Authorization issue on comapay code in BI 7.0
Hi All,
We are facing some issue with the company code authorization.We have created analyses auths and these are included in the respective roles. These roles are assigned to the users based on the requirement. We have used a exit variable for comapny code in the analyses auth and following code is used to populate the company code from DSO where we maintain the authorizaiton values for differernt users.
We hav restricted the users only on the company code,activity and infoproviders. Users have access to all the info providers.
we have given * access for all others objects.
The below code was working fine till last month. But now users are getting the error message "you don't have analyses authorization for any of the char values of char 0comp_code" irrespective of the query they execute. Only BW consultants (have vast access) are able to execute the query. we are unable find a single user id who cacan access so that we can comapare the other ids. We have checked the logs. No one has changed the code.
Any pointer on this is highly appreciable.
*& Report ZBWI_YLQU01 *
REPORT zbwi_ycompcod.
*--- Mandatory local variable for the User exit program
TYPE-POOLS: rro01, "Do not delete
rrs0, "Do not delete
rsr, "Do not delete
sbiwa. "Do not delete
DATA: l_s_range TYPE rsr_s_rangesid, "Do not delete
loc_var_range TYPE rrrangeexit. "Do not delete
--- local data definition (if any) -
TYPES : BEGIN OF st_compcode,
comp_code LIKE /bic/azal_comp00-comp_code,
/bic/zauth_val LIKE /bic/azal_comp00-/bic/zauth_val,
END OF st_compcode.
DATA : t_compcode TYPE st_compcode OCCURS 0 WITH HEADER LINE.
*& Form variable_user_exit
text
-->I_VNAM text
-->I_VARTYP text
-->I_IOBJNM text
-->I_S_COB_PRO text
-->I_S_RKB1D text
-->I_PERIV text
-->I_T_VAR_RANGE text
-->I_STEP text
-->E_T_RANGE text
-->E_MEEHT text
-->E_MEFAC text
-->E_WAERS text
-->E_WHFAC text
-->C_S_CUSTOMER text
FORM variable_user_exit
USING i_vnam LIKE rszglobv-vnam
i_vartyp LIKE rszglobv-vartyp
i_iobjnm LIKE rszglobv-iobjnm
i_s_cob_pro TYPE rsd_s_cob_pro
i_s_rkb1d TYPE rsr_s_rkb1d
i_periv TYPE rro01_s_rkb1f-periv
i_t_var_range TYPE rrs0_t_var_range
i_step TYPE i
e_t_range TYPE rsr_t_rangesid
e_meeht LIKE rszglobv-meeht
e_mefac LIKE rszglobv-mefac
e_waers LIKE rszglobv-waers
e_whfac LIKE rszglobv-whfac
c_s_customer TYPE rro04_s_customer.
CHECK ( i_step = 0 ).
REFRESH t_compcode.
SELECT comp_code /bic/zauth_val FROM /bic/azal_comp00
INTO CORRESPONDING FIELDS OF TABLE t_compcode
WHERE username EQ sy-uname
AND tctiobjnm EQ '0COMP_CODE'.
LOOP AT t_compcode.
CLEAR l_s_range.
l_s_range-low = t_compcode-/bic/zauth_val.
l_s_range-sign = 'I'.
l_s_range-opt = 'EQ'.
APPEND l_s_range TO e_t_range.
ENDLOOP.
ENDFORM. "execute_user_exit
Hi Meghana,
As Mohan suggested take the screenshot of SU53 Tcode and send it to Basis to add the respective company code Authorisation object in the role.
Thanks & Regards,
Dinakar.
Similar Messages
-
Authorization issue with Company code/ Cost center combination
Hi,
I am currently trying to restrict user access by company code and cost center combination.
We have roles defined for each user and I am trying to use the standard authorization object A_S_KOSTL in this role . It seems that since it is not a 'maintianed' object no activity can be assigned to this autorization object.
currently the values are :
company Code : 1110 , 1112, 1114
Cost Center : *
i am getting sy-subrc as 0 even when i test for company code : 1110 for a user with the above role.
My code is :
AUTHORITY-CHECK OBJECT 'A_S_KOSTL'
ID 'BUKRS' FIELD '1110'.
F sy-subrc EQ 0.
AUTHORITY-CHECK OBJECT 'A_S_KOSTL'
ID 'KOSTL' FIELD '*' .
IF sy-subrc EQ 0.
MESSAGE 'Success with KOSTL also' TYPE 'S'.
ELSE.
MESSAGE 'Success with BUKRS only' TYPE 'S'.
ENDIF.
ELSE.
MESSAGE 'Failure' TYPE 'S'.
ENDIF .
I get a subrc NE 0 for the KOSTL part. The test passes for BUKRS.
Please advise on how to proceed.
Thanks and Regards
SoumyaOkay, I misread the "NE". Sorry.
Have you done a syntax check on it?
Also compare to:
AUTHORITY-CHECK <object>
ID 'KOSTL' '*'.
I cannot confess to ever have done a "full" AUTHORITY-CHECK myself, but it is most likely the same as with DUMMY -> you should not use the FIELD statement as '' value if the data element does not know what a '' is...
Cheers,
Julius -
Authorization Issue for Transaction Codes PA10,PA20,PA30 &PA40
Hi Experts,
I have created Custom role for accessing ALL HR Transaction codes in IDES System and added to the user & Tested.
All transactions codes are working except PA10,PA20,PA30 &PA40
Please help me regading this.
Advance Thanks,
BBCHi,
I had check with basis Team, they told that I have all authorizations.
This is New Installation for R/3 HR IDES System. even basis Team also created role for above transaction code but not getting access.
We can accesss all transaction codes except these.
All are new for HR. here anything needs to be configure for access PA10 to PA40 Transaction codes.
Please advice me.
Thanks & Regards,
BBC -
Variable screen/variant screen authorization issue
HI All,
We have implemented standard Cost Center Overview Report(0SR_C02_Q0002) in BI 7.
We have three selection fields:
1.Company Code which is mandatory
2.My controlling Area which is also mandatory
3.Costcenter which is not mandatory
The requirement we are facing over here is that in the Variable screen/variant screen when I enter a company code, then I need to display dynamically only those "My Controlling Area" values which are assigned to that particular company code and not all. In the same way after selecting the appropriate "My controlling area" value, I need to display only those cost centers in the cost center selection field which are assigned to the selected company code and My controlling area combination and not all.
can anyone guide me on how to go about on this authorization issue at the variable screen itself.
Please treat this issue/requirement on high priority.
Appreciated in advance.
Regards,
raps.Hi,
I think that an alternative to solve your concern could be using Web Application Designer (WAD). In this respect, there are several design options, with different levels of complexity.
As the simplest alternative, you could create a WAD including your query and three Dropdown Boxes: one for Company, a second for Controlling area and another for Cost center. The four mentioned elements should be linked to the same dataprovider so, when you select a company, the options in the other two Dropdown boxes and the information in the query are updated.
In order to enforce mandatory filter selection at Company and Controlling area level, you should set NO_REMOVE_FILTER='X' in both two Dropdown boxes, so that "All values" option -which would mean no filtering- is not offered.
I hope this helps you.
Regards,
Maximiliano -
Authorization issue - help request
Hi guys,
One of the consultants is having an authorization issue ( He is not abele to run a t-code)
I ask him to run a su53 report and i am not sure how to proceed with this.
Please help.
Here are the details from the SU53 report.
DISPLAY AUTHORIZATION DATA FOR USER VYXXXX
User : VYXXX profile parameter authorization buffering 4
Authorization Object: F_KNA1_GRP
Description
Authorization check failed:
+ Authorization object F_KNA1_GRP Customer Account Group Authorization
Activity 08
Customer Account Group ZM01
Users Authorization Data :
+ Authorization object F_KNA1_GRP Customer Account Group Authorization
Authorization T-PD19002300
Authorization T-UG39000900
Authorization T-UG39001000
Please help me guys what need to be performed.
Regards,
Vamsi.Hi Vamsi,
SU53 shows us the last failed authorization for a user. However, it might not only be the failed authorization object failed.
Hence, "just to learn" , you can use transaction ST01 to enable and run a trace for particular users. Be sure to use in a test environment first, and with proper filters. (for a particular user only).
Then check-> which auth object is failing.
RC=4 means a object value is failing.
RC=12 means an object is missing!
Check, which tcode is calling that object and this tcode is present in which role. Then.........proceed.
You can check the SAP documentation on running traces on the help portal of SAP. I think you will find the answer yourself by troubleshooting more and may be massaging some test roles here and there!
Likewise, if you are new to security, I would encourage you to start by reading some books on SAP security. Authorizations made easy is a good book to start with.
Let me know if you have any questions
EOD for me :P . take care
Abhishek -
Authorization issue in BI system.
Hi,
Having a authorization issue in BI system.
user trying to run a query in and attempt to drill down by customer, he gets customer details but some of the customers are missing...
Does the authorization granted in BI system based on customers? Is it a security issue?
pls help...
Thanks...Hi,
Please execute the query with your id(developer id who will be having access to all data) first. Check if you are able to see all the customer data. If you are able to see all the data then the user is restricted with some authorizations. ( usually the authorizations are done on sales organization, company codes, plant..etc.. please check how it is in your project...)
If you are not able to see all the customer data, then check in the infoprovider on which the query is built and do your analysis.
Check in the roles assigned to the user.
Hope it helps.
Edited by: Maddy on Apr 21, 2011 6:42 AM -
Authorization issue with VA02 radio buttons
Hello All,
We are stuck at one authorization issue. The user navigates using tcode VA02.
1) Execute Tcode -VA02=>
2) 2) puts order number # 100001 =>
3) press enter =>
4) press enter =>
5) Screen: Change (Company Name) Return 100001: Overview =>
6) Option: Display doc. Header details (looks like a magnifying glass beside PO_date) =>
7) This bring us to Change (Company Name) Return 100001: header Data =>
8) select status tab =>
9) on Status tab lower end there is a button u201CObject Statusu201D =>
10) Press it =>
11) Come to Change Status :
12) On this screen There is Status with status no. on the right side with 7 options
e.g:
u2022 1 BLK Approval Required for,
u2022 2 BL1 Approval for Credit,
u2022 3 BL2 Approval for material Replacer
We need to restrict the radio button access for user for which we are unable to find the authorization object.
Could any one help.
Thanks & Regards
gabHi,
Use ST01 to trace the user activities and check which objects its hitting when you click on those buttons, then you can restrict radio buttons using those objects.
I have'nt run the tcode myself and performed the steps you mentioned, but if you think its calling other transaction from those buttons you can manage tht in SE97, or add the t-code VA02 in the S_tcode auth object in PFCG.
Hope this should get you going
Thanks,
Vijay -
Authorization issue in BI 7.0 query
Hi,
The user has the authorization for the company code 0001, 0002 and 0003. The three different roles for each respectively company code 0001, 0002 and 0003 has been assigned to this user.
When the User executes the query for only one company code, he has no problem. When he executes the query for ranges 0001 u2013 0003 (in Variable), he gets the error message: no authorization.
Our System is SAP NetWeaver BI 7.0 (Support Package SAPKW70016).
Thanks for the answer.Hello Moha,
Yes it is stupid, but that's how the Analysis authorization of SAP works!! Incredible hum?
I've seen an OSS note stating exactly that:
Having 3 authorizations for values 1, 2 and 3 respectively for the same characteristic is different than having authorization for the range 1 - 3, and therefore you receive a lack of authorization.
You should tell your users not to put the range (or use authorization variables, this will automatically fill the values the user has authorization), or you must create a new authorization for the range values instead of single values.
I once had to do that with mass generation, i.e., created a program that trys to find sequential values and creates new authorization with the range values, to fix that issue.
Diogo. -
S_CTS_ADMI Authorization issue
Hi Experts,
Every now and again a user sends me a SU53 with the error requesting access to S_CTS_ADMI field TABL. The user of this morning is trying to release a purchase order using transaction ME29N. Why would the SU53 indicate that the user want to maintain the control tables of the Change and Transport System in Production when they are trying to release a purchase order? I am running a trace ST01 but it's not helping.
Could you please help me to resolve issue.
Thanks
PavelHi
Gowri is perfectly ok. Below Objects checked.
M_BEST_BSA
M_BEST_EKG
M_BEST_EKO
M_BEST_WRK
Along with that M_EINK_FRG also get checked.
Check for access to all of the above Objects in user master records. Before that check with MM team to get these values of the PO that the approver is trying to release.
1) Document Type : Relate with M_BEST_BSA
2) Purchasing Group : Relate to M_BEST_EKG
3) Purchasing Organization : Relate to M_BEST_EKO
4) Plant : Relate to M_BEST_WRK
5) Release code & release Group : Relate to Object M_EINK_FRG
You also can get these information through ME23N
If all of the above matches with user master record and PO then there is no further authorization issue. Rest on MM team !!!!!
Best of luck...
Arpan -
Regarding BI Authorization Issue
Dear Friends,
can anyone help me to solve this issue..
I have a Authorization Issue, u201CNO Authorization u201C
Error : EYE 007 ( Insufficient Authorizations )
I have follow this stepsu2026
Steps 1 :-
Define Authorization-Relevant Characteristics ( ZCUSTOMER )
Note : I have 0Division values C100 and C200, I want to restrict the user on ZCUSTOMER = 100.
Steps 2 :-InfoObjects as u201Cauthorization-relevantu201D
Eg: 0TCAACTVT
0TCAIPROV
0TCAVALID
0TCAKYFNM
ZCUSTOMER
Steps 3 :-Using T-code : (RSECADMIN) created the Analysis Object
For example : ZAUTH In That I have taken
ZCUSTOMERrestricted with value C100.
0TCAACTVT with 3 ( Display )
0TCAIPROV with * ( Astric )
0TCAVALID with *
0TCAKYFNM with *
Steps 4 :-
Assign Authorizations to Roles
Use authorization object S_RS_AUTH for the assignment of
authorizations to roles.
Maintain the authorizations as values for field BIAUTH
Ex: ZTESTA1
S_RS_AUTH
Here I have given my Authorization Analysis Object ( ZTESTA1) which I have created in RSECADMIN.
S_RS_COMP
Activity Create or generate, Change, Display, Delete, Execute <...>
InfoArea : ZDEMO_ MIHI
InfoCube : ZCUBET
Name (ID) of a reporting compo : ZTEST_Q0001
Type of a reporting component Calculated key figure, Query View, Query, Restricted key figure <...>
S_RS_COMP
Activity Create or generate
InfoArea :ZDEMO_ MIHI
InfoCube : ZCUBET
Name (ID) of a reporting compo :ZTEST_Q0001
Type of a reporting component :Query
S_RS_COMP1
Activity Display, Execute
Name (ID) of a reporting compo : ZTEST_Q0001
Type of a reporting component :All values
Owner (Person Responsible) for *
S_RS_COMP1
Activity Change, Display, Delete, Execute, Enter, Include, Assign
Name (ID) of a reporting compo ZTEST_Q0001
Type of a reporting component All values
Owner (Person Responsible) for :*
S_RS_ICUBE
Activity Create or generate
Infocube Sub Objects: DATA, Update rules, Data Definition, Aggregats
InfoArea :ZDEMO_ MIHI
InfoCube : ZCUBET
S_RS_IOBC
Activity Create or generate
InfoArea :ZDEMO_ MIHI
Infoarea Catalog : zioc_test, Zkf_test
S_RS_IOBJ
Activity Create or generate
InfoArea :ZDEMO_ MIHI
InfoObjets: ZCUSTOMER, ZDOCNO,ZMATERIAL
Steps 5 :-
AND Assign this Role to User.
Steps 6 :- ERROR
When I execute the Report it is showing u201CNO Authorization u201C
u201C Insufficient Authorization u201C
EYE 007.
Regards
SivaHi,
In RSECADMIN try to put on the trace with your user id & execute the query . System will give you list of authorization object with red color which needs to be reconsidered in order to execute report without error.
Hope that helps.
Regards
Mr Kapadia -
Authorization issue when using MB1B
Hello to all,
Please help me identify why the user is having authorization issue on MB1B...there's an error message that displays
"no authorization for delivery from shipping pont 1234"
Please advise on how to proceed with this error. What are the checks needed?
Thanks.Dear Patvin
BASIS consultant is the one who helps in your project for authorization
related,transporting related.
See the problem which you are facing is due to authorization ,so a BASIS
consultant can solve this issue,or just convey the same to your Team Leader.
The problem is for that T code you can not deliver from Shipping point 1234,you
can try for some other option.
Regards
Mangal -
Authorization Issue to Upload file in Integrated Planning
Hi All
I have included the planning role for the user...which is the same as mine..I can execute and upload the file..when I login with the user iD, it says you are not authorize to upload zFILE_SEQ/...in my role..there is Z* values also..
No idea how to rectify as I dont see any problem??
pppls help..Hi,
Could you please look into the authorizations that restrict data selection for the user, say if he control one or two costcenters and you have access to all costcenters. Also you need to have that object in the Aggregation level that allow the user selection. You need to include that info object restriction based on authorization value in the aggregation level and in the upload file.
Also try to execute the input ready query from RSECADMIN T-CODE . Use the 3rd tab and choose the user id and choose with log .Then on the next screen will be RSRT and choose your input ready query and execute. Then choose back button and the pervious screen choose display log, which will give you detail log on the authorization issue ...
hope it helps...
cheers,
Balaji
Edited by: Balaji NS on Jun 4, 2011 1:47 AM -
Dear Gurus,
I am having an issue with regard to Authorizations. In BW3.x with respect to query designer an end user can just change the local view of a query. How about the same thing in BI7? What are the procedures i need to follow to give an user authorizations to only the edit query local view. Is there any BC role or Profile that i can just add to get the desired result. Kindly give the inputs in a detailed manner as I am new to BASIS part.
Your Kind Inputs will be definitely rewarded with a great honour.
Regards
Mohan Kumar
Message was edited by:
mohan kumarDid you tried defining authorization objects using transaction code RSECADMIN, as this is working of me for Profit Centers.
Thanks.
Sachin -
Authorization issue regarding Bex Query
Hi All,
User Requirement: When ever the user is executing the report in Design Studio, user can able to see all the company codes (summary data) in the main page of the dashboard. If user wants to drill down to a particular Comp code, then user should access only which are authorized. Ex: If the user Test4444 is executing the report, then he/she can able to see all the comp codes data in the main page of the dashboard. If the user wants to drill down further to see the comp code wise data, then he/she should not allowed to see except comp code-4444 or what and all authorized .
Back ground work:
I have a Bex query, which is using the Design Studio. In this query, "0COMP_CODE" is a char InfoObj and I have created a Auth variable on this InfoObj. There are 4 autho objects created based on this "0COMP_CODE". And also 4 Roles and 4 users have created.
Each autho_Objet has assigned to that corresponding Role and that Role is assigned to that correspond User. Details are as follows.
Autho_Objet
Role
UserID
ZTEST_MAIN (which includes all - 23 compny codes)
ZMain_Role
All users have to access this role
ZTEST_1111 (which includes only CC- 1111
Z1111_Role
Test1111
ZTEST_2222 (Which Includes only CC - 2222)
Z2222_Role
Test2222
ZTEST_3333 (Which Includes only CC - 3333)
Z3333_Role
Test3333
ZTEST_4444 (Which Includes only CC - 4444)
Z4444_Role
Test4444
To achieve this requirement, I have created 1 auth.object for all Comp.Codes and assigned to one main role and this role is assigned to all users. This looks fine and hopefully it will work.
The problem is the next step of drill down to comp.code. Here I have created individual autho.object per Role per User and mapped accordingly. Unfortunately, user can able to access all the comp.codes data because of the main role assigned. I got stuck here in this second level restriction. Could some one can through a light how we can achieve this in authorization. It would be a great assistance if some one help here. I would be much appreciated and grateful to your assistance and inputs. Thank you in advance!
BR
Venkat...In the role ZTEST_MAIN,
You need to remove all company codes as this is overriding the rest
Then add aggregate authorization, ie "0COMP_CODE" = ":"
This is a special authorization which grants authorization to see the summation of all the 0COMP_CODE without giving detailed authorization to any.
The rest of your design is fine.
You should then use RSECADMIN to check any authorization issue you have. -
Authorization Issues with fresh Installation of BWI 3.10
Experts,
I did fresh installtion of BWI 3.10. After installtion I've loged on client 000 with sap* user and created new client. To the new client I've assigned sap_all profile. Under this new client I've created a user and assigned sap_all, s_new_46a0, s_new_50a0 profile. Loged on to BWI with the new user and trying run RSA1. It's giving me arror "You are not authorize to run transaction code RSA1". Matter fact this new user does not have any authorization to run any transaction codes.
Would appriciate any help in resolving this issue.
RegardsHi I Am Having the same problems as you My HP Laserjet 1012 stop working after the update windows10.not only that I have some games that not working . So you are not the only one Me tooI my go back to windows 7 I was very satesfied. Thanks ZAG
Maybe you are looking for
-
Removing the CORRECT iTunes files from a hard drive
Help! Does anyone have any idea how to remove the old iTunes files. I want to delete them to free up space on my computer. I tried to move my library from this computer to a laptop. See below. I went through all the steps to move my iTunes library us
-
Allowing only ONE instance of a PDF to be open
I'm trying to work out a new system for proofreading and commenting in our business using the Comment and Markup tools in Acrobat 8 Professional. I'd like to allow multiple users on a network to interact and markup a PDF easily. I'd like to make it s
-
Satellite P300-1EU: I cannot use my keypad
Hi everybody, I have a big big problem, I have got a Toshiba P300 1EU, and for yesterday i can't use my keypad. When i click on "Num Lock" I see on the screen the same thing if I press "FN". I already make a system restore but it's don't work :/ I do
-
Spellcheck in pages on ipad - can it do multi language?
Is it possible to get pages on ios (ipad) to do spellcheck in more than the one language (the ipad default language)? Other apps, including apple apps, seem to be able to take language from the keyboard and spellcheck accordingly, but pages doesnt se
-
IP address not used correctly at RT Ping Controllers.vi
It seems to me that the IP address provided to RT Ping Controller.vi and RT Reboot Controller is not used correctly. What I do is: Set the Subnet flag true and give a numerical IP adress to RT Ping Controller.vi What I get is the controller informati