Hiearchy Authorization

Hi All ,
Consider a scenario in which in a single infoobject which is authorization relevant consist of three heirarchies i only want a user to accesss two hierarchy out of three but in all the three hierarchy some common values are present due to this reason  i need to give user all value authorization
(Value authorization: I CP *).But due to this when i excute a query i can see all the hierarchy evethough i have includes only two in the hierarchy authorization.
How should i i assign a authorization in order to get proper result.
Regards,
Deepak

Hello Deepak warbhe,
If you give CP * you'll always give full authorizations regarding of any hierarchies assigned.
You should give EQ : and assign two hierarchies in that authorization.
It should work right that way.
Remember even with the third hierarchy not assigned, you're giving authorization to the two hierarchies and whatever structure of nodes and leafs that belong to that hierarchy, you'll see values of that characteristic that belong to the tree of the hierarchy in the nodes and the leafs.
Diogo.

Similar Messages

  • Analysis Authorization based on Hier node with multiple display hierarchies

    Hi guys - I've got a problem where s.o. might have an idea of how to switch on the light at the end of the tunnel, I am currently standing in:
    Requirement:
    Cost Center Authorization should be given through RSECADMIN, reporting should be possible for any hierarchy that exists for the authorization relevant info object.
    Preferred solution:
    The Cost Center Analysis Authorization should be given through RSECADMIN - Hierarchy node assignment.
    u2022     A dedicated Authorization Cost Center Hierarchy will be maintained in ECC6 as an alternative cost center hierarchy and extracted into BW.
    u2022     The RSECADMIN Hierarchy node assignment should be based on a particular node (Type 2).
    u2022     The display level will be specified as required (here: Level 7)
    u2022     The Authorization granted should be independent of hierarchy name and version (validity 3).
    Reporting Scenario and technical impact:
    As mentioned above, when designing and running a query the user should be able to freely select other (i.e. than the authorization) display hierarchies for the authorization relevant reporting object 'Cost Center' as well. The technical names of the semantically relevant hierarchy nodes could therefore vary. E.g. cost centers 1, 2 and 3, being assigned under hierarchy node u2018Au2019 of the RSECADMIN relevant authorization hierarchy, could be subsumed by hierarchy node u2018Bu2019 in another display hierarchy, which the user may want to display in accordance to his reporting needs. Ideally, the alternative display hierarchy should therefore display node u2018Bu2019.
    My findings so far (based on prototyping) turn out that this is not possible as long u2018Bu2019 (and its hierarchy) is not authorized in RSECADMIN. Can these findings be confirmed? And if not, would anyone have an idea of how to facilitate the reporting scenario?
    Would there be any other way to grant access, possibly based on RSECADMIN single values, and also enable the user to flexibly display hierarchies with only those hierarchy nodes whose single cost center values the user has been given access to?
    Thanks everyone for your input...
    Claus
    Edited by: Claus64 on Jul 13, 2009 4:10 AM

    HI CLause,
    On Jul 14 2009, you wrote in SDN and said:
    FYI: Found a solution...
    The hierarchy analysis authorization will be based on a navigational attribute of cost center.
    With analysis authorizations it is possible to declare the Auth object (e.g. 0COSTCENTER__RACCAUT0) as authorization relevant and leave the superior object 0COSTCENTER auth irrelevant.
    The auth will be given for 0COSTCENTER__RACCAUT0. This object will be placed as a filter of the query, being restricted by an Authorization variable for hierarchy nodes.
    Due to the concept of Analysis Authorizations, this variable will automatically pick up the nodes granted as part of RSECADMIN Hierarchy based Authorization.
    As mentioned above, 0COSTCENTER as the regular reporting characteristic remains auth irrelevant and can therefore take any hierarchy thatu2019s available. Reporting on single values will be possible, too. Only those nodes show up that hold the authorized cost centers in accordance to the authorization.
    If the auth relevant 0COSTCENTER__RACCAUT0 is not used in the query definition by either not taking it in as a filter or skipping the Auth variable, the query will launch the message that the authorization is missing. No data show up at all.
    Claus
    See this thread:
    Analysis Authorization based on Hier node with multiple display hierarchies
    I am also in the same situation as you and need to understadn your solution. I understand that you created a Nav Attr on 0COSTCENTER and made this auth relevant whilst ensuring that 0COSTCENTER is NOT auth relevant. This is all fine. The issue was you have multiple hierachies for 0COSTCENTER, how did the new Nav Attr help you solve your issue. When loading 0COSTCENTER what values did you load ino the new Nav Attribute and how did that link to the hierachies? Also, in RSECADMIN you created hiearchy nodes based on the Nav Attribute but I am confused as to what values you have in the Nav Attr.
    I appreciate if you can share your solution from the past in more details.
    many thanks

  • Authorization based on STD Cost Centre Hierarchy - different hier levels

    Hello,
    I need to create an Authorization scenario where the same user, which have autorization based on Cost Centre Standard Hierarchy, would have access to Cost Centre Hier "NODE A" for "CUBE 1" and Cost Centre Hier "NODE AB" for "CUBE 2". The challange is that he cannot access "NODE A" on "CUBE 2".
    How can I have this? Would it work if I create 2 different authorization objects based on cost centre, each one for a different cube?
    Current authorizations are set up for CUBE 1 based on roles assigned to users and this affects more than 300 User ID. So I need a solution with few impact on what is already set up...
    BW version 3.1
    Thanks in advance

    Just for the forum information, I have made further progress on this.
    I have created different Authorization Objects (both based on cost cecntre) and assigned each one o a different cube. I will then have 2 roles assigned to the user: one role with Auth Object X will provide access to cube A only; the other role with Auth Object Y will provide access to cube B only.
    Regarding the hiearchy level, as this does not depend of the Authorization Object but on the Cost Centre Object itself, I dont need to create (Tcode: RSSM) duplicated hierachy technical names for the same node of the hiearchy depending on the auth. Object.
    Hope this helps who's browing on the forum and have a similar issue. Otherwise, please contact me.
    Regards

  • Open and close posting period authorization control TCODE: S_ALR_87003642

    HI All,
    Is there any chance to control the user to open and close another company code posting period variant in TCODE: S_ALR_87003642.
    In our system we are using the same client for different countries. So user can able to change the other country company code posting periods.
    We would like to control either on the country (or) organizational unit(company code) (or) posting period variant so that user can only open/close  their country / company code posting periods.
    Our present authorization role for open and close posting period contain the auth.Obj. : S_TABU_DIS.
    Please share your knowledge if you come across this problem..
    Thanks in advance..

    Hey Sandhya,
    Congratz, this can be done using linbe item authorization with the object S_TABU_LIN.
    Field ORG_CRIT - Value 02
    Field ORG_FIeld1 - Value ZT001B
    We have successfully done it in our client.
    You need to contact your BASIS consultant for this.
    Thanks,
    Nitish

  • Analysis Authorization in BO 4.0 Webi report

    Hi All,
    I am using BO 4.0 and creating connection from Information Design tool to a BW query using BICS client. This connection is then published to CMC.
    We are using SAP authentication and importing the roles from BW system. We have added profiles to this role and these profiles have Analysis Authorization set on Company Code. So one user can access data to one company code and vice versa. Now this works well in Bex Analyzer, but if I try to create a report in Webi, the analysis authorization fails. I went through the forum before posting this question and I found that is in 3.1 version and in most cases using SSO in universe connection solved the problem.
    However in 4.0 I am using BICS client and followed the same processes to create a connection but for some reason it doesn't work ? Is this suppose to work differently in 4.0 ?
    I have tried:
    1. To create connection in Information Design tool using SSO, selecting user ID and password. It doesn't work.
    2. Checked the Bex query and it already has Company code as a Characteristic restrictions (I have made it a mandatory variable).
    3. Publish the connection to CMC with my Enterprise and SAP ID and in both cases it doesn't work.
    Please let me know if anyone encountered a similar issue and what is the best method to resolve this.
    (BO 4.0 no service pack or fix pack installed on the system yet)
    Thanks - Appreciate your help !
    Prasad Rasam

    Ingo,
    1. To create connection in Information Design tool using SSO, selecting user ID and password. It doesn't work.
    >> Correct you need to setup you OLAP Connection with SSO.
    >>> What I meant was I created the connections using both the methods, Using SSO it allows me to create a connection. The ID which I am using to create a connection has Admin access to BOBJ system. When I login as a regular user to create a Webi report and select this new connection, it throws an error message 'The DSL Service returned an error: com.businessobjects.dsl.services.workspace.impl.QueryViewAnalyzer$CannotGetCubeFromConnectionException: Cannot get the cube from the connection'
    Using the other method to create a connection with User ID and password, I can create a connection and with the normal user login I can connect to the BW query but Analysis Authorization doesn't work.
    Ingo : Could you be more specific what you mean here with the different users ? When you say "regular" user are you referring to an SAP credentials or SAP BusinessObjects Enteprrise credentials ?
    2. Checked the Bex query and it already has Company code as a Characteristic restrictions (I have made it a mandatory variable).
    >> The variable in the BEx query needs to be an authorization variable.
    >>> This has already been set as Authorization variable. There is still a question here. If I select the variable as Authorization variable, I cannot set the other parameters in the query properties such as Mandatory variable (as this is greyed out).
    Ingo : What other parameters would you like to configure ? Could you perhaps describe the scenario with more details ?
    regards
    Ingo Hilgefort

  • Analysis Authorization Issue 7.3

    Hello Friends,
    System BW 7.3, Currently there are 80 odd analysis authorization objects
    We want to introduce a new info object (GL Account) to be authorization relevant, ( there are few objects in the system which are already authorization relevant in the system with proper analysis authorization objects and they are working fine)
    Things done, made the GL Account object authorization relevant in RSA1, Created 2 analysis authorization objects with GL Account and TCT objects and one with hierarchy restrictions and one open access.
    Added this object to the user in addition to its already existing authorization objects. Created authorization variable in BEx.
    Some how the authorization is not picked up and it gives us all the values in the report. But if I add the GL Account info object to the existing analysis authorization objects then it works fine.
    I do not want to change all the existing analysis authorization objects to add GL Account.
    Your inputs are most welcome.
    Thanks
    Ed.

    Gajesh- I have added the new analysis authorization object to the user in RSECadmin.
    Subhendu- Problem statement: What are the steps involved in making a new info object(GL Account) authorization relevant. Authorizations are given at hierarchy level. Can we create a new analysis authorization with  GL Account only or do we have to add it to every existing analysis authorization
    I have done the following steps
    1. Made the GL Account object authorization relevant in RSA1,
    2. Created 2 new analysis authorization objects with GL Account ( with hierarchy restrictions) and TCT objects and one with GL Account open access.
    3. Added this object ( which has restrictions) to the user in RSECADMIN, in addition to its already existing authorization objects.
    4. Created authorization variable in BEx.
    5. No existing analysis authorization objects have been changed.
    When I test the report, It does not restrict based on the hierarchy that I have given, it gives open access.
    But If I add GL Account with restrictions to the existing analysis authorization object, it works good.
    Guess I am missing some thing here.
    Do you need any other screen shots.
    Thanks
    Ed.

  • Analysis Authorization Issue

    Hi:
    I created an analysis authorization ZCO_CODE to trstrict it by a company code.
    I added following objects in authorization with values.
    0COMP_CODE = 1000
    0TCAACTVT = 03
    0TCAIFAREA = *
    0TCAIPROV = *
    0TCAVALID = *
    Then I created a role Z:00:BW_REPORT, where I added following authorization objects S_RS_AUTH and restricted it by value ZCO_CODE. Then I assigned this role to a user test01.
    When I execute a program RSEC_MIGRATION for this specific user, I do not see authorization object ZCO_CODE on 2nd step of this program. Any Idea Why? I think this object should show up as I want to migrate this specific object.
    Help will be appreciated.

    Hi Sachin:
    Okay here is my issue.
    I have a Reporting authorization Object created earlier which is ZCOCODE. I though I'll have to create a new Analysis authorization object e.g. ZCO_CODE and then restrict it with other chars. as mentioned in Marc Bernards presentation and then you have to migrate it.
    In selection list I can see old Reporting authorization object. If I select it and use option "Enhance existing profile" then It will update profile and not role? right....
    How can I see whether it has updated existing profile?????
    Do I need to create new Analysis Auth. for Company code or I can use old Reporting authorization for company code?
    For testing purpose, I created a test user and assigned all reporting roles but It will not show up in RSEC_MIGRATION step???

  • BW Analysis authorization issue on cost center range

    Hello BIW security experts
    I have a problem where I created an analysis authorization on a cost center range and it looks like the interval is not working. The report is just a list of cost centers (demo to users to prove that analysis authorizations work in order to skip 2 managerial cost centers.
    . Cost centers are numeric. Example:  2000100. In the drop down list they appear as such.
    . I want to have the following cost center range: 1000000 to 1000771, 1000773 to 2000771, 2000773 to 9999999.
    Thereofore 1000772  and 2000772 should not appear in the list.
    . In the analysis authorization I have put the 3 ranges above on 3 separate lines. 'BT' is the operator. The cost centers have been selected from the drop down list.
    Results:  I get only 1 record from the report....  2000772. (which is one I want to exclude..
    Steps tried to debug:
    . When I put a list of cost centers in the analysis authorization on separate line with the 'EQ' operator, then the report works.
    . I tried putting ' ' delimiters since cost center is a char field but it fails.
    . I tried adding leading and trailing zeros to fill up the char(10) but no luck.
    . I tried creating a hierarchy with the interval and put it in the hierachy auth. tab and it does not work either. It gives the same number of records than the first step.
    . A hierarchy with single values work.
    I do not know what else to try..
    Thanks.
    YB.

    Good morning
    Here it is from RSECVAL
    ZCC_TEST     0COSTCENTER                    I       BT        1000000                                                      1000771
    ZCC_TEST     0COSTCENTER                    I       BT        1000773                                                      2000771
    ZCC_TEST     0COSTCENTER                    I       BT        2000773                                                      9999999
    ZCC_TEST     0COSTCENTER                    I       EQ        #
    ZCC_TEST     0COSTCENTER                    I       EQ        :
    ZCC_TEST     0INFOPROV                         I       CP        *
    ZCC_TEST     0TCAACTVT                        I       EQ        03
    ZCC_TEST     0TCAIPROV                         I       CP        *
    ZCC_TEST     0TCAKYFNM                       I       CP        *
    Thank you for your help.

  • BW Analysis authorization issue... need help urgently....

    We have one BW query which is pulling data from Contract Division info-object. Now this report does not variable selection object so it is pulling data from all values of Contract Division. Values of  Contract Division are CNC, CNS, CNE and CNL.
    Now we have created an analysis auth. object called z_es_3 and added Contract division info-object. Now we have added that z_es_3 into role and given value to CNS. now when we are running report, we are getting No Authorization error. When we are giving * value in z_es_3, it is running fine.
    Now we have to restrict report to contract division. please help.
    Thanks in advance

    Are you running unrestricted search on Contract division in your queries? You should restrict it to value which is maintained in the authorization for the InfoObject.
    Also please run the analysis authorization trace from RSECADMIN. That will give you a clearer picture of what is wrong.

  • BW Analysis authorizations issue in BO Webi Report

    Dear All,
    I have one webi report which is on BEx Query-universe.
    Query has 6 authorization variables with ready for input(optional).
    User has authorizations for all 6 fields.
    But when we execute the webi report it is throwing error message  like" query do not retrive data"
    One of the  6 authorization fields has only few values , when we give " * " to this field the user can able to execute the report.
    Could  anybody tell me what is need be done here
    regards
    mhreddy

    Hi!
    Probabily the combination of authoriztions funcions are executing considering "and".
    See your configuration to considerer "or".
    Test one by one.
    bye

  • Can I authorize 2 apple IDs on one computer?

    I'm new to the communities so please bear with me if I post this inappropriately.
    My husband and I both have iphones.  My two children have itouchs.  My husband has an ipad.  We also have numerous ipods.
    We have two computers in the house.  When my husband first bought an ipod, we had a PC.  All of his devices have always been synced on the PC using his apple id.  When I got my iphone, I synced on our MAC using my apple id.  When the kids got itouches, they synced on the MAC using their apple id.
    We discovered that anything the kids and I purchased on itunes on the MAC is available to all of us.
    We would now like to use home sharing.  To do this, both computers must be authorized to one apple id.  If the PC is deauthorized for my husband's apple id, I understand he will lose his purchases on the PC (or at least they won't be available until he authorizes it again).
    I understand that an apple id may be authorized on up to 5 computers.  But what about multiple apple id on one computer???
    My questions are basically this...
    Can we authorize 2 or more apple id on one computer? 
    Can I authorize my apple id on the PC and have my husband's apple id remain authorized on the PC?
    Can my husband's apple id be authorized on the MAC and my apple id remain authorized? 
    Can the kids apple id be authorized on each of the PC and the MAC?
    Can we have 4 different apple id authorized on a computer at once?
    Will authorizing my apple id on the PC de-authorize my husband's apple id?
    How's that for asking the same question in lots of different ways?  I have seen a lot about a computer using the same id multiple times but nothing about whether I can authorize many different ids on one computer at once.
    Thanks for the help.

    Each person in your home can have their own Apple ID provided it is tied the their own separate email address.
    iTunes permits up to five authorized computers connected to a single Apple ID: iTunes Store- About authorization and deauthorization.
    For this all to work well, however, each user in your household should have a separate user account on the computer they commonly use.

  • How can i authorize music from one apple id acount to another

    how can i authorize music from one apple id acount to another? My IPhone 5 wont play my songs that were purches from my old apple id account

    timss22 wrote:
    how can i authorize music from one apple id acount to another?
    You cannot. iTunes purchases remain on the iTunes account they were purchased with.
    My IPhone 5 wont play my songs that were purches from my old apple id account
    So just upload them from iTunes.
    You have mulitple AppleIDs?
    Why?

  • How can i get the itunes store authorization on a windows 7 laptop

    i need help big time please. i am about to either throw my laptop because itunes is not authurizing my dell windows 7 laptop

    Hello there, jeffrodgers74.
    The following Knowledge Base article goes over a few of the reasons iTunes may continually prompt for authorization:
    iTunes repeatedly prompts to authorize computer to play iTunes Store purchases
    http://support.apple.com/kb/ts1389
    Although all of the topics are relevant, most people find the following section to be the culprit in most cases:
    Authorize using the correct account name
    The items you are trying to play might have been purchased using a different iTunes Store account. To determine which account was used to purchase an item, follow these steps:
    Select a purchased song in your library and choose File > Get Info.
    Click the Summary tab. Note the Account Name that appears in the list. This is the account name (Apple ID) you will need to use when authorizing your computer to play this purchase.
    Note: The account name that appears is the one you used when purchasing the item and does not change if the account name (Apple ID) changes.
    If you've authorized the Apple ID that is shown in the Summary tab, you can check the purchase history for that Apple ID from Store > View My Account. If your purchase history does not reflect the purchase of the items in your iTunes library, consider any other Apple ID you may have created, and authorize the computer for your additional Apple ID.
    If you forgot the password to one of your accounts, you can recover it using Apple's password-recovery website.
    Thanks for reaching out to Apple Support Communities.
    Cheers,
    Pedro.

  • How many computers can you authorize with one serial number?

    Hey guys.
    I'm thinking about buying a 2nd Mac, but I'm just curious how many total computers you have authorize Logic studio on at one time (my guess would be 3 but I hope more).
    Please let me know if you can.
    Thanks,
    Nathan

    I'll copy my post from the other thread:
    I don't know for the others but in my retail package ((not upgrade) I found two serial numbers. Though I haven't got time yet to try the second serial number on my MacBook, my logic says that with two different serials I could run both macs simultaneously and be on the network. But, my logic fails so often so it's better to shut my mouth, install Logic on MacBook and come back here again.

  • Is there a way to authorize more than 5 computers.  We have three macs and 5 pc's in the house.

    Hello,  I have a MBP (mid 12 model), a brand new MBA (mid 13), and Mac Mini, four laptop PCs and 2 more Desktop PCs (I have teenage daughters and my wife)...
    I intend for one of the PC's to be a "server" I have a large library that certainly does not fit on the MBA, or the MBP.  To share the library the client has to be authorized. 
    I am currently using all of my authorizations...  is there a way to get more?  (I can't move content to another account I am assuming...)
    Thanks in Advance,
    Chris

    iTunes Store: About authorization and deauthorization - http://support.apple.com/kb/HT1420 - and another helpful post: https://discussions.apple.com/message/17828050
    "You can authorize up to five computers with your Apple ID."  I have not heard of a way to get more.  They probably set up a limit so people don't go around and authorize all their friends' and relatives' computers to one account, and somehow arrived at the number 5 to limit (probably because most families won't have more than one computer per person and 2 parents + 2.5 children rounds up to 5).

Maybe you are looking for