CATS selection + Structural Authorization Check

Similar Messages

• Structural authorization check in HR-ABAP

  Hello Friends,
  I am not able to get how to do the structural authorization check, my exact problem was : There is a report where it diplays all the qualifications of the employees and now I should restrict to only the employees who belongs to the organization unit depending upon the user who is running the report belongs to. It should check some more authorization profiles also.
  Regards,
  Yoganand.

  Hi Yoganand,
  if you use logical database PCH in your report, it should work by default.
  Manually search for RHSTRUAUTH in transaction SE37. There
  is a function modul which gives a list with the person the user has authorization.
  With this list you could compare the list with selected persons.
  hope this helps.
  Regards
  Bernd

• How To Create ABAP Code For HR Context Sensitive Structural Authorization

  Hello,
  We have created a HR Custom Program which IS NOT built off the PCH or PNP Logical Database. As a result, we need to manually create ABAP code for HR Context Sensitive Structural Authorization Check in our custom HR program. Via HR Context Sensitive Structural Authorizations, we are restricting access to personnel numbers and the underlying HRP* tables.
  Any assistance would be greatly appreciated with the identification of the SAP standard function modules (Ex. RH_STRU_AUTHORITY_CHECK, HR_CHECK_AUTHORITY_INFTY, HR_CHECK_AUTHORITY_INFTY , etc) used in HR Context Sensitive Structural Authorization Check, how they are used to control HR Structural authorization (P_ORGINCON), and some sample code.
  Thank you in advance for all your assistance,
  Ken Bowers

  Hello Ken
  You can use the interface methods IF_EX_HRPAD00AUTH_CHECK to get the same structural authorization as you can see in PA20/PA30. You need to use the methods set_org_assignment and check_authorization for this purpose. For more information you can refer to include FP50PE21 from line 237 onwards till 270.
  Regards
  Ranganath

• Structure Authorization Issue

  Hi guys,
  I don't have structure authorization implemented or HR system implemented. I was playing with my sandbox system to learn structure authorization by using step by step tutorial.  After I created a structure authorization for two users I deleted everything related to structure authorization but unfortunately, some t-codes related to org chart for example PPOME, PPOMW are not working properly, its not allowing to create new org char.
  We have another team needs to create some org chart for prototyping but they can't create org chart its giving no authorization error when I ran SU53 it's not giving regular auth error its also give failed HR structure authorization error, this is the error in su53 coming (Date 10/01/2010 and time Plan version 01 Object ID 5000075 Action LISD) there are so many different object ID on the list.
  They all already have SAP_ALL in the system. Can anybody give some kind of report so I remove structure authorization completely from the system.
  Please help
  Thanks

  Structural Authorization Check
  Structural authorizations are used to grant access to view information for personnel where HR OM has been implemented as we stated. The Access is granted to a user implicitly by the useru2019s position on the organizational plan.
  On top of the general authorization check, which is based on authorization objects, you can define additional authorizations by hierarchical structures.
  In each area, the combination of start object and [Evaluation Path|http://help.sap.com/saphelp_erp60_sp/helpdata/en/35/26c256afab52b9e10000009b38f974/content.htm] from an existing structure returns a specific number of objects. This exact combination, in other words the number of objects returned by this combination, represents a useru2019s [Structural profile|http://help.sap.com/saphelp_erp60_sp/helpdata/en/0c/49ba3b3bf00152e10000000a114084/content.htm]. So structural authorization check is therefore based on a Dynamic concept: The concrete objects that are returned by a structural profile change as the structure (under the start object) changes.
  Steps to Perform to Set Up Structural Authorization Check in brief:
  (Before start moving for str. auth profile it is assumed that the Switch AUTSW for HR General Authorization check is also activated in table T77S0. Structural Authorization won't give the access for accessing HR data as described in the last posts and works together with General Authorization - to remind you)
  1. Integration:  Control parameters for the integration of Personnel Planning and Development (PD) with other applications (such as Personnel Administration (PA) and Cost Accounting (CO), etc.) are specified in the "PLOGI" group.
  2. Turn on PD PA switch: TCode used is OOPS. Ensure value registered for PLOGI u2013 ORGA is X. No other values need to be checked or changed.
  (Note: PD and PA sub modules of HR are not configured to share data by default in the SAP delivered system. This switch must be on for data to flow between both modules.)
  3. Turn on Structural Authorizations Main Switches : TCode is OOAC. Value for ORGPD is set to 1.
  4. Create Org. Plan (check the first post).
  (Note: Do not create your Organizational Plan without this switch on. If you do, structural authorizations will not work and some org and infotype setup will not work. You cannot turn the switch on and get structural authorizations on an organizational plan, that was created while it was off, to work..)
  5. Create Personnel Master Record: Tcode is PA40. This is time consuming staff.
  6. Create record for Infotype 0105 - TCode is PA30.
  7. Create Structural Authorization Profiles u2013 TCode = OOSP
  8. Create entry for IT 1017 - TCode is PO10 (Organizational Unit) or PO13 (Position).
  9. Assignment of Structural Authorizations: The assignment of the Structural Authorization can be found with good details here in [SAP Help|http://help.sap.com/saphelp_erp60_sp/helpdata/en/97/27973b3ea3eb0fe10000000a114084/frameset.htm].
  Please check and let us know for any query.
  Regards,
  Dipanjan

• HR strutural Authorization check in the Lean order Interface (LORD)

  Hi ,
  We place Quotations , Orders in CRM 7.0 , via the Lean order Interface Screen (LORD) . So users in ECC have HR structural authorization and they seems to the checked ( for the HR# part of the Sales Team , and comming accross as partner function in the Quotations , Orders documents )
  Can we avoid the HR structural Authorization check in the Lean order Interface ?

  Dear Christophe,
  I do not understand the requirement...you create ERP orders via CRM interface, and you have set up authorization in ERP for the users. Why do you want to prevent the authority check when coming from CRM when it is needed ?
  However please consider note 1446253 quesiton 9.
  You might activate or deactivate the "current user" flag in sm59 for your ERP system.
  Hope this information helps...
  Regards
  Rene

• How to deactivate authorization check?

  hi ,
  how to deactivate  Authorization check?
  thanks.
  reddy.

  Use switch T77S0 to control the use of an authorization object during the authorization check.
  If value is 0 authorization check is inactive, if value is 1 inactive. See example below.
  AUTSW     ADAYS            15     HR: tolerance time for authorization check
  AUTSW     APPRO     0     HR: Test procedures
  AUTSW     DFCON     1     HR: Default Position (Context)
  AUTSW     INCON     0     HR: Master Data (Context)
  AUTSW     NNCON     0     HR:Customer-Specific Authorization Check (Context)
  AUTSW     NNNNN     0     HR: Customer-specific authorization check
  AUTSW     ORGIN     1     HR: Master data
  AUTSW     ORGPD     0     HR: Structural authorization check
  AUTSW     ORGXX     0     HR: Master data - Extended check
  AUTSW     PERNR     1     HR: Master data - Personnel number check
  AUTSW     VACAU          Activate Auths for Maintaining Vacancies (PBAY)
  AUTSW     XXCON     0     HR: Master Data - Enhanced Check (Context)
  http://help.sap.com/saphelp_erp60_sp/helpdata/EN/84/49ba3b3bf00152e10000000a114084/frameset.htm
  Regards,
  David

• Selection screen and authorization check for plant from 2 diff tables?

  Hi,
  Could anyone help me out?
  how to write code for  this?
  u2022   Fields for selection
  Plant : WERKS (one selection) - check authorization access u2013 Mandatory .
  Material code MATNR (one selection) - Mandatory
  and while doing the authorization check how should i check it ? here iam taking the table as t001w for werks and for selection screen iam taking it from another Z table......i should take 2 different tables here.....for selection and for authorization.
  my code is pasted below:
                   Data Declarations                                  *
  data: s_werks type t001w-werks.
                   Selection Screen                                    *
    SELECTION-SCREEN BEGIN OF BLOCK b1 WITH FRAME TITLE text-h01.
    PARAMETER : p_werks like Ztable-werks OBLIGATORY,
                p_matnr like mara-matnr  OBLIGATORY.
    SELECTION-SCREEN END OF BLOCK b1.
                   Start-of-Selection                                  *
  START-OF-SELECTION.
  **-Get Plants for Authorization check.
     SELECT werks
            FROM t001w
            INTO TABLE it_werks
        WHERE werks IN s_werks.
      LOOP AT it_werks INTO x_werks.
         v_werks = x_werks.
  Regards,
  Reddy

  Plant : WERKS (one selection)
  That means only 1 plant value to be given? Then you can use PARAMETERS instead of SELECT-OPTIONS. And additionally, you'll only have to check that plant value.
  Using SELECT-OPTIONS you would indeed retrieve the plants and check each individual selected plant. Your code for that is good enough to start with.
  I wouldn't do the check in the START-OF-SELECTION event, but rather in the AT SELECTION_SCREEN event.
  To perform an authorisation check; try the ABAP help on AUTHORITY-CHECK. And you will need to know which authorisation object you need to use.
  Just noticed you're using PARAMETERS
  WHERE werks IN s_werks
  should be
  WHERE werks eq p_werks
  But actually you don't need to select T001W. Just use the value in p_werks.
  Edited by: Maen Anachronos on Oct 10, 2008 7:53 PM

• Authorization check for select-options field - Company code.

  Hi experts,
  i have company code field on the report selection screen and i have to validate the authorization check for BUKRS.
  How to do authorization check for a select-options field?
  Any function modules used to write the authorization check for a SELECT-OPTIONS FIELD?
  Thanks.

  >
  RNB wrote:
  > Any function modules used to write the authorization check for a SELECT-OPTIONS FIELD?
  Does it hurt to type a few lines of code? Why do you need an FM for this my friend?
  Anyways can you please tell which SAP application area (viz. FI, SD etc.) do you want to run the report?
  Suhas

• Authorization check by Cost centers

  Hello all,
  I developed a report in Report Painter and the requirement is that the users be able to run it only for their own CCtrs - challenge is that we are trying to not use variants, custom transactions and also modifying / checking authorization at at SU01 level.
  Is there any other way to do this and if yes can you pls provide some details.
  Thanks,
  Richa

  hi richa,
  Authorizations with Variables
  Definition
  Instead of using a single value or interval, you can also use variables in authorizations. The Customer Exit is called up for these variables while the authorization check is running. The call is carried out with I_STEP = 0. The intervals of characteristic values or hierarchies for which the user is authorized can be returned here. By doing this, the maintenance load for authorizations and profiles can be reduced significantly.
  Every cost center manager should only be allowed to evaluate data for his/her cost center. Within the SAP authorization standard, a role or a profile with the authorization for the InfoObject 0COSTCENTER equal to ‘XXXX’ (XXXX stands for the particular cost center) would have to be made for every cost center manager X. This then has to be entered in the user master record for the cost center manager.
  Using variables reduces the authorization maintenance workload with the InfoObject 0COSTCENTER equal to ‘$VARCOST’, as well as with the role or the profile, which is maintained for all cost center managers. The value of the variable ‘VARCOST’ is then set for runtime during the authorization check by the CUSTOMER-EXIT ‘RSR00001’.
  Maintaining the authorizations restricts the entries for the values to the length of the existing InfoObject. It is possible, however, to use both limits of the interval. In the example 0COSTCENTER with 4 spaces, the variable ‘VARCOST’ is, therefore, entered as ‘$VAR’ – ‘COST’.
  There is a buffer for these variables. If this buffer is switched on, the customer exit is only called up once for a variable with the authorization check. In doing so, you avoid calling up the customer exit for variables over and over, as well as decreasing performance. If you want to call up the customer exit each time, you have to deactivate this buffer in the Setting Up Reporting Authorizations. To do this, go to the main menu and choose Extras  ® Compatibility  ® Buffer for Variables (Customer-Exit)  ® Deactivate..
  You can also call up the customer exit for authorizations for hierarchies. There are two ways to do this:
         1.      Enter the variable in the authorization for characteristic 0TCTAUTHH. The customer exit is then called up while the authorization check is running. In the LOW fields of the return table E_T_RANGE, the system anticipates the technical name for the hierarchy authorization that you specified in the authorization maintenance (transaction RSSM).
  As a result, all parameters are available for such an authorization. Nevertheless, you must also create a new definition for each node.                                    
         2.      Where many authorizations differ from an authorization for a hierarchy only in respect to the nodes and not to the other authorizations, we suggest the following solution: Different users can be authorized for a specific hierarchy area (subtree). The highest node is different for each user.                                          
  Do this by creating an authorization for a hierarchy in the transaction RSSM and enter this in the authorization or role. Instead of specifying a particular node, you specify the variable in the authorization maintenance (transaction RSSM). The customer exit is then called up for the node while the authorization check is running. The return table E_T_RANGE must be filled according to the customer exit documentation (nodes in the LOW field, InfoObject of the node in the HIGH field
  Setting Up Reporting Authorizations
  Use
  Before you are able to set up reporting authorizations, you have to create authorization objects.
  As soon as an authorization object is saved, it can be checked when a query is run. The user may not have the appropriate authorizations if he or she has not yet been assigned this authorization object.
  Only when the user has been assigned the appropriate authorizations can he/she define and execute a query or navigate in an existing query.
  If in the query a characteristic value or a node is excluded, a complete authorization check “*” is required.
  Procedure
  Creating an authorization object
         1.      In the SAP Easy Access initial screen of the SAP Business Information Warehouse, choose the path SAP Menu ® Business Explorer ® Authorizations ® Reporting Authorization Objects.
         2.      Choose Authorization Object ® Create. Give the authorization object a technical name and a regular name. Save your entries.
         3.      On the right-hand side of the screen, an overview of all the InfoObjects that are authorization-relevant is displayed.
  Only those characteristics that have been flagged as authorization-relevant previously in the InfoObject maintenance screen can be assigned as fields for an authorization object. See also: Creating InfoObjects: Characteristics
         4.      Assign the InfoObject fields to the authorization object:
  ¡        Select the characteristics for which you want an authorization check of the selection conditions to be carried out.
  ¡        Select the InfoObject key figure (1KYFNM) if you want to restrict the authorization to a single key figure.
  ¡        Select the InfoObject (0TCTAUTHH) if you want to check authorizations for a hierarchy.
  ¡        Include the authorization field activity (ACTVT) in the authorization object if you want to check authorizations for documents.
         5.      Save your entries.
         6.      Go back to the initial screen of the authorization maintenance.
         7.      Choose Check for InfoProviders ® Display to get a list of the InfoProviders that contain the InfoObjects that you selected and are therefore subject to an authorization check (where-used list). In the change mode you can exclude individual InfoProviders from the authorization check for this authorization object by removing the flag.
  Authorization object:           S_RSRSAREA
  Name:                   Sales area
  Fields:                         DIVISION, CUSTGROUP, 1KYFNM
  Creating authorizations
  Authorizations are created and maintained in the role maintenance screens.
         1.      Choose Authorizations ® Roles ® Change.
         2.      Specify the roles that you want to change and choose Change. This takes you to the role maintenance screen.
         3.      On the Authorizations tabstrip, choose the Expert mode for generating profiles option.
         4.      Choose the Enter Authorization Objects Manually option, and specify the objects that you require. Choose Enter. The authorization object is added to the role.
         5.      Choose Generate.
  For more information, see Changing and Assigning Roles.
  Result
  The user is now able to work with queries
  Authorizations to Work with a Query
  Use
  Authorizations to work with a query are first checked in the dialog box to open a query.
  Furthermore, when a query is opened, the authorizations for the individual objects are checked.
  See also: Authorization Check When Executing a Query..
  Structure
  Check in the Open Dialog Box:
  When you open a query, you will see four buttons in the dialog box. The History, Favorites and Roles buttons only display your own queries and those queries intended for you per role definition.
  The InfoAreas button enables you to look at all queries for which the user has display authorization. If this display authorization is not restricted to queries, the user will see all available queries in the system here. It is possible to hide the InfoAreas button if you do not want the user to see all queries in the system. The authorization object S_RS_FOLD with the field SUP_FOLDER can be used here. In order to hide the InfoArea button, set this field to X when authorizing, otherwise leave the field blank “ “ or set it to * (asterisk – all authorizations).. The button will be displayed if the authorization check fails.
  Authorizations by User
  It is also possible to make queries from particular users (= OWNER = query creator) available to other users (= USER) for display or processing. The authorization object S_RS_COMP1 with four fields (COMPID, COMPTYPE, OWNER, ACTVT) is used here.
  You can grant this authorization to a particular team or use the variable $USER to give all users the authorization for queries that they created themselves. $USER is replaced by the corresponding user name during the authorization check.
  See also the Example for Reporting Authorizations.
  Authorizations for the BEx Broadcaster
  Using the authorization object S_RS_BCS, you can determine which user is allowed to register broadcasting settings for execution and in which way.
  Note:
  ·        The only authorization necessary for the online execution of broadcasting settings is the authorization for the execution of the underlying reporting objects (for example, the Web template).
  ·        Every user that has authorization to create background jobs also has authorization for direct scheduling in the background.
  ·        If you need to work under the name of another user to execute broadcast settings (for example with user-specific precalculations), the authorization object S_BTCH_NAM for background scheduling is also required for the other user. For more information, see Authorizations for Background Processing and Definition of Users for Background Processing
  Authorizations for Selection Criteria
  Definition
  The selection criteria of a query determine which data can be displayed after you have entered it in a workbook.
  An authorization check for certain InfoObjects only takes place if an authorization object with this InfoObject was already created in the authorization object class Business Information Warehouse.
  As soon as an authorization object is created, only authorized users can select query data.
  Use
  To decide whether a user should be authorized to work with a query, you should check whether authorization has been given to him/her for all selection criteria.
  Essential to the authorization of selection criteria is the authorization object S_RS_ICUBE.
  Definitions of authorizations for working with certain InfoCubes must be transported separately.
  See: Transporting Additional Information
  In general, it is not sufficient to give authorizations for individual InfoObjects (characteristics and key figures), or to check them separately from one another. It more usual that specific authorizations should be given for combinations of characteristics and key figures.
  It is therefore feasible that a "Sales Manager" is allowed to view the respective total sales figures for all sales areas, but is only authorized to break down "his/her" area (0001) according to the individual sales personnel. In this case, the following authorizations, which are grouped together, would be created and assigned.
  Sales area = *
  Sales personnel = :
  Key figure = Sales figures
  (‘:’ represents the authorization to view the values aggregated with the characteristic.
  Sales area = 0001
  Sales personnel = *
  Key figure = Sales figures
  The user frequently uses these "multidimensional" authorities in companies that are regional as well as product-oriented (matrix organization). In this way, you could arrange for the person responsible for the combination of a certain division and a certain sales area to have the exact authorization for the output of the relevant values, without him/her necessarily also having access to the data for the whole division or the whole sales area.
  Authorizations for the Query Definition
  Authorizations can be granted for the following objects for the query definition in the Business Explorer:
  The entire query
  Structures
  Calculated key figures
  Restricted key figures
  Variables
  The activities for the query definition are specified in the authorization object S_RS_COMP (Business Explorer - components). The authorization object has the following fields: InfoArea, InfoCube, component type, component name and activity.
  The following values are possible for the component type:
  REP: Entire query
  STR: Structure
  CKF: Calculated key figure
  RKF: Restricted key figure
  VAR: Variables
  By specifying an InfoArea or an InfoCube, you can further restrict the component types. By specifying a component name, you can specify the authorization for individual components in more detail. Components that begin with 0 are delivered by SAP and cannot be changed. Components that are within the customer name range must begin with a letter of the alphabet.
  Valid activities are:
  01 (create)
  02 (change)
  03 (display)
  06 (delete)
  At the moment, activities 16 (Execute) and 22 (Save for Reuse) are not checked for the query definition.
  User A is allowed to create, change or delete queries beginning with A1 and A6 within InfoArea 0001 in InfoCube 0002. In addition, the user is allowed to change the calculated key figures and structures (templates) already defined in this InfoProvider.
  Related authorizations for user A:
  InfoArea: ‘0001’
  InfoProvider: ‘0002’
  Component type: ‘REP’
  Component Name: ‘A1’, ‘A6’
  Activity: ‘01’, ‘02’, ‘06’
  InfoArea: ‘*’
  InfoProvider: ‘0002*’
  Component type: ‘STR’, ‘CKF’
  Component name: ‘*’
  Activity: ‘02’
  Authorizations for Display Attributes
  Definition
  Authorization-relevant display attributes are hidden in the query if the user does not have sufficient authorization to view them.
  Use
  For characteristics:
  The user needs to have complete authorization (*) to see the display attribute in the query.
  For the characteristic 0EMPLOYEE, the 0EMPLSTATUS attribute is authorization-relevant. Only users with authorization "*" for 0EMPLSTATUS can display the attribute in the query.
  For key figures:
  Key figures cannot be marked as authorization-relevant. To use this function nonetheless for key figure attributes, the system checks against meta object 1KYFNM. For this, the user requires authorization for the field 1KYFNM in the authorization object.
  The key figure attribute 0ANSALARY is contained in the 0EMPLOYEE characteristic.
  If the user has the 1KYFNM field in his or her authorization object, and authorization "*", he or she can display all key figure attributes.
  If the user has the 1KYFNM field in the authorization object and the 0ANSALARY key figure as a value of the authorization, he or she can only see this key figure attribute. If the user is not supposed to see this attribute, do not give the authorization "*" but only assign the key figures for authorization that are to be displayed.
  Authorizations for Navigation Attributes
  Use
  During authorization checks for navigation attributes, it is always the characteristic that is being used as a navigation attribute that is checked.
  Integration
  If referencing characteristics are used as navigation attributes, authorization for the basic characteristic is checked. You should, however, change this logic so that the referencing characteristic is checked for instead. In the maintenance screen for reporting authorizations, choose the following path from the main menu Extras  ® Compatibility  ® Navigation Attributes ® Switch Off.
  This function exists for reasons of compatibility. The authorization logic of referencing characteristics worked differently with the beginning of Release BW 2.0. From BW 2.0, Support Package 20 and in all of the releases that follow, for referencing characteristics as well, the authorization for exactly this characteristic (and not the basic characteristic, as was the case previously) is checked.
  Example
  In the query, you use characteristic A with the navigation attributes A__B and A__R. Characteristic R references characteristic B. For these navigation attributes, authorization for the basic characteristic B is checked. If you switch off the compatibility for navigation attributes option, B is checked for A__B, and R is check for A__R.
  Maintaining Authorizations for Hierarchies
  Use
  Authorizations for hierarchies determine up to which subarea of a hierarchy a user may drilldown.
  Prerequisites
  Before you can set authorizations for hierarchies, you must first transfer and activate the InfoObject 0TCTAUTHH from the Business Content. Make sure that the indicator Relevant for Authorization is set. You must also create an authorization object for which you want to set the authorization.
  Authorization for a hierarchy on the Profit Center characteristic (0PROFIT_CTR):
  Define an authorization object with 0PROFIT_CTR and 0TCTAUTHH.
  Example: You define a hierarchy for the basic characteristic B. For characteristic B there is a referencing characteristic R. If you use this hierarchy for characteristic R in the query, authorization for the basic characteristic B is checked. However, you can change this logic so that characteristic R is checked for instead. In the maintenance screen for reporting authorizations, choose the following path from the main menu Extras ® Compatibility ® Ref. Characteristics with Hierarchy ® Switch Off.
  You need the characteristic 0TCTAUTHH to specify the hierarchy in the authorization. If you add this characteristic to an authorization object, you can specify authorizations for hierarchies for all InfoObjects in the authorization object.
  Procedure
         1.      In the SAP Easy Access initial screen of the SAP Business Information Warehouse, choose SAP Menu ® Business Explorer ®Reporting Authorization Objects.
         2.      Choose Authorizations ® Authorization Definition for Hierarchies ® Change.
         3.      In the Definition, select the InfoObject, hierarchy and node.
  If there are several users who are authorized to work with just one part of a hierarchy (subtree) but the top node is different for each, you have the option of specifying a variable instead of a node.
  See also: Variable Types
  Instead of selecting a node, you can also set the Top of hierarchy indicator. This enables you to ensure that a user is authorized to use a hierarchy from the top node down to a determined level.
  You can select the top node here. However, if the hierarchy is being used in a query without a filter on this node, the user will not be able to execute the query.
  This is because the top-most visible node does not represent the actual top of the hierarchy. As, for example, there are other Remaining Leaves, there should always be exactly one internal node at the top of the hierarchy. Therefore, there is one internal node above the top-most visible node. If the hierarchy is used in a query without the top-most node being determined, it is compared with this unseen, internal node. So that the user has the correct authorizations, select the internal top of the hierarchy for this option.
         4.      Select the authorization type:
  ¡        0 for the node
  ¡        1 for a subtree below the node
  ¡        2 for a subtree below the node up to and including a level (absolute)
  You must define a level for this type. A typical example of an absolute level is data protection with regard to the degree of detail of the data (works council ruling: no reports at employee level only at more summarized levels).
  ¡        3 for the entire hierarchy
  ¡        4 for a subtree below the node up to and including a level (relative)
  You must specify a level that is defined relative to the node for this type. It makes sense to specify a relative distance if an employee may only expand the hierarchy to a certain depth below his or her initial node, but this node moves to another level when the hierarchy is restructured.
         5.      For types 2 and 4 you can specify, in Hierarchy Level, the level to which the user can expand the hierarchy.
  ¡        With authorization type 2 (up to and including a level, absolute) the level refers to the absolute number of the level in the hierarchy where the top-most node of the hierarchy is level 1.
  ¡        With authorization type 4 (up to and including a level, relative) the level number refers to the number of levels starting from the selected node itself which is level 1.
         6.      In the Validity Area you specify in exactly which ways a hierarchy authorization has to match a selected display hierarchy for it to be included in the authorization check.
  ¡        Type 0 (very high) : The name, version and key date of the hierarchy on which the hierarchy authorization is based have to agree with the selected display hierarchy.
  ¡        Type 1: The name and version of the hierarchy on which the hierarchy authorization is based have to agree with the selected display hierarchy.
  ¡        Type 2: The name of the hierarchy on which the hierarchy authorization is based has to agree with the display hierarchy.
  ¡        Type 3 (lowest) : None of the characteristics have to match.
  Note that in some circumstances, setting a check level that is too low may lead to more nodes being selected using hierarchy node variables that are filled from authorizations, than actually exist in the display hierarchy for the query. This can cause an error message.
  As a general rule, select the highest possible level for the check.
         7.      If you set the Node variable default value indicator, this definition of an authorization for a hierarchy is used as the default value for node variables.
  If more than several authorizations are assigned to a user for different subareas of the same hierarchy, one of these authorizations has to be defined as the default value. Only one node can be selected for a node variable on the variable screen of a query. So that this variable can be filled from the authorizations, the correct variable type has to be selected and an authorization has to be determined as the default value.
         8.      Specify a technical name for this definition. If you do not enter a value, a unique ID is set.
         9.      Now create an authorization for the new authorization object. To do this, enter the technical name of the definition as a characteristic value for the characteristic 0TCTAUTHH. Hierarchy authorizations and authorizations for characteristic values are added:
  ¡        Specify the value ‘ ‘ (a blank character) as a characteristic value if only hierarchy authorizations are to be in effect. If you specify more values these are authorized additionally.
  ¡        Specify the value “:” (a colon) when queries are also allowed without this characteristic.
  The value '’ (all characteristic values) is not supported for the characteristic 0TCTAUTHH. Nevertheless, if you specify the value ‚’ a ‚:’ is automatically generated instead because no other valid value is found.
  If you would like the user to be able to see all values and hierarchies for a characteristic, use the value '*' for this characteristic.
  If you use a drilldown hierarchy in the query, you restrict the highest node by a fixed node or a node variable.
  Definitions of authorizations for hierarchies must be transported separately. See: Transporting Additional Information
  Alternative Procedure:
  Manually Maintaining Reporting Authorizations
  Use
  You usually maintain authorizations in the role maintenance. However, in exceptional cases it could be more practical to create authorizations manually. This is the case if you have to assign every user his/her own role.
  Prerequisites
  Reporting authorization objects have been created.
  Procedure
  Assign Authorization Objects
         1.      In the SAP Easy Access initial screen of the SAP Business Information Warehouse, choose SAP Menu ® Business Explorer ® Authorizations ® Reporting Authorization Objects.
         2.      Choose Authorizations ® Authorizations for Several Users. Enter an interval and choose Change.
         3.      Select a characteristic from the left side of the screen. You can then display master data as a list or as a hierarchy. The right side of the screen shows you a list of all the selected users with the authorization profiles and roles you assigned.
         4.      You can now use Drag&Drop to assign additional authorization objects to the user.
         5.      Choose Generate authorizations. The system creates the authorizations and assigns them to the users.
  Assigning Authorizations for Hierarchies
  You can also make authorizations for hierarchies in the same transaction.
         1.      Select a characteristic.
         2.      You can use the context menu on the authorization object to determine up to which hierarchy level the authorization should apply.
  You can currently select exactly 1 level for each hierarchy and user.
         3.      Choose Generate authorizations. The system creates the authorizations and assigns them to the user.
  Result
  The system has created individual authorization profiles.
  thanks
  karthik
  reward me ipoints if the above is usefull to you

• Authorization check For Test plan in SAP Solution Manager test management

  Hi experts,
  I need to allow only selected user to view their test package and the list of transaction so i need to have a authorization check by using enhancement i got struck since i am not able to find any badi for this ..kindly looking back your suggestion

  Hi Namrata,
  Yes, you can create project structure before using solar01 tcode. later once your test cases (either manual or automatic) are ready then you can upload them using solar02 on test cases tab,
  refer Link Test Case to Transactions/Reports - Configuration - SAP Library
  Assignments - SAP Solution Manager - SAP Library
  Thanks
  Jansi

• Structural authorization - creation of employee number in webdynpro or abap

  Hello Experts,
  We are facing some problems with the combination of structural authorizations and the creation of a new employee.
  When we use PA40 to create a new employee this does not give any problem.
  In the webdynpro we first execute a call transaction PA40 to apply infotype 0000 and 0001. This works well.
  Except that the call transaction does not set the connection between PA and OM. (so we did program this ourselves)
  In PO13 and the table HRP1001 the same relations are made as when we use PA40 in the sap gui.
  After this we do call transactions PA30 for the next infotypes.
  When we check the SU53 it gives a message: problems with structural authorizations object P (with the employeenumber) starting at 01.01.1800, enddate is empty.
  The employee is manager and connected with his userid in infotype 0105.
  We use in the structural profile the function module  RH_GET_MANAGER_ASSIGNMENT
  We checked with transaction HRHAUTH.
  User has been adjusted to the tables T77UA etc.
  We do not use workflow in this webdynpro
  We used the trace function when this was executed, but it did not give more information about missing structural authorizations.
  This issue was before on SDN (Structural authorization - creation of employee number) but unfortunally there was no solution there for the issue!
  Hope one of you can help me to find the solution!
  With kind regards,
  Rita Mensink

  Hi.
  After 2½ days of frustration I finally nailed this.
  Function group RHAC, that handles the authority checks, initially buffers a table called VIEW containing all objects available for the user. As stated earlier in this conversation, SAP handles creation of relations in HRP1001 (links PA and OM). At this point the new employee number is appended to buffered table VIEW in function group RHAC.
  When execution the PA40 activity through CALL TRANSACTION, the creation of the relations are not handled - and the same goes for updating the buffered table VIEW. The table can be updated using the function module RH_VIEW_ENTRY_INSERT from the same fundtion group:
  This example might be useful
    data: ls_view_entry type hrview,
          ls_related_object type hrobject.
    ls_view_entry-plvar = '01'.
    ls_view_entry-otype = 'P'.
    ls_view_entry-objid = lv_pernr.
    ls_view_entry-begda = '18000101'.
    ls_view_entry-endda = '99991231'.
    ls_view_entry-maint = 'X'.
    ls_related_object-plvar = '01'.
    ls_related_object-otype = 'S'.
    ls_related_object-objid = lv_ny_objid.
    call function 'RH_VIEW_ENTRY_INSERT'
      exporting
        view_entry     = ls_view_entry
        related_object = ls_related_object.
  Best regards
  Poul Steen Hansen
  Senior Technical Consultant
  EDB Consulting Group A/S, Denmark

• HR ABAP Custom Authorization Check

  Hi all,
  We know that Implicit authorization check is carried out. The system determines whether the user has the authorizations required for the organizational features of the employees selected with
  GET PERNR.
      I have a question, if we create a custom authorization then, whether this custom authorization is checked or not.
  Thanks in Advance.

  There is no difference in the coding of the check, which as RJ has stated needs to be somewhere at the correct coding location... otherwise it is going no where.
  Some special differences are:
  - The object class of the custom object in SU21 => Authorization objects in HR cannot be deactived context specifically in SU24. You can create custom objects within SAP classes.
  - Depending on the transport type of your system, you will have to maintain transaction SU24 with a check indicator for the object - so make in known that the transaction has the capability to check the object. This does not affect "customer" systems, but is still a very good practice for the same reason that SAP forces it in their own development systems.
  - Additional object checks in SE93 (which are typically "plausibility" checks) are not subject to this restraint. The check is always there, and your ability to bypass it is limited if you check the tcode authority of the caller at initialization of the (called) coding context. CALL TRANSACTION will skip this check, unless the called transaction is sy-tcode already (as it is in variant transactions... which urban legends claim to be secured to use for CALL TRANSACTION).
  This concept is to a large extent influenced by SAP's own development guidelines and "settings" - but it is advisable to understand them and the intended authorization concept - to be able to create consistent customer implementations of SAP products.
  Of course there are exceptions to the rules... but they generally cause problems and sooner or later need to be corrected as well when the auditors get hold of them....
  Cheers,
  Julius
  Edited by: Julius Bussche on Apr 27, 2009 9:03 PM

• MSS genericiview and R/3 structural authorizations

  Hi,
  I have created some iViews based on par-file "eeprofilegenericiviewtable" to display R/3-queries. In R/3 we use also structural authorizations for the managers with functional module RH_GET_MANAGER_ASSIGNMENT.
  The structural authorization is working in R/3 for a selected manager selecting a query directly from the R/3 via SQ01, but it doesn't in the iview. When the same user is viewing the "query"-iview, the message "No data selected" appears.
  When I assign the user a structural authorization without the functional module RH_GET_MANAGER_ASSIGNMENT, e.g. only with some object types, the user can retrieve data without any problem using "query"-iview.
  Probably the problem is in the functional module HR_INFO_GET_USING_QUERY used for retrieving R/3 query data from the portal and used by the iview eeprofilegenericiviewtable.
  Has anybody met a similar problem? We are using EP6.0 SP14 and SAP R/3 4.6C.
  Beata

  Hi Dwayne (and others!),
  Were facing similar problems with the error message "R3_CONNECT_FAILED". However, our difficulties are a bit strange because i only occurs on one of our two server nodes. We're running SAP EP 6.4, SP9.
  Previously, we've had problems with the maximum number of connections towards our backend system, SAP R/3. But setting the environment variable CPIC_MAX_CONV helped us.
  However, now we get the above error, but only on one of our server nodes. Do you (or anyone else) have any suggestions as to what might be wrong?
  Thanks in advance,
  Rasmus

• SAP BI 7.0 Transport issue with HR Structural Authorization DSO

  Hi,
  I am trying to transport HR Structural Authorization DSO Objects in  BI 7.0  from Dev to QA system. The Data sources are 0PA_DS02 and 0PA_DS03. ( I am sure that there are lots of changes in Authrorization concept in BI 7.0),.
  1. Please suggest me if I need to make any changes and tests before moving these authorization objects to QA system.
  2. Also, do I need to take any pre-cautions while activating business content objects 0TCTAUTH  and 0TCTAUTH_T (Datasources look like are from 3.x) as I am getting issue with the activation of the transfer structure for these objects?
  Thanks a lot for your valuable inputs.
  Regards
  Paramesh
  Edited by: paramesh kumar on May 5, 2009 12:45 AM

  Hi Paramesh.
  You can use the DSOs 0PA_DS02 and 0PA_DS03 in BI7.0 as well. You just need to use the new generation of analysis authorizations in transaction RSECADMIN.
  You can use 0TCTAUTH and 0TCTAUTH_T in BI7.0, however we have experienced som problems with the 0TCTAUTH_T extractor, which dumped because of a poorly designed SELECT statement that was unable to cope with 10000 records. We have replaced it with a generic data source that uses table RSECTEXT directly.
  Regards,
  Lars

• Document search error in webshop(Error in authorization check: user unknow)

  Hi All
  actually we have implemented the document search functionality in webshop to access all the documents in webshop who have created order in the webshop.
  actually when i am logging into the portal with userid "skumar" after that there was role called "Document Search" when i click that document search role then the document search will be opened, based on the selections in the selection criteria then the documents will be displayed generally.
  actually come to my error when i select in the selection criteria "order acknowledgement" and i select the one more column called "period" after that i click the search button then i am getting the error as follows.
  <b>Error in authorization check: user unknown.</b>
  Can you please help me where to check the authorizations in the system for accessing the documents.
  Regards
  Sunil

  Hi Sunil generally this kind of error will occur when you choose acknoledgement
  for Future Periods,eventhough input is past date if the same problem occurs you should check for Su05 Internet USer authoriasations
  Reward if helpful
  Venkat