Authorization  for Report Execution

Similar Messages

• Do we have any option to set time limit for report execution

  Hi Experts,
  Please Could any one clarify is there atime  limit to set  for report execution and if it crosses the limit it wud not display a data,
  Thanks in advance
  Nitya

  Hi,
  Basis should be help you in timeout settings on various cases. Time out setting while execution from portal is there.
  Regards,
  Akshay

• Object level authorizations for reports

  HI
  I have 20 charactesr in cube , around 15 have navigational attributes.
  i need to give authorizations for 5 objects only .( navigational attributes).
  i have 10 reports, i need 2 reports only authorizations relavant.
  if i restrict 5 objects authorizations , its effect all queris? in this scenerio i need to create 2 cubes?
  ple let me know

  hi suneel,
  As you said you require authorization for 2 reports, you can restrict those Infoobjects with the authorization variables and in the other 3reports use that object but do not restrict to the authorization variables..
  So, the user will be able to see whole data for 3 reports where authorization is not used.
  Hope it is clear.
  Thanks
  Lavanya

• Authorizations for Tcode Execution

  Hi. 
  I understand that users assigned a particular Tcode eg. PFCG might not be able to execute this Tcode if he is not assigned the corresponding Authorization object and related activity field values for the PFCG transaction to work.
  One tedious method of verifying that the user does indeed have authorization is to require the user to login and execute the transaction PFCG itself.
  Is there a faster way for the Administrator to check if the end-users does have the relevant authorizations/authorization_objects to support the execution of a tcode PFCG? This applies to all other tcodes.
  Thank you very much.

  Hi Chong,
  SAP delivers the tables USOBX and USOBT.
  Table USOBX defines which authorization checks are to be performed within a
  transaction and which not. This table also determines which authorization checks are maintained in the Profile Generator.
  Table USOBT defines for each transaction and for each authorization object which
  default values an authorization created from the authorization object should have
  in the Profile Generator.
  The tables are maintained in transaction <b>SU24</b>. This transaction displays the check indicators of a transaction. Check indicators determine if an authorization check will run within the transaction or not. Any object with CM(Check/Maintain) status will be pulled into PFCG when you add a transaction.
  To check this:
  Enter transaction SU24-->Enter any transaction which you want to check in "Transaction Code"->execute->Display check indicator-->Display field values.
  This would show you the authorzation objects along with there field values which will be pulled into a role when you add a transaction.
  Hope it helps.
  Please award points if it is useful.
  Thanks & Regards,
  Santosh

• Authorization for Report Painter

  Hi,
  we have a report in report painter with Company Code selection. May I know how to restrict the company code selection such that userA will see only company codeA data?
  i see there's an authorization group. may i know how to use the authorization group? may i have the detailed steps? thanks.

  ZL Goay,
  Follow these steps.
  1. Go to T-code <b>SE54</b> there is radio button for authorization group just click it and create. authorization group say ZGOAY
  2. You can assign this to your report painter - go to header information and press F4 you should get 'ZGOAY' there.
  3. Assign this object group to the userA (Get help from Security team or BASIS)
  You may check the table TBRG for auth object and group relation
  reward if useful

• Authorizations for report PC00_M99_CIPE  by field PayrollArea

  Hi experts.
  I have the following requirement:
  I need that by authorization the system allows to the managers of HR execute the  report standard PC00_M99_CIPE .
  only for the employee that have in the infotype 0001 field payroll area the same value that have the manager
  in his role.
  Example :
  Employee1
  Payroll area = A1
  Employee2
  Payroll area = A2
  Employee3
  Payroll area = A1
  Employee4
  Payroll area = A1
  Employee5
  Payroll area = A3
  Employee6
  Payroll area = A3
  When the Manager of HR execute the report, the system just take into account the employee that have Payroll area = A1 and A3 and not the employee with  Payroll area = A2.
  How can do this using roles, if the object P_ORGIN not have the field  Payroll area . I checked the t.code SU24.
  Thank in advance for your help,
  Best Regards

  As far as I understand your issue you require 2 things.
  1. You want to segregate the access to Employees by their Payroll Area.
  2. You require that segregation only for transaction PC00_M99_CIPE.
  As you have mentioned already P_ORGIN does not check the Payroll Area.
  I would apporach that as follows.
  Solution for number 1.
  A new Authorisation Object is required which will allow to check the Payroll Area. That can be done in transaction SU21. If you haven't created any object class in the customer naming space before I suggest you create a new customer object class first. That is what looks like a folder and than you create in that object class a new Authorisation Object which has the field Payroll Area.
  You than assign the new authorisation object to the manager roles and just give them access to their payroll area.
  Solution for number 2 (enabling the new Authorisation Object).
  That will require some ABAP development. However you will get away without any modification. SAP has provided a BAdI to get that working.
  Lets step through that:
  You will need to implement SAP BAdI Definition HRPAD00AUTH_CHECK. BAdIs can be implemented with transaction SE19.
  When implementing the BAdI you must ensure that you always call the SAP standard. If we do not do that the SAP HR standard checks will not work.
  Therefore when you implement the BAdI do the following.
  - Create a class attribute in the implementing class of the BAdI. The attribute is a reference to the SAP standard authorisation class. The attribute should have Type : TYPE REF TO CL_HRPAD00AUTH_CHECK_STD
  - Create a Class Constructor in the implementing class of the BAdI. The class constructor should now create an instance of the SAP standard authorisation class. That instance is the attribute you have declared before.
  - Now you go through ALL the methods. In every method you must check first if your class attribute is not initial otherwise create an instance of the SAP standard authorisation class (That instance is the attribute you have declared before and should normally exist as result of the Class Constructor). Than you call the Interface Method of the SAP standard authorisation class. The interface method must have the same method name in comparison to the method you are working on.
  - If that has been done in ALL methods SAP standard is working again.
  Now the ADD ON for the new authorisation object.
  - Go in METHOD IF_EX_HRPAD00AUTH_CHECK~CHECK_AUTHORIZATION of the BAdI implementation.
  - After the call of the standard authorisation check at the end of the method you add your code for the new authorisation object.
  - First check the SY-TCODE is equal to PC00_M99_CIPE
  - now Read Infotype 0001 of the employee which is passed in the BAdI Method as import parameter.
  - Call the authorisation check (use the pattern function in the ABAP editor) for your new authorisation check. You pass the payroll area of the employee which you will have retrieved in the previous step.
  - check the SY-SUBRC after the authorisation check.
  - if SY-SUBRC is not initial, clear the Method export parameter IS_AUTHORIZED.
  Hope that helps.
  Best regards
  Karsten
  I
  Edited by: Karsten Arold on Jul 25, 2010 12:12 PM
  I have created a documentation with screen shots on how to do it.
  Please follow the link. http://www.mediafire.com/file/k6r4yb862w7revi/Creation of a new HR Authorisation Checks.pdf

• Authorizations for report by field PayrollArea

  Hi experts.
  I have the following requirement:
  I need that by authorization the system allows to the managers of HR execute the  report standard PC00_M99_CIPE .
  only for the employee that have in the infotype 0001 field payroll area the same value that have the manager
  in his role.
  Example :
  Employee1
  Payroll area = A1
  Employee2
  Payroll area = A2
  Employee3
  Payroll area = A1
  Employee4
  Payroll area = A1
  Employee5
  Payroll area = A3
  Employee6
  Payroll area = A3
  When the Manager of HR execute the report, the system just take into account the employee that have Payroll area = A1 and A3 and not the employee with  Payroll area = A2.
  How can do this using roles, if the object P_ORGIN not have the field  Payroll area . I checked the t.code SU24.
  Thank in advance for your help,
  Best Regards

  HI,
  Check how the payroll area is defaulted in feature "ABKRS".
  Include the PA/EG/ESG in P_ORGIN for the employee.
  Also check if any structural authorizations are there or not.
  Still if this doesnot resolves user TCODE -su53 after executing the report.
  -Param

• BW 3.5: flexible Authorizations for reporting

  Hi Experts,
  I am looking for a solution for flexible reporting authorizations.
  The background:
  There are lots for Profit Centers in our system. Currently, we have created lots of Roles/Profiles which include fix values defined to limit access for users. The maintenace effort is getting higher and higher.
  I heard there could be a flexible solution to use BEX variable typed Authorization and the authorization values can be determined via BEx user exit. Finally, I need only one profile for all users. But I don't know how to implement this flexible solution.
  If anyone out there could share the knowledge it would be great.
  Thanks for your help in advance!
  Regards,
  Sally

  Hi
  First make the info object authorization relevant in the business explorer tab of the info object.
  Plz follow the below steps:
  1. Goto RSECADMIN tcode to create analysis authorization object for Profit centre
  2. Click on Maintenance
  3. Give a name and click on create
  4. Give the info object name as profit centre under char/ dimension
  5. double click on info object profit centre or click on details
  6. Under value authoriztion tab, give the variable name. (The variable name should start with $ symbol ex $test).
  Write the logic for the customer exit variable in the function module EXIT_SAPLRRBR_001 inside of enhancement RSR0001 via tcode CMOD.A variable of processing type authorization reads the values from authorizations of a user. A variable of processing type customer exit reads the variable values using a selection routine placed in the function module.
  Assign the authorization object to all the user instead of creating new profile with the hard coded values.
  The advantage of this method is that you can give all users the same authorization by placing the variable name with a $ sign in front of it instead of a value in the characteristic value (or the hierarchy node).
  The variable can also of course be used in the query, but this is not absolutely necessary. You can also filter using another variable or with fixed value restrictions in the query.
  Hope it helps.
  Regards
  Sadeesh

• Authorizations for report

  hi
  i have this report
  employee emp group emp sub group number of employees
  what steps i need follow at rsa1
  what steps i need follow at rsecadmin
  what setps i need follow at pfcg
  can i gets tep by step process

  Hi,
  Do you want to restrict your report based on Employee ?? If so follow the below steps.
  RSA1 - Make the Employee InfoObject as Authorization revlevant in the Business Explorer tab of the InfoObject.
  RSECADMIN - Create an analysis authorization( AA ) with the following InfoObjects.
  0TCAACTVT
  0TCAIPROV
  0TCAVALID
  0TCAKYFNM
  and Employee InfoObject and restrict them with the values you feel you need to give authorization to.
  Now assign the analysis auth to the user directly in RSECADMIN or you can create a role in PFCG and under the Authorization Object S_RS_AUTH give the new AA name.
  Hope it helps.
  You can go through the following document for detailed infomation on Authorizations.
  https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/659fa0a2-0a01-0010-b39c-8f92b19fbfea
  Regards,
  Gaurav
  Edited by: Gaurav Kothari on Oct 15, 2008 5:10 PM

• User Authorization for a Query

  Hi,
  I have assigned a single role to a user, in which I have authorization for all the Infoproviders, including authorization for reporting. The user is able to access most of the queries, except one query. If there is a problem, he should not have accessed all the queries.
  What problem could have prevented the user from accessing on particular query???
  Any Ideas will be highly appreciated,
  Thanks and Regards,
  Ravi Sankar

  Some possibilities:
  The one query which the user is not able to run , who is the author of this query?
  You need to give authirozation for the object S_RS_COMP1.
  If the user has authorization for this object, then the next possibility is:
  The query may have a filter or a characteristic value for which the value is not set for the user.
  Ravi Thothadri

• Autorization for report RPUAUD00

  Hi all,
  is it possible to create authorization for report RPUAUD00 to work like this:
  if user start report it should display only changes which he makes.
  if hr manager start report it should display all changes for all users.
  Best regards.

  Hi,
  You can find the Date & Time from PCL4 cluster table.

• BW report authorization for restrict cost center

  dear all,
  i have problem on BW report authorization for restrict cost center.....when i execute the query, after selection screen, appear error message 'you cannot change zv_cctr for characteristic 0COSTCENTER during query'.
  note : zv_cctr is variable restriction for costcenter, type processing = customer exit.
  below the customer exit :
  WHEN 'ZV_CCTR'.
      IF i_step = 2.
        DATA : gt_mstuidvscc TYPE TABLE OF  ztbw_mstuidvscc,
               gs_mstuidvscc TYPE  ztbw_mstuidvscc,
               wa_final2(10) TYPE c.
        SELECT * FROM ztbw_mstuidvscc INTO CORRESPONDING FIELDS OF TABLE gt_mstuidvscc
          WHERE userid = 'sy-uname'.
        LOOP AT gt_mstuidvscc INTO gs_mstuidvscc.
          wa_final2 = gs_mstuidvscc-kostl.
          l_s_range-opt = 'EQ'.
          l_s_range-high = wa_final2.
          APPEND l_s_range TO e_t_range.
        ENDLOOP.
      ENDIF.
  Regards,
  Tony

  i defined variable as ready for input and mandatory.
  regards,
  Tony

• Report S_ALR_87013105 : no authorization for the report/ table 7KU6_001

  Hi Gurus,
  While executing the program S_ALR_87013105 (Detailed Reports 
  For Sales Order : Plan/Actual Comparison ) system showing the selection log.
  "Have no authorization for the report/table  7KU6_001 and 7KU6_002".
  But for the user the authorization check through SU53 was successful.
  Pl can any one suggest on this issue.
  Thanks in advance,
  Vijay

  Hi,
  Contact your basis consultant to provide the missing authorisation. This is one of the authorisation object.
  Regards,
  Sankar

• How many ways we can create authorization for user groups in sap query reports

  Hi Gurus, I am getting a problem when I am assigning users to user group in sap query report .The users other than created in user groups are also able to add &change  the users .So please suggest me how to restrict users outside of the user group.
  Please send me if u have any suggestions and useful threads.
  Thank You,
  Suneel Kumar.

  I don't think it can be done. According to the link below 'Users who have authorization for the authorization object S_QUERY with both the values Change and Maintain, can access all queries of all user groups without being explicitly entered in each user group.'
  http://help.sap.com/saphelp_46c/helpdata/en/d2/cb3f89455611d189710000e8322d00/content.htm
  Although I think you can add code to your infoset and maybe restrict according to authority group, i.e.:
  Use AUTHORITY-CHECK to restrict access to the database based on user.
  Press F1 on AUTHORITY-CHECK to find out how to use it in the code

• Authorization for Web report

  Hello Experts,
  One of my user wants to see a report in the web and wants an authorization for the same. When he is trying to execute the query in the WEB he is facing the follwoing error.
  User SCANESIN has no RFC authorization for function group SDIFRUNTIME.
  What steps do i need to follow to resolve this issue.
  Regards,

  Hi,
  You can solve this problem with the help of your basis person.
  Go to the role of that use using RSECADMIN. Find the authorisation object S_RFC. Include SDIFRUNTIME in
  'Name of RFC to be protected' field. Activate the role.
  Regards
  Githen