Hierarchy Authorisation

Similar Messages

• Problem in hierarchy authorisation

  Dear all, I have two questions now regarding as the hierarchy authorisation:
  1, As you know the infoObject 0TCTAUTHH should be actived and allowed to be authorised? How do I know that  is already activated?
  And how to activated it?
  2, When I define the authorisation for the hierarchy, in the option "Type of authorisation". I don't understand the use of "2". Can anybody explain it to me?
  Thanks!

  Hi,
  I tried ur sugesstion but the same problem persists.i tried it in other way by giving the unit price at the item master level itself.in such case the unit price field in the PO displays the value.But the TAB pointer jumps to the next row directly instead of moving to the Tax Code Field in the PO.it means it doesn't allow me to enter the tax code.I think the problem is due to mistake in setting user authorisation.Could u clear me.
  Regards,
  Badri.

• Hierarchy Analysis Authorisation

  Hi All
  We are trying to limit the output of a HR Sickness report depending on the user's position in the Org Structure hierarchy. We can't use structural authorisation as its not maintained in ECC.
  We have the org struct in BI and we want to setup dynamic Analysis Authorisation (AA). So we want to create AA with hierarchy restriction on 0orgunit based on a variable. Then at runtime the variable is populated by ABAP with the user's org unit. The report then shows the data for the user's org unit (and all other org units below in the org structure).
  In RSECADMIN I can create a new authorisation object and add 0orgunit to it. On the Hierarchy Authorisations tab  I hit the create button and select orgeh hierarchy . Then I press the 'select variable' button and I get the error message 'No variable of type Customer/SAP exit for characteristic 0ORGUNIT exists'.
  What am I doing wrong? Where do I specify a variable for 0ORGUNIT so that it can be available in the selection screen?
  Thanx
  Asif

  https://wiki.sdn.sap.com/wiki/display/BI/AuthorizationinSAPNWBI
  http://www.sdn.sap.com/irj/scn/events?rid=/library/uuid/ded59342-0a01-0010-da92-f6b72d98f144&overridelayout=true
  Go through these links. Hope this would help you.

• Authorisation on 0ORGUNIT Hierarchy

  Hi Everyone,
  I have a requirement wherein I need to assign authorisation to each employee as per his/her ORGUNIT. We have a hierarchy on ORGUNIT and the authorisation should be such that the employee should be able to see the data from his ORGUNIT and all the from all the ORGUNITs which are below his node in the hierarchy.
  ORGUNIT is an attribute of EMPLOYEE. I've created an authorisation object on ORGUNIT and created a hierarchy authorisation structure. Now I'd like this Authorisation object to pickup the ORGUNIT values from the EMPLOYEE master data when I assign the Authorisation object to a certain EMPLOYEE instead of me creating an Auth. object for each ORGUNIT node in the hierarchy and assigning it to each EMPLOYEE manually.
  I'd like to automate it so that the ORGUNIT is picked up from the EMPLOYEE master data. Any ideas how I can achieve this?
  Thanks,
  Ram
  Edited by: Ram Pandey on Jul 23, 2009 6:06 PM

  Alright Ram,
  There are standard DSO that do this for you.  Look at the following:
  http://help.sap.com/saphelp_nw2004s/helpdata/en/01/a7fb3a72a05546e10000000a114084/frameset.htm
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/business-intelligence/a-c/bw_hr%20authorization%20-%20asap%20for%20bw%20accelerator
  cheers,
  Nick

• Two analysis authorisation

  Dear Gurus,
  I have the turned two navigation attributes as auth. relevant,
  global cost center: this is based on hierarchy authorisation
  local cost center: this is based on value authorisation.
  There is one-to-one mapping between glocal cost center and local center. Users would request authorisation on either of them but they can ask for authorisation for more than one role with different combination.
  I have created three analysis authorisation for the below scenarios:
  1: Role_1 has Auth_1 with the below values
  global cost center: X (node)
  local cost center: * (as users have no knowledge about the mapping)
  This works fine.
  2: Role_2 has Auth_2 with the below values
  global cost center: * (as users don't know the mapping)
  local cost center: A
  This works fine as well.
  3: Role_3 has auth_1 and auth_2.
  This doesn't work. It throws authrisation error.
  Can you please suggest how can scenario 3 work.
  Thanks in advance
  Regards

  Hi Max,
  Unlike ECC Auth Objects, Analysis Auths always work on the concept of Intersection. Which means when you run query for a particular input selection and you have multiple analysis auth assigned, then queries will only be executed if input selection falls within the intersected region for the characteristics in two analysis auths.
  Therefore effectively when you assign auth_1 and auth_2 to an user, user gets the following access:
  global cost center: Node
  local cost center: A
  Can you confirm if the user is selecting the above values while executing queries and still getting authorization error?
  I didn't understand the requirement of Role_3 = Auth_1+Auth_2 though, but if you can explain the requirement, I can try to suggest some solution.
  Thanks,
  Deb

• Authorisation Check during CO-Retraction

  Hi,
  I am retracting CO-Data (CCA and OPA) from BW-BPS to CO. All went well until hierarchy-authorisations for InfoObject 0COSTCENTER have been activated on the planning-cube.
  In the planning level/package the selection for InfoObject 0COSTCENTER is 1-ZZZZZZZZZZ.
  This value will be delivered for authorisation check during CO-retraction.
  When checking hierarchy-authorisations, the explicite value ':' for 0COSTCENTER is expected. So I changed the selection in the planning area to 1-9999999999, ':' and A-ZZZZZZZZZZ.
  But the value ':' will be deletet during the preparation for the value check (RSSB_AUTHORITY_VAR_CHECK). So the hierarchy-check does not work properly.
  Please give me any advise, how to make authorisation check possible.
  Greetings Andreas

  Hello Andreas,
  as always the BPS selection needs to be a subset of your authorizations. You seem to select all cost centers so a hierarchy authorization is not enough.
  - Do an authorization trace in RSSM and check the log
  - Adapt the BPS selections or use a BPS authorization variable
  Regards,
  Marc
  SAP NetWeaver RIG

• Regarding BW issue

  Hi,
  How do you assign Hierarchy node to a paticular role in BW system.
  How can we find out a query executed by whom..?
  thanx in adv
  ravi

  Hi Ravi,
  Authorisation on a hierarchy is implemented with the Info Object 0TCTAUTHH of the technical content(Infoobject catalogue 0BWTCT_CHA01).
  Below steps
  1.You need to transfer this Infoobject 0TCTAUTHH first from the content and then activate it.
  2.Create the reporting object by using 0TCTAUTHH and leaf Infoobject in transaction RSSM
  3.Define a description of a hierarchy authorization
  4.Create an authorization of the new authorization object. Enter the technical name of the description of a hierarchy authorization as value for field 0TCTAUTHH.
  5.You need to maintain the authorisation values of hierarchi Infoobject and 0TCTAUTHH in PFCG.
  SDN link given below provides detailed screenshots of working with BW Hierarchy Authorisations.
  https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/90323a2c-fe1c-2a10-d89b-d79342061b3d
  Regards,
  Nagendran

• Analysis Authorization Mass Load got wrong

  Hi,
  First:
  I accidently made a rubbish CSV massupload via a 0TCA_DS04 formatted DSO and than a
  RSEC_GENERATE_AUTHORIZATIONS for Assignment of authorization to users.
  Second:
  I want to clear up this rubbish completely out  again.
  Third:
  Loading a one line one field CSV File like this:
  0TCTUSERNAME -     D_E_L_E_T_E
  ;0TCTAUTH -               <BLANK>
  ;0TCTADTO -              <BLANK>
  ;0TCTOBJNM -           <BLANK>
  ;0TCTSIGN -                <BLANK>
  ;0TCTOPTION -           <BLANK>
  ;0TCTLOW -                <BLANK> 
  ;0TCTHIGH -                <BLANK>
  ;0TCTOBJVERS -          <BLANK>
  ;0TCTADFROM -           <BLANK>
  via a 0TCA_DS01  formatted DSO
  and RSEC_GENERATE_AUTHORIZATIONS
  does not seem to work.
  Fourth;
  The rubbish Assignment of authorization to users still exist.
  Fivth:
  Something else to do ? The doc ,Generation of Analysis Authorizations - Business Intelligence - SAP Library,
  isn't to clear to this.
  Something more to do ?
  CSV wrongly formatted ?
  Assitant is appreciated.
  Thanks
  Martin

  Hi Petra,
  the message is only thrown when one of the named DataStore Objects is really empty.
  Could it be:
  1.) That you have a typo in your DataStore Object name
  2.) The message should also name a DataStore Object. Which one is it (for which authorisation generation)
  3.) Are you on a Support Package Stack level lower than 14, and try to generate hierarchy authorisation. If so, please check OSS note # 1041515.
  If none of the above is solving your issue, you might have to open a customer message.
    Cheers
       SAP NetWeaver BI Organisation

• BI7 Analysis Authorisations - relationship between value & hierarchy auths

  Hi all
  Does anybody know how we can set up the new analysis authorisations to allow a user to use a Query selection for cost centre based upon a hierarchy and yet restrict the cost centre data they can display by value authorisations?

  SDN is the place to discuss technical problems..
  Please avoid such weird post.
  G@urav.

• DB error with Authorisation on Hierarchy

  Hi,
  In both web reporting and BeX I get an error that says:
  "An exception with the type CX_SY_FILE_AUTHORITY occurred, but was neither
  handled locally, nor declared in a RAISING clause
  Message no. RS_EXCEPTION000"
  It occurs when expending a hierarchy node in one hierarchy, when a (authorisation) filter is set on a node in another hierarchy.
  Problem does not occur when using profile sap_all / sap_new
  When going to system logs I see the error in the DB occuring:
  BY2 Database error -471 at EXE
  BY0 > DSNT408I SQLCODE = -471, ERROR: INVOCATION OF FUNCTION OR
  BY0 > PROCEDURE SYSPROC .DSNUTILS FAILED DUE TO REASON
  BY0 > 00E7900C DSNT418I SQLSTATE
  BY0 > 55023 SQLSTATE RETURN CODE
  BY0 > DSNT415I SQLERRP = DSNX9WCA SQL PROCEDURE DETECTING ERROR
  BY0 > DSNT416I SQLERRD = 0 0 0 -1 0 0 SQ
  BY0 > DIAGNOSTIC INFORMATION DSNT416I SQLERRD =
  BY0 > X'00000000' X'00000000' X'00000000' X'FFFFFFFF'
  Any ideas how this can be resolved?
  thanks,

  Hi,
  A PROCOBJ is a procedural object. There are objects in a database the can't be exported in a normal way so there are annonymous pl/sql blocks written that the datapump code calls. These anonymous blocks will generate the infromation that the datapump needs to export and then import these types of objects. It looks like this anonymous block has an error in it.
  I would talk to Oracle customer support and tell them what is happening.
  You could always restart the job
  impdp user/password attach=user.jobname
  The user.jobname is the information it gave you at the beginning of the job. If you didn't specify job_name, then it would be something like:
  SYS_IMPORT_SCHEMA_01
  SYS_IMPORT_FULL_01
  etc. When you get to the impdp prompt do this:
  start=skip_current
  It will continue the job, but skip the current object being worked on.
  Hope this helps
  Dean

• No authorisation for displaying hierarchy

  Hello all,
  some user mentioned that there can not activate hierarchy for an InfoObject within an web application. When I do this, the hierarchy is displayed correct. Also within the simulation for those users in TA RSSMQ the hierarchy can be displayed.
  However: The user gets the message: No authorisation for reporting hierarchy.
  Where can I allow the user to see the hierarchy?
  The BW release is 3.5. Any ideas would be great.
  best Regards,
  Stefan from Munich/Germany

  Hi Stefanos.
  Please check the authorizations for the user. Make sure that he has the S_RS_HIER object specified correct.
  Hope it helps.
  BR
  Stefan

• Authorisation in Hierarchy node variable type

  Hi,
  Is it possible to have a Hierrachy Node variable that is processed by Authorisations ?
  Regards,
  Saurabh Diwakar

  https://wiki.sdn.sap.com/wiki/display/BI/AuthorizationinSAPNWBI
  Create BEX variable for authorization 
  1. Right click on the IO -> choose 'Restrict'
  2. Choose 'Selection' = 'Single Value' and 'from Hierarchy' = 'flat list'
  If a hierarchy exists, select the hierarchy for the IO
  3. Go on the variables tab -> Right click -> 'New variable'
  4. For a restriction without hierarchy, the type of variable is 'Characteristic Value' and if you have choose a hierarchy, the type of variable is 'Hierarchy node'
  5. Select a variable name & a description
  6. Choose 'Processing by': = 'Authorization' then check the characteristic and click 'next'
  7. Choose the display area for the variable -> Variable represents: = 'Single Value' or 'Selection Option'
  8. Choose if the variable entry is Optional or mandatory,
  9. Don't select 'Ready for input' and 'Can be changed in query navigation
  10. Next to the end
  Hope this would help you ...

• Hierarchy Objects - Authorisation in Roles

  Hi I have created a role which is causing me few problems. The role is reporting role and the queries associated to it have 0MAST_CCTR & 0ORGUNIT in them. when I run the queries I got a error message:
  No authority for the node from characteristic 0MAST_CCTR, hierarchy SYMBCONTROL (00000000,)
  Message no. BRAIN819  
  Diagnosis                                                                               
  The system determined the authorized areas (nodes) for the characteristic 0MAST_CCTR and the hierarchy PATCONTROL (00000000, ). In doing so, it was determined that you do not have authorization for any area.
  System response            
                                                               If this situation occured when filling a variable, then the query cannot be executed or the hierarchy cannot be displayed.
  Procedure
      For the characteristic 0MAST_CCTR and the hierarchy SYMBCONTROL (00000000,), you have to have authorization for at least one node or leaf for something to be displayed.        
  I have given * for hierarchy name in S_RS_COMP in the role for the infoObject 0MAST_CCTR. Still the role is failing and I am not able to run the query. Where is the problem? Help is appreciated.
  Thanks in advance,
  -Ravi.

  Ravi,
  Just checking. Did you create a authorization variable and added it in the query for that characteristic?
  Gova

• Authorisation Error - Hierarchy Node

  Hi All,
  I have the following error when I try to run a report, there are madatory fields on the variable screen for Cost Centre Hierachy & Cost Element Hierarchy.  When using BEx Analyser I can enter passed this error message & the report will display results, however when I use the Portal, a different error message appears.
  I need this report to run successfully in the Portal, please can you help
  BEx ANALYSER ERROR MESSAGE
  Diagnosis
  The system has determined the authorized areas (nodes) for the characteristic and the hierarchy (,). It also determined that you do not have authorization for any of these areas.
  System Response
  If this situation was determined while a variable was being filled, the query cannot be executed or the hierarchy is not displayed.
  Procedure
  You have to have authorization for at least one node or leaf for the characteristic and the hierarchy (,) so that something can be displayed.
  If the selection only comprises end nodes ("leaves") and all of these leaves are covered by value authorizations, a query result is still displayed.
  Procedure for System Administration
  PORTAL ERROR MESSAGE
  WARNING EYE (019): No authority for the node from characteristic ASCH407D, hierarchy YIR BI-KPIGRP (00000000,)
    MSGV1: ASCH407D
    MSGV2: YIR BI-KPIGRP
    MSGV3: 00000000
  ABEND RSBOLAP (000): Program error in class SAPMSSY1 method : UNCAUGHT_EXCEPTION
    MSGV1: SAPMSSY1
    MSGV3: UNCAUGHT_EXCEPTION
  & it will not display results

  Hi,
  Using the T-code SU01 check what are the authorization do you have. Identify the authorization which is related to cost center/cost element. In the T-code PFCG check if that authorization includes that cost center/cost element hierarchy node or not?
  In order that query should run in Portal, relevant authorization must be transported to portal.
  Hope it helps.
  Regards,
  Prakash

• SAP BW Authorisation in Bo

  In our organisation SAP BW and BO XIR3 (3.1) has been installed. And SSO being implemented between both the system . User accounts are created at BW level which were used for BO even.
  We have maintained authorisation by hierarchy at BW side and wanted to make use of these same authorisation at BO side ..but we were popped with error "No Data to retrieve" (even though data exists ..
  Scenario:
  (1) WEBI report on BW Query (through universe connection has SSO)
  (2) user created "XYZ at BW level
  (3) Hierarchy level: Region (NORTH , SOUTH , WEST , EAST) maintained at BW level
  For user "XYZ" authorisation has been maintained at region level (Ex: AUTH_NORTH)
  Now , "XYZ"user has to restricted to view only NORTH region data ..at this case we were
  prompted with specified error "No data to retrive" at BO side ..and when same user access the same Query in BW ..he is able view only NORTH region data
  But when we provide REGION_ALL authorisation to user XYZ at BW level ..now user able to view data in BO for all regions ..without any error ..
  Can you please help us ...in maintaining authorisation for a single REGION (ex: AUTH_NORTH)
  Help will be really appreciated ....
  Regards,
  Kamal

  Hi,
  any data level authorization should get done in the BI Authorizations and with the usage of a authorization variable in the BEx query.
  regards
  Ingo