Hierarch Authorization

Please tell me the way to make hierarchy authorization for profit center and use it in report
i know some steps please correct
1. go to rssm and define authorization object and
2. then select radio button object and hit create and
3. select 0profit_ctr , 1kyfnm and 0tctauthh and move to right side
4. now go to pfcg and assgin to the role (Dfin_rftx) of profile all these 3 0profit_ctr , 1kyfnm and 0tctauthh
5. after this assign the authorization object to infocube
can u tell me how to create auth.variable in report for profit center hierarchy since when i go to report and see infoobject 0profit _ctr it does not show me the hierarch auth variable so where is it we create that.
please help
soniya

Hi Soniya,
try this link:
http://help.sap.com/saphelp_nw04/helpdata/en/e7/56b23bdb0d0156e10000000a11402f/content.htm
Regards,
Lilly

Similar Messages

  • BI analysis authorization - Same info provider- diffrent access ?

    Hi Gurus,
    Designation of roles:
    1. User is having two PFCG roles (A1 & B1) assigned.
    2. Role A1 contains query name ZQRYA1 & Role B1 contains query name ZQRYB1
    3. Role A1 is linked to analysis authrozation role AR1 and Role B1 is linked to analysis auth. role BR1 (thorugh S_RS_AUTH)
    4. AR1 is having access to Company code 1000 & info proivder is ZIC_COPA
    5. BR1 is having access to Company code 2000 & info provider is same ZIC_COPA.
    Requirement :
    When user is executing ZQRYA1, he should see only 1000 company code.
    Result:
    With above design user is able to see 1000 & 2000 company code data for ZQRYA1.
    My analysis:
    1. We should use Customer exit in the Query. (SAP note referred  668520).
      2. As per SAP note 1000004 (Merging and optimizing analysis authorizations), I understand that if same info provider is there then BI analysis auth. will merge the values.
    Please correct me if I understand something wrong. Also suggest how can implement role so that values will not merge.

    Hi experts,
    I am getting confused now.
    As pe rmy practical experience for same info-proivder BI AA will merge the values. Even i got same response in SDN forums.
    But when I raised this issue to SAP (OSS message), SAP says this issue should resolve by applying SAP notes through SNOTE..
    1138708     Unauthorized data is displayed: "Not assigned" (#)     
    1158432     Too many values authorized for hierarchy with intervals     
    1234334     Authorization error for query on InfoSet     
    1229602     Error when using hierarchies: Authorization error     
    1226163     Authorization variables in workbook     
    1000004      Merging and optimizing analysis authorizations
    1150754     Authorizations for InfoSet chars. ignored in input help     
    1235049     F4 help: Unauthorized data for referencing characteristic     
    I have gone through notes but did not find relevant, but still SAP replied it should resolve the issues.
    Please suggest.

  • Webi 4.0 using SAP BW old security model (old authorization concept in BW)

    Hi experts,
    we are facing a problem with a new customer, using SAP BO 4.0 - Webintellingence on top of a SAP BW 7.0 EHP1.
    The customer is still running the old security concept in BW. The hint to upgrade SAP BW to the new reporting authorization will be done, but not within the next half year.
    Could that be a major problem to run this combination (BO 4.0 (Webi) and the old security concept) particularily on hierarchie authorization.
    Thanks in advance for a quick answer.
    Thomas

    (1) BEx queries already in use by the business users are from the BWP and those same queries may or may not exist in BWD or BWT as some business users create BEx queries directly in the BWP.
    1). As I told you earlier, design is purely  based on Requirement and Process also needs to be followed.
    Bex can be created directly in the production, but if query goes wrong or fetches wrong data, don't you think business people will get frustrated. If you or team can explain the process, then Yes you can directly work on Production (just my view)
    (2) Even if those queries do exist in entire BW landscape, including BWD, BWT, and BWP, only BWP has the data that business user can count on. BWD has no data and BWT has only sample data where as BWP has actual and complete data.
    Running the query is BWD or BWT is just for testing, example incase of BOBJ upgrade, you need to do in 577 and test before prod rite.
    3). I can create reports in 577 in connection with BWD to maintain consistency in the schema for both the environments. Upon approval and migration to 578 I know that I can change the underlying connection from BWD to BWP and that would work just fine, however, according to the business users, the auditors would not like the idea in light of SOX compliance and may not approve the methodology.
    You have answer in your question (SOX) and Business also like to follow the process (atleast in the companies, I have seen)
    Just my view...

  • Hierarchy restrictons not working with Basis servicepack upgrade to 14

    Hi All,
    We recently upgraded our system with basis sp  14, and we having the below problems with out hierarchy restrictions:
    Problem #1
    We recently upgraded our system from then onwards hierarchy restrictions not working, users are getting authorization error when they execute the query. However we tried by adding aggregates now hierarchy restrictions seems to be working.
    Problem #2
    We are testing hierarchy restrictions for budget planning function, after we add aggregate its allowing the user to plan the data, but when they try to distribute or escalate the data its again throwing authorization error. When I checked error log for Orgunit hierarchy restriction, the query is looking for single values it is not considering the node restriction, the orgunit values appeared in error log all belong to the node I restricted in analysis authorization.
    We implemented note#1133674 as this was relevant to our issue with planning function. But this didnt fix the issue.
    We are now on BI SP 16 and Basis SP 14
    Just wondering If any of you came across with the same kind of issue, Any help is appreciated.
    Thanks,
    Kavitha

    Hi Kavitha,
    Please check SAP note 1229602 Error when using hierarchies: Authorization error.
    Regards
    Imran

  • Data not visible on bookmark

    Hello All,
    We have an issue with some of our reports which are bookmarked.
    Cost Element hierarchy is set up in the rows in some of these reports. When the bookmark is opened freshly, some of the transaction data against some of the hierarchy nodes of Cost Element shows as blank.
    When the hierarchy is then deactivated in the screen and then reactivated again, the data is again visible against these hierarchy nodes. This issue is not occuring for all users but for some users.
    Kindly advice.
    Regards,
    Subhra.

    Hi,
    Can you please check whether the following note is helpful for you:
    1229602 - Error when using hierarchies: Authorization error
    Thanks & Regards,
    Sapna

  • Auth: Restrict Infoobject for Queries differently for the same user

    Hi guys,
    I need to restrict an infoobject differently for some queries (analysis authorization). For example, I need to give full hierarchie access for query 1 to user 1.  But for another query for the same user I need to restrict the hierarchie authorization. Furthermore, both queries are based on the same multi provider. It is not possible to use different multi provider ... the adjustment effort is to high (to many queries).
    I have set up an authorization with rsecadmin
    QUERY1:
    ZHier1     Hyrarchie 1
    ZHier2     Hyrarchie 2
    0TCAACTVT     Activity in Analysis Authorizations
    0TCAIPROV     Authorizations for InfoProvider
    0TCAVALID     Validity of an Authorization
    0TCTQUERY     Query
    -->I added the respective values for the queries, the used multiprovider, hierarchies, etc.
    I have set up the same for QUERY 2 with different Hierarchy and Query values, but it does not work correctly. The user is always authorized for the hierarchie values of both queries.
    Thanks foryour helpin advance!!
    Regards,
    Sven

    Hi Sankar,
    Sorry for the confusion. Lets focus only one hierarchy ... ZHier1. 
    QUERY1:
    ZHier1     -> value: node2
    0TCAACTVT     -> value: 2 & 3
    0TCAIPROV -> value: multiprovider1
    0TCAVALID     -> value: *
    0TCTQUERY     -> value: query1 (based on multiprovider1)
    QUERY2:
    ZHier1     -> value: node2.1 (sub node of node 2)
    0TCAACTVT     -> value: 2 & 3
    0TCAIPROV -> value: multiprovider1
    0TCAVALID     -> value: *
    0TCTQUERY     -> value: query2 (based on multiprovider1)
    But this does not work. When I use query2 in reports the user has access to node2 and not only to node2.1.
    Any idea?
    Thanks again!
    Sven

  • Analysis Authorization based on Hier node with multiple display hierarchies

    Hi guys - I've got a problem where s.o. might have an idea of how to switch on the light at the end of the tunnel, I am currently standing in:
    Requirement:
    Cost Center Authorization should be given through RSECADMIN, reporting should be possible for any hierarchy that exists for the authorization relevant info object.
    Preferred solution:
    The Cost Center Analysis Authorization should be given through RSECADMIN - Hierarchy node assignment.
    u2022     A dedicated Authorization Cost Center Hierarchy will be maintained in ECC6 as an alternative cost center hierarchy and extracted into BW.
    u2022     The RSECADMIN Hierarchy node assignment should be based on a particular node (Type 2).
    u2022     The display level will be specified as required (here: Level 7)
    u2022     The Authorization granted should be independent of hierarchy name and version (validity 3).
    Reporting Scenario and technical impact:
    As mentioned above, when designing and running a query the user should be able to freely select other (i.e. than the authorization) display hierarchies for the authorization relevant reporting object 'Cost Center' as well. The technical names of the semantically relevant hierarchy nodes could therefore vary. E.g. cost centers 1, 2 and 3, being assigned under hierarchy node u2018Au2019 of the RSECADMIN relevant authorization hierarchy, could be subsumed by hierarchy node u2018Bu2019 in another display hierarchy, which the user may want to display in accordance to his reporting needs. Ideally, the alternative display hierarchy should therefore display node u2018Bu2019.
    My findings so far (based on prototyping) turn out that this is not possible as long u2018Bu2019 (and its hierarchy) is not authorized in RSECADMIN. Can these findings be confirmed? And if not, would anyone have an idea of how to facilitate the reporting scenario?
    Would there be any other way to grant access, possibly based on RSECADMIN single values, and also enable the user to flexibly display hierarchies with only those hierarchy nodes whose single cost center values the user has been given access to?
    Thanks everyone for your input...
    Claus
    Edited by: Claus64 on Jul 13, 2009 4:10 AM

    HI CLause,
    On Jul 14 2009, you wrote in SDN and said:
    FYI: Found a solution...
    The hierarchy analysis authorization will be based on a navigational attribute of cost center.
    With analysis authorizations it is possible to declare the Auth object (e.g. 0COSTCENTER__RACCAUT0) as authorization relevant and leave the superior object 0COSTCENTER auth irrelevant.
    The auth will be given for 0COSTCENTER__RACCAUT0. This object will be placed as a filter of the query, being restricted by an Authorization variable for hierarchy nodes.
    Due to the concept of Analysis Authorizations, this variable will automatically pick up the nodes granted as part of RSECADMIN Hierarchy based Authorization.
    As mentioned above, 0COSTCENTER as the regular reporting characteristic remains auth irrelevant and can therefore take any hierarchy thatu2019s available. Reporting on single values will be possible, too. Only those nodes show up that hold the authorized cost centers in accordance to the authorization.
    If the auth relevant 0COSTCENTER__RACCAUT0 is not used in the query definition by either not taking it in as a filter or skipping the Auth variable, the query will launch the message that the authorization is missing. No data show up at all.
    Claus
    See this thread:
    Analysis Authorization based on Hier node with multiple display hierarchies
    I am also in the same situation as you and need to understadn your solution. I understand that you created a Nav Attr on 0COSTCENTER and made this auth relevant whilst ensuring that 0COSTCENTER is NOT auth relevant. This is all fine. The issue was you have multiple hierachies for 0COSTCENTER, how did the new Nav Attr help you solve your issue. When loading 0COSTCENTER what values did you load ino the new Nav Attribute and how did that link to the hierachies? Also, in RSECADMIN you created hiearchy nodes based on the Nav Attribute but I am confused as to what values you have in the Nav Attr.
    I appreciate if you can share your solution from the past in more details.
    many thanks

  • BW Authorizations Hierarchies

    Greetings All;
    This is yet another question regarding BW Authorizations.
    I have two fields 0COMPANY and 0PROFIT_CTR, both Authorization Relevant, both containing hierarchies.
    I need to allow a user to see all profit centers for a given company <u>and</u> also selected profit centers for another company ...
    example - All profit centers for company A and
              Profit Center 1 for company B
    ... this must be an AND condition.
    I've been through RSSM and PFCG but can't get it right.
    I created an authorization object with ...
    1KYFNM, 0COMPANY, 0PROFIT_CTR, 0TCTAUTHH
    ... and tried specifying a role with ...
    Key figure = *
    Company = ' '
    Profit Center = *
    Unique ID for Authorization = Y_COMPANY_A
    ... and ...
    Key figure = *
    Company = 'B'
    Profit Center = *
    Unique ID for Authorization = Y_COMPANY_B
    ... this shows me everything for both companies. As soon as I add ...
    Profit Center = '1'
    ... to the second grouping I get an authorization failure.
    It's possible I haven't specified the Authorization Definitions Y_COMPANY_A and Y_COMPANY_B (in RSSM) correctly, but I've followed all the documents I've found in SAP HELP and SDN.
    Is it an issue with both the fields having hierarchies?
    Any, and I do mean any, help would be greatly appreciated.
    Regards
    Jim

    Hi Jim,
    If you replace '' with '1' in the second authorization, the variable (auth-based) is filled with '' from the first auth and with '1' from the second auth --> result is still no restriction in the ProfitCenter-Variable ('' and '1' = ''). Try to filter the query with company 'B' - do you see know a result? (At the moment your CompCode-Variable is filled with CompCode 'A' and 'B' but you don't have authorisation for all ProfitCenters combined with Company 'B').
    I hope, this will help you.
    Best regards,
    Thorsten

  • Authorizations for Hierarchies in BW-BEx

    Hello, Experts!
    I am having some problems in order to give specific access for specific nodes on the hierarchy on the profiles creation. For example, we need to give permission to the profile "Profile_one" (that can be viewed on the PFCG transaction) to access only the node "Node_one" of our hierarchy ("E_ERP01" - object 0city_code) and we need to give this authorization to a range of users.
    We have studied some options like the one suggested on RSSM transaction and we have already tried creating an authorization object named "ZHIER". But the problem found on this transaction is that we have to create a profile authorization for EACH user that is mentioned on the range of authorization and then we need to link it on the transaction PFCG. But the users assigned on PFCG transaction don't receive all the same profile authorization (ZHIER), only the one that was mentioned on RSSM transaction.
    Could you please help us to find a way to assign specific nodes of a hierarchy to a specific range of users? We have already searched and studied some notes without success.
    Many thanks for your help.
    Best regards,
    Isabela.

    If the account type keep changing every month , you must have to maintain that field out side the cube though.
    I guess you can use the hierarchies (or) add the flag as an attribute to the GL account master data,then you can filter on this field in reports.
    But hierarchies gives more visibility on data/navigation.
    Hope this helps.
    cheers
    Martin

  • BI authorization on hierarchy- 2 different hierarchies on InfoProvider

    Hello,
    Im working with the new Authorization concept (Tcode rsecadmin).
    Trying to create an Authorization for 2 different InfoObjects (with hierarchies) , on the same InfoCube.
    I've created 3 Authorization object in Tcode rsecadmin:
        1. The first hierarchy InfoObject - 0orgunit -(choosing node in the hierarchy to start from)
        2. The second hierarchy InfoObject - zmarach -(choosing node in the hierarchy to start from)
        3. Authorization for all other InfoObjects exist in the Infocube.
    I've created a role with Authorization object S_RS_AUTH which contained all the above.
    For example - the InfoCube contains:
    record 1 - 0orgunit :under the node selected , zmarach :NOT under the node selected
    record 2 - 0orgunit :NOT under the node selected , zmarach :under the node selected 
    The Query should return both records ! instead it returning "no authorization" msg.
    When I tried the Query with only one hierarchy with authorization, it worked, the problem is when both authorizations are active. (on both hierarchies).
    Meaning, the operation between those 2 authorization is "AND" , not "OR".
    I need the user to see all the records he is authorized to see by the hierarchy, no matter if the InfoObject 0orgunit or zmarach is authorized to him.
    Does anyone have an Idea how can i solve this ?

    Hello,
    Im working with the new Authorization concept (Tcode rsecadmin).
    Trying to create an Authorization for 2 different InfoObjects (with hierarchies) , on the same InfoCube.
    I've created 3 Authorization object in Tcode rsecadmin:
        1. The first hierarchy InfoObject - 0orgunit -(choosing node in the hierarchy to start from)
        2. The second hierarchy InfoObject - zmarach -(choosing node in the hierarchy to start from)
        3. Authorization for all other InfoObjects exist in the Infocube.
    I've created a role with Authorization object S_RS_AUTH which contained all the above.
    For example - the InfoCube contains:
    record 1 - 0orgunit :under the node selected , zmarach :NOT under the node selected
    record 2 - 0orgunit :NOT under the node selected , zmarach :under the node selected 
    The Query should return both records ! instead it returning "no authorization" msg.
    When I tried the Query with only one hierarchy with authorization, it worked, the problem is when both authorizations are active. (on both hierarchies).
    Meaning, the operation between those 2 authorization is "AND" , not "OR".
    I need the user to see all the records he is authorized to see by the hierarchy, no matter if the InfoObject 0orgunit or zmarach is authorized to him.
    Does anyone have an Idea how can i solve this ?

  • Hierarchies in query and giving authorizations

    Hi All Gurus,
    i need to create  hierarchies in a report , how to create them , why we create them and i need a detailed explanation and and the authorization  .Presenly am working on HR module and i need to create a report where a manager can see only his employee details like ( working hours, actual time and the illness hours ) for his organisational unit. only the respective manager can see only his employee details .Do we need to create the authorizations here can we  have a tree structure to select on?  The user would like to have a tree structure of the managers organization .
    i think i gave an over view  .Kindly could some one expert tell me how to build the structure ,any more info mail me at ([email protected])
    100% points will be awarded .
    Thanks in advance
    Sherwin

    Paul,
    a) Enable the characteristic for hierarchies (sales employee presumably).
    b) Build your hierarchy in R/3 or BW. If you do it in R/3 you need to setup the daily / weekly load of the hierarchy.
    c) In your query set the properties of the characteristic to look at your hierarchy.
    When your hierarchy is built you will setup authorizations at node level - then in your query you will assign the Authorization variable to the Sales Employee characteristic.
    Regards
    Gill

  • How to do authorizations on unassigned nodes for hierarchies

    Hi,
    Is there a white paper from SAP that shows how to do authorizations for unassigned nodes for the hierarchies? Or has anyone completed this challenge and would be willing to share their approach and strategy?
    Thanks
    Will

    Hi Ashwin,
    The characteristics are 0COSTCENTER and ZDEPT. The Hierarchy structure should be
    -Test Hierarchy
    --Cost center 1
    ---Dept1
    ---Dept2
    ---Dept3
    --Cost center 2
    ---Dept4
    ---Dept5
    ---Dept6
    --Cost center 3
    ---Dept7
    ---Dept8
    ---Dept9
    Etc.
    We have transaction data where a certain Cost center doesn't have the department and when displaying the hierarchy there would be some unassigned nodes for the BW report.
    What would happen if the following hierarchy is in place and I am trying to do authorizations for the 0COSTCENTER and ZDEPT:
    -Test Hierarchy
    --Cost center 1
    ---Dept1
    ---Dept2
    ---Dept3
    --Cost center 2
    ---Dept4
    ---Dept5
    ---Dept6
    --Cost center 3
    Where cost center 3 has no department for it?
    Thanks and regards
    Will

  • Authorization Problem with Hierarchical Filter

    Hi Gurus!
    In our BW system I created a query that includes hierarchy-enabled characteristic
    (0costcenter). 0costcenter has a hierarchy node variable to restrict
    user's  data by using authorization.
    Then I created an authorization object from t-code RSECADMIN, in this auth.
    object,  restricted 0costcenter from hierarchy authorization tab , and
    selected 6 nodes (the nodes have no sub-nodes).
    In our web template ( WAD 7.0 ) I used hierarchical filter to see the 6 nodes in our report. It works fine when I first open the template in our Enterprise Portal that we see in the variable screen,0costcenter's variable captures the nodes that I restricted in our authorization object.
    In the portal the hierarchical filter displays only selected nodes but this filter shows the hierarchy's root (name of the hierarchy) and when we choose the root the analysis displays all the values, the authorization do not work here.
    From RSECADMIN, In the hierarchy authorization tab, I tried all the type of hierarchies but all of them gave the same result.
    When i execute the report in BEx Analyzer, the authorization works fine, I think the problem is about hierarchical filter but i cannot find any solution...
    Can you give me an idea plz..
    Thank you!

    Hi,
    I think this is caused by program error.
    Take a look:
    [1075125|https://websmp230.sap-ag.de/sap(bD1kZSZjPTAwMQ==)/bc/bsp/spn/sapnotes/index2.htm?numm=1075125] - Unauthorized data displayed when structure element expanded
    [917565|https://websmp230.sap-ag.de/sap(bD1kZSZjPTAwMQ==)/bc/bsp/spn/sapnotes/index2.htm?numm=917565] - Query displays unauthorized data
    [981828|https://websmp230.sap-ag.de/sap(bD1kZSZjPTAwMQ==)/bc/bsp/spn/sapnotes/index2.htm?numm=981828] - No authorization for assigned inactive hierarchy
    [654947|https://websmp230.sap-ag.de/sap(bD1kZSZjPTAwMQ==)/bc/bsp/spn/sapnotes/index2.htm?numm=654947] - Hierarchy authorizations with compound characteristics
    Only available in German:
    [1158432|https://websmp230.sap-ag.de/sap(bD1kZSZjPTAwMQ==)/bc/bsp/spn/sapnotes/index2.htm?numm=1158432] - Zu viele Werte berechtigt bei Hierachie mit Intervallen
    Hope this helps.
    Regards
    Andreas

  • Hierarchies in Analysis Authorizations

    Hi - I have a role based Anlaysis Authorization created for access to all infoareas in BI. This information is put in the AA in the hierarchy. But one inforarea was not included and I need to add it to the existing list. We are unable to report on  the infoproviders under that infoarea.Please assist howto include that infoarea in the AA.
    Thanks.
    Abhi.

    Hi Sagar, I didn't understand your answer: 'you can add that infoArea, Under your role,
    Datawarehouse workbench - > Infoarea -> add technical name of Infoarea'. 
    Under Role using data warehousing workbench ? I didn't get that.
    I need to add the infoarea to the AA not to the role.
    How to add it to AA ?
    Thanks,
    Abhi.

  • How to extract authorization data to standart BW DSO's  from  SAP R/3 system

    Hi All,
    Does anyone have any experience about this topic? I want to use SAP R/3 as a source system and after i extracted the data to business content DSO's in BW  ,i will generate authorization objects from DSO 's.
    I am using standar BC DSO 's
    0TCA_DS01 Authorization data - Values
    &#149; 0TCA_DS02 Authorization data - Hierarchies
    &#149; 0TCA_DS03 Descriptive Text Authorizations
    &#149; 0TCA_DS04 Assignment User Authorizations
    &#149; 0TCA_DS05 Generate users for Authorizations
    I have deep research but cant find anything.
    Best Regards
    Ozan

    Hi Ozan,
    You can go though thread provided by Suman, These DSO's will help to maintain Analysis Authorizations in BW automatically In-short you don't need to maintain it, it will come from R/3 and same will be configured in BW.
    Regards,
    Ganesh

Maybe you are looking for

  • MagSafe LED issue

    I own a MacBook Pro for 6 months now, and it always worked properly. Still, I'm concerned about the recent behaviour of its MagSafe connector. Its LED was usually always lit green when plugged on and the battery was charged, but since around 15 days,

  • Won't sync...Please Help!!

    Hey, I am really starting to get a little nervous!! My 80G 5th gen Ipod (that I have had no problems with for the past year & half), is giving me a little trouble. When I connect to I-tunes it, it won't sync and I get the message, "the disk cannot be

  • Content conversion-source XSD structure

    hi expert,          I am doing content conversion from pdf to xml using content master studio.I have export the XSD file from source or target message type(IR). I have completed IR and ID including module configuration for transformation. now i am im

  • Watching online video on a new Intel-MacBook

    I am unable to watch online videos on my new MacBook. The windows media player alarm comes up telling me I don't have the right plug-in. I believe that is the Quicktime component add-on. This still doesn't work. How can watch online video (like cnn.c

  • Solaris 8 to Solaris 9

    We have just migrated an Oracle application from a Solaris 8 environment to Solaris 9. My question is: Are the following /etc/system settings valid in solaris 9? exclude:sbdp exclude:gptwo exclude:sbd