Authorizations in report

Similar Messages

• User authorization query/report

  Has anyone determined a method of printing a query or report of all authorizations for a user? From reading SOX requirements, this appears to be standard in almost every company yet there does not appear to be a way to do it in Business One.

  Hi,
  if you want to print all authorization for all users so I think that the only way is do it through tables and sql query. The base table is HEM5.
  hope it helps
  Petr

• Authorization BI Report

  Hi,
  I have some problem with the authorization. Here is the scenario,
  I need to make one user in to access BI report, but only from one cube(let say cube A). The user cannot access, display or execute any others report except the reports generate from cube A.
  anybody can help me with this...
  Thanks in advance
  Tienus

  I finally got the answer...
  we just have to set the role in pfcg

• Authorization for Report Painter

  Hi,
  we have a report in report painter with Company Code selection. May I know how to restrict the company code selection such that userA will see only company codeA data?
  i see there's an authorization group. may i know how to use the authorization group? may i have the detailed steps? thanks.

  ZL Goay,
  Follow these steps.
  1. Go to T-code <b>SE54</b> there is radio button for authorization group just click it and create. authorization group say ZGOAY
  2. You can assign this to your report painter - go to header information and press F4 you should get 'ZGOAY' there.
  3. Assign this object group to the userA (Get help from Security team or BASIS)
  You may check the table TBRG for auth object and group relation
  reward if useful

• Authorization of Report Painter GRR3

  Dear
  Kindly help me to restrict our users on Tcode GRR3 for Report Painter.
  There are number of reports under Report >>> Library.
  on authorization at PFCG I created a role and has only one tcode GRR3. under this there are four objects
  Report Writer: Report
  Report Writer: Libaray
  Report Writer: Report Group
  how I restrict users at this stage...how to define authorization group ???? is this work able.
  regds:
  AJ

  I think there are a coupleof ways to do this
  1.
  Go to GRR3, check the report(s) that is(are) to be executed. Check the hierarchial assignment of the report(i mean check the Report group & Library they are under)
  based on the above information, you can make restriction on the following objects:
  G_800_GRP (For the actual report itself)
  G_801K_GLB (For the report Library)
  G_803J_GJB (For the report group)
  2.
  an alternate but somewhat tricky way to do this could be, For the user who needs the access/restriction check the roles that have the object S_PROGRAM , make sure that there is no (*) value in this.
  Give free access to GRR3, without any specific restriction. BUt in the role that has S_PROGRAM - give access to only those program authorization groups that are shown for the reports to be executed
  I think i made it too complex. OK.......if the user needs to run schedule 10 reports, go to GRR3 go the report he needs to execute, check the program behind - go to SE38, RSCSAUTH execute, check the authorization group of the program - make your restriction of program execution (S_PROGRAM) based on this
  hope it helps

• Douts in authorizations and reports..

  Hi Gurus,
  I do have some doubts on time manageents consepts like
  1. what is Time manager's workplace ( TMW )
  2.what is cost assignments and activity  allocation
  And in Authorizations :
  1. what is the general authorization checks
  2. what is the Authorization objects? what is usage of this objects?
  3. what is structural authorization? when do we use this structure?
  in Reports part
  1. what is the differents between SAP query  and Ad hoc query?
  2 what are all the HR reporting methods?
  Thanks,
  BAlaji

  In TMW, the manager can do the following activities for the employees like daily work schedules, suntitutions, overtime, etc
  http://help.sap.com/saphelp_47x200/helpdata/en/ea/dd8e3802dd0f3de10000009b38f842/frameset.htm
  Cost center assignments are used for payroll. Generally its is used for profit accountability. Through this top level management can know the profit for the project, dept etc through the cost center. Its assigened in Infotype Org. Assignment (IT0001). If an employee working in different departments or projects use in IT Cost Distribution (IT0027).
  Generally authorization is used for security purpose. Structural Authorization used for Organizational Management (T Code OOSP) and the general authorization used for USERS in terms of T Codes.
  Refer this link for authorization
  http://help.sap.com/saphelp_47x200/helpdata/en/97/27973b3ea3eb0fe10000000a114084/frameset.htm
  Reporting tools
  http://help.sap.com/saphelp_47x200/helpdata/en/a8/2e7237a323427ee10000009b38f8cf/frameset.htm
  Hope it helps u to know the overview of ur questions.

• Authorizations for report PC00_M99_CIPE  by field PayrollArea

  Hi experts.
  I have the following requirement:
  I need that by authorization the system allows to the managers of HR execute the  report standard PC00_M99_CIPE .
  only for the employee that have in the infotype 0001 field payroll area the same value that have the manager
  in his role.
  Example :
  Employee1
  Payroll area = A1
  Employee2
  Payroll area = A2
  Employee3
  Payroll area = A1
  Employee4
  Payroll area = A1
  Employee5
  Payroll area = A3
  Employee6
  Payroll area = A3
  When the Manager of HR execute the report, the system just take into account the employee that have Payroll area = A1 and A3 and not the employee with  Payroll area = A2.
  How can do this using roles, if the object P_ORGIN not have the field  Payroll area . I checked the t.code SU24.
  Thank in advance for your help,
  Best Regards

  As far as I understand your issue you require 2 things.
  1. You want to segregate the access to Employees by their Payroll Area.
  2. You require that segregation only for transaction PC00_M99_CIPE.
  As you have mentioned already P_ORGIN does not check the Payroll Area.
  I would apporach that as follows.
  Solution for number 1.
  A new Authorisation Object is required which will allow to check the Payroll Area. That can be done in transaction SU21. If you haven't created any object class in the customer naming space before I suggest you create a new customer object class first. That is what looks like a folder and than you create in that object class a new Authorisation Object which has the field Payroll Area.
  You than assign the new authorisation object to the manager roles and just give them access to their payroll area.
  Solution for number 2 (enabling the new Authorisation Object).
  That will require some ABAP development. However you will get away without any modification. SAP has provided a BAdI to get that working.
  Lets step through that:
  You will need to implement SAP BAdI Definition HRPAD00AUTH_CHECK. BAdIs can be implemented with transaction SE19.
  When implementing the BAdI you must ensure that you always call the SAP standard. If we do not do that the SAP HR standard checks will not work.
  Therefore when you implement the BAdI do the following.
  - Create a class attribute in the implementing class of the BAdI. The attribute is a reference to the SAP standard authorisation class. The attribute should have Type : TYPE REF TO CL_HRPAD00AUTH_CHECK_STD
  - Create a Class Constructor in the implementing class of the BAdI. The class constructor should now create an instance of the SAP standard authorisation class. That instance is the attribute you have declared before.
  - Now you go through ALL the methods. In every method you must check first if your class attribute is not initial otherwise create an instance of the SAP standard authorisation class (That instance is the attribute you have declared before and should normally exist as result of the Class Constructor). Than you call the Interface Method of the SAP standard authorisation class. The interface method must have the same method name in comparison to the method you are working on.
  - If that has been done in ALL methods SAP standard is working again.
  Now the ADD ON for the new authorisation object.
  - Go in METHOD IF_EX_HRPAD00AUTH_CHECK~CHECK_AUTHORIZATION of the BAdI implementation.
  - After the call of the standard authorisation check at the end of the method you add your code for the new authorisation object.
  - First check the SY-TCODE is equal to PC00_M99_CIPE
  - now Read Infotype 0001 of the employee which is passed in the BAdI Method as import parameter.
  - Call the authorisation check (use the pattern function in the ABAP editor) for your new authorisation check. You pass the payroll area of the employee which you will have retrieved in the previous step.
  - check the SY-SUBRC after the authorisation check.
  - if SY-SUBRC is not initial, clear the Method export parameter IS_AUTHORIZED.
  Hope that helps.
  Best regards
  Karsten
  I
  Edited by: Karsten Arold on Jul 25, 2010 12:12 PM
  I have created a documentation with screen shots on how to do it.
  Please follow the link. http://www.mediafire.com/file/k6r4yb862w7revi/Creation of a new HR Authorisation Checks.pdf

• Authorizations for report by field PayrollArea

  Hi experts.
  I have the following requirement:
  I need that by authorization the system allows to the managers of HR execute the  report standard PC00_M99_CIPE .
  only for the employee that have in the infotype 0001 field payroll area the same value that have the manager
  in his role.
  Example :
  Employee1
  Payroll area = A1
  Employee2
  Payroll area = A2
  Employee3
  Payroll area = A1
  Employee4
  Payroll area = A1
  Employee5
  Payroll area = A3
  Employee6
  Payroll area = A3
  When the Manager of HR execute the report, the system just take into account the employee that have Payroll area = A1 and A3 and not the employee with  Payroll area = A2.
  How can do this using roles, if the object P_ORGIN not have the field  Payroll area . I checked the t.code SU24.
  Thank in advance for your help,
  Best Regards

  HI,
  Check how the payroll area is defaulted in feature "ABKRS".
  Include the PA/EG/ESG in P_ORGIN for the employee.
  Also check if any structural authorizations are there or not.
  Still if this doesnot resolves user TCODE -su53 after executing the report.
  -Param

• BW authorizations at report level

  hi,
  i have a requirement to restict user's access to certain cost centers on a report.
  i have created a new authorization object and switched on the reporting authorization on the cube for this object. i have created an authorization variable and this report is working like it should. But the issue is that when i switching on reporting authorization at the cube level, every query on the cube is getting affected. is there a way i can turn on this reporting authorization on the report level rather than the cube level and not affect the other queries?
  thanks,
  Parthava.

  Mark the Cost center Infoobject as Authorization relevant (RSD1 -> infoobject -> Business Explorer tab -> Authorization relavent) and restrict the user to the corresponding costcenters using correspnding authorization objects.
  http://help.sap.com/saphelp_nw70/helpdata/en/a0/48f438f3422f2ce10000000a114084/frameset.htm
  Assign points if helpful!
  Regards, Uday

• BW 3.5: flexible Authorizations for reporting

  Hi Experts,
  I am looking for a solution for flexible reporting authorizations.
  The background:
  There are lots for Profit Centers in our system. Currently, we have created lots of Roles/Profiles which include fix values defined to limit access for users. The maintenace effort is getting higher and higher.
  I heard there could be a flexible solution to use BEX variable typed Authorization and the authorization values can be determined via BEx user exit. Finally, I need only one profile for all users. But I don't know how to implement this flexible solution.
  If anyone out there could share the knowledge it would be great.
  Thanks for your help in advance!
  Regards,
  Sally

  Hi
  First make the info object authorization relevant in the business explorer tab of the info object.
  Plz follow the below steps:
  1. Goto RSECADMIN tcode to create analysis authorization object for Profit centre
  2. Click on Maintenance
  3. Give a name and click on create
  4. Give the info object name as profit centre under char/ dimension
  5. double click on info object profit centre or click on details
  6. Under value authoriztion tab, give the variable name. (The variable name should start with $ symbol ex $test).
  Write the logic for the customer exit variable in the function module EXIT_SAPLRRBR_001 inside of enhancement RSR0001 via tcode CMOD.A variable of processing type authorization reads the values from authorizations of a user. A variable of processing type customer exit reads the variable values using a selection routine placed in the function module.
  Assign the authorization object to all the user instead of creating new profile with the hard coded values.
  The advantage of this method is that you can give all users the same authorization by placing the variable name with a $ sign in front of it instead of a value in the characteristic value (or the hierarchy node).
  The variable can also of course be used in the query, but this is not absolutely necessary. You can also filter using another variable or with fixed value restrictions in the query.
  Hope it helps.
  Regards
  Sadeesh

• Report Designer: No Authorization Save Report ???

  Hello,
  I'd like to save a report.
  After entering Technical Name and Description the System says: "You do not have the necessary authorization to perform this action."
  Does anyone know which authorization I need to add?
  Thank you
  Daniel

  Hi
  In PFCG check the roles assigned to you and check the authorization data.
  There you need to modify your authorization permission to change  the report.
  Contact the reponsible person who created the role, ask them to include the permission to Edit or save the report.
  Regards
  M.A

• Authorization error report

  I want to see authorization unsuccessful error report of 100 users from last 15 days.Is there any program need to executre or any process to get this?

  > venkat sap wrote:
  > Then there is NO solution for this?
  I can think of a few solutions, but USR07 would not be one of them. There is also an old post about this "last failed check" and "reason codes for failed checks" which suggested that a development request to enhance them might be on the cards. I eventually decided not to open the development request.
  A simple solution:
  To report on failed authority-checks for attempts to start transactions, the failed attempts to call RFC's and failed attempts to start reports, you can use the Security Audit Log (tcode SM20 <= use the search and the FAQ) for objects S_TCODE, S_RFC and S_PROGRAM. There might be false-positives for BDC programs... see the threads on function module AUTHORITY_CHECK_TCODE.
  A more complex solution:
  Intended for recording detailed information about authorization checks during the development of applications (much more detailed than USR07, SU53 and St01), there are an obscure set of tables which contain information about (failed) authority-checks. They are not intended really for production systems and there is a SAP note which explains how to use them and warns about consequences for rapid growth of the tables, particularly in large systems with many users... I could not find any infos on the search terms here at SDN, but if you are interested, I can dig in my box-of-tricks to see whether I can find the infos again. I dont think that it was originally intended for production systems though, much like ST01, debugging, etc, etc...
  If your authorization concept is confident of the application authorizations which the users have, then the simple solution would, in my opinion, be sufficient for monitoring purposes, which can then be drilled down further once abnormalities are found using a number of tools with forensic capabilities such as SM20, ST03N, STAD (if you are fast enough), F190, etc, etc...
  Cheers,
  Julius

• Authorization-Display report from InfoProvider-ODS

  Hello,
  Currently, I got some problems displaying data through the reports which were created from InfoProvider-ODS.
  The authorization team already configure the authorization objects. Unfortunately, there was no data display from the queries at all.
  One concern related to the authorized configuation is:
  from checking authorization for dealer report in ODS model, we use auth. object: ZBPCODE which is dealer id value.
  but it's not required only dealer id value, it require "*" for this object.
  How do I limit in this authorization case?
  Any suggestion would sincerely appreciate.
  Thank you very much
  -WJ-

  Closed without solution!

• Authorization Scheme - Report

  I was looking for a report that would show the utilization of the authorization schemes, defined in an application. Where do I find or how do I create such a report?
  Thanks,
  Denes Kubicek

  Thanks Scott,
  next time I will keep my eyes open while searching for that stuff. Your application - HTML db - is a good thing. Thanks for that as well.
  Denes Kubicek

• Authorization wise report

  Hi Experts,
  I have created custom HR report with custom transaction. I want to provide the transaction based on company code access to the user?
  Rajneesh Gupta

  Use Authorization object J_B_BUKRS for your custom transaction
  and maintain the authorization values in the roles of users for that object.

• Authorization  for Report Execution

  Hello Experts,
  There is a BEx Report in production, which is visible to me and i can execute.  But at the same time, the user is not able to view or execute the report. The report is developed in the production itself and not in development box  and transported.  This is surely related to authorizations.. Can anybody suggest how can I grant the user authorization so that he can view and execute the report but not modify.
  I have authorization at DEV, QA and PROD.
  Best Regards!

  Hi,
  Not sure whether its an authorization issue or something.
  But he may be unable to find the exact bex query.
  You can guide(info area-->info cube-->bex query) him how to find exact query while opening bex designer or anylaser.
  Mean while you can give bex query technical name to user and ask him run at RSRT.
  that may give some idea.
  whether its any authorization issue or he is unable to find at query designer while opening.
  Thanks