Authorization restriction for executing the ABAP queries

Similar Messages

• FCH7 Authorization Restriction for voiding the checks

  Hi Sap Guru,
  There is a requirement in FCH7 where we need to provide to User A - just to put the void reason and save and to User B- just to reprint the checks.
  Please let me know if any user exist for the same.
  Thanks,
  M

  It is not possibel to provide authorization at this level.

• No ICF authorization CHECK for executing /sap/bc/bsp/sap/hap_document

  In EP we are trying to access bsp
  and we are getting error ,User T000209 (client 350) has no ICF authorization CHECK for executing /sap/bc/bsp/sap/hap_document
  How to give authorization please help
  venkateswararao

  First Check is the ICF service is active using the SICF transaction.
  Then Check for the authorization objects SAP_HR_HAP_EMPLOYEE
  and SAP_HR_HAP_MANAGER.
  Add the above roles to your user , it should work

• Authorizations: restrictions for InfoObjects and InfoProvider

  Hi Gurus,
  I am trying to define authorizations via RSECADMIN in 7.0 for a specific InfoObject and specific InfoProviders. The situation is: I want user USER1 to see only Company 4360 on Cube 'XXXXX', but he must be able to see all the Companies in all the other Cubes.
  I have used in RSECADMIN the icon "InfoCube Authorizations" to introduce the single Cube and corresponding single values for my Company, but it seems that the system use this restriction for all the Cubes.
  Please help me.
  Ciao.
  Riccardo.

  Problem solved.

• Need a Syatem variable for Executing the report by RFC.

  Hi Experts,
  Need a Syatem variable for Executing the report by RFC.
  what i mean to say is,i can execure the report directly ...then no issues.
  But if i execute the Report by RFC ,then i should put a condition with system variable...
  Please suggest me ,how can put a condition when i am executing the report through RFC.
  Thanks
  Babu

  Hello Friend,
  what I understood that you want to put some extra condition if that report is getting called from RFC...
  you can use the system variable SY-CPROG....it will hold the value of the report when it is geeting executing directly...
  but when it is getting executed therough RFC...it will hold that RFC name...
  Thanks
  Krish

• Authorizations setting for running the process chain

  Hai
  Iam planning to run the process chain for loading the data into ODS. But i dont have authorization for it.
  so what are the authorizations i need to run the process chain in my system. And how can i set all those authorizations to my user-id.  I have all authorization rights .
  Pls let me knw
  kumar

  Hi,
  Authorizations for Process Chains
  Use
  You use authorization checks in process chain maintenance to lock the process chain, and the processes of the chain, against actions by unauthorized users.
  ·        You control whether a user is allowed to perform specific activities.
  ·        You control whether a user is allowed to schedule the processes in a chain.
  The authorization check for the processes in a chain runs when the system performs the check. This takes place upon scheduling or during synchronous execution. The check is performed in display mode. The check is performed for each user that schedules the chain; it is not performed for the user who executes the chain. The user who executes the chain is usually the BI background user. The BI background user automatically has the required authorizations for executing all BI process types. In attribute maintenance for the process chain, you can determine the user who is to execute the process chain.
  See also: Display/Maintenance of Process Chain Attributes ®  Execution User.
  Features
  For the administration processes that are bundled in a process chain, you require authorization for authorization object S_RS_ADMWB.
  To work with process chains, you require authorization for authorization object S_RS_PC. You use this authorization object to determine whether process chains can be displayed, changed or executed, and whether logs can be deleted. You can use the name of the process chain as the basis for the restriction, or restrict authorizations to chains using the application components to which they are assigned.
  Display/Maintain Process Chain Attributes
  Use
  You can display technical attributes, display or create documentation for a process chain, and determine the response of process chains during execution.
  Features
  You can display or maintain the following attributes for a process chain:
  Process Chain ® Attribute ® ...
  Information
  Description
  ( Rename)
  You can change the name of the process chain.
  Display Components
  Display components are the evaluation criterion in the process chain maintenance. Assigning the process chains to display components makes it easier to access the chain you want.
  To create a new display component, choose Assign Display Components in the input help window and assign a technical name and description for the display component in the Display Grouping dialog box that appears.
  Documents
  You can create and display documents for a process chain.
  For more information, see Documents.
  Last Changed By
  Displays the technical attributes of the process chain:
  ·        When it was last changed and who by
  ·        When it was last activated and who by
  ·        Object directory entry
  Evaluation of Process Status
  If you set this indicator, all the incorrect processes in this chain and in the overall status of the run are evaluated as successful; if you have scheduled a successor process upon error or always.
  The indicator is relevant when using metachains: Errors in the processes of the subchains can be evaluated as “unimportant” for the metachain run. The subchain is evaluated as successful, despite errors in such processes of the subchain. If, in the metachain, the successor of the subchain is scheduled upon success, the metachain run continues despite errors in “unimportant” processes of the subchain.
  Mailing and alerting are not affected by this indicator and are still triggered for incorrect processes if they have an upon error successor.
  Polling Indicator
  With this indicator you can control the response of the main process for distributed processes. Distributed processes, such as the load process, are characterized as having different work processes involved in specific tasks.
  With the polling indicator you determine whether the main process needs to be kept until the actual process has ended.
  By selecting the indicator:
  -         A high level of process security is guaranteed, and
  -         External scheduling tools can be provided with the status of the distributed processes.
  However, the system uses more resources; and a background process is required.
  Monitoring
  With the indicator in the dialog box Remove Chain from Automatic Monitoring?, you can specify that a process chain be removed from the automatic monitoring using CCMS.
  By default CCMS switches on the automatic process chain monitoring.
  For more information about the CCMS context Process Chains, see the section BW Monitor in CCMS.
  Alerting
  You can send alerts using alert management when errors occur in a process chain.
  For more information, see Send Alerts for Process Chains.
  Background Server
  You can specify here on which server or server group all of the jobs of a chain are scheduled. If you do not make an entry, the background management distributes the jobs between the available servers.
  Processing Client
  If you use process chains in a client-dependent application, you can determine here in which client the chain is to be used. You can only display, edit, schedule or execute the chain in this client.
  If you do not maintain this attribute, you can display, edit, schedule or execute the process chain in all clients.
  Process variants of type General Services that are contained in a process chain with this attribute set will only be displayed in the specified client.
  This attribute is transported. You can change it by specifying an import client during import. You must create a destination to the client set here in the target system for the import post processing (transaction RSTPRFC)  The chain is activated after import and scheduled, if necessary, in this client.
  Execution User
  In the standard setting a BI background user executes the process chain (BWREMOTE).
  You can change the default setting so that you can see the user that executes the process chain and therefore the processes, in the Job Overview. You can select the current dialog user who schedules the process chain job, or specify a different user.
  The setting is transported.
  The BI background user has all the necessary authorizations to execute all BI process types. Other users must assign themselves these authorizations so that authorization errors do not occur during processing.
  Job Priority
  You use this attribute to set the job priority for all of the jobs in a process chain.
  Hareesh

• Authorization issues in executing the chain

  Hi Techies,
  When im triying to execute the chain, the chain allows me to do so and went well but all the jobs corresponding it were running under my ID. Later I tried to schedule the chain on ALEREMOTE, but it throws error saying ALEREMOTE do not have authorization to execute the infosources as it hits its first infosource.
  We made the Trace On and tried to find any unauthorized hits in it, but the trace went well wthout any error.
  Need to confirm:
  1. ALEREMOTE was assigned with CPIC User role, does this effects?
  2. In BW Global Settings, for the field BW suer ALE entry have ALEREMOTE, where earlier it was not there. After making this entry, the chain does not even allow to trigger on my ID and on ALEREMOTE.
  3. If this entry effects, whats the significance of this field.
  Regards,
  Subhash.

  Hi Subhash,
  for the administration processes that are bundled in a process chain, you require authorization for authorization object S_RS_ADMWB.
  To work with process chains, you require authorization for authorization object S_RS_PC. You use this authorization object to determine whether process chains can be displayed, changed or executed, and whether logs can be deleted. You can use the name of the process chain as the basis for the restriction, or restrict authorizations to chains using the application components to which they are assigned.
  http://help.sap.com/saphelp_nw70/helpdata/en/35/c7e442e3c15704e10000000a155106/frameset.htm
  The BI background user has all the required authorizations to execute all BI process types. Other users have to assign themselves these authorizations so that authorization errors do not occur during processing.
  http://help.sap.com/saphelp_nw70/helpdata/en/d3/53e03b8235953ee10000000a114084/frameset.htm
  Hope this helps.
  Regards
  Andreas

• RRMX for executing and creating queries

  Hi,
  I have some users which are able only to create queries and another group which are only able to execute them.
  Which auth object and values should I consider in order to distinguish these 2 roles?
  Thanks and regards
  FedeX

  Hello, Firstly, may I suggest that the subject is misleading for the question asked.
  Transaction RRMX only excute the BEX analyzer add in.
  In BI/BW the authorization objects that govern whether the user is authorized to display/ execute / create / change queries are S_RS_COMP and S_RS_COMP1.
  Both these objects work in tandem. Where as S_RS_COMP covers the infocube, info area authorizations along with activity and Report IDs, S_RS_COMP1 covers the authorization to execute reports (queries) created by author /Owner  (SAP username). example: If the owner field in S_RS_COMP1 has user ID PTERRY01, a user who is assigned the role containing this authorization will only be able to execute queries created by the user PTERRY01.
  Standard Activities 03, 16 allow the user to display / execute reports while 01,02 determine whether the user can create / change reports and if he can, what reports example: If the acitivty 01 is combined with report ID Y*, the user can only create queries whose names start with Y.
  And please note, RRMX (Bex analyzer) does not allow you to create queries, Query designer does (link from BEX Analyzer opens up Designer).
  Regards,
  Prashant

• Authorization Restriction for Object Changeability :

  Hi ,
  How to restrict users from using Object changeability in Production System if they are given access to RSA1, even though the system is completely closed , with Object changeability, the users can still create a new Info package and upload data ?
  I have gone through the SDN and SAP documentation, but I could not find any such references.
  Looking forward to your valuable input on this.
  Regards,
  Ahmed.

  Hi there,
  You have an authorization object named S_RS_ADMWB (Data Warehousing Workbench - Objects).
  You can with that object restrict the several activities (display, execute, create, etc.) for different Datawarehouse InfoObjects (InfoPackage, etc.).
  Try to restrict that to the users.
  Diogo.

• How to use one WAD template for all the available queries

  Hi,
  I have created a WAD template... Now we have close to 25 queries which will use that template for displaying their output at Portal...
  Is there any way that i don`t have to create multiple copies of my WAD template...
  I.e. all queries would call that same template through portal...

  Hi,
  The Bex report uses the Standard Template 0ANALYSIS_PATTERN while it is executed.
  So if your sure that the look and feel of all the Reports is going to remain same, you don't need to even attach all these Queries to Templates in WAD.
  When you execute the BEx query, it would pick up the standard template and run it in portal.
  But if you want to customize the Report Template:
  1) You can change this standard template 0ANALYSIS_PATTERN  and customize it according to ur requrement in WAD.
  2) Or you can create a copy of this standard template and change it as required. Then change the template in spro (transaction RSCUSTV27) to point to this Z template.
  Let me know if you need more details.
  Regards,
  Forum

• Authorization restriction for Goods issue against an Order

  Hello All,
  We have a situation wherein the user is able to issue goods using tcode MIGO by choosing Goods issue --> Others and mentioning an order number that belongs to another plant in the account assignment tab and issues a material which belongs another plant.
  For eg we have material A that has been created for plant 1. The user issues the material (movement type 261)and the account is assigned to an order which has been created for plant 2.
  I could not find any authorization object that restricts this.
  I checked the objects M_MSEG_BWA and M_MSEG_WWA and he has authorizations only for plant 1 and all movement types.
  Any pointers to restrict this access will be appreciated.
  Thanks & Regards,
  Subramaniam Iyer

  Hi,
  MIGO transaction by default restricted with Plant.  If you say that the user A is having access to only Plant 1 & 3, but not for 2, please check the below authorization objects does not have any manual objects inserted into the Role and restricted with the value only in organization field.
  M_MSEG_LGO
  M_MSEG_WMB
  M_MSEG_WWA
  M_MSEG_WWE
  This issue may occur because if the objects are maintained manually in the role.  If so, when you check in the organization field, it may not be showing the value which are manually added into the manual object.
  Also, please check the other roles are assigned to the user.  If any of the other roles assigned to the user having any of the above objects with * value, this may provide the user to do the Goods movement for any plant.
  To check the issue, please go to SUIM and check the user under "Roles by Complex Selection Criteria" and make sure that you are checking the objects for the particular user.  This should be able to identify whether the user is getting access from any other roles assigned to the user.
  Regards
  Anandm

• Authorization restriction for Goods issue . others radio button in migo tcode

  Hello All,
  We have a situation wherein the user is able to issue goods using tcode MIGO by choosing Goods issue --> Others and  the movement type 201
  the above mentioning details i need to block the others tab only for specific user ids i have checked the MIGO objects But its not worked
  please give me solution for block the others button on the drop down box
  please find the attachment of screen shot its helpful to sort out the issue
  Best Regards
  suresh

  Dear Anandan,
  Please use trace t.code ST01 to fix the issue.
  You can restrict the movement type using the authorization object M_MSEG_BWA.
  If you can provide the step by step screens where you want to exactly restrict we can fix it.
  Regards,
  Venkatesh

• How to write a JAVA program to execute the SQL queries

  I have a database in the Microsoft Access queries and I need to execute the query by some how write the Java program to make it execute the query. because I need to get the different of time so I know how fast each query run.
  Thank you

  You need jdbc-driver for MSAccess for run this example:
  JDBCClient.java
  import java.util.Properties;
  import java.lang.String;
  import java.sql.DriverManager;
  import java.sql.Connection;
  import java.sql.PreparedStatement;
  import java.sql.ResultSet;
  import java.sql.ResultSetMetaData;
  import java.io.FileInputStream;
  import java.io.FileOutputStream;
  import java.io.BufferedOutputStream;
  import java.lang.System;
  import java.lang.Class;
  import java.sql.SQLException;
  import java.util.Date;
  import java.util.Locale;
  import java.text.DateFormat;
  import java.sql.Time;
  public class JDBCClient{
      private String DriverName = new String();
      private String DatabaseURL = new String();
      private String UserName = new String();
      private String Password = new String();
      private String SQLFile = new String();
      private String OutputFile = new String();
      private String Separator = new String();
      private boolean NeedColumnHeaders;
      private String EncodingParamName = new String();
      private String EncodingValue = new String();
      private String OutputEncoding = new String();
      private boolean AfterLastColumnSeparator;
      JDBCClient( String propfilename){
       System.out.println( "Initializing...");
       Properties properties = new Properties();
       try{
           properties.load( new FileInputStream( propfilename));
       catch( Exception e){
               System.out.println( "Error: " + e.toString());
           System.exit( 0);
       DriverName = properties.getProperty( "DriverName");
       DatabaseURL = properties.getProperty( "DatabaseURL");
       UserName = properties.getProperty( "UserName");
       Password = properties.getProperty( "Password");
       SQLFile = properties.getProperty( "SQLFile");
       OutputFile = properties.getProperty( "OutputFile");
       Separator = properties.getProperty( "Separator");
       if( properties.getProperty( "NeedColumnHeaders").compareToIgnoreCase( "yes") == 0 ||
           properties.getProperty( "NeedColumnHeaders").compareToIgnoreCase( "true") == 0)
           NeedColumnHeaders = true;
       else
       if( properties.getProperty( "NeedColumnHeaders").compareToIgnoreCase( "no") == 0 ||
           properties.getProperty( "NeedColumnHeaders").compareToIgnoreCase( "false") == 0)
           NeedColumnHeaders = false;
       else{
               System.out.println( "Invalid value for \"NeedColumnHeaders\" property (logical expected)");
           System.exit( 0);
       EncodingParamName = properties.getProperty( "EncodingParamName");
       EncodingValue = properties.getProperty( "EncodingValue");
       OutputEncoding = properties.getProperty( "OutputEncoding");
       if( properties.getProperty( "AfterLastColumnSeparator").compareToIgnoreCase( "yes") == 0 ||
           properties.getProperty( "AfterLastColumnSeparator").compareToIgnoreCase( "true") == 0)
           AfterLastColumnSeparator = true;
       else
       if( properties.getProperty( "AfterLastColumnSeparator").compareToIgnoreCase( "no") == 0 ||
           properties.getProperty( "AfterLastColumnSeparator").compareToIgnoreCase( "false") == 0)
           AfterLastColumnSeparator = false;
       else{
               System.out.println( "Invalid value for \"AfterLastColumnSeparator\" property (logical expected)");
           System.exit( 0);
       try{
           byte[] EOL = new byte[2];
           EOL[0] = 13;
           EOL[1] = 10;
           Class.forName( DriverName);
           Properties connInfo = new Properties();
           connInfo.put( "user", UserName);
           connInfo.put( "password", Password);
           if( EncodingParamName.length() != 0 && EncodingValue.length() != 0)
            connInfo.put( EncodingParamName, EncodingValue);
               Connection connection = DriverManager.getConnection( DatabaseURL, connInfo);
           FileInputStream in = new FileInputStream( SQLFile);
           byte[] buffer = new byte[in.available()];
           in.read( buffer);
           in.close();
           String SQL = new String( buffer);
               PreparedStatement statement = connection.prepareStatement( SQL);
           Date d1 = new Date();
               System.out.println( "Database connected at " + d1 + " Executing statement...");
              ResultSet resultSet = null;
           if( statement.execute())
            resultSet = statement.getResultSet();
           else{
                System.out.println( "Script updates " + statement.getUpdateCount() + " records.");
            System.exit( 0);
               ResultSetMetaData metaData = resultSet.getMetaData();
               BufferedOutputStream out = new BufferedOutputStream( new FileOutputStream( OutputFile));
           if( NeedColumnHeaders && metaData.getColumnCount() > 0){
            String head = new String();
            for( int i = 1; i < metaData.getColumnCount(); i++)
                head += metaData.getColumnName( i) + Separator;
            head += metaData.getColumnName( metaData.getColumnCount());
            out.write( head.getBytes( OutputEncoding), 0, head.length());
            out.write( EOL, 0, 2);
           String record = new String();
           while( resultSet.next()){
            record = "";
            for( int i = 1; i < metaData.getColumnCount(); i++)
                record += resultSet.getString( i) + Separator;
            record += resultSet.getString( metaData.getColumnCount());
            if( AfterLastColumnSeparator)
                record += Separator;
            out.write( record.getBytes( OutputEncoding), 0, record.length());
            out.write( EOL, 0, 2);
           out.close();
           Date d2 = new Date();
               System.out.println( "Done at " + d2);
               System.out.println( "Executing time " + new Time( d2.getTime() - d1.getTime() - 10800000));
       catch( ClassNotFoundException e){
               System.out.println( e.toString());
       catch( SQLException e){
               System.out.println( e.toString());
       catch( java.io.IOException e){
               System.out.println( e.toString());
       System.exit( 0);
      public static void main( String args[]){
       if( args.length == 1)
           new JDBCClient( args[0]);
       else
           System.out.println( "Usage JDBCClient <properties_file>");
  }JDBCClient.properties ( for Oracle database)
  DriverName=oracle.jdbc.driver.OracleDriver
  DatabaseURL=jdbc:oracle:thin:@192.168.1.1:1521:test
  UserName=test
  Password=test
  SQLFile=test.sql
  OutputFile=test.csv
  Separator=*
  NeedColumnHeaders=yes
  EncodingParamName=
  EncodingValue=
  OutputEncoding=windows-1251
  AfterLastColumnSeparator=yestest.sql
  select * from users;

• Recursive Java programming method for executing recursive SQL queries

  Anybody has a Java/JDBC example method to execute recursive SQL queries and print results? The method has to work for any number of queries and levels and the first query passes the parameter to the second query.
  Edited by: user4316962 on Jun 12, 2011 1:59 PM

  user4316962 wrote:
  Guys, the problem what I am trying to solve is much more complex and I don’t think SQL level recursion is enough. I am looking for Java solution with SQL queries in it to make it more flexible and DB independent.
  If you want to do recursion in SQL then it has nothing to do with Java.
  And if you want to do recursion in Java then the idiom itself has nothing to do with SQL.
  Other than that you have provided enough detail for anyone to even guess at what you are asking.
  As a start I am not even sure that you understand what recursion is nor how JDBC works. (But it could be that you are using the terms to mean something else.)
  And looking at your original post it could be nothing more than that you are looking for a design pattern - perhaps the interpreter.

• Authorization restriction for BP transaction

  Hi,
  We need to restrict the BP transaction access to user in the below mentioned way in our SRM system.
  1. Restricting BP access to all the users with display access.
  2. Restricting BP access to security users with create, change and display access.
  What is the main object for BP transaction for restricting access in the above mentioned scenarios?
  Here, we have observed one more issue like....
  Let say object-B_BUPR_BZT(not sure) is a main object for transaction-BP. If we restrict activity to 03 in that object, it will give display access when we are executing transaction-BP.
  Some of other transactions(like PPOMA_BBP) are there in SRM, those are also maintaining same object with all activities(create,change,Display).
  In this scenarios, how the above mentioned restriction is going to help the user.
  Please check and advice in this.
  Thanks & Regards,
  KKRao.

  > Let say object-B_BUPR_BZT(not sure) is a main object for transaction-BP.
  It may be a "main object" for BP, but that doesn't tell you much at all about the security aspects or where in the logic of the transaction it is used. This object is for example not a part of the business logic of transaction SE80, or that I am sure.
  If you have no clue, then start in SU21 and read the application help documentation on the transaction (to understand it's context) and the use-cases of the object - also to find the other transactions. Then you will become more sure.
  You also need to understand that in the same way the transactions, reports and the "real checks" are layers in the security, objects themselves can also be selective and layered in a conceptually consistent way, or (to make it more interesting...) transaction dependently.
  There are lots of shortcuts (even out-of-the-box roles which someone might try to sell you...) but ultimately if you use a SAP system to "build" your business processes, then you need a concept to secure your build. SAP owns the authority-checks in standard programs to enable the process to comply with legal requirements and some common sense.
  => So, you need to choose your transaction (or other entry point) carefully and understand the objects which they use.
  Cheers,
  Julius