Authorization Check on Multiprovider level

Similar Messages

• Authorization check at diff levels

  I need this functionality:
  several authorization checks should be implemented.
  ·         Selection on Plant level (authorized yes or no is then taken care within the authorization role)
  ·         When this was successful, check further whether User is authorized for Change, or only for Display mode. When User is only authorized for Display mode, the different button’s e.g. ‘Approve’ ‘Cancel’… are not visible at all or great out. (this is as well then on user level maintained via authorization role)
  How should we do this using ABAP?
  Regards

  Check with below link :
  https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/a92195a9-0b01-0010-909c-f330ea4a585c
  Thanks
  Seshu

• No Authorization check for MultiProvide (S_RS_MPRO)

  Hello Every body
  We have a problem regarding the authorization check for MultiProviders. We have assigned the auth. object S_RS_MPRO to a user for one specific MultiProvider. We have also turned on the settings for "MultiProvider" and "MultiPro. (Query) in IMG.
  Unfortunately the user has access to all the MultiProviders. We have traced the user and have found out, that there is no authorization check for the MultiProviders.
  We have tried to remove the settings mentioned above and use “InfoCube (Query)” setting instead in conjunction with S_RS_ICUBE. No luck here neither.
  One thing that could be important to mention is that the Settings for "MultiProvider" and "MultiPro. (Query) in IMG has been implemented before the object has been assigned to a user.
  For that We removed the settings from all Roles, and then we assigned the object to a user, and at last we activated the settings for "MultiProvider" and "MultiPro. (Query) in IMG. No luck here neither.
  Bottom line is that the system does not check for S_RS_MPRO
  Any kind of suggestion would be appreciated
  /FZA
  SAP_BW 350
  SP 12
  BI_CONT 353
  PI_BASIS 2004_1_640

  0.820 BW-BEX-OT-OLAP-AUT 619778 No check of S_RS_ICUBE for Multiprovider 16.10.2003
  2. 0.800 BW-WHM-DST-AUT 626385 Multiprovider: Authorization in query fails 07.10.2003
  3. 0.790 BW-BEX-OT-OLAP-AUT 662617 Activity is 'Change', but only 'Display' is checked 07.01.2004
  4. 0.760 BW-WHM-DST-AUT 626574 MultiProvider authorization check during query 17.10.2003
  5. 0.760 BW-WHM-DBA-MPRO 520588 New authorization object S_RS_MPRO 05.11.2003
  6. 0.750 BW-WHM-DST-AUT 736996 Authorization check performed on S_RS_MPRO 28.06.2004
  7. 0.700 BW 693363 SAPBWNews BW SP03 NW'04 Stack 03 RIN 22.04.2005
  8. 0.690 BW 692636 SAPBWNews BW SP02 NW'04 Stack 02 RIN
  hallo
  Please have allok at the mentioned OSS note
  Mike

• LDB PNP authorization check at record level - rp_provide_from_last

  hi,
  i am using LDB PNP,
  I am using macro 'rp-provide-from-last' .
  I neeed to place a authorization check so that the user of the program should only be allowed to view records of the people which comes under the same personnel area as of the user of the program.
  Can you please guide me on how to implement this?
  thanks in advance,
  akash.

  Hi,
  (1)
  Actually, if you're wirting report with PNP LDB, you do NOT need to do this hard-coded auth checking at all. Because the LDB abap code behind PNP has already do this job for you.
  So all you need to do is to ask you HR consultant or Basis consultant to modify the authority config of certain ROLE with t-code PFCG, and then assign that ROLE to certain user with t-code SU01.
  ABAP code behind PNP will automatically verify the current user according to his ROLE setting.
  (2)
  In some case you do not work with LDB report, then you need to do the authority check by yourself. General function  AUTHORITY_CHECK is what you need.  AUTHORITY_CHECK do the authority check by means of Authority Object.Belows are authority objects used in HR module(you can also see in PFCG if technial name switched on):
  P_ORGIN    HR: Master Data
  PLOG       Personnel Planning
  P_PCLX     HR: Clusters
  P_TCODE    HR: Transaction codes
  Sample of checking personal area:
  CALL FUNCTION 'AUTHORITY_CHECK'
       EXPORTING
            FIELD1              = ' PERSA'
            OBJECT              = 'P_ORGIN'
            USER                = 'SAPSUPPORT1'
            VALUE1              = 'Z001'  
       EXCEPTIONS
            USER_DONT_EXIST     = 1
            USER_IS_AUTHORIZED  = 2
            USER_NOT_AUTHORIZED = 3
            USER_IS_LOCKED      = 4
            OTHERS              = 5.  
  IF SY-SUBRC NE 2.
  MESSAGE E001(01) RAISING AUTH_FAILED.
  ENDIF.
  Reward if helpful pls!

• Direct database data access without data level authorization check

  Hello,
  My customer raised issue about direct database data access. Due to the customeru2019s strong security policy, it shouldnu2019t be allowed.
  To prevent this kind of illegal data access, customer ask me to list up all the possibilities to display data without data level authorization check.
  The things in my mind are
  SQL Command Editor (for Oracle based system) : ORASPACE, DB02, ST04
  Query Based : SQVI (Quick Viewer), SQ01/SQ02/SQ03 (SAP Query)
  Data Browser : SE11, SE12, SE16, SE16N, SE17
  Table Maintenance : SM30
  Function Module : RFC_READ_TABLE
  Function Module : DB_EXECUTE_SQL (DML)
  Anyone knows anything which is not listed above?
  Thanks

  HI,
      Generally in production user's should not be given all these authorizations.
  Ram.

• SM30 Field level authorization check

  Hi,
  I have a requirement to add the authorization check in SM30 for the company field in the custom table. Please suggest.
  Thanks,
  Gagan Chodhry

  Hi,
  I have this requirement for both type of tables i.e. custom as well as standard. Tables has got field profit center.. I need to show the table based on the loggedin user authorization to the profit center.
  If it is a custom table then as mentioned by Siva, there is a way I heared that we can check the authorization in PAI event, but when I tried to do a small test, I could get the field symbol with the values, but I was not able to skip that record for disply.
  If anyone can send the sample or the way to skip the record based on the check.
  Also is there any other way to add the field level authorization to custom and standard tables...
  Thanks,
  Gagan Chodhry

• Cost element group authorization check on controlling area level

  Hi!
  When maintaining cost element groups (KAH1, KAH2, KAH3) is it possible to run an authorization check on controlling area level?
  We have one global chart of account but several controlling areas. When we create a cost element group it is created at chart of account level for all the controlling areas. When someone changes a cost element group it changes in all controlling areas. I cannot restrict user's authorization to be able to change cost element groups only in their own controlling area.
  Is it possible somehow?
  Thanks for your help.

  Hi,
  Like how the global chart of accounts is at the client level, the cost element groups are also independent of the controlling areas.  Infact, the cost element groups are created at the global COA level. 
  In such a case, I don't think it is possible to restrict the authorizations to amend the cost element groups at controlling area level.
  Thanks and Regards,
  Bhuvaneswari.S

• Authorization Check of Multiproviders

  Dear all,
  we have a scenario like this:
  Two Basiscube (A & B) with two authorization objects created in RSSM (AUT_A and AUT_B).
  The assignment in RSSM is like this:
  Cube A checked by AUT_A
  Cube B checked by AUT_B
  No we created a Multiprovider where A and B are assigned to.
  We thought that the authorization check of the underlying Basis Cubes is also carried out in the Multiprovider.  Therfore we thougth it is necessary to assign the user both authorization objects AUT_A and AUT_B to run a query on the MC. Now I found a OSS note (921820) that says:
  "(XIII) For queries on MultiProviders, you must activate the relevant authorization objects for this MultiProvider (in transaction RSSM). The setting for individual basis providers is not relevant."
  For me that would have the following implications:
  We can assign either
  only AUT_A or
  only AUT_B or
  both AUT_A and AUT_B or 
  a new authorization object to MC.
  As long is the authorzation object that is assigned to the MC is also used in the roles the users can run the queries.
  Can anyone confirm this?
  Thanks in advance!
  Thomas

  You will be fine with setting the authorization at the multi provider level as far as the cubes are concerned.
  But you seem to have authorization objects based on info objects. Is that correct?
  If so, then you need to maintain authorization for the objects regardless of how you maintain authorization at the cube level.
  Ravi Thothadri

• Analysis Authorization failed for Multiprovider

  Hi all,
  We are facing an issue pertaining to the Analysis Authorization for a multiprovider. When we attempt to access a query base on a multiprovider, the program complains that it has insufficient authorization. So we did debugging in the customer exit and we realise it fails to populate the rest of the authorization variables in I_step = 0. Base on our initial investigation this only happens on queries on multiprovider, so is there anything I need to set or do to curb this error?
  Many thanks!

  Best solution is to trace the authorization for your issue in ST01.
  Switch on the trace in ST01 and start your work. if you face authoirzation check failed. look into the trace there you will find the logs and authorization failed for your userid.
  And one more thing, have you got anything in SU53 as authorization check failed?
  Hope this would help you.

• Authorization check in LDB PNP

  Hi All,
  I am using logical database PNP in my report program and GET PERNR to fill the infotype tables. Infotype level authorization checks are performed but not Org data level (organizational assignments). The role assigned to me has access to data of specific personnel areas but I am able to retrieve data of all personnel areas (this was maintained in the authorization object P_ORGIN).
  I read the level of simplification should have a value 1 in the authorization object P_ABAP for Org Level authorizations to be performed. I have updated my role but still org level authorizations are not performed.
  Can you please let me know if  any special setting are to be done like in Tcode OOAC or set some flags/parameters in the report program to perform org data level authorization.
  Any information provided will be really helpful.
  Thanks,
  Pavan

  Hi,
  A separate ID was created in an environment similar to production and proper authorization were assigned to it (I mean roles with authorization objcts P_ABAP - level of simplfication 1 and P_ORGIN - restricting based on personnel area). Still Org level authorizations were not performed while using the LDB PNP. Is there anything I am missing?
  Thanks,
  Pavan

• CRM - Process Flow of Authorization Check in Business Transactions

  Hello Folks:
  I have implemented CRM security using Process Flow of Authorization Check in Business Transactions.
  What I have in place:
  CRM_ORD_OP (inactive, don't want access to own documents)
  CRM_ORD_LP (inactive, not using standard org level values Distribution Channel, Sales Group, Sales Office, Sales Organization, and Service Organization.)
  CRM_ACT (active)
  CRM_CMP (active)
  CRM_ORD_OE (active, restricted to display with dummy value ' ' for Distribution Channel
  Sales Group, Sales Office, Sales Organization and Service Organization, as we are not restricting on them)
  CRM_ORD_PR (active and restricted to display)
  Issue:
  Restrictions to display for documents works fine when using CRM backend system and the system throws out a message that you are not authorized to change. But, when i come in through Portals (PCUI), i dont get the display at all and it throws out a message insufficient access authorizations.
  Traces on backend CRM reveal failing on change access for CRM_ORD_LP and CRM_ORD_PR, which we dont want to give out b/c we dont want to provide change for documents.
  OSS notes to SAP have resulted in no results....please advise what is wrong here.
  Thanks
  KT

  Thanks for the Priyanka for the reply, but what you mention is not correct.
  BSP errors are different from what I am refering to.
  The issue is still open...and looks like a SAP bug, which even they havent been able to fix so far.
  Regards,
  KT

• Create authorization check for a report

  Hi,
  I need to create an authorization check for a report. It means that I need to restrict the usage of the report to couple of users ( 'USER1' and 'USER2' ). How can I do that? I did read through a lot of threads regarding this piece got a bit confused and stuck while creating the authorization object.
  Say the report name is ZHR_TIMEABC.
  Can anyone explain how to create an authorization object and how are they tied to the object and call them in the abap code?
  Thanks in advance,
  VG

  Hi,
  Thanks. Here is my understanding, S_C_FUNCT calls a system generated function module to make an authority check. So, if different users say USER1 and USER2 have different authroization levels, defined in their user profile, just adding this piece code will take care of authroization check for the program OR do I need to take care of something else?
  If so, when do we need to create the authorization objects using SU20 and assign the group and follo this process? When do we use this approach ( lot of threads on authority check have mentioned this procedure)?
  Your inputs will be helpful to understand this concept.
  Thanks,
  VG

• Authorization Check on Radio Button

  Hi,
  I have a custom report which has a radio button. Can I provide the authorization on this radio button, meaning only selected no. of users can run this report with radio button checked. I know it's possible through maintaining a list of users in custom table, But I want to check if we can do it using authorization object/group etc...

  Birendra, you're absolutely correct that we need to consider future maintenance efforts. But this is exactly a weak side of the parameter approach that you've suggested. The jet analogy is impressive, but way out of proportion in this case.
  Using authority check command in ABAP code and modifying screen elements is not hard-coding. The parameter approach also requires writing some code, so it has no advantage here.
  Also it requires someone (a Basis admin?) to update the user profile and a table entry that you've mentioned. To use the standard authorizations, only one authorization object will need to be created (although it may even be possible to use another, existing object if it's the same authorization level). It won't take more space or more time to create than an SM30 entry. Updating the roles might be more of a hassle than updating the user parameter, but the difference can hardly be considered significant and it's a one-time thing anyway.
  It is a matter of preference whether to hide a control, disable it or display a message. (By the way, in many standard transactions you'll find that controls or menu options are hidden/disabled based on authorization, so it is nothing exotic.) But I stand by my suggestion of using standard authorization check functionality specifically because it makes the future maintenance easier.
  1) Basis admins most likely already maintain some document regarding the role assignment. It might be actually easier to them to maintain the roles than to keep track of the additional profile parameter and remember it in future.
  2) Imagine years from now you're gone and all the new people are maintaining the system. The user gets a 'no authorization' message and, naturally, contacts a system admin. Again, naturally, admin will check security trace. Now guess what - your parameter thingy cannot be tracked anywhere. No one knows about it and it will take an ABAPer to figure this out.
  With standard approach it will only take a second to run SU53 and a few minutes to resolve an issue by a Basis admin. Additionally, authorization objects have 'where used' button, so it would be easy to check if and where the object is used (e.g. if the report has been changed/deleted it will be easy to spot the 'orphaned' object). With the profile parameter sooner or later someone will have to wonder what the heck it is for and might accidentally delete it. By the way, sometimes users actually have access to their own parameters, so it's not a very secure option either.
  I understand you mean well, but, unfortunately, in my work quite frequently I have to deal with some things that were developed by well-meaining consultants who overlooked some long-term effects of their approach.

• Authorization Check Infotype Header

  Hi all,
  i posted the following threat in HCM Forum, but i think it is also a question for ABAP Forum
  Authorization Check Infotype Header
  Thanks & regards

  1. authorisations in hr cannot be controlled at infotype-header level and/or infotype field level.
  2. If only a few fields of a specific infotype are to be allowed for a user the most efective way of doing it is by way of creating a view for the infotype with only the allowed fields in it.
  3. another way of doing it is by way of a custom authorisation object (potentially) but then again your requirement is not going into explicit details,. so this option is a possibility you may want to do some due diligence on.
  cheers

• Re: Setting Authorization Check in Report Writer

  Hi,
  In ABAP Query or ABAP customized program, it is possible to set authorization object checking.
  In Report Writer, how can I do it?
  <REMOVED BY MODERATOR - REQUEST OR OFFER POINTS ARE FORBIDDEN>
  Thanks
  Edited by: Alvaro Tejada Galindo on Dec 26, 2008 10:59 AM

  Hi Colin,
  I would like to suggest,
  Creating an Authorization object & then using it in the report program is the preffered way.
  I would like to suggest a couple of references, quite similar to your issue,
  [SDN - Reference for using authorization checks at the report level|User authorisation check in ABAP-HR program;
  [SAP HELP - Standard Reference for Programming Autorization checks|http://help.sap.com/saphelp_nw04/helpdata/en/52/6712ac439b11d1896f0000e8322d00/frameset.htm]
  [SAP HELP - Standard Reference for Authorization checks|http://help.sap.com/saphelp_nw04s/helpdata/en/fc/eb3ba5358411d1829f0000e829fbfe/frameset.htm]
  Hope that's usefull.
  Good Luck & Regards.
  Harsh Dave