Authorization check failed

Similar Messages

• Authorization Check Failed for HR P_ORGIN on VDSK1

  Hi Experts,
  We have an issue where an HR secretary is making an address change to an employee via pa30.  She is successfully able to save the change with no warning on the screen.  However, when we run /nsu53 immediately after, we see that there was an authorization check failed.  The check failed is in class HR, object P_ORGIN.  The field is VDSK1.  We have values defined there, whereas SAP is requesting a *.  We do not want to use the *, but the value in VDSK1 is correct and should not be failing.
  Anyone ever see this issue before?
  Thanks
  Shane

  Hi Shane,
  Since the secretary was able to save the record I assume there is no issue with the role. SU53 always shows last failed authorisation check. Even if transaction has been succesful you normally find failed authorisation checks from SU53. In your case I assume that PA30 checks first that if user happens to have P_ORGIN with * value in VDSK1. If not then it checks employees infotype 0001 and organisational key and tries to match that to the value in the role. If you pass this check SU53 will still show failed check where VDSK1=*.
  So this is normal behaviour for SU53 and nothing to be worried about. Annoying is when SU53 gives something sill as last check after error. Annoying are SU53 reports from users to add S_DEVELOP with Debug object because programmer has decided to leave break-point to program.
  cheers, s

• "ADFC-0619: Authorization check failed" on standalone WLS10.3.2

  Hi,
  After migrating from 11.1.1.1.0 to 11.1.1.2.0 we run into the following authorization problem:
  ADFC-0619: Authorization check failed: 'pages/UIShell.jspx' 'VIEW'. (as popup, logging at debug level doesn't give more info)
  This error occurs after the user has logged in with correct username/password, and continues from Home.jspx to UIShell.jspx.
  - When testing with JDeveloper on embedded WLS, everything works fine. But as soon as we deploy to standalone WLS 10.3.2, this problem starts.
  - We checked jazn-data.xml on the standalone WLS, but it no missing parts there compared to the 11.1.1.1.0 deployment version.
  - A difference between embedded WLS and standalone WLS is that for the standalone we use LDAP for user authentication. We had this setup working on 11.1.1.1.0, so what has changed?
  A similar situation is described here:
  ADF 11g security: deploy to WebLogic 10.3.1
  Any clues or directions?
  Thanks alot,
  Gerben

  I found a workaround for my problem. Because we're using custom authorization (JHeadstart) in our applications, we don't need adf authorization. So I've just simply set authorizationEnforce to "false" in adf-config.xml, which works in our case.
  Following blogposts helped alot:
  http://hardnoxjava.blogspot.com/2009/02/how-we-handled-adf-security.html
  http://andrejusb.blogspot.com/2009/01/practical-adf-security-deployment-on.html
  -- Gerben

• HCM Transfer process - Authorization Check Failed

  Hi All
      We are trying to run the Standard Transfer  process of HCM . We are trying to run the tcode u201C HRASR_TEST_PROCESSu201D  Can anybody Tell us what authorization objects does a user  require to run this process if the user does not have SAP_All Authorization.
  We have already added u201CP_ASRCONTu201DAuthorization object  as suggested by sap .
  We are failing in some HR authorization check but we have already added the same in useru2019s profile and it has already been genereated . 
  Note : We have already ran this process with SAP_All Authorization and it ran succesfully . Employee was Succesfully transferred to the new position .
  Please check the shreen  shots (click the links) below to get an idea of the problem .
  Authorization Check Failed :
  Link : [http://www.mediafire.com/?edtznzkmdm0]
  Process flow :
  Link : [http://www.mediafire.com/?ytxz3wlmjiz]
  Please click on " Click here to start download.. "  to check the screenshots.

  Hi, Mr. Joe Bo.
  Thanx for your reply. We are using ECC6 (HP Unix with Oracle)
  Basis Patch - 15, Kernel 159
  I have seen the the note but it's showing ccms method defination settings, but for my case we are yet to go live we have not made any settings from sap they are planning to run a session for the go live. When i am running sdcc i am getting a error in the system log "Failed to activate authorization check for user SAPSYS"
  Thanks & Regards
  Venkatesan J

• ADFC-0619: Authorization check failed

  I am running JDeveloper 11.1.2.4
  ADF Security is enabled for the application.
  Security model is ADF Authentication and Authorization.
  I have created roles for employee, manager and admin.
  The roles are used to hide/display menu items and to allow/disallow access to task flows.
  I have dozens of task flows and this approach has worked well for some time.
  I added a new task flow that is accessible only to the admin role. The menu item is rendered only if the user is in the admin role. View access to the task flow is only granted to the admin role.
  As with new task flows in the past, I created and deployed an .ear file on my stand alone WLS. I then tested the functionality. This works as expected.
  I then gave the .ear file to our system admin to deploy on the sun server WLS. The deployment went fine but when I log in as an admin user and try to access the new menu item and task flow, the menu item is rendered but it says that the user is not authorized for the task flow.
  ADFC-0619: Authorization check failed: '/WEBINF/PlnDollarsSpentLineGraphTF.xml#PlnDollarsSpentLineGraphTF' 'VIEW'.
  Since the menu item is rendered I know that the user is assigned to the admin group. Access to all other menu items and task flows in the application is correct. Only having a problem with the new task flow.
  It would appear that the problem is with the .ear file rather than WLS. However, it works fine on my stand alone WLS and I looked at the jazn-data.xml file in the .ear file. It looks normal. The entry for the task flow looks like all the other task flow entries.
  Any ideas?
  Thanks for your help, Steve

  I examimed the system-jazn-date.xml file and found that the entry for the new task flow did not make it from the jazn-data.xml file into the system-jazn-data.xml file. I had the server system administrator do the deploy a second time. This time the system-jazn-date.xml file was updated properly and the new functionality is working.
  If anyone has an idea why system-jazn-date.xmp did not get updated in the first deployment I would be very interested.
  Thanks, Steve

• ADFC-0619: Authorization check failed implementing popup through taskflow

  Hi All,
  I receive the error ADFC-0619: Authorization check failed: '/WEB-INF/main-task-flow-template.xml#main-task-flow-template' 'VIEW'. when accessing the taskflow that will show as a popup as described in this blog: http://andrejusb.blogspot.com/2013/03/reusable-adf-region-with-dialog.html. I created a sample application and I have it working as expected.  The sample app has no security configured.  When I put the functionality into our main app the error occurs.  I have checked the jazn-data.xml and have granted a role to both the task flow and the web page.
  Our app is setup where I have a task flow template that most taskflows inherit from.  The calling page is inherited from the template which uses page fragments.  The taskflow for the popup is not inherited from the template and does not use page fragments.
  I am using 11.1.1.6.  The error happens when deploying to the Integrated server as well as a local WLS.  I read a few forum posts on this subject and some folks removed the anonymous role.  I have this role defined but is is only used for my login page so I don't want to remove it from there.
  Appreciate the help as this is blocking me from working on the functionality within the popup.
  Thank you - Rudy

  Resolved.  Our Application is setup as described by Jobinesh in the book "Oracle ADF Real World Developer's Guide".  In this case we have a separate application called "Common", within that we have projects for the ADFFrameWorkExtension, CommonModel, CommonUtilities and CommonUI.  The CommonUI project contains the main-task-flow-template and errorPage.jsff as well as the MainTemplate.jspx.  Each of these projects are deployed as a jar and imported into the main project.
  In the jazn-data.xml under Resource Grants, Resource Type = Task Flow, check the option to "Show task flows imported from ADF libraries".  This showed the main-task-flow-template which I granted the anonymous-role view action.
  When I run it now shows the popup.

• Web Composer Admin Customization:'Authorization check failed' error

  Hi,
  The purpose of Web Composer Admin Customization is to enable the administration link in the UI pages so that the administrator will be able to customize the pages.
  The steps to be followed to enable admin customization in the required pages are given in the following link under the subheading 'Web Composer Admin Customization':
  https://stbeehive.oracle.com/teamcollab/wiki/Fusion+Applications+Technical+Architecture:Enabling+Customizations
  I ensured that:
  The jazn-data.xml file has a privilege role "FND_VIEW_ADMIN_LINK_PRIV", and a grant to access the admin menu.
  A duty role "FND_ADMINISTRATION_LINK_VIEW_DUTY" had been defined, and was a member of FND_VIEW_ADMIN_LINK_PRIV.
  The FND_ADMINISTRATION_LINK_VIEW_DUTY is inherited by the administrator enterprise role.
  A new privilege role (Customize <Family> UI) had been created.
  I then granted the 'customize' and 'personalize' actions on the pages and the corresponding task flows (for which customization had to be enabled) to the new privilege role.
  Also, ensured that:
  A new app role (Customize <Family> UI) was created and was a member of the new privilege role. The app role was inherited by the administrator enterprise role.
  The testing administrator role has both the administrator enterprise role and the enterprise role that has view access to the page.
  Now, when i tried to run one of the pages (for which customize and personalize actions were granted to the new privilege role) from JDeveloper, i got the following error:
  oracle.adf.controller.security.AuthorizationException: ADFC-0619: Authorization check failed: 'oracle.jbo.uicli.binding.JUFormDef@d94f3e' 'VIEW'.
  at oracle.adf.controller.internal.security.AuthorizationEnforcer.handleFailure(AuthorizationEnforcer.java:180)
  at oracle.adf.controller.internal.security.AuthorizationEnforcer.internalCheckPermission(AuthorizationEnforcer.java:160)
  at oracle.adf.controller.internal.security.AuthorizationEnforcer.checkPermission(AuthorizationEnforcer.java:114)
  at oracle.adfinternal.controller.state.ControllerState.checkPermission(ControllerState.java:632)
  at oracle.adfinternal.controller.state.ControllerState.initializeUrl(ControllerState.java:669)
  at oracle.adfinternal.controller.state.ControllerState.synchronizeStatePart2(ControllerState.java:447)
  at oracle.adfinternal.controller.application.SyncNavigationStateListener.afterPhase(SyncNavigationStateListener.java:46)
  at oracle.adfinternal.controller.lifecycle.ADFLifecycleImpl$PagePhaseListenerWrapper.afterPhase(ADFLifecycleImpl.java:531)
  at oracle.adfinternal.controller.lifecycle.LifecycleImpl.internalDispatchAfterEvent(LifecycleImpl.java:120)
  at oracle.adfinternal.controller.lifecycle.LifecycleImpl.dispatchAfterPagePhaseEvent(LifecycleImpl.java:168)
  at oracle.adfinternal.controller.faces.lifecycle.ADFPhaseListener$PhaseInvokerImpl.dispatchAfterPagePhaseEvent(ADFPhaseListener.java:124)
  at oracle.adfinternal.controller.faces.lifecycle.ADFPhaseListener.afterPhase(ADFPhaseListener.java:70)
  at oracle.adfinternal.controller.faces.lifecycle.ADFLifecyclePhaseListener.afterPhase(ADFLifecyclePhaseListener.java:53)
  at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl._executePhase(LifecycleImpl.java:398)
  at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:185)
  When i granted the view action on the page ( in addition to the customize and personalize actions) to the new privilege role and ran the page from JDeveloper, the page came up fine but the administration link that is supposed to appear was not seen.
  Can any of you please provide suggestions regarding the cause of the above error and how i should go about debugging it.
  Thanks,
  Rohan

  Posted it in the forum suggested by Frank.

• ADFC-0619: Authorization check failed: 'oracle.jbo.uicli.binding.JUFormD

  JDev version : 11.1.1.4
  WLS : 10.3.4
  Hi All,
  Recently we have migrated JDev from 11.1.1.3 to 11.1.1.4 and WLS from 10.3.3 to 10.3.4. We had security enabled in our application and use to work without any issues in our previous version (before migration). We are getting below error after migration and not able to access our application.
  Error 500--Internal Server Error
  oracle.adf.controller.security.AuthorizationException: ADFC-0619: Authorization check failed: 'oracle.jbo.uicli.binding.JUFormDef@d856cd' 'VIEW'.We get this exception as soon as log in is successful. We have tried with different users including administrator who has complete permissions but got same exception. Note that same application is working in previous version.
  Please help us in resolving this issue. Below I have mentioned complete stack trace.
  More details:
  Policy store : jaxz-data.xml
  Identity store : integrated WLS LDAP
  WLS : standalone WLS
  Error 500--Internal Server Error
  oracle.adf.controller.security.AuthorizationException: ADFC-0619: Authorization check failed: 'oracle.jbo.uicli.binding.JUFormDef@d856cd' 'VIEW'.
  at oracle.adf.controller.internal.security.AuthorizationEnforcer.handleFailure(AuthorizationEnforcer.java:180)
  at oracle.adf.controller.internal.security.AuthorizationEnforcer.internalCheckPermission(AuthorizationEnforcer.java:160)
  at oracle.adf.controller.internal.security.AuthorizationEnforcer.checkPermission(AuthorizationEnforcer.java:114)
  at oracle.adfinternal.controller.state.ControllerState.checkPermission(ControllerState.java:632)
  at oracle.adfinternal.controller.state.ControllerState.initializeUrl(ControllerState.java:669)
  at oracle.adfinternal.controller.state.ControllerState.synchronizeStatePart2(ControllerState.java:447)
  at oracle.adfinternal.controller.application.SyncNavigationStateListener.afterPhase(SyncNavigationStateListener.java:46)
  at oracle.adfinternal.controller.lifecycle.ADFLifecycleImpl$PagePhaseListenerWrapper.afterPhase(ADFLifecycleImpl.java:531)
  at oracle.adfinternal.controller.lifecycle.LifecycleImpl.internalDispatchAfterEvent(LifecycleImpl.java:120)
  at oracle.adfinternal.controller.lifecycle.LifecycleImpl.dispatchAfterPagePhaseEvent(LifecycleImpl.java:168)
  at oracle.adfinternal.controller.faces.lifecycle.ADFPhaseListener$PhaseInvokerImpl.dispatchAfterPagePhaseEvent(ADFPhaseListener.java:124)
  at oracle.adfinternal.controller.faces.lifecycle.ADFPhaseListener.afterPhase(ADFPhaseListener.java:70)
  at oracle.adfinternal.controller.faces.lifecycle.ADFLifecyclePhaseListener.afterPhase(ADFLifecyclePhaseListener.java:53)
  at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl._executePhase(LifecycleImpl.java:398)
  at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:185)
  at javax.faces.webapp.FacesServlet.service(FacesServlet.java:265)
  at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
  at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
  at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:300)
  at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
  at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
  at oracle.adf.model.servlet.ADFBindingFilter.doFilter(ADFBindingFilter.java:205)
  at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
  at oracle.adfinternal.view.faces.webapp.rich.RegistrationFilter.doFilter(RegistrationFilter.java:106)
  at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:446)
  at oracle.adfinternal.view.faces.activedata.AdsFilter.doFilter(AdsFilter.java:60)
  at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:446)
  at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl._doFilterImpl(TrinidadFilterImpl.java:271)
  at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl.doFilter(TrinidadFilterImpl.java:177)
  at org.apache.myfaces.trinidad.webapp.TrinidadFilter.doFilter(TrinidadFilter.java:92)
  at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
  at oracle.adf.library.webapp.LibraryFilter.doFilter(LibraryFilter.java:175)
  at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
  at oracle.security.jps.ee.http.JpsAbsFilter$1.run(JpsAbsFilter.java:111)
  at java.security.AccessController.doPrivileged(Native Method)
  at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:313)
  at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUtil.java:413)
  at oracle.security.jps.ee.http.JpsAbsFilter.runJaasMode(JpsAbsFilter.java:94)
  at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:161)
  at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:71)
  at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
  at oracle.dms.servlet.DMSServletFilter.doFilter(DMSServletFilter.java:136)
  at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
  at weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:27)
  at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
  at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3715)
  at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3681)
  at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
  at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
  at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2277)
  at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2183)
  at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1454)
  at weblogic.work.ExecuteThread.execute(ExecuteThread.java:207)
  at weblogic.work.ExecuteThread.run(ExecuteThread.java:176)Thanks,
  Ravindra

  What we observed is that non of our application security policies are getting migrated to system-jazn-data.xml file during deployment. This was working in previous version.
  weblogic-application.xml file contents:
  <?xml version = '1.0' encoding = 'windows-1252'?>
  <weblogic-application xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.bea.com/ns/weblogic/weblogic-application http://www.bea.com/ns/weblogic/weblogic-application/1.0/weblogic-application.xsd" xmlns="http://www.bea.com/ns/weblogic/weblogic-application">
    <xml>
      <parser-factory>
        <saxparser-factory>oracle.xml.jaxp.JXSAXParserFactory</saxparser-factory>
        <document-builder-factory>oracle.xml.jaxp.JXDocumentBuilderFactory</document-builder-factory>
        <transformer-factory>oracle.xml.jaxp.JXSAXTransformerFactory</transformer-factory>
      </parser-factory>
    </xml>
    <application-param>
      <param-name>jps.credstore.migration</param-name>
      <param-value>OVERWRITE</param-value>
    </application-param>
    <application-param>
      <param-name>jps.policystore.migration</param-name>
      <param-value>OVERWRITE</param-value>
    </application-param>
    <listener>
        <listener-class>oracle.communications.brm.pdc.server.common.PricingApplicationLifeCycleListener</listener-class>
    </listener>
    <listener>
      <listener-class>oracle.adf.share.weblogic.listeners.ADFApplicationLifecycleListener</listener-class>
    </listener>
    <listener>
      <listener-class>oracle.mds.lcm.weblogic.WLLifecycleListener</listener-class>
    </listener>
    <listener>
      <listener-class>oracle.security.jps.wls.listeners.JpsApplicationLifecycleListener</listener-class>
    </listener>
    <listener>
      <listener-class>oracle.security.jps.wls.listeners.JpsAppVersionLifecycleListener</listener-class>
    </listener>
    <library-ref>
      <library-name>adf.oracle.domain</library-name>
    </library-ref>
    <library-ref>
      <library-name>oracle.jsp.next</library-name>
    </library-ref>
  </weblogic-application>

• ADFC-0619: Authorization check failed: 'oracle.jbo.uicli.binding.JUFormDef

  JDev version : 11.1.1.4
  WLS : 10.3.4
  Hi All,
  Recently we have migrated JDev from 11.1.1.3 to 11.1.1.4 and WLS from 10.3.3 to 10.3.4. We had security enabled in our application and use to work without any issues in our previous version (before migration). We are getting below error after migration and not able to access our application.
  Error 500--Internal Server Error
  oracle.adf.controller.security.AuthorizationException: ADFC-0619: Authorization check failed: 'oracle.jbo.uicli.binding.JUFormDef@d856cd' 'VIEW'.
  We get this exception as soon as log in is successful. We have tried with different users including administrator who has complete permissions but got same exception. Note that same application is working in previous version.
  Please help us in resolving this issue. Below I have mentioned complete stack trace.
  More details:
  Policy store : jaxz-data.xml
  Identity store : integrated WLS LDAP
  WLS : standalone WLS
  Error 500--Internal Server Error
  oracle.adf.controller.security.AuthorizationException: ADFC-0619: Authorization check failed: 'oracle.jbo.uicli.binding.JUFormDef@d856cd' 'VIEW'.
       at oracle.adf.controller.internal.security.AuthorizationEnforcer.handleFailure(AuthorizationEnforcer.java:180)
       at oracle.adf.controller.internal.security.AuthorizationEnforcer.internalCheckPermission(AuthorizationEnforcer.java:160)
       at oracle.adf.controller.internal.security.AuthorizationEnforcer.checkPermission(AuthorizationEnforcer.java:114)
       at oracle.adfinternal.controller.state.ControllerState.checkPermission(ControllerState.java:632)
       at oracle.adfinternal.controller.state.ControllerState.initializeUrl(ControllerState.java:669)
       at oracle.adfinternal.controller.state.ControllerState.synchronizeStatePart2(ControllerState.java:447)
       at oracle.adfinternal.controller.application.SyncNavigationStateListener.afterPhase(SyncNavigationStateListener.java:46)
       at oracle.adfinternal.controller.lifecycle.ADFLifecycleImpl$PagePhaseListenerWrapper.afterPhase(ADFLifecycleImpl.java:531)
       at oracle.adfinternal.controller.lifecycle.LifecycleImpl.internalDispatchAfterEvent(LifecycleImpl.java:120)
       at oracle.adfinternal.controller.lifecycle.LifecycleImpl.dispatchAfterPagePhaseEvent(LifecycleImpl.java:168)
       at oracle.adfinternal.controller.faces.lifecycle.ADFPhaseListener$PhaseInvokerImpl.dispatchAfterPagePhaseEvent(ADFPhaseListener.java:124)
       at oracle.adfinternal.controller.faces.lifecycle.ADFPhaseListener.afterPhase(ADFPhaseListener.java:70)
       at oracle.adfinternal.controller.faces.lifecycle.ADFLifecyclePhaseListener.afterPhase(ADFLifecyclePhaseListener.java:53)
       at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl._executePhase(LifecycleImpl.java:398)
       at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:185)
       at javax.faces.webapp.FacesServlet.service(FacesServlet.java:265)
       at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
       at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
       at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:300)
       at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
       at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
       at oracle.adf.model.servlet.ADFBindingFilter.doFilter(ADFBindingFilter.java:205)
       at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
       at oracle.adfinternal.view.faces.webapp.rich.RegistrationFilter.doFilter(RegistrationFilter.java:106)
       at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:446)
       at oracle.adfinternal.view.faces.activedata.AdsFilter.doFilter(AdsFilter.java:60)
       at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:446)
       at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl._doFilterImpl(TrinidadFilterImpl.java:271)
       at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl.doFilter(TrinidadFilterImpl.java:177)
       at org.apache.myfaces.trinidad.webapp.TrinidadFilter.doFilter(TrinidadFilter.java:92)
       at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
       at oracle.adf.library.webapp.LibraryFilter.doFilter(LibraryFilter.java:175)
       at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
       at oracle.security.jps.ee.http.JpsAbsFilter$1.run(JpsAbsFilter.java:111)
       at java.security.AccessController.doPrivileged(Native Method)
       at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:313)
       at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUtil.java:413)
       at oracle.security.jps.ee.http.JpsAbsFilter.runJaasMode(JpsAbsFilter.java:94)
       at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:161)
       at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:71)
       at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
       at oracle.dms.servlet.DMSServletFilter.doFilter(DMSServletFilter.java:136)
       at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
       at weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:27)
       at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
       at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3715)
       at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3681)
       at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
       at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
       at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2277)
       at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2183)
       at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1454)
       at weblogic.work.ExecuteThread.execute(ExecuteThread.java:207)
       at weblogic.work.ExecuteThread.run(ExecuteThread.java:176)

  Usually, the security policy of the application is bundled in the EAR file. When you deploy the application the security policy is automatically migrated (e.g. added) to domain's security policy repository (e.g. <tt>system-jazn-data.xml</tt> file, if neither LDAP or DB repository is used). Also when you undeploy an application its security policy is removed from domain's security policy repository.
  My practical experience says that both of these happen only if the application has been targetted to WLS domain's admin server (i.e. if the application is targetted only to managed servers but not to the admin server, then the security policy is neither migrated nor removed).
  The trick I apply is to do the following:
  (1) Target and deploy the application to the admin server (so the security policy is migrated into <tt>system-jazn-data.xml</tt>);
  (2) Copy the migrated application's policy section from <tt>system-jazn-data.xml</tt> to the clipboard;
  (3) Undeploy the application from the admin server (the security policy is removed from <tt>system-jazn-data.xml</tt> in result);
  (4) Paste the security section back into <tt>system-jazn-data.xml</tt> file and save it;
  (5) Deploy the application to managed servers;
  (6) Restart the servers.
  (It is not necessary to undeploy the application at step 3, it is enough to remove the admin server from application's targets).
  I am not sure that this is the right approach, but it works and I have not found anything in the documentation about this topic.
  One more thing - the automatic migration of the security policy that is included in the EAR is controlled by the following parameter in <tt>weblogic-application.xml</tt> file:
  <application-param>
      <param-name>jps.policystore.migration</param-name>
      <param-value>OVERWRITE</param-value>
  </application-param>The policy is not migrated if this parameter is not set.
  If you deploy the application from JDeveloper, it will not be necessary to set this parameter in <tt>weblogic-application.xml</tt> manually because JDeveloper will do it for you. Just open the Application Properties dialog in JDev, go to page "Deployment" and check the checkbox "Application Policies". Then JDeveloper will automatically add this parameter into <tt>weblogic-application.xml</tt> file within the EAR files generated from this time onwards (do not be confused that it will not be added to the file in the IDE).
  Dimitar

• Authorization check failed Auth. Obj. M_MSEG_LGO Goods Movements

  Hello security team.
  We are using two roles for one authorization object to be checked in the MIRO transaction. One role (1) checks the S_TCODE and the authorization object M_MSEG_LGO for ACTVT and  BWART  fields. The other role (2) checks for the same authorization object M_MSEG_LGO for LGORT and WERKS fields. I mean that the complementary effect between the two profiles attached to one and only user and employing the same authorization object M_MSEG_LGO could satisfy the return code SY-SUBRC = 0.
  I have the detailed error message in a file. Please let me know if the issue is clear enough.
  Best Regards,
  Victor Sarabia
  Edited by: Victor  Sarabia Rangel on Mar 16, 2010 2:16 PM

  Hello  Prasant and Julius.
  When you enter a goods movement  using transaction MIGO  I use the movement type values for a good movement. vgr. movement type 987 - Init. entry of state balance or movement types 101,102 GR goods receipt & GR PO reversal BWART field from the authorization object  M_MSEG_LGO.  We gather the movement type values into groups that represents the structural basis that distinguish between , for example:  Goods Receipt with Outbound delivery or  Place in Storage with Material Document .
  Authorization profile 1 for Outbound Delivery with transaction MIRO.
  S_TCODE: MIRO
  M_MSEG_LGO: Inactive
  Authorizat. T-C161126200
  Profl. T-C1611262
  Role MM_AL_OPERACION_ENTRADAS MMA_GRC: OPERACIONES ALMACENES
  Authorization profile 2 Bolton
  M_MSEG_LGO maintained
  Authorizat. T-C161137500
  Profl. T-C1611375
  Role NIVORG_ALMACENENTRADAS_4515  BOLTON:  PLANT ORG LEVEL
  Authorization Field ACTVT Activity
  01, 02, 03
  Authorization Field BWART Movement Type (Inventory Management)                                                                                101, 102, 103, 104, 105, 122, 123, 543, 544, 901, 902, 903, 904, 905, 906, 915,                                                                                916, 925, 926, 947, 948, 979, 980, 981, 982, 987, 988, DMS, RMS
  Authorization Field LGORT Storage location
  1000-1100, 1071, 1CBE, 2000, 3000, 3500, 4000, 5000, 6000, 7000, REHA, T000
  Authorization Field WERKS Plant
  4013-4019
  Profile 1: transaction_code MIRO binds with Profile 2: M_MSEG_LGO, movement type 987 and Authorization Field WERKS Plant 4013 and Storage Location 3000 to satisfy the return code SY-SUBRC = 0 for Goods recepit&Oubound Delivery position in the organization
  The  binding between master profile 1 and the bolton profiles 2,3,4u2026u2026.n  results  in an  organized role framework and greater specificity for handling different positions in the organization.
  Thank you.
  Victor Sarabia

• RH_STRU_AUTHORITY_CHECK authorization check fails

  Hi,
  Authorization issue:
  The transaction codes PO10D and PO13D are used to display Organization Unit and Position details resp., but if the user does not have authorization to view all objects these Tcodes should not allow the user from seeing the details of the objects outside his structure. But in my case this authorization thing is failing and the system is allowing the user to view details of the Objects that does not fall under his structure...
  Please help me to understand how this thing can be restricted.
  Thanks in advance

  different function code
  AKTI     Activate
  GENE     Approve
  HITS     Career plan simulation
  HITK     Career planning hit list
  AEND     Change
  AENK     Change canteen field
  AENT     Change temporarily
  COP     Copy
  COPY     Copy object
  COPR     Copy room
  INSE     Create
  MASS     Create
  INSG     Create from OS/2
  DEL     Delete
  DELO     Delete object
  CUTI     Delimit
  CUT     Delimit object
  DISP     Display
  DUTY     Essential relationship
  QUIC     Fast Data Entry
  HITW     Hit list for E&T Planning
  INIT     Initialization
  INTE     Integration
  LISD     List display
  LIST     List display with change
  NEWL     New Language
  PLVO     Propose change
  PLVG     Proposed plan from OS/2
  ABLN     Reject
  SIMU     Simulation
  BEAN     Submit
  VORS     Succession plan screening

• Authorization-check P_PCR fails...

  Hey Guys,
  I have a little authorization problem... 
  I created a role with authorizationobject P_PCR. 
  Payroll Area                   B8    
  Activity                       Change
  In my program i have following code to check authorization :
  GET pernr.
    AUTHORITY-CHECK OBJECT 'P_PCR'
      ID 'ABKRS' FIELD pernr-abkrs
      ID 'ACTVT' FIELD '02'.
    IF sy-subrc NE 0.
      REJECT.
    ENDIF.
  * further processing..
  Everytime i execute this code, sy-subrc eq 4... :(.
  When i look into SU53 :
  The authorization check failed
    Authorization obj. <i>P_PCR</i>  HR: Payroll Control Record
      Object Class <i>HR</i>  Human Resources
                                      B8
        Activity                      02
  My user is added to the role, so i don't see anymore why i can't execute this report ...  Does anyone has an idea for me ?
  Thanks,
  Kind Regards,
  Tom

  Bon...  Found the error...
    AUTHORITY-CHECK OBJECT 'P_PCR'
      ID 'ABKRS' FIELD pernr-abkrs
      ID 'ACTVT' FIELD '02'.
    IF sy-subrc NE 0.
      REJECT.
    ENDIF.
  In object P_PCR the field is not AB<b>KR</b>S, but the field is AB<b>RK</b>S.
  So, problem solved...
  Greetz,
  Tom

• Authorization check by Cost centers

  Hello all,
  I developed a report in Report Painter and the requirement is that the users be able to run it only for their own CCtrs - challenge is that we are trying to not use variants, custom transactions and also modifying / checking authorization at at SU01 level.
  Is there any other way to do this and if yes can you pls provide some details.
  Thanks,
  Richa

  hi richa,
  Authorizations with Variables
  Definition
  Instead of using a single value or interval, you can also use variables in authorizations. The Customer Exit is called up for these variables while the authorization check is running. The call is carried out with I_STEP = 0. The intervals of characteristic values or hierarchies for which the user is authorized can be returned here. By doing this, the maintenance load for authorizations and profiles can be reduced significantly.
  Every cost center manager should only be allowed to evaluate data for his/her cost center. Within the SAP authorization standard, a role or a profile with the authorization for the InfoObject 0COSTCENTER equal to ‘XXXX’ (XXXX stands for the particular cost center) would have to be made for every cost center manager X. This then has to be entered in the user master record for the cost center manager.
  Using variables reduces the authorization maintenance workload with the InfoObject 0COSTCENTER equal to ‘$VARCOST’, as well as with the role or the profile, which is maintained for all cost center managers. The value of the variable ‘VARCOST’ is then set for runtime during the authorization check by the CUSTOMER-EXIT ‘RSR00001’.
  Maintaining the authorizations restricts the entries for the values to the length of the existing InfoObject. It is possible, however, to use both limits of the interval. In the example 0COSTCENTER with 4 spaces, the variable ‘VARCOST’ is, therefore, entered as ‘$VAR’ – ‘COST’.
  There is a buffer for these variables. If this buffer is switched on, the customer exit is only called up once for a variable with the authorization check. In doing so, you avoid calling up the customer exit for variables over and over, as well as decreasing performance. If you want to call up the customer exit each time, you have to deactivate this buffer in the Setting Up Reporting Authorizations. To do this, go to the main menu and choose Extras  ® Compatibility  ® Buffer for Variables (Customer-Exit)  ® Deactivate..
  You can also call up the customer exit for authorizations for hierarchies. There are two ways to do this:
         1.      Enter the variable in the authorization for characteristic 0TCTAUTHH. The customer exit is then called up while the authorization check is running. In the LOW fields of the return table E_T_RANGE, the system anticipates the technical name for the hierarchy authorization that you specified in the authorization maintenance (transaction RSSM).
  As a result, all parameters are available for such an authorization. Nevertheless, you must also create a new definition for each node.                                    
         2.      Where many authorizations differ from an authorization for a hierarchy only in respect to the nodes and not to the other authorizations, we suggest the following solution: Different users can be authorized for a specific hierarchy area (subtree). The highest node is different for each user.                                          
  Do this by creating an authorization for a hierarchy in the transaction RSSM and enter this in the authorization or role. Instead of specifying a particular node, you specify the variable in the authorization maintenance (transaction RSSM). The customer exit is then called up for the node while the authorization check is running. The return table E_T_RANGE must be filled according to the customer exit documentation (nodes in the LOW field, InfoObject of the node in the HIGH field
  Setting Up Reporting Authorizations
  Use
  Before you are able to set up reporting authorizations, you have to create authorization objects.
  As soon as an authorization object is saved, it can be checked when a query is run. The user may not have the appropriate authorizations if he or she has not yet been assigned this authorization object.
  Only when the user has been assigned the appropriate authorizations can he/she define and execute a query or navigate in an existing query.
  If in the query a characteristic value or a node is excluded, a complete authorization check “*” is required.
  Procedure
  Creating an authorization object
         1.      In the SAP Easy Access initial screen of the SAP Business Information Warehouse, choose the path SAP Menu ® Business Explorer ® Authorizations ® Reporting Authorization Objects.
         2.      Choose Authorization Object ® Create. Give the authorization object a technical name and a regular name. Save your entries.
         3.      On the right-hand side of the screen, an overview of all the InfoObjects that are authorization-relevant is displayed.
  Only those characteristics that have been flagged as authorization-relevant previously in the InfoObject maintenance screen can be assigned as fields for an authorization object. See also: Creating InfoObjects: Characteristics
         4.      Assign the InfoObject fields to the authorization object:
  ¡        Select the characteristics for which you want an authorization check of the selection conditions to be carried out.
  ¡        Select the InfoObject key figure (1KYFNM) if you want to restrict the authorization to a single key figure.
  ¡        Select the InfoObject (0TCTAUTHH) if you want to check authorizations for a hierarchy.
  ¡        Include the authorization field activity (ACTVT) in the authorization object if you want to check authorizations for documents.
         5.      Save your entries.
         6.      Go back to the initial screen of the authorization maintenance.
         7.      Choose Check for InfoProviders ® Display to get a list of the InfoProviders that contain the InfoObjects that you selected and are therefore subject to an authorization check (where-used list). In the change mode you can exclude individual InfoProviders from the authorization check for this authorization object by removing the flag.
  Authorization object:           S_RSRSAREA
  Name:                   Sales area
  Fields:                         DIVISION, CUSTGROUP, 1KYFNM
  Creating authorizations
  Authorizations are created and maintained in the role maintenance screens.
         1.      Choose Authorizations ® Roles ® Change.
         2.      Specify the roles that you want to change and choose Change. This takes you to the role maintenance screen.
         3.      On the Authorizations tabstrip, choose the Expert mode for generating profiles option.
         4.      Choose the Enter Authorization Objects Manually option, and specify the objects that you require. Choose Enter. The authorization object is added to the role.
         5.      Choose Generate.
  For more information, see Changing and Assigning Roles.
  Result
  The user is now able to work with queries
  Authorizations to Work with a Query
  Use
  Authorizations to work with a query are first checked in the dialog box to open a query.
  Furthermore, when a query is opened, the authorizations for the individual objects are checked.
  See also: Authorization Check When Executing a Query..
  Structure
  Check in the Open Dialog Box:
  When you open a query, you will see four buttons in the dialog box. The History, Favorites and Roles buttons only display your own queries and those queries intended for you per role definition.
  The InfoAreas button enables you to look at all queries for which the user has display authorization. If this display authorization is not restricted to queries, the user will see all available queries in the system here. It is possible to hide the InfoAreas button if you do not want the user to see all queries in the system. The authorization object S_RS_FOLD with the field SUP_FOLDER can be used here. In order to hide the InfoArea button, set this field to X when authorizing, otherwise leave the field blank “ “ or set it to * (asterisk – all authorizations).. The button will be displayed if the authorization check fails.
  Authorizations by User
  It is also possible to make queries from particular users (= OWNER = query creator) available to other users (= USER) for display or processing. The authorization object S_RS_COMP1 with four fields (COMPID, COMPTYPE, OWNER, ACTVT) is used here.
  You can grant this authorization to a particular team or use the variable $USER to give all users the authorization for queries that they created themselves. $USER is replaced by the corresponding user name during the authorization check.
  See also the Example for Reporting Authorizations.
  Authorizations for the BEx Broadcaster
  Using the authorization object S_RS_BCS, you can determine which user is allowed to register broadcasting settings for execution and in which way.
  Note:
  ·        The only authorization necessary for the online execution of broadcasting settings is the authorization for the execution of the underlying reporting objects (for example, the Web template).
  ·        Every user that has authorization to create background jobs also has authorization for direct scheduling in the background.
  ·        If you need to work under the name of another user to execute broadcast settings (for example with user-specific precalculations), the authorization object S_BTCH_NAM for background scheduling is also required for the other user. For more information, see Authorizations for Background Processing and Definition of Users for Background Processing
  Authorizations for Selection Criteria
  Definition
  The selection criteria of a query determine which data can be displayed after you have entered it in a workbook.
  An authorization check for certain InfoObjects only takes place if an authorization object with this InfoObject was already created in the authorization object class Business Information Warehouse.
  As soon as an authorization object is created, only authorized users can select query data.
  Use
  To decide whether a user should be authorized to work with a query, you should check whether authorization has been given to him/her for all selection criteria.
  Essential to the authorization of selection criteria is the authorization object S_RS_ICUBE.
  Definitions of authorizations for working with certain InfoCubes must be transported separately.
  See: Transporting Additional Information
  In general, it is not sufficient to give authorizations for individual InfoObjects (characteristics and key figures), or to check them separately from one another. It more usual that specific authorizations should be given for combinations of characteristics and key figures.
  It is therefore feasible that a "Sales Manager" is allowed to view the respective total sales figures for all sales areas, but is only authorized to break down "his/her" area (0001) according to the individual sales personnel. In this case, the following authorizations, which are grouped together, would be created and assigned.
  Sales area = *
  Sales personnel = :
  Key figure = Sales figures
  (‘:’ represents the authorization to view the values aggregated with the characteristic.
  Sales area = 0001
  Sales personnel = *
  Key figure = Sales figures
  The user frequently uses these "multidimensional" authorities in companies that are regional as well as product-oriented (matrix organization). In this way, you could arrange for the person responsible for the combination of a certain division and a certain sales area to have the exact authorization for the output of the relevant values, without him/her necessarily also having access to the data for the whole division or the whole sales area.
  Authorizations for the Query Definition
  Authorizations can be granted for the following objects for the query definition in the Business Explorer:
  The entire query
  Structures
  Calculated key figures
  Restricted key figures
  Variables
  The activities for the query definition are specified in the authorization object S_RS_COMP (Business Explorer - components). The authorization object has the following fields: InfoArea, InfoCube, component type, component name and activity.
  The following values are possible for the component type:
  REP: Entire query
  STR: Structure
  CKF: Calculated key figure
  RKF: Restricted key figure
  VAR: Variables
  By specifying an InfoArea or an InfoCube, you can further restrict the component types. By specifying a component name, you can specify the authorization for individual components in more detail. Components that begin with 0 are delivered by SAP and cannot be changed. Components that are within the customer name range must begin with a letter of the alphabet.
  Valid activities are:
  01 (create)
  02 (change)
  03 (display)
  06 (delete)
  At the moment, activities 16 (Execute) and 22 (Save for Reuse) are not checked for the query definition.
  User A is allowed to create, change or delete queries beginning with A1 and A6 within InfoArea 0001 in InfoCube 0002. In addition, the user is allowed to change the calculated key figures and structures (templates) already defined in this InfoProvider.
  Related authorizations for user A:
  InfoArea: ‘0001’
  InfoProvider: ‘0002’
  Component type: ‘REP’
  Component Name: ‘A1’, ‘A6’
  Activity: ‘01’, ‘02’, ‘06’
  InfoArea: ‘*’
  InfoProvider: ‘0002*’
  Component type: ‘STR’, ‘CKF’
  Component name: ‘*’
  Activity: ‘02’
  Authorizations for Display Attributes
  Definition
  Authorization-relevant display attributes are hidden in the query if the user does not have sufficient authorization to view them.
  Use
  For characteristics:
  The user needs to have complete authorization (*) to see the display attribute in the query.
  For the characteristic 0EMPLOYEE, the 0EMPLSTATUS attribute is authorization-relevant. Only users with authorization "*" for 0EMPLSTATUS can display the attribute in the query.
  For key figures:
  Key figures cannot be marked as authorization-relevant. To use this function nonetheless for key figure attributes, the system checks against meta object 1KYFNM. For this, the user requires authorization for the field 1KYFNM in the authorization object.
  The key figure attribute 0ANSALARY is contained in the 0EMPLOYEE characteristic.
  If the user has the 1KYFNM field in his or her authorization object, and authorization "*", he or she can display all key figure attributes.
  If the user has the 1KYFNM field in the authorization object and the 0ANSALARY key figure as a value of the authorization, he or she can only see this key figure attribute. If the user is not supposed to see this attribute, do not give the authorization "*" but only assign the key figures for authorization that are to be displayed.
  Authorizations for Navigation Attributes
  Use
  During authorization checks for navigation attributes, it is always the characteristic that is being used as a navigation attribute that is checked.
  Integration
  If referencing characteristics are used as navigation attributes, authorization for the basic characteristic is checked. You should, however, change this logic so that the referencing characteristic is checked for instead. In the maintenance screen for reporting authorizations, choose the following path from the main menu Extras  ® Compatibility  ® Navigation Attributes ® Switch Off.
  This function exists for reasons of compatibility. The authorization logic of referencing characteristics worked differently with the beginning of Release BW 2.0. From BW 2.0, Support Package 20 and in all of the releases that follow, for referencing characteristics as well, the authorization for exactly this characteristic (and not the basic characteristic, as was the case previously) is checked.
  Example
  In the query, you use characteristic A with the navigation attributes A__B and A__R. Characteristic R references characteristic B. For these navigation attributes, authorization for the basic characteristic B is checked. If you switch off the compatibility for navigation attributes option, B is checked for A__B, and R is check for A__R.
  Maintaining Authorizations for Hierarchies
  Use
  Authorizations for hierarchies determine up to which subarea of a hierarchy a user may drilldown.
  Prerequisites
  Before you can set authorizations for hierarchies, you must first transfer and activate the InfoObject 0TCTAUTHH from the Business Content. Make sure that the indicator Relevant for Authorization is set. You must also create an authorization object for which you want to set the authorization.
  Authorization for a hierarchy on the Profit Center characteristic (0PROFIT_CTR):
  Define an authorization object with 0PROFIT_CTR and 0TCTAUTHH.
  Example: You define a hierarchy for the basic characteristic B. For characteristic B there is a referencing characteristic R. If you use this hierarchy for characteristic R in the query, authorization for the basic characteristic B is checked. However, you can change this logic so that characteristic R is checked for instead. In the maintenance screen for reporting authorizations, choose the following path from the main menu Extras ® Compatibility ® Ref. Characteristics with Hierarchy ® Switch Off.
  You need the characteristic 0TCTAUTHH to specify the hierarchy in the authorization. If you add this characteristic to an authorization object, you can specify authorizations for hierarchies for all InfoObjects in the authorization object.
  Procedure
         1.      In the SAP Easy Access initial screen of the SAP Business Information Warehouse, choose SAP Menu ® Business Explorer ®Reporting Authorization Objects.
         2.      Choose Authorizations ® Authorization Definition for Hierarchies ® Change.
         3.      In the Definition, select the InfoObject, hierarchy and node.
  If there are several users who are authorized to work with just one part of a hierarchy (subtree) but the top node is different for each, you have the option of specifying a variable instead of a node.
  See also: Variable Types
  Instead of selecting a node, you can also set the Top of hierarchy indicator. This enables you to ensure that a user is authorized to use a hierarchy from the top node down to a determined level.
  You can select the top node here. However, if the hierarchy is being used in a query without a filter on this node, the user will not be able to execute the query.
  This is because the top-most visible node does not represent the actual top of the hierarchy. As, for example, there are other Remaining Leaves, there should always be exactly one internal node at the top of the hierarchy. Therefore, there is one internal node above the top-most visible node. If the hierarchy is used in a query without the top-most node being determined, it is compared with this unseen, internal node. So that the user has the correct authorizations, select the internal top of the hierarchy for this option.
         4.      Select the authorization type:
  ¡        0 for the node
  ¡        1 for a subtree below the node
  ¡        2 for a subtree below the node up to and including a level (absolute)
  You must define a level for this type. A typical example of an absolute level is data protection with regard to the degree of detail of the data (works council ruling: no reports at employee level only at more summarized levels).
  ¡        3 for the entire hierarchy
  ¡        4 for a subtree below the node up to and including a level (relative)
  You must specify a level that is defined relative to the node for this type. It makes sense to specify a relative distance if an employee may only expand the hierarchy to a certain depth below his or her initial node, but this node moves to another level when the hierarchy is restructured.
         5.      For types 2 and 4 you can specify, in Hierarchy Level, the level to which the user can expand the hierarchy.
  ¡        With authorization type 2 (up to and including a level, absolute) the level refers to the absolute number of the level in the hierarchy where the top-most node of the hierarchy is level 1.
  ¡        With authorization type 4 (up to and including a level, relative) the level number refers to the number of levels starting from the selected node itself which is level 1.
         6.      In the Validity Area you specify in exactly which ways a hierarchy authorization has to match a selected display hierarchy for it to be included in the authorization check.
  ¡        Type 0 (very high) : The name, version and key date of the hierarchy on which the hierarchy authorization is based have to agree with the selected display hierarchy.
  ¡        Type 1: The name and version of the hierarchy on which the hierarchy authorization is based have to agree with the selected display hierarchy.
  ¡        Type 2: The name of the hierarchy on which the hierarchy authorization is based has to agree with the display hierarchy.
  ¡        Type 3 (lowest) : None of the characteristics have to match.
  Note that in some circumstances, setting a check level that is too low may lead to more nodes being selected using hierarchy node variables that are filled from authorizations, than actually exist in the display hierarchy for the query. This can cause an error message.
  As a general rule, select the highest possible level for the check.
         7.      If you set the Node variable default value indicator, this definition of an authorization for a hierarchy is used as the default value for node variables.
  If more than several authorizations are assigned to a user for different subareas of the same hierarchy, one of these authorizations has to be defined as the default value. Only one node can be selected for a node variable on the variable screen of a query. So that this variable can be filled from the authorizations, the correct variable type has to be selected and an authorization has to be determined as the default value.
         8.      Specify a technical name for this definition. If you do not enter a value, a unique ID is set.
         9.      Now create an authorization for the new authorization object. To do this, enter the technical name of the definition as a characteristic value for the characteristic 0TCTAUTHH. Hierarchy authorizations and authorizations for characteristic values are added:
  ¡        Specify the value ‘ ‘ (a blank character) as a characteristic value if only hierarchy authorizations are to be in effect. If you specify more values these are authorized additionally.
  ¡        Specify the value “:” (a colon) when queries are also allowed without this characteristic.
  The value '’ (all characteristic values) is not supported for the characteristic 0TCTAUTHH. Nevertheless, if you specify the value ‚’ a ‚:’ is automatically generated instead because no other valid value is found.
  If you would like the user to be able to see all values and hierarchies for a characteristic, use the value '*' for this characteristic.
  If you use a drilldown hierarchy in the query, you restrict the highest node by a fixed node or a node variable.
  Definitions of authorizations for hierarchies must be transported separately. See: Transporting Additional Information
  Alternative Procedure:
  Manually Maintaining Reporting Authorizations
  Use
  You usually maintain authorizations in the role maintenance. However, in exceptional cases it could be more practical to create authorizations manually. This is the case if you have to assign every user his/her own role.
  Prerequisites
  Reporting authorization objects have been created.
  Procedure
  Assign Authorization Objects
         1.      In the SAP Easy Access initial screen of the SAP Business Information Warehouse, choose SAP Menu ® Business Explorer ® Authorizations ® Reporting Authorization Objects.
         2.      Choose Authorizations ® Authorizations for Several Users. Enter an interval and choose Change.
         3.      Select a characteristic from the left side of the screen. You can then display master data as a list or as a hierarchy. The right side of the screen shows you a list of all the selected users with the authorization profiles and roles you assigned.
         4.      You can now use Drag&Drop to assign additional authorization objects to the user.
         5.      Choose Generate authorizations. The system creates the authorizations and assigns them to the users.
  Assigning Authorizations for Hierarchies
  You can also make authorizations for hierarchies in the same transaction.
         1.      Select a characteristic.
         2.      You can use the context menu on the authorization object to determine up to which hierarchy level the authorization should apply.
  You can currently select exactly 1 level for each hierarchy and user.
         3.      Choose Generate authorizations. The system creates the authorizations and assigns them to the user.
  Result
  The system has created individual authorization profiles.
  thanks
  karthik
  reward me ipoints if the above is usefull to you

• Authorization access failed

  Hi Experts,
  I am trying to do the Reversal of PGI. Using VL09 I entered the document num and tried execute REVERSAL. System was throwing an error " You are not authorised to reverse goods issue for shipping point XXX". Then I tried SU53 checking my authorization.I find no information except ''Authorization check failed''. Can you please help me find some solution for this.
  Thanks in Advance,
  Kanna.

  Hi,
  On the node after Authorization check failed, you will see the object class, authorization object, etc.
  Just capture these info and forward to Basis team to added into your user id.
  Cheers.

• Failed to activate authorization check for user SAPSYS

  Hi Experts
  I am trying to run the sdcc, it was throwing time_out error. i have increased the work process runtime. now
  i am getting a error Failed to activate authorization check for user SAPSYS.
  Please help me to solve this issue.
  Regards
  Venkat

  Hi, Mr. Joe Bo.
  Thanx for your reply. We are using ECC6 (HP Unix with Oracle)
  Basis Patch - 15, Kernel 159
  I have seen the the note but it's showing ccms method defination settings, but for my case we are yet to go live we have not made any settings from sap they are planning to run a session for the go live. When i am running sdcc i am getting a error in the system log "Failed to activate authorization check for user SAPSYS"
  Thanks & Regards
  Venkatesan J