Authorizations for Variables

Similar Messages

• Authorizations for variable input

  Hi all.
  I am facing the problem restricting users to input variables in BEX and BPS-SEM
  The situation is that I can restrict the variables user can choose from the list (F4 input help) using S_TABU_LIN. The user sees only that masterdata values that he is authorized. Everything is fine, but... If user enters value directly, there is no check performed on mastedata. User actually can enter any value that exists in masterdata. The same situation in SEM forms.
  I need to restrict user to be able to choose only particular values (separate list for each user/role)

  Try executing NW2004s transaction RSECADMIN
  and investigate using option Analysis-->Execution as with the particular user and the options available ...individually.
  Hope it Helps
  Chetan
  @CP..

• Abort Could not determine a value for variable 0DAT from the authorizations

  Hi All,
  I encountered an error '/ Abort Could not determine a value for variable 0DAT from the authorizations\' when executing my query on a multiprovider in BW 3.5.
  Can anyone help me in finding a solutionn to this issue.
  Thanks,
  Kartik.

  Hi Kartik,
  I am sorry as that note is for NW2004s. Please check if 0DAT variable installed from a business content? if not then I think thats the cause of the problem.
  Hope this helps,
  Bye...

• BW report authorization for restrict cost center

  dear all,
  i have problem on BW report authorization for restrict cost center.....when i execute the query, after selection screen, appear error message 'you cannot change zv_cctr for characteristic 0COSTCENTER during query'.
  note : zv_cctr is variable restriction for costcenter, type processing = customer exit.
  below the customer exit :
  WHEN 'ZV_CCTR'.
      IF i_step = 2.
        DATA : gt_mstuidvscc TYPE TABLE OF  ztbw_mstuidvscc,
               gs_mstuidvscc TYPE  ztbw_mstuidvscc,
               wa_final2(10) TYPE c.
        SELECT * FROM ztbw_mstuidvscc INTO CORRESPONDING FIELDS OF TABLE gt_mstuidvscc
          WHERE userid = 'sy-uname'.
        LOOP AT gt_mstuidvscc INTO gs_mstuidvscc.
          wa_final2 = gs_mstuidvscc-kostl.
          l_s_range-opt = 'EQ'.
          l_s_range-high = wa_final2.
          APPEND l_s_range TO e_t_range.
        ENDLOOP.
      ENDIF.
  Regards,
  Tony

  i defined variable as ready for input and mandatory.
  regards,
  Tony

• What's the best way to do authorization for my app?

  The authorization situation is somewhat complicated for my app.
  Each component of the app is authorized based on not only the user, but also the page number, the value of at least one P0_ITEM.
  From what I've seen so far, there are two different options of setting the authorization for the component:
  1. Set its Condition
  2. Set its Security Authorization Scheme
  Here is my understanding for each (from my limited experience with APEX):
  1. Set its Condition
  + Can pass in parameters such as :APP_USER, page numebr, P0_ITEM. So I can just create one function that does all the authorization
  - Have to combine the SQL query with the component's non-authorization display conditions, if any.
  2. Set its Security Authorization Scheme
  + By name, it seems like it should be used for authorization
  - Cannot take in parameters relating to the page, such as the page number --> therefore I will need to create many different schemes, for all the different pages.
  #2 will end up with a long list of schemes (each with its own SQL queries) for different pages, which doesn't seem as efficient as #1 with far fewer SQL queries and just take in parameters.
  Which one should I pick?
  Thanks!

  953006 wrote:
  Thanks fac586 for the detailed response, and also everyone else who replied. You guys are very helpful and respond promptly. And we'd appreciate it if you changed "953006" into a real handle promptly.
  Andre mentioned using conditions:
  The way I work around this is to have two functions, one which is used at the page level as a normal authorization scheme and one which can be passed variables which is called as a Condition and the name of the item is one of the variables, in effect giving it "self awareness".But fac586 said:
  You can't pass "parameters" to authorization schemes. Use application items, APEX collections or application contexts to set current context before the authorization scheme is evaluated, and access these values in the functions.Does this mean, fac586, that we can avoid conditions altogether? No, it means that I prefer to use Authorization Schemes to control access to resources based on user privileges and security, and Conditions to control rendering and processing for functional reasons. Using the approach described above I have found it possible to maintain this separation.
  Say if a page has two buttons, Button_A and Button_B. Button_A has a set of requirements for displaying and Button_B has its own set of requirements (some of which are shared with Button_A). So far, the only way that I can see of using pure authorization is to write 2 different authorization schemes, and set the authorization schemes for the two buttons respectively.What's the problem with that? Consider a more concrete example using a standard APEX report/form pattern for customer maintenance. Page 6 contains the report, and page 7 is the maintenance form with P7_CREATE and P7_SAVE buttons. Only users entitled to create new customers should have access to P7_CREATE, and only users able to edit customers access to P7_SAVE. This would be controlled by the CREATE_CUSTOMER and EDIT_CUSTOMER authorization schemes respectively. Functionally, conditions are used to show P7_CREATE if the P7_CUSTOMER_ID is null, and P7_SAVE if it's not null. We don't mix non-functional security considerations with functional requirements.
  The CREATE_CUSTOMER and EDIT_CUSTOMER authorization schemes are of type PL/SQL Function Returning Boolean. These are implemented using package functions. Exactly how a user has create/edit customer privilege is determined in the package. Determinants that are shared by multiple schemes can be combined at this level. These implementations can be changed as necessary without requiring changes to the application.
  The authorization schemes are reusable across pages and components. On page 6, CREATE_CUSTOMER can be used on the "Create New Customer..." button; EDIT_CUSTOMER on the report column containing the "Edit" links.
  Each component of the app is authorized based on not only the user, but also the page number, the value of at least one P0_ITEM. So I guess this goes back to my original concern with Authorizations:
  [Using purely authorizations] will end up with a long list of schemes (each with its own SQL queries) for different pages [and page items] ....
  Re: VPD policies. Note that in the example above there's no need for the authorization schemes to "know" which pages/items are being evaluated. The P7_SAVE button and the page 6 link column are involved with the EDIT_CUSTOMER operation, so that authorization scheme is applied to them.

• Customization of "No Authorization" for Query in BI!!!

  Hi,
  Have a query on when we get a no authorization for a query in BI. Can we customize the error message or create pop up in analyzer to show the user that he does not have access to a particular value like a Company Code etc.
  Also is it possible to show data to the user for which he is authorized even if he has put in fields to which he has no access.
  Thanks,
  Yogesh

  May be you can try Authorization Fill variable.
  To see what the user ID is Authorized to see use RSECADMIN (Only in BI7.0) and see for Error Logs under Analysis.
  AB

• Error-Specify a value for variable

  Dear All,
  We upgraded our BW system to BI 7 SP 15. We are getting following error when executing queries in Bex.
  Specify a value for variable Company Code
      Message no. BRAIN629
  Diagnosis
      The variable cannot be empty. You must make an entry in the variable
      maintenance for variable Company Code.
  System Response
  Procedure
      Enter a value. Use the search help (F4) if necessary.
  Procedure for System Administration
  Interesting thing is that this error is faced by only 2 users in all upgarded systems.
  We created test user with same roles and we are getting error for these test users as well. All other users can run these queries without any problem. When we gave them sap_allprofile, it worked but I dont think this an authorization issue as these user can execute reports in web without any error.
  Second interesting thing is that, I applied note 1085822. This solved the problem. But on next day while closing this issue formally we found it is not working again and giving the same error.
  I checked other notes but these are not suitable for SP15.
  Any pointer/help will be well appreciated.
  Regards,
  Niraj

  Hi All,
  Resolved this issue by giving authorization obj S_BDS_D value display.
  Regards,
  Niraj

• Issue with authorizations for BPS

  Hi Experts,
  There was an issue with authorizations for BPS. We have a large number of agents that need to enter plan data via a layout. In order to control the necessary authorizations, we would like to filter via something similar to a user exit using a function module in order to avoid having to define authorization objects for each of the agents who have access to the systems. Right now, we are not sure if there is user exit concept available as it is for BW variables. Any body experienced similar issue may share their experience.
  Regards,
  Ankit

  Hi,
  In BPS, you can use user specific variables or you can set up a Variable of type exit. You can also have a variable of type authorization which uses the security / authorization of the BW system.
  Hope it helps...
  Cheers,
  Tanish

• Authorization for navigational attribute

  Hi Gurus,
  I am facing an authorization issue with respect to infoobject hierarchy. I have created authorizations as below.
  There one infoobject 'A' and a navigational attribute 'B' in infoobject 'A'. This navigational atribure A_B is used in an infocube.  And hierarchy is uploaded to Infoobject 'B'. Now I want to give authorization for this hierarchy in infoobject 'B'.
  Now coming to authorization.
  1. I have made Infoobject 'B' as authorization relevant in Business explorer tab.
  2. Created authorization object say ABC in RSSM and inculded infoobject 'B' & 0TCTAUTHH (since I want to authorize the hierarchy and we are using 3.5 authorization concepts in BI 7.0).
  3. Activate this authorization object for the infocube.
  4. Included this authorization object in the role included for my user. In the field 'B' of authorization object I have given ' ' (space) and in the field 0TCTAUTHH I have given the technical name of the hierarchy.
  4. In 3.5 query designer I have put this navigational attribute A_B in the filter area and activated the hierarchy in the properties tab for the same hierarchy that I inculded in previous step.
  5. Created a variable with processing type authorization.
  Now when I run this report I get an error as no authorization for object ABC.
  Can someone help me if I have done anything wrong.
  Thanks,
  Sandeep

  Hi,
  In the infoobject A maintenance screen check the chekc box for field "AuthorizRelevant" for B to make it authorization relevant navigational attribute.
  Then go to RSECADMIN and ope your relevant authorization.
  In the menu bar just above the "Authorization Structure" you will find the button with icon of infoobject.
  Chick on this icon this will give you a screen to enter characteristic name of which attributes are to be added to authorization.
  Enter the infoobject A name here and click on continue.
  This will give you list of all authorization relevant navigational attributes present for A.
  Add B from this list to the authorization.
  Hope this helps.
  - Geetanjali

• 'Authorization for replace' sy002

  SAP System gives me this error in debbuging mode. I suppose it is something related to authorization when modifying the content of variables (which is what I was doing).
  What would be the problem ?
  Thanks in advance.

  > The message is 'No authorization for replace' - message type sy002.
  I am not logged on and still dont know which program you are debugging... The system might be throwing an error message which does not relate to the real cause. Unlikely... Most likely an authorizations issue. If I may be honest with you (no offense!) if you do not know which object controls debugging and what it does to a SAP system..., then I would personally not give you debug authority in a system (I also do not have any debug authority - it was removed from my roles at my request). Only in some lab systems... (an one or two temporary exceptions).
  > The change mode is not activated however I am supposed to be able to debug a program in Test System even changing the value of a specific variable defined in the program. In fact, I am allowed to debug the program but I can not change the value of a variable in debugging mode. (Perhaps it is because of the change mode status). That's why the system is showing me the error.
  So you cannot activate the change mode? Are you setting a break-point, a watch-point or are you running a it from the start in the debugger? Are you executing it in the debugger from the tcode, or from Se38 etc? It the "productive" test client, the system might also react differently (which release are you on and which SCC4 settings does that client have?).
  > Is it possible to change the authorization without having to make any more changes in the System?
  Don't do that. I would reject the development and ask the developer to join you for the debugging session to see why those variables are incorrect. Your debugging mthod (or mode) may be incorrect (likely), or, the developer will have to go back to the drawing board in a development system or sandbox (sort of equaly likely, depending on the developer).
  > The change mode can not be activated instead I want to grant access in order to be able to change the value of some varibles defined to see the results given.
  See above. Besides that, the developer should ideally have handled those exceptions so that you do not get an incorrect variable; you only get an incorrect output in display mode (and send their code back for a rework, or invite them over...).
  Hope that helps, sorry for the many questions...
  Julius

• Value  for variable *** hierarchy Version is invalid

  hi ALL
  for one Of the user, when he tries to run the report he is freequently facing this situation. he is getting the error like : "Value  for variable *** hierarchy Version is invalid" . but the same report is working for other users.
  The starange part is . those variables are not mandatory selections, they are userentry optional values.
  we tried with authorization team also . that is not the probelm.
  how can i solve this...
  any ideas?
  Praveen.
  Message was edited

  Praveen,
  Please check if there is any "Personalization of variable" setting for that variable.
  Raju

• Roles & Authorizations for Web Reports...

  Hello Experts,
  We are newly implementing Web Reports in our organization. I need your great thoughts regarding implementing Authorizations for users to access the reports.
  We are using a report menu page that contain links to all the reports. The page opens by clicking on a link on the portal. The individual reports are basically accessed from this page by clicking on the corresponding button (links a URL ).
  I wonder if there is any way to look into the menu page (XHTML code of that web page/application) when ever the users click on the reports link and disable those buttons that the users are not allowed to access depending on the roles users are assigned to. Otherwise is there any better way to do it.
  And also how to call a function from web applications.
  This is a kind of urgent issue any quick ideas would be greatly appreciated.

  I apologize for the difficulty in reading this  I will repost.
  We have had no training or received any documenation on WAD.  The below was created from internet research.  Hence there may be WAD functionality that would allow easier maintenance, however; this is what we use.
  With our dashboard, I have a web template that contains hyperlinks for our reports.  I will call this HeaderTemplate1.  For each web page I have report templates.  These report templates have the HeaderTemplate1 mentioned above as well as the report tables, charts, text elements, tabs, etc.
  The JavaScript logic for accessing the urls of the specific report templates is contained within our HeaderTemplate1.
  Below is how our setup was tested.  Keep in mind, this was only for testing basic functionality.  If this is something we use I will most likely create a master data table that houses the user ID and an attribute for the header type.  Thus, any report menu changes can be altered quickly without changing the javascript of each report template.  Also this will accomodate the few thousand users we have.
  To add the functionality of different 'menus', I created another header template with the same hyperlinks of HeadertTemplate1 with the exception of one or two hyperlinks.  This, HeaderTemplate2, was added to each report template just below HeaderTemplate1.  Note that both HeaderTemplate1 and HeaderTemplate2 were set as visible on each report template.
  Also, on each report template I added a text element.  The 'List of Text Elements'property was set as such; Element Type = General Text Sympol,  Element ID = SYUSER.  This Text Element was linked to a query  or view from BEx via the dataprovider.  On the HTML side, I surrounded this Text Element with
  <Font ID="UserID",,,textelement....</Font>
  Each Report template has this javascript function, fnRepOnLoad, which is triggered at the OnLoad event.
  [<SCRIPT language = "JAVASCRIPT">                       
    function fnRepOnLoad()
      var user_ID=document.getElementById("UserID").innerHTML;
      if (user_ID=='USER123')
        document.all["HEADTMPLT1"].style.visibility = 'hidden';
        document.all["HEADTMPLT1"].style.position = 'absolute';
      else         
        document.all["HEADTMPLT2"].style.visibility = 'hidden';
        document.all["HEADTMPLT2"].style.position = 'absolute';
  </script>
  The function results as this.  If the user is USER123, HeaderTemplate1 is hidden, leaving only HeaderTemplate2 visible.  Otherwise HeaderTemplate2 is invisible leaving on HeaderTemplate1 visible.
  We do not use buttons as our global leaders prefer hyperlinks but buttons can be enabled or disabled similarly.
  As mentioned before, if this method is implemented, I will create a reportable master data table.  Create a customer exit variable to retrieve the header template required for the user.  This header template variable value will then be pulled by a text element on each report template.  The script function will act as follows.  If many report headers are necessary I may use a case statement.
  Var User_template=document.getElementById("UserTmplt").innerHTML;
  If UserTmplt = HeaderTemplate1
  -->  make all header templates other than HeaderTemplate1 invisible
  else
  -->  make all header templates other than HeaderTemplate2 invisible
  etc...
  I hope this helps.  Please keep me posted with your solution.  I am very interested to learn what others are doing.
  Best Regards,
  Larry

• Authorizations for planning

  Hi,
  We are facing the following issue concerning authorizations for integrated planning.
  An employee 'X' should be authorized to change its own planning and display the planning of other employees. Furthermore the employee should see WBS elements 1 & 2 while planning and all WBS elements while displaying.
  I created two authorizations:
  1) EMPLOYEE = 'X', ACTIVITY = '02', WBS = 1, 2
  2) EMPLOYEE = '', ACTIVITY = '03', WBS = ''
  and an authorization variable, which is in the characteristic restrictions of the query.
  By doing this, while running the query the employee always gets to see ALL the WBS elements (for all employee numbers). While changing his own planning, he gets the message 'insufficient authorizations'.
  How can this issue be solved in analysis authorizations?
  Thanks in advance.
  Dave

  Hi,
  Check this:----
  HR Authorization: In a nutshell...
  Regards,
  Suman

• Authorization for the Tax auditor

  Dear All,
  We are facing the problem to acces the person who got transftered to the other department.
  Tax auditor should have access to all the person which is belonging a personal area, Even if the person got tranfered to other personal area and was belong to that same  personnel area.
  Since LDB is reading the first record for the IT0001.We have given the access in the role for the infotypes with a  personal area.
  Auditor is not able to see the record for the transferd person.
  We tried to copy the program RPCAOKD0 and override the standard authorization check using the statement
  pnp_sw_skip_pernr = 'N'.
  but not working.
  Please sugest.
  Thanks
  Vikas

  Hi,
  You can change the code below
  *---Authorization for Company code entered by the users.
  *---This code will restrict users to see data for company
  *---codes which they are not authorized to.
  *---Select all the company codes based upon selection entered by the
  *---user
  SELECT bukrs
     FROM t001
     INTO TABLE li_bukrs
    WHERE bukrs IN z_bukrs.
  IF sy-subrc EQ 0.
  *---Clear Screen variable for Company code
     CLEAR z_bukrs.
     REFRESH z_bukrs.
  *---Filter and prepare Select options for Company code table to be
  *---passed to query. Table will only have values of company codes he is
  *---authorized to for display.
     LOOP AT li_bukrs INTO lwa_bukrs.
       AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
                         ID 'BUKRS' FIELD lwa_bukrs
                         ID 'ACTVT' FIELD '03'.
       IF sy-subrc = 0.
         z_bukrs-sign = 'I'.
         z_bukrs-option = 'EQ'.
         z_bukrs-low = lwa_bukrs.
         z_bukrs-high = space.
         APPEND z_bukrs.
       ELSE.
         lv_flag = 'X'.
       ENDIF.
     ENDLOOP.
  *---Give warning message to the user in case he is not authorized to see
  *---data for all the company codes that he has entered.
     IF lv_flag = 'X'.
       MESSAGE ID 'ZFNG' TYPE 'W' NUMBER '015'.
     ENDIF.
  ENDIF.
  This code does an authorization check at company code level and removes all the company codes that user has entered but is not authorized to look for. After that we pass the filtered list of company codes for which user is authorized to in the select query and fetch the results. You can first select all the records from database for PERNR and VKORG. Then filter them and prepare new list of VKORG and PERNR after performing authorization check and pass it further to select queries in your program.
  KR Jaideep,

• Authorization for the report

  Hi
  I have made one report,  I needed to check the authorization for the report, how to do it.
  Eg.  One employee is executing the report, he only needed to select his transaction
  If somebody from one sales organisation, they only needed to take the data belongs to the sales office.
  SELECT-OPTIONS: p_vkorg  FOR tvkot-vkorg.
  SELECT-OPTIONS: p_pernr FOR pa0001-pernr
  for example two selection parameter is displaying. if my employee no is 100, while trying to enter execute the report for 200 employee no. no data should show. like that vkorg filed also should work.
  Please let me know how it possible.
  Regards
  Sebastian John

  Hi,
  You can change the code below
  *---Authorization for Company code entered by the users.
  *---This code will restrict users to see data for company
  *---codes which they are not authorized to.
  *---Select all the company codes based upon selection entered by the
  *---user
  SELECT bukrs
     FROM t001
     INTO TABLE li_bukrs
    WHERE bukrs IN z_bukrs.
  IF sy-subrc EQ 0.
  *---Clear Screen variable for Company code
     CLEAR z_bukrs.
     REFRESH z_bukrs.
  *---Filter and prepare Select options for Company code table to be
  *---passed to query. Table will only have values of company codes he is
  *---authorized to for display.
     LOOP AT li_bukrs INTO lwa_bukrs.
       AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
                         ID 'BUKRS' FIELD lwa_bukrs
                         ID 'ACTVT' FIELD '03'.
       IF sy-subrc = 0.
         z_bukrs-sign = 'I'.
         z_bukrs-option = 'EQ'.
         z_bukrs-low = lwa_bukrs.
         z_bukrs-high = space.
         APPEND z_bukrs.
       ELSE.
         lv_flag = 'X'.
       ENDIF.
     ENDLOOP.
  *---Give warning message to the user in case he is not authorized to see
  *---data for all the company codes that he has entered.
     IF lv_flag = 'X'.
       MESSAGE ID 'ZFNG' TYPE 'W' NUMBER '015'.
     ENDIF.
  ENDIF.
  This code does an authorization check at company code level and removes all the company codes that user has entered but is not authorized to look for. After that we pass the filtered list of company codes for which user is authorized to in the select query and fetch the results. You can first select all the records from database for PERNR and VKORG. Then filter them and prepare new list of VKORG and PERNR after performing authorization check and pass it further to select queries in your program.
  KR Jaideep,