Hierarch Authorization
Please tell me the way to make hierarchy authorization for profit center and use it in report
i know some steps please correct
1. go to rssm and define authorization object and
2. then select radio button object and hit create and
3. select 0profit_ctr , 1kyfnm and 0tctauthh and move to right side
4. now go to pfcg and assgin to the role (Dfin_rftx) of profile all these 3 0profit_ctr , 1kyfnm and 0tctauthh
5. after this assign the authorization object to infocube
can u tell me how to create auth.variable in report for profit center hierarchy since when i go to report and see infoobject 0profit _ctr it does not show me the hierarch auth variable so where is it we create that.
please help
soniya
Hi Soniya,
try this link:
http://help.sap.com/saphelp_nw04/helpdata/en/e7/56b23bdb0d0156e10000000a11402f/content.htm
Regards,
Lilly
Similar Messages
-
BI analysis authorization - Same info provider- diffrent access ?
Hi Gurus,
Designation of roles:
1. User is having two PFCG roles (A1 & B1) assigned.
2. Role A1 contains query name ZQRYA1 & Role B1 contains query name ZQRYB1
3. Role A1 is linked to analysis authrozation role AR1 and Role B1 is linked to analysis auth. role BR1 (thorugh S_RS_AUTH)
4. AR1 is having access to Company code 1000 & info proivder is ZIC_COPA
5. BR1 is having access to Company code 2000 & info provider is same ZIC_COPA.
Requirement :
When user is executing ZQRYA1, he should see only 1000 company code.
Result:
With above design user is able to see 1000 & 2000 company code data for ZQRYA1.
My analysis:
1. We should use Customer exit in the Query. (SAP note referred 668520).
2. As per SAP note 1000004 (Merging and optimizing analysis authorizations), I understand that if same info provider is there then BI analysis auth. will merge the values.
Please correct me if I understand something wrong. Also suggest how can implement role so that values will not merge.Hi experts,
I am getting confused now.
As pe rmy practical experience for same info-proivder BI AA will merge the values. Even i got same response in SDN forums.
But when I raised this issue to SAP (OSS message), SAP says this issue should resolve by applying SAP notes through SNOTE..
1138708 Unauthorized data is displayed: "Not assigned" (#)
1158432 Too many values authorized for hierarchy with intervals
1234334 Authorization error for query on InfoSet
1229602 Error when using hierarchies: Authorization error
1226163 Authorization variables in workbook
1000004 Merging and optimizing analysis authorizations
1150754 Authorizations for InfoSet chars. ignored in input help
1235049 F4 help: Unauthorized data for referencing characteristic
I have gone through notes but did not find relevant, but still SAP replied it should resolve the issues.
Please suggest. -
Webi 4.0 using SAP BW old security model (old authorization concept in BW)
Hi experts,
we are facing a problem with a new customer, using SAP BO 4.0 - Webintellingence on top of a SAP BW 7.0 EHP1.
The customer is still running the old security concept in BW. The hint to upgrade SAP BW to the new reporting authorization will be done, but not within the next half year.
Could that be a major problem to run this combination (BO 4.0 (Webi) and the old security concept) particularily on hierarchie authorization.
Thanks in advance for a quick answer.
Thomas(1) BEx queries already in use by the business users are from the BWP and those same queries may or may not exist in BWD or BWT as some business users create BEx queries directly in the BWP.
1). As I told you earlier, design is purely based on Requirement and Process also needs to be followed.
Bex can be created directly in the production, but if query goes wrong or fetches wrong data, don't you think business people will get frustrated. If you or team can explain the process, then Yes you can directly work on Production (just my view)
(2) Even if those queries do exist in entire BW landscape, including BWD, BWT, and BWP, only BWP has the data that business user can count on. BWD has no data and BWT has only sample data where as BWP has actual and complete data.
Running the query is BWD or BWT is just for testing, example incase of BOBJ upgrade, you need to do in 577 and test before prod rite.
3). I can create reports in 577 in connection with BWD to maintain consistency in the schema for both the environments. Upon approval and migration to 578 I know that I can change the underlying connection from BWD to BWP and that would work just fine, however, according to the business users, the auditors would not like the idea in light of SOX compliance and may not approve the methodology.
You have answer in your question (SOX) and Business also like to follow the process (atleast in the companies, I have seen)
Just my view... -
Hierarchy restrictons not working with Basis servicepack upgrade to 14
Hi All,
We recently upgraded our system with basis sp 14, and we having the below problems with out hierarchy restrictions:
Problem #1
We recently upgraded our system from then onwards hierarchy restrictions not working, users are getting authorization error when they execute the query. However we tried by adding aggregates now hierarchy restrictions seems to be working.
Problem #2
We are testing hierarchy restrictions for budget planning function, after we add aggregate its allowing the user to plan the data, but when they try to distribute or escalate the data its again throwing authorization error. When I checked error log for Orgunit hierarchy restriction, the query is looking for single values it is not considering the node restriction, the orgunit values appeared in error log all belong to the node I restricted in analysis authorization.
We implemented note#1133674 as this was relevant to our issue with planning function. But this didnt fix the issue.
We are now on BI SP 16 and Basis SP 14
Just wondering If any of you came across with the same kind of issue, Any help is appreciated.
Thanks,
KavithaHi Kavitha,
Please check SAP note 1229602 Error when using hierarchies: Authorization error.
Regards
Imran -
Hello All,
We have an issue with some of our reports which are bookmarked.
Cost Element hierarchy is set up in the rows in some of these reports. When the bookmark is opened freshly, some of the transaction data against some of the hierarchy nodes of Cost Element shows as blank.
When the hierarchy is then deactivated in the screen and then reactivated again, the data is again visible against these hierarchy nodes. This issue is not occuring for all users but for some users.
Kindly advice.
Regards,
Subhra.Hi,
Can you please check whether the following note is helpful for you:
1229602 - Error when using hierarchies: Authorization error
Thanks & Regards,
Sapna -
Auth: Restrict Infoobject for Queries differently for the same user
Hi guys,
I need to restrict an infoobject differently for some queries (analysis authorization). For example, I need to give full hierarchie access for query 1 to user 1. But for another query for the same user I need to restrict the hierarchie authorization. Furthermore, both queries are based on the same multi provider. It is not possible to use different multi provider ... the adjustment effort is to high (to many queries).
I have set up an authorization with rsecadmin
QUERY1:
ZHier1 Hyrarchie 1
ZHier2 Hyrarchie 2
0TCAACTVT Activity in Analysis Authorizations
0TCAIPROV Authorizations for InfoProvider
0TCAVALID Validity of an Authorization
0TCTQUERY Query
-->I added the respective values for the queries, the used multiprovider, hierarchies, etc.
I have set up the same for QUERY 2 with different Hierarchy and Query values, but it does not work correctly. The user is always authorized for the hierarchie values of both queries.
Thanks foryour helpin advance!!
Regards,
SvenHi Sankar,
Sorry for the confusion. Lets focus only one hierarchy ... ZHier1.
QUERY1:
ZHier1 -> value: node2
0TCAACTVT -> value: 2 & 3
0TCAIPROV -> value: multiprovider1
0TCAVALID -> value: *
0TCTQUERY -> value: query1 (based on multiprovider1)
QUERY2:
ZHier1 -> value: node2.1 (sub node of node 2)
0TCAACTVT -> value: 2 & 3
0TCAIPROV -> value: multiprovider1
0TCAVALID -> value: *
0TCTQUERY -> value: query2 (based on multiprovider1)
But this does not work. When I use query2 in reports the user has access to node2 and not only to node2.1.
Any idea?
Thanks again!
Sven -
Analysis Authorization based on Hier node with multiple display hierarchies
Hi guys - I've got a problem where s.o. might have an idea of how to switch on the light at the end of the tunnel, I am currently standing in:
Requirement:
Cost Center Authorization should be given through RSECADMIN, reporting should be possible for any hierarchy that exists for the authorization relevant info object.
Preferred solution:
The Cost Center Analysis Authorization should be given through RSECADMIN - Hierarchy node assignment.
u2022 A dedicated Authorization Cost Center Hierarchy will be maintained in ECC6 as an alternative cost center hierarchy and extracted into BW.
u2022 The RSECADMIN Hierarchy node assignment should be based on a particular node (Type 2).
u2022 The display level will be specified as required (here: Level 7)
u2022 The Authorization granted should be independent of hierarchy name and version (validity 3).
Reporting Scenario and technical impact:
As mentioned above, when designing and running a query the user should be able to freely select other (i.e. than the authorization) display hierarchies for the authorization relevant reporting object 'Cost Center' as well. The technical names of the semantically relevant hierarchy nodes could therefore vary. E.g. cost centers 1, 2 and 3, being assigned under hierarchy node u2018Au2019 of the RSECADMIN relevant authorization hierarchy, could be subsumed by hierarchy node u2018Bu2019 in another display hierarchy, which the user may want to display in accordance to his reporting needs. Ideally, the alternative display hierarchy should therefore display node u2018Bu2019.
My findings so far (based on prototyping) turn out that this is not possible as long u2018Bu2019 (and its hierarchy) is not authorized in RSECADMIN. Can these findings be confirmed? And if not, would anyone have an idea of how to facilitate the reporting scenario?
Would there be any other way to grant access, possibly based on RSECADMIN single values, and also enable the user to flexibly display hierarchies with only those hierarchy nodes whose single cost center values the user has been given access to?
Thanks everyone for your input...
Claus
Edited by: Claus64 on Jul 13, 2009 4:10 AMHI CLause,
On Jul 14 2009, you wrote in SDN and said:
FYI: Found a solution...
The hierarchy analysis authorization will be based on a navigational attribute of cost center.
With analysis authorizations it is possible to declare the Auth object (e.g. 0COSTCENTER__RACCAUT0) as authorization relevant and leave the superior object 0COSTCENTER auth irrelevant.
The auth will be given for 0COSTCENTER__RACCAUT0. This object will be placed as a filter of the query, being restricted by an Authorization variable for hierarchy nodes.
Due to the concept of Analysis Authorizations, this variable will automatically pick up the nodes granted as part of RSECADMIN Hierarchy based Authorization.
As mentioned above, 0COSTCENTER as the regular reporting characteristic remains auth irrelevant and can therefore take any hierarchy thatu2019s available. Reporting on single values will be possible, too. Only those nodes show up that hold the authorized cost centers in accordance to the authorization.
If the auth relevant 0COSTCENTER__RACCAUT0 is not used in the query definition by either not taking it in as a filter or skipping the Auth variable, the query will launch the message that the authorization is missing. No data show up at all.
Claus
See this thread:
Analysis Authorization based on Hier node with multiple display hierarchies
I am also in the same situation as you and need to understadn your solution. I understand that you created a Nav Attr on 0COSTCENTER and made this auth relevant whilst ensuring that 0COSTCENTER is NOT auth relevant. This is all fine. The issue was you have multiple hierachies for 0COSTCENTER, how did the new Nav Attr help you solve your issue. When loading 0COSTCENTER what values did you load ino the new Nav Attribute and how did that link to the hierachies? Also, in RSECADMIN you created hiearchy nodes based on the Nav Attribute but I am confused as to what values you have in the Nav Attr.
I appreciate if you can share your solution from the past in more details.
many thanks -
Greetings All;
This is yet another question regarding BW Authorizations.
I have two fields 0COMPANY and 0PROFIT_CTR, both Authorization Relevant, both containing hierarchies.
I need to allow a user to see all profit centers for a given company <u>and</u> also selected profit centers for another company ...
example - All profit centers for company A and
Profit Center 1 for company B
... this must be an AND condition.
I've been through RSSM and PFCG but can't get it right.
I created an authorization object with ...
1KYFNM, 0COMPANY, 0PROFIT_CTR, 0TCTAUTHH
... and tried specifying a role with ...
Key figure = *
Company = ' '
Profit Center = *
Unique ID for Authorization = Y_COMPANY_A
... and ...
Key figure = *
Company = 'B'
Profit Center = *
Unique ID for Authorization = Y_COMPANY_B
... this shows me everything for both companies. As soon as I add ...
Profit Center = '1'
... to the second grouping I get an authorization failure.
It's possible I haven't specified the Authorization Definitions Y_COMPANY_A and Y_COMPANY_B (in RSSM) correctly, but I've followed all the documents I've found in SAP HELP and SDN.
Is it an issue with both the fields having hierarchies?
Any, and I do mean any, help would be greatly appreciated.
Regards
JimHi Jim,
If you replace '' with '1' in the second authorization, the variable (auth-based) is filled with '' from the first auth and with '1' from the second auth --> result is still no restriction in the ProfitCenter-Variable ('' and '1' = ''). Try to filter the query with company 'B' - do you see know a result? (At the moment your CompCode-Variable is filled with CompCode 'A' and 'B' but you don't have authorisation for all ProfitCenters combined with Company 'B').
I hope, this will help you.
Best regards,
Thorsten -
Authorizations for Hierarchies in BW-BEx
Hello, Experts!
I am having some problems in order to give specific access for specific nodes on the hierarchy on the profiles creation. For example, we need to give permission to the profile "Profile_one" (that can be viewed on the PFCG transaction) to access only the node "Node_one" of our hierarchy ("E_ERP01" - object 0city_code) and we need to give this authorization to a range of users.
We have studied some options like the one suggested on RSSM transaction and we have already tried creating an authorization object named "ZHIER". But the problem found on this transaction is that we have to create a profile authorization for EACH user that is mentioned on the range of authorization and then we need to link it on the transaction PFCG. But the users assigned on PFCG transaction don't receive all the same profile authorization (ZHIER), only the one that was mentioned on RSSM transaction.
Could you please help us to find a way to assign specific nodes of a hierarchy to a specific range of users? We have already searched and studied some notes without success.
Many thanks for your help.
Best regards,
Isabela.If the account type keep changing every month , you must have to maintain that field out side the cube though.
I guess you can use the hierarchies (or) add the flag as an attribute to the GL account master data,then you can filter on this field in reports.
But hierarchies gives more visibility on data/navigation.
Hope this helps.
cheers
Martin -
BI authorization on hierarchy- 2 different hierarchies on InfoProvider
Hello,
Im working with the new Authorization concept (Tcode rsecadmin).
Trying to create an Authorization for 2 different InfoObjects (with hierarchies) , on the same InfoCube.
I've created 3 Authorization object in Tcode rsecadmin:
1. The first hierarchy InfoObject - 0orgunit -(choosing node in the hierarchy to start from)
2. The second hierarchy InfoObject - zmarach -(choosing node in the hierarchy to start from)
3. Authorization for all other InfoObjects exist in the Infocube.
I've created a role with Authorization object S_RS_AUTH which contained all the above.
For example - the InfoCube contains:
record 1 - 0orgunit :under the node selected , zmarach :NOT under the node selected
record 2 - 0orgunit :NOT under the node selected , zmarach :under the node selected
The Query should return both records ! instead it returning "no authorization" msg.
When I tried the Query with only one hierarchy with authorization, it worked, the problem is when both authorizations are active. (on both hierarchies).
Meaning, the operation between those 2 authorization is "AND" , not "OR".
I need the user to see all the records he is authorized to see by the hierarchy, no matter if the InfoObject 0orgunit or zmarach is authorized to him.
Does anyone have an Idea how can i solve this ?Hello,
Im working with the new Authorization concept (Tcode rsecadmin).
Trying to create an Authorization for 2 different InfoObjects (with hierarchies) , on the same InfoCube.
I've created 3 Authorization object in Tcode rsecadmin:
1. The first hierarchy InfoObject - 0orgunit -(choosing node in the hierarchy to start from)
2. The second hierarchy InfoObject - zmarach -(choosing node in the hierarchy to start from)
3. Authorization for all other InfoObjects exist in the Infocube.
I've created a role with Authorization object S_RS_AUTH which contained all the above.
For example - the InfoCube contains:
record 1 - 0orgunit :under the node selected , zmarach :NOT under the node selected
record 2 - 0orgunit :NOT under the node selected , zmarach :under the node selected
The Query should return both records ! instead it returning "no authorization" msg.
When I tried the Query with only one hierarchy with authorization, it worked, the problem is when both authorizations are active. (on both hierarchies).
Meaning, the operation between those 2 authorization is "AND" , not "OR".
I need the user to see all the records he is authorized to see by the hierarchy, no matter if the InfoObject 0orgunit or zmarach is authorized to him.
Does anyone have an Idea how can i solve this ? -
Hierarchies in query and giving authorizations
Hi All Gurus,
i need to create hierarchies in a report , how to create them , why we create them and i need a detailed explanation and and the authorization .Presenly am working on HR module and i need to create a report where a manager can see only his employee details like ( working hours, actual time and the illness hours ) for his organisational unit. only the respective manager can see only his employee details .Do we need to create the authorizations here can we have a tree structure to select on? The user would like to have a tree structure of the managers organization .
i think i gave an over view .Kindly could some one expert tell me how to build the structure ,any more info mail me at ([email protected])
100% points will be awarded .
Thanks in advance
SherwinPaul,
a) Enable the characteristic for hierarchies (sales employee presumably).
b) Build your hierarchy in R/3 or BW. If you do it in R/3 you need to setup the daily / weekly load of the hierarchy.
c) In your query set the properties of the characteristic to look at your hierarchy.
When your hierarchy is built you will setup authorizations at node level - then in your query you will assign the Authorization variable to the Sales Employee characteristic.
Regards
Gill -
How to do authorizations on unassigned nodes for hierarchies
Hi,
Is there a white paper from SAP that shows how to do authorizations for unassigned nodes for the hierarchies? Or has anyone completed this challenge and would be willing to share their approach and strategy?
Thanks
WillHi Ashwin,
The characteristics are 0COSTCENTER and ZDEPT. The Hierarchy structure should be
-Test Hierarchy
--Cost center 1
---Dept1
---Dept2
---Dept3
--Cost center 2
---Dept4
---Dept5
---Dept6
--Cost center 3
---Dept7
---Dept8
---Dept9
Etc.
We have transaction data where a certain Cost center doesn't have the department and when displaying the hierarchy there would be some unassigned nodes for the BW report.
What would happen if the following hierarchy is in place and I am trying to do authorizations for the 0COSTCENTER and ZDEPT:
-Test Hierarchy
--Cost center 1
---Dept1
---Dept2
---Dept3
--Cost center 2
---Dept4
---Dept5
---Dept6
--Cost center 3
Where cost center 3 has no department for it?
Thanks and regards
Will -
Authorization Problem with Hierarchical Filter
Hi Gurus!
In our BW system I created a query that includes hierarchy-enabled characteristic
(0costcenter). 0costcenter has a hierarchy node variable to restrict
user's data by using authorization.
Then I created an authorization object from t-code RSECADMIN, in this auth.
object, restricted 0costcenter from hierarchy authorization tab , and
selected 6 nodes (the nodes have no sub-nodes).
In our web template ( WAD 7.0 ) I used hierarchical filter to see the 6 nodes in our report. It works fine when I first open the template in our Enterprise Portal that we see in the variable screen,0costcenter's variable captures the nodes that I restricted in our authorization object.
In the portal the hierarchical filter displays only selected nodes but this filter shows the hierarchy's root (name of the hierarchy) and when we choose the root the analysis displays all the values, the authorization do not work here.
From RSECADMIN, In the hierarchy authorization tab, I tried all the type of hierarchies but all of them gave the same result.
When i execute the report in BEx Analyzer, the authorization works fine, I think the problem is about hierarchical filter but i cannot find any solution...
Can you give me an idea plz..
Thank you!Hi,
I think this is caused by program error.
Take a look:
[1075125|https://websmp230.sap-ag.de/sap(bD1kZSZjPTAwMQ==)/bc/bsp/spn/sapnotes/index2.htm?numm=1075125] - Unauthorized data displayed when structure element expanded
[917565|https://websmp230.sap-ag.de/sap(bD1kZSZjPTAwMQ==)/bc/bsp/spn/sapnotes/index2.htm?numm=917565] - Query displays unauthorized data
[981828|https://websmp230.sap-ag.de/sap(bD1kZSZjPTAwMQ==)/bc/bsp/spn/sapnotes/index2.htm?numm=981828] - No authorization for assigned inactive hierarchy
[654947|https://websmp230.sap-ag.de/sap(bD1kZSZjPTAwMQ==)/bc/bsp/spn/sapnotes/index2.htm?numm=654947] - Hierarchy authorizations with compound characteristics
Only available in German:
[1158432|https://websmp230.sap-ag.de/sap(bD1kZSZjPTAwMQ==)/bc/bsp/spn/sapnotes/index2.htm?numm=1158432] - Zu viele Werte berechtigt bei Hierachie mit Intervallen
Hope this helps.
Regards
Andreas -
Hierarchies in Analysis Authorizations
Hi - I have a role based Anlaysis Authorization created for access to all infoareas in BI. This information is put in the AA in the hierarchy. But one inforarea was not included and I need to add it to the existing list. We are unable to report on the infoproviders under that infoarea.Please assist howto include that infoarea in the AA.
Thanks.
Abhi.Hi Sagar, I didn't understand your answer: 'you can add that infoArea, Under your role,
Datawarehouse workbench - > Infoarea -> add technical name of Infoarea'.
Under Role using data warehousing workbench ? I didn't get that.
I need to add the infoarea to the AA not to the role.
How to add it to AA ?
Thanks,
Abhi. -
How to extract authorization data to standart BW DSO's from SAP R/3 system
Hi All,
Does anyone have any experience about this topic? I want to use SAP R/3 as a source system and after i extracted the data to business content DSO's in BW ,i will generate authorization objects from DSO 's.
I am using standar BC DSO 's
0TCA_DS01 Authorization data - Values
• 0TCA_DS02 Authorization data - Hierarchies
• 0TCA_DS03 Descriptive Text Authorizations
• 0TCA_DS04 Assignment User Authorizations
• 0TCA_DS05 Generate users for Authorizations
I have deep research but cant find anything.
Best Regards
OzanHi Ozan,
You can go though thread provided by Suman, These DSO's will help to maintain Analysis Authorizations in BW automatically In-short you don't need to maintain it, it will come from R/3 and same will be configured in BW.
Regards,
Ganesh
Maybe you are looking for
-
I own a MacBook Pro for 6 months now, and it always worked properly. Still, I'm concerned about the recent behaviour of its MagSafe connector. Its LED was usually always lit green when plugged on and the battery was charged, but since around 15 days,
-
Won't sync...Please Help!!
Hey, I am really starting to get a little nervous!! My 80G 5th gen Ipod (that I have had no problems with for the past year & half), is giving me a little trouble. When I connect to I-tunes it, it won't sync and I get the message, "the disk cannot be
-
Content conversion-source XSD structure
hi expert, I am doing content conversion from pdf to xml using content master studio.I have export the XSD file from source or target message type(IR). I have completed IR and ID including module configuration for transformation. now i am im
-
Watching online video on a new Intel-MacBook
I am unable to watch online videos on my new MacBook. The windows media player alarm comes up telling me I don't have the right plug-in. I believe that is the Quicktime component add-on. This still doesn't work. How can watch online video (like cnn.c
-
We have just migrated an Oracle application from a Solaris 8 environment to Solaris 9. My question is: Are the following /etc/system settings valid in solaris 9? exclude:sbdp exclude:gptwo exclude:sbd