Authorizations for report

Hi,
I have this report:
employee emp group emp sub group number of employees
What steps do I need to follow at RSA1?
What steps do I need to follow at RSECADMIN?
What steps do I need to follow at PFCG?
Can I get a step-by-step process?

Hi,
Do you want to restrict your report based on Employee? If so, follow the steps below.
RSA1 - Make the Employee InfoObject authorization relevant in the Business Explorer tab of the InfoObject.
RSECADMIN - Create an analysis authorization (AA) with the following InfoObjects.
0TCAACTVT
0TCAIPROV
0TCAVALID
0TCAKYFNM
and Employee InfoObject and restrict them with the values you feel you need to give authorization to.
Now assign the analysis auth to the user directly in RSECADMIN or you can create a role in PFCG and under the Authorization Object S_RS_AUTH give the new AA name.
Hope it helps.
You can go through the following document for detailed information on Authorizations.
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/659fa0a2-0a01-0010-b39c-8f92b19fbfea
Regards,
Gaurav
Edited by: Gaurav Kothari on Oct 15, 2008 5:10 PM

Similar Messages

  • Object level authorizations for reports

    HI
    I have 20 characteristics in the cube; around 15 have navigational attributes.
    I need to give authorizations for 5 objects only (navigational attributes).
    I have 10 reports; I need only 2 reports to be authorization relevant.
    If I restrict authorizations on 5 objects, does it affect all queries? In this scenario do I need to create 2 cubes?
    Please let me know.

    hi suneel,
    As you said you require authorization for 2 reports, you can restrict those InfoObjects with the authorization variables and in the other 3 reports use that object but do not restrict it with the authorization variables.
    So, the user will be able to see whole data for 3 reports where authorization is not used.
    Hope it is clear.
    Thanks
    Lavanya

  • Authorization for Report Painter

    Hi,
    we have a report in report painter with Company Code selection. May I know how to restrict the company code selection such that userA will see only company codeA data?
    i see there's an authorization group. may i know how to use the authorization group? may i have the detailed steps? thanks.

    ZL Goay,
    Follow these steps.
    1. Go to T-code SE54. There is a radio button for authorization group; just click it and create an authorization group, say ZGOAY.
    2. You can assign this to your report painter - go to header information and press F4 you should get 'ZGOAY' there.
    3. Assign this object group to the userA (Get help from Security team or BASIS)
    You may check the table TBRG for auth object and group relation
    reward if useful

  • Authorizations for report PC00_M99_CIPE  by field PayrollArea

    Hi experts.
    I have the following requirement:
    I need that by authorization the system allows to the managers of HR execute the  report standard PC00_M99_CIPE .
    only for the employee that have in the infotype 0001 field payroll area the same value that have the manager
    in his role.
    Example :
    Employee1
    Payroll area = A1
    Employee2
    Payroll area = A2
    Employee3
    Payroll area = A1
    Employee4
    Payroll area = A1
    Employee5
    Payroll area = A3
    Employee6
    Payroll area = A3
    When the Manager of HR execute the report, the system just take into account the employee that have Payroll area = A1 and A3 and not the employee with  Payroll area = A2.
    How can do this using roles, if the object P_ORGIN not have the field  Payroll area . I checked the t.code SU24.
    Thanks in advance for your help,
    Best Regards

    As far as I understand your issue you require 2 things.
    1. You want to segregate the access to Employees by their Payroll Area.
    2. You require that segregation only for transaction PC00_M99_CIPE.
    As you have mentioned already P_ORGIN does not check the Payroll Area.
    I would approach that as follows.
    Solution for number 1.
    A new Authorisation Object is required which will allow to check the Payroll Area. That can be done in transaction SU21. If you haven't created any object class in the customer naming space before I suggest you create a new customer object class first. That is what looks like a folder, and then you create in that object class a new Authorisation Object which has the field Payroll Area.
    You then assign the new authorisation object to the manager roles and just give them access to their payroll area.
    Solution for number 2 (enabling the new Authorisation Object).
    That will require some ABAP development. However you will get away without any modification. SAP has provided a BAdI to get that working.
    Let's step through that:
    You will need to implement SAP BAdI Definition HRPAD00AUTH_CHECK. BAdIs can be implemented with transaction SE19.
    When implementing the BAdI you must ensure that you always call the SAP standard. If we do not do that the SAP HR standard checks will not work.
    Therefore when you implement the BAdI do the following.
    - Create a class attribute in the implementing class of the BAdI. The attribute is a reference to the SAP standard authorisation class. The attribute should have Type : TYPE REF TO CL_HRPAD00AUTH_CHECK_STD
    - Create a Class Constructor in the implementing class of the BAdI. The class constructor should now create an instance of the SAP standard authorisation class. That instance is the attribute you have declared before.
    - Now you go through ALL the methods. In every method you must check first if your class attribute is not initial, otherwise create an instance of the SAP standard authorisation class (that instance is the attribute you have declared before and should normally exist as a result of the Class Constructor). Then you call the Interface Method of the SAP standard authorisation class. The interface method must have the same method name as the method you are working on.
    - If that has been done in ALL methods SAP standard is working again.
    Now the ADD ON for the new authorisation object.
    - Go in METHOD IF_EX_HRPAD00AUTH_CHECK~CHECK_AUTHORIZATION of the BAdI implementation.
    - After the call of the standard authorisation check at the end of the method you add your code for the new authorisation object.
    - First check the SY-TCODE is equal to PC00_M99_CIPE
    - now Read Infotype 0001 of the employee which is passed in the BAdI Method as import parameter.
    - Call the authorisation check (use the pattern function in the ABAP editor) for your new authorisation check. You pass the payroll area of the employee which you will have retrieved in the previous step.
    - check the SY-SUBRC after the authorisation check.
    - if SY-SUBRC is not initial, clear the Method export parameter IS_AUTHORIZED.
    Hope that helps.
    Best regards
    Karsten
    Edited by: Karsten Arold on Jul 25, 2010 12:12 PM
    I have created a documentation with screen shots on how to do it.
    Please follow the link. http://www.mediafire.com/file/k6r4yb862w7revi/Creation of a new HR Authorisation Checks.pdf
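
    The steps above, written out as the two methods of the BAdI implementing class. This is an added example, not code from the original post or from SAP; the authorization object Z_PAYRAREA with field ABKRS, the attribute name GO_STD, and the parameter list of the delegated standard call are assumptions.

    ```abap
    * Added example. Assumptions (not from the post): custom authorization
    * object Z_PAYRAREA with field ABKRS created in SU21; static attribute
    * GO_STD (TYPE REF TO cl_hrpad00auth_check_std) declared in the class;
    * the importing parameter names of CHECK_AUTHORIZATION used below.
    * Generate the real call with the editor's Pattern function.

    METHOD class_constructor.
      " One shared instance of the SAP standard authorisation class
      CREATE OBJECT go_std.
    ENDMETHOD.

    METHOD if_ex_hrpad00auth_check~check_authorization.
      DATA: lv_pernr TYPE pa0001-pernr,
            lv_abkrs TYPE pa0001-abkrs.

      " Step 1: always run the SAP standard check first
      IF go_std IS INITIAL.
        CREATE OBJECT go_std.
      ENDIF.
      CALL METHOD go_std->if_ex_hrpad00auth_check~check_authorization
        EXPORTING
          level         = level
          tclas         = tclas
          pernr         = pernr
          infty         = infty
          subty         = subty
          begda         = begda
          endda         = endda
        IMPORTING
          is_authorized = is_authorized.

      " The add-on may only narrow the standard result, never widen it
      IF is_authorized IS INITIAL.
        RETURN.
      ENDIF.

      " Step 2: the extra check applies to this transaction only
      IF sy-tcode <> 'PC00_M99_CIPE'.
        RETURN.
      ENDIF.

      " Step 3: payroll area from infotype 0001, record valid today.
      " Direct read of PA0001 so the lookup does not itself trigger
      " an HR authorization check.
      lv_pernr = pernr.
      SELECT abkrs FROM pa0001 INTO lv_abkrs UP TO 1 ROWS
        WHERE pernr = lv_pernr
          AND begda <= sy-datum
          AND endda >= sy-datum.
      ENDSELECT.
      IF sy-subrc <> 0.
        " No valid record: deny rather than fall through (design choice)
        CLEAR is_authorized.
        RETURN.
      ENDIF.

      " Step 4: check the employee's payroll area against the user's role
      AUTHORITY-CHECK OBJECT 'Z_PAYRAREA'
        ID 'ABKRS' FIELD lv_abkrs.
      IF sy-subrc <> 0.
        CLEAR is_authorized.
      ENDIF.
    ENDMETHOD.
    ```

    SY-TCODE holds the transaction the user started, so the payroll-area check applies only when the report is launched through PC00_M99_CIPE. The manager role then carries Z_PAYRAREA with only its own payroll areas, for example A1 and A3 from the question.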

  • Authorizations for report by field PayrollArea

    Hi experts.
    I have the following requirement:
    I need that by authorization the system allows to the managers of HR execute the  report standard PC00_M99_CIPE .
    only for the employee that have in the infotype 0001 field payroll area the same value that have the manager
    in his role.
    Example :
    Employee1
    Payroll area = A1
    Employee2
    Payroll area = A2
    Employee3
    Payroll area = A1
    Employee4
    Payroll area = A1
    Employee5
    Payroll area = A3
    Employee6
    Payroll area = A3
    When the Manager of HR execute the report, the system just take into account the employee that have Payroll area = A1 and A3 and not the employee with  Payroll area = A2.
    How can do this using roles, if the object P_ORGIN not have the field  Payroll area . I checked the t.code SU24.
    Thanks in advance for your help,
    Best Regards

    HI,
    Check how the payroll area is defaulted in feature "ABKRS".
    Include the PA/EG/ESG in P_ORGIN for the employee.
    Also check if any structural authorizations are there or not.
    If this still does not resolve it, use TCODE SU53 after executing the report.
    -Param

  • BW 3.5: flexible Authorizations for reporting

    Hi Experts,
    I am looking for a solution for flexible reporting authorizations.
    The background:
    There are lots of Profit Centers in our system. Currently, we have created lots of Roles/Profiles which include fixed values defined to limit access for users. The maintenance effort is getting higher and higher.
    I heard there could be a flexible solution to use BEX variable typed Authorization and the authorization values can be determined via BEx user exit. Finally, I need only one profile for all users. But I don't know how to implement this flexible solution.
    If anyone out there could share the knowledge it would be great.
    Thanks for your help in advance!
    Regards,
    Sally

    Hi
    First make the info object authorization relevant in the business explorer tab of the info object.
    Please follow the steps below:
    1. Go to the RSECADMIN tcode to create an analysis authorization object for Profit centre
    2. Click on Maintenance
    3. Give a name and click on create
    4. Give the info object name as profit centre under char/dimension
    5. Double click on info object profit centre or click on details
    6. Under the value authorization tab, give the variable name. (The variable name should start with the $ symbol, e.g. $test.)
    Write the logic for the customer exit variable in the function module EXIT_SAPLRRBR_001 inside of enhancement RSR0001 via tcode CMOD. A variable of processing type authorization reads the values from authorizations of a user. A variable of processing type customer exit reads the variable values using a selection routine placed in the function module.
    Assign the authorization object to all the user instead of creating new profile with the hard coded values.
    The advantage of this method is that you can give all users the same authorization by placing the variable name with a $ sign in front of it instead of a value in the characteristic value (or the hierarchy node).
    The variable can also of course be used in the query, but this is not absolutely necessary. You can also filter using another variable or with fixed value restrictions in the query.
    Hope it helps.
    Regards
    Sadeesh

  • Authorization  for Report Execution

    Hello Experts,
    There is a BEx Report in production, which is visible to me and i can execute.  But at the same time, the user is not able to view or execute the report. The report is developed in the production itself and not in development box  and transported.  This is surely related to authorizations.. Can anybody suggest how can I grant the user authorization so that he can view and execute the report but not modify.
    I have authorization at DEV, QA and PROD.
    Best Regards!

    Hi,
    Not sure whether it's an authorization issue or something else.
    But he may be unable to find the exact BEx query.
    You can guide him (info area --> info cube --> BEx query) on how to find the exact query while opening BEx Designer or Analyzer.
    Meanwhile you can give the BEx query technical name to the user and ask him to run it at RSRT.
    That may give some idea
    whether it's an authorization issue or he is unable to find it in Query Designer while opening.
    Thanks

  • User Authorization for a Query

    Hi,
    I have assigned a single role to a user, in which I have authorization for all the Infoproviders, including authorization for reporting. The user is able to access most of the queries, except one query. If there is a problem, he should not have accessed all the queries.
    What problem could have prevented the user from accessing one particular query?
    Any Ideas will be highly appreciated,
    Thanks and Regards,
    Ravi Sankar

    Some possibilities:
    The one query which the user is not able to run , who is the author of this query?
    You need to give authorization for the object S_RS_COMP1.
    If the user has authorization for this object, then the next possibility is:
    The query may have a filter or a characteristic value for which the value is not set for the user.
    Ravi Thothadri

  • Authorization for report RPUAUD00

    Hi all,
    is it possible to create authorization for report RPUAUD00 to work like this:
    if user start report it should display only changes which he makes.
    if hr manager start report it should display all changes for all users.
    Best regards.

    Hi,
    You can find the Date & Time from PCL4 cluster table.

  • BW report authorization for restrict cost center

    dear all,
    i have problem on BW report authorization for restrict cost center.....when i execute the query, after selection screen, appear error message 'you cannot change zv_cctr for characteristic 0COSTCENTER during query'.
    note : zv_cctr is variable restriction for costcenter, type processing = customer exit.
    below the customer exit :
    WHEN 'ZV_CCTR'.
        IF i_step = 2.
          DATA : gt_mstuidvscc TYPE TABLE OF  ztbw_mstuidvscc,
                 gs_mstuidvscc TYPE  ztbw_mstuidvscc,
                 wa_final2(10) TYPE c.
          " Read the cost centers mapped to the current user.
          " sy-uname must be the system field, not the literal 'sy-uname'.
          SELECT * FROM ztbw_mstuidvscc INTO CORRESPONDING FIELDS OF TABLE gt_mstuidvscc
            WHERE userid = sy-uname.
          LOOP AT gt_mstuidvscc INTO gs_mstuidvscc.
            wa_final2 = gs_mstuidvscc-kostl.
            CLEAR l_s_range.
            l_s_range-sign = 'I'.        " include the value
            l_s_range-opt = 'EQ'.
            l_s_range-low = wa_final2.   " a single EQ value belongs in LOW
            APPEND l_s_range TO e_t_range.
          ENDLOOP.
        ENDIF.
    Regards,
    Tony

    i defined variable as ready for input and mandatory.
    regards,
    Tony

  • Report S_ALR_87013105 : no authorization for the report/ table 7KU6_001

    Hi Gurus,
    While executing the program S_ALR_87013105 (Detailed Reports For Sales Order : Plan/Actual Comparison ) system showing the selection log.
    "Have no authorization for the report/table  7KU6_001 and 7KU6_002".
    But for the user the authorization check through SU53 was successful.
    Pl can any one suggest on this issue.
    Thanks in advance,
    Vijay

    Hi,
    Contact your basis consultant to provide the missing authorisation. This is one of the authorisation object.
    Regards,
    Sankar

  • How many ways we can create authorization for user groups in sap query reports

    Hi Gurus, I am getting a problem when I am assigning users to user group in sap query report .The users other than created in user groups are also able to add &change  the users .So please suggest me how to restrict users outside of the user group.
    Please send me if u have any suggestions and useful threads.
    Thank You,
    Suneel Kumar.

    I don't think it can be done. According to the link below 'Users who have authorization for the authorization object S_QUERY with both the values Change and Maintain, can access all queries of all user groups without being explicitly entered in each user group.'
    http://help.sap.com/saphelp_46c/helpdata/en/d2/cb3f89455611d189710000e8322d00/content.htm
    Although I think you can add code to your infoset and maybe restrict according to authority group, i.e.:
    Use AUTHORITY-CHECK to restrict access to the database based on user.
    Press F1 on AUTHORITY-CHECK to find out how to use it in the code

  • Authorization for Web report

    Hello Experts,
    One of my users wants to see a report in the web and wants an authorization for the same. When he is trying to execute the query in the WEB he is facing the following error.
    User SCANESIN has no RFC authorization for function group SDIFRUNTIME.
    What steps do i need to follow to resolve this issue.
    Regards,

    Hi,
    You can solve this problem with the help of your basis person.
    Go to the role of that user using RSECADMIN. Find the authorisation object S_RFC. Include SDIFRUNTIME in
    'Name of RFC to be protected' field. Activate the role.
    Regards
    Githen

  • Roles & Authorizations for Web Reports...

    Hello Experts,
    We are newly implementing Web Reports in our organization. I need your great thoughts regarding implementing Authorizations for users to access the reports.
    We are using a report menu page that contain links to all the reports. The page opens by clicking on a link on the portal. The individual reports are basically accessed from this page by clicking on the corresponding button (links a URL ).
    I wonder if there is any way to look into the menu page (XHTML code of that web page/application) when ever the users click on the reports link and disable those buttons that the users are not allowed to access depending on the roles users are assigned to. Otherwise is there any better way to do it.
    And also how to call a function from web applications.
    This is a kind of urgent issue any quick ideas would be greatly appreciated.

    I apologize for the difficulty in reading this  I will repost.
    We have had no training or received any documentation on WAD.  The below was created from internet research.  Hence there may be WAD functionality that would allow easier maintenance, however; this is what we use.
    With our dashboard, I have a web template that contains hyperlinks for our reports.  I will call this HeaderTemplate1.  For each web page I have report templates.  These report templates have the HeaderTemplate1 mentioned above as well as the report tables, charts, text elements, tabs, etc.
    The JavaScript logic for accessing the urls of the specific report templates is contained within our HeaderTemplate1.
    Below is how our setup was tested.  Keep in mind, this was only for testing basic functionality.  If this is something we use I will most likely create a master data table that houses the user ID and an attribute for the header type.  Thus, any report menu changes can be altered quickly without changing the javascript of each report template.  Also this will accommodate the few thousand users we have.
    To add the functionality of different 'menus', I created another header template with the same hyperlinks of HeaderTemplate1 with the exception of one or two hyperlinks.  This, HeaderTemplate2, was added to each report template just below HeaderTemplate1.  Note that both HeaderTemplate1 and HeaderTemplate2 were set as visible on each report template.
    Also, on each report template I added a text element.  The 'List of Text Elements' property was set as such; Element Type = General Text Symbol,  Element ID = SYUSER.  This Text Element was linked to a query  or view from BEx via the dataprovider.  On the HTML side, I surrounded this Text Element with
    <Font ID="UserID",,,textelement....</Font>
    Each Report template has this javascript function, fnRepOnLoad, which is triggered at the OnLoad event.
    <SCRIPT language = "JAVASCRIPT">
      function fnRepOnLoad() {
        // The text element wrapped in the UserID font tag holds the user ID
        var user_ID = document.getElementById("UserID").innerHTML;
        if (user_ID == 'USER123') {
          // Hide HeaderTemplate1 and take it out of the page flow
          document.all["HEADTMPLT1"].style.visibility = 'hidden';
          document.all["HEADTMPLT1"].style.position = 'absolute';
        } else {
          // Hide HeaderTemplate2 and take it out of the page flow
          document.all["HEADTMPLT2"].style.visibility = 'hidden';
          document.all["HEADTMPLT2"].style.position = 'absolute';
        }
      }
    </script>
    The function results as this.  If the user is USER123, HeaderTemplate1 is hidden, leaving only HeaderTemplate2 visible.  Otherwise HeaderTemplate2 is invisible leaving only HeaderTemplate1 visible.
    We do not use buttons as our global leaders prefer hyperlinks but buttons can be enabled or disabled similarly.
    As mentioned before, if this method is implemented, I will create a reportable master data table.  Create a customer exit variable to retrieve the header template required for the user.  This header template variable value will then be pulled by a text element on each report template.  The script function will act as follows.  If many report headers are necessary I may use a case statement.
    Var User_template=document.getElementById("UserTmplt").innerHTML;
    If UserTmplt = HeaderTemplate1
    -->  make all header templates other than HeaderTemplate1 invisible
    else
    -->  make all header templates other than HeaderTemplate2 invisible
    etc...
    I hope this helps.  Please keep me posted with your solution.  I am very interested to learn what others are doing.
    Best Regards,
    Larry

  • "Low-level" authorizations for accessing BW reports - add users to role

    Using the advice in Topic "Low-level" authorizations for accessing BW reports, I have been able to publish a query to a role that has 3 test users and each user gets the same query but with different data, as determined in the tables.
    Is there a way to look up the users and e-mail addresses from a table and associate them to the role? We have several hundred e-mail recipients that will not need BW access, but only need an e-mail with a static report that contains data on their own territories.

    Hi!
    I think programmatically it might be complex. You have to maintain a separate variant of the report per user and use this variant to send mail. That means you need to maintain a variant and a Broadcast setting per user. Once maintained you can use it any number of times; the values will be recalculated every time.
    with regards
    ashwin
    PS: Assigning points to the helpful answers is the way of saying thanks in SDN.  You can assign points by clicking on the appropriate radio button displayed next to the answers for your question: yellow for 2, green for 6 points(2) and blue for 10 points and to close the question and mark it as problem solved. Closing the threads which have a solution will help the members to deal with open issues without wasting time on problems which have a solution, and also the people who encounter the same problem in future. This is just to give you information as you are a new user.
