Generating Authorization for non HR/CO requirement

Hi Experts,
I am planning to use the generation of authorizations concept for my security requirement. The business users have to view data in the reports based on specific InfoObject values they are authorized to. We are getting this information viz. user and the values they have access to from the source system. I am planning to create a custom version of the standard DSO 0TCA_DS01 and load the data from the source system via a generic datasource. I will be using the standard program RSSB_GENERATE_AUTHORIZATIONS to generate the authorization for each user.
My questions are:
1. Is 0TCA_DS01 the right choice of DSO?
2. If the answer to 1 is yes, then there is a field called 0TCTAUTH in the key fields of the DSO. I am not sure what information has to be brought in from the source system for this field
3. Is there a way we can change the naming convention of the authorizations generated? If yes, how?
I did go through this forum and most of the articles on BI Security. I understood the procedure, but the above questions are grey area that were not covered.
Thanks in Advance!
A

I believe that you van use Structural Authorizations to fulfill this business requirement because these authorizations, although maintained based on Org structure, can be and are used across the variuos modules.
Regards
Lincoln

Similar Messages

  • Authorizations for which transactions are required in BW?

    Hi,
    Can any ony please give some information regarding
    Authorizations for which transactions are required in BW Production Support?
    Regards,
    Aryan

    Hi Aryan,
    Authorizations for the following transactions are required in BW
    1. RSA1
    2. SM37
    3. ST22
    4. ST04
    5. SE38
    6. SE37
    7. SM12
    8. RSKC
    9. SM51
    10. RSRV
    11.RSPC
    13.RSMON
    The Process Chain Maintenance (transaction RSPC) is used to define, change and view process chains.
    Upload Monitor (transaction RSMO or RSRQ (if the request is known)
    The Workload Monitor (transaction ST03) shows important overall key performance indicators (KPIs) for the system performance
    The OS Monitor (transaction ST06) gives you an overview on the current CPU, memory, I/O and network load on an application server instance.
    The database monitor (transaction ST04) checks important performance indicators in the database, such as database size, database buffer quality and database indices.
    The SQL trace (transaction ST05) records all activities on the database and enables you to check long runtimes on a DB table or several similar accesses to the same data.
    The ABAP runtime analysis (transaction SE30)
    The Cache Monitor (accessible with transaction RSRCACHE or from RSRT) shows among other things the cache size and the currently cached queries. The Export/Import Shared buffer determines the cache size; it should be at least 40MB.
    ****Assign Points If Helpful****
    Regards,
    Ravikanth

  • Subcontract PO/PR does not generate PR for non stock component

    Hello,
    I need help on above topic.
    SAP Version is ERP Central Component 5.0.
    My problem is that PR is not being generated for non stock component in PR/PO of higher/parent material.
    I notice that in component overview screen the item cat for this non stk comp. has changed to T( text item) even though the BOm has been maintained with item cat as N( non stock). The material type being used for non stk material is custom developed(copy of NLAG).
    Has anyone faced similar issue. or can suggest some missing customization (if any)
    Just to confirm :
    I have done customising for Direct procurement in OPPQ to trigger PR  in requirements planning. Also tried with prod order creation option(though my case is PO creation)
    Any help from forum is highly appreciated.
    Thanks,
    Ram

    Hi ,
    Commitement check is taking place due to availability control. If u dont want to carry out AVAC for PR then in Tolerance limit put the exclude the check for PR.
    SPRO > PS > Budget > define tolerence limit > here u might selected ++ i.e. for all activity type. U select indidula transaction grp excluding PR.
    Rgds

  • Error at RSSM ( Generating authorization for RSANPR)

    Hi all,
    I have the following trouble when executing the program RSAN_PROCESS_EXECUTE in a process chain.
    The error message tells that I need authorization for the authorization object RSANPR  and for the activity  16  (Display).
    When I run RSSM informing "RSANPR" this error occurs:
    <b>"For object RSSB_BW_AUTH, no sub-object GENERATE is maintained
    Message no.BL011                                                                  
    Diagnosis                                                                 
    An application log entry is to be made for sub-object GENERATE of the object RSSB_BW_AUTH. This sub-object is, however, not maintained for object RSSB_BW_AUTH.                                                                          
    Objects and subobjects of the application log are created using transaction SLG0.                                                                               
    The program had to be cancelled."</b>
    I just have to include RSSB_BW_AUTH in SLG0?
    And what about this "activity  16  (Display)"?
    Any ideas?
    Regards,
    Tomas<b></b><b></b>

    Hi,
    In SLG1,i saw this error message:
    "InfoObject/field 0RSAN_APPL does not exist in the system"
    and
    "InfoObject/field 0RSAN_PR does not exist in the system"
    I checked this two infoobjects and they realy doesn´t exist.I couldn´t find them in business content or in SAP Help ..
    But this objects are part of RSANPR, that is standard ...
    Any one have ever used APD sucsessfuly with process chains?
    Regards,
    Tomas

  • What authorizations for Information Broadcasting are required?

    Hello experts, this is a scenario which has recently arisen. We have the BEx Broadcaster properly configured for e-mail broadcasting at least. Users need to be able to use the Broadcaster, in particular the e-mail function for WAD reports. However, we do not know what roles/profiles/transactions must be assigned to them. Whenever users call the broadcaster, the broadcaster wizard popup window opens but displays nothing (sends a "page not found" error). We know it is properly configured since we tested it with a user with profile SAP_ALL and it worked correctly. Since no one has that profile assigned (because of obvious reasons), the Broadcaster cannot be used.
    Any suggestions?

    Hi, thanks for the links. The users are now able to do information broadcasting. Unfortunately, some users are receiving the following error:
    Access Denied
    ¿What happened?
    Call to URL http://myhost:8000/sap/bw/Mime/BEx/Misc/PleaseWait.html was cancelled because logon data is incorrect.
    Note:
    System login was executed on system BWP No logon data is displayed
    ¿What can you do?
    If you do not have a user ID, contact the system administrator
    Error Code: ICF-LE-http-c:500-I:S-T:-C:6-U:-P:-L:7
    HTTP 401 Unauthorized
    Your computer Internet Communication Framework SAP
    As far as I have seen, this error is not affecting the information broadcasting operations (users are, for example, sending and receiving e-mails correctly). However, I know that there could be some functionalities not working due to this and I would like to fix the error.
    Any suggestions?

  • Authorizations for non cost center manager in transaction CADO

    I have project managers that need to run transaction CADO, usually against a specific sales order.  Since many employees from different cost centers may charge their time against this sales order and that time data needs to be in the CATSSHOW report.  Normal Structural Authorizations prevent the PM from seeing any of this data.  If I remove the project manager from table T77UA (from transaction OSSB) then they are able run the CADO report without restriction, but also loose their restrictions in other HR transactions which is unacceptable.  Is there a workaround solution to this issue?

    Hi Richard:
    I'm not too sure what "other" HR transactions you are referring to, but have you tried looking in to activating the P_ORGINCON auto object? That had solved my issues with restricting MSS yet still allowing access through other transactions.
    Regards,
    Jonathan

  • Xml output for non-built-in types generated by autotype

    Hi,
    I created a wsdl and used the autotype and wsdl2service ant tasks to generate
    java files.
    As part of my service, I want to log output in xml format of the data received.
    I can write my own serialization, or use the code that was generated by autotype.
    I would rather not write my own. I want to use the code generated by wsdl2service.
    Trouble is I can not find a javadoc nor a sample code segment that shows how!
    Call me dense, but I've spent several hours on BEA web pages looking for answers.
    This is what I found, but I could not get to work for various reasons:
    XML streaming: I have a codec (generated by autotype ant task), but it requires
    a SerializationContext. Where do I get a Serialization Context? I think serialize
    is a callout from WS and not for applicaiton code to call.
    javax.xml.rpc.encoding.Serializer: An object of this type is made available by
    AbstractCodec (base class of generated code, but how is this class used?
    [Sorry if you've seen this posting a couple of days ago on interest.xml newsgroup.
    I didn't intend to repost but due to lack of response there, I thought this newsgroup
    was more appropriate and read more.]
    Thanks,
    John

    manoj,
    Thanks for the help.
    Sample 4 tells me that there is no code generated that I can use to write out
    my non-built-in datatype to xml. For each of my non-built-in datatypes, I will
    have to hand write such code, or use a handler.
    John
    "manojc" <[email protected]> wrote:
    Here is an example of start form WSDL usecase:
    http://www.manojc.com/?sample11
    If you want to log the xml input/output to the web service
    you can use a handler. You need to edit the web-services.xml
    dd file to add handler.
    Here is a example of using handler. But this use source2wsdd
    instead of wsdl2service:
    http://www.manojc.com/?sample4
    Regards,
    -manoj
    "John Franey" <[email protected]> wrote in message
    news:3ef30db2$[email protected]..
    Hi,
    I created a wsdl and used the autotype and wsdl2service ant tasks togenerate
    java files.
    As part of my service, I want to log output in xml format of the datareceived.
    I can write my own serialization, or use the code that was generatedby
    autotype.
    I would rather not write my own. I want to use the code generated bywsdl2service.
    Trouble is I can not find a javadoc nor a sample code segment thatshows
    how!
    Call me dense, but I've spent several hours on BEA web pages lookingfor
    answers.
    This is what I found, but I could not get to work for various reasons:
    XML streaming: I have a codec (generated by autotype ant task), butit
    requires
    a SerializationContext. Where do I get a Serialization Context? I thinkserialize
    is a callout from WS and not for applicaiton code to call.
    javax.xml.rpc.encoding.Serializer: An object of this type is madeavailable by
    AbstractCodec (base class of generated code, but how is this classused?
    [Sorry if you've seen this posting a couple of days ago on interest.xml
    newsgroup.>>  I didn't intend to repost but due to lack of response there, I thought>this newsgroup>> was more appropriate and read more.
    Thanks,
    John

  • Acrobat 7 requires admin password at every launch for non admin users?

    acrobat 7 requires admin password at every launch for non admin users?
    any one with a solution or similar problem?
    thanks for any help.

    I've been avidly following all of the threads regarding this issue...yet none of the solutions have worked for me. I've got 11 Mac users that do not use the Creative Suite..only Acrobat, Quark, etc. I've tried installing and re-installing through both Admin and User accounts, I've tried the AdobeBib XML change, I've tried enabling Root and installing, changing permission on the Acrobat folder, etc. all to no avail. I still get asked for Admin Authentication every time Acrobat and Distiller are opened (except on the Admin account side). This is happening on one particular Mac (G4, 1GB Ram, OS 10.4.3) for both Acrobat Standard 6 and 7 as well. The biggest issue that also happens in tandem with the Acrobat installs is the inability to print from Quark. I get the following error when printing: "The process "pictwpstops" terminated unexpectedly on signal 6." Because of the necessity to print Quark documents, I have uninstalled all Acrobat on the machines until we can get a fix. This resolves the printing problem with Quark. The only option left is to set up all users as Admin accounts - which I really do not want to do. Any other suggestions out there? I've got more information available if needed.

  • 4.what accounts are generated for Non-Valuated material & for Consignment m

    4.what accounts are generated for Non-Valuated material & for Consignment material?
    please explain me.

    Dear Srinivas,
    Please find below the explanation about both materials in a simple manner.
      "Non valuated material".(UNBW):
    For this material type in the basic settings only Qty. update is active & no value update.
    No accounting data is maintained in Material master hence stock values are not updated.This material is procured only with account assignment.
    Consumption statistic is updated only after Goods Issue.Whenever material will come its value will be always go to consumption account.
    Consignment Material :
    In this case material is still owned by vendor & only kept in your premises. Liability only starts when you withdraw material from consignment stock or post it to your own valuated stock.Liabilities are generally settled monthly.
    At GR wrt PO material is directly put to consignment stock of vendor.It is possible to post another GR into consignment stock.No valuation takes place during GR.
    Once the material is withdrawn from consignment stock( For prod) it is valuated with the price of vendor in as per INFO record.
    If useful reward points,
    Vivek

  • Required Authorization for BI Administrator

    Hello
    I would like to know, what kind of authorization is required for a BI Administrator on ECC 6.0.  I'm keep gettting ERROR as
    Source system DEVCLNT510: No authorization for remote activation of DataSources
    Also, I don't have access to RSO2 transactions in ECC system as well. Is there any standard Authorization Objects that I neeed access to on the ECC side ?
    Thanks for your help
    BI

    Hi,
    For Remote activation of datasources from BI system, you need authorization object S_RO_BCTRA.
    When you get some authorization issue, immediately call transaction SU53 and you get the authorizaton needed.
    Regards,
    Murali.

  • Requirements to publish on iBook Store for non-US residents

    I recently applied to publish books on the iBook Store filling out the requested field as suggested by some users for non-US residents.
    I still would like to receive some clarifications on the process and the rules governing book publishing for European residents. What are the requirements to publish ?
    The following are my concerns:
    Is it allowed to be a personal or legal entity in Europe and publish on the iBook Store ?
    Is it required to have a Tax Identification Number in the USA to publish paid editions ?
    Is it required to have a USA credit card or bank account ?
    What about the USA witholdings required by law for Italy ?
    Thank you for your help
    Stefano

    Hi Stefano
    I am replying to this only because no one else have, I am not in Europe but in Canada, so i did experience some obstacles when trying to create my iTunes account. I would assume it would be similar for Europe.  Here are the answers to some of your questions from the Canadian perspective. perhaps they will apply to you as well?
    Is it allowed to be a personal or legal entity in Europe and publish on the iBook Store ?I could do either but went with the legal entity
    Is it required to have a Tax Identification Number in the USA to publish paid editions ?I did and simply hired a company to get the EIN as it I chose to do it under a corporate name.  It cost $250 and I had the number within 48hrs. 
    Is it required to have a USA credit card or bank account ?No
    What about the USA witholdings required by law for Italy ?Apple is handling the sales taxes for the various countries, it is up to me to look after the corporate taxes
    Hope this is a bit helpful to you
    Ajsha

  • My order have a status: "Payment action required: We are unable to obtain an authorization for the credit card you provided. Please contact your card issuing bank. Please update your payment method to continue with this order". But i paid from AmEx.

    My order have a status: "Payment action required: We are unable to obtain an authorization for the credit card you provided. Please contact your card issuing bank. Please update your payment method to continue with this order". But i paid from AmEx. And my money blocked when i see it in internet banking.

    Have yuo contacted AmEx? From what you describe it seems like AmEx is blocking the charge.
    You can contact iTunes if you want by:
    Contact iTunes

  • Material Requirement for non regular materials

    Hi,
    In case of MRP, we have some materials which have no regular consumption pattern. Therefore we cant predict the procurement plan through MRP run. Currently we are running these material by calculating the safety manually and uploading to the system. This is actually a out of system process.
    Therefore please instruct me if any one who have an idea how to calculate dynamic safety level/re-order point for these type of material or any one knows different methodology of MRP running for these type of material.
    Thanks in advance,
    Nihal Wijerathne

    Hi,
    Consider a finished product A,which has a main assembly A1 & in this example we will take A1 for MPS,lets say for making A1 you need a special machine(Work center) & this machine is a critical resource for that company,So A1 is planned ahead in MPS to ensure that critical resource is efficiently utilised & at the same time A1 is also made on time,so MPS is run on A1 first before going for the MRP run(for the rest).As a result of MPS the necessary orders are planned at that level(in our case planned order for A1). Dependent requirements (if any) are placed on the next BOM level down, and then the process stops,Like wise if in your compnay if there are n products amoung which some products contibute a high profit then you can even take them afor MPS
    Normally MPS run before the MRP and during MPS system plans only those parts which are marked as MPS parts via MRP type. Here MRP plans single items (MPS items) and dependent requiremenst will be created for the parts which are just below the MPS assembly. It is advisable to run MPS a day before of the MRP run.
    For MPS run you have used tcode MD41. It is a single item multi level planning run.
    MPS plan for below one level only. But this is the tcode provided for multi level run.
    For single item single level run use tcode MD42.
    In your scenario, system created palnned order upto ROH level, eventhough HALB & ROH mrp types are PD.
    But with tcode MD02 or MD03, can not run MRP type M0 and series
    During normal MRP run system will not plan MPS parts again. only dependent assemblies and parts will be planned.
    First run MPS only with MRP type M0,M1,M2 and all and run with MD42 and then go for MRP in MD02 or MD03.
    You can schedule MRP run , First run MPS items and then MRP in MDBT also.
    pherasath

  • Excise invoice issue for non stock orders

    Hi,
    We are unable to create excise invoice for non stock materials. When we try to create excise invoice with refernce to the billing document, the following error appears (message no 81681: reference document of 2917 is not delivery document). This process was working properly before updating patches, but after the updation, we are not able to generate excise invoice for non stock materials. (FYI: In the case of non stock order we are using order related billing). Any solution to resolve this error??
    regards
    John
    Edited by: Gino12 on Oct 28, 2010 10:00 AM

    For sales with material type NLAG, Item category TAX and schedule line category CX contain the standard settings along with copy control settings (VTFL, item level requirement 004) that suit your case.

  • What's the best way to do authorization for my app?

    The authorization situation is somewhat complicated for my app.
    Each component of the app is authorized based on not only the user, but also the page number, the value of at least one P0_ITEM.
    From what I've seen so far, there are two different options of setting the authorization for the component:
    1. Set its Condition
    2. Set its Security Authorization Scheme
    Here is my understanding for each (from my limited experience with APEX):
    1. Set its Condition
    + Can pass in parameters such as :APP_USER, page numebr, P0_ITEM. So I can just create one function that does all the authorization
    - Have to combine the SQL query with the component's non-authorization display conditions, if any.
    2. Set its Security Authorization Scheme
    + By name, it seems like it should be used for authorization
    - Cannot take in parameters relating to the page, such as the page number --> therefore I will need to create many different schemes, for all the different pages.
    #2 will end up with a long list of schemes (each with its own SQL queries) for different pages, which doesn't seem as efficient as #1 with far fewer SQL queries and just take in parameters.
    Which one should I pick?
    Thanks!

    953006 wrote:
    Thanks fac586 for the detailed response, and also everyone else who replied. You guys are very helpful and respond promptly. And we'd appreciate it if you changed "953006" into a real handle promptly.
    Andre mentioned using conditions:
    The way I work around this is to have two functions, one which is used at the page level as a normal authorization scheme and one which can be passed variables which is called as a Condition and the name of the item is one of the variables, in effect giving it "self awareness".But fac586 said:
    You can't pass "parameters" to authorization schemes. Use application items, APEX collections or application contexts to set current context before the authorization scheme is evaluated, and access these values in the functions.Does this mean, fac586, that we can avoid conditions altogether? No, it means that I prefer to use Authorization Schemes to control access to resources based on user privileges and security, and Conditions to control rendering and processing for functional reasons. Using the approach described above I have found it possible to maintain this separation.
    Say if a page has two buttons, Button_A and Button_B. Button_A has a set of requirements for displaying and Button_B has its own set of requirements (some of which are shared with Button_A). So far, the only way that I can see of using pure authorization is to write 2 different authorization schemes, and set the authorization schemes for the two buttons respectively.What's the problem with that? Consider a more concrete example using a standard APEX report/form pattern for customer maintenance. Page 6 contains the report, and page 7 is the maintenance form with P7_CREATE and P7_SAVE buttons. Only users entitled to create new customers should have access to P7_CREATE, and only users able to edit customers access to P7_SAVE. This would be controlled by the CREATE_CUSTOMER and EDIT_CUSTOMER authorization schemes respectively. Functionally, conditions are used to show P7_CREATE if the P7_CUSTOMER_ID is null, and P7_SAVE if it's not null. We don't mix non-functional security considerations with functional requirements.
    The CREATE_CUSTOMER and EDIT_CUSTOMER authorization schemes are of type PL/SQL Function Returning Boolean. These are implemented using package functions. Exactly how a user has create/edit customer privilege is determined in the package. Determinants that are shared by multiple schemes can be combined at this level. These implementations can be changed as necessary without requiring changes to the application.
    The authorization schemes are reusable across pages and components. On page 6, CREATE_CUSTOMER can be used on the "Create New Customer..." button; EDIT_CUSTOMER on the report column containing the "Edit" links.
    Each component of the app is authorized based on not only the user, but also the page number, the value of at least one P0_ITEM. So I guess this goes back to my original concern with Authorizations:
    [Using purely authorizations] will end up with a long list of schemes (each with its own SQL queries) for different pages [and page items] ....
    Re: VPD policies. Note that in the example above there's no need for the authorization schemes to "know" which pages/items are being evaluated. The P7_SAVE button and the page 6 link column are involved with the EDIT_CUSTOMER operation, so that authorization scheme is applied to them.

Maybe you are looking for