Authorization SEM

Similar Messages

• Analysis Authorization with SEM-BPS

  Hi,
  We have performed technical upgrade from BW 3.5 to BI 7.0. We want to migrate to BI 7.0 functionality phase wise.
  We have SEM-BPS and now we want to migrate to Analysis Authorization of BI 7.0.
  Once we have igrated to Analysis Authorization, will there be any impact on SEM-BPS? Can we still use SEM-BPS with New Analysis Authorizations? We do not want to move to BI-IP in near future?.
  Please advise.
  Best Regards,
  UR

  Dear UR,
  Iu2019m going to try helping you,
  In difference of reporting functionality, in planning, the data of an InfoCube is not just read; it is also changed or created.
  There are two planning tools in BI: BW-BPS (Business Planning and Simulation), and BI Integrated Planning.
  There are two main tcode: BPS0 and RSPLAN
  There are three authorization objects to manage Integrated Planning:
  S_RS_PL_ADMIN - Planning Administrator
  S_RS_PL_PLANNER u2013 Planner
  S_RS_PL_PLANMOD_D u2013 Planning Modeler (Development System)
  The main object in the planning scenario is InfoCube real-time, where can available writing in small package that arrive in parallel. In some cases the security requirements for reporting and planning can be merging. In this case you need authorization object for checking planning, as authorization object above, and you need authorization object for using a query for planning requires as S_RS_COMP.
  In addition to authorization for displaying data, the authorizations for changing data you need analysis authorization (the analysis authorization focus in the InfoProvider, no in Aggregation Level).
  In your analysis authorization design for reporting stuff, you should use in 0TCAACTVT characteristic 03 value. In the planning stuff, you should use in 0TCAACTVT characteristic 03 and 02 values. As explain following:
  Using the characteristics 0TCAACTVT (activity), you can restrict the authorization to different activities. Read (03) is set as the default activity; you must also assign the activity Change (02) for integrated planning.
  http://help.sap.com/saphelp_nw70ehp1/helpdata/en/b1/0c9441b8972e7be10000000a1550b0/frameset.htm
  I hope this suggestion can help you answer question,
  Luis

• Authorizations for tasks (R_UC_TASK) / Best Practice SEM-BCS authorization

  Dear Experts,
  I am quite new to authorizations and in particular to SEM-BCS authorization. So I would be happy if you could help me with the following requirement:
  We have to setup an authorization concepts for SEM-BCS. Among others we want to setup authorizations for consolidations tasks using authorization object R_UC_TASK. With this authorization object certain tasks can be restricted to certain characteristic values u2013 e.g. for a certain consolidation group or a certain consolidation unit. We have defined a role each for certain consolidation tasks. These roles are not restricted to any characteristic value yet. We have for instance a role u201Cregional controlleru201D who is allowed to perform certain BCS tasks on a regional level (consolidation unit level). This would mean that we would have to create the role u201Cregional controlleru201D for all consolidation units u2013 see example below:
  Role 1: Regional Controller u2013 Cons. Unit 1000
  Role 2: Regional Controller u2013 Cons. Unit 1100
  Role 3: Regional Controller u2013 Cons. Unit 1200
  Role n: Regional Controller u2013 Cons. Unit n
  We have more than 400 consolidation units. So this would require a high effort. Is there instead a possibility of creating one role based on authorization object R_UC_TASK which just defines which activities can be performed (without restricting access to a certain consolidation unit). , and using second role which defines the consolidation unit access? u2013 see example below:
  A
  Role: Regional Controller
  Role: Cons Unit 1000
  B
  Role: Regional Controller
  Role: Cons Unit 1100
  C
  Role: Regional Controller
  Role: Cons Unit 1200
  In this case we only would have to maintain one role u201CRegional Controlleru201D and we only would have to assign the restriction for the consolidation unit. How could this be realized?  Or do you have any other ideas to solve this requirement in a simple way?
  Moreover I would be happy if you could tell me where I could find best practice scenarios for SEM-BCS authorizations.
  Thanks a lot in advance!
  Best regards
  Marco

  Hello Marco,
  you can enter a master role in the description tab of a role. All fields populated via program PFCG_ORGFIELD_CREATE can be maintained in the role. All other fields will be taken from the master role. So you only need to populate the field for unit with the program.
  Good luck
  Harry

• SEM ConsMonitor Authorization check R_UC_TASK activity A3

  Hello,
  I have a problem in the Consolidation Monitor authority check for tasks.
  We want the users to be able to set the status 'Lock by user'. The  authorization object R_UC_TASK is using the same activity (A3) for  'Lock by user' and 'Reset'.
  Is there a chance to tell the system to use different activities for these two action steps in the Consolidation Monitor?
  Thanx for any idea.
  Christian

  I posted the same question at SOLUTIONS-SEM BCS and got an answer there.

• SEM-BCS authorization or Security Guide

  Hello,
  Last year We went Live with SEM-BCS Project.Now We need to restrict all the t-Code's in SEM-BCS. During the Go-Live We have provided  Full authorization's to everyone.Now Auditor's are bugging us to restrict the access in the SEM-BCS system.If Possible anyone can provide authorization or Security Guide for BCS Project
  Vijay

  Hello Again,
  Guide Contain's Only Authorization Object's & Default SAP Defined Roles. But Here it a different Scenario. SEM-BCS team has provided me 30 T-Codes & I am supposed to Pick all the Default Values for all the T-Codes.
  I am doing it from T-Code: SU24 & Updating it in Excel. My Question's are
  1. How to get more Knowledge on the Tcodes
  2. How it will Function
  3. In what way we can restrict the Feild values & Activities for the T-codes.
  My functional team Have no Knowledge on this Objects & what activities should be there.
  Now i need to explain them each & every T-Code & what does each feild & Activity Do. If there is any Go-Live document for this it will be really helpful for me.
  For All 30 T-codes I need to create Custom Roles &  Audit need's No Astrick for new custom Roles.
  Vijay

• Semi Colon in Authorization

  Hi,
  Can anyone explain the functionality of the Semi Colon (:)in Authorization Object. I have a requirement which demands the use of semi colon. Please let me know your suggestions on this.
  Sajan.M

  Hello Sajan,
  refer to :
  SAP Note Number: 727354
  Colon authorization during query execution
  Version: 2, Note Language: EN, Released on: 20.04.2004 
  Symptom
  You experience difficulties with colon authorization when you execute a query.
  Other terms
  Colon authorization
  Reason and Prerequisites
  You require colon authorization to view the values of an authorization-relevant characteristic in aggregated form. What does this mean exactly?
  Example:
  The 0COUNTRY characteristic is authorization-relevant and is contained in the InfoProvider used. You defined a query as follows:
  1. 0COUNTRY is in the free characteristics (not in the drilldown) without any selections
                - or-
  1. 0COUNTRY is not used in the query.
  In both cases, no 0COUNTRY values appear in the query. Also, the query is not restricted to any 0COUNTRY values. The colon is required for the authorization check. You see the following message in the authorization log:
             "Check for ':' Added"
  Note the following:
  Case 2) is often overlooked: The authorization-relevant characteristic is not in the query, but rather in the InfoProvider. This does not mean that an authorization check does not take place on the characteristic. Since the key figures displayed are implicitly aggregated using all of the values for the characteristic, this must also be authorized.
  In a query, a selection can occur locally in a restricted key figure or in a structure. If the query contains other key figures, and this selection (or other selections) does not apply to these key figures, the colon is also required in the authorization.
  Solution
  If the above authorization problems occur, you must perform the following:
  1. If you want queries with no restrictions to run:
             Grant colon authorization to the user.
  1. If you do not want to grant colon authorization to the user:
              Restrict the characteristic in the query to a certain selection (single value, interval, hierarchy node, and so on) and authorize this selection explicitly.
  You must perform one of the above actions while the characteristic is being checked for authorizations.
  Other information
  The star authorization ('*') authorizes everything (of course, this also includes queries that require a colon).
  If the authorization-relevant characteristic is a navigation attribute (0COUSTOMER__0COUNTRY, for example), the behavior of the authorization check is not altered in any way. An exception occurs if the InfoObject appears both as a characteristic (0COUNTRY) and as a navigation attribute (0COUSTOMER__0COUNTRY) in the InfoProvider. You must then refer to note 642072.
  A colon authorization is not taken into account when you use a variable of the type "Fill from authorization", since it is not known at the time of the variable processing whether or not the affected characteristic is in the drilldown.
  Release Status Released for Customer
  Released on 20.04.2004
  Priority Recommendations/additional info
  Category Consulting
  Primary Component BW-BEX-OT-OLAP-AUT Authorizations
  Secondary Components BW-BEX-OT-OLAP Analyzing Data
  No attributes available 
  Soft. Component Release Track From Release To Release And Successors
  SAP_BW   30   30A   30B    
  SAP_BW   310   310   310    
  SAP_BW   35   350   350    
  No correction instruction available 
  No data available
  Number Short Text
  0000921820 Information about authorization concept of BW 3.X systems
  0000831700 BRAIN 655: No authorized data for F4 (input help)
  0000805855 Check on colon authorization despite selection condition
  0000790323 The log for reporting authorizations in BW
  0000789536 Enhancements of the authorization log
  0000642072 Authorization check on : for char./navigation attribute
  0000573725 Authorizations for documents for transaction data
  No attachments available
  SAP Notes / Patches corrected by this Note 
  No entries available
  The following SAP Notes correct this Note / Patch 
  No entries available

• Authorizations in SEM-BPS (Web Layouts)

  Hi all,
  I have a question that hopefully somebody can help me in solving it.
  We have a bps application, with authorizations maintained in the sap normal way: pfcg, rssm, etc.
  The question is that we started to build some web (alv) layouts, and need to maintain the same authorization schema.However, the authorizations are not verified in the web layouts.
  Can somebody provide some hint in solving this problem ?
  Best Regards,
  Ricardo

  Hi Raman,
  Sorry but your tip doesn't work
  That's precisely our problem: the authorization scheme we implemented in the "SAP GUI side" doesn't work in the web side". Using web layouts, I still can acess some layouts I shouldn't be allowed to (user dependent)
  Thank you anyway
  Regards,
  Ricardo

• Two authorizations objects with OR function instead of AND

  Hi,
  We have created two authorization (RSECADMIN) objects for a CRM InfoProvider:
  Organizational responsible
  Delivery unit.
  Both the two authorized relevant InfoObjects are used in the query.
  In the query we have used a two authorization variables.
  Now only values in the authorizations are checked where Organizational responsible are true AND Delivery unit are true.
  Is it possible to check the authorization where:
  Organizational responsible is true OR Delivery unit is true??
  Please help!
  Regards,
  Jos.

  Hi,
  hmmm Andreas, I must comment on that:
  what is required is to show any record having Object1 = True OR Object2 = TRUE.
  Logically it is the same than asking:
  Don't show records having (Object1 NOT True) AND (Object2 NOT True), correct me if I am wrong there (this is pure Boolean math...)
  Because BW doesn't support this it doesn't mean that ANY system cannot do it.
  Simply put with SQL
  SELECT * FROM TABLE
  WHERE OBJ1 = TRUE OR OBJ2 = TRUE works perfectly in ANY RDBMS.
  also
  SELECT * FROM TABLE
  WHERE NOT OBJ1 <> TRUE AND OBJ2 <> TRUE would work as well.
  It is just that BW always perform an AND when you filter two different objects.
  Jos could achieve what he wants by setting up some restricted key figures and work it out with conditions but definitively not with standard authorizations.
  Alternatively, as I already mentioned, compounding objects would work but not without modeling effort. Finally I believe that with user exits it would also be possible... I don't have time but I would as well investigate bringing both objects along with the provider in a multi and verify if that couldn't be done by semi/standard means finally...
  hope this shed some lights on the issue....
  regards,
  Olivier.

• RFC Call - Retracting data from BI/BPS/SEM to ECC

  Hello Gurus,
  Since there is no standard retarctors available for SKF and New GL in BPS-SEM we developed a custom retractor.
  We call a standard BAPI to post SKF and a BDC to post New G/L.
  When we call the RFC function it asks for the user id and password to login into ECC system.
  How to handle the SAP log on screen in the program.
  Do we pass the userid and password through the ABAp program ?
  Please let me know how to handle the logon screen in the foreground and also in the background.
  Again this program will be executed in the background .
  Thanks for your help guys

  This is a duplicate post. Please close the other one.
  You should be able to set up a RFC connection in SM59 with a generic userid and password embedded. Give the userid the authorizations to process this and not much else.
  Rob

• Authorization check

  Hi ,
  i new to authorization so i need help ,
  i go to transaction SU21 and i choose some object for example:
  Object R_CPM_BSC
  Text Authorization Object SEM: BSC Elements
  Class SEM Strategic Enterprise Management*
  Author STASTNY
  Field name Heading
  SEMSCARD Scorecard
  SEMOBJTYPE Scorecard Elements: Object Type
  SEMOBJKEY Scorecard Elements: Object Key
  ACTVT Activity
  And when i push on permitted activities i get:
  R_CPM_BSC Authorization Object SE
  ACTVT Activity
  activists
  01 Create or generate
  02 Change
  03 Display
  04 Print, edit messages
  1. i have always just permitted activities for ACTVT ?
  if i wont that user just have display Authorization how i have to write it like below?
  AUTHORITY-CHECK OBJECT R_CPM_BSC
  ID ACTVT FIELD '03'
  thats it i don't use the other fields?
  Regards

  Hi,
  In general different users will be given different authorizations based on their role in the orgn.
  We create ROLES and assign the Authorization and TCODES for that role, so only that user can have access to those T Codes.
  USe SUIM and SU21 T codes for this.
  Much of the data in an R/3 system has to be protected so that unauthorized users cannot access it. Therefore the appropriate authorization is required before a user can carry out certain actions in the system. When you log on to the R/3 system, the system checks in the user master record to see which transactions you are authorized to use. An authorization check is implemented for every sensitive transaction.
  If you wish to protect a transaction that you have programmed yourself, then you must implement an authorization check.
  This means you have to allocate an authorization object in the definition of the transaction.
  For example:
  program an AUTHORITY-CHECK.
  AUTHORITY-CHECK OBJECT <authorization object>
  ID <authority field 1> FIELD <field value 1>.
  ID <authority field 2> FIELD <field value 2>.
  ID <authority-field n> FIELD <field value n>.
  The OBJECT parameter specifies the authorization object.
  The ID parameter specifies an authorization field (in the authorization object).
  The FIELD parameter specifies a value for the authorization field.
  The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.
  http://help.sap.com/saphelp_nw04s/helpdata/en/52/67167f439b11d1896f0000e8322d00/content.htm
  To ensure that a user has the appropriate authorizations when he or she performs an action, users are subject to authorization checks.
  Authorization : An authorization enables you to perform a particular activity in the SAP System, based on a set of authorization object field values.
  You program the authorization check using the ABAP statement AUTHORITY-CHECK.
  AUTHORITY-CHECK OBJECT 'S_TRVL_BKS'
  ID 'ACTVT' FIELD '02'
  ID 'CUSTTYPE' FIELD 'B'.
  IF SY-SUBRC 0.
  MESSAGE E...
  ENDIF.
  'S_TRVL_BKS' is a auth. object
  ID 'ACTVT' FIELD '02' in place 2 you can put 1,2, 3 for change create or display.
  The AUTHORITY-CHECK checks whether a user has the appropriate authorization to execute a particular activity.
  This Authorization concept is somewhat linked with BASIS people.
  As a developer you may not have access to access to SU21 Transaction where you have to define, authorizations, Objects and for nthat object you assign fields and values. Another Tcode is PFCG where you can assign these authrization objects and TCodes for a profile and that profile in turn attached to a particular user.
  Take the help of the basis Guy and create and use.
  Thanks
  Vikranth

• How SEM BPS works with SAP BW

  Hi,
  How SEM BPS works with SAP BW.
  how to save planned in SAP BW.
  how to work with the data in Basic cubes and Transaction cubes.
  what is the relation between these two cubes.
  Thanks,
  cheta.

  hi,
  chk the link for BPS
  https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/7c85d590-0201-0010-20b5-f9d0aa10c53f
  Can any body send the material for BPS?
  Authorization for BPS
  Ramesh

• Need everyone input: authorization profiles assigned to ALEREMOTE

  If the process chain runs fine in your system, please go to SU01 to check the profiles assigned to the user ALEREMOTE and feed back with the profiles assigned to ALEREMOTE.  Anyone's input is greatly appreciated and will be rewarded with points.
  Thanks

  Hi Kevin.
  We have at my company a large implementation of systems including several BW systems. One of these also hosts SEM. Here it was first setup with SAP_ALL, but after my security review they actually could tailormake a role for these activities. The input for this role we created by a simple authorization trace.
  On request I can provide you with this information.
  It is also the recommended solution to really modify the authorization of users like ALEREMOTE, due to the large security risks you take in RFC destinations otherwise.

• ITunes keeps requiring authorization

  I use 3 machines:
  - Powerbook G4
  - Powermac G5
  - iMac G5 (recently underwent apple certified repair)
  Currently, I physically have 2 machines authorized that will play my music. 3 machines should be authorized.. but the iTunes music store says 4 are authorized.
  So.. here's the overall deal..
  Yes, I probably lost 1 authorization as a result of the repair facility doing an archive and install (without notifying me), but iTunes has still been asking for authorization in strange ways.
  For instance, the iMac G5 is asking for authorization again.. it has not been reinstalled since that time.
  My Powermac at home has also pulled up the authorization dialogue without apparent reason (it has never been reinstalled).
  So here I sit with 2 computers authorized.. 1 that needs to be authorized, and 4 that apple thinks are authorized.
  If I authorize the computer I'm sitting on right now, I could semi-permanently lose my ability to listen to music on a machine if another one starts asking for authorization.. and I don't have the option to reset my authorizations.
  So.. what am I to do? I'm seriously considering stopping using the iTMS because of this issue.. I've spent well over $300 on music there.. but if glitches like this are going to force me to stop listening to my own purchased music.. then I don't want to invest any more money into it.

  let me explain.
  I bought the song and put it in an iphoto slideshow and made a Quicktime version too.
  One computer.
  Iphoto won't play the song because it requires authorization from itunes.
  I authorize it (again, and again) at itunes. It says I am authorized just fine.
  Back to iphoto: Same error message. over and over.
  Then add:
  even Quicktime wouldn't let me play the already recorded slideshow movie. It said I could only use itunes tunes in isoftware?
  Now Quicktime has become hijacked-- demolished, actually--- and replaced by nothing but menus saying purchase the new Quicktime. Who did this?
  In another forum someone said 'all' I have to do is buy the newest versions of Quicktime and iTunes. That's all.
  Money-grubbing robbers. How dare they come onto my computer and mess things up so I have to buy new software? I can't afford it. So now what?
  Natasha

• SEM-BPS 6.0 BPS_WB generate Web Interface BSP

  Hi all,
  We recently had a redirect of the portal connected to our NW04S BW development system and had worked thorugh the issues on the portal side so existing Iviews works (SEM-BPS 6.0). 
  We are now creating some new iview for a new applications but I cannot generate the BSP page.  BPS_WB say that the BSP was generated correctly but when I try to test it, it says that http entry is missing and would I like to add it and when I say I do, it fails since I cannot generate a node under SICF since I do not have the authorization.  I did an SU53 check and asked for 01 create on S_ICF_ADM but getting a lot of questions since 01 on S_ICF_ADM is reserved for Basis only on this project.
  Another thing we are also concerned with is that some system settings that need to be done on the BW side might now have been done although Basis said all entries are changed..
  I have to admit that the last time I worked with someone to set up portal connection to BPS was back in 2003 so I have to dig pretty deep into my memory and had been doing some quick searches but have not found anything obvious yet that would solve the regeneration issue except for the authorization addition which they are very hesitant about.
  Any information or thoughts on this issue / problem would be appreciated.
  Thansk,
  Mary

  Hello Mary,
  I still work on BCS, so dont have BPS here. What I can do is to give you a summary of those things I had done in the past. Maybe it helps?
  I gues you know that there are 2 diffren types of nodes: System nodes to enable connection to the web and the node for each web interface.
  The required system nodes are describes in OSS 517484. I guess you have released them? Since BW Release 3.5 the web interface works with HTMLB. I guess you have activated thise too?`So the last possibility is from my point of view the web interface itself.
  The node for the web interface existis already?
  /default_host/sap/bc/bsp/sap/<your_web_interface>
  In develop system the web interfaces will be activated manually normally. But in Prod automaticall because of not allowed customising. If the web interface has created such an entry already I think the only chance is to give the web interface another name in Development system - or to delete the existing node in the prod system (dangerous).
  If this is not your problem, maybe another consultant has an idea?
  regards
  Eckhard Lewin

• Cannot authorize my computer

  After restoring windows to an earlier date settings,  my ADE disappeared, after reloading and trying to re-authorize my computer I get the message: "The vendor account you entered is not associated with the item you are trying to open." and the vendor account line is greyed out
  Wayward

  Sometimes ADE gets its registration/activation confused and in a semi-authorized state.  This is almost certainly what happened here.
  Uninstalling and reinstalling does not help.
  Unfortunately, it often then gives misleading error messages about what is wrong.
  A common incorrect message informs you that the ID is already in use on another computer and cannot be reused.
  This can often be resolved by completely removing any authorization using ctrl-shift-D to the Library screen on ADE (cmd-shift-D if on Mac).
  Restart ADE, and then reauthorize with your (old) Adobe ID.
  In extreme cases on the mac, the following extra step has helped some people.  Navigate to /Users//Library/Application Support/Adobe/Digital Editions and drag the activation.dat file to the trash. If you are using 10.7, see Access hidden user library files | Mac OS 10.7 Lion. http://forums.adobe.com/thread/1265248?tstart=0