Authorization on company variable

We are using company as Variable in the query so that when user runs the query it selects the company and gets the result for that company.
Question : How to restrict each user so that they can run the query only for that company and not for any other company which appear while selection in variable.?
thanks

Restrict on company in the authorization roles of the users.

Similar Messages

Authorization Hierachy Node Variable in Web Report

Hi friends,
I have a Authorization Hierachy Node Variable on 0COMPANY and this is placed in Free Characteristics in BEx Query.
Now i want to catch the value of this Company in Web Template either using Text Element web Item or etc. and then pass this value to the Print Layout of the same report.
Could some body help me on this.
Thank you very much advance.

Hello Aneesh,
these is how i have BUT NOT WORKING.
i am thinking, if it in free characteristics, then it wont give values !!..
var COMPNM = '<object>
         <param name="OWNER" value="SAP_BW"/>
         <param name="CMD" value="GET_ITEM"/>
         <param name="NAME" value="TEXTELEMENTS_5"/>
         <param name="ITEM_CLASS" value="CL_RSR_WWW_ITEM_TEXT_ELEMENTS"/>
         <param name="DATA_PROVIDER" value="DP"/>
         <param name="GENERATE_CAPTION" value=""/>
         <param name="WIDTH" value="453"/>
         <param name="BORDER_STYLE" value="NO_BORDER"/>
         <param name="SHOW_COMMON_ELEMENTS" value=""/>
         <param name="SHOW_FILTERS" value=""/>
         <param name="SHOW_VARIABLES" value="X"/>
         <param name="ELEMENT_TYPE_1" value="VARIABLE"/>
         <param name="ELEMENT_NAME_1" value="IVCMP_H"/>
         <param name="ONLY_VALUES" value=""/>
         ITEM:            TEXTELEMENTS_5
</object>';

Infotype authorizations at Company Code level

The project I am working on has two company codes 1000 & 1100. The user requirement is that a person working in one company should be able to make changes only to employee data of employee's in his/her company and to have only read authorizations for employee data from the other company.
I've tried creating a role for Company 1000's employees where the authorization object P_ORGIN has Personnel Areas for that company code itself and all permissions (read, write etc.) and another role with read access to all Personnel Areas. However, when assigned to a user, they are still able to access data from the other company (i.e. the company whose personnel areas were not listed in the first role).
Any ideas what I am doing wrong and how I can resolve them?

Authorization level            *
Infotype                       *
Personnel Area                 1000's Personnel Areas
Employee Group                 *
Employee Subgroup              *
Subtype                        *
Organizational Key             *
Authorization level            R
Infotype                       *
Personnel Area                 1100's Personnel Areas
Employee Group                 *
Employee Subgroup              *
Subtype                        *
Organizational Key             *
This config should work.
Or can you post the values you entered in all the HR authorization objects in your role so that we can check. (P_ORGIN, PLOGI, P_PERNR etc)

Authorization at Company Code Level for table FEBKO

Hello Experts,
I need to add authorization check on my report program that accesses and displays data from table FEBKO. However the user should only be able to access the data of table FEBKO particular only for their company code. How can I apply this? Thanks in advance for all your responses!
Best Regards,
Kurtt

Hi,
if it is in your own report, you can define your own authorization object with field for company code. Check transaction SU21 or ask your security guy. Then you will check if an user have authorization for this object.
Cheers

Authorization with OLAP Variable

Dear all,
we have the following scenario: we need to built a report where we show e.g. a value per employee.
In order to establish that user A can only see his own data and not data from user B we did the followoing:
- Creation of a table ZUSER which contains User-ID (logon) and employee number, e.g. smith / 12345
- Creation of an authorization variable with type customer exit (Y_SU202) and assign it to InfoObject employee
- In the customer exit for OLAP variable the coding reads from ZUSER
So if user A executes the report the system reads the table and fills the variable with the corresponding entry.
It works fine.
But I have to assign in the PFCG Role for the corresponding authorization object * (all values); if I enter the name of the OLAP value it doesnt't work. But I need to do that due to the fact that otherwise the user can select via filtering in the report all values as the auth. variable just works for the exection but not for the filtering (when a * is assigned) in the authorization object.
I tried to enter Y_SU202 and $Y_SU202 in the authorization object; both ways doesn't work.
Thanks for your support
Marc
P.S.: I'm not sure if I should have post this topci to the security forum.

yes, RSSM setting is fine; i have there two InfoObjects (employee number and costcenter).
i changed in the role the value to * for both fields for testing. (after $Y_SU202 did not work for the employee).
It seems that this has something to do with the i_step = 0; if I change it to i_step = 2; the initial execution works.
But if I filter afterwards in teh query on the employee (select filter value) I see all values which is wrong.
If i change the coding to i_step = 0 and the variable to input ready I do see all values, too.
it seems that the auth. check does not work

No authorization for company code in MRBR

Transaction MRBR is currently wide open. Anyone with authorization to this transaction can unblock invoices in any company code.
Standard security profiles can only restrict users at universal (*) or purchasing group level. We require control on company code.
OSS 399953 suggests creating validation rule (GGB0) to test user authorizations for transaction MRBR and authorization object F_BKPF_BUK.
Can anyone supply the validation coding to solve this security problem?
Is anyone familiar with this problem ? Do you have a solution ? also None standard SAP solutions are welcome
Thanks in advance
Greetings,
Vincent

Hi Vincent
Another option could be to implement an authorization check in the BAdI MRM_RELEASE_CHECK - this is, of course not Standard.
The code could look somthing like this:
DATA: wa_rbkp_blocked TYPE mrm_tab_rbkp_blocked.
LOOP AT i_rbkp_blocked INTO wa_rbkp_blocked.
    AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
             ID 'BUKRS' FIELD wa_rbkp_blocked-bukrs
             ID 'ACTVT' FIELD '02'.
    IF sy-subrc EQ 0.
      APPEND wa_rbkp_blocked TO e_rbkp_blocked.
      CLEAR wa_rbkp_blocked.
    ENDIF.
ENDLOOP.
Regards
Morten Nielsen

T-code CJ88 role authorization using company code?

Hi expert!
who can tell me how to control CJ88 T-code using company code .
the business is below:
1, the user have 10 company code and only one control ares.
2, one employee cannot use CJ88 to settlement the project of the other company code.
can any one tell me how can i control
Please explain me all the steps to be required.
Thanks in advance!

I am not sure about CoCode wise authorization for CJ88...you said you have 10Cocodes, if the Person Responsible of the projects are different for each cocode, then use authorization object C_PROJ_VNR (Project Manager for Proj Def) or C_PRPS_VNR(project manager for WBSE) for running CJ88, so that person repsonsible of other company code project cannot run settlement of other projects.

CO authorizations by company code

Dear all,
I am looking for a solution to the following requirement: given is
1 CO Area for mutliple company codes
Authorization shall be given to the controller for MOVEMENT DATA only for the company code he works for. So this could be controlled via RESPAREA in authorization object K_CCA. However, the same user shall be able to see ALL cost center hierarchies (standard and alternative hierarchies) and ALL cost center master data for all company codes. Thus RESPAREA would need a "*" with the effect that movement data can then be seen also from all company codes.
Any idea how to resolve this, e.g. by using another authorization object or value? Thanks in advance.
Peter
Moderator: You'd better ask this in Security forum. As soon as you do, I'll close this thread

Hi,
I guess you should be able to control the authorisations with a single User ID.
Follow the below steps :
1. Create a new Role for the user.
2. In the Role, for the authroisation object K_CSKS ( CO-CCA: Cost Center Master), you allow all cost centers. Thus, the user can get access to the master data of all cost centers in the given controlling area.
3. For the reports, the authorisation object is K_REPO_CCA ( CO-CCA: Reporting on Cost Centers/Cost Elements ), here you need to restrict the cost centers for which he is allowed to view the reports . The pain here is that you don't have the option of entering the Cost center groups, rather you can give the cost center values in the range.
4. In the authorisation object, K_CCA ( CO-CCA: Gen. Authorization Object for Cost Center Accounting), you try giving all cost centers in the controlling area , if it does not work then, don;t give any cost center so that it will take from the above authorisation objects in 2 & 3 above.
I suggest you discuss with Basis consultant, who will guide you through the above process.
Njoy
Siva

Authorization variable not filled with authorization values

Hello All
I post a similar message earlier this week, I thought that my issue was solved, but it was not.
I've got a workbook with 4 differents queries.
There as an authorizations variable in each query. This variable properties is as follows :
**General tab**
Type of variable : characteristic value
Processing type : authorization
Characteristic : company code
**Details**
Variable represents : selection options
Variable is : optional
Variable is ready for input : yes
I've followed recommandations from OSS notes 976680
My issue is : if I run each query individually, variable is filled with authorized values
If I run the workbook, variable is not filled with authorized value, so when end user run the workbook, BW consider that end user wants to see all data and get "No authorization".
I don't understand why variable within the workbook doesn't show the authorized values and why the queries do.
Any suggestion about this issue ????
Thanks
Catherine

Hi
thanks for replying
I ran the query with UserID from RSECADMIN and I could open the query. But if I want to select 0profit_ctr I get this error No authorization to characteristic values.
I checked the log and this is the message.
Value Authorization
InfoProvider FIGL_MP1
Value Authorization for Characteristic 0PROFIT_CTR
Building the Buffer...
Building the Buffer...
No Authorization for Values
thanks

Authorization with customer exit variable (CP, BT, EQ)

Hi SDN-Experts,
I have a question concerning the new authorization concept.
I created an authorization for 0COSTCENTER which also contains the 3 special characters 0TCAACTVT, 0TCAIPROV and 0TCAVALID. I inserted a customer exit variable for 0COSTCENTER. The exit reads datasets from a db table which contains authorizations for the actual user. The authorizations have different formats, e.g. "1000", "1000;1200", "25*" etc.
The internal table e_t_range is filled as followed in the exit:
i   eq   1000
i   bt   1000   1200
i   cp   25*
This does not work. It works if I only use "eq" OR "cp". But not both at the same time.
How can I achieve to use the different authorizations in the db table for the bi authorization?
Thanks in advance...
Joerg

Hi Olivier.
Yes, the variable is defined as selection option and I did also try to use "EQ" instead of "CP".
I tested again with another variable which is "ready for input" and is not used in an authorization. The Variable is filled in the customer exit. This is the code:
WHEN 'ZJGR_COSTCTR_TEST'.
l_s_range-sign = 'I'.
l_s_range-opt = 'BT'.
l_s_range-low = '0000001000'.
l_s_range-high = '0000001200'.
APPEND l_s_range TO e_t_range.
l_s_range-sign = 'I'.
l_s_range-opt = 'CP'.
l_s_range-low = '0000002*'.
APPEND l_s_range TO e_t_range.
The result in the variable screen in BEx Analyzer is the following:
1000 - 1200;0000002*;
And it still does not work. It seems that you could not mix EQ, BT and CP. But this is exactly what I have to do with the authorization variable...
Do you have any other tipps that I might try out?
Thanks,
Joerg

Hierarchy Analysis Authorization in BW and BOBJ Webi Report

Hello,
We have a scenario wherein we have implemented Analysis Authorizations (Hierarchy) on Organizational Unit info object (0ORGUNIT) and need to report on BOBJ WEBI. Our scenario is as following
ORGUNIT    - L0 (Overall Enterprise Level)
-     L1 (Enterprise - Continent Wise Split)
-     L2 (Enterprise u2013 Country Wise Split)
-     L3(Enterprise u2013 City Wise Split)
E.G-
      LO (Company ABC) MANAGER 0 will have access to the entire organization
           -L1 (ASIA) MANAGER1 will have access to ASIAN Subcontinent
                  -L2 (India) MANAGER 2 will have Access to country India
                            -L3 (New Delhi) MANAGER 2.1 will have access to city Delhi
                            -L3 (Mumbai) MANAGER 2.2 will have access to city Mumbai
                   -L2 (Malaysia) MANAGER 3 will have access to Country Malaysia
                              -L3 (Kuala Lampur)
                              -L3 (pahang)
             - L1 (Europe)
                                        u2026..
The requirement is that the CEO of the company should be able to see the entire set of data ( L0-L4).We have continent managers who can see that data specific to their continent, similarly at L3 Level the city manageru2019s should see the data only for their specific city.
In BI we have used analysis authorization based on hierarchies. We have created an authorization object say ZAUTH1 and have assigned the hierarchy L0 from RSECADMIN. Now, in Webi when we create a report a sample row comes as :
L0 Org Unit     L1 Org Unit     L2 Org Unit     L3 Org Unit     SALES Key Figure
Company ABC     Asia          India          Mumbai          1000
Now, we have MANAGER 2.2 who has only access to the data specific to his city (Mumbai). There is an Analysis Authorization object created for him ZAUTH2, by ONLY assigning the org unit hierarchy L3 (for Mumbai). When we run the bex report with the user MANAGER 2.2 u2013 it correctly displays the result and the user is only able to see the data for L3 Org Unit (Mumbai). However when you bring this data to Webi u2013 the report comes in the below format:
L0 Org Unit     L1 Org Unit     L2 Org Unit     L3 Org Unit     SALES Key Figure
Mumbai                                           1000
The L3 org unit has now got assigned to L0 Org unit , as this is the only org unit assigned to the MANAGER 2.2 user .
In such a case we are not able to write any generic formulae for the report. Is there a way to correct this issue? u2018Mumbaiu2019 should either get assigned to the L3 OrgUnit column is webi report , or is there a workaround that is possible ?
Thanks and Best Regards,
Vj

Hi Vijay,
The problem you speak of is known and comes from the fact that the hierachy is flattened in the process of delivering it to WebI. Therefore there is no real 'solution' to the problem, just some work-arounds you can think of...
1)
Create a report variable that starts looking at the lowest level, if it is empty check one up, and so on until you found what you were looking for (the lowest leaf available), which by definition must be there (even if it is top level).
Using similar logic you can also get a 'number of levels avaible' and so fill in the complete tree (duplicating the highest level).
This is difficult to explain when end users create their own reports, though you could provide a template report with these variables in there already.
2)
Extend the hierarchy with duplicates below the lowest level.
So i.e. L0 Company - L1 Continent - L2 Country - L3 City- L4 City - L5 City- L6 City.
This will give back on the four levels for top authorization
L0 Company - L1 Continent - L2 Country - L3 City
For authorization on Continent:
L0 Continent - L1 Country - L2 City- L3 City
For autorization City
L0 City- L1 City - L2 City- L3 City
So in all situations the fourth level, the L3 Object will hold the City level.
This you can then use in your report.
Hope this helps,
Marianne

Authorization Issue while running a report

Hi Experts,
We are facing strange issue in authorizations while runnung a report. When we givel '*' company code access to the users they are able to run the report. When we give one single company code specific access to the users they get error message : No Authorization or everything filtered Out".
Please let me know how can i debug the same.
Company code specific access along with sales grp, profit ctr, sales employee are maintained in a ODS in BW.
Thanks
Gaurav

Hi,
When you use authorization relevant char in your report, you should create a variable of type authorization.
The variable input may be mandatory or optional.
By doing this, the default values will pop-up in the variable input screen when the user tries to execute the report.. It is also relevant to mention that the user cannot enter any blank values for the authorization variables unless he/she got * access for that particular character.
Also do not hardcode any values for authorization relevant char inthe report.
It will throw error No Authorization.
Guru.

BEx authorization issue with colon value

Hi All,
I have created few reports in 3.5 version on a cube. Two reports are having authorization object company and remaining don't have authorization object. If i do not give value colon( for company, authorization is failing for those reports do not have company. If i give colon value for company in authorization object, both reports with company and without company are working fine. If i do not specify any input value for the reports which are having company are giving all company values( but it should give no authorization message instead of displaying all companies). I'm using characteristic variable of type authorization and Ready for input. Can you please advise me how to fix this issue.
Cheers,
MKR

Hi MKR,
If you have custom authorization object and you have ticked it against a cube, then every query/report on that cube should have that authorization object.
Please chage the queries accordingly and check
hope this helps

Authorization issue with colon value

Hi All,
I have created few reports in 3.5 version on a cube. Two reports are having authorization object company and remaining don't have authorization object. If i do not give value colon( for company, authorization is failing for those reports do not have company. If i give colon value for company in authorization object, both reports with company and without company are working fine. If i do not specify any input value for the reports which are having company are giving all company values( but it should give no authorization message instead of displaying all companies). I'm using characteristic variable of type authorization and Ready for input. Can you please advise me how to fix this issue.
Cheers,
MKR

Hi MKR,
If you have custom authorization object and you have ticked it against a cube, then every query/report on that cube should have that authorization object.
Please chage the queries accordingly and check
hope this helps

Authorization check in SAP Queries.

Hi All,
We have created a SAP query and infoset for displaying invoices. We want to restrict the users from viewing data of company code for which they don't have display authorization. For instance if user is authorized only for displaying data for US company code then he should not be able to see the data for company Italy. Also the company code parameter is a select option in SAP query.
So the user can enter '*' also. In that case we want to display the data for all company codes for which user is authorized to. We tried to do change in code in infoset on AT SELECTION SCREEN but its not working as the variables in the program generated for query are not visible in Infosets. Please let us know how can we fix this requirement.
KR Jaideep,

Hi All,
Thanks alot for your valuable inputs.
I have made following modifications in the infosets.
*---Authorization for Company code entered by the users.
*---This code will restrict users to see data for company
*---codes which they are not authorized to.
*---Select all the company codes based upon selection entered by the
*---user
SELECT bukrs
   FROM t001
   INTO TABLE li_bukrs
WHERE bukrs IN bukrs.
IF sy-subrc EQ 0.
*---Clear Screen variable for Company code
   CLEAR bukrs.
   REFRESH bukrs.
*---Filter and prepare Select options for Company code table to be
*---passed to query. Table will only have values of company codes he is
*---authorized to for display.
   LOOP AT li_bukrs INTO lwa_bukrs.
     AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
                       ID 'BUKRS' FIELD lwa_bukrs
                       ID 'ACTVT' FIELD '03'.
     IF sy-subrc = 0.
       bukrs-sign = 'I'.
       bukrs-option = 'EQ'.
       bukrs-low = lwa_bukrs.
       bukrs-high = space.
       APPEND bukrs.
     ELSE.
       lv_flag = 'X'.
     ENDIF.
   ENDLOOP.
*---Give warning message to the user in case he is not authorized to see
*---data for all the company codes that he has entered.
   IF lv_flag = 'X'.
     MESSAGE ID 'ZF_MSS_FNG' TYPE 'W' NUMBER '015'.
   ENDIF.
ENDIF.

Authorization on company variable

Similar Messages

Maybe you are looking for