Hierarchy Authorizations in BW

Similar Messages

• Hierarchy authorization default pick

  Hi ,
     I have got a profit center hierarchy which is used in the reporting in the selection screen in BW7.0 . I had created authorisations and its working fine through RSECADMIN. but i have got a question, if i leave the selection screen variable profit center empty and execute the report, it says you are not authorized,but then it works fine if i mention a hierarchy node in there. I had mentioned the values in the authorisation, as 2*,,but it doesn' tpick up any..any clues plz..
  thanks in advance.

  Hi,
  I am working with the SAP security team to get custom authorization on the Profit Center Hierarchy in place. We need to restrict access to the hierarchy nodes (only certain users need access to certain nodes in the hierarchy).
  1) We got into RSECADMIN --> Maintenance --> Created a new authorization object --> added profit center --> in the hierarchy authorization tab, added the hierarchy node and selected the Type of Authorization and Validity range as required and saved the auth object.
  2) We created a role in PFCG and added the authorization object to the role(no other authorization objects)
  3) Assigned the role to a user and tried testing the reports.
  The user could see all the nodes in the hierarchy and also data on the nodes restricted to him/her. Is there any step I am missing? Does the auth object need to be generated in RSECADMIN?
  Please advice.
  Thanks,
  Vivek

• Hierarchy authorization based on 0CCA_O01

  Hello experts,
  I have loaded single values & intervals for costcenters authorizations into 0CCA_O01. I have no heirarchy authorizations available.
  Now user still wants to select costcenters in query by hierarchy nodes, but he should only see nodes and leaves determined by single authorizations.
  Anybody have an idea how could this be done?
  Any help will be appreciated.
  BR
  Ondrej

  Hi,
  I am not sure if we can do a load via flat file into 0CCA_O01. If yes, please create a flat file containing hierarchy authorization details and load it to 0CCA_O01.
  If not, we can create another DSO for hierarchy authorization.
  I hope it should solve your problem.
  Regards,
  Gaurav

• Restriciting BI query for Hierarchy authorization for a defined group

  Hi Friends
  We are trying to restrict the Display with respect to the company codes group.
  We have defined the authoirzation for BI w.r.t to the company code and groups ( collection of co.codes ) ..We have defined the authoirzation object under Rsecadmin and restricted the display for only group eg: GH3 . However when we ran the query we can see all the companies / groups. Also tried with putting the GHR group under Hierarchy authorization but still have the same result.
  Can you please let me know what is going wrong
  thank for all your help..

  We have defined the authoirzation for BI w.r.t to the company code and groups ( collection of co.codes ) ..We have defined the authoirzation object under Rsecadmin and restricted the display for only group eg: GH3 .
  Did you check if the infoprovider(s) which your query is hitting upon has company code and company groups checked as authorization relevant in RSA1?
  Thanks
  Sandipan

• Possible to combine Value and Hierarchy Authorizations?

  Hello Experts!
  Could anyone please tell me something about the interaction between value and hierarchy authorizations for the same info object?
  I created an authorization for an info object which makes use of both in some queries. But if you activate a hierarchy in query designer, the value authorizations seem not to work anymore. Instead the hierarchy authorizations restrict the analysis result. I get datasets in the result without having the corresponding value authorizations.
  Is there a way to ONLY use value authorizations which also work if you activate a hierarchy on an info object???
  Thanks in advance.....
  Bye,
  Joerg

  No you can't. GRE is only designed to carry routing protocols and multicast traffic over VPNs.
  It is also bad design practise to design a network that carry's L2 vlan's over a WAN or internet link.
  You have to ask yourself why you would want to carry VLANs over VPNs?
  Hope this helps.

• Profit Center Hierarchy: Authorization Error

  Hello,
  Right we are generating hierarchies for users on the object Profit center.  We want to have a separate data role that gives access to the authorization object ZPROFITCTR.  What should the values be for PROFIT_CTR and TCTAUTHH if we want to check what authorizations have already been generated for the user?  I am thinking there must be a way to do this rather than create a different data role for each user.
  I have done a lot of reading and have found if you specify the value ' ' for OTCTAUTHH as a value if only hierarchy authorizations are to be in effect.  I thought this would mean generated heirarchies would be checked and would give a user access to 0PROFITCTR, but that was not the case.
  Thanks,
  Brian

  try to re-transport PCA
  IMG; CO--> PCA --> tools --> transaport customizing set. -->
  but i believe if you transport only the "master data" Q will function fine. ( try OKEQ first)

• Hierarchy Authorization in free characteristics not working

  Hi,
  we found aproblem while running a query with authorization objects for a hierarchy node (0SALES_OFF).
  - Z_HPRODPIS (Hierarchy for sales offices) with fields:
  - 0SALES_OFF Sales Office
  - 0TCTAUTHH Authorization for hierarchy
    We create hierarchy authorization for nodes:
     - Type of authorization           2
     - Hierarchy level                    3
  We would like to have characteristic 0SALES_OFF in the free characteristics section when running the query.
  In this case we get an error "No authorizations", but after drill down in rows, hierarchy node members for 0SALES_OFF are displayed.
  Is this an usual behavior?
  We would not like to create several queries, if we could cover user requirements with one query with several characteristics as free characteristics (also 0SALES_OFF).
  Thanks, Tomaz

  Hi !
  have you tried restricting it with a variable?
  with regards
  ashwin

• Hierarchy authorization

  Hi All,
  We have upgraded our BI system to the new security approach 7. We created the corresponding roles/objects thru the RSECADMIN t-code for 0COUNTRY and some other infoObjects where the 0COUNTRY is navegational attribute, for example the 0COMP_CODE__0COUNTRY, and everything is workink fine.
  The 0COUNTRY and (i.e.) the 0COMP_CODE__0COUNTRY are checked as Authorization Relevant.
  Now, we want to create a hierarchy for the 0COUNTRY infoObject, and I would like to know if the security done at the value level is enought to restrict the data or we need to create some new roles/objects thru the RSECADMIN in order to do the same restriction done to the flat values now at the hierarchy.
  We dont mind the intermediate nodes (regions), just the country values for the hierarchy.
  For example, we need the following hierarchy:
  World
  |_ Europe
       |_ Germany
       |_ Italy
       |_ Spain
  |_ Asia
       |_ China
       |_ Japan
  With variable authorization we need:
  If user has just Spain, show Spain.
  World
  |_ Europe
       |_ Spain
  If user has Germany, Italy, Spain.
  World
  |_ Europe
       |_ Germany
       |_ Italy
       |_ Spain
  If user has *.
  World
  |_ Europe
       |_ Germany
       |_ Italy
       |_ Spain
  |_ Asia
       |_ China
       |_ Japan
  Right now, without using hierarchy, the data is showing ok depending on the authorization that user has (allways using authorization variables in the query).
  Regards, Federico

  Hi Federico,
  Yes, your approach is right. You can restrict the InfoObject 0COUNTRY and then maintain the country values in the Analysis Authorizations (its no more a hierarchy authorization).
  The EQ can be used to maintain a single country (you need to add multiple EQs if you wish to add morethan 1 country in the same analysis authorization)
  The CP can be used to maintain with a pattern such as A* countries etc
  The BT can be used to give a range.
  However, ensure that the user has authorization to all the Infoareas (bottom - up) and queries so that his/her authorization can be restricted.
  Regards,
  Raghu

• Hierarchy authorization with variables of type exit

  Hi all,
  I am trying to implement hierarchy based authorizations with variables. After collecting information from the SAP documentation and this forum, I think I know more or less how to do it, but it's not working and it has me very confused.
  These are the steps I have followed:
  - From RSSM, I have created a hierarchy authorization object including my characteristic and 0TCTAUTHH
  - From RSSM again, I have created a hierarchy authorization pointing to the node $ZG_V_008
  - From the Query designer, I have created a hierarchy node variable of processing type customer exit ZG_V_008 (are any special settings needed here?)
  - From the Query designer, I have created <b>another</b> hierarchy node variable of processing type authorization, and I have used this variable to restrict the hierarchy for my characteristic
  - I have edited the EXIT_SAPLRRS0_001 to watch for I_STEP = 0 and give values to ZG_V_008 (we'll get to my code later in case we solve this issue first
  It is my understanding that with this setup, the user exit will be called to process the value of ZG_V_008 in I_STEP = 0, however, when debugging, I don't see any calls for the function with I_STEP = 0.
  What have I done wrong?
  Thanks a lot in advance.
  Guillermo

  Thanks, Jimmy, but that does not help much: my problem is that my user exit is not evaluated with I_STEP=0, but there are no error messages or anything like that.
  I have created a test user <b>without</b> a developer role to see if that could have any impact, but it's still not working.
  Any ideas?

• Hierarchy Authorization Problem

  Hi experts!
  I am implementing Analysis Authorization Using Variable and one of the object is Org unit hierarchy authorization. The idea is to populate the personnel's authorized value of org unit into the hierarchy authorization and it is then allowed to see its node and anything below its node.
  Say for example I am Authorized to Orgunit A0 and I should see A1 and A2 as well which are the children of A0 and when I ran the query I am only able to see A0 only thou there are records of A1 and A2
  What should I toggle to be able to see A0 together with its children (A1 and A2)?
  The settings in for hierarchy authorization is TYPE 1( Subtrees below the node ) and Validity Range 2 (Name Identical)
  Points will be awarded !
  Edited by: Chee Jason on Aug 20, 2008 9:08 AM

  Just an update on the problem here
  I suspect it is the problem with my customer exit because when I maintain the value directly it, appears correctly.
  I wonder if I do it correctly. Here is a snippet of the code... Please advise me. Thanks!
  DATA: L_S_RANGE  TYPE RSR_S_RANGESID
  L_S_RANGE-LOW = 'A0'.
  L_S_RANGE-SIGN = 'I'.
  L_S_RANGE-OPT = 'EQ'.
  Append L_S_RANGE TO E_T_RANGE
  Edited by: Chee Jason on Aug 20, 2008 11:40 AM

• Hierarchy Authorization using Variable via Customer Exit

  Hi experts,
  I am wondering if I can do Hierarchy Authorization using Variable via Customer Exit? I know it can be done on normal value authorization by putting $+(the variable name). So can we do the same for Hierarchy authorization?
  For my case I have a 0ORGUNIT and I would allow the role to access anything below its node. So do I put $VARORGUNIT in Technical Node Name and Hierarchy name as ORGEH, Type of authorization = 1 and Area of Validity = 3.
  Points will be given!
  Thanx!

  Hello Chee Jason,
  Are you working with version 3.5 or 7.0
  How do you specify Hierarchy variable?
  Any advise you can share is very much appreciated.
  Thanks,
  Patrick

• Bw time dependent hierarchy authorization in Hr - Key date problem - 0orgunit

  Hello Gurus,
  I'm facing a problem with the 0Orgunit hierarchy authorization.
  In the Rsecadmin screen we set the hierarchy authorization for 0orgunit characteristic, before selecting the hierarchy node, we enter the key date.
  I tried many cases, but neither of the key dates gives the correct results in the report. (Todays date, 01.01.1900, 31.12.9999 etc..)
  In the report the key date variable is generated by RSTHJTMAINT transaction. I guess, this is creating a problem with the authorization key date.
  A similar problem is told in the following link as well:
  http://scn.sap.com/thread/1437951
  I spend some hours, and tried many possibilities (validity period etc.), but I could'nt get it worked.
  I'm not sure if I had this error before 7.31 update.
  With this opportunity, I want to thank you every one in the Sdn community. It helps a lot for resolving our issues and sharing the knowledge.
  Thanks a lot.
  Regards.

  Hi Norbert,
  Can you check that the SAP note 1301644 has been applied in your system.
  Best Regards,
  Des Gallagher

• Hierarchy authorization pbm in BI7.0 with Front end of BW3.5

  Hello All,
  We have a problem regarding authorizations for the hierarchies in BW7.0
  We have migrated from BW3.1 to BW7.0. Authorization are OK in our BW3.1 server, the authorization on hierrachy work well.
  Current Issue (in BI7.0) :
  An authorization object for XCOMPROD for a hierarchy 'ZMAT_HIER'.
  There are 2 queries which have variables of XCOMPROD & ZCOMPROD in selection criteria, ZCOMPROD has variable of type 'Hierarchy node'
  I've a test_user which has authorization on Product Group 5 (one of the nodes in the hierarchy-ZMAT_HIER).
  When i run the queries independently with this test_user, the user has access to Group 5 only, which is correct. 
  When i run a web template report with any one query (from the 2 queries), the user has access to Group 5 (as in first case) - correct.
  However when i run a web template report having above 2 queries together, the authorization fails, as user gets access to root node (instead of only Group 5).
  FYI, we're using BW3.5 front end (no PORTALS)  with the OLD authorization concept (of BW3.1).  Not 'Analysis Authorization' as in BI7.0.
  Looking forward to an explanation/solution to the above.
  Regards,
  Nagendra.

  Hi,
  Check out the customization of SPRO to select the authorization concept. I suspect that it's set on the new authorization concept.
  Tomer.

• Hierarchy Authorization Aggregate (:)

  There is a thread for this question in Bex discussion but this issue is not entirely belong to Bex so I am duplicating here also.
  I have successfully set up the Cost Center Hierarchy Node variable using authorization in our BI environment. One last issue I am facing is following.
  When the data appears for a user who has access to 4 out of 10 cost centers in a hierarchy node, the summarized node data is showing the totals for all the cost centers included in the node. User would like to see the subtotal of only the cost centers they have authorization for. Of course the reason aggregated values are displayed is due to the : authorization provided for Cost Center in AA object, what I am wondering is if there are any other alternatives of ":" to force the query aggregate only the values from Authorization Hierarchy Node variable. Although SAP note 727354 suggests the following
  A colon authorization is not taken into account when you use a
  variable of the type "Fill from authorization", since it is not known at the
  time of the variable processing whether or not the affected characteristic is in
  the drilldown.
  I do have Authorization Hierarchy Node variable for Cost Centers in use but still the hierarchy node displays the summarized values for all the cost centers. I am hoping someone has run into this issue before me and there is a solution.
  Any help will be highly appreciated.
  Thanks!
  -Aslam

  Following is what I received from SAP, although disappointing but it is I what I thought too.
  Suggestion is not to use hierarchy node variable and replace with single values.
  Well the reason of choosing the hierarchy node variable was a business requirement. So I have delivered the news to business and now it will be up to them to go ahead with what comes from SAP by default (Total for all cost centers in the node regardless of user authorization) with the usage of hierarchy node or go in another direction...
  Thanks everyone to take the time and provide your input.
  09/08/2014 - 16:30:39 EST - Reply by SAP     
  Dear customer,
  I believe this is your case. Let me know if I get this wrong.
  Since the user is authorized for the TOP node, he's able to see the
  aggregated values of non-authorized cost centers, although these nodes
  are not authorized. Please notice that this is not an error. The
  system behaviour is as designed.
  If you don't want to have the aggregated values in the nodes, please
  try to change your query-design and filter according to "single
  values" instead of "nodes" in the authorization variable.

• Hierarchy authorization details show only last level

  Hi,
  I am facing on a hierarchy problem displayed on the Bex: The hierarchy has 9 levels, e.g. the organisation structure of the company from level 1 to level 9.
  I made from the transaction RSSM :
  Authorization from the hierarchy i entered for each level from 1 to 9 :
  Type of authorisation : 1 (subtree below node)
  Hierarchy level       : blank
  Validity period       : blank
  Node variable default value : blank
  I made from the transaction PFCG :
  Created a role for the user with the authorization :
  Sap Business information warehouse - reporting (RSR)
  value : 8055 (company code)
  Unique ID for authorization : level_3
  I need to authorize the user to execute a querry of his level (exemple level 3) and all the level below him (to the 9th level)
  When the query is generated,(the query is using a variable hierarchy ) I get the lowest level displayed and shows only 2 key figures and values.
  Any ideas ?
  You assistance will be appreciated.
  Thong VANNAXAY

  Hi,
  1007372 wrote:
  Hi,
  How to get only the last level in Oracle SQL Hierarchy Query?Depending on your requirements:
  WHERE   CONNECT_BY_ISLEAF  = 1 
  I hope this answers your question.
  If not, post a little sample data (CREATE TABLE and INSERT statements, relevant columns only), and also post the results you want from that data.
  Explain, using specific examples, how you get those results from that data.
  If you can show what you want to do using commonly available tables (such as scott.emp, which contains a hierarchy), then you don't need to post any sample data; just the results and the explanation.
  Always say which version of Oracle you're using (e.g., 11.2.0.2.0). This is always important, but especially so with CONNECT BY queries, because every version since Oracle 7 has had significant improvements in this area.
  See the forum FAQ {message:id=9360002}