BI7 InfoObject Value Level Authorization for Queries

Similar Messages

• InfoObject level authorization for Queries

  Hello Experts,
  I'm working on an authorization object to restrict my queries. Basically we want to restrict the queries based on Personnel area. I've created an authorization from RSECADMIN with the following variables.
  0PERS_AREA eq XXXX
  0TCAACTVT    eq 03
  0TCAIPROV    eq my infocube
  0TCAVALID     cp *
  I've made my info object 0PERS_AREA as authorization relevant and I've assigned this object to a user say 'A' from RSECADMIN. Now for the personnel area in my query I've created a variable of type 'characteristic value', variable name as ZPERSA, processing by 'Authorization', variable represents 'Multiple Single Values' and not ready for input. FYI, I've created this variable from single values selection.
  When I execute the query with user A, I expect it to display the data for personnel area XXXX only but it displays the data for all the personnel areas. Can someone please help whats wrong here.
  Regards,
  NR

  Hi Viki,
  I've checked that earlier and I've tried all options like creating a value range variable with and without ready for input and with single values and multiple single values. But the query gives me all the personnel area records when I execute the query.
  Can someone please help. Its very urgent.
  NR

• "Low-level" authorizations for accessing BW reports - add users to role

  Using the advice in Topic "Low-level" authorizations for accessing BW reports, I have been able to publish a query to a role that has 3 test users and each user gets the same query but with different data, as determined in the tables.
  Is there a way to look up the users and e-mail addresses from a table and associate them to the role? We have several hundred e-mail recipients that will not need BW access, but only need an e-mail with a static report that contains data on their own territories.

  Hi!
  i think programatically it might be complex. You got to maintain a seperate variant of report per user and use this variant to send mail. that means you need to maintain a variant and a Broadcast setting per user. once maintained you can use it any number of times the values will be recalculated everytime.
  with regards
  ashwin
  <i>PS n: Assigning point to the helpful answers is the way of saying thanks in SDN.  you can assign points by clicking on the appropriate radio button displayed next to the answers for your question. yellow for 2, green for 6 points(2)and blue for 10 points and to close the question and marked as problem solved. closing the threads which has a solution will help the members to deal with open issues with out wasting time on problems which has a solution and also to the people who encounter the same porblem in future. This is just to give you information as you are a new user.</i>

• Object level authorizations for reports

  HI
  I have 20 charactesr in cube , around 15 have navigational attributes.
  i need to give authorizations for 5 objects only .( navigational attributes).
  i have 10 reports, i need 2 reports only authorizations relavant.
  if i restrict 5 objects authorizations , its effect all queris? in this scenerio i need to create 2 cubes?
  ple let me know

  hi suneel,
  As you said you require authorization for 2 reports, you can restrict those Infoobjects with the authorization variables and in the other 3reports use that object but do not restrict to the authorization variables..
  So, the user will be able to see whole data for 3 reports where authorization is not used.
  Hope it is clear.
  Thanks
  Lavanya

• Object level authorizations for deffirent user restrictions

  Hi
  i have 1 object, this object have only 3 values?
  i need authorizations for this object at report level?
  rsa1- i keep authorization relevant?
  rsecadmin i can include this object , here i need give from value and to value? i have 3 values only? suppose user 1 want only 1 value? user 2 need 2 and 3 value? how can i restrict like this ? ple let em know

  Hi Suneel,
  Go to RSECADMIN.
  Here, in maintain authorizations, create authorization for your characteristics along with the special characteristics.
  i.e. in your case, create authorization(assume 0plant is marked as authorization relevant)
  0PLANT
  0TCAACTVT
  0TCAIPROV
  0TCAVALID
  Double click on each characteristic to assign them the authorized value set.
  Thus, you will create two authorizations
  Z_PLANT_1
  0PLANT...................I..EQ..............1
  0TCAACTVT.............I...EQ..............3
  0TCAIPROV.............I...EQ..........ZPROVIDER
  0TCAVALID..............I...EQ...........*
  Z_PLANT_2&3
  0PLANT...................I..EQ..............2
  ..............................I..EQ..............3
  0TCAACTVT.............I...EQ..............3
  0TCAIPROV.............I...EQ..........ZPROVIDER
  0TCAVALID..............I...EQ...........*
  Go to RSECADMIN again in user tab in assignment, assign these authorizations created to the respective users.
  Like assign User1 -
  >Z_PLANT_1
  ................User2  -
  >Z_PLANT_2&3
  Refer  the link below for more information
  [Analysis Authorization|http://help.sap.com/saphelp_nw70/helpdata/en/66/019441b8972e7be10000000a1550b0/frameset.htm]
  Hope this helps,
  Best regards,
  Sunmit.

• Plant level authorization for Notification Change

  Hi All
  We have 7 plants and person belong to one plant is able to open and change the notification of other plants.
  In the role we have given restriction for the plant for the Tcode IW 22 and for the object SWERK .In the Notification only Workcenter and Plant fields are mandatory.
  How can we restrict for a user belong to a particular plant can only change his plant notifications using IW22 only ---not IW28
  Thanks in advance
  gangs

  Dear gangs,
  Check in all the roles of that user in orgnozation levels maintenance plant and planning plant.
  It may happen in one role you have ristricted for that user, but in other roles it may be having the t.code authorization for IW22 and with other plant also.
  Check that also.
  Regards,
  Praveen.

• Object level authorization for SLT Configuration schema in HANA DB

  Hi All,
  We have connected SLT with HANA DB (& ECC as source system).
  Now for certain users we wanted to restrict the access for certain tables ( tables owned by SLT Schema, i.e schema created in HANA DB with the configuration name provided in the SLT configuration).
  With the SYSTEM user object level authorization's of another schema is not possible hence , an error is thrown when we are trying to provide/control the access of single table for a user.
  Is it ok that we generate a password for SLT schema and try login with schema owner. Is it the best practice or Is there any other way around.
  Regards,
  Kumar

  Hi Santosh,
  You can find more info about SLT Roles and Authorization from below security guide.
  http://help.sap.com/hana/SAP_HANA_Security_Guide_Trigger_Based_Replication_SLT_en.pdf
  Regards,
  V Srinivasan

• We need to give field-level authorization for some fields

  The schenario is as follows :
  1. There are various storage locations within a plant.
  2. There is one or more people incharge of creating PO and receiving
  stocks for every storage location.
  3. We dont want to authorise the person incharge of one storage
  location to receive stock in another storage location or even view the
  other storage locations at the time of creating the PO or any other
  transaction. The user incharge of one storage location should not be
  able to view any other storage location in any storage location field's
  drop down.
  regards
  Manish
  +91 9811647727

  Hi Umesh,
  Please see the documentations for authorization profile P_ABAP in the R/3 library and the following:
  SU03 -> HR Human resources -> position your cursor to P_ABAP HR: Reporting -> choose button "Docu."  -> the pop-up "help - P_ABAP" appears.
  There is an example, which describes a similar issue regarding RPTIME00 and the Basic pay infotype (0008).
  The standard reports of personnel administration are based on logical database PNP I would recommend to set your authorization as follows:
  Object HR: Master data (P_ORGIN) (two authorizations)
    Infotype                  0002             ' '
    Subtype                   *                ' '
    Authorization level       R                ' '
    Organizational key        ' '              0001YYYYXXX
  Object HR: Reporting  (P_ABAP)
    Report name                SAPDBPNP
    Degree of simplification   1
  Please note, that if a user has authorization for e.g. the birthday list , (s)he will be able to view the birth date through thisquery, although (s)he cannot access to IT0002 through PA20.
  Another possibility would be using Customer-Specific Authorization Object P_NNNNN. I have attached a file with a very comprehensive documentation regarding HR authorizations. P_NNNNN is documented on pages 40 ff.
  Hope this help
  Sarah

• Second Level Authorization for ESS

  Hi,
  I have an issue regarding ESS . The requirement is to provide a second level authorization when anybody clicks on the content in ESS. i,e a logon screen. On successful authentification the user has to see the required info. We should also be able to provide a 5 min idle time out. Can anybody help me with this.
  Thanks,
  Abhishek

  Abhishek, Did you find any solution for second level authentication for ESS?

• Field level Authorization for IT0002

  Hi All,
  We have a requirement to control the authorization for the field NI Number/Social Security number from IT0002.
  This field is getting displayed in various standard reports which are in use by administrators/Managers etc....
  We want to disable the access of this field to every one, even the HR administartor.
  Kindly suggest if this is possible using authorizations.
  I know that we can hide the field in display access for PA20 or PA30, but I am particularly serching the option for various reports.
  Regards,
  Umesh Chaudhari.

  Hi Umesh,
  Please see the documentations for authorization profile P_ABAP in the R/3 library and the following:
  SU03 -> HR Human resources -> position your cursor to P_ABAP HR: Reporting -> choose button "Docu."  -> the pop-up "help - P_ABAP" appears.
  There is an example, which describes a similar issue regarding RPTIME00 and the Basic pay infotype (0008).
  The standard reports of personnel administration are based on logical database PNP I would recommend to set your authorization as follows:
  Object HR: Master data (P_ORGIN) (two authorizations)
    Infotype                  0002             ' '
    Subtype                   *                ' '
    Authorization level       R                ' '
    Organizational key        ' '              0001YYYYXXX
  Object HR: Reporting  (P_ABAP)
    Report name                SAPDBPNP
    Degree of simplification   1
  Please note, that if a user has authorization for e.g. the birthday list , (s)he will be able to view the birth date through thisquery, although (s)he cannot access to IT0002 through PA20.
  Another possibility would be using Customer-Specific Authorization Object P_NNNNN. I have attached a file with a very comprehensive documentation regarding HR authorizations. P_NNNNN is documented on pages 40 ff.
  Hope this help
  Sarah

• "Low-level" authorizations for accessing BW reports

  May I please have your attention for the following:
  Each employee is represented by a costcenter in our R/3, and thus, BW-system.
  Plan is as follows: by filling in the costcenter on the selection-screen of a BW-webreport on can see his/her own financial data for a certain (posting)period.
  Is there a way to restrict access without creating separate users/roles/profiles for each costcenter??(we have a lot of potential users who only need to see the report but do not need access to BW itself (RSA1 etc)).
  I'm thinking about some sort of mapping:
  e.g. user SANTA logs on -> ABAP-program/function maps it to correct costcenter e.g. 1234 -> user is only authorized for this costcenter...
  But is this possible and where to implement it??
  Thanx a lot in advance for your hints!!!
  Best regards,
  Marco

  Thanks al lot for your replies.
  Corwin, I tried your solution and I've almost got it working....
  1. made a table in DDIC to link username to costcenter
  2. set up a reporting auth. via RSSM
  3. created a variable (ZCOSTC) type 'Authorization' in the query designer
  4. wrote some code in the user-exit (via SMOD) to fill this variable (translate username to costcenter via mentioned table)
  5. created a role incl. authorization with reference to variable: value '$ZCOSTC'
  This reference is not working unfortunately enough.
  Everything works fine when I replace $ZCOSTC by an existing costcenter.
  Am I forgetting something??
  Thanx again!
  Best regards,
  Marco

• User level Authorization for SSO by using SOAP Sender

  Hi,
  Scenario : Non-SAP to PI 7.31 using SOAP Sender adapter.
  Authentication we need to go for user based level at the receiver system where the information shall be passed from the sender (non-SAP) and also we 're using Single Sign On method for this interface.
  Note : Previously we achieved this through WS-RM using SAML certificates, but this adapter doesn't support in PI7.31 single stack since we have option only by using SOAP adapter.
  Please suggest how can i achieve this for my current landscape.
  Thanks for your help.
  Warm regards,
  Ram.

  Hi!
  The SOAP Adapter itself has no queueing mechanism. But the PI has one if you work asynchronously.
  To pick files it may be helpful to use the Axis Framework of SOAP Adapter whre you can add your own adapter modules.
  Very helpful tips concerning the SOAP Adapter can be found in the SAP Note 856597 (FAQ SOAP Adapter XI 3.0 Pi 7.0 PI 7.1).
  For Axis Adapter FAQ refer to SAP note 1039369
  Hope this helps.
  Regards,
  Volker

• User level authorization for process order

  Hi,
  Greetings for the day.
  As we all know that there are three main screen of process order
  1. Header Data
  2. Operations data
  3. Materials Data
  Now, we want to restrict the users to access the screen as below. (T-Code: COR1 & COR2)
  Header
  PP, MM, QM Users can change
  Operations
  PP, QM Users can change, MM user can display only
  Materials
  MM, QM Users can change, PP user can display only
  How can we achieve this?
  Please guide me.

  Hi
  Yes, that is impossible to control that way in standard, so I think you may consider the the user exits to write your own source codes to check the changes done by user and prohibit the save.
  PPCO0018  Check for changes to production order header
  PPCO0019  Checks for changes to order operations
  PPCO0008  Enhancement in the adding and changing of components
  Regards.
  Leon.

• Discount level authorization in sales order

  Hi,
  I have one scenario where customer want to give discount level authorization for some customer, please find below example and suggest possible solution
  Ex. There would be like 3 level discount authorization in sales order like sale manager 2%, manager 3-4% n sales head 5%.
  If sales manager make the order n enter  3 %  and more discount then error show like " you are not authorized for this discount" and order can not be saved ,same will be applicable to manager and sales head.
  Note: There may not be different level user id used here means Sales manager and manager will be using same ID.
  Please suggest the configuration step by step
  Edited by: KHAPREVIPIN on Jan 4, 2012 7:51 AM

  Hello
  there is a process of Basis roles that can help u in doing this. Using these roles u can give permission the condition types
  u create 3 diffrent condition type ZCP1,ZCP2ZCP3 and give authorization only to the required level.
  Example : manger can only add ZCP1 not others.
  Through this no need to create any program... for each specifice condition type u can give authorizatoin this is standard in SAP.
  Mager      ZCP1 discount 30%
  user :      ZCP3 Dicount 5%
  If the system must determine automaically : make a requirement for each condition and check the role(USER ID) and pass the condition
  If it is the manual discount then the user can only add the discount they can not give others.

• Auth: Restrict Infoobject for Queries differently for the same user

  Hi guys,
  I need to restrict an infoobject differently for some queries (analysis authorization). For example, I need to give full hierarchie access for query 1 to user 1.  But for another query for the same user I need to restrict the hierarchie authorization. Furthermore, both queries are based on the same multi provider. It is not possible to use different multi provider ... the adjustment effort is to high (to many queries).
  I have set up an authorization with rsecadmin
  QUERY1:
  ZHier1     Hyrarchie 1
  ZHier2     Hyrarchie 2
  0TCAACTVT     Activity in Analysis Authorizations
  0TCAIPROV     Authorizations for InfoProvider
  0TCAVALID     Validity of an Authorization
  0TCTQUERY     Query
  -->I added the respective values for the queries, the used multiprovider, hierarchies, etc.
  I have set up the same for QUERY 2 with different Hierarchy and Query values, but it does not work correctly. The user is always authorized for the hierarchie values of both queries.
  Thanks foryour helpin advance!!
  Regards,
  Sven

  Hi Sankar,
  Sorry for the confusion. Lets focus only one hierarchy ... ZHier1. 
  QUERY1:
  ZHier1     -> value: node2
  0TCAACTVT     -> value: 2 & 3
  0TCAIPROV -> value: multiprovider1
  0TCAVALID     -> value: *
  0TCTQUERY     -> value: query1 (based on multiprovider1)
  QUERY2:
  ZHier1     -> value: node2.1 (sub node of node 2)
  0TCAACTVT     -> value: 2 & 3
  0TCAIPROV -> value: multiprovider1
  0TCAVALID     -> value: *
  0TCTQUERY     -> value: query2 (based on multiprovider1)
  But this does not work. When I use query2 in reports the user has access to node2 and not only to node2.1.
  Any idea?
  Thanks again!
  Sven