Different authorizations for a Dashboard in a SAP NW BW Portal
Hi everybody,
we would like to use BO Dashboards / Xcelsius in our company. Everything is fine and the dashboards are looking fantastic. Since we would like to publish them on our SAP BW portal I have a question. Given a dashboard with a SAP NW BW connection that is published as an iView in the portal. And we have users with different authorizations. For example there is user A with the authorization to see data from a BW query for departments ABC and there is a second user X with the permission for dept. XYZ.
Is it possible to configure the connection / dashboard in a way that only the data is used for the dashboard in dependence of the authorization at the SAP portal?
Thanks for your help!
Hi,
The person who creates the dashboard should have a BW ID which should have access to all the data required for the dashboard and as well access to EP portal. Else he wont be able to test and validate the dashboard once the development is done.
The BW ID's belonging to the users with which they will access the dashboard, if already created or need to be created , then you can ask the authorization team to extend these ID's to EP System as well as provide the necessary BW Roles, ie access to the related queries and info providers. Once this is done they will have access to EP portal as well as the dashboard and the data displayed will be based on the roles provided to the ID.
For ex User A will only see departments A-D and the User X will see Departments X-Z. You need not write logic for Dynamic Visibility as such for this. Once the roles are assigned to the users they wont be able to see any other data apart from the ones assigned to their ID's.
Thanks & Regards,
Arjun.C.T
Similar Messages
-
Hello,
I'm doing my internship at a litte Telekom company. I'm investigating how they can use MS SharePoint as their central place to put projectinformation. Now i've been thinking what happends when i do the following:
Make one document library
Add 2 groups to the Active Directory, group "A" with all the employees and group "B" with only four people working on a project. When i add a document to the document library and set the authorizations for the document as
follows:
Group B: Read/Write
Group A: Read
Does the people from group B still be able to edit the document, because they are also in group A?
I don't have a test environment to test this myself.
Why i want to know this? The company want's one place to place all their documents with projectinformation. This information is about different projects. You only wan't that people can change the specific document when they are working on the specific project
where the document belongs to.You get the union of permissions, so if one group allows access and the other not, you will get the union of both and therefore access. Of course, you can break security settings per library/folder or document, and specify new settings,
if you need too.
Kind regards,
Margriet Bruggeman
Lois & Clark IT Services
web site: http://www.loisandclark.eu
blog: http://www.sharepointdragons.com -
HR authorization for Display the documents in SAP DMS
HI experts,
We want to control display authorization depending on the entry made in object link tab in DMS( DOcument Management System). We developed screen for HR master object link. When user executes cv03n and enters document No. system should check hr master number entered in object link. If the user has authorization for that hr master number in PA (personnel administration), then he should be allowed to display the document. Otherwise it should restrict him to display the DIR.
Now my query is how to achieve it. Can anybody provide me some solutions
I have one solution, whenever user enter document number in cv03n screen, system will first check hr master number entered in object link and it will check the Personnel Area, Employee group and employee subgroup aginst this hr master number. Say for ex: PA:1000, EG:1 and ESG:01 for HR number xyz.
Now system should check in roles assigned agaist user id for these PA, EG and ESG values. If user has got authorization for PA:1000, EG:1 and ESG:01 in HR roles,then he should allowed to display the document.
Now my query is how feasible this approach? is this tough task for abaper? or is there any easier approach than this.
regards
shamHi,
Try to use the User Exit: CNEX0002.
Check with your ABAP er for the enhancement.
Hope it helps..
Thanks!!! -
UWL - Different numbers for wf-templates over all SAP Systems are needed?
Hi Experts,
we have the situation that we have three systems with a invoice receipt workflow. In all systems they are the same template numbers (e. g. WS99900012). Now it is a good solution because every development at the workflow could be transported to the other two systems and good is.
Now we heard that all template number must be a distinct number over all systems. Otherwise the UWL will not find the correct workflow in the correct system.
Is this true? Or have the UWL another attribute except the template number to find the correct combination system/workflow?
Thank you for your help!
BernhardHi,
When you configure the UWL for your workflow tasks, there will be configuration XML file(s). You either generate them automatically or build them manually, or something between these two. The thing that I mentioned will be done in the configuration file(s).
Now I cannot find any official document about this topic. But as I said I don't see any reason why it shouldn't work. I have configured UWL to work with multiple backend systems. And your case is basically the same. The only difference seems to be that your task IDs will be the same for each system, but the different backend system objects should handle this. Of course I cannot be 100% sure about this, and sure there might be at least a bug in the UWL that it cannot handle these.
The uwl configuration you can find in portal in System admin -> System config -> UWL.
Regards,
Karri -
Authorization for FBL5n specific customer
Hi all,
I have a scenario where we want to restrict sales person to view specific customer. We maintain sales person and customer number relation in a Z table.
Please advise how I can restrict?Hello Ravi
You can restrict access to master records in order to prevent unauthorized changes from being made. Depending on how you organize your master data, you can assign authorizations for maintaining this data. For example, one user may have authorization to maintain all master data, while another may have authorization to maintain only accounting master data.
You can also assign different authorizations for different types of processing. All users could have authorization to display master records, while only a limited group of users may be able to create and change master data.
Authorizations are specified during system configuration and assigned to each user in his or her user master record. If you have any other questions on this subject, you should contact your system administrator. The Implementation Guide (IMG) for Financial Accounting explains how to set up authorizations.
Suresh -
Different authorizations on different cubes for the same characteristic
Hello,
Is it possible to implement different authorizations on different groups for the cubes characteristic?
For example a user should be authorized to see just the data of company code 101 on Cube A but he should see the data of all company codes on Cube B (Cube B also contains the company code. ":"-Authorization is not an option)?
In transaction RSECADMIN it is possible to insert the "special characteristics" Acitivty, InfoProvider and Validity into an authorization. But standard setting for InfoProvider is * and I get an error message if I want to modify for just 1 Cube because the characteristic "InfoProvider" (SAP Content) isn't marked as authorization relevant.
Can you please answer:
1) If it is possible to implement different authorizations on different cubes for the same characteristic?
2) What is the function of the special charactristics if I can't maintain the values?
Thank you
JohannesHi there,
Yes it is possible.
The new authorization concept created union also based on InfoProvider Characteristic.
You have to change in rsd1 transaction the characteristics 0TCAACTVT, 0TCAKYFNM, 0TCAIPROV and 0TCAVALID to be authorization relevant.
So you can do this:
Create two authorizations in rsecadmin like this:
Aut_1:
0comp_code: 101
0TCAACTVT: 03 (activity of display)
0TCAKYFNM: * (all key figures)
0TCAIPROV: Cube A
0TCAVALID: * (authorization valid for ever)
Aut_2:
0comp_code: *
0TCAACTVT: 03 (activity of display)
0TCAKYFNM: * (all key figures)
0TCAIPROV: Cube B
0TCAVALID: * (authorization valid for ever)
Now in rsecadmin give both authorizations aut_1 and aut_2 for the user.
If the user opens a query built on cube a he will be having authorizations only for company code 101. If the user opens a query for cube B he will be having authorizations for all the company codes.
Diogo. -
Authorization for dashboard publishing
Hi,
I'm using the Netweaver BI connection on Xcelsius. When I try to publish my dashboard, I recieve the error "You don't have the necessary authorization to perform this action".
I've already got some portal roles like "Super Administration", "System Admin", "Content Admin" etc.
Does anyone knows the role names that are needed to publish the dashboard?
Thanks,
ErdemHi Victor,
Thanks for the information. As I also ran into the same problem.
If any body faces the same problem and unaware of security activity like role creation then here is a link. Go to 4 th Option. The document has the step by step guide for it.
http://wiki.scn.sap.com/wiki/display/BOBJ/Xcelsius+2008+and+SAP+NetWeaver+BW+Connection?original_fqdn=wiki.sdn.sap.com
Thanks and Regards
Dibyajoti -
I want authorization for SAP classes
my company are provided computer courses.I want authorization for SAP classes.what are i doing for this process
Hi,
can you please reformulate your question? Are you looking to become an authorized training partner? If so which country?
Thanks,
Arnold -
How many ways we can create authorization for user groups in sap query reports
Hi Gurus, I am getting a problem when I am assigning users to user group in sap query report .The users other than created in user groups are also able to add &change the users .So please suggest me how to restrict users outside of the user group.
Please send me if u have any suggestions and useful threads.
Thank You,
Suneel Kumar.I don't think it can be done. According to the link below 'Users who have authorization for the authorization object S_QUERY with both the values Change and Maintain, can access all queries of all user groups without being explicitly entered in each user group.'
http://help.sap.com/saphelp_46c/helpdata/en/d2/cb3f89455611d189710000e8322d00/content.htm
Although I think you can add code to your infoset and maybe restrict according to authority group, i.e.:
Use AUTHORITY-CHECK to restrict access to the database based on user.
Press F1 on AUTHORITY-CHECK to find out how to use it in the code -
CK40N error: Missing authorization for BOM (SAP Error: CK-581)
Hi Experts,
When running CK40N, I found an error message Missing authorization for BOM (SAP Error: CK-581).
If this is the problem of my CK40N that make object cannot be costed, how can I solve this? Is this relate to SAP authorizartion?
Thanks.
sbmelHello,
While doing Costing run CK40N or Cost estimate CK11N, you require having authorization of T. Code CS03 for the plant in your SAP ID as it explodes BOM.
Kindly contact basis team & take the authorization on your SAP ID.
Regards,
Anand -
Hi Experts,
I need access for SAP-BI , So for that Please tell me the T-CODES which i need authorization to work on SAP-BI
I need for Modelling, Advanced Modelling ,Reporting and Extraction
Regards,
Marasa.Hi Marasanaidu,
Basically u need authorization for Tcodes RSA1,RSA3,RSO2,RSA5,RSA6 etc.
You can find better information in below links:
in first PPT 43 slide u can know how to assign authorizations:
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/659fa0a2-0a01-0010-b39c-8f92b19fbfea
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/a6c54319-0e01-0010-20a4-fb81ad32f330
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/ded59342-0a01-0010-da92-f6b72d98f144
For Tcodes:
http://wiki.sdn.sap.com/wiki/display/BI/BI%20FAQ%20-%20Important%20Transaction%20Codes%20in%20SAP%20Business%20Intelligence
http://wiki.sdn.sap.com/wiki/display/BI/Frequently%2bused%2bTransaction%2bCodes%2bin%2bBI
http://sap.seo-gym.com/
http://sbpatil.wordpress.com/2008/02/29/frequently-used-transaction-code-in-sap-bi/
Hope you get clear picture.
Ravi
Edited by: Ravi Naalla on Jan 12, 2010 5:20 AM -
Authorization for Profit Center in SAP R3
Dear friends,
I want to give authorization for Profit Centers for T. Code F.01, FB50 etc.
I got one object related to this K_PCA but this is not checking for Profit Centers.
Please guide me how to restrict User according to Profit Center.
Thanks in advance.
Rafeeq AhmedHi,
Let me start with removing the misconception of Auth Obj,
you can put the utmost restriction at the object but it wont help until unless
the transactions have AUTHORITY-CHECK for the auth obj. you mentioned above. so first
search in SE93 for the transaction find if there are any authority checks for the object you mentioned if they are there then see in SU24 if the object is in C or CM if it is them you can restrict otherwise change it to C or CM for it to be checked. But if the Auth Obj is not checked in the program for the Tcode then there is no way you can restrict without an development (enhancement or Custom Tcodes.)
Hope this explanation helpss
Message was edited by: Manohar Kappala -
Authorization for opening & Closing posting periods - OB52
Hi,
Is there any way to set authorization for opening & closing of posting periods in OB52?
My scenario:
I have 2 company codes - A & B assigned to 2 different posting period variant - say PPA & PPB.
The user belonging to CoCd A should not be able to open/close posting period of CoCd B and vice versa.
Is this possible through any authorization settings?
Request your help on this.
Regards,
SrideviHi Sridevi
Please go through the following:
You can assign authorization groups for permitted posting periods. This means that, for example, some posting periods can only be opened for particular users within monthly or annual closing. You can only assign the authorization group at document header level and it only affects period 1. The authorization object is called F_BKPF_BUP (Accounting document: Authorizations for posting periods). Read the corresponding chapter on "User maintenance" in the "Assigning authorizations" topic.
"User maintenance"
Due to the modular authorization concept of the system, you can define authorization profiles which are tailored to the workplace of your employees. You can, for example, assign authorization to a workplace in the Accounts Receivable, Accounts Payable or General Ledger Accounting areas.
By assigning authorizations you define which business-related objects your employees are allowed to process and which editing functions are allowed.
In the following activities for authorization management, you must carry out the following for employees who are to work with the system:
Assign authorizations
The authorizations are assigned by specifying permitted values for the pre-defined objects.
Define profiles
In the SAP system, authorizations are grouped together in workplace profiles. Therefore one or more profiles must be allocated to the individual employee in the master record.
I hope this helps.
Regards
Kavitha -
Authorization for specific business scenario or business step in solar01
Dear all,
we have an issue regarding solution manager blueprinting management restricting an access to specific nodes. Our goar is to have several substructures devided by modules like: FI, SD, PS and etc. And each team member according his position in a company should have an access only to his substructure and all the related documentation below that. Saying an access means a change mode not a display access.
Please find the steps have been performed during the configuration of project below:
All the configuration around system landscape has been done properly.
A new project for solution was created in solar_project_admin.
A correct logical componens has been assigned.
All the required users have assigned as a team members of a project.
At the projec. team member tab a box has been checked in for: restrict changes to nodes in project to assigned team members.
A proposed structure of nodes has been created within Tx solar02.
The right team members have assigned to specific node. So that only they suppose to have a change permission within that nodes. All others read only access.
Every user has sap_solar01_all role assigned to him. We have tryed assigning varios roles according to http://help.sap.com/saphelp_sm310/helpdata/en/db/a1033b2a98f46ae10000000a11402f/content.htm
However as a result we are having a change permission allowed for every node within the structure. Like FI responsible member can access to any node from a tree. And he can make a change for SD related documentation.
Please assist regarding this issue.
Kind regards,
P.S.
I found a thread with a similar problem which was solved by activating a checkbox which is already activated in our system and actually doesn't solve that problem for us.
Authorization for specific business scenarios in Solar01/02
Edited by: Artjoms Nikulins on Mar 11, 2010 3:37 PMHi
As far my knowldege goes this is not possible to do within same project or making the same.
You can have project specific access given to member but you cannot go module wise authorization.
Ofcourse there satellite system authorization will be different but not in solman.
In addition check this security guide
https://websmp104.sap-ag.de/~form/sapnet?_SHORTKEY=00200797470000075728&_OBJECT=011000358700007187872005E
Hope it ans ur query.
Regards
Prakhar
Edited by: Prakhar Saxena on Mar 12, 2010 3:22 AM -
'Authorization for replace' sy002
SAP System gives me this error in debbuging mode. I suppose it is something related to authorization when modifying the content of variables (which is what I was doing).
What would be the problem ?
Thanks in advance.> The message is 'No authorization for replace' - message type sy002.
I am not logged on and still dont know which program you are debugging... The system might be throwing an error message which does not relate to the real cause. Unlikely... Most likely an authorizations issue. If I may be honest with you (no offense!) if you do not know which object controls debugging and what it does to a SAP system..., then I would personally not give you debug authority in a system (I also do not have any debug authority - it was removed from my roles at my request). Only in some lab systems... (an one or two temporary exceptions).
> The change mode is not activated however I am supposed to be able to debug a program in Test System even changing the value of a specific variable defined in the program. In fact, I am allowed to debug the program but I can not change the value of a variable in debugging mode. (Perhaps it is because of the change mode status). That's why the system is showing me the error.
So you cannot activate the change mode? Are you setting a break-point, a watch-point or are you running a it from the start in the debugger? Are you executing it in the debugger from the tcode, or from Se38 etc? It the "productive" test client, the system might also react differently (which release are you on and which SCC4 settings does that client have?).
> Is it possible to change the authorization without having to make any more changes in the System?
Don't do that. I would reject the development and ask the developer to join you for the debugging session to see why those variables are incorrect. Your debugging mthod (or mode) may be incorrect (likely), or, the developer will have to go back to the drawing board in a development system or sandbox (sort of equaly likely, depending on the developer).
> The change mode can not be activated instead I want to grant access in order to be able to change the value of some varibles defined to see the results given.
See above. Besides that, the developer should ideally have handled those exceptions so that you do not get an incorrect variable; you only get an incorrect output in display mode (and send their code back for a rework, or invite them over...).
Hope that helps, sorry for the many questions...
Julius
Maybe you are looking for
-
Hello Everyone, Here is my situation. I have one vi that is reading an AI task of 8 channels AI0 --> AI7 (one sample on demand) and also has control of all of the digital outputs on the board. My problem is that I want to run another vi that will u
-
Bookmarks saved to a uniquely named bookmarks "folder" using "Bookmark All Tabs" not exporting.
I used the Bookmark All Tabs feature to save a group of bookmarks into bookmark "folders". I did that by right-clicking on one of the tabs, choosing "Bookmark All Tabs". For "Folder Name" I entered "Watches". The default entry in the "Folder" field w
-
Security issue concerning BW reports as an iView
If certain BW reports were to be hosted in an external portal, is there a possibility of external users getting the source (via View Source in the web form) and then alter some key parameters and then be able to obtain information not accessible to t
-
HELP. Can't reinstall flash on Mac OS 10.3.9.
I have a 1.25Ghz PowerPC G4 version 10.3.9. I am trying to reinstall flash player, but the current download is for 10.4 and above. I have found flash 9 in various places online, but when I try to install it I get an error saying it is for Power-PC on
-
Regional settings is not effecting in SQL Server
Hi All, I made changes to the regional and language (made decimal = ,) of the windows server 2008 R2 Standard but the database still not accepting comma as a decimal point. Tried restarting the SQL Server services and restarted the server without luc