BW Auth Objects' grouping in RSSM.

Hi Everyone,
I have a query on how to group infoobjects to an authorization object.
I have created 3 authorization objects in RSSM in BW.
- ZPLANT -> 0PLANT
- ZSTORLOC -> 0STOR_LOC
- ZPURORG -> 0PURCH_ORG
Is there a difference if I were to create 1 authorization object to contain the 3 different infoobjects in it?
- ZALL -> 0PLANT, 0STOR_LOC, 0PURCH_ORG
What I think is different is I have less things to assign to a role when using the 2nd method.
Is there a more preferred method?
Thanks.
Regards
Shunhui.

Hi Shunhui,
I think ...
this may depend on the queries used.
If you have all 3 infoobjects for the authorization check,
then you may choose the 2nd approach, which may be easier
in profile maintenance.
But if these infoobjects are spread across different queries,
then the 1st approach will be more effective.
In our implementation, mostly the 1st approach is used.
But in your case, it seems these 3 infoobjects will exist in the same query. It's also possible to have both approaches: one for some infoproviders which have these 3 infoobjects for the authorization check, and 3 separate ones for other infoproviders
(infoproviders marked with RSSM 'check for infocube').
Hope this helps.

Similar Messages

  • Can we control Work center group links using auth object UIU_COMP

    Hello All,
    We are running into an issue while doing our PFCG role configuration.
    I need to know if we can control Work center group links in a business role through auth object UIU_COMP.
    We can control Workcenters but not 'Work Center Group Links'.
    Here is what we did:
    - We have a business role Z_RA_DEFAULT.
    - The Nav Bar Profile SRV-PRO for this business role has some work center group links that are checked in menu and visible.
    - I'm trying to find the values in the auth object UIU_COMP to restrict Work center group links.
    - Even though the values Work center group links are in menu and visible,
    I want to remove these Work center group links from the screen using the auth object.
    - If we remove the check from in menu and visible in the business role, the Work center group links disappear from the screen.
    Right now this is the only way we are able to control Work center group links.
    Question:
    - Can I use UIU_COMP to restrict Work center group links?
    - Any other auth object that controls Work center group links?
    - any document/ website / info  available which tells us what can we restrict with auth object UIU_COMP?
    - or any other way of doing this... like code change, user exit, ....?
    Really appreciate your help.
    Thanks,
    Nasir

    I am not sure if I have understood the issue correctly, but still what stops you from actually creating a clone business role to your existing business role and deactivating the in menu visible work center group links. Use this new business role for users who need to be prevented from viewing the work center groups links in question.
    If you are going to use authorization objects to control the visibility, won't it impact all users (still defeating your original purpose?)
    Again apologies in case I have got the question wrong.

  • BW Authorizations/Report. Auth Object/KF's vs. Calc. KF's

    We implemented a custom/reporting auth. object to protect key figures (1KYFNM) and it works well. The issue is that our user community never ceases to come up with new and even more creative requirements.
    Let me illustrate the latest requirement:
    I have locked-down access to certain key figures (let's call them 'KF A' and 'KF B') and therefore subsequently secure all combinations involving either one of the two meaning calc. KF D (KF A plus KF C) is locked down as well. I also need to mention that users are supposed to be able to create their own ad-hoc queries, which eliminates the option of limiting them to a query or set of queries that accomplish the following requirement.
    There are certain totals, which are calc. KF's that the users are allowed/required to see even though they are not supposed to see what makes up these numbers (they should see calc. KF K which is made up of KF A, KF B, and KF H, etc. but not KF A and KF B).
    Without the option of providing the users with rather static queries, I see another option as calculating 'KF K' (from the previous example) at the time of the load and just making it another key figure in the cube which then can be excluded from the auth. check previously mentioned based on the naming convention. The problem with that is that this will make reporting rather inflexible, increase load times as this calculation is rather complicated, and it will also create redundant information in an environment that is already experiencing substantial growth and volume.
    Does anyone see any other solution?
    Thanks,
    Joerg

    Joerg,
    I'm afraid that there's no special authorization handling for calculated key figures. To my best knowledge, the approach of creating another key figure at data load time via transfer rules or update rules would be the only one that can work. While this approach may not be flexible, the load time should not increase significantly if you just add two key figure values into a new one.
    If you find this approach is unacceptable or it is a common requirement among the BW community, you might consider submitting such a requirement through the ASUG BI Group or via an OSS development request.
    Thank you for your question and patience.
    Regards,
    Amelia Lo
    SAP NetWeaver RIG, US
    SAP Labs, LLC

  • Job role design - transaction role and auth object role

    Hi all, please kindly comment following job role design:
    (1) transaction role:
    Keep transactions in a single job role to represent business processes in different application areas, e.g. MM: maintain PR, PO, OA.   CO: maintain cost center, internal order.   HR: maintain org structure, personnel management.
    The single job role will only keep the role menu and object S_TCODE, with all other application related authorization objects inactivated.
    (2) authorization role
    Keep application component related authorization objects except S_TCODE in a single job role by different application area, e.g. Objects of MM_B, MM_E, MM_G in MM role. Objects of K_CCA, K_CSKS_SET in CO role.  Objects of HR in HR role.
    Then maintain org levels of the MM, CO, HR roles for different companies, e.g. Company A MM role, company A CO role, company A HR role, company B MM role, ...
    User will be assigned transaction role + auth object role.   For example, user of company A to perform MM and CO functions will be assigned
    with MM transaction role + company A MM role + company A CO role.
    Please let me know the pros and cons of above design.  Thanks.
    Regards,
    Donald
    * I can see the disadvantage of this design is that during an SAP upgrade (SU25), revisions of authorization objects will not be reflected in the authorization role

    Brent Van Dyck wrote:
    Keep in mind the project was for an HCM implementation where there's already hardly any connection between tcodes and authorization values so it may have made more sense in that context than it would in a classic SD/MM.
    That is correct - but it still exceeds "horrible" beyond imaginable boundaries if you try to split the fields of the objects into different roles and expect it to work or that there will be less roles.
    In the case of HCM and also BW the auths admin needs to know more about the data and organization than what classic ERP auths admins can get away with. That is why they take longer to migrate away from manual profiles and have a greater tendency to have manual authorizations inserted into roles - which could however also be achieved by maintaining fields proposed without values and at least proposing those (such as activity type fields) which are known.
    But splitting cube / characteristics / key figures  or infotype / personnel group / auth code into different roles can only go wrong.
    Another mistake some "value role experts" sometimes make is that they don't want SU24 proposals in PFCG because they don't understand them. So what they do is that they clean out the SU24 tables completely... Well... the side effect of that is that all SU24 check indicators flagged as "no check" suddenly become alive in their system although there are mostly good reasons not to have the checks active.
    Cheers,
    Julius

  • SU24 on M_EINK_FRG auth object

    Hello Gurus,
    Requirement:
    To make the release code/group an Org field. Currently it is not an Org field.
    What I have done:
    The auth object is M_EINK_FRG.
    Before I make it an org field, I was cleaning up some tcodes, e.g. ME35, ME35K and ME28, to deactivate the object in SU24 (meaning NO in the proposal "tab"), as no users are assigned to these tcodes in production.
    Question:
    After capturing in a transport I am getting a pop-up with the "Data automatically corrected" message, and the changes are getting reflected in SU24 once I click on the pop-up's green check mark button. Not sure why.
    I have the problem with this object only, not with other auth objects.
    Please suggest, or have you experienced anything of this sort?
    Damodar

    I think he only wants the proposal flag as 'No', but then SU24 automatically corrects the value based on TSTCA.
    See How to handle unwanted SU24 proposals which are automatically "corrected"? and the post by Keerti Vemulapali, which points to SAP note 1404093.
    PS: What would be very useful for an "automatic correction" would be in the case of report type transactions to check whether the submitted report has been assigned to an S_PROGRAM group, and fill that with p_action SUBMIT. Any chances..? 
    Cheers,
    Julius

  • Hierarchy Auth Object --  Exclusion of nodes possible ?

    Hello BW Experts,
    I am creating an Auth Object for the Infoobject Hierarchy of 0Glaccounts. For a user A, I need to exclude 15 GL accounts. Altogether we have around 2000 GL accounts. What is the recommended procedure to achieve this requirement?
    Procedure I know:
    1) RSSM > create an Auth object with Infoobject 0GLaccount > again enable the 'Authorization Definition From Hierarchies' and press the create button > from the list select all the 1885 0GLaccounts.
    Wondering if there is any other procedure to exclude the 15 0GLaccounts.
    Suggestions appreciated.
    Thanks,
    BWer

    I would like to know as well if exclusion is possible for hierarchy authorization in BI 7.0 (RSEDADMIN)?
    I just read that exclusion in general is not possible for BI 7.0 authorizations. Only IO 0TCAVALID allows exclusion. Exclude (E), special ranges (LE, GT, GE, LT), and the plus pattern work ONLY for this special characteristic!

  • Assign auth. object to infoprovider

    Hello,
    I have transported an auth object zsales_orgn to production. I have transported the queries, roles etc.
    I realised that the infoproviders are not assigned to this object.
    When I go to rssm->enter this object->select check for infocubes->change
    I don't see any cubes in the list. How do I assign this object to a cube??
    PLEASE SUGGEST?

    hi S B,
    to transport the authorization object itself, try SE03-> change object directory entry, in next screen, use SUSO (type in below DTEL) and reporting authorization object name, after that change package with icon pencil 'object directory'.
    RSSM for infoobject assignment to infoprovider
    How to Transport the Authorization Object
    hope this helps.

  • Help need in creation of auth object

    Hi all,
    can anyone assist me in creating an auth object to restrict users based on plant.
    I would appreciate it if any one of you could send me screenshots of the procedure.
    My email id is
    <removed by moderator>
    Thanks
    Venki

    Hi,
    Basically you can use a derived role and restrict users based on plant...
    Other than standard objects do you want to create auth objects.
    For more information on you can follow link. info on objects
    http://help.sap.com/saphelp_47x200/helpdata/en/ea/e9b0054c7211d189520000e829fbbd/frameset.htm
    Cheers
    Soma

  • Implementing "object-group service"

    Running 8.2(3) on an ASA 5510
    I have created the two following object groups.
    object-group service gatewayTCP tcp
    port-object eq 88
    port-object eq 135
    port-object eq 445
    port-object eq ldaps
    port-object eq 3268
    port-object eq 3269
    object-group service gatewayTCP-UDP tcp-udp
    port-object eq domain
    port-object eq 389
    port-object eq 464
    port-object range 49152 65535
    I have run into an issue with "domain" working in the tcp-udp type. The following access-list does not work without explicitly calling out "domain" for both TCP and UDP. Everywhere I looked I appear to be doing it right so what am I missing. Does "permit tcp" need to be "permit ip" to cover both tcp and udp? I found one article with someone suggesting just make it "permit tcp" and it will work. Not in a position to test at the moment so figured I'd ask here. Want to be sure I'm not getting bit anywhere else related to these object groups in case I am not implementing them correctly?
    access-list dmzAccess extended permit tcp host 172.26.11.10 host 10.16.11.203 object-group gatewayTCP
    access-list dmzAccess extended permit tcp host 172.26.11.10 host 10.16.11.203 object-group gatewayTCP-UDP
    Is this a bug with service object groups? Is there some place I need to enable this feature?

    Hi,
    Have you tried configuring it like this
    object-group service GATEWAY-SERVICES
    service-object tcp eq 88
    service-object tcp eq 135
    service-object tcp eq 445
    service-object tcp eq ldaps
    service-object tcp eq 3268
    service-object tcp eq 3269
    service-object tcp eq 53
    service-object udp eq 53
    service-object tcp eq 389
    service-object udp eq 389
    service-object tcp eq 464
    service-object udp eq 464
    service-object tcp range 49152 65535
    service-object udp range 49152 65535
    access-list dmzAccess permit object-group GATEWAY-SERVICES host 172.26.11.10 host 10.16.11.203
    I am not sure if it was only after software 8.3+ that the command under the actual "object-group" was of format "service-object tcp source" / "service-object tcp destination" (or the same for UDP)
    - Jouni
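
An added example (not from the original posts) that models the two access-list lines from the question: the protocol keyword of each entry decides which protocol is matched, so the tcp-udp group referenced under `permit tcp` covers TCP only, consistent with what the poster observed. The parser handles only the statement forms shown in the post; the function names and the two-entry port keyword table are assumptions made for this illustration.

```python
# Added example: which flows do the two access-list entries in the post cover?
PORT_NAMES = {"domain": 53, "ldaps": 636}  # only the ASA port keywords used in the post

# Configuration copied from the question above.
CONFIG = """\
object-group service gatewayTCP tcp
 port-object eq 88
 port-object eq 135
 port-object eq 445
 port-object eq ldaps
 port-object eq 3268
 port-object eq 3269
object-group service gatewayTCP-UDP tcp-udp
 port-object eq domain
 port-object eq 389
 port-object eq 464
 port-object range 49152 65535
access-list dmzAccess extended permit tcp host 172.26.11.10 host 10.16.11.203 object-group gatewayTCP
access-list dmzAccess extended permit tcp host 172.26.11.10 host 10.16.11.203 object-group gatewayTCP-UDP
"""

def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def parse(config):
    """Return (groups, aces) for the statement forms used in the post."""
    groups, aces, current = {}, [], None
    for line in config.splitlines():
        p = line.split()
        if len(p) == 4 and p[:2] == ["object-group", "service"]:
            current = groups[p[2]] = {"protos": set(p[3].split("-")), "ports": []}
        elif current is not None and p[:2] == ["port-object", "eq"]:
            current["ports"].append((_port(p[2]), _port(p[2])))
        elif current is not None and p[:2] == ["port-object", "range"]:
            current["ports"].append((_port(p[2]), _port(p[3])))
        elif len(p) == 11 and p[0] == "access-list" and p[9] == "object-group":
            # access-list NAME extended ACTION PROTO host SRC host DST object-group GRP
            aces.append({"action": p[3], "proto": p[4], "src": p[6],
                         "dst": p[8], "group": p[10]})
            current = None
        else:
            current = None
    return groups, aces

def permitted(groups, aces, proto, src, dst, dport):
    """First-match evaluation with the implicit deny at the end of the ACL."""
    for ace in aces:
        ports = groups[ace["group"]]["ports"]
        if (ace["proto"] == proto and ace["src"] == src and ace["dst"] == dst
                and any(lo <= dport <= hi for lo, hi in ports)):
            return ace["action"] == "permit"
    return False

def uncovered_protocols(groups, aces):
    """Protocols a group is typed for that no entry referencing it matches on."""
    gaps = []
    for name, grp in groups.items():
        used = {a["proto"] for a in aces if a["group"] == name}
        if used:
            gaps += [(name, proto) for proto in sorted(grp["protos"] - used)]
    return gaps

if __name__ == "__main__":
    groups, aces = parse(CONFIG)
    for proto in ("tcp", "udp"):
        ok = permitted(groups, aces, proto, "172.26.11.10", "10.16.11.203", 53)
        print(f"{proto}/53 permitted: {ok}")
    print("group protocols with no matching entry:", uncovered_protocols(groups, aces))
```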

  • Object-group with network-object containing an IP address range

    Hello,
    Does the ASA treat an object-group with a network-object containing a range of IP addresses as a netmask? For example, I can apply this configuration without the ASA throwing any errors though the configuration calls for a 'net mask':
    object-group network test
    network-object 192.168.0.0 192.168.63.255
    network-object-group mode commands/options:
      A.B.C.D  Enter an IPv4 network mask
    sh run ob id test
    object-group network test
    network-object 192.168.0.0 192.168.63.255
    I found that in the documentation it requires a netmask as opposed to a range. Is this a bug in the code? I am running code version 8.0(5)23 on a 5520. If this is not a bug how does the ASA treat this type of configuration when applied to an access list? When I ran a quick packet trace and denied access from that range it looks like the ASA doesn't read that configuration properly. Thank you.
    -John

    Hello,
    Thank you for your replies. In code version 8.0(5)23, it appears I am able to define a "range" of IP addresses as in:
    192.168.0.0 192.168.63.255 as opposed to defining a range with a netmask like 192.168.0.0 255.255.192.0.
    With the "range" of IP address applied to the "object-group network test" with sub command "network-object 192.168.0.0 192.168.63.255" the ASA does not pick up on said "range" when this object group is applied to a DENY access list. It only reads it properly when the netmask is attached, which is the correct configuration, as in: "network-object 192.168.0.0 255.255.192.0".
    To clarify, I mean range as in 192.168.0.0 - 192.168.63.255.
    Hope this helps to understand. I am just curious as to why this is even able to be applied in such a way or if it is a bug in this particular code version? I can also confirm that this can be done in code version 8.4(2). See below snippets of my configuration in the 8.4(2) code version:
    access-list 101 line 3 extended deny ip object-group testmask any 0x577f55a8
      access-list 101 line 3 extended deny ip 192.168.0.0 192.168.63.255 any (hitcnt=0) 0x0623b0c4
    access-list 101 line 4 extended permit tcp any any eq 89 (hitcnt=1) 0x36f1e5cd
    Packet trace results in allowing the "range" of IP address:
    Result:
    input-interface: outside
    input-status: up
    input-line-status: up
    output-interface: dmztest
    output-status: up
    output-line-status: up
    Action: allow
    Now with the "correct" configuration:
    access-list 101 line 3 extended deny ip object-group testmask any 0x577f55a8
      access-list 101 line 3 extended deny ip 192.168.0.0 255.255.192.0 any (hitcnt=1) 0xa31c6bbd
    access-list 101 line 4 extended permit tcp any any eq 89 (hitcnt=1) 0x36f1e5cd
    Result:
    input-interface: outside
    input-status: up
    input-line-status: up
    output-interface: dmztest
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule
    Thank you.
    -John
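
An added example (not part of the original thread) of a configuration check for the situation described above: it flags `network-object` lines whose second field is not a contiguous netmask and proposes the mask form covering the intended range. It assumes the second field is applied bitwise as a mask, in line with the CLI help quoted in the post; `SAMPLE_CONFIG` is constructed from the lines in the post and the function names are illustrative.

```python
import ipaddress

# Constructed sample using the two forms discussed in the post.
SAMPLE_CONFIG = """\
object-group network test
 network-object 192.168.0.0 192.168.63.255
object-group network testmask
 network-object 192.168.0.0 255.255.192.0
 network-object host 10.0.0.1
"""

def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def is_contiguous_mask(mask):
    """True when the mask is a run of 1-bits followed only by 0-bits."""
    inverted = ~_to_int(mask) & 0xFFFFFFFF
    return (inverted & (inverted + 1)) == 0

def mask_match(addr, net, mask):
    """Bitwise comparison (assumption: how the second field is applied)."""
    m = _to_int(mask)
    return (_to_int(addr) & m) == (_to_int(net) & m)

def range_to_network_objects(first, last):
    """Mask-form network-object lines covering first..last inclusive."""
    nets = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return [f"network-object {n.network_address} {n.netmask}" for n in nets]

def lint_network_objects(config):
    """Flag network-object lines whose second field is not a valid netmask."""
    findings = []
    for lineno, line in enumerate(config.splitlines(), 1):
        p = line.split()
        if len(p) != 3 or p[0] != "network-object" or p[1] in ("host", "object"):
            continue
        net, second = p[1], p[2]
        try:
            if is_contiguous_mask(second):
                continue
            looks_like_range = _to_int(second) >= _to_int(net)
        except ipaddress.AddressValueError:
            continue  # not IPv4 literals; out of scope for this check
        findings.append({
            "line": lineno,
            "text": line.strip(),
            # Only propose a rewrite when the field reads as a range end.
            "suggest": range_to_network_objects(net, second) if looks_like_range else [],
        })
    return findings

if __name__ == "__main__":
    for f in lint_network_objects(SAMPLE_CONFIG):
        print(f"line {f['line']}: '{f['text']}' is not a netmask")
        for s in f["suggest"]:
            print("  use:", s)
    # A host inside the intended range is missed when the range end is read as a mask.
    print(mask_match("192.168.10.5", "192.168.0.0", "192.168.63.255"))
    print(mask_match("192.168.10.5", "192.168.0.0", "255.255.192.0"))
```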

  • How can I limit/control the addition of auth. objects to security roles?

    Checking the authorization object S_USER_VAL it seemed that it grants the ability to limit the addition of authorization objects, but I tried using a test ID in sandbox along with a test role, removing the object, creating ranges in order to limit to a certain type of auth. objects and it didn't work. S_USER_AGR will give me access to limit which type of roles I can modify, but I'm looking to restrict the addition of specific security objects to security roles. If anyone knows the answer to this please share! Thanks in advance for your help!!!!
    Edited by: Armando Salas on Nov 29, 2011 7:41 PM

    Hi Armando,
    Try with auth.obj. S_USER_AUT. A suggestion. Search this objects with tcode SU24, for instance, for tcode PFCG and it gives a list with objects.
    I hope this helps you
    Regards
    Eduardo

  • Subclass webutil object group problem

    Hi,
    I am using 10g form.
    I downloaded the webutil demo and got a form called WU_TEST_106 in which there is
    an object group called WEBUTIL.
    Then I create a new form and drag the object group WEBUTIL of the form
    WU_TEST_106 to the object group of the new form and choose 'subclass'.
    When I check the content of the WEBUTIL data block in the new form, there
    is no items there.
    There should be some bean area such as WEBUTIL_FILE_FUNCTIONS and
    WEBUTIL_HOST_FUNCTIONS etc.
    Anyone can help ?
    Ivan

    Do not subclass WEBUTIL from another form. In folder <DevSuiteHome>\forms there should exist file webutil.olb. Open this file directly in Form Builder using
       File | Open
    and subclass the objects contained within.
    Eric Adamson
    Lansing, Michigan

  • ORA-23326: object group "PUBLIC","REPG" is quiesced

    I am using Oracle 9i Enterprise Manager.
    I have two servers with databases isb.city and rwp.rawat. I completed the whole process of Multimaster Replication. I am working on the SCOTT schema as test. Right now I am working on LAN.
    Two servers are connected with each other. I am facing two problems:
    1) When I try following command, it shows no rows on both servers:
    SQL>SELECT DBLINK FROM DBA_REPSITES WHERE GNAME = 'repg';
    no rows selected
    2) When I try to insert data in the tables, it doesn't allow it and give following:
    ORA-23326: object group "PUBLIC","REPG" is quiesced
    I already made changes in init.ora and changed spfile file as well accordingly.
    What is wrong with my setup?

    Try this:
    1. SELECT DBLINK FROM DBA_REPSITES WHERE GNAME = 'REPG';
    2. You should change init.ora or spfile (database is using one of them):
    show parameter pfile will show you if you are using spfile or not
    execute RESUME_MASTER_ACTIVITY to unquiesce the replication group
    Best Regards
    Krystian Zieja / mob

  • Is it possible to nest object groups in forms?

    Title says it all, but to explain further - I'd like to create some object groups and the objects I'd like to include within these groups are themselves object groups.
    Is that possible?

    No - But you could subclass an object group and then add extra children to it.

  • Is there a listing of all Auth.Objects for SAP and the description for them

    I would like to know if there is a listing of all the Auth.Objects  for SAP out there somewhere??
    Thank you,
    Robert

    > Auth.Objects  for SAP out there somewhere??
    You want all the customer objects as well in all SAP systems?
    (Or just those in your TOBJ?)
    PS: Please try the F1 key on fields to find their tables (or structures) and give the search a try as well...
    Cheers,
    Julius
