BW Context Authorizations within Structural Auths

I have an urgent question for everyone:
Currently, we are using context authorizations within the R/3 environment and would like to integrate them into BW authorizations.  Is this possible and if so, how do you do it?  The problem is that there are multiple roles that are assigned to different profiles within the authorizations.  When I generate the authorizations in BW, it takes all of the profiles that are assigned to this user.  I know there is a note to remove a profile from a user but not sure how we can copy this logic over into BW.  I'm thinking they may have to create a report profile only and we only extract that one for BW?  Please inform.

Unfortunately, that isn't what I'm trying to do, let me see if I can make clearer (using 2 users in this scenario):
R/3
User 1,2 is assigned to Role 1 which is OrgUnit 1
User 1 is assigned to Role 2 which is OrgUnit 2
BW:
User 1 is assigned to Data Target 1, which has report 1 & report 2 assigned to it
Report 1 is for Role 1
Report 2 is for Role 2
DataTarget 1 has both Report 1 and Report 2 created against it.
User 1 is assigned to Role 1 and Role 2
User 2 is assigned to Role 2
When User 1 executes Report 1, they should only be able to see OrgUnit 1 and when User 1 executes Report 2, they should only be able to see OrgUnit 2.
When User 2 executes Report 2, they should only be able to see OrgUnit.
Unless we create a separate Multiprovider, is there a way to restrict user 1 on the OrgUnits by report on the same DataTarget?

Similar Messages

  • HR context structural auths and unrelated personnel IDs

    Hi,
    we are working on HR SAP 4.7 SAP R/3 Enterprise with these patch levels:
    COMPONENT Rel Liv. Supp.Pack. Descr.
    SAP_BASIS 620 0038 SAPKB62038 SAP Basis Component
    SAP_ABA 620 0038 SAPKA62038 Cross-Application Component
    SAP_APPL 470 0020 SAPKH47020 Logistics and Accounting
    SAP_HR 470 0028 SAPKE47028 Human Resources
    EA-HR 200 0009 SAPKGPHB09 SAP R/3 Enterprise HR Extension
    We are using only context structural authorizations (P_ORGINCON) with these switches:
    ADAYS 15 HR: tolerance time for authorization check
    APPRO 0 HR: Test procedures
    DFCON 4 HR: Default Position (Context)
    INCON 1 HR: Master Data (Context)
    NNCON 0 HR:Customer-Specific Authorization Check (Context)
    NNNNN 0 HR: Customer-specific authorization check
    ORGIN 0 HR: Master data
    ORGPD 4 HR: Structural authorization check
    ORGXX 0 HR: Master data - Extended check
    PERNR 1 HR: Master data - Personnel number check
    XXCON 0 HR: Master Data - Enhanced Check (Context)
    Everything works fine except for personnel IDs not linked to OM.
    If we use PA40 to assign an "unrelated object" (personnel IDs) to the OM structure, the
    action works correctly.
    We are not able to assign unrelated personnel IDs to OM using PPOM.
    Even if we have assigned the value 4 to both DFCON and ORGPD, we have to create a large
    structural authorization with maintain flag active (the same as ALL in OOSP) and assign it to
    the user in order to see the button "unrelated object" in PPOM.
    In other words: it seems that unrelated personnel IDs need structural authorizations in order
    to be assigned in OM.
    Any idea ?
    Is this a bug ?
    Thanks
    Andrea Cavalleri

    There are many ways of doing this depends which one you like....
    1. Create a custom Function Module which will perform end to end extraction of desired Objects. There is no need to pass on some inputs for evaluation path. Just while creating structural, keep everything blank except for the last column to put your custom FM. This is a technique to control Structural using FM only.
    2. In a structural use two lines...one might be with standard FM, other one should pick specific objects which you don't want user to have access. Ensure to check exclude beside that line. The Intention is to remove undesired objects from populating in OOSB.
    3. Implement a BADI which will be executed after RHBAUS* programs are run, whose objective should be to identify these CIDs and remove them from T77UU table or INDX or from OOSB.
    Please do not confuse P_ORGINCON with structural authorization. The integration of PA and structural authorization is to provide different level of access to set of objects pulled by structural auth.
    There can be plenty other ways to do it.....HR Security is a playground where multiple games can be played at a time

  • Restrict HR Authorization Object PLOG By HR Structural Auth Profile

    Via OSS Note 453786, SAP requested customers not to use HR Authorization Object PLOG_CON. 
    We have a requirement to restrict HR Authorization Object PLOG by HR Structural Authorization Profiles. How are other customers able to accomplish this objective without authorization object PLOG_CON being used?
    (Custom solution:  ZPLOG_CON/custom FM, or use HRBAS00_STRUAUTH BADI)?
    Thank you,
    Ken

    Ken,
    1. the note you mentioned is specific to sap version 46b. is that the version your client is on? just wanted to check.
    2. then you have not mentioned anything about the requirement, i mean explicit details.. without which it is very difficult to come to a solution.
    3. you look like you are on the right track of thinking though with the z-auth-object/function module/badi thingy...
    4. ultimately solution is dependant on the explicit requirements.
    the 'con' bit usually refers to context sensitiveness of security when a mixture of regular and structural auths would not meet the security requirements.... so at a high level:
    1. design the structural profile with the right combo of eval path and function module(z-fm?)
    2. do the right thing by plog by explicitly mentioning levels of auths for all objects and subtypes and infotypes as well.
    3. use p_orgincon to assign the structural profile
    4. a combination of all of the above should do the trick...
    good luck
    cheers

  • Users Are Not Removed From Old Position Via Structural Auth

    Hello...
    Has anyone experienced an issue where someone moves from one position into a new one, and the old reporting manager can still see this person's information via structural auth?  There's a general structural profile with the evaluation path o-s-p and function module RH_GET_ORG_ASSIGNMENT which is assigned to all accounts in the system.  This profile works as intended when Person A moves to a different position reporting to Manager B.  Manager B can view Person A's information (time, personal, etc.); however, the system does not remove Person A from Manager A.  In addition, the RHPROFL0 is scheduled twice a day.
    Thanks for any insights or thoughts on this issue.

    Hmm...
    Which release and SP are you on?
    Also check the depth of the profile (just in case the employees were demoted...) and the period (although you mention that it should be current only).
    I have only been involved in custom implementations of "structural authorizations" because the standard is quite tricky and complex to find an error or inconsistency - so hopefully one of the other gurus who are more familiar with it can help as well.
    Cheers,
    Julius

  • Need to deactivate structural auth. check for a custom Report

    Hi all experts:
    I have a report that is based on PNPCE logical database and it displays work hours for a project, all non-sensitive information.  We would like a wide range of users to have access to this but since this is based on PNPCE logical database whenever a user runs it, the str. authorization check is performed.  I have tried to deactivate this check with P_ABAP object and COARS 2 but it only ignores infotype auth. check but still checks the structural.  We don't want to expand str. profile for users. 
    Do you know if there is a way to deactivate this just for one report?
    Your help will be greatly appreciated.
    Regards,
    Net

    Thanks Kiran. I had tried that value but still got the same message.  I am having problem understanding exactly when this value 2 ignores structural authorization because it works on some reports and not others.  Anyway, we implemented BADI for this report to ignore structural auth. check and it is working fine.
    Thanks again,
    NT

  • Can we give more than one value for an Authorization field in Auth-Check.

    Hi all,
    Can we give more than one value for an Authorization field in Auth-Check.
    Ex: AUTHORITY-CHECK OBJECT 'S_TRVL_BKS'
    ID 'ACTVT' FIELD '02'
    ID 'CUSTTYPE' FIELD <Value 1> <Value 2> <Value 3>.
    IF SY-SUBRC <> 0.
    MESSAGE E...
    ENDIF.
    If yes, please help me with exact syntax.
    Think it will be like
    ID 'CUSTTYPE' FIELD: <Value 1>, <Value 2>, <Value 3>.

    Hi,
    yes we can give more than one field.
    program an AUTHORITY-CHECK.
    " One statement: the period comes only after the last ID ... FIELD pair.
    AUTHORITY-CHECK OBJECT <authorization object>
       ID <authority field 1> FIELD <field value 1>
       ID <authority field 2> FIELD <field value 2>
       ID <authority-field n> FIELD <field value n>.
    The OBJECT parameter specifies the authorization object.
    The ID parameter specifies an authorization field (in the authorization object).
    The FIELD parameter specifies a value for the authorization field.
    The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.
    please reward points, if it is useful.
    satish.

  • Retrieve data from other context node within the same context

    Hi Experts,
    I want to redefine method BUILD_TABLE for a table context node and I need to access data from another context node within the same context. I have looked through the methods of class CL_BSP_WD_CONTEXT_NODE_TV but could not find a mean of retrieving the other context nodes.
    Any ideas?
    Thanks a lot. Your help is appreciated.
    Cheers,
    Jens

    Hi Jens,
    Check this [wiki|http://wiki.sdn.sap.com/wiki/pages/viewpage.action?pageId=201066680] it should be helpful.
    Regards,
    Shobhit

  • No context menu within Web Application in Portal

    Hello all,
    our user runs Web Application via Portal. Normally they can call up the context menu within the web application in order to access the context menu. There they can drill down, swap characteristic, distribute, etc.
    For some user we notice that this context menu is not appearing by right mouse click, but the context menu from the internet explorer. That means that these user can not navigate properly within the web application.
    When the user executes the Web application via the Bex browser, the context menu appears properly. When I log on in into the portal/bex browser on the users PC, the context menu is also appearing properly.
    Is there an user-specific portal setting, which is to maintained?
    Any help would be great.
    Best regards,
    Stefan from Munich/Germany

    Hi Stuart,
    The easiest way to achieve the desired behavior is to make some changes to your web-j2ee-engine.xml file.
    In the login module configuration element edit the security-policy-domain field to “/irj”. This will provide you access to your application from the portal without re-authentication to be required.
    See also http://help.sap.com/saphelp_nwce10/helpdata/en/3e/ee7aa1ab8b4442bab00ba3171cef72/content.htm
    Regards,
    Diyan

  • HR restrictions required across personnel areas w/o structural auths

    The business has the need to restrict their HR users to a select population of users.  Example, we need to be able to exclude the Executive population.  The executive population is across multiple organizations (personnel areas) and we cannot use the employee subgroup field to restrict on (04) for Executives because not we have some ISA's that we have coded US-ISAs so they are not reflected in the master data as (04). We have not implemented structural authorizations but I need to know if there is a means to restricting (PA20 - display of master data) on groups of associates without structural authorizations??

    Hi,
    From my clients implementations so far, I have seen two approaches to restrict access to executive's PA data in PA20:
    1. Based on organizational key which can be restricted at role level via auth objects- P_ORGIN
    2. Implementing custom exit/BADI in the PA20 program  or implement customer specific auth object [P_NNNNN|http://help.sap.com/saphelp_470/helpdata/en/4e/74ba3bd14a6a6ae10000000a114084/content.htm] to additionally check authorization for a custom auth object while executing PA20 which restricts access for specific range of personnel numbers that belong to the executives.
    In short, either organization key (i.e personnel area + cost center) or personnel number of executives should fall within a reserved number range which can be used to restrict the access to their PA data.
    Thanks
    Sandipan

  • Authorization within a report

    I have a report, and that transaction is assigned to different roles, which are assigned to different users.
    How do I limit which company code can be view per user? I am not sure how the authorization objects work when it comes to reporting. In PFCG I have trouble finding any objects relating to this report.
    Can someone point me in the right direction please?
    Allie

    Hi,
    usually authorization is not added on for one field in a table. if the user is not authorized to view the total field, then check the authority at the beginning of the program. If the authority fails do not display the total field, else display the total field. There is no need to add authority check inside the loop.
    AUTHORITY-CHECK OBJECT object
    ID name1 FIELD f1
    ID name2 FIELD f2
    ID name10 FIELD f10.
    Effect
    Explanation of IDs:
    object: Field which contains the name of the object for which the authorization is to be checked.
    name1 ... name10: Fields which contain the names of the authorization fields defined in the object.
    f1 ... f10: Fields which contain the values for which the authorization is to be checked.
    AUTHORITY-CHECK checks for one object whether the user has an authorization that contains all values of f (see SAP authorization concept).
    You must specify all authorizations for an object and also a value for each ID (or DUMMY).
    The system checks the values for the IDs by AND-ing them together, i.e. all values must be part of an authorization assigned to the user.
    If a user has several authorizations for an object, the values are OR-ed together. This means that if the CHECK finds all the specified values in one authorization, the user can proceed. Only if none of the authorizations for a user contains all the required values is the user rejected.
    If the return code value in SY-SUBRC is 0, the user has the required authorization and may continue.
    The return code value changes according to the different error scenarios. The return code values have the following meaning:
    4: User has no authorization in the SAP System for such an action. If necessary, change the user master record.
    8: Too many parameters (fields, values). Maximum allowed is 10.
    12: Specified object not maintained in the user master record.
    16: No profile entered in the user master record.
    24: The field names of the check call do not match those of an authorization. Either the authorization or the call is incorrect.
    28: Incorrect structure for user master record.
    32: Incorrect structure for user master record.
    36: Incorrect structure for user master record.
    If the return code value is 8 or 24, inform the person responsible for the program. If the return code value is 4, 12, 16 or 24, consult your system administrator if you think you should have the relevant authorization. In the case of errors 28 to 36, contact SAP because authorizations have probably been destroyed.
    Individual authorizations are assigned to users in their respective user profiles, i.e. they are grouped together in profiles which are stored in the user master record.
    Note
    Instead of ID name FIELD f, you can also write ID name DUMMY. This means that no check is performed for the field concerned.
    The check can only be performed on CHAR fields. All other field types result in 'unauthorized'.
    Example
    Check whether the user is authorized for a particular plant. In this case, the following authorization object applies:
    Table OBJ: Definition of authorization object
    M_EINF_WRK
    ACTVT
    WERKS
    Here, M_EINF_WRK is the object name, whilst ACTVT and WERKS are authorization fields. For example, a user with the authorizations
    M_EINF_WRK_BERECH1
    ACTVT 01-03
    WERKS 0001-0003 .
    can display and change plants within the Purchasing and Materials Management areas.
    Such a user would thus pass the checks
    AUTHORITY-CHECK OBJECT 'M_EINF_WRK'
    ID 'WERKS' FIELD '0002'
    ID 'ACTVT' FIELD '02'.
    AUTHORITY-CHECK OBJECT 'M_EINF_WRK'
    ID 'WERKS' DUMMY
    ID 'ACTVT' FIELD '01'.
    but would fail the check
    AUTHORITY-CHECK OBJECT 'M_EINF_WRK'
    ID 'WERKS' FIELD '0005'
    ID 'ACTVT' FIELD '04'.
    To suppress unnecessary authorization checks or to carry out checks before the user has entered all the values, use DUMMY - as in this example. You can confirm the authorization later with another AUTHORITY-CHECK.
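The AND/OR evaluation rule quoted above, and the earlier question about checking several values for one field, modelled as an added Python example (not code from the thread or from SAP). The data structures, function names and the second user are constructed for illustration; the return codes follow the list quoted above.

```python
# Model of the AUTHORITY-CHECK evaluation rule described above:
# within one authorization all field values are AND-ed, and the user's
# authorizations for the same object are OR-ed (they are never merged).

DUMMY = object()  # stands for "ID name DUMMY": the field is not checked


def value_allowed(value, allowed):
    """allowed: list of single values or (low, high) ranges, compared as CHAR."""
    for entry in allowed:
        if isinstance(entry, tuple):
            low, high = entry
            if low <= value <= high:
                return True
        elif entry == value:
            return True
    return False


def authority_check(user_auths, obj, ids):
    """Return a modelled SY-SUBRC.

    user_auths: list of (object name, {field: allowed values}) per authorization
    ids:        {field: value or DUMMY} as written in the check call
    """
    if len(ids) > 10:
        return 8                      # too many parameters
    candidates = [fields for name, fields in user_auths if name == obj]
    if not candidates:
        return 12                     # object not in the user master record
    if any(set(ids) != set(fields) for fields in candidates):
        return 24                     # field names do not match the object
    for fields in candidates:         # OR across authorizations
        if all(v is DUMMY or value_allowed(v, fields[f])   # AND across fields
               for f, v in ids.items()):
            return 0
    return 4


def failed_values(user_auths, obj, field, values, other_ids):
    """One check call carries one value per field, so several values
    (the CUSTTYPE question above) need one check per value."""
    return [v for v in values
            if authority_check(user_auths, obj, {**other_ids, field: v}) != 0]


# The user from the M_EINF_WRK example above: ACTVT 01-03, WERKS 0001-0003.
PAGE_USER = [
    ("M_EINF_WRK", {"ACTVT": [("01", "03")], "WERKS": [("0001", "0003")]}),
]

# Constructed user with two authorizations for the same object. Together
# they contain ACTVT 02 and WERKS 0005, but no single authorization has both.
SPLIT_USER = [
    ("M_EINF_WRK", {"ACTVT": [("01", "03")], "WERKS": ["0001"]}),
    ("M_EINF_WRK", {"ACTVT": ["03"], "WERKS": ["0005"]}),
]

if __name__ == "__main__":
    checks = [
        (PAGE_USER, {"WERKS": "0002", "ACTVT": "02"}),
        (PAGE_USER, {"WERKS": DUMMY, "ACTVT": "01"}),
        (PAGE_USER, {"WERKS": "0005", "ACTVT": "04"}),
        (SPLIT_USER, {"WERKS": "0005", "ACTVT": "02"}),
    ]
    for auths, ids in checks:
        shown = {f: ("DUMMY" if v is DUMMY else v) for f, v in ids.items()}
        print(shown, "->", authority_check(auths, "M_EINF_WRK", ids))
    print(failed_values(PAGE_USER, "M_EINF_WRK", "WERKS",
                        ["0001", "0003", "0005"], {"ACTVT": "02"}))
```

The last check on the constructed user is rejected even though each value appears somewhere in that user's authorizations, which is the practical consequence of the OR rule when permissions for one object are split across roles.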

  • BW Authorizations/Report. Auth Object/KF's vs. Calc. KF's

    We implemented a custom/reporting auth. object to protect key figures (1KYFNM) and it works well. The issue is that our user community never ceases to come up with new and even more creative requirements.
    Let me illustrate the latest requirement:
    I have locked-down access to certain key figures (let's call them 'KF A' and 'KF B') and therefore subsequently secure all combinations involving either one of the two meaning calc. KF D (KF A plus KF C) is locked down as well. I also need to mention that users are supposed to be able to create their own ad-hoc queries, which eliminates the option of limiting them to a query or set of queries that accomplish the following requirement.
    There are certain totals, which are calc. KF's that the users are allowed/required to see even though they are not supposed to see what makes up these numbers (they should see calc. KF K which is made up of KF A, KF B, and KF H, etc. but not KF A and KF B).
    Without the option of providing the users with rather static queries, I see another option as calculating 'KF K' (from the previous example) at the time of the load and just making it another key figure in the cube which then can be excluded from the auth. check previously mentioned based on the naming convention. The problem with that is that this will make reporting rather inflexible, increase load times as this calculation is rather complicated, and it will also create redundant information in an environment that is already experiencing substantial growth and volume.
    Does anyone see any other solution?
    Thanks,
    Joerg

    Joerg,
    I'm afraid that there's no special authorization handling for calculated key figures. To my best knowledge, the approach to create another key figure at data load time via transfer rules or update rules would be the only one that can work. While this approach may not be flexible, the load time should not increase significantly if you just add two key figure values into a new one.
    If you find this approach is unacceptable or it is a common requirement among BW community, you might consider submitting such requirement through ASUG BI Group or via OSS development request.
    Thank you for your question and patience.
    Regards,
    Amelia Lo
    SAP NetWeaver RIG, US
    SAP Labs, LLC

  • Authorization check failed Auth. Obj. M_MSEG_LGO Goods Movements

    Hello security team.
    We are using two roles for one authorization object to be checked in the MIRO transaction. One role (1) checks the S_TCODE and the authorization object M_MSEG_LGO for ACTVT and  BWART  fields. The other role (2) checks for the same authorization object M_MSEG_LGO for LGORT and WERKS fields. I mean that the complementary effect between the two profiles attached to one and only user and employing the same authorization object M_MSEG_LGO could satisfy the return code SY-SUBRC = 0.
    I have the detailed error message in a file. Please let me know if the issue is clear enough.
    Best Regards,
    Victor Sarabia
    Edited by: Victor  Sarabia Rangel on Mar 16, 2010 2:16 PM

    Hello  Prasant and Julius.
    When you enter a goods movement  using transaction MIGO  I use the movement type values for a good movement. vgr. movement type 987 - Init. entry of state balance or movement types 101,102 GR goods receipt & GR PO reversal BWART field from the authorization object  M_MSEG_LGO.  We gather the movement type values into groups that represents the structural basis that distinguish between , for example:  Goods Receipt with Outbound delivery or  Place in Storage with Material Document .
    Authorization profile 1 for Outbound Delivery with transaction MIRO.
    S_TCODE: MIRO
    M_MSEG_LGO: Inactive
    Authorizat. T-C161126200
    Profl. T-C1611262
    Role MM_AL_OPERACION_ENTRADAS MMA_GRC: OPERACIONES ALMACENES
    Authorization profile 2 Bolton
    M_MSEG_LGO maintained
    Authorizat. T-C161137500
    Profl. T-C1611375
    Role NIVORG_ALMACENENTRADAS_4515  BOLTON:  PLANT ORG LEVEL
    Authorization Field ACTVT Activity
    01, 02, 03
    Authorization Field BWART Movement Type (Inventory Management)
    101, 102, 103, 104, 105, 122, 123, 543, 544, 901, 902, 903, 904, 905, 906, 915, 916, 925, 926, 947, 948, 979, 980, 981, 982, 987, 988, DMS, RMS
    Authorization Field LGORT Storage location
    1000-1100, 1071, 1CBE, 2000, 3000, 3500, 4000, 5000, 6000, 7000, REHA, T000
    Authorization Field WERKS Plant
    4013-4019
    Profile 1: transaction_code MIRO binds with Profile 2: M_MSEG_LGO, movement type 987 and Authorization Field WERKS Plant 4013 and Storage Location 3000 to satisfy the return code SY-SUBRC = 0 for Goods receipt & Outbound Delivery position in the organization
    The binding between master profile 1 and the bolton profiles 2,3,4….n results in an organized role framework and greater specificity for handling different positions in the organization.
    Thank you.
    Victor Sarabia

  • Function module RH_GET_MANAGER_ASSIGNMENT in MSS, HR Structural auth

    Hi,
    - Is function module RH_GET_MANAGER_ASSIGNMENT only valid when a personnel user is flagged as 'chief position' in HR Org model ? As this function module uses MANASS evaluation path and A012 (Manages...) as relationship, can it be used without mentioning 'chief position' in HR Org model ?
    If no, what would be the best solution to find out all employees in MSS (Manager Self Services) case using HR Structural authorizations ? Custom Evaluation Path and Relationship ?
    - What is the major difference in Evaluation Paths : MANASS, MSSDIREC and MSSREPS ?
    Thanks,
    Karan..

    You can maintain evaluation paths in transaction OOAW.
    There you also see the differences of the paths you mentioned.
    To find existing paths to suit your needs you can use the search help in transaction PPSS.
    Kind regards, Rob Dielemans

  • 3 level authorization table structure

    Hi ,
        I have an application, I want add a feature of maker,checker and authorize for every record in a table. I am explaining in below details.
    Ex : -
         Suppose I have one table called Employee table. There are 3 users are there. one is maker, 2nd one is checker and last one is authorize person. So when 1st user creates an employee record in database then this record is not live means
    this record can not be used in any transaction. Once checker is checked and authorize user is authorized this record will go live. Same thing is applicable for update and delete also. So I want a table structure how to achieve this in real time. I have designed
    a structure but I need a reliable and simple design. Please advise if any.

    Looks like you need a single column to identify the type of user (M,C or A) Much better this scenario described here
    http://vyaskn.tripod.com/row_level_security_in_sql_server_databases.htm
    Best Regards,Uri Dimant SQL Server MVP,
    http://sqlblog.com/blogs/uri_dimant/

  • New structural auth. profile

    Hello!
    I need to remake old profile (O-S-P) - keep all structure, but delete authorization on personnel numbers in top (O1).
    O1
    P1
    P2
    O2
    P3
    P4
    O3
    P5
    =>
    O1
    O2
    P3
    P4
    O3
    P5
    It's possible using combination of standard evaluation paths?
    May be I need to create profile for
    O2
    P3
    P4
    O3
    P5
    + the head
    O1?
    Thanks in advance!

    So, you want to show Organisation Unit level O1, but not the positions under level O1? But you still want to show Org Units and positions for O2 and O3?
    I don't think this is possible with standard evaluation paths.
    Not sure why you'd want to do this either....!
