Hierarchy authorization based on 0CCA_O01

Similar Messages

• Analysis Authorization based on Hier node with multiple display hierarchies

  Hi guys - I've got a problem where s.o. might have an idea of how to switch on the light at the end of the tunnel, I am currently standing in:
  Requirement:
  Cost Center Authorization should be given through RSECADMIN, reporting should be possible for any hierarchy that exists for the authorization relevant info object.
  Preferred solution:
  The Cost Center Analysis Authorization should be given through RSECADMIN - Hierarchy node assignment.
  u2022     A dedicated Authorization Cost Center Hierarchy will be maintained in ECC6 as an alternative cost center hierarchy and extracted into BW.
  u2022     The RSECADMIN Hierarchy node assignment should be based on a particular node (Type 2).
  u2022     The display level will be specified as required (here: Level 7)
  u2022     The Authorization granted should be independent of hierarchy name and version (validity 3).
  Reporting Scenario and technical impact:
  As mentioned above, when designing and running a query the user should be able to freely select other (i.e. than the authorization) display hierarchies for the authorization relevant reporting object 'Cost Center' as well. The technical names of the semantically relevant hierarchy nodes could therefore vary. E.g. cost centers 1, 2 and 3, being assigned under hierarchy node u2018Au2019 of the RSECADMIN relevant authorization hierarchy, could be subsumed by hierarchy node u2018Bu2019 in another display hierarchy, which the user may want to display in accordance to his reporting needs. Ideally, the alternative display hierarchy should therefore display node u2018Bu2019.
  My findings so far (based on prototyping) turn out that this is not possible as long u2018Bu2019 (and its hierarchy) is not authorized in RSECADMIN. Can these findings be confirmed? And if not, would anyone have an idea of how to facilitate the reporting scenario?
  Would there be any other way to grant access, possibly based on RSECADMIN single values, and also enable the user to flexibly display hierarchies with only those hierarchy nodes whose single cost center values the user has been given access to?
  Thanks everyone for your input...
  Claus
  Edited by: Claus64 on Jul 13, 2009 4:10 AM

  HI CLause,
  On Jul 14 2009, you wrote in SDN and said:
  FYI: Found a solution...
  The hierarchy analysis authorization will be based on a navigational attribute of cost center.
  With analysis authorizations it is possible to declare the Auth object (e.g. 0COSTCENTER__RACCAUT0) as authorization relevant and leave the superior object 0COSTCENTER auth irrelevant.
  The auth will be given for 0COSTCENTER__RACCAUT0. This object will be placed as a filter of the query, being restricted by an Authorization variable for hierarchy nodes.
  Due to the concept of Analysis Authorizations, this variable will automatically pick up the nodes granted as part of RSECADMIN Hierarchy based Authorization.
  As mentioned above, 0COSTCENTER as the regular reporting characteristic remains auth irrelevant and can therefore take any hierarchy thatu2019s available. Reporting on single values will be possible, too. Only those nodes show up that hold the authorized cost centers in accordance to the authorization.
  If the auth relevant 0COSTCENTER__RACCAUT0 is not used in the query definition by either not taking it in as a filter or skipping the Auth variable, the query will launch the message that the authorization is missing. No data show up at all.
  Claus
  See this thread:
  Analysis Authorization based on Hier node with multiple display hierarchies
  I am also in the same situation as you and need to understadn your solution. I understand that you created a Nav Attr on 0COSTCENTER and made this auth relevant whilst ensuring that 0COSTCENTER is NOT auth relevant. This is all fine. The issue was you have multiple hierachies for 0COSTCENTER, how did the new Nav Attr help you solve your issue. When loading 0COSTCENTER what values did you load ino the new Nav Attribute and how did that link to the hierachies? Also, in RSECADMIN you created hiearchy nodes based on the Nav Attribute but I am confused as to what values you have in the Nav Attr.
  I appreciate if you can share your solution from the past in more details.
  many thanks

• BPS Hierarchy Authorizations

  Hi All,
  We are implementing hierarchy node based authorizations for our BPS and related queries and it works fine. We have 300+ nodes and for this we would require a role for each node of the hierarchy (that would be 300+ roles).
  Now we are planing to use a hierarchy node exit varaible so that we end up with only one role. Can someone please let me know if there are complications in this approach or, if anybody has implemented this, can you please share your experience.
  Thanks,
  Jay
  Message was edited by:
          jayaroop gullapalli

  Marc,
  Thanks a lot for the solution.
  Firstly pardon me for my ignorance.
  Do I really not need any roles at all? How would the users get access to the planning functions related to their fund centers (its a fund centers based hierarchy)?
  Please correct me if I am wrong, I think I will need one role that gives access to the planning functions and the authorizations in RSECADMIN will restrict to fund center nodes. But this way, half the burden of building 300+ roles is now decreased. Thanks for this solution.
  Our fund center hierarchy is based on the characteristic 0FUNDS_CTR and not on 0TCTAUTH. It looked like the second option in point 4 of the link you provided will not serve my case.
  http://help.sap.com/saphelp_nw2004s/helpdata/en/e3/fc8b41b5b3b45fe10000000a1550b0/frameset.htm
  Would I have to build 300+ authorizations using RSECADMIN for each node?
  Again thanks a lot for your guidance
  Message was edited by:
          jayaroop gullapalli

• BIAUTH: Time-dependent hierarchy authorization in BI 7.0

  Hi folks,
  we got an authorization problem with time-dependent hierarchies.
  For example: Hierarchy A has DATETO 20100220 definied in BI
                        Hierarchy B has DATETO 99991231
  In our user authorization (BIAUTH) we have defined a node authorization, based on Hierarchy B like this:
  Hierarchy    PPS/99991231// [NAME OF IOBJ]                                    
  Nodes        679                                                                               
  Type of Authorization   1                                                 
  "Subtree Below Nodes"                                                      
  Hierarchy Level        0                                                 
  Validity Range         1         -
  >???  this should allow us key date-free selection ???                                        
  "Name and Version Identical"
  For evaluating the users authorization on the IOBJN in our own BI exit variable and FM we are using the SAP FM "RSSB_AUTHORIZATIONS_OF_USER".
  Despite the fact we call this FM with the wanted date (i_date), the FM does not return us the correct Hierarchy nodes desolved in s_tsx_auth_values_user.
  Is there any possibility to authorize on time-dependent hierarchies generally llike we did (Hierarchy B) and still get the key-date selected hierarchy at the time?
  Thanks a lot for any hint!
  Norbert

  Hi Norbert,
  Can you check that the SAP note 1301644 has been applied in your system.
  Best Regards,
  Des Gallagher

• Hierarchy Authorization not working on Navigational Attribute

  Hello,
  We have 0ORGUNIT as nav attribute in 0EMPLOYEE and 0ORGUNIT has enterprise hierarchy set.
  Now we have analysis authorization based on both 0ORGUNIT and 0EMPLOYEE__0ORGUNIT (nav attr).
  When an user tries to run a web report which has normal 0ORGUNIT in it, in the variable screen he is able to see the entire hierarchy tree structure as per his authorizations. On the other hand when the same user tries to run another report which has nav attr 0EMPLOYEE__0ORGUNIT in it, in the variable screen he can see only the top nodes of the hierarchy to which he is authorized. He cant see the tree structure.
  Please note we are on BI 7 SPS 21 and in both the queries we are using hierarchy variable set on correct hierarchy. Also the attributes in the query have hierarchy activated on them.
  Please suggest any ideas/views for the same.
  Thanks!!
  Regards,
  Shashank

  Neo - We need current info on 0ORGUNIT and hence cant go with concept of historic truth as per what you mentioned.
  Bhawani - We have set it to level 1 which is perfectly fine as it works for other hierarchy's perfectly.
  Regards,
  SHahsank

• Hierarchy authorization with variables of type exit

  Hi all,
  I am trying to implement hierarchy based authorizations with variables. After collecting information from the SAP documentation and this forum, I think I know more or less how to do it, but it's not working and it has me very confused.
  These are the steps I have followed:
  - From RSSM, I have created a hierarchy authorization object including my characteristic and 0TCTAUTHH
  - From RSSM again, I have created a hierarchy authorization pointing to the node $ZG_V_008
  - From the Query designer, I have created a hierarchy node variable of processing type customer exit ZG_V_008 (are any special settings needed here?)
  - From the Query designer, I have created <b>another</b> hierarchy node variable of processing type authorization, and I have used this variable to restrict the hierarchy for my characteristic
  - I have edited the EXIT_SAPLRRS0_001 to watch for I_STEP = 0 and give values to ZG_V_008 (we'll get to my code later in case we solve this issue first
  It is my understanding that with this setup, the user exit will be called to process the value of ZG_V_008 in I_STEP = 0, however, when debugging, I don't see any calls for the function with I_STEP = 0.
  What have I done wrong?
  Thanks a lot in advance.
  Guillermo

  Thanks, Jimmy, but that does not help much: my problem is that my user exit is not evaluated with I_STEP=0, but there are no error messages or anything like that.
  I have created a test user <b>without</b> a developer role to see if that could have any impact, but it's still not working.
  Any ideas?

• How to restrict authorization based on profit center in ke80 report

  hi friends
  we have a situation where we need to maintain the authorization based on profit center in ke80 report. The authorzation object K_PCA is not working. whenever we assign a particular profit center and then generate the profile, we still get the message no autjorization and when we check su53 it shows it needs '' asterisk. but we cant assign the asterisk as we have 5 subsidaries and there are using 5 different set of profit centers so assigning asterisk () would be comprimising on our security.
  does anybody came across this situation and if yes how did they resolve this?
  I need your suggestions on how to maintain this restriction.
  Regards,
  Imran

  Hi Friends
  The problem has beend solved. It turns out that this is a report writer issue. We raised the issue with SAP and they informed that 'For Report Painter/Writer every item is checked if you have the authori-zation or not. Only the items with authorization fullfilled will be displayed afterwards'.
  Based on SAP answer we created different reports for each profit center/company code.
  I would like to thank you all for your time and inputs.
  Regards,

• Hierarchy authorization default pick

  Hi ,
     I have got a profit center hierarchy which is used in the reporting in the selection screen in BW7.0 . I had created authorisations and its working fine through RSECADMIN. but i have got a question, if i leave the selection screen variable profit center empty and execute the report, it says you are not authorized,but then it works fine if i mention a hierarchy node in there. I had mentioned the values in the authorisation, as 2*,,but it doesn' tpick up any..any clues plz..
  thanks in advance.

  Hi,
  I am working with the SAP security team to get custom authorization on the Profit Center Hierarchy in place. We need to restrict access to the hierarchy nodes (only certain users need access to certain nodes in the hierarchy).
  1) We got into RSECADMIN --> Maintenance --> Created a new authorization object --> added profit center --> in the hierarchy authorization tab, added the hierarchy node and selected the Type of Authorization and Validity range as required and saved the auth object.
  2) We created a role in PFCG and added the authorization object to the role(no other authorization objects)
  3) Assigned the role to a user and tried testing the reports.
  The user could see all the nodes in the hierarchy and also data on the nodes restricted to him/her. Is there any step I am missing? Does the auth object need to be generated in RSECADMIN?
  Please advice.
  Thanks,
  Vivek

• How to check the authorization based on webdynpro application

  Hi Experts,
  I was asked to develop a webdynpro component with two webdynpro applications, one each for internal party and external party to be used.
  So how to restrict or check the authorization based on webdynpro application used?
  Do we have any authorization object like S_TCODE for webdynpro application in roles and authorizations?
  Please enlighten me.
  Regards,
  Ajay Matam

  You can assign an authorization object to the Web Dynpro Application within SICF -
  http://help.sap.com/saphelp_nw70ehp1/helpdata/en/61/d93822a88e15489a9391f309767366/frameset.htm
  Of course you could also programatically check which web dynpro application is being used from within the component and then call a custom auth-check. However maintain at the SICF is probably better for visibilty and long term maintenance costs.

• Credit management Authorization Based on Value.

  Hi All,
  Can help me out to find whether we can implement Credit management based on different level of Values or not.As i know we can do authorization based on % like 100%, 110% etc.
  But i want to activate release authorization based on the Amount like
  level 1              Rs 1 lakh( Can release upto 1 lakh) when it reaches to above of 1 lakh
  level2               Rs  2 lakh ( it will release upto 2 lakh)
  like wise.As what i understand whatever the standard roles are given relevant to % basis only.

  hello, friend.
  yes, you can do this in a few ways...
  1.  try 'Document Class' - a document class is assigned a certain value, which is assigned to a user (the link to credit management is indirect)
  2.  the traditional way is to use 'Risk Category', and you can set specific values (e.g. maximum document values) when doing OVA8. 
  i seem to recall there may also be a way to assign values to risk category, but i will check on this.
  regards.

• Implementing authorization based on database roles

  Hi,
  I am trying to implement authorization in my sample jdeveloper application.
  I have the list of users stored in LDAP and my database table contains the roles for those users.
  Now how can I get the roles from the database table and implement authorization based on the roles?
  I am using jdev 11 and weblogic 10.3
  Thanks

  Hi,
  Checkout [this post|http://forums.oracle.com/forums/thread.jspa?threadID=928304]
  Sireesha

• Authorization based on t.code and screenvariant

  All,
  Suppose I have created screenvariant in particular transaction .
  For eg MB52 , I have created one variant , ZVAR1
  Is it possile to give authorization based on t.code MB52 and screen variant  ZVAR1?
  Or t. code and layout of report.
  For eg I have changed the layout and save the report as Z111.
  Now is it possible to give authorization ,MB52 and Z111?
  Please advise.
  regards

  Thanks Alex.
  Suppose I am creating new t.code for MB52 program .
  Now in SE93 which object I should I select :
  - program and screen
  - program and selection screen
  - Method of a class
  - transaction with variant
  - transaction with parameters
  Pls advice.
  regards

• Restriciting BI query for Hierarchy authorization for a defined group

  Hi Friends
  We are trying to restrict the Display with respect to the company codes group.
  We have defined the authoirzation for BI w.r.t to the company code and groups ( collection of co.codes ) ..We have defined the authoirzation object under Rsecadmin and restricted the display for only group eg: GH3 . However when we ran the query we can see all the companies / groups. Also tried with putting the GHR group under Hierarchy authorization but still have the same result.
  Can you please let me know what is going wrong
  thank for all your help..

  We have defined the authoirzation for BI w.r.t to the company code and groups ( collection of co.codes ) ..We have defined the authoirzation object under Rsecadmin and restricted the display for only group eg: GH3 .
  Did you check if the infoprovider(s) which your query is hitting upon has company code and company groups checked as authorization relevant in RSA1?
  Thanks
  Sandipan

• Possible to combine Value and Hierarchy Authorizations?

  Hello Experts!
  Could anyone please tell me something about the interaction between value and hierarchy authorizations for the same info object?
  I created an authorization for an info object which makes use of both in some queries. But if you activate a hierarchy in query designer, the value authorizations seem not to work anymore. Instead the hierarchy authorizations restrict the analysis result. I get datasets in the result without having the corresponding value authorizations.
  Is there a way to ONLY use value authorizations which also work if you activate a hierarchy on an info object???
  Thanks in advance.....
  Bye,
  Joerg

  No you can't. GRE is only designed to carry routing protocols and multicast traffic over VPNs.
  It is also bad design practise to design a network that carry's L2 vlan's over a WAN or internet link.
  You have to ask yourself why you would want to carry VLANs over VPNs?
  Hope this helps.

• Profit Center Hierarchy: Authorization Error

  Hello,
  Right we are generating hierarchies for users on the object Profit center.  We want to have a separate data role that gives access to the authorization object ZPROFITCTR.  What should the values be for PROFIT_CTR and TCTAUTHH if we want to check what authorizations have already been generated for the user?  I am thinking there must be a way to do this rather than create a different data role for each user.
  I have done a lot of reading and have found if you specify the value ' ' for OTCTAUTHH as a value if only hierarchy authorizations are to be in effect.  I thought this would mean generated heirarchies would be checked and would give a user access to 0PROFITCTR, but that was not the case.
  Thanks,
  Brian

  try to re-transport PCA
  IMG; CO--> PCA --> tools --> transaport customizing set. -->
  but i believe if you transport only the "master data" Q will function fine. ( try OKEQ first)