Authorization Structure/Concept

Hi All,
While designing an authorization structure/concept for a new system, from experience can I ask if it is best to use any of the following methods, or some different approach?
1. Many varying sized Single Roles and few Composite Roles, where the Composite Role is usually directly related to the 'Business Job Title', so in theory a user should be assigned 1 (maybe more in some cases) Composite Role.
2. No Composite Roles, and ONLY medium to varying sized Single Roles, in which case many of these are assigned to each user.
I think in most scenarios it may be a mixture of the two, but I have experience of the second and it does work, but manageability becomes an issue due to complexity. So the Composite Role structure should reduce the complexity and give future flexibility; however, this requires more time up front.
I know this is brief but I have left it slightly open for comments/opinions. Thanks in advance for any information.

Hi Ashley,
I suggest you go with approach "1", i.e., creating composite roles and assigning them to users. But I suggest you have a clear picture of which roles should come under which composite role and to which group of users you have to assign them.
Prepare a list of all single roles and composite roles (which group them).
With BR,
Rajesh

Similar Messages

  • Learning SAP BW authorizations structure and hierarchy  -  concepts

    Hello Experts,
    I need a good document for learning authorization structuring and hierarchy in SAP BIW 3.5. I am giving authorizations in BIW but do not have conceptual and fundamentalistic knowledge of SAP BW authorizations and its structure. Please send a good document for learning BW authorizations; it may be an excerpt from FU&FU guide. My Email Id is [email protected]
    A short but complete SAP BW fundamentalistic, concepts and structure & hierarchy covering document is appreciated.
    Requested to revert at earliest as this is very urgent.
    Points guaranteed.
    Regards,
    Somya

    Hi maheshwari ,
    Use these steps for authorizations,
    1. Before going to authorizations you have to decide on which Infoobject you have to apply authorizations.
    Ex: SD -> Sales Org, MM -> plant, purorg, FI -> company code.
    First you have to decide which area and on which Infoobject.
    2. Go to that Infoobject --> change, and there check the "Authorization relevant object" checkbox.
    2. After that you have to go to RSSM; there you have to create an authorization object.
    Ex: Zxxx (XXX is Infoobject name).
    3. In the same transaction screen you have the Infocube selection radio button; check that, then select on which cube (cube means all queries under that cube) you have to make the authorization for that particular Infoobject.
    4. Next go to PFCG, create a role and save it.
    5. Go to the Authorization tab; in that select edit authorization. It will automatically give authorization templates; in that you have to select only S_RS_RREPU and press Enter.
    6. Select the manual pushbutton; it will ask for an authorization object. Enter the authorization object you have created (zxxx).
    7. Click generate + Enter.
    8. Go to the user tab, enter user ID + Enter + click on user comparison + Enter.
    9. Save the role.
    FOR HIERARCHIES:
    1. Go to RSSM. There you have one radio button called authorization hierarchy (this radio button is at the very bottom of the RSSM screen).
    2. There you have to select the hierarchy on which you have to apply authorization.
    Thanks,
    kiran

  • Structural authorization only possible in HR,correct?

    It is my strong understanding that structural authorization is possible only in HR. Can somebody please confirm that it cannot be accomplished for any other module, especially FI? Thanks.

    HR is a separate authorization concept in SAP, which as you stated is a structural concept.
    All other module objects in SAP are of the standard SAP Authorization Concept, which is well documented for each release at http://help.sap.com
    Hope this helps.
    Regards
    Ashley

  • Bw upgrade - Authorization concept

    Hi,
    We have just completed the BW3.5 upgrade to BI7.3.
    I'm trying to work out the authorization concept in our system again.
    I've created one simple query on a multiprovider with only 1 characteristic and 1 KF.
    -Authorization object S_RS_MPRO for this multiprovider given.
    -User has one role which has the basic 0TCAACTVT, 0TCAIPROV, 0TCAVALID
    -Basic BW end user authorization for RS Class is available (S_RS_COMP, S_RS_COMP1, S_RS_FOLD, S_RS_HIER, S_RS_ICUBE, S_RS_IOBJ, S_RS_ISET, S_RS_ODSO)
    Now when I run the query, I have 'No authorization'.
    Display authorization check shows authorization check failed for S_RS_AUTH with object 0BI_ALL.
    From my understanding 0BI_ALL should be given to a user who is allowed to access all queries.
    Appreciate advice from anyone who's familiar with this. Is it safe to give 0BI_ALL or is there some other object which I am not assigning?
    Thank you.
    Regards
    Maili

    Hi,
    With NW2004s, a new concept was introduced to check analysis authorizations. You can activate this using Transaction RSCUSTV23 or the IMG entry "Analysis authorizations: Select concept".
    To do this, select the "Current procedure with analysis authorizations"
    option. For detailed information, refer to the following link:
    http://help.sap.com/saphelp_nw04s/helpdata/de/80/d71042f664e22ce10000000a1550b0/frameset.htm
    Using the new analysis authorizations, the check of the MultiProvider authorization is not carried out any longer.
    If you cannot use the new analysis authorizations, assign corresponding
    authorizations for the "Data Warehousing Workbench - MultiProvider"
    authorization object (S_RS_MPRO).
    The settings of Transaction RSCUSTV16 listed above are obsolete as of
    Release NW2004s and are not analyzed any longer. Instead, the
    MultiProvider authorization is always checked when you execute queries
    using the usual authorization concept.
    Please refer notes
    820183     New authorization concept in BI
    727354    Colon authorization during query execution
    1122407   dealing with prerequisits for message processing in OLAP!!
    Thanks,
    Venkat

  • Authorization for navigational attribute

    Hi Gurus,
    I am facing an authorization issue with respect to infoobject hierarchy. I have created authorizations as below.
    There is one infoobject 'A' and a navigational attribute 'B' in infoobject 'A'. This navigational attribute A_B is used in an infocube. And a hierarchy is uploaded to Infoobject 'B'. Now I want to give authorization for this hierarchy in infoobject 'B'.
    Now coming to authorization.
    1. I have made Infoobject 'B' as authorization relevant in Business explorer tab.
    2. Created authorization object say ABC in RSSM and included infoobject 'B' & 0TCTAUTHH (since I want to authorize the hierarchy and we are using 3.5 authorization concepts in BI 7.0).
    3. Activate this authorization object for the infocube.
    4. Included this authorization object in the role included for my user. In the field 'B' of authorization object I have given ' ' (space) and in the field 0TCTAUTHH I have given the technical name of the hierarchy.
    4. In 3.5 query designer I have put this navigational attribute A_B in the filter area and activated the hierarchy in the properties tab for the same hierarchy that I included in previous step.
    5. Created a variable with processing type authorization.
    Now when I run this report I get an error as no authorization for object ABC.
    Can someone help me if I have done anything wrong.
    Thanks,
    Sandeep

    Hi,
    In the infoobject A maintenance screen check the check box for field "AuthorizRelevant" for B to make it an authorization relevant navigational attribute.
    Then go to RSECADMIN and open your relevant authorization.
    In the menu bar just above the "Authorization Structure" you will find the button with the icon of an infoobject.
    Click on this icon; this will give you a screen to enter the characteristic name of which attributes are to be added to the authorization.
    Enter the infoobject A name here and click on continue.
    This will give you list of all authorization relevant navigational attributes present for A.
    Add B from this list to the authorization.
    Hope this helps.
    - Geetanjali

  • Is there any way to force a Role Check for authorization from a Ztable

    Hi all,
    I have an issue that deals with Authorization check using a role. I have to know if there is any way to make a Role force to check if an entry exists in a Ztable.
    Eg. A User is assigned a role Z:Ztable_check. Can we now force this Role to somehow check for a particular entry in a Ztable which has a Username and its Corresponding Authorized Cost center. Can the role check from the Ztable and allow the user to view only those cost centers that he is allowed to.
    Don't know if this is even theoretically possible.

    hi
    see if this helps you

    The SAP Authorization Concept

    Authorization checks are a means of protecting functions or objects in the R/3 System. The programmer of the function determines where and how these checks are made, while the user administrator determines (within the framework defined by the programmer) who can execute a function or access an object.
    The terms central to the SAP authorization concept are:

    Authorization field
    This is the smallest unit against which checks can be made. The programmer can create authorization fields by selecting Tools -> ABAP Workbench -> Development -> Other tools -> Authorization objs -> Fields.
    Example: ACTVT and CUSTTYPE.

    Authorization object
    An authorization object groups together 1 to 10 authorization fields which can then be checked as a combination. The programmer can create authorization fields by selecting Tools -> ABAP Workbench -> Development -> Other tools -> Authorization objs -> Objects.
    Example: The authorization object S_TRVL_BKS groups together the authorization fields ACTVT and CUSTTYPE.

    Authorization
    An authorization is a combination of permitted values for each authorization field of an authorization object. The user administrator creates authorizations by selecting Tools -> Administration -> Maintain users -> Authorization.
    Example:
    S_TRVL_CUS1 is an authorization for the authorization object S_TRVL_BKS with the values
    for customer type (CUSTTYPE) and
    02 for activity (ACTVT).
    Users who have this authorization are allowed to change the bookings of all customers.
    S_TRVL_CUS2 is an authorization for the authorization object S_TRVL_BKS with the values
    B for customer type (CUSTTYPE) and
    03 for activity (ACTVT).
    Users who have this authorization are allowed to display the postings of all customers.

    Authorization profile
    An authorization profile represents a simple workplace in the context of authorizations. An authorization profile contains authorizations for the authorization objects a user needs to operate effectively in a restricted task area. The user administrator creates authorizations by selecting Tools -> Administration -> Maintain users -> Profiles.

    User master record
    Your user master record is checked when you log on to the R/3 system. Through the authorization profiles, this provides restricted access to the functions and objects of the R/3 System. The user administrator creates authorizations by selecting Tools -> Administration -> Maintain users -> Users.

    Authorization check
    The programmer can perform authorization checks with the ABAP command AUTHORITY-CHECK by specifying the value to be checked for each authorization field defined. The system then scans the profiles in the user master record for the authorizations specified. If one of the authorizations found for all fields of the authorization object covers the values specified by AUTHORITY-CHECK, the check was successful.
    Example: Check whether the user is allowed to change the postings of business customers:

    AUTHORITY-CHECK OBJECT 'S_TRVL_BKS'
                    ID 'ACTVT'    FIELD '02'
                    ID 'CUSTTYPE' FIELD 'B'.
    IF SY-SUBRC <> 0.
      MESSAGE E...
    ENDIF.

    If the authorization S_TRVL_CUS1 exists in the user's master record, the authorization check is successful. However, if the authorization S_TRVL_CUS2 exists, but not the authorization S_TRVL_CUS1, the check fails.

    Authorization assignment
    The system administrator is responsible for assigning user master records with the correct authorizations. You should use the Profile Generator to maintain authorization profiles. However, you can also change them manually. Each authorization object contains authorizations. These are grouped together in authorization profiles such that each authorization profile represents a job description, for example 'flight reservations clerk'. You assign one or more authorization profiles to each user master record. You can assign an authorization to as many authorization profiles as you like, and an authorization profile to as many composite profiles and users as you like. Composite profiles are used in manual authorization maintenance, and form a further division in the authorization structure. However, they are not strictly necessary.
                      User master record
                    Auth. profile  Composite auth. profile
               Authorization              Auth. profile
                 Values              Authorization
                                   Values
    plz reward if satisfied
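
The evaluation rule quoted in the post above (one single authorization must cover every field named in the check) modelled in Python as an added example; it is not SAP code and not part of the original post. The user names, the hypothetical Z_SPLIT_A / Z_SPLIT_B authorizations and the `*` customer-type value for S_TRVL_CUS1 (inferred from "all customers") are assumptions.

```python
"""Added model of the AUTHORITY-CHECK rule described in the post (not SAP code)."""

# Constructed user master records: authorization name -> (object, {field: values}).
# S_TRVL_CUS1 / S_TRVL_CUS2 follow the post; "*" for CUSTTYPE is an assumption.
# Z_SPLIT_A / Z_SPLIT_B are hypothetical and exist only to show the edge case.
USERS = {
    "USER_A": {"S_TRVL_CUS1": ("S_TRVL_BKS", {"ACTVT": ["02"], "CUSTTYPE": ["*"]})},
    "USER_B": {"S_TRVL_CUS2": ("S_TRVL_BKS", {"ACTVT": ["03"], "CUSTTYPE": ["B"]})},
    "USER_C": {
        "Z_SPLIT_A": ("S_TRVL_BKS", {"ACTVT": ["02"], "CUSTTYPE": ["P"]}),
        "Z_SPLIT_B": ("S_TRVL_BKS", {"ACTVT": ["03"], "CUSTTYPE": ["B"]}),
    },
}


def value_permitted(permitted, value):
    """True if value matches a literal, a trailing-* pattern or a (low, high) range."""
    for p in permitted:
        if isinstance(p, tuple):
            low, high = p
            if low <= value <= high:
                return True
        elif p.endswith("*"):
            if value.startswith(p[:-1]):
                return True
        elif p == value:
            return True
    return False


def authority_check(auths, obj, **fields):
    """Return the name of the one authorization that covers ALL fields, else None."""
    for name, (auth_obj, values) in auths.items():
        if auth_obj != obj:
            continue
        if all(value_permitted(values.get(f, ()), v) for f, v in fields.items()):
            return name
    return None


def naive_union_check(auths, obj, **fields):
    """Incorrect variant: pools field values across authorizations before checking."""
    merged = {}
    for auth_obj, values in auths.values():
        if auth_obj == obj:
            for field, vals in values.items():
                merged.setdefault(field, []).extend(vals)
    return all(value_permitted(merged.get(f, ()), v) for f, v in fields.items())


if __name__ == "__main__":
    # The check from the post: change (02) postings of business customers (B).
    for user, auths in USERS.items():
        hit = authority_check(auths, "S_TRVL_BKS", ACTVT="02", CUSTTYPE="B")
        pooled = naive_union_check(auths, "S_TRVL_BKS", ACTVT="02", CUSTTYPE="B")
        print(f"{user}: covered by {hit!r}, pooled-values check says {pooled}")
```

USER_C holds "02" in one authorization and "B" in another, so a review that only lists field values per user would overstate that user's access; the per-authorization check is the one that matches the rule in the post.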

  • HR Authorization issue

    Hello All,
    System: HRP
    Support pack: EHP5
    I have an issue with one user (HR team) under the HR system who has been assigned with the authorizations similar to other HR team members in the system.
    User 1: has authorizations (Structural and Standard) assigned, he is able to get to look up the Master Data for users under an Organization Unit.
    User 2: has an authorization similar to user 1, but he is NOT able to view the Master data for people under the same Organization unit.
    Your advice will be helpful.
    Vidyar.

    Hi Hari,
    Did you run the RHPROFL0 program?
    Ans : No
    1. Also can you please give us some more information are you assigning generic PD profiles(functional modules) or explicit org unit pd profiles?
    Ans: Generic PD profile that is created for the HR team is assigned.
    2. User 2 is just assigned PD profiles are any replacement of PD profiles if then there is another ABAP program should run
    Ans: Is just assigned the Generic PD profile.
    Regards
    Vidyar

  • SAP BW 7.0 Authorization problem

    HI,
    we have the following problem on our project and I hope someone can help us!
    First some input:
    We are working with Net weaver 2004s (SAP BW 7.0) and my user has the following profiles S_A.SYSTEM and SAP_ALL. We have loaded the following data model from BC: C0-OM-CCA and are working with info cube 0CCA_C11 (Costs and Allocation). It was possible to load data records from R/3 without errors.
    Now the problem:
    If we want to see the content of our info cube (without any selection) we get the following error messages:
    Message no. EYE007: You do not have sufficient authorization
    Diagnosis: You do not have sufficient authorization for the requested data records.
    Procedure: Either select other data records or get the required authorizations from your administrator.
    Message no. RS_EXECPETION251: User XX does not have authorization for Info Provider 0CCA_C11
    No further Information.
    Does someone know this problem and can help us? Maybe it is really a bug or it has something to do with the new authorization concept of SAP BW 7.0
    Thanks for your help and support!
    Jessica

    Hi Jessica,
    I would start standard authority tracing for your user in transaction ST01. But the authorization concept changed a lot. You should check
    Analysis authorization (http://help.sap.com/saphelp_nw2004s/helpdata/en/61/8c3842bb58f83ae10000000a1550b0/frameset.htm) and New authorization objects (http://help.sap.com/saphelp_nw2004s/helpdata/en/61/8c3842bb58f83ae10000000a1550b0/frameset.htm).
    Personally I would add SAP_NEW to your authorization that contains all new authorization objects or even better switch first back to the old authorization concept via SAP Customizing Implementation Guide -> SAP NetWeaver -> Business Intelligence -> Reporting-Relevant Settings -> General Reporting Settings -> Analysis Authorizations: Select Concept.
    Best regards
    Dirk

  • 'No authorization' error for selection values outside the authorized range

    Hi All,
    We are currently trying to use the authorization analysis concept for 'Cost center reporting'.
    We have made the 0COSTCENTER info-object authorization relevant and have created an analysis authorization object for it through RSECADMIN and we have maintained a single value as '1875'. We have assigned this object to 1 of the test users.
    So now if the user runs the report for cost center '1875', he is able to view the data/report. Now if he enters any other cost center apart from '1875' then he gets an authorization error (everything works as per requirement till this point).
    But now if the user enters multiple cost centers like 1875, 1876, 1877 as multiple single values and runs the report, he gets a 'No authorization' error.
    So all the experts, please let me know if it's possible in any way for the user to see the result/report for the value he is authorized to (in this case - 1875) and it should give an information/warning/error message saying that he is not authorized to the other cost centers (in this case - 1876, 1877).
    The same thing is occurring if the user enters a range. Suppose a user is authorized for cost center - 1875 to 1880. Now if he puts multiple single values or a range in between the authorized range then he can see the result, but if he enters even 1 single value outside the range he gets an error - what I mean by this is - if the user enters a range from 1875 to 1801, he does not get any data display but instead he receives an error message saying 'No authorization' even though he is authorized for all the cost centers in that range except 1801.
    I would really appreciate your help regarding this. Any comments/suggestions are very welcome.
    Thanks & regards,
    Sunny

    Hi Sunny
    That is the way analysis authorizations work!!
    If you ask for a number of values i.e. cost centers and you don't have authorization to *all* of them you will get a system error as you say.
    There is no way of partially evaluating the query as you suggest (only for the authorized values).
    Try to be less restrictive when defining characteristic values in RSECADMIN.
    In queries use variables with
    Processing by Authorization and Input Ready.
    So the system will tell the user which are the allowed values. In your example the system suggests the range 1875-1880.
    Hope this helps, regards
    Germá
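
The all-or-nothing behaviour described in the answer above, as an added Python model that is not SAP code and not part of the original thread: a selection runs only if every requested value is authorized, and a variable filled from the authorization keeps the user inside the allowed range. Treating cost centers as integers, the function names and the fact rows are assumptions made for the example.

```python
"""Added model of the all-or-nothing selection check from the answer (not SAP code)."""

# Constructed sample data: cost center -> posted amount.
FACTS = {1875: 100.0, 1876: 250.0, 1879: 75.0, 1881: 40.0}


def merge(intervals):
    """Sort inclusive (low, high) intervals and merge the overlapping ones."""
    merged = []
    for low, high in sorted(intervals):
        if merged and low <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], high))
        else:
            merged.append((low, high))
    return merged


def unauthorized_parts(selection, authorized):
    """Return the pieces of the selection that no authorized interval covers."""
    auth = merge(authorized)
    gaps = []
    for low, high in selection:
        cursor = low
        for a_low, a_high in auth:
            if a_high < cursor:
                continue
            if a_low > high:
                break
            if a_low > cursor:
                gaps.append((cursor, a_low - 1))
            cursor = max(cursor, a_high + 1)
            if cursor > high:
                break
        if cursor <= high:
            gaps.append((cursor, high))
    return gaps


def run_query(selection, authorized, facts=FACTS):
    """Execute only if the whole selection is authorized; never return partial rows."""
    gaps = unauthorized_parts(selection, authorized)
    if gaps:
        return {"status": "No authorization", "unauthorized": gaps, "rows": {}}
    rows = {cc: amount for cc, amount in facts.items()
            if any(low <= cc <= high for low, high in selection)}
    return {"status": "OK", "unauthorized": [], "rows": rows}


def variable_from_authorization(authorized):
    """Model of a variable filled by authorization: the selection is the allowed set."""
    return merge(authorized)


if __name__ == "__main__":
    allowed = [(1875, 1880)]  # the authorized range used in the thread
    for selection in ([(1875, 1875)],
                      [(1875, 1875), (1876, 1876), (1881, 1881)],
                      [(1870, 1882)],
                      variable_from_authorization(allowed)):
        print(selection, "->", run_query(selection, allowed))
```

The `unauthorized` list plays the role of the diagnostic an administrator would look for in the authorization log: it names exactly which requested values caused the rejection, while the user still receives no rows.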

  • Organisational Unit Authorization not getting effected

    Hi gurus,
    I'm facing a problem while providing the authorization. We have a role-based authorization structure. I had provided * in the organisational level for all plants or shipping points or any org element for master roles. But when I'm copying the master role to a derived role and I mention the respective plant in the org level, it doesn't take effect at the hierarchy below. It shows there as * only. The scenario is that org level authorization is not getting maintained at the hierarchy level below.
    Eagerly waiting for positive response.
    Regards,
    Amit

    Hi Nikhil,
    I think buffering CRM sales areas might help you.
    In CRM the sales areas are represented in the organizational model, this means they are not physically stored, but they are the result of the different combinations of sales organizations, sales offices, sales groups, channels and divisions maintained in the organizational model.
    Whenever a CRM transaction or a business partner needs the sales areas, they are calculated, and this is an expensive process. To speed up this process, the sales areas are buffered.
    Report HRBCI_ATTRIBUTES_BUFFER_UPDATE is used to buffer the attributes of organizational management objects. To enable buffering you have to maintain view T77OMATTR.
    1. Go to Tcode : OOATTRCUST
    2. Select the structure node Scenarios.
    3. Flag the field in the column Buffering for the scenario SALE.
    4. Choose Save (Ctrl+S).
    Then run the report in Tcode: sa38
    1. Tcode: sa38
    2. Select the report HRBCI_ATTRIBUTES_BUFFER_UPDATE.
    3. Flag the fields Delete All Buffers and Restructure Buffer on (Date).
    4. Choose Execute (F8).
    In Note 737315 further details regarding this topic are described. Note you can also schedule a job in transaction SM36 to run this report regularly.
    Hope this helps!
    Regards,
    Chethan

  • Authorization flow Business Transactions

    Hello partners,
    I have an issue with the authorization flow concept.
    My need is:
    A.- the transaction type z01 is only for the users that belong to unit org A, object CRM_ORD_OE
    B.- the transaction type z02 is only for the own transactions of the employee, object CRM_ORD_OP
    C.- the transaction type z03 is accessible for all users and does not depend on unit org or his transaction.
    So I have a doubt with the combination of all of them: how can I indicate to the system that for scenario A, I need the restriction only if the transaction type is Z01, and for scenario B only for Z02, and scenario C without restrictions?
    this is the help sap documentation:
    Process Flow of the Authorization Check in Business Transactions - Authorization Check in Business Transactions - SAP Li…
    Regards
    Roberto.

    Thanks Christophe,
    I analyzed the FM CRM_ORDER_CHECK_AUTHORITY_ACE,
    but when I try to search activities in the SALESPRO, component view BT126S_APPT/ApptSQ, the break does not work,
    in other views like search service request, the FM works OK,
    but for search activities it does not work,
    I'm not sure if I need a specific switch for that.
    Do you know?
    Regards

  • Data Structures and Algorithms in java book

    Hi guys,
    I want to know a good book which is good for Data Structures and Algorithms in java. I am good at Core java but a beginner for Data Structures in Java. I am a little poor in Data Structures concepts.
    Following are the books I have found on the net. Could you help me choose the best outta them.
    1. Data Structures and Algorithms in Java - Mitchell Waite
    2. Data Structures in Java - Sandra Anderson
    3. Fundamentals of OOP and Data Structures in Java - Richard Weiner & Lewis J. Pinson
    4. Object Oriented Data Structures Using Java - Nell Dale, Daniel T. Joyce, Chip Weems

    lieni wrote:
    A good data structures book doesn't have to be language-specific.
    Thx DrLazlo, my speech
    Yes.
    The OP wrote:
    I have access to these books and dont know which one to start with.
    What I meant is that you shouldn't narrow your search to insist that the book you choose have "Java" in the title.

  • Authorization best practices in AS Java

    I have been assigned the responsibility to create an authorization structure on the java stack.
    We would like to create groups with corresponding roles for developers and system administrators.
    Are there any best practices out there regarding this subject?
    I have currently started with looking at the standard actions and roles available in EP and will start from there, any other ideas?

    Dear Colleague,
    SAP NetWeaver Application Server (AS) Java includes the [identity management|http://help.sap.com/saphelp_nw70ehp1/helpdata/en/48/5069e9d6253912e10000000a42189b/frameset.htm] application for administration of users, groups, and roles. This [section|http://help.sap.com/saphelp_nw70ehp1/helpdata/en/48/ad6a169eff35b7e10000000a42189d/frameset.htm] lists administrative tasks, general and specific, for the management of users, groups, and roles.
    Regards
    Alvaro Raminelli

  • Data Structures in SQL Server

    Friends,
    I am giving a session on "Data structures and SQL Server" for one of the SQL Server communities in India.
    My idea is to explain high level concepts of data structures (Stacks, Queues, Linked lists, Trees, Graphs etc.)
    here are my questions.
    I'd like to know how data structure concepts are implemented in SQL Server components (at a high level).
    Here are some hints in my mind:
    1. Queues - SQL Server - DMVs for Processor Queue length, Disk Queue length etc.
    2. Linked Lists - SQL Server - Previous and Next page pointers in Page headers (and DBCC IND)
    3. Trees - SQL Server - Btrees in Indexes (DBCC IND and DBCC PAGE of Index pages)
    3. Linear Search - SQL Server - Table Scan
    4. Binary Search - SQL Server - Index Seek
    What i need is:
    1. Sorting algorithm used in SQL Server?
    2. Stack concept used in SQL Server? I think No
    3. what else data structure concepts are implemented in SQL Server (that can be demonstrated)
    Note: level: 300 - Intermediate to Advanced.
    Thanks in advance
    Ramkumar
    [email protected]
    Ramkumar Gopal Living For SQL Server Blog: http://www.sqlservercentral.com/blogs/livingforsqlserver/ Facebook: https://www.facebook.com/#!/groups/livingforsqlserver/ Twitter: https://twitter.com/LivingForSQL

    Hello,
    Take a look at some structures created for In-Memory OLTP (hash indexes, etc.)
    http://download.microsoft.com/download/5/F/8/5F8D223F-E08B-41CC-8CE5-95B79908A872/SQL_Server_2014_In-Memory_OLTP_TDM_White_Paper.pdf
    BUF Structures.
    http://blogs.msdn.com/b/karthick_pk/archive/2013/03/16/sql-server-memory.aspx
    Hope this helps.
    Regards,
    Alberto Morillo
    SQLCoffee.com

  • Authorization problem

    Hi experts,
    I have the following authorization problem:
    I have a role containing authorization for company code. The role contains several queries.
    Some of the queries contain authorization variable of company code but some are not restricted by any authorization.
    When I run the queries that are not restricted by authorizations I get an error: User is not authorized
    from RESCADMIN:  
    Message EYE007: You do not have sufficient authorization   
    No Sufficient Authorization for This Subselection (SUBNR)   
    Following CHANMIDs Are Affected:
    182 ( 0COMP_CODE )
    267 ( 0COMP_CODE__Z_EBUKR )
    Thanks,
    Hagit

    Dear Hagit,
    I'm going to try helping you regarding your question,
    Before give you some suggestion. I would like to check with you some item,
    The first is the authorization structure. The main authorization structure includes:
    Characteristics and Attribute Navigational are relevant authorization, as 0COMP_CODE.
    Roles, where are included authorization object to execute queries as S_RS_COMP, S_RS_COMP1, S_RFC and S_TCODE. In field of S_RS_COMP and S_RS_COMP1 is very important include the right technical name of the queries. Furthermore, add the S_RS_AUTH authorization object to join an analysis authorization.
    Analysis Authorization, where are included each characteristic and attribute navigational relevant authorization with specific value, as: "*" full access, ":" aggregate value, single value, range value or node of hierarchy.
    Query, where are include in some cases the characteristic relevant authorization with its variable authorization.
    InfoProvider, where are contain characteristic an attribute navigational relevant authorization.
    Regarding your Error:
    from RESCADMIN:
    Message EYE007: You do not have sufficient authorization
    No Sufficient Authorization for This Subselection (SUBNR)
    Following CHANMIDs Are Affected:
    182 ( 0COMP_CODE )
    267 ( 0COMP_CODE__Z_EBUKR )
    I suggest you, to try the following action:
    Query, in some queries where you haven't included the characteristic 0COMP_CODE in the row. Put in the default value the characteristic 0COMP_CODE with its variable authorization, not ready for entry and optional.
    Analysis authorization, you should add all of characteristic and attribute navigational relevant authorization available in the InfoProvider. Must be matching characteristic and navigational attribute relevant authorization, between analysis authorization and InfoProvider.
    Try to include in your analysis authorization the ":" value.
    Furthermore, try you execute tcode RSUDO, then RSECPROT you can get more information about your authorization system behavior. The first transaction is to execute a query with other user (select "with error log"), and the second is to display the error log.
    I hope these comments can help you,
    Luis
