Authorization based on division

Hello,
We want to restrict transaction types depending on sales org, distribution and division. Kindly suggest.

Hello,
There is no such object for division in standard.
If you need to add a new authority object to check in a business transaction,
you can use BADI CRM_ORDER_AUTH_CHECK with:
- method CRM_ORDER_ADD_AUTH_CHECK to add your new authority check to the
standard one.
- or method CRM_ORDER_ALTERN_AUTH_CHECK to substitute the standard authority
check with your own authority check.
In this BADI you have the header GUID, so you can retrieve the division,
for example, by calling CRM_ORDER_READ and reading parameter
ET_ORGMAN.
rgds,
deepa

Similar Messages

  • Analysis Authorization based on Hier node with multiple display hierarchies

    Hi guys - I've got a problem where s.o. might have an idea of how to switch on the light at the end of the tunnel, I am currently standing in:
    Requirement:
    Cost Center Authorization should be given through RSECADMIN, reporting should be possible for any hierarchy that exists for the authorization relevant info object.
    Preferred solution:
    The Cost Center Analysis Authorization should be given through RSECADMIN - Hierarchy node assignment.
    • A dedicated Authorization Cost Center Hierarchy will be maintained in ECC6 as an alternative cost center hierarchy and extracted into BW.
    • The RSECADMIN Hierarchy node assignment should be based on a particular node (Type 2).
    • The display level will be specified as required (here: Level 7)
    • The Authorization granted should be independent of hierarchy name and version (validity 3).
    Reporting Scenario and technical impact:
    As mentioned above, when designing and running a query the user should be able to freely select other (i.e. than the authorization) display hierarchies for the authorization relevant reporting object 'Cost Center' as well. The technical names of the semantically relevant hierarchy nodes could therefore vary. E.g. cost centers 1, 2 and 3, being assigned under hierarchy node 'A' of the RSECADMIN relevant authorization hierarchy, could be subsumed by hierarchy node 'B' in another display hierarchy, which the user may want to display in accordance to his reporting needs. Ideally, the alternative display hierarchy should therefore display node 'B'.
    My findings so far (based on prototyping) turn out that this is not possible as long as 'B' (and its hierarchy) is not authorized in RSECADMIN. Can these findings be confirmed? And if not, would anyone have an idea of how to facilitate the reporting scenario?
    Would there be any other way to grant access, possibly based on RSECADMIN single values, and also enable the user to flexibly display hierarchies with only those hierarchy nodes whose single cost center values the user has been given access to?
    Thanks everyone for your input...
    Claus
    Edited by: Claus64 on Jul 13, 2009 4:10 AM

    Hi Claus,
    On Jul 14 2009, you wrote in SDN and said:
    FYI: Found a solution...
    The hierarchy analysis authorization will be based on a navigational attribute of cost center.
    With analysis authorizations it is possible to declare the Auth object (e.g. 0COSTCENTER__RACCAUT0) as authorization relevant and leave the superior object 0COSTCENTER auth irrelevant.
    The auth will be given for 0COSTCENTER__RACCAUT0. This object will be placed as a filter of the query, being restricted by an Authorization variable for hierarchy nodes.
    Due to the concept of Analysis Authorizations, this variable will automatically pick up the nodes granted as part of RSECADMIN Hierarchy based Authorization.
    As mentioned above, 0COSTCENTER as the regular reporting characteristic remains auth irrelevant and can therefore take any hierarchy that's available. Reporting on single values will be possible, too. Only those nodes show up that hold the authorized cost centers in accordance to the authorization.
    If the auth relevant 0COSTCENTER__RACCAUT0 is not used in the query definition by either not taking it in as a filter or skipping the Auth variable, the query will launch the message that the authorization is missing. No data show up at all.
    Claus
    See this thread:
    Analysis Authorization based on Hier node with multiple display hierarchies
    I am also in the same situation as you and need to understand your solution. I understand that you created a Nav Attr on 0COSTCENTER and made this auth relevant whilst ensuring that 0COSTCENTER is NOT auth relevant. This is all fine. The issue was you have multiple hierarchies for 0COSTCENTER; how did the new Nav Attr help you solve your issue? When loading 0COSTCENTER what values did you load into the new Nav Attribute and how did that link to the hierarchies? Also, in RSECADMIN you created hierarchy nodes based on the Nav Attribute but I am confused as to what values you have in the Nav Attr.
    I appreciate if you can share your solution from the past in more details.
    many thanks

  • How to restrict authorization based on profit center in ke80 report

    hi friends
    we have a situation where we need to maintain the authorization based on profit center in ke80 report. The authorization object K_PCA is not working. whenever we assign a particular profit center and then generate the profile, we still get the message no authorization and when we check su53 it shows it needs '*' asterisk. but we cant assign the asterisk as we have 5 subsidiaries and they are using 5 different sets of profit centers so assigning asterisk (*) would be compromising on our security.
    has anybody come across this situation and if yes how did they resolve this?
    I need your suggestions on how to maintain this restriction.
    Regards,
    Imran

    Hi Friends
    The problem has been solved. It turns out that this is a report writer issue. We raised the issue with SAP and they informed that 'For Report Painter/Writer every item is checked if you have the authorization or not. Only the items with authorization fulfilled will be displayed afterwards'.
    Based on SAP answer we created different reports for each profit center/company code.
    I would like to thank you all for your time and inputs.
    Regards,

  • How to check the authorization based on webdynpro application

    Hi Experts,
    I was asked to develop a webdynpro component with two webdynpro applications, one each for internal party and external party to be used.
    So how to restrict or check the authorization based on webdynpro application used?
    Do we have any authorization object like S_TCODE for webdynpro application in roles and authorizations?
    Please enlighten me.
    Regards,
    Ajay Matam

    You can assign an authorization object to the Web Dynpro Application within SICF -
    http://help.sap.com/saphelp_nw70ehp1/helpdata/en/61/d93822a88e15489a9391f309767366/frameset.htm
    Of course you could also programmatically check which web dynpro application is being used from within the component and then call a custom auth-check. However, maintaining it at the SICF is probably better for visibility and long term maintenance costs.

  • Credit management Authorization Based on Value.

    Hi All,
    Can anyone help me find out whether we can implement Credit management based on different levels of Values or not? As far as I know we can do authorization based on % like 100%, 110% etc.
    But I want to activate release authorization based on the Amount like
    level 1              Rs 1 lakh (can release up to 1 lakh) when it reaches above 1 lakh
    level 2              Rs 2 lakh (it will release up to 2 lakh)
    Likewise. As far as I understand, whatever standard roles are given are relevant to % basis only.

    hello, friend.
    yes, you can do this in a few ways...
    1.  try 'Document Class' - a document class is assigned a certain value, which is assigned to a user (the link to credit management is indirect)
    2.  the traditional way is to use 'Risk Category', and you can set specific values (e.g. maximum document values) when doing OVA8. 
    i seem to recall there may also be a way to assign values to risk category, but i will check on this.
    regards.

  • Implementing authorization based on database roles

    Hi,
    I am trying to implement authorization in my sample jdeveloper application.
    I have the list of users stored in LDAP and my database table contains the roles for those users.
    Now how can I get the roles from the database table and implement authorization based on the roles?
    I am using jdev 11 and weblogic 10.3
    Thanks

    Hi,
    Checkout [this post|http://forums.oracle.com/forums/thread.jspa?threadID=928304]
    Sireesha

  • Authorization based on t.code and screenvariant

    All,
    Suppose I have created a screen variant in a particular transaction.
    For e.g. MB52, I have created one variant, ZVAR1.
    Is it possible to give authorization based on t.code MB52 and screen variant ZVAR1?
    Or t.code and layout of report.
    For e.g. I have changed the layout and saved the report as Z111.
    Now is it possible to give authorization, MB52 and Z111?
    Please advise.
    regards

    Thanks Alex.
    Suppose I am creating new t.code for MB52 program .
    Now in SE93 which object should I select:
    - program and screen
    - program and selection screen
    - Method of a class
    - transaction with variant
    - transaction with parameters
    Pls advise.
    regards

  • Debtors Ledger Standard report based on Division

    Hi SAP gurus,
    Pl let me know is there any Standard Report in Debtors based Division of a customer.
    (Or Debtors report based on Division?)
    Pl help
    Thanks in advance
    regards
    Ediga

    Hi Ediga,
    what exactly do you mean by Division?
    If you mean the division from SD (field SPART, you know, sales organization + distribution channel + division = sales area, you can see it in every sales order or SD invoice), or probably the business area (field GSBER)?
    A report customer by division (SD) should be available from CO-PA or even directly from sales. However, I do not think there is something standard here, but it should not be a problem for your CO-PA and/or SD guys to let it create easily.
    If you mean the business area, there is also nothing delivered in standard. Customer balances are not stored by business area (see fields in table KNC1). A possible workaround is if you go for line item reporting like FBL5N. However, this is not very performant and after the documents (+ index table records from table BSAD) are archived, it can get more difficult. My recommendation here would be to set up FI-SL for this purpose: transfer the customer number and the business area (plus company code, of course) to your new Special Ledger application and you'll get the information within a few minutes. Also, FI-SL could be a solution if you meant the SD division (technical field name SPART) and not the business area (technical field name GSBER).

  • Status profile based on division in sales organization

    Hi,
    Status profile are configured at document type level. However, the requirement is to configure the status profile based on division field of sales.
    Is there any way some one has achieved this solution?
    Please provide your inputs for the same.
    BR
    Kanishak

    Hi Soumya,
    Are you using TPVS or R/3 to do this split?
    In case you are using TPVS, and you have one Sales Org and Dist Ch, you can maintain the conditions on the Division and use these conditions to select Split rules.
    Then you can split the orders based on these split rules.
    Regards,
    Ankur

  • Authorization-based formulas don't work in planning-query

    Hi specialists,
    I've got some trouble with authorization-based formulas in a query on an aggregation-level.
    The formulas are used for filtering. The problem is that the filters remain empty - obviously no filter-values are pulled from the authorizations. The query-execution ends in the following error-message: "You are not authorized to use the object zcomp_code 'SomeName - Authorization-Object'"
    Exactly the same variables are used in a second query as well - which is based on the same cube as the aggregation-level. In this query the variables are filled (as expected) with the values from the authorizations.
    In RSSM one can see that the relevant info-objects are marked as authorization-relevant for the above mentioned cube. For the aggregation-level I cannot configure them as authorization-relevant (because the fields are not editable/grayed-out).
    Does anybody know this problem?
    Are there any hints how to check out the concrete problem?

    In iOS7, location-based reminders won't fire if the Reminders app is explicitly terminated by the user.
    That is if the user removes an application from the Multi-Tasking application list (brought up with a double-press of the Home button), iOS 7 will conclude that the user doesn't want this app to get any more run-time. That implies that Reminders won't be launched again to display your location-based reminders.
    The Reminders app needs to be running in the foreground or to be put in the background for location-based reminders to work.
    This is not a bug. This is intended behavior.

  • Purchase Requisition Authorization based on Storage Location

    Hi MM Gurus,
    Our client has got a specific requirement to control the security of purchase requisition creation, change and release based on the storage locations. We have found the authorization object M_BANF_LGO which is to restrict the access of PR based on storage location in purchase requisitions.
    The issue is the purchase requisition BAPI does not check this authorization object as per standard SAP.
    Does anyone know how to handle the security of purchase requisition based on storage location?
    FYI - Our PR release strategy is at item level and not at document level.
    Thanks,
    Shekhar

    Thank you for the reply. In case of purchase requisition for cost center, you can still enter the value of storage location. The storage location comes into picture when the goods receipts are posted against this purchase. However, the storage location value can be entered at PR level.
    We have storage location field as "Required" field in all purchase requisitions as there is only one plant and each storage location represents the division.

  • Authorization based on STD Cost Centre Hierarchy - different hier levels

    Hello,
    I need to create an Authorization scenario where the same user, who has authorization based on Cost Centre Standard Hierarchy, would have access to Cost Centre Hier "NODE A" for "CUBE 1" and Cost Centre Hier "NODE AB" for "CUBE 2". The challenge is that he cannot access "NODE A" on "CUBE 2".
    How can I have this? Would it work if I create 2 different authorization objects based on cost centre, each one for a different cube?
    Current authorizations are set up for CUBE 1 based on roles assigned to users and this affects more than 300 User ID. So I need a solution with few impact on what is already set up...
    BW version 3.1
    Thanks in advance

    Just for the forum information, I have made further progress on this.
    I have created different Authorization Objects (both based on cost centre) and assigned each one to a different cube. I will then have 2 roles assigned to the user: one role with Auth Object X will provide access to cube A only; the other role with Auth Object Y will provide access to cube B only.
    Regarding the hierarchy level, as this does not depend on the Authorization Object but on the Cost Centre Object itself, I don't need to create (Tcode: RSSM) duplicated hierarchy technical names for the same node of the hierarchy depending on the auth. Object.
    Hope this helps whoever is browsing the forum and has a similar issue. Otherwise, please contact me.
    Regards

  • BW authorizations based on assigned PPM users/roles + inherited roles

    Dear experts,
    We are using PPM 5.0 SP7, and we are having trouble defining authorizations for BW reports.
    We would like to use the same authorizations as in PPM business client, so that BI would use/check the authorization from business client.
    This check would include:
    - users or roles gain access from direct assignment to an item
    - users or roles gain access that is inherited in the bucket structure, both structure and classification buckets.
    Users would have access to BW reports, but they could see data only from the same structures/classifications or direct assignments that are given to them in PPM business client.
    Can we utilize the same authorization methods, or do we need to create and maintain this in another place (BW)?
    If needed, how to create similar authorization model to BW?
    Kind regards,
    Antti Forsell

    Hello,
    Please see these docs,
    [Field Based Authorizations in BW BEx Queries|https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/4753ed83-0e01-0010-e186-f98413f868cb]
    [An Expert Guide to new SAP BI Security Features|https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/659fa0a2-0a01-0010-b39c-8f92b19fbfea]
    [Advanced Features of SAP BW Reporting Authorizations|https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/1b439590-0201-0010-ea8e-cba686f21f06]
    Thanks
    Chandran

  • Transaction based security vs. Authorization based security

    Hi All, just a general question: does anyone know any pros and cons about implementing transaction based security vs. authorization object based?
    Thanks Mike

    Well, the Tcode goes into an authorization object as well, namely S_TCODE, so it always boils down to authorization objects. When properly configured, PFCG will propose all necessary authorization objects once you put a transaction in the role menu. On a new system, have a look at SU25 and its documentation to set up PFCG.
    In my opinion putting the relevant transactions in the roles first and fine tuning the authorization values afterwards is the right way to go. Tracing may help but is no substitute for testing.

  • Issuance Authorization Based on Group Membership

    Hello,
    I have what should be a simple problem but for the life of me I can't get my claims to work like I believe they should. We use BOX with open enrollment and are looking at restricting who can access the site and have an account provisioned for them.
    The goal is to use an existing set of groups to restrict access to the BOX site. I've read many posts about creating Issuance Authorization claims and have copied their examples for my use but nothing seems to work.
    Our group naming standard for BOX access is "app-box-*" as we have several groups that are all billable to different areas.  I want to use "app-box'*" in the language so I don't have to add 50 different rules for each group.
    Claims that are being sent to BOX right now are: Email Address, Given name, surname, name, and group.  I'm only sending BOX the app-box* groups a user is a member of by using this rule:
    c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "^App-Box-.*"] => issue(claim = c);
    That seems to work just fine as I see the groups listed in my claim to BOX in my Fiddler trace. Next step is to create the issuance rules and restrict the access. I've tried two different rules so far and both haven't worked. I've also modified them to just refer to one of the BOX groups specifically instead of the wildcard, but still no dice...
    Claim built by the "permit or deny users based on incoming claim" wizard
    c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "^App-Box-.*"]
     => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");
    Custom rule built by me from various blog posts.
    Exists([Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "^App-Box-.*"])
     => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
    I get the dreaded event 325:
    The Federation Service could  not authorize token issuance for caller 'DOM\username
    '. The caller is not authorized to request a token for the relying party 'box.net'. Please see event 501 with the same instance id for caller identity. 
    Additional Data 
    Instance id: fe28fe86-b588-472f-9a35-7818a5be53d4 
    Relying party: box.net 
    Exception details: 
    Microsoft.IdentityServer.Service.IssuancePipeline.CallerAuthorizationException: MSIS5007: The caller authorization failed for caller identity DOM\Username for relying party trust box.net.
       at Microsoft.IdentityModel.Threading.AsyncResult.End(IAsyncResult result)
       at Microsoft.IdentityModel.Threading.TypedAsyncResult`1.End(IAsyncResult result)
       at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.Issue(IssueRequest issueRequest)
       at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.ProcessRequest(Message requestMessage) 
    User Action 
    Use the AD FS 2.0 Management snap-in to ensure that the caller is authorized to request a token for the relying party.
    Error 325 is eventually followed by error 364:
    Encountered error during federation passive request. 
    Additional Data 
    Exception details: 
    Microsoft.IdentityServer.Web.AuthorizationFailedException: MSIS7011: Access denied.
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.RequestBearerToken(HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String& samlpSessionState, String& samlpAuthenticationProvider)
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseCoreWithSerializedToken(String signOnToken, WSFederationMessage incomingMessage)
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseForProtocolRequest(FederationPassiveContext federationPassiveContext, SecurityToken securityToken)
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponse(FederationPassiveContext federationPassiveContext, SecurityToken securityToken)
    Can anyone help point me in the right direction?  Using ADFS 2.0 server 2008r2.  No proxies or anything, just direct connections to the ADFS boxes.
    Thanks,
    Adam

    Issuance Authorization rules are executed BEFORE the transform rules so you're looking for a claim that doesn't exist (yet). Create a rule at the top of your authorization rule tab using "add" instead of "issue" then in a following rule (same tab) issue the permit depending on if the user has that claim.
    WORK
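
    The fix described in the reply above, written out as the two rules for the Issuance Authorization Rules tab. This is an added example, not the poster's or the replier's own rules; it assumes the group names are read from the built-in "Active Directory" attribute store through tokenGroups, keyed on the windowsaccountname claim issued by "AD AUTHORITY", and the @RuleName labels are made up for illustration:

    ```text
    @RuleName = "Example: load AD groups into the authorization input set (assumes AD attribute store)"
    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
     => add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/Group"), query = ";tokenGroups;{0}", param = c.Value);

    @RuleName = "Example: permit only members of an App-Box-* group"
    c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "^App-Box-.*"]
     => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
    ```

    Because the first rule uses add rather than issue, the group claims exist only while the authorization rules are evaluated; the existing transform rule still decides which groups are sent to BOX. Any catch-all "Permit Access to All Users" rule left on the same tab would still permit every caller regardless of group, so it has to be removed for the restriction to take effect.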
