Authorization restirction at VL01N

Similar Messages

• Authorization Object required to run VL01N

  Dear All,
  Recently we were asked to assign VL01n T-code to a user. We have created a role and added the t-code and assigned to the user.By default there is only one auth. object comes with the tcode ie:(V_LIKP_VST)  at the time when we have assigned the t-code to the user.
  The user come back saying  authobject missing with su53 screenshot showing the requirement of the auth. object (M_MSEG_BWA) . We added this auth. object to the role but user is still facing auth issue (auth object missing).
  Now how we can understand what are the necessary authorisation object required for the t-code VL01N to run and  support the std.scenarios. We have checked through  su24 and found the auth. object required, but as a basis person i feel that adding all the auth object through su24 is not the correct option and its a tedious job to do also . Is there anyother workaround for this or how we can do this.
  Thanks
  Tom

  Hi,
  Thanks lot  for the reply.
  I have few things to clear,
  1. In su24 of VL01N I can see around 43 authorisation object .
  a). Is it required to add all the 43 auth. object to my role inorder to work all the scenario of the VL01N tcode ? or not or any other way out?
  b).
  Status          Object                     Object description                                   Checkind     proposal
  Maintained        M_MSEG_BWA       Goods Movements: Movement Type     Check       NO
  Here I would like to understand  what is the proposal means? As I can see only one thing below with the proposal yes for obj V_LIKP_VST
  Maintained      V_LIKP_VST     Delivery: Authorization for Shipping Points     Check     YS
  By default when we add tcode vl01n only this object V_LIKP_VST alone is present in the role.
  Thanks
  -Tom

• Authorization to restrict G/L Account

  Dear All
  I am looking to restirct postings to GL account based on the user in T Code F-02. Can any one highlight which authorization objects can i use to restrict user for posting to GLs and Cost Elements
  Your valuable input is required in this aspect.

  HI,
  On the GL master in FS00 there is authorisation group field in the control data tab, you can use this. It is a free text and the user will need this assigned to him in his role.

• Authorization for UB document type in PO create

  Hi All,
  We wanted to restirct some user from creating PO other than UB. We want them to give authorization only for UB document type in ME21N. What is teh best way to make it work?
  Thanks for your support.
  KHAN

  Hi Khan,
  If you want to restrict the User for creating PO other than UB document type. You need to discuss with Basis consultant.
  For that particular user you need to restrict the activites like Create, Change , display for  the authorization object "M_BEST_BSA" which is assigned for Document type for Purchase order.
  Based on your requirement inform the basis consultant to remove the  all other document type or * symbol  and assign only UB document type to that user. So he/she will be restricted to that document type only when ever he creates any PO.
  rgds
  Chidanand

• Authorization object for 351 movement type

  Dear expert
  Please guide me
  How to restrict 351 movement type for created STO for self plant in self plant?
  for eg : there are 2 plant 1001, 2001.
  STO CREATED IN 1001 PLANT
  IN THIS  suppling plant : 2001 & Recieving plant : 1001
  Now, suppling plant has to do 351 movement type & Recieving plant has to do 101 movement type.
  Now my doubt is receving plant should not do 351 movement type.
  but it shows that my 1001 plant (receving plant) doing 351 MOVEMENT TYP.
  Logically it should not do this.
  So , How to restrict 351 movement type for created STO for self plant in self plant?
  Regards
  SANTOSH KADAM.

  M_MSEG_BMB
  M_MSEG_BWA
  M_MSEG_BWE
  M_MSEG_BWF
  M_MSEG_LGO
  M_MSEG_WMB
  M_MSEG_WWA
  M_MSEG_WWE
  M_MSEG_WWF
  if your 1001 plant never needs a 351 movement, then dont assign the 351 together with 1001 in these objects for roles that are used in 1001 plant.
  But if 1001 needs to perform as well a 351 to any other plant, then you cannot use authorization to restirct it.

• Planning changes to Authorizations for migration to V7

  Hello Experts,
  I researched the new authorization concept but I have 2 basic questions:
  1) Do Bex reports need to have authorization variables defined on Authorization Relevant Infoobjects to force a selection within the set of authorized rows. From the PPTs I downloaded from SDN, it seems that this is no longer necessary and that the security engine will prevent the display of non authorized rows?
  2) We intend to ugrade to v7 but continue to deploy V3.5 Infocubes under V7. Assuming we do not change the default and work with the new authorization concept, will the old, non upgraded  infocubes be subject to the old concept authorization objects or will the new authorization concept apply to these cubes?

  David,
     The answer to your first question is : If you need to restrict the value for the relevant Infoobject then you need to create a Authorization variable in the BEX Queries . If you have defined your Info object as Authorization relevant and if that object is a part of the query ( Not used to restirct by any values), then in your analysis authorization object you have to have that Infoobject with "*" otherwise it will give authorization error. 
  When you upgrade to 3.5 to BI 7 and still used the old transfer rules, update rules and old authorization functionality will still work. But it is recommended that you migrate it BI 7.
  Hope it helps,
  Cheers,
  Balaji

• VL01N creation

  Dear all,
  I am trying to create delivery through VL01N,the system says Not authorised to perform this action and SU53 dump says All authorisation checks successful.
  From another id Delivery creation for the same order is possible.
  I have maintained same roles and parameters for both the user-ids,but still the same error persists.
  Can anyone guide me in solving this issue.
  Regards
  XYZ

  Hi,
  Perhaps the id does not have the authorization for the shipping point. The object is V_LIKP_VST.
  All the best,
  Nikhil

• Post goods issue - restriction on plant -  VL01N tCode

  Hi All!
  I have an authorization/restriction problem  as regards posting goods in VL01N and VL02N.
  I have more users (U1, U2...) and each user has the authorization to post goods just for one plant (U1-P1, U2-P2......) . The user U1 can create delivery for P1, P2 but he must post goods only for P1.
  I created 2 type of roles: one role for all users with no restriction on plant but with restriction on movement type (no authorization for 601) and the other type role has the authorization for movement type 601 and the plant (Role1 for 601 and P1 assigned to U1, Role2 for 601 and P2 assigned to U2). And is working if the user wants to post goods from VL02N. But if the user posts goods from VL01N (before saving the delivery)......U1 can post goods for P2...
  I don't know if I made clear which one is my need. If I succeed, please let me know if there is one solution. Maybe there is a way to disable the button Post goods issue for tcode VL01N.
  Thanks in advance.
  Best regards,
  Florina Cheta

  Florina,
  tried what you explained.
  I created a role with just VL01N transaction and system asks for shipping point and assigns actions 01 and 06.
  Later I added transaction VL02N and system doesnt add any new authorization but just adds activity 02.
  Now, I do not understand what activity type you are refering by 601.
  Otherwise, its very simple to restrict access as yiou mentioned. Its perfect.

• Open and close posting period authorization control TCODE: S_ALR_87003642

  HI All,
  Is there any chance to control the user to open and close another company code posting period variant in TCODE: S_ALR_87003642.
  In our system we are using the same client for different countries. So user can able to change the other country company code posting periods.
  We would like to control either on the country (or) organizational unit(company code) (or) posting period variant so that user can only open/close  their country / company code posting periods.
  Our present authorization role for open and close posting period contain the auth.Obj. : S_TABU_DIS.
  Please share your knowledge if you come across this problem..
  Thanks in advance..

  Hey Sandhya,
  Congratz, this can be done using linbe item authorization with the object S_TABU_LIN.
  Field ORG_CRIT - Value 02
  Field ORG_FIeld1 - Value ZT001B
  We have successfully done it in our client.
  You need to contact your BASIS consultant for this.
  Thanks,
  Nitish

• Analysis Authorization in BO 4.0 Webi report

  Hi All,
  I am using BO 4.0 and creating connection from Information Design tool to a BW query using BICS client. This connection is then published to CMC.
  We are using SAP authentication and importing the roles from BW system. We have added profiles to this role and these profiles have Analysis Authorization set on Company Code. So one user can access data to one company code and vice versa. Now this works well in Bex Analyzer, but if I try to create a report in Webi, the analysis authorization fails. I went through the forum before posting this question and I found that is in 3.1 version and in most cases using SSO in universe connection solved the problem.
  However in 4.0 I am using BICS client and followed the same processes to create a connection but for some reason it doesn't work ? Is this suppose to work differently in 4.0 ?
  I have tried:
  1. To create connection in Information Design tool using SSO, selecting user ID and password. It doesn't work.
  2. Checked the Bex query and it already has Company code as a Characteristic restrictions (I have made it a mandatory variable).
  3. Publish the connection to CMC with my Enterprise and SAP ID and in both cases it doesn't work.
  Please let me know if anyone encountered a similar issue and what is the best method to resolve this.
  (BO 4.0 no service pack or fix pack installed on the system yet)
  Thanks - Appreciate your help !
  Prasad Rasam

  Ingo,
  1. To create connection in Information Design tool using SSO, selecting user ID and password. It doesn't work.
  >> Correct you need to setup you OLAP Connection with SSO.
  >>> What I meant was I created the connections using both the methods, Using SSO it allows me to create a connection. The ID which I am using to create a connection has Admin access to BOBJ system. When I login as a regular user to create a Webi report and select this new connection, it throws an error message 'The DSL Service returned an error: com.businessobjects.dsl.services.workspace.impl.QueryViewAnalyzer$CannotGetCubeFromConnectionException: Cannot get the cube from the connection'
  Using the other method to create a connection with User ID and password, I can create a connection and with the normal user login I can connect to the BW query but Analysis Authorization doesn't work.
  Ingo : Could you be more specific what you mean here with the different users ? When you say "regular" user are you referring to an SAP credentials or SAP BusinessObjects Enteprrise credentials ?
  2. Checked the Bex query and it already has Company code as a Characteristic restrictions (I have made it a mandatory variable).
  >> The variable in the BEx query needs to be an authorization variable.
  >>> This has already been set as Authorization variable. There is still a question here. If I select the variable as Authorization variable, I cannot set the other parameters in the query properties such as Mandatory variable (as this is greyed out).
  Ingo : What other parameters would you like to configure ? Could you perhaps describe the scenario with more details ?
  regards
  Ingo Hilgefort

• Analysis Authorization Issue 7.3

  Hello Friends,
  System BW 7.3, Currently there are 80 odd analysis authorization objects
  We want to introduce a new info object (GL Account) to be authorization relevant, ( there are few objects in the system which are already authorization relevant in the system with proper analysis authorization objects and they are working fine)
  Things done, made the GL Account object authorization relevant in RSA1, Created 2 analysis authorization objects with GL Account and TCT objects and one with hierarchy restrictions and one open access.
  Added this object to the user in addition to its already existing authorization objects. Created authorization variable in BEx.
  Some how the authorization is not picked up and it gives us all the values in the report. But if I add the GL Account info object to the existing analysis authorization objects then it works fine.
  I do not want to change all the existing analysis authorization objects to add GL Account.
  Your inputs are most welcome.
  Thanks
  Ed.

  Gajesh- I have added the new analysis authorization object to the user in RSECadmin.
  Subhendu- Problem statement: What are the steps involved in making a new info object(GL Account) authorization relevant. Authorizations are given at hierarchy level. Can we create a new analysis authorization with  GL Account only or do we have to add it to every existing analysis authorization
  I have done the following steps
  1. Made the GL Account object authorization relevant in RSA1,
  2. Created 2 new analysis authorization objects with GL Account ( with hierarchy restrictions) and TCT objects and one with GL Account open access.
  3. Added this object ( which has restrictions) to the user in RSECADMIN, in addition to its already existing authorization objects.
  4. Created authorization variable in BEx.
  5. No existing analysis authorization objects have been changed.
  When I test the report, It does not restrict based on the hierarchy that I have given, it gives open access.
  But If I add GL Account with restrictions to the existing analysis authorization object, it works good.
  Guess I am missing some thing here.
  Do you need any other screen shots.
  Thanks
  Ed.

• Analysis Authorization Issue

  Hi:
  I created an analysis authorization ZCO_CODE to trstrict it by a company code.
  I added following objects in authorization with values.
  0COMP_CODE = 1000
  0TCAACTVT = 03
  0TCAIFAREA = *
  0TCAIPROV = *
  0TCAVALID = *
  Then I created a role Z:00:BW_REPORT, where I added following authorization objects S_RS_AUTH and restricted it by value ZCO_CODE. Then I assigned this role to a user test01.
  When I execute a program RSEC_MIGRATION for this specific user, I do not see authorization object ZCO_CODE on 2nd step of this program. Any Idea Why? I think this object should show up as I want to migrate this specific object.
  Help will be appreciated.

  Hi Sachin:
  Okay here is my issue.
  I have a Reporting authorization Object created earlier which is ZCOCODE. I though I'll have to create a new Analysis authorization object e.g. ZCO_CODE and then restrict it with other chars. as mentioned in Marc Bernards presentation and then you have to migrate it.
  In selection list I can see old Reporting authorization object. If I select it and use option "Enhance existing profile" then It will update profile and not role? right....
  How can I see whether it has updated existing profile?????
  Do I need to create new Analysis Auth. for Company code or I can use old Reporting authorization for company code?
  For testing purpose, I created a test user and assigned all reporting roles but It will not show up in RSEC_MIGRATION step???

• BW Analysis authorization issue on cost center range

  Hello BIW security experts
  I have a problem where I created an analysis authorization on a cost center range and it looks like the interval is not working. The report is just a list of cost centers (demo to users to prove that analysis authorizations work in order to skip 2 managerial cost centers.
  . Cost centers are numeric. Example:  2000100. In the drop down list they appear as such.
  . I want to have the following cost center range: 1000000 to 1000771, 1000773 to 2000771, 2000773 to 9999999.
  Thereofore 1000772  and 2000772 should not appear in the list.
  . In the analysis authorization I have put the 3 ranges above on 3 separate lines. 'BT' is the operator. The cost centers have been selected from the drop down list.
  Results:  I get only 1 record from the report....  2000772. (which is one I want to exclude..
  Steps tried to debug:
  . When I put a list of cost centers in the analysis authorization on separate line with the 'EQ' operator, then the report works.
  . I tried putting ' ' delimiters since cost center is a char field but it fails.
  . I tried adding leading and trailing zeros to fill up the char(10) but no luck.
  . I tried creating a hierarchy with the interval and put it in the hierachy auth. tab and it does not work either. It gives the same number of records than the first step.
  . A hierarchy with single values work.
  I do not know what else to try..
  Thanks.
  YB.

  Good morning
  Here it is from RSECVAL
  ZCC_TEST     0COSTCENTER                    I       BT        1000000                                                      1000771
  ZCC_TEST     0COSTCENTER                    I       BT        1000773                                                      2000771
  ZCC_TEST     0COSTCENTER                    I       BT        2000773                                                      9999999
  ZCC_TEST     0COSTCENTER                    I       EQ        #
  ZCC_TEST     0COSTCENTER                    I       EQ        :
  ZCC_TEST     0INFOPROV                         I       CP        *
  ZCC_TEST     0TCAACTVT                        I       EQ        03
  ZCC_TEST     0TCAIPROV                         I       CP        *
  ZCC_TEST     0TCAKYFNM                       I       CP        *
  Thank you for your help.

• BW Analysis authorization issue... need help urgently....

  We have one BW query which is pulling data from Contract Division info-object. Now this report does not variable selection object so it is pulling data from all values of Contract Division. Values of  Contract Division are CNC, CNS, CNE and CNL.
  Now we have created an analysis auth. object called z_es_3 and added Contract division info-object. Now we have added that z_es_3 into role and given value to CNS. now when we are running report, we are getting No Authorization error. When we are giving * value in z_es_3, it is running fine.
  Now we have to restrict report to contract division. please help.
  Thanks in advance

  Are you running unrestricted search on Contract division in your queries? You should restrict it to value which is maintained in the authorization for the InfoObject.
  Also please run the analysis authorization trace from RSECADMIN. That will give you a clearer picture of what is wrong.

• BW Analysis authorizations issue in BO Webi Report

  Dear All,
  I have one webi report which is on BEx Query-universe.
  Query has 6 authorization variables with ready for input(optional).
  User has authorizations for all 6 fields.
  But when we execute the webi report it is throwing error message  like" query do not retrive data"
  One of the  6 authorization fields has only few values , when we give " * " to this field the user can able to execute the report.
  Could  anybody tell me what is need be done here
  regards
  mhreddy

  Hi!
  Probabily the combination of authoriztions funcions are executing considering "and".
  See your configuration to considerer "or".
  Test one by one.
  bye