Authorization check on navigation attribute

Similar Messages

• Authorization Relevant BI Navigational Attribute

  Hello All,
     I have one quick question on auth relevant navigational attributes.
  Say I have characteristics A and B.  B is a nav attribute of A i.e. A__B and is marked auth relevant. 
  Does this means that A will also have to marked as auth relevant and be placed in the RSECADMIN profile along with A__B?
  Thanks

  >    I have one quick question
  I have one quick answer...
  > Total Questions:  6 (6 unresolved) 
  Read the forum rules!
  Thread locked and duplicate deleted.

• Authorization check by Cost centers

  Hello all,
  I developed a report in Report Painter and the requirement is that the users be able to run it only for their own CCtrs - challenge is that we are trying to not use variants, custom transactions and also modifying / checking authorization at at SU01 level.
  Is there any other way to do this and if yes can you pls provide some details.
  Thanks,
  Richa

  hi richa,
  Authorizations with Variables
  Definition
  Instead of using a single value or interval, you can also use variables in authorizations. The Customer Exit is called up for these variables while the authorization check is running. The call is carried out with I_STEP = 0. The intervals of characteristic values or hierarchies for which the user is authorized can be returned here. By doing this, the maintenance load for authorizations and profiles can be reduced significantly.
  Every cost center manager should only be allowed to evaluate data for his/her cost center. Within the SAP authorization standard, a role or a profile with the authorization for the InfoObject 0COSTCENTER equal to ‘XXXX’ (XXXX stands for the particular cost center) would have to be made for every cost center manager X. This then has to be entered in the user master record for the cost center manager.
  Using variables reduces the authorization maintenance workload with the InfoObject 0COSTCENTER equal to ‘$VARCOST’, as well as with the role or the profile, which is maintained for all cost center managers. The value of the variable ‘VARCOST’ is then set for runtime during the authorization check by the CUSTOMER-EXIT ‘RSR00001’.
  Maintaining the authorizations restricts the entries for the values to the length of the existing InfoObject. It is possible, however, to use both limits of the interval. In the example 0COSTCENTER with 4 spaces, the variable ‘VARCOST’ is, therefore, entered as ‘$VAR’ – ‘COST’.
  There is a buffer for these variables. If this buffer is switched on, the customer exit is only called up once for a variable with the authorization check. In doing so, you avoid calling up the customer exit for variables over and over, as well as decreasing performance. If you want to call up the customer exit each time, you have to deactivate this buffer in the Setting Up Reporting Authorizations. To do this, go to the main menu and choose Extras  ® Compatibility  ® Buffer for Variables (Customer-Exit)  ® Deactivate..
  You can also call up the customer exit for authorizations for hierarchies. There are two ways to do this:
         1.      Enter the variable in the authorization for characteristic 0TCTAUTHH. The customer exit is then called up while the authorization check is running. In the LOW fields of the return table E_T_RANGE, the system anticipates the technical name for the hierarchy authorization that you specified in the authorization maintenance (transaction RSSM).
  As a result, all parameters are available for such an authorization. Nevertheless, you must also create a new definition for each node.                                    
         2.      Where many authorizations differ from an authorization for a hierarchy only in respect to the nodes and not to the other authorizations, we suggest the following solution: Different users can be authorized for a specific hierarchy area (subtree). The highest node is different for each user.                                          
  Do this by creating an authorization for a hierarchy in the transaction RSSM and enter this in the authorization or role. Instead of specifying a particular node, you specify the variable in the authorization maintenance (transaction RSSM). The customer exit is then called up for the node while the authorization check is running. The return table E_T_RANGE must be filled according to the customer exit documentation (nodes in the LOW field, InfoObject of the node in the HIGH field
  Setting Up Reporting Authorizations
  Use
  Before you are able to set up reporting authorizations, you have to create authorization objects.
  As soon as an authorization object is saved, it can be checked when a query is run. The user may not have the appropriate authorizations if he or she has not yet been assigned this authorization object.
  Only when the user has been assigned the appropriate authorizations can he/she define and execute a query or navigate in an existing query.
  If in the query a characteristic value or a node is excluded, a complete authorization check “*” is required.
  Procedure
  Creating an authorization object
         1.      In the SAP Easy Access initial screen of the SAP Business Information Warehouse, choose the path SAP Menu ® Business Explorer ® Authorizations ® Reporting Authorization Objects.
         2.      Choose Authorization Object ® Create. Give the authorization object a technical name and a regular name. Save your entries.
         3.      On the right-hand side of the screen, an overview of all the InfoObjects that are authorization-relevant is displayed.
  Only those characteristics that have been flagged as authorization-relevant previously in the InfoObject maintenance screen can be assigned as fields for an authorization object. See also: Creating InfoObjects: Characteristics
         4.      Assign the InfoObject fields to the authorization object:
  ¡        Select the characteristics for which you want an authorization check of the selection conditions to be carried out.
  ¡        Select the InfoObject key figure (1KYFNM) if you want to restrict the authorization to a single key figure.
  ¡        Select the InfoObject (0TCTAUTHH) if you want to check authorizations for a hierarchy.
  ¡        Include the authorization field activity (ACTVT) in the authorization object if you want to check authorizations for documents.
         5.      Save your entries.
         6.      Go back to the initial screen of the authorization maintenance.
         7.      Choose Check for InfoProviders ® Display to get a list of the InfoProviders that contain the InfoObjects that you selected and are therefore subject to an authorization check (where-used list). In the change mode you can exclude individual InfoProviders from the authorization check for this authorization object by removing the flag.
  Authorization object:           S_RSRSAREA
  Name:                   Sales area
  Fields:                         DIVISION, CUSTGROUP, 1KYFNM
  Creating authorizations
  Authorizations are created and maintained in the role maintenance screens.
         1.      Choose Authorizations ® Roles ® Change.
         2.      Specify the roles that you want to change and choose Change. This takes you to the role maintenance screen.
         3.      On the Authorizations tabstrip, choose the Expert mode for generating profiles option.
         4.      Choose the Enter Authorization Objects Manually option, and specify the objects that you require. Choose Enter. The authorization object is added to the role.
         5.      Choose Generate.
  For more information, see Changing and Assigning Roles.
  Result
  The user is now able to work with queries
  Authorizations to Work with a Query
  Use
  Authorizations to work with a query are first checked in the dialog box to open a query.
  Furthermore, when a query is opened, the authorizations for the individual objects are checked.
  See also: Authorization Check When Executing a Query..
  Structure
  Check in the Open Dialog Box:
  When you open a query, you will see four buttons in the dialog box. The History, Favorites and Roles buttons only display your own queries and those queries intended for you per role definition.
  The InfoAreas button enables you to look at all queries for which the user has display authorization. If this display authorization is not restricted to queries, the user will see all available queries in the system here. It is possible to hide the InfoAreas button if you do not want the user to see all queries in the system. The authorization object S_RS_FOLD with the field SUP_FOLDER can be used here. In order to hide the InfoArea button, set this field to X when authorizing, otherwise leave the field blank “ “ or set it to * (asterisk – all authorizations).. The button will be displayed if the authorization check fails.
  Authorizations by User
  It is also possible to make queries from particular users (= OWNER = query creator) available to other users (= USER) for display or processing. The authorization object S_RS_COMP1 with four fields (COMPID, COMPTYPE, OWNER, ACTVT) is used here.
  You can grant this authorization to a particular team or use the variable $USER to give all users the authorization for queries that they created themselves. $USER is replaced by the corresponding user name during the authorization check.
  See also the Example for Reporting Authorizations.
  Authorizations for the BEx Broadcaster
  Using the authorization object S_RS_BCS, you can determine which user is allowed to register broadcasting settings for execution and in which way.
  Note:
  ·        The only authorization necessary for the online execution of broadcasting settings is the authorization for the execution of the underlying reporting objects (for example, the Web template).
  ·        Every user that has authorization to create background jobs also has authorization for direct scheduling in the background.
  ·        If you need to work under the name of another user to execute broadcast settings (for example with user-specific precalculations), the authorization object S_BTCH_NAM for background scheduling is also required for the other user. For more information, see Authorizations for Background Processing and Definition of Users for Background Processing
  Authorizations for Selection Criteria
  Definition
  The selection criteria of a query determine which data can be displayed after you have entered it in a workbook.
  An authorization check for certain InfoObjects only takes place if an authorization object with this InfoObject was already created in the authorization object class Business Information Warehouse.
  As soon as an authorization object is created, only authorized users can select query data.
  Use
  To decide whether a user should be authorized to work with a query, you should check whether authorization has been given to him/her for all selection criteria.
  Essential to the authorization of selection criteria is the authorization object S_RS_ICUBE.
  Definitions of authorizations for working with certain InfoCubes must be transported separately.
  See: Transporting Additional Information
  In general, it is not sufficient to give authorizations for individual InfoObjects (characteristics and key figures), or to check them separately from one another. It more usual that specific authorizations should be given for combinations of characteristics and key figures.
  It is therefore feasible that a "Sales Manager" is allowed to view the respective total sales figures for all sales areas, but is only authorized to break down "his/her" area (0001) according to the individual sales personnel. In this case, the following authorizations, which are grouped together, would be created and assigned.
  Sales area = *
  Sales personnel = :
  Key figure = Sales figures
  (‘:’ represents the authorization to view the values aggregated with the characteristic.
  Sales area = 0001
  Sales personnel = *
  Key figure = Sales figures
  The user frequently uses these "multidimensional" authorities in companies that are regional as well as product-oriented (matrix organization). In this way, you could arrange for the person responsible for the combination of a certain division and a certain sales area to have the exact authorization for the output of the relevant values, without him/her necessarily also having access to the data for the whole division or the whole sales area.
  Authorizations for the Query Definition
  Authorizations can be granted for the following objects for the query definition in the Business Explorer:
  The entire query
  Structures
  Calculated key figures
  Restricted key figures
  Variables
  The activities for the query definition are specified in the authorization object S_RS_COMP (Business Explorer - components). The authorization object has the following fields: InfoArea, InfoCube, component type, component name and activity.
  The following values are possible for the component type:
  REP: Entire query
  STR: Structure
  CKF: Calculated key figure
  RKF: Restricted key figure
  VAR: Variables
  By specifying an InfoArea or an InfoCube, you can further restrict the component types. By specifying a component name, you can specify the authorization for individual components in more detail. Components that begin with 0 are delivered by SAP and cannot be changed. Components that are within the customer name range must begin with a letter of the alphabet.
  Valid activities are:
  01 (create)
  02 (change)
  03 (display)
  06 (delete)
  At the moment, activities 16 (Execute) and 22 (Save for Reuse) are not checked for the query definition.
  User A is allowed to create, change or delete queries beginning with A1 and A6 within InfoArea 0001 in InfoCube 0002. In addition, the user is allowed to change the calculated key figures and structures (templates) already defined in this InfoProvider.
  Related authorizations for user A:
  InfoArea: ‘0001’
  InfoProvider: ‘0002’
  Component type: ‘REP’
  Component Name: ‘A1’, ‘A6’
  Activity: ‘01’, ‘02’, ‘06’
  InfoArea: ‘*’
  InfoProvider: ‘0002*’
  Component type: ‘STR’, ‘CKF’
  Component name: ‘*’
  Activity: ‘02’
  Authorizations for Display Attributes
  Definition
  Authorization-relevant display attributes are hidden in the query if the user does not have sufficient authorization to view them.
  Use
  For characteristics:
  The user needs to have complete authorization (*) to see the display attribute in the query.
  For the characteristic 0EMPLOYEE, the 0EMPLSTATUS attribute is authorization-relevant. Only users with authorization "*" for 0EMPLSTATUS can display the attribute in the query.
  For key figures:
  Key figures cannot be marked as authorization-relevant. To use this function nonetheless for key figure attributes, the system checks against meta object 1KYFNM. For this, the user requires authorization for the field 1KYFNM in the authorization object.
  The key figure attribute 0ANSALARY is contained in the 0EMPLOYEE characteristic.
  If the user has the 1KYFNM field in his or her authorization object, and authorization "*", he or she can display all key figure attributes.
  If the user has the 1KYFNM field in the authorization object and the 0ANSALARY key figure as a value of the authorization, he or she can only see this key figure attribute. If the user is not supposed to see this attribute, do not give the authorization "*" but only assign the key figures for authorization that are to be displayed.
  Authorizations for Navigation Attributes
  Use
  During authorization checks for navigation attributes, it is always the characteristic that is being used as a navigation attribute that is checked.
  Integration
  If referencing characteristics are used as navigation attributes, authorization for the basic characteristic is checked. You should, however, change this logic so that the referencing characteristic is checked for instead. In the maintenance screen for reporting authorizations, choose the following path from the main menu Extras  ® Compatibility  ® Navigation Attributes ® Switch Off.
  This function exists for reasons of compatibility. The authorization logic of referencing characteristics worked differently with the beginning of Release BW 2.0. From BW 2.0, Support Package 20 and in all of the releases that follow, for referencing characteristics as well, the authorization for exactly this characteristic (and not the basic characteristic, as was the case previously) is checked.
  Example
  In the query, you use characteristic A with the navigation attributes A__B and A__R. Characteristic R references characteristic B. For these navigation attributes, authorization for the basic characteristic B is checked. If you switch off the compatibility for navigation attributes option, B is checked for A__B, and R is check for A__R.
  Maintaining Authorizations for Hierarchies
  Use
  Authorizations for hierarchies determine up to which subarea of a hierarchy a user may drilldown.
  Prerequisites
  Before you can set authorizations for hierarchies, you must first transfer and activate the InfoObject 0TCTAUTHH from the Business Content. Make sure that the indicator Relevant for Authorization is set. You must also create an authorization object for which you want to set the authorization.
  Authorization for a hierarchy on the Profit Center characteristic (0PROFIT_CTR):
  Define an authorization object with 0PROFIT_CTR and 0TCTAUTHH.
  Example: You define a hierarchy for the basic characteristic B. For characteristic B there is a referencing characteristic R. If you use this hierarchy for characteristic R in the query, authorization for the basic characteristic B is checked. However, you can change this logic so that characteristic R is checked for instead. In the maintenance screen for reporting authorizations, choose the following path from the main menu Extras ® Compatibility ® Ref. Characteristics with Hierarchy ® Switch Off.
  You need the characteristic 0TCTAUTHH to specify the hierarchy in the authorization. If you add this characteristic to an authorization object, you can specify authorizations for hierarchies for all InfoObjects in the authorization object.
  Procedure
         1.      In the SAP Easy Access initial screen of the SAP Business Information Warehouse, choose SAP Menu ® Business Explorer ®Reporting Authorization Objects.
         2.      Choose Authorizations ® Authorization Definition for Hierarchies ® Change.
         3.      In the Definition, select the InfoObject, hierarchy and node.
  If there are several users who are authorized to work with just one part of a hierarchy (subtree) but the top node is different for each, you have the option of specifying a variable instead of a node.
  See also: Variable Types
  Instead of selecting a node, you can also set the Top of hierarchy indicator. This enables you to ensure that a user is authorized to use a hierarchy from the top node down to a determined level.
  You can select the top node here. However, if the hierarchy is being used in a query without a filter on this node, the user will not be able to execute the query.
  This is because the top-most visible node does not represent the actual top of the hierarchy. As, for example, there are other Remaining Leaves, there should always be exactly one internal node at the top of the hierarchy. Therefore, there is one internal node above the top-most visible node. If the hierarchy is used in a query without the top-most node being determined, it is compared with this unseen, internal node. So that the user has the correct authorizations, select the internal top of the hierarchy for this option.
         4.      Select the authorization type:
  ¡        0 for the node
  ¡        1 for a subtree below the node
  ¡        2 for a subtree below the node up to and including a level (absolute)
  You must define a level for this type. A typical example of an absolute level is data protection with regard to the degree of detail of the data (works council ruling: no reports at employee level only at more summarized levels).
  ¡        3 for the entire hierarchy
  ¡        4 for a subtree below the node up to and including a level (relative)
  You must specify a level that is defined relative to the node for this type. It makes sense to specify a relative distance if an employee may only expand the hierarchy to a certain depth below his or her initial node, but this node moves to another level when the hierarchy is restructured.
         5.      For types 2 and 4 you can specify, in Hierarchy Level, the level to which the user can expand the hierarchy.
  ¡        With authorization type 2 (up to and including a level, absolute) the level refers to the absolute number of the level in the hierarchy where the top-most node of the hierarchy is level 1.
  ¡        With authorization type 4 (up to and including a level, relative) the level number refers to the number of levels starting from the selected node itself which is level 1.
         6.      In the Validity Area you specify in exactly which ways a hierarchy authorization has to match a selected display hierarchy for it to be included in the authorization check.
  ¡        Type 0 (very high) : The name, version and key date of the hierarchy on which the hierarchy authorization is based have to agree with the selected display hierarchy.
  ¡        Type 1: The name and version of the hierarchy on which the hierarchy authorization is based have to agree with the selected display hierarchy.
  ¡        Type 2: The name of the hierarchy on which the hierarchy authorization is based has to agree with the display hierarchy.
  ¡        Type 3 (lowest) : None of the characteristics have to match.
  Note that in some circumstances, setting a check level that is too low may lead to more nodes being selected using hierarchy node variables that are filled from authorizations, than actually exist in the display hierarchy for the query. This can cause an error message.
  As a general rule, select the highest possible level for the check.
         7.      If you set the Node variable default value indicator, this definition of an authorization for a hierarchy is used as the default value for node variables.
  If more than several authorizations are assigned to a user for different subareas of the same hierarchy, one of these authorizations has to be defined as the default value. Only one node can be selected for a node variable on the variable screen of a query. So that this variable can be filled from the authorizations, the correct variable type has to be selected and an authorization has to be determined as the default value.
         8.      Specify a technical name for this definition. If you do not enter a value, a unique ID is set.
         9.      Now create an authorization for the new authorization object. To do this, enter the technical name of the definition as a characteristic value for the characteristic 0TCTAUTHH. Hierarchy authorizations and authorizations for characteristic values are added:
  ¡        Specify the value ‘ ‘ (a blank character) as a characteristic value if only hierarchy authorizations are to be in effect. If you specify more values these are authorized additionally.
  ¡        Specify the value “:” (a colon) when queries are also allowed without this characteristic.
  The value '’ (all characteristic values) is not supported for the characteristic 0TCTAUTHH. Nevertheless, if you specify the value ‚’ a ‚:’ is automatically generated instead because no other valid value is found.
  If you would like the user to be able to see all values and hierarchies for a characteristic, use the value '*' for this characteristic.
  If you use a drilldown hierarchy in the query, you restrict the highest node by a fixed node or a node variable.
  Definitions of authorizations for hierarchies must be transported separately. See: Transporting Additional Information
  Alternative Procedure:
  Manually Maintaining Reporting Authorizations
  Use
  You usually maintain authorizations in the role maintenance. However, in exceptional cases it could be more practical to create authorizations manually. This is the case if you have to assign every user his/her own role.
  Prerequisites
  Reporting authorization objects have been created.
  Procedure
  Assign Authorization Objects
         1.      In the SAP Easy Access initial screen of the SAP Business Information Warehouse, choose SAP Menu ® Business Explorer ® Authorizations ® Reporting Authorization Objects.
         2.      Choose Authorizations ® Authorizations for Several Users. Enter an interval and choose Change.
         3.      Select a characteristic from the left side of the screen. You can then display master data as a list or as a hierarchy. The right side of the screen shows you a list of all the selected users with the authorization profiles and roles you assigned.
         4.      You can now use Drag&Drop to assign additional authorization objects to the user.
         5.      Choose Generate authorizations. The system creates the authorizations and assigns them to the users.
  Assigning Authorizations for Hierarchies
  You can also make authorizations for hierarchies in the same transaction.
         1.      Select a characteristic.
         2.      You can use the context menu on the authorization object to determine up to which hierarchy level the authorization should apply.
  You can currently select exactly 1 level for each hierarchy and user.
         3.      Choose Generate authorizations. The system creates the authorizations and assigns them to the user.
  Result
  The system has created individual authorization profiles.
  thanks
  karthik
  reward me ipoints if the above is usefull to you

• Navigational Attribute Authorization

  Hello,
  We have a requirement to turn on the authorizatiorelevant flag for number of navigational attributes in a master data. 
  After turning on the flags we have created an analysis authorization object and included the navigational attributes with :.
  We were expecting the report to return with no data. 
  Security tracing did not show any authorizty check against the navigation attributes which were turned on as the athorizatiorelevant on the master data.
  The Master data is authorization relevant however the individual navigation attributes are not authorization relevant objects.
  Do I need to turn the authorization relevant flag for individual nav attributes on their own maintenance screen?

  Hi,
  Check whether this doc helps
  http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/7052dee3-bce5-2d10-5299-cd5d00ebeb72?QuickLink=index&overridelayout=true
  The Authorization at the Navigational attribute will restict the data for that attribule at the report level.
  You can restrict that Nav Attr specific to  InfoProvider, Roles etc.
  Thanks & Regards,
  Vishnu

• Not able to check navigation attribute in Multiprovider

  Hi Gurus
     I am trying to check the navigation attribute in the multiprovider which is built against Infoobject, ODS, & Infoset. I am not able to do it bcoz it is grayed out in the multiprovider.
  I checked in the infoobject definition, there it is turned on navigation.
  FYI, i am using version 3.1C
  Please help me out.
  Thanks
  Sansen.

  Hai San,
  If you want to make the object under Navigational in the multi provider that object should come from Cube(Possible).
  If you want to bring that object under navigational through Infoset(not Possible).
  Regards,
  Vijay

• Authorization check without using variable of type u0093Authorizationu0094

  In WEB-reporting we want to authorize on a navigational attribute without using the variable of type
  “ Authorization”. Why would we do this?
  1. In a lot of queries we have to replace the existing variable of type “User entry” to a variable of type “Authorization”. We would like to avoid this work.
  2. When the variable is not ready for input the Report will always include all the characteristic values for which the user is authorized. We don’s want this.
  3. When the variable is ready for input on the selection screen all the authorized values are displayed and the user is able to select / deselect the values he/she wants to report. In case of a lot of authorized characteristic values the screen does not appear user-friendly.
  What we want is a behavior like some parts of R/3. For example: Controlling Area X consists of the Costcenters C1000, C2000, C3000, C4000, C5000 and C6000. A particular user has authorization for Cost centers C1000, C3000 and C5000. When running a ABAP-report with Cosctcenters the user is able to select certain Costcenters. Three possibilities:
  1. The user selects Costcenter C1000, C3000 and / or C5000: the ABAP reports the selected Costcenters.
  2. The user selects Costcenter C2000, C4000 and / or C6000: the ABAP gives an error-message: “no authorization”.
  3. The user does not select any Costcenters: the ABAP reads all the Costcenters and reports – on the basis of the users authorization – only Costcenters C1000, C3000 and C5000.
  In term of BW: we would like to introduce authorizations for a specific InfoObject which is used as an navigational of an other InfoObject. In the queries a variable is used of the type “User entry”. The user can select one or more values on the selection screen; an authorization check is fulfilled. He may – however – choose to leave the selection field empty; in this case the OLAP processor should report only the authorized values (in our case the last situation results directly in an error-message “no authorization”).
  Anyone has a suggestion?
  Thx in advance,
  Henk

  If you change the variable to type exit, and user input enabled, you can then build your logic in the user exit.
  If users have entered unauthorised values, it will be checked (by the system??). If this assumption is correct then all you need to do in your exit is to continue with the values entered by the user; and in case user has entered no values, populate the variable with values valid for the user (by reading the user authorization and corresponding charactertistics values and moving these to the variable).
  --> Adding further
  Since the authorization will not be checked by the system (I missed that these are not of authorization type variables), user exit will need to do this check. The logic for doing authorization checks / error messages / restricting based on authorizations - will have to be done in the user-exit.
  cheers,
  Message was edited by: Ajay Das

• InfoSET - Characteristic restriction by navigational attribute.

  Created an infoset on 3 ODS's
  Checked the navigational attributes i wante in ODS. (eg 0country as attribute from ZVENDOR)
  When building the query it is not possible to have the field as a navigational attribute,only as attibute.
  When I want to use it as navigational attribute I have to add it to the ODS.
  Only then it is available as Navigational attribute in the query.
  When I Add ZVENDOR in characteristics restrictions and create a variable with replacement path "Attribute value" I get the message Replace variable with INFOOBJECT.
  "Value 'I' is invalid for property 'Replace Variable With' of element 'ZVENDOR_ATTR'"
  Define a valid value for property 'Replace Variable With' of element 'ZVENDOR_ATTR'
  How do I resolve this variable error ?

  navigational attributes are not visible in infoset, you need to include those nav-attrubetes physically in to your ods-data part to be able to navigate/filter.

• Need help on Authorization on Navigational Attribute.

  Hi All,
  I am working on Authorizations.
  I am using the info Object "Material group" which is the Navigational Attribute of 0MATERIAL.
  In Reporting, I have created the Authorization Variable for Material group.
  And after this, i have created the Authorization Object in RSECADMIN and added the info Object "Material group" and harded coded the value as "1000". After this, i have created the Authorization Role in PFCG and added this authorization Object over there.And this role is assigned specific User.
  While Running the report on specific User, for Material group, filteration is not happening over there (Material group = 1000). It is showing all values for this user.
  Can you please help on this issue.
  Thanks,
  Shahina A

  Thanks for your reply. I was on leave for the past 2 days. I have checked as you suggested.
  In 0MATERIAL, 0MATL_GROUP is the attribute and i have made Authorization Relvent for this Attribute.
  And i activated the Info object 0MATERIAL.
  Then i have run the query in RSRT and found an error while running the Report.
  Can u pls help on this issue.
  Diagnosis
  The system determined the authorized characteristic values for the characteristic 0MATERIAL__0MATL_GROUP. It determined that you do not have the (analysis) authorization to view transaction data for any characteristic values or range.
  System Response
  If this situation occurs when a variable is being filled, the query cannot be executed.
  Procedure
  You must have authorization for at least one characteristic value for the characteristic 0MATERIAL__0MATL_GROUP.
  Create the appropriate analysis authorizations for the user.
  If you are only authorized for evaluations that aggregate using the characteristic 0MATERIAL__0MATL_GROUP (for ":" authorizations), use a query without this characteristic. If the characteristic is not used as a filter or in the drilldown, variables should not be used.
  Procedure for System Administration
  Notification Number EYE 018 
  Thanks,
  Shahina A

• Authorization for navigational attribute

  Hi Gurus,
  I am facing an authorization issue with respect to infoobject hierarchy. I have created authorizations as below.
  There one infoobject 'A' and a navigational attribute 'B' in infoobject 'A'. This navigational atribure A_B is used in an infocube.  And hierarchy is uploaded to Infoobject 'B'. Now I want to give authorization for this hierarchy in infoobject 'B'.
  Now coming to authorization.
  1. I have made Infoobject 'B' as authorization relevant in Business explorer tab.
  2. Created authorization object say ABC in RSSM and inculded infoobject 'B' & 0TCTAUTHH (since I want to authorize the hierarchy and we are using 3.5 authorization concepts in BI 7.0).
  3. Activate this authorization object for the infocube.
  4. Included this authorization object in the role included for my user. In the field 'B' of authorization object I have given ' ' (space) and in the field 0TCTAUTHH I have given the technical name of the hierarchy.
  4. In 3.5 query designer I have put this navigational attribute A_B in the filter area and activated the hierarchy in the properties tab for the same hierarchy that I inculded in previous step.
  5. Created a variable with processing type authorization.
  Now when I run this report I get an error as no authorization for object ABC.
  Can someone help me if I have done anything wrong.
  Thanks,
  Sandeep

  Hi,
  In the infoobject A maintenance screen check the chekc box for field "AuthorizRelevant" for B to make it authorization relevant navigational attribute.
  Then go to RSECADMIN and ope your relevant authorization.
  In the menu bar just above the "Authorization Structure" you will find the button with icon of infoobject.
  Chick on this icon this will give you a screen to enter characteristic name of which attributes are to be added to authorization.
  Enter the infoobject A name here and click on continue.
  This will give you list of all authorization relevant navigational attributes present for A.
  Add B from this list to the authorization.
  Hope this helps.
  - Geetanjali

• Analysis Authorization on Navigational attribute

  Hi All,
  We are using RSECADMIN (BW 7.0), I want to know whether its possible to make a navigational attribute - ZPAYE_SA__0SALES_OFF - to authorization relevent. The object (ZPAYE_SA) with this is associated is not an authorization relevent.
  Even if I am able to make it authorization relevent is there any other setting changes to be done for it to work properly.
  Regards
  Deepesh

  Hi Deepesh
  First need to check Authorization relavent check box for navigational info object "ZPAYE_SA__0SALES_OFF"
  Tcode RSA1 --> Info Object --> Find "ZPAYE_SA" ---> Attributes tab ---> Detail/Naviogation Attibute --> Authorization Check box in front of "0SALES_OFF".
  Goto to RSCEADMIN
  Create a Authorization object and maintain this navigation attribute "ZPAYE_SA__0SALES_OFF"
  Pls let me know incase of further details
  Best Regards
  Rohit

• Authorization on Navigation Attribute

  Hi experts,
  i'm faced with a problem. I have a navigation attribute in my data model which is authorization relevant. The problem is that the basic characteristic is not authorization relevant. I am not able to make my setting in the analyse authorization as the basic characteristic is not authorization relevant. The basic characteristic is used in some other projects so that i am not allowed to make this characteristic an an authorization relevant one.
  Has anyone an idea how to solve this problem?
  Thanks all in advance.
  Best Regards,
  Ali

  You did not mention what BW version you are on.  This scenario is allowed in 7.0 Analysis Authorizations, but is not allowed in 3.x 
  In 7.x you can make any navigational attribute authorization relevant on the Attributes tab in RSD1, and the base characteristic does not have to be authorization relevant.
  What problems are you having?

• How to check Navigational attribute in Planing book?

  we have 5 characteristics and 1 navigational attribute in our MPOS.
  after loading data into PA and checking planning book, I do not see navigational attribute in the planninng book selection window. on the left side object selection and drill down my planning book shows only 5 charactercis and not the navigational attribute..
  how can I view data in the planning book using navigation atttribute as a selection? Thx
  Edited by: SCM0925 on Jul 27, 2010 10:06 PM

  My infocube shows  that nav attr field  is populated with the values. but for some reason nav attribute is not shwoing up in the planning book. any reason do u guys think of?
  CVC shows that nav attribute field
  infocube shows nav attr field and values
  but planning book doesnot show that attrbute.. only its shows chars
  Edited by: SCM0925 on Jul 28, 2010 2:32 AM

• Reporting Authorization - InfoObject/Navigational Attributes

  We have a custom infoobject for Vendor to which access needs to be controlled. Certain users are not supposed to have access to a number of the navigational attributes on the object however we want these users to have access to all other navigational attributes (meaning we don't want these 'fields' to be visible but everything else). We have other reporting authorization objects that prevent access to the entire 'record' if the user is not authorized for a certain value (cost center, etc.).
  Thanks.

  Hi Joerg,
  navigational attributes are treated like characteristics. You can make them authorization relevant and restrict access, e.g. by granting ":", which allows to see overall results without details on this attribute.
  Regards, Klaus

• WAD - Navigation Attribute authorization

  Hello Expert,
  I have created a WAD report containing analysis and two dropdown items.
  One filters a characteristics (profit centrum) and the other one filters navigation attribute of the same characteristics (resp. person of PC). Both the caracteristics and the attiribute are marked as authorization relevant.
  If I run the report under my account having profile SAP_ALL and analytical authorizaction 0VI_ALL the reports works as it should. But if I run it under a test account that has a role ZBI_BEX_ENDUSER that should contain all sufficient authorizations to run any report and analytical authorization 0BI_ALL then the report runs also OK,  just the dropdown with the navigation attribute (responsible person) is disabled (greyed out) with a text "no data". The other dropdown (PC) works fine.
  The navigation attribute is even included in the analysis and all the values are displayed there and I can even filter on it and then the filtered value is populated into the previously disabled dropdown list.
  Since I do not see any difference between the two users beside the authorisation I reckon that the issue must be somehow authorization related but I cannot find how.
  Can anyone help?
  Regards
  Jiri

  Hi Haran,
  You have to consider in ABAP code of user exit variable this:
  In a DSO you alreay have the user name and vaules, which he is allowed to see. Just go into this DSO and read the entries from DSO with user ID as selection criteria. Example:
  USERID     PLANT
  XY     1000
  XY     2000
  YZ     3000
  DSO name: ZOPLANT
  iKey fields in DSO: UserID & Plant
  Abap code would look like: select plant from /bic/azoplant00 where userID = sy-uname.
  I hope this helps.
  Aban

• Navigation attributes authorization

  Hi,all
  In NW2004s new auth concept allows to create auth for nav attributes as for chars. But! We have situation when one char is used as nav attribute in several chars. I.e. Char A, used in B__A, C__A and D__A. Is that nesesary to create auth for every nav attr use, or maybe there is a setting not to use nav attrs separately.
  I'm afraid, it can be difficult to administer such situations.

  Hi Emerald,
  maybe an approach to resolve some irritations.
  Let consider your scenario, one char is used as nav attribute in several chars. i.e. Char A, used in B__A, C__A and D__A.
  If you want to protect the usage of the characteristic A as navigational attribute in the characteristics B, C or D, you have to set the flag 'Authorisation relevant' in the attribute section of the respective characteristics B, C or D (which means up to 3 flags and corresponding 3 authorisations).
  If you want to use the characteristic A in its on right in an InfoProvider, you have to set the flag 'Authorisation relevant' in the InfoObject maintenance of characteristic A.
  If I have stated something different in my previous replies, please neglect them.
    Cheers
      SAP NetWeaver BI Organisation