Please let me know how should I add the tcode now. Thank you !
    Regards,
    MA

    PLease provide tcode
    The reason why the profile generator cannot correctly insert the
    default values of these transactions is due to a data inconsistency in
    table USOBT_C (default values for customers). The table does not
    contain an entry for field BTRTL of authorization object P_Orgin.
    You can immediately correct the incomplete data in your customer table
    USOBT_C using the following steps:
    Step 1 Execute transaction SU24
    Step 2 Enter the transaction affected by this error ie XXXX
    Step 3 "Change check indicator" (F6) in the application toolbar.
    Step 4 With "Display field values" (F7) you check the default values of
    P_Orgin. Please document the values.
    Step 5 Go back to the previous screen and set the check indicator from
    "Check/maintain" to "Check" for P_Orgin.
    Step 6 Set the indicator for P_Orgin back to "Check/maintain".
    Step 7 Choose the function "Change field values" (F6) and insert the
    formerly documented values for AUTHC in object P_Orgin.
    Now you see also the field BTRTL being presented.
    Save the changes.
    Repeat steps 3-7 for each of the transactions affected.
    Hope you are clear with the steps.
    Thanks,
    Prasant
    Edited by: Prasant K Paichha on Mar 3, 2010 3:01 PM

  • Auth objects required for creating super,power,end user roles

    Hi ,
    I need to create 3 roles according to the below requirement. can you tell me what auth objects req inorder to fulfill customer requirement.
    1.     Super User: 
         Have the access to Create/Modify/Delete own queries
         Can create Variables, CKF, Structures, Formulas & RKF at the cube level (global)
    2.     Power User :
         Have the access to Create/Modify/Delete own queries
         Can create Structures, Formulas at the query level
    3.     End User
         Have the access to run and navigate reports at the local level
    Hope I will get reply soon
    Thanks

    Karunakar -
    Few things you have to keep in mind when you are giving access to the reports and queries.
    S_RS_COMP only will not do.
    have you assigned S_RS_COMP1 and S_RS_MPRO for info areas and multi/info providers.
    and one more auth object S_RS_ICUBE for info cubes. you have to assign what ever the info cubes that you need to give access to the users.
    Then only user will get full access.
    precisely in order you can say,
    S_RS_COMP
    S_RS_COMP1
    S_RS_ICUBE
    and S_RS_MPRO.
    These are main auth objects which are related to info cube, info area access and BEx access.
    Hope this would give you clear pic.

Maybe you are looking for

  • Controlling the output when purhcsae order item is deleted

    HI Here is our scenario, we have two outputs automatically determined ( by condition records) when a purhcase order is changed, now when we delete the purchse order item we want only one put type to be triggered and not the other one. NEU    - When t

  • Upgrade to JSTL 1.2 and JSF 1.2

    I created a Portal project in weblogic workspace studio 1.1 (weblogic portal 10.2). The portal was created with the default facets. I did not add JSF facet etc. Now all I am trying to do is upgrade to JSTL 1.2 from the add/remove project facets page.

  • FI and SD integration

    Hello, We are doing SD invoice but we don't want to send any data into COPA what should we do but we need to turn the COPA on as we are sending the data from FI.The reason for this is we do very few invoices  in SD and we don't want to capture those

  • Best way to write stream to OutputStream?

    Hi, I need to write a string into an OutputStream (socket). I am a little confused how is the best way (most elegant, efficient) to do it. Should I use a OutputStreamWriter? Sometimes, I also need to write raw bytes directly. Currently, I am using: B

  • HP Tablet OS non responsive

    A friend gave me his old OS tablet. I reset settings to set it up with our information, but now all I get is the software Manager saying "You have no services installed". The touch screen is non responsive and I can't power it off. None of the button