Authorization on Workset
Hi Experts,
I want to hide an Workset, which is added to a Role, based on user authorizations.
For example, USER1 can see the one workset in the Role but USER2 should not be able to access it in the same Role. I want to achieve it without creating two separate Roles for each user.
Thanks,
Srinivasu
Hi Srinivasu,
This cannot be achieved by configuration solely, as in general, the roles are the leading concept what is offered within the navigation. You could still use merging so that User2 has access to a common set of content and User1 has an additional role which merges with the first one, offering an additional workset.
The only alternative would be to implement a PCD filter, see http://www.sdn.sap.com/irj/scn/events?rid=/library/uuid/17968de1-0a01-0010-1f9f-c090fbc7001a&overridelayout=true
Hope it helps
Detlev
Similar Messages
-
How to base authorization on worksets
Hi All,
I see different postings about this topic, but I'm not sure where it stands.
We have different users that access PCA reports, CCA reports and a combination of both.
We have a PCA workset and a CCA workset that has the BW iView reports assigned to them.
We would like to have one role where the worksets are "dynamic". So for the users that have authorization for both PCA and CCA reports do not need to have 2 different tabs labeled "PCA Reports" and "CCA Reports". It would be one role that has both worksets assigned.
Then for users that only have PCA authorization, they do not see the CCA workset in this one role.
Is this possible?
Thanks.For this u need to have two roles and u have to merge ur roles.
Create a role and name it as PCA Role and assign PCA reports to it and go to property editor of the role and in MERGE ID filed give a name and save it
Create a another role and assign CCA reports to it and go to property editor of the workset and in MERGE ID filed give a name(give the same name which u have given in for first workset) and save it.
Now assign roles to users as u like.
if u assign Role1 to user1 he can see only content 1.
if u assign both roles he can see both content1 and content2.
If u assign both roles also user can see PCA and CCA reports under one role .
Regards
Krishna. -
Carrer and job workset in ESS role
Hi Guys,
I have a problem in ESS role, I am having SP12 portal with ESS SP8,ADS SP10 and WebDynpro 6.4. In Ess role there is a workset called "career and job" when I try to open "Candidate Profile" under this workset I get an error regarding
com.sap.portal.appintegrator.sap.WebDynpro::WebDynpro/TopLayer
DefinitionType: Java
System : SAP_WebDynpro_XSS
DynamicParameter : sap-cssversion%3D6.0.12.0.0%26rcfLogAppl%3DPROFILE_BUILDER%26sap-wd-cltwndid%3DWID1129022201017%26sap-ext-sid%3DtR%2BgBA7MR1%2F%2FcEUuvhfClw%3D%3Dmrlts5WFF7AVeT%2FwEkiv2w%3D%3D
DebugMode : No
Can any one tell me how can I solve this error? Thanks in advance
Regards
Yasir NomanHi,
I faced with the same problem and I reported message to SAP support
SAP's unswer:
"Step 1.
Import the business package that is sent as an attachment alon with this message. It contains the latest iViews.
IMPORTANT ###
This will over right any changes that you have made in the portal. You
will need to back up you changes and import them back into the portal
after you have updated the business package.
IMPORTANT ###
Step 2.
Define a portal system that points to the WAS hosting E-Recruitment
services. This system should have an alias SAP_BSP_EREC. This is a very
important step and this will ensure that the iView can look for the
correct place to open up the BSP application.
Step 3.
In the view V_T7XSSSERRES, update the field "URL for PCD path" for the
following resources. Currently the last string of this field is
com.sap.pct.ess.serv_career_job,
this should be replaced by
com.sap.pct.ess.bsp_career_job:
This change is applicable to all the following services.
EMPLOYEE_CANDIDATE_APPLICATIONS_SERVICE
EMPLOYEE_CANDIDATE_DATA_OVERVIEW
EMPLOYEE_CANDIDATE_DIRECT_APPL_SERVICE
EMPLOYEE_CANDIDATE_FAVORITES_SERVICE
EMPLOYEE_CANDIDATE_PERSONAL_SETTINGS
EMPLOYEE_CANDIDATE_PROFILE_RELEASE
EMPLOYEE_CANDIDATE_PROFILE_SERVICE
EMPLOYEE_CANDIDATE_SEARCH_JOBS_SERVICE
There may be a need to set the right authorizations to run BSP
application on the WAS.
Otherwise we have rectified this and is available in next support pack.
You can wait till next support pack is released.
I made full portal backup - it is very important
Instead of step 1 I imported new patched ESS package (BPERP4ESS01_0-10003146.SCA, note 879075) from 05/10/05 and steps 2,3
It partially helps, but I get new error "An internal error occurred. Please try again later." I think because there are missing functionality steps regarding E-recruiting BSPs
Best regards, Elena -
Authorization questions PFCG...
Hi Guys
A Couple of questions...
We are upgrading from an older version of CRM without WEB UI to 7.0, we have composite roles on all our user, i.e. more than 1 role per user. As I have understood it you only have the possibility to assign on PFCG ROLE ID to a specific Business Role in the WEBGUI.
I know how to set up the business roles etc, these questions are more "how did they intend it to work"...
1. Overall Question, How should we use this PFCG role?
2. I have heard that you can leave it blank, what does this mean, that it the users authorization is as before i.e. as defined with the multiple composite roles stored directly on the user?
3. How does this PFCG Role on the Business Role work together with the PFCG Roles you have on the users directly? What is the meaning of the PFCG ROLE on the business role in relation to the ones on the user?
4. Should we delete the roles on the users and add them directly on the business role, we might have a problem there as many users work as "SALESPRO" but they have different authorizations, some are more senior than others. Would we then have to have several busines roles (SALESPROJR,SALESPROSR etc) as we can only have 1:1 between business role and pfcg role id.
5. What we would like to have basically is 2 or 3 Business roles that sets the layout and basic worksets, the authorization should behave as before per user not per business role.
Any relevant input on these questions will be greatly rewarded.
/JabbaUGLY for some reason there are no line breaks... I will try to fix it so it is readable after lunch....
Thanks, Very Grateful for your comments but I think we have to be abit more specific. I will try to clarify
I understand how the standard roles work together with the standard PFCG ROLE IDs assigned to them. However we already have a structure for our authorization roles that is on user level via su01 and each user has several composite roles. To merge these roles into one PFCG role and assign it to a business role is unrealistic, this will create too many business roles for the user as there can be only a 1:1 relation between a Business role and PFCG ROLE assigned to the business role.
With that said I have been recommended to leave the PFCG ROLE id on the business role blank, this will lead to that the authorization on the user level kicks in.
However this raises some additional questions...
1 The authorizations in our old CRM system could not possibly cover the authorizations in the WEB GUI as we don't have a WEBGUI today so are there any special authorizations we need to setup for the WEBGUI itself. Example: Lets say that in the old CRM system the user had authorization to create a service order. If the user keeps this authorization on su01 do we need to add any additional authorizations on the user or to the business role so he can access the workset and trigger create service order from the WEBGUI?
2 IF we had both a PFCG ROLE ID assigned to the Business Role and Composite roles directly on the user which one will actually be used? Will they both be used? What happens if the authorization on the Business role says "NO" and the authorization on su01 says "YES" Or is it really as it is stated above answer that if we specify a PFCG ROLE ID on the business role this will be used and nothing else?
3 What about our own authorization objects, is there a way to scan these and see if they are valid for CRM 7.0? How should we go about verifying our old authorizations in the new 7.0 system? Is there a report you can run? I guess also that some authorizations are not valid anymore, or how does the authorizations per transaction work. I mean we have in our roles added certain transactions, people will no longer use CRMD_ORDER how does this translate to the webgui?
4 We are using the salesorg structure today and the plan is based on what we know so far to assign business roles to the positions and not to assign a PFCG ROLE id at all to business role. Can anyone see any problems with this?
5 What is UIU_COMP is that a new auth object? What new auth objects are delivered in webgui?
Again thanks for any input on the above. Perhaps more people will be interested if we make this investigation thorough.
BTW I found this post Re: Reg: Business Role but it still leaves some questions unanswered.
Edited by: jabba hut on Nov 10, 2009 1:52 PM -
How to change the portal role presentation based on users BW authorization?
Hello,
I have created 3 BW Roles, each one contains an iView with a certain report.
For simplicity let's name the Roles A,B,C and assume that in order to see the proper report the user needs to be assigned to the matching group (A,B,C) at the BW side.
I have imported these 3 roles to the portal as worksets, created new pcd role, placed these 3 worksets inside the new role and assigned this role to a certain group of users in the portal (these users are ABAP users so they are the same at the BW side as well).
What I would like to do is this: I would like that each user that I have assigned this new role to will see only the worksets that he/she allowed to see based on it's BW authorization. Meaning, if I have been assigned roles A and B at the BW I will see only worksets A and B inside the role.
The problem is this: From the portal I cannot assign the users to the BW groups and from BW I cannot control pcd roles so this kind of change requires me to make two modifications: One for authorization from the BW and one for presentation from the portal. I would like to manage it just from one place, either from the BW or from the portal, I don't care.
How can I achieve this?I think I have found a solution: Export it as a role instead of a workset and do one to one assignments with the BW groups.
-
Runtime Error when Entering Collaboration Room (Authorization)
Hello everybody
I just upgraded NW2004s Portal from SPS05 to 13 and if I try to enter a collaboration room I get now a runtime error. I attache the defaulttrace at the end of this post.
When I access the room with the user "administrator" everything works fine. So it is clearly a authorization issue but I can not find the place to change the settings accordingly.
I guess it is a newbie question - sorry.
But nevertheless: I hope somebody can halp and thanks for that already in advance!
Cheers
Beat
Date : 01/07/2008
Time : 23:35:09:390
Message : 11:35_07/01/08_13630850
[EXCEPTION]
com.sapportals.portal.prt.runtime.PortalRuntimeException: Access is denied: pcd:portal_content/com.sap.ip.collaboration/Rooms/c0a0a078-3391-2a10-bdbd-a108b8ee10cc/workset/com.sap.netweaver.coll.OverviewWrapper/relatedItems/DynamicNavigation/com.sap.netweaver.coll.RoomRelationViewer - user: Schenker Beat at com.sapportals.portal.prt.deployment.DeploymentManager.getPropertyContentProvider(DeploymentManager.java:1932) at com.sapportals.portal.prt.core.broker.PortalComponentContextItem.refresh(PortalComponentContextItem.java:234) at com.sapportals.portal.prt.core.broker.PortalComponentContextItem.getContext(PortalComponentContextItem.java:316) at com.sapportals.portal.prt.component.PortalComponentRequest.getComponentContext(PortalComponentRequest.java:387) at com.sapportals.portal.pb.PageBuilder.createIviewProfile(PageBuilder.java:443) at com.sapportals.portal.pb.PageBuilder.createiView(PageBuilder.java:391) at com.sapportals.portal.pb.PageBuilder.createAndAddiViews(PageBuilder.java:233) at com.sapportals.portal.pb.PageBuilder.doOnNodeReady(PageBuilder.java:636) at com.sapportals.portal.prt.component.AbstractPortalComponent.handleEvent(AbstractPortalComponent.java:388) at com.sapportals.portal.pb.PageBuilder.handleEvent(PageBuilder.java:816) at com.sapportals.portal.prt.component.CachablePortalComponent.handleEvent(CachablePortalComponent.java:703) at com.sapportals.portal.prt.pom.ComponentNode.handleEvent(ComponentNode.java:252) at com.sapportals.portal.prt.pom.PortalNode.fireEventOnNode(PortalNode.java:368) at com.sapportals.portal.prt.pom.AbstractNode.addChildNode(AbstractNode.java:340) at com.sapportals.portal.navigation.DynamicNavigationArea.doOnNodeReady(DynamicNavigationArea.java:113) at com.sapportals.portal.prt.component.AbstractPortalComponent.handleEvent(AbstractPortalComponent.java:388) at com.sapportals.portal.prt.pom.ComponentNode.handleEvent(ComponentNode.java:252) at com.sapportals.portal.prt.pom.PortalNode.fireEventOnNode(PortalNode.java:368) at com.sapportals.portal.prt.pom.AbstractNode.addChildNode(AbstractNode.java:340) at com.sapportals.portal.pb.PageBuilder.createAndAddEmbeddediView(PageBuilder.java:177) at com.sapportals.portal.pb.PageBuilder.createiView(PageBuilder.java:410) at com.sapportals.portal.pb.PageBuilder.createAndAddiViews(PageBuilder.java:233) at com.sapportals.portal.pb.PageBuilder.doOnNodeReady(PageBuilder.java:636) at com.sapportals.portal.prt.component.AbstractPortalComponent.handleEvent(AbstractPortalComponent.java:388) at com.sapportals.portal.pb.PageBuilder.handleEvent(PageBuilder.java:816) at com.sapportals.portal.prt.component.CachablePortalComponent.handleEvent(CachablePortalComponent.java:703) at com.sapportals.portal.prt.pom.ComponentNode.handleEvent(ComponentNode.java:252) at com.sapportals.portal.prt.pom.PortalNode.fireEventOnNode(PortalNode.java:368) at com.sapportals.portal.prt.pom.AbstractNode.addChildNode(AbstractNode.java:340) at com.sapportals.portal.prt.core.PortalRequestManager.runRequestCycle(PortalRequestManager.java:642) at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:240) at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:524) at java.security.AccessController.doPrivileged(Native Method) at com.sapportals.portal.prt.dispatcher.Dispatcher.service(Dispatcher.java:407) at javax.servlet.http.HttpServlet.service(HttpServlet.java:853) at com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet.service(InvokerServlet.java:156) at javax.servlet.http.HttpServlet.service(HttpServlet.java:853) at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401) at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266) at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:387) at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:365) at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:944) at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:266) at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95) at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175) at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33) at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41) at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37) at java.security.AccessController.doPrivileged(Native Method) at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:100) at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:170)Caused by: com.sapportals.portal.pcd.gl.PermissionControlException: Access denied (Object(s): portal_content/com.sap.ip.collaboration/Rooms/c0a0a078-3391-2a10-bdbd-a108b8ee10cc/workset/com.sap.netweaver.coll.OverviewWrapper/relatedItems/DynamicNavigation/com.sap.netweaver.coll.RoomRelationViewer) at com.sapportals.portal.pcd.gl.PcdFilterContext.filterLookup(PcdFilterContext.java:422) at com.sapportals.portal.pcd.gl.PcdProxyContext.basicContextLookup(PcdProxyContext.java:1248) at com.sapportals.portal.pcd.gl.PcdProxyContext.basicContextLookup(PcdProxyContext.java:1254) at com.sapportals.portal.pcd.gl.PcdProxyContext.basicContextLookup(PcdProxyContext.java:1254) at com.sapportals.portal.pcd.gl.PcdProxyContext.basicContextLookup(PcdProxyContext.java:1254) at com.sapportals.portal.pcd.gl.PcdProxyContext.basicContextLookup(PcdProxyContext.java:1254) at com.sapportals.portal.pcd.gl.PcdProxyContext.basicContextLookup(PcdProxyContext.java:1254) at com.sapportals.portal.pcd.gl.PcdProxyContext.basicContextLookup(PcdProxyContext.java:1254) at com.sapportals.portal.pcd.gl.PcdProxyContext.basicContextLookup(PcdProxyContext.java:1254) at com.sapportals.portal.pcd.gl.PcdProxyContext.basicContextLookup(PcdProxyContext.java:1254) at com.sapportals.portal.pcd.gl.PcdProxyContext.proxyLookupLink(PcdProxyContext.java:1353) at com.sapportals.portal.pcd.gl.PcdProxyContext.proxyLookup(PcdProxyContext.java:1300) at com.sapportals.portal.pcd.gl.PcdProxyContext.lookup(PcdProxyContext.java:1067) at com.sapportals.portal.pcd.gl.PcdGlContext.lookup(PcdGlContext.java:68) at com.sapportals.portal.pcd.gl.PcdURLContext.lookup(PcdURLContext.java:238) at javax.naming.InitialContext.lookup(InitialContext.java:347) at com.sapportals.portal.prt.deployment.DeploymentManager.getPropertyContentProvider(DeploymentManager.java:1919) ... 50 more
Severity : Error
Category :
Location : com.sap.portal.prt.runtime
Application : sap.com/irj
Thread : Thread[PRT-Async 1,5,PRT-Async]
Datasource : 13630850:X:\usr\sap\CPP\JC01\j2ee\cluster\server0\log\defaultTrace.trc
Message ID : 005056BD7D2200880000000000001530000443297901D228
Source Name : com.sap.portal.prt.runtime
Argument Objs : com.sapportals.portal.prt.runtime.PortalRuntimeException: Access is denied: pcd:portal_content/com.sap.ip.collaboration/Rooms/c0a0a078-3391-2a10-bdbd-a108b8ee10cc/workset/com.sap.netweaver.coll.OverviewWrapper/relatedItems/DynamicNavigation/com.sap.netweaver.coll.RoomRelationViewer - user: Schenker Beat at com.sapportals.portal.prt.deployment.DeploymentManager.getPropertyContentProvider(DeploymentManager.java:1932) at com.sapportals.portal.prt.core.broker.PortalComponentContextItem.refresh(PortalComponentContextItem.java:234) at com.sapportals.portal.prt.core.broker.PortalComponentContextItem.getContext(PortalComponentContextItem.java:316) at com.sapportals.portal.prt.component.PortalComponentRequest.getComponentContext(PortalComponentRequest.java:387) at com.sapportals.portal.pb.PageBuilder.createIviewProfile(PageBuilder.java:443) at com.sapportals.portal.pb.PageBuilder.createiView(PageBuilder.java:391) at com.sapportals.portal.pb.PageBuilder.createAndAddiViews(PageBuilder.java:233) at com.sapportals.portal.pb.PageBuilder.doOnNodeReady(PageBuilder.java:636) at com.sapportals.portal.prt.component.AbstractPortalComponent.handleEvent(AbstractPortalComponent.java:388) at com.sapportals.portal.pb.PageBuilder.handleEvent(PageBuilder.java:816) at com.sapportals.portal.prt.component.CachablePortalComponent.handleEvent(CachablePortalComponent.java:703) at com.sapportals.portal.prt.pom.ComponentNode.handleEvent(ComponentNode.java:252) at com.sapportals.portal.prt.pom.PortalNode.fireEventOnNode(PortalNode.java:368) at com.sapportals.portal.prt.pom.AbstractNode.addChildNode(AbstractNode.java:340) at com.sapportals.portal.navigation.DynamicNavigationArea.doOnNodeReady(DynamicNavigationArea.java:113) at com.sapportals.portal.prt.component.AbstractPortalComponent.handleEvent(AbstractPortalComponent.java:388) at com.sapportals.portal.prt.pom.ComponentNode.handleEvent(ComponentNode.java:252) at com.sapportals.portal.prt.pom.PortalNode.fireEventOnNode(PortalNode.java:368) at com.sapportals.portal.prt.pom.AbstractNode.addChildNode(AbstractNode.java:340) at com.sapportals.portal.pb.PageBuilder.createAndAddEmbeddediView(PageBuilder.java:177) at com.sapportals.portal.pb.PageBuilder.createiView(PageBuilder.java:410) at com.sapportals.portal.pb.PageBuilder.createAndAddiViews(PageBuilder.java:233) at com.sapportals.portal.pb.PageBuilder.doOnNodeReady(PageBuilder.java:636) at com.sapportals.portal.prt.component.AbstractPortalComponent.handleEvent(AbstractPortalComponent.java:388) at com.sapportals.portal.pb.PageBuilder.handleEvent(PageBuilder.java:816) at com.sapportals.portal.prt.component.CachablePortalComponent.handleEvent(CachablePortalComponent.java:703) at com.sapportals.portal.prt.pom.ComponentNode.handleEvent(ComponentNode.java:252) at com.sapportals.portal.prt.pom.PortalNode.fireEventOnNode(PortalNode.java:368) at com.sapportals.portal.prt.pom.AbstractNode.addChildNode(AbstractNode.java:340) at com.sapportals.portal.prt.core.PortalRequestManager.runRequestCycle(PortalRequestManager.java:642) at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:240) at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:524) at java.security.AccessController.doPrivileged(Native Method) at com.sapportals.portal.prt.dispatcher.Dispatcher.service(Dispatcher.java:407) at javax.servlet.http.HttpServlet.service(HttpServlet.java:853) at com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet.service(InvokerServlet.java:156) at javax.servlet.http.HttpServlet.service(HttpServlet.java:853) at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401) at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266) at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:387) at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:365) at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:944) at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:266) at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95) at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175) at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33) at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41) at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37) at java.security.AccessController.doPrivileged(Native Method) at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:100) at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:170)Caused by: com.sapportals.portal.pcd.gl.PermissionControlException: Access denied (Object(s): portal_content/com.sap.ip.collaboration/Rooms/c0a0a078-3391-2a10-bdbd-a108b8ee10cc/workset/com.sap.netweaver.coll.OverviewWrapper/relatedItems/DynamicNavigation/com.sap.netweaver.coll.RoomRelationViewer) at com.sapportals.portal.pcd.gl.PcdFilterContext.filterLookup(PcdFilterContext.java:422) at com.sapportals.portal.pcd.gl.PcdProxyContext.basicContextLookup(PcdProxyContext.java:1248) at com.sapportals.portal.pcd.gl.PcdProxyContext.basicContextLookup(PcdProxyContext.java:1254) at com.sapportals.portal.pcd.gl.PcdProxyContext.basicContextLookup(PcdProxyContext.java:1254) at com.sapportals.portal.pcd.gl.PcdProxyContext.basicContextLookup(PcdProxyContext.java:1254) at com.sapportals.portal.pcd.gl.PcdProxyContext.basicContextLookup(PcdProxyContext.java:1254) at com.sapportals.portal.pcd.gl.PcdProxyContext.basicContextLookup(PcdProxyContext.java:1254) at com.sapportals.portal.pcd.gl.PcdProxyContext.basicContextLookup(PcdProxyContext.java:1254) at com.sapportals.portal.pcd.gl.PcdProxyContext.basicContextLookup(PcdProxyContext.java:1254) at com.sapportals.portal.pcd.gl.PcdProxyContext.basicContextLookup(PcdProxyContext.java:1254) at com.sapportals.portal.pcd.gl.PcdProxyContext.proxyLookupLink(PcdProxyContext.java:1353) at com.sapportals.portal.pcd.gl.PcdProxyContext.proxyLookup(PcdProxyContext.java:1300) at com.sapportals.portal.pcd.gl.PcdProxyContext.lookup(PcdProxyContext.java:1067) at com.sapportals.portal.pcd.gl.PcdGlContext.lookup(PcdGlContext.java:68) at com.sapportals.portal.pcd.gl.PcdURLContext.lookup(PcdURLContext.java:238) at javax.naming.InitialContext.lookup(InitialContext.java:347) at com.sapportals.portal.prt.deployment.DeploymentManager.getPropertyContentProvider(DeploymentManager.java:1919) ... 50 more,
Arguments : com.sapportals.portal.prt.runtime.PortalRuntimeException: Access is denied: pcd:portal_content/com.sap.ip.collaboration/Rooms/c0a0a078-3391-2a10-bdbd-a108b8ee10cc/workset/com.sap.netweaver.coll.OverviewWrapper/relatedItems/DynamicNavigation/com.sap.netweaver.coll.RoomRelationViewer - user: Schenker Beat at com.sapportals.portal.prt.deployment.DeploymentManager.getPropertyContentProvider(DeploymentManager.java:1932) at com.sapportals.portal.prt.core.broker.PortalComponentContextItem.refresh(PortalComponentContextItem.java:234) at com.sapportals.portal.prt.core.broker.PortalComponentContextItem.getContext(PortalComponentContextItem.java:316) at com.sapportals.portal.prt.component.PortalComponentRequest.getComponentContext(PortalComponentRequest.java:387) at com.sapportals.portal.pb.PageBuilder.createIviewProfile(PageBuilder.java:443) at com.sapportals.portal.pb.PageBuilder.createiView(PageBuilder.java:391) at com.sapportals.portal.pb.PageBuilder.createAndAddiViews(PageBuilder.java:233) at com.sapportals.portal.pb.PageBuilder.doOnNodeReady(PageBuilder.java:636) at com.sapportals.portal.prt.component.AbstractPortalComponent.handleEvent(AbstractPortalComponent.java:388) at com.sapportals.portal.pb.PageBuilder.handleEvent(PageBuilder.java:816) at com.sapportals.portal.prt.component.CachablePortalComponent.handleEvent(CachablePortalComponent.java:703) at com.sapportals.portal.prt.pom.ComponentNode.handleEvent(ComponentNode.java:252) at com.sapportals.portal.prt.pom.PortalNode.fireEventOnNode(PortalNode.java:368) at com.sapportals.portal.prt.pom.AbstractNode.addChildNode(AbstractNode.java:340) at com.sapportals.portal.navigation.DynamicNavigationArea.doOnNodeReady(DynamicNavigationArea.java:113) at com.sapportals.portal.prt.component.AbstractPortalComponent.handleEvent(AbstractPortalComponent.java:388) at com.sapportals.portal.prt.pom.ComponentNode.handleEvent(ComponentNode.java:252) at com.sapportals.portal.prt.pom.PortalNode.fireEventOnNode(PortalNode.java:368) at com.sapportals.portal.prt.pom.AbstractNode.addChildNode(AbstractNode.java:340) at com.sapportals.portal.pb.PageBuilder.createAndAddEmbeddediView(PageBuilder.java:177) at com.sapportals.portal.pb.PageBuilder.createiView(PageBuilder.java:410) at com.sapportals.portal.pb.PageBuilder.createAndAddiViews(PageBuilder.java:233) at com.sapportals.portal.pb.PageBuilder.doOnNodeReady(PageBuilder.java:636) at com.sapportals.portal.prt.component.AbstractPortalComponent.handleEvent(AbstractPortalComponent.java:388) at com.sapportals.portal.pb.PageBuilder.handleEvent(PageBuilder.java:816) at com.sapportals.portal.prt.component.CachablePortalComponent.handleEvent(CachablePortalComponent.java:703) at com.sapportals.portal.prt.pom.ComponentNode.handleEvent(ComponentNode.java:252) at com.sapportals.portal.prt.pom.PortalNode.fireEventOnNode(PortalNode.java:368) at com.sapportals.portal.prt.pom.AbstractNode.addChildNode(AbstractNode.java:340) at com.sapportals.portal.prt.core.PortalRequestManager.runRequestCycle(PortalRequestManager.java:642) at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:240) at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:524) at java.security.AccessController.doPrivileged(Native Method) at com.sapportals.portal.prt.dispatcher.Dispatcher.service(Dispatcher.java:407) at javax.servlet.http.HttpServlet.service(HttpServlet.java:853) at com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet.service(InvokerServlet.java:156) at javax.servlet.http.HttpServlet.service(HttpServlet.java:853) at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401) at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266) at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:387) at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:365) at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:944) at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:266) at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95) at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175) at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33) at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41) at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37) at java.security.AccessController.doPrivileged(Native Method) at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:100) at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:170)Caused by: com.sapportals.portal.pcd.gl.PermissionControlException: Access denied (Object(s): portal_content/com.sap.ip.collaboration/Rooms/c0a0a078-3391-2a10-bdbd-a108b8ee10cc/workset/com.sap.netweaver.coll.OverviewWrapper/relatedItems/DynamicNavigation/com.sap.netweaver.coll.RoomRelationViewer) at com.sapportals.portal.pcd.gl.PcdFilterContext.filterLookup(PcdFilterContext.java:422) at com.sapportals.portal.pcd.gl.PcdProxyContext.basicContextLookup(PcdProxyContext.java:1248) at com.sapportals.portal.pcd.gl.PcdProxyContext.basicContextLookup(PcdProxyContext.java:1254) at com.sapportals.portal.pcd.gl.PcdProxyContext.basicContextLookup(PcdProxyContext.java:1254) at com.sapportals.portal.pcd.gl.PcdProxyContext.basicContextLookup(PcdProxyContext.java:1254) at com.sapportals.portal.pcd.gl.PcdProxyContext.basicContextLookup(PcdProxyContext.java:1254) at com.sapportals.portal.pcd.gl.PcdProxyContext.basicContextLookup(PcdProxyContext.java:1254) at com.sapportals.portal.pcd.gl.PcdProxyContext.basicContextLookup(PcdProxyContext.java:1254) at com.sapportals.portal.pcd.gl.PcdProxyContext.basicContextLookup(PcdProxyContext.java:1254) at com.sapportals.portal.pcd.gl.PcdProxyContext.basicContextLookup(PcdProxyContext.java:1254) at com.sapportals.portal.pcd.gl.PcdProxyContext.proxyLookupLink(PcdProxyContext.java:1353) at com.sapportals.portal.pcd.gl.PcdProxyContext.proxyLookup(PcdProxyContext.java:1300) at com.sapportals.portal.pcd.gl.PcdProxyContext.lookup(PcdProxyContext.java:1067) at com.sapportals.portal.pcd.gl.PcdGlContext.lookup(PcdGlContext.java:68) at com.sapportals.portal.pcd.gl.PcdURLContext.lookup(PcdURLContext.java:238) at javax.naming.InitialContext.lookup(InitialContext.java:347) at com.sapportals.portal.prt.deployment.DeploymentManager.getPropertyContentProvider(DeploymentManager.java:1919) ... 50 more,
Dsr Component : panda.cirrus.ch_CPP_13630850
Dsr Transaction : 9b5fb5c0bd7011dc86de005056bd7d22
Dsr User : bea_sch
Indent : 0
Level : 0
Message Code :
Message Type : 1
Relatives :
Resource Bundlename :
Session : 140
Source : com.sap.portal.prt.runtime
ThreadObject : Thread[PRT-Async 1,5,PRT-Async]
Transaction :
User : bea_schHi everybody
Really was a newbie question then. Thanks very much.
Just in another newbie reads this thread and scratches his head. There is also a document with the standartpermissions for the portal from SAP:
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/00bfbf7c-7aa1-2910-6b9e-94f4b1d320e1
Cheers
Beat -
Personal ID : You have no authorization to display.
Hi,
we have EP 7.0 and have deployed ESS/ MSS 1.0 buisness package.
When i go to Personal IDs in Personal information workset of ESS. It gives me following error :-
You have no authorization to display
com.sap.pcuigp.xssfpm.java.FPMRuntimeException: You have no authorization to display
at com.sap.pcuigp.xssfpm.java.MessageManager.raiseException(MessageManager.java:112)
at com.sap.pcuigp.xssfpm.java.MessageManager.raiseException(MessageManager.java:122)
at com.sap.xss.per.helpers.MessageHelper.raiseException(MessageHelper.java:43)
at com.sap.xss.hr.per.in.pid.fc.FcPerPidIN.readRecord(FcPerPidIN.java:269)
at com.sap.xss.hr.per.in.pid.fc.wdp.InternalFcPerPidIN.readRecord(InternalFcPerPidIN.java:535)
at com.sap.xss.hr.per.in.pid.fc.FcPerPidINInterface.readRecord(FcPerPidINInterface.java:146
For some of the employee it is working, but for some its not working.. i tried giving them Administrator role still it shows same error.
I dont know what authorization i am missing..Hi Supraja,
Thanks for replying...the link you provided talk about NWDI and CMS.....i am not importing my package into NWDI..
I get following error when an employee is trying to view his personal id from ESS role in portal..
i mean..when a user clicks on Personal ID link in portal..it gives me :-
You have no authorization to display.
Thanks and regards,
Jigar Oza -
Regarding user administration authorization
Hi ALL,
i needs to give only display authorizations to the user in portal
From the content administration>>Portal content i am able to restrict at some level for system administration and content administration
but from content administration i am not able to restrict authorization for
user administration
user needs authorization for user administration
so any one please guide me how can i give display access to users
Thanks and Regards,
KishoreHi Kishore,
Iam not very clear with your question but as per my understanding u want for eg in system administration only portal display to be viewed by user??and similarly in case of user administration and so on.
In case of that you can
Browse to Conten admin>Portal Content>content provided by sap>Admin Content>System Administration(User administration acc..)copy the syst admin role and paste it in some othe folder.Open its object and remove all other worksets not required leaving portal display.Now assign this role to particular user.....Hope it helps
Regards
Radhika Kuthiala
P.S Do award points if it helps... -
Open and close posting period authorization control TCODE: S_ALR_87003642
HI All,
Is there any chance to control the user to open and close another company code posting period variant in TCODE: S_ALR_87003642.
In our system we are using the same client for different countries. So user can able to change the other country company code posting periods.
We would like to control either on the country (or) organizational unit(company code) (or) posting period variant so that user can only open/close their country / company code posting periods.
Our present authorization role for open and close posting period contain the auth.Obj. : S_TABU_DIS.
Please share your knowledge if you come across this problem..
Thanks in advance..Hey Sandhya,
Congratz, this can be done using linbe item authorization with the object S_TABU_LIN.
Field ORG_CRIT - Value 02
Field ORG_FIeld1 - Value ZT001B
We have successfully done it in our client.
You need to contact your BASIS consultant for this.
Thanks,
Nitish -
Analysis Authorization in BO 4.0 Webi report
Hi All,
I am using BO 4.0 and creating connection from Information Design tool to a BW query using BICS client. This connection is then published to CMC.
We are using SAP authentication and importing the roles from BW system. We have added profiles to this role and these profiles have Analysis Authorization set on Company Code. So one user can access data to one company code and vice versa. Now this works well in Bex Analyzer, but if I try to create a report in Webi, the analysis authorization fails. I went through the forum before posting this question and I found that is in 3.1 version and in most cases using SSO in universe connection solved the problem.
However in 4.0 I am using BICS client and followed the same processes to create a connection but for some reason it doesn't work ? Is this suppose to work differently in 4.0 ?
I have tried:
1. To create connection in Information Design tool using SSO, selecting user ID and password. It doesn't work.
2. Checked the Bex query and it already has Company code as a Characteristic restrictions (I have made it a mandatory variable).
3. Publish the connection to CMC with my Enterprise and SAP ID and in both cases it doesn't work.
Please let me know if anyone encountered a similar issue and what is the best method to resolve this.
(BO 4.0 no service pack or fix pack installed on the system yet)
Thanks - Appreciate your help !
Prasad RasamIngo,
1. To create connection in Information Design tool using SSO, selecting user ID and password. It doesn't work.
>> Correct you need to setup you OLAP Connection with SSO.
>>> What I meant was I created the connections using both the methods, Using SSO it allows me to create a connection. The ID which I am using to create a connection has Admin access to BOBJ system. When I login as a regular user to create a Webi report and select this new connection, it throws an error message 'The DSL Service returned an error: com.businessobjects.dsl.services.workspace.impl.QueryViewAnalyzer$CannotGetCubeFromConnectionException: Cannot get the cube from the connection'
Using the other method to create a connection with User ID and password, I can create a connection and with the normal user login I can connect to the BW query but Analysis Authorization doesn't work.
Ingo : Could you be more specific what you mean here with the different users ? When you say "regular" user are you referring to an SAP credentials or SAP BusinessObjects Enteprrise credentials ?
2. Checked the Bex query and it already has Company code as a Characteristic restrictions (I have made it a mandatory variable).
>> The variable in the BEx query needs to be an authorization variable.
>>> This has already been set as Authorization variable. There is still a question here. If I select the variable as Authorization variable, I cannot set the other parameters in the query properties such as Mandatory variable (as this is greyed out).
Ingo : What other parameters would you like to configure ? Could you perhaps describe the scenario with more details ?
regards
Ingo Hilgefort -
Analysis Authorization Issue 7.3
Hello Friends,
System BW 7.3, Currently there are 80 odd analysis authorization objects
We want to introduce a new info object (GL Account) to be authorization relevant, ( there are few objects in the system which are already authorization relevant in the system with proper analysis authorization objects and they are working fine)
Things done, made the GL Account object authorization relevant in RSA1, Created 2 analysis authorization objects with GL Account and TCT objects and one with hierarchy restrictions and one open access.
Added this object to the user in addition to its already existing authorization objects. Created authorization variable in BEx.
Some how the authorization is not picked up and it gives us all the values in the report. But if I add the GL Account info object to the existing analysis authorization objects then it works fine.
I do not want to change all the existing analysis authorization objects to add GL Account.
Your inputs are most welcome.
Thanks
Ed.Gajesh- I have added the new analysis authorization object to the user in RSECadmin.
Subhendu- Problem statement: What are the steps involved in making a new info object(GL Account) authorization relevant. Authorizations are given at hierarchy level. Can we create a new analysis authorization with GL Account only or do we have to add it to every existing analysis authorization
I have done the following steps
1. Made the GL Account object authorization relevant in RSA1,
2. Created 2 new analysis authorization objects with GL Account ( with hierarchy restrictions) and TCT objects and one with GL Account open access.
3. Added this object ( which has restrictions) to the user in RSECADMIN, in addition to its already existing authorization objects.
4. Created authorization variable in BEx.
5. No existing analysis authorization objects have been changed.
When I test the report, It does not restrict based on the hierarchy that I have given, it gives open access.
But If I add GL Account with restrictions to the existing analysis authorization object, it works good.
Guess I am missing some thing here.
Do you need any other screen shots.
Thanks
Ed. -
Hi:
I created an analysis authorization ZCO_CODE to trstrict it by a company code.
I added following objects in authorization with values.
0COMP_CODE = 1000
0TCAACTVT = 03
0TCAIFAREA = *
0TCAIPROV = *
0TCAVALID = *
Then I created a role Z:00:BW_REPORT, where I added following authorization objects S_RS_AUTH and restricted it by value ZCO_CODE. Then I assigned this role to a user test01.
When I execute a program RSEC_MIGRATION for this specific user, I do not see authorization object ZCO_CODE on 2nd step of this program. Any Idea Why? I think this object should show up as I want to migrate this specific object.
Help will be appreciated.Hi Sachin:
Okay here is my issue.
I have a Reporting authorization Object created earlier which is ZCOCODE. I though I'll have to create a new Analysis authorization object e.g. ZCO_CODE and then restrict it with other chars. as mentioned in Marc Bernards presentation and then you have to migrate it.
In selection list I can see old Reporting authorization object. If I select it and use option "Enhance existing profile" then It will update profile and not role? right....
How can I see whether it has updated existing profile?????
Do I need to create new Analysis Auth. for Company code or I can use old Reporting authorization for company code?
For testing purpose, I created a test user and assigned all reporting roles but It will not show up in RSEC_MIGRATION step??? -
BW Analysis authorization issue on cost center range
Hello BIW security experts
I have a problem where I created an analysis authorization on a cost center range and it looks like the interval is not working. The report is just a list of cost centers (demo to users to prove that analysis authorizations work in order to skip 2 managerial cost centers.
. Cost centers are numeric. Example: 2000100. In the drop down list they appear as such.
. I want to have the following cost center range: 1000000 to 1000771, 1000773 to 2000771, 2000773 to 9999999.
Thereofore 1000772 and 2000772 should not appear in the list.
. In the analysis authorization I have put the 3 ranges above on 3 separate lines. 'BT' is the operator. The cost centers have been selected from the drop down list.
Results: I get only 1 record from the report.... 2000772. (which is one I want to exclude..
Steps tried to debug:
. When I put a list of cost centers in the analysis authorization on separate line with the 'EQ' operator, then the report works.
. I tried putting ' ' delimiters since cost center is a char field but it fails.
. I tried adding leading and trailing zeros to fill up the char(10) but no luck.
. I tried creating a hierarchy with the interval and put it in the hierachy auth. tab and it does not work either. It gives the same number of records than the first step.
. A hierarchy with single values work.
I do not know what else to try..
Thanks.
YB.Good morning
Here it is from RSECVAL
ZCC_TEST 0COSTCENTER I BT 1000000 1000771
ZCC_TEST 0COSTCENTER I BT 1000773 2000771
ZCC_TEST 0COSTCENTER I BT 2000773 9999999
ZCC_TEST 0COSTCENTER I EQ #
ZCC_TEST 0COSTCENTER I EQ :
ZCC_TEST 0INFOPROV I CP *
ZCC_TEST 0TCAACTVT I EQ 03
ZCC_TEST 0TCAIPROV I CP *
ZCC_TEST 0TCAKYFNM I CP *
Thank you for your help. -
BW Analysis authorization issue... need help urgently....
We have one BW query which is pulling data from Contract Division info-object. Now this report does not variable selection object so it is pulling data from all values of Contract Division. Values of Contract Division are CNC, CNS, CNE and CNL.
Now we have created an analysis auth. object called z_es_3 and added Contract division info-object. Now we have added that z_es_3 into role and given value to CNS. now when we are running report, we are getting No Authorization error. When we are giving * value in z_es_3, it is running fine.
Now we have to restrict report to contract division. please help.
Thanks in advanceAre you running unrestricted search on Contract division in your queries? You should restrict it to value which is maintained in the authorization for the InfoObject.
Also please run the analysis authorization trace from RSECADMIN. That will give you a clearer picture of what is wrong. -
BW Analysis authorizations issue in BO Webi Report
Dear All,
I have one webi report which is on BEx Query-universe.
Query has 6 authorization variables with ready for input(optional).
User has authorizations for all 6 fields.
But when we execute the webi report it is throwing error message like" query do not retrive data"
One of the 6 authorization fields has only few values , when we give " * " to this field the user can able to execute the report.
Could anybody tell me what is need be done here
regards
mhreddyHi!
Probabily the combination of authoriztions funcions are executing considering "and".
See your configuration to considerer "or".
Test one by one.
bye
Maybe you are looking for
-
Crystal Report not Adopting all possible Dropdown Values from BEx Variable
Hi all, I am having an issue in a Crystal report where the drop down parameter that is sourced from a BEx query variable does not include all the possible values in the cube (or in master data). After learning my lesson the first time of not changing
-
Hi, I am facing the following issue when trying to retrieve the data from a view.If i specify literals inside the in clause (example id's inside in clause) it's working fine,but when i try to use the subquery inside in clause to retrieve the id's fro
-
How to put video files on external drive for Final Cut Pro?
Sorry for the stupid post, but I'm on day one of trying out final cut pro. (Tired of the very limiting imovie) I have a Sony HD video camera and a Go Pro HD camera. I want to store all my video on my 1TB external drive and edit from it. How do I set
-
If I have two emails for my iMessage how can I see or receive my msj or the email that is not the primary email
-
Synchronizing does not generate a preview window
When I synchronize a site, the preview window no longer appears. I don't think any changes were made to site settings, etc... This is just something that suddenly started happening a few days ago. No changes were made to the system except the additio