Hierarchy node authorization problem

Hi All,
We are on SP10 for BI.
We are restricting user to a node (fund center) in the hierarchy (based on fund centers).
1) When a user executes the query and selects a node (in the filter
selection criteria) to which he is authorized, the output of the query is
restricted to the authorized node. This is what we want. Test is successful.
   After the query is executed, when the user tries to play around with the
Fund Center info-object by moving it to the Free Characteristics space and
back to the Rows, the node restriction still works and the user is again
restricted to the authorized node. This is what we want. Test is successful.
2) When a user executes the query and selects a higher node (in the filter
selection criteria) to which he is NOT authorized, the output of the query
is still restricted to the authorized node. This is what we want. Test is
successful.
   After the query is executed, when the user tries to play around with the
Fund Center info-object by moving it to the Free Characteristics space and
back to the Rows, the node restriction no longer works and the user is now
able to the data for the complete hierarchy. Now here our security fails and
we do not want this to happen.
Possible approach for a solution:
We would want the user to see only the authorized nodes in the filter
selection criteria. By doing this, the user will not be able select any
other nodes and would be restricted to Testing scenario 1, thus avoiding testing scenario 2. Is this approach feasible? I found couple of OSS note but none of them exactly match to our situation here. Did anyone encounter this problem?
Is there any other solution for this problem?
Thanks,
Jay

Hello,
this is interesting and sounds like system failure.
I would suggest to open an OSS message and explain the system behaviour to the support. I'm sure they can help you.
For me it sounds like the node authorization restriction should be active anytime.
Best, Michael

Similar Messages

  • Hierarchy Node Authorization Issue

    Hello Experts,
    I am trying to restrict a user from seeing the complete hierarchy. The user should only be able to see the text node "text1" and below.
    I did the following:
    1) Using Tcode RSECADMIN  I created an Authorization Object ZTEST2 for 0COMP_CODE hierarchy  at node level "text1".
    2) I have assigned user "User1" to the Authorization object ZTEST2.
    Now, when I click on the "Analysis" tab and click on "Execute As"  as user "User1" and then I check the "RSRT" to execute a query that has Company Code hierarchy as a variable. When I click on the prompt for variable input for hierarchy i see the hierarchy name and then when i execute the query i get to see the complete hierarchy. 
    I would really appreciate if somebody could point me where I am wrong.
    I see the following in the error log:
      Buffering the Authorization Data  
      Buffering for InfoProvider 0FIGL_C10 and Users ABARAPATRE  
    InfoObject Properties Defined
    Reading of Directly Assigned Authorizations
    Direct Assignment Does Not Include Universal Authorization 0BI_ALL
    Reading the Indirect Assignments with Authorization Object S_RS_AUTH
    Does user have OBI_ALL?
    Yes, the User Has Universal Authorization 0BI_ALL
    Indirect Assignment Includes Universal Authorization 0BI_ALL
    All Other Assignments Will Be Ignored
    The Following Value Authorizations Were Found
    TCTAUTH  TCTIOBJNM      TCTSIGN  TCTOPTION  TCTLOW  TCTHIGH 
    0BI_ALL    0COMP_CODE  I              CP                * 
    Thanks.
    Regards,
    bw_newbie

    Hi,
    0BI_ALL will include all the analysis authorization created on the infoobject level. So if a user have 0BI_ALL, by default he is authorized for all the analysis auth that you create, even if you donot asisgn these explicitly to the user. For your scenario, you need to remove 0BI_ALL auth.
    Rgds,
    Hari

  • Hierarchy Node authorization with customer exit

    Hi All,
    I have created a hierarchy for an info-object A along with nodes test1 and test 2.node test1 consisit of value 10,20,30,40,50 and node test2 consist of value 60,70,80,90.  .
    1) I want that perticuler user should access perticuler node in hierarachy for that reason I have created a database table in which i have maintained the username and the values from the Infoobject A .I want to write a customer exit code in which user X can access node test1 and user Y can access node test2
    but in database table i can not maintain the nodes i can only maintain the values from the nodes
    so how can i restrict the user to perticuler node instead of values
    The authorization values for the perticuler user will get filled by customer exit variable maintained in the authorization profile
    can any body suggest me or send me example customer exit code for this scenario.
    I really appreciate your thoughts on this issue.
    Thanks,

    Hi,
    in addition to Anil's valid input, make sure that ZTEST is NOT ready for input. Indeed "ready for input" vars cannot be changed via customer exits.
    hope this helps...
    Olivier.

  • Hierarchy Nodes Display problem in the query

    Hi
    I have an organizational hierarchy upto 6 levels of nodes.
    When it is displyed in the query only the first three levels are getting displayed.
    When i see in the restricted area ( when restricting values ) i find all the nodes displayed but when query is executed i dont see anything.
    Are there setting thats needs to be made in order to see the entire hierarchy.
    regards
    sundaresan

    When you restrict any query you can see all the nodes of hierarchy, but when you run it you can see only those nodes for which value exists in infoprovider.
    Corss check if you have any other restrictions also.

  • Identifying hierarchy node in authorization log

    Hi,
    I created a error log (RSECADMIN) for an authorization problem.
    The log displays - among other things - :
    Main Check:
    Following Set Is Checked
    Characteristic  Contents 
    0COMPANY    Node 0 1 0 824 1
    What do these 5 numbers after the word Node mean?
    The number 824 seems to be the SID for the hierarchy ID. I assume that the other numbers are somehow used to identify the exact node. But I don't really know.
    Can anybody help me here?

    Hi,
    Please explain, what is your authorization issue.?
    in the previous post, authorization issue was not explained exactly.
    please do the needful.

  • Variable for hierarchy node using in authorization

    Hi all,
    I have the following problem:
    When I create a variable for a hierarchy node and I use it for the authorization, I have the possibility to say, that a user can see all elements under a node.
    But it should now be possible, that the user can also see the usage of this node bottom-up ( multi-level usage of this node ).
    Is there a possibilty ?
    Thanks
    Dieter

    Hi,
    I would suggest you provide more details than just "doesn't work". In addition keep in mind that this is a forum and not an official support channel. In case you need a faster response you should talk to the support team.
    Ingo

  • Data slice inconsistency problem with hierarchy nodes

    Hi Experts,
    We want to lock planning tables from function. We create the appropriate data slices but there are problems with (material group) hierarchy nodes.
    If I give the node as input variable to the function it causes inconsistency in the data slice. If I choose and add this node to the lock in modeler, the problem is the same.
    We are using the following variables to create a data slice:
    0VERSION
    0VTYTYPE
    0COMP_CODE
    ZGRMAT (developed material group)
    Z_YEARCR (developed yera created)
    The problem also exist if I set an another type of node e.g. destination country (0RECIPCNTRY) instead of material group.
    For me, the problem seems to be generic.
    Do you have any idea?
    Many thanks in advance
    Peter

    There is a note related to this proble:
    Note 1070608 - Lowflag field is not valid
    The implementation of this note resolves the problem.
    Peter

  • Restric to hierarchy nodes and characteristics at the same time

    Hi together,
    I've got a profit center hierarchy and an authorization object with those fields:
    0CO_AREA
    0PROFIT_CTR
    0TCTAUTHH
    The controling area is compounded to the profitcenter.
    Then I created an authorization definition for hierarchies where i added a node from my profit center hierarchy.
    But aditionaly I want to add a single Profit center, which is not below this node. but it does not work. I only get the profit centers below the node i maintained for the hierarchy authorization and not the single entry for the profit center
    How can I setup this situation where I need to maintain on the one side one or more nodes in a hierarchy and then a single profit center which might be under another hierarchy node although this node is not explicitly allowed?
    Kind regards
    Stefan

    Thanks for the reply.  This issue is becoming a major problem for lots of implementations.  I have sent out several forum and OSS on this but no solution.

  • Authorization problem

    Hi experts,
    I have the following authorization problem:
    I have a role containing authorization for company code. The role contains several queries.
    Some of the queries contain authorization variable of company code but some are not restricted by any authorization.
    When I run the queries that are not restricted by authorizations I get an error: User is not authorized
    from RESCADMIN:  
    Message EYE007: You do not have sufficient authorization   
    No Sufficient Authorization for This Subselection (SUBNR)   
    Following CHANMIDs Are Affected:
    182 ( 0COMP_CODE )
    267 ( 0COMP_CODE__Z_EBUKR )
    Thanks,
    Hagit

    Dear Hagit,
    Iu2019m going to try helping you regarding your question,
    Before give you some suggestion. I would like to check with you some item,
    The first is the authorization structure. The main authorization structure includes:
    Characteristics and Attribute Navigational are relevant authorization, as 0COMP_CODE.
    Roles, where are included authorization object to execute queries as S_RS_COMP, S_RS_COMP1, S_RFC and S_TCODE. In field of S_RS_COMP and S_RS_COMP1 is very important include the right technical name of the queries. Furthermore, add the S_RS_AUTH authorization object to join an analysis authorization.
    Analysis Authorization, where are included each characteristic and attribute navigational relevant authorization with specific value, as: u201C*u201D full access, u201C:u201D aggregate value, single value, range value or node of hierarchy.
    Query, where are include in some cases the characteristic relevant authorization with its variable authorization.
    InfoProvider, where are contain characteristic an attribute navigational relevant authorization.
    Regarding your Error:
    from RESCADMIN:
    Message EYE007: You do not have sufficient authorization
    No Sufficient Authorization for This Subselection (SUBNR)
    Following CHANMIDs Are Affected:
    182 ( 0COMP_CODE )
    267 ( 0COMP_CODE__Z_EBUKR )
    I suggest you, to try the following action:
    Query, in some queries where you havenu2019t included the characteristic 0COMP_CODE in the row. Put in the default value the characteristic  0COMP_CODE with its variable authorization, not ready for entry and optional.
    Analysis authorization, you should add all of characteristic and attribute navigational relevant authorization available in the InfoProvider. Must be matching characteristic and navigational attribute relevant authorization, between analysis authorization and InfoProvider.
    Try to include in your analysis authorization the u201C:u201D value.
    Furthermore,  try you execute tcode RSUDO, then RSECPROT you can get more information about your authorization system behavior. The first transaction is to execute a query with other user (select u201Cwith error logu201D), and the second is to display the error log.
    I hope these comments can help you,
    Luis

  • Authorization problem using rsecadmin

    Hi all,
    i created a authorization based on a hierarchy of an infoobject we use in BW (ZIOICOUJ).
    So the user should have access only to his hierarchy node and everything what is under the node.
    The hierarchy goes for example like this:
    LEVEL0 - infoobject ZIOCELOK - Infoobject name LEVEL0
    --LEVEL1.1 - infoobject ZIOCELOK - Infoobject name LEVEL1.1
    Level1.1.1 - infoobject ZIOICOUJ - Infoobject name Level1.1.1
    Level1.1.2 - infoobject ZIOICOUJ - Infoobject name Level1.1.2
    --LEVEL1.2 - infoobject ZIOCELOK - Infoobject name LEVEL1.2
    Level1.2.1 - infoobject ZIOICOUJ - Infoobject name Level1.2.1
    Level1.2.2 - infoobject ZIOICOUJ - Infoobject name Level1.2.2
    In resecadmin i added to authorization these infoobjects:
    0TCAACTVT - actvity 03, 16
    0TCAIPROV - all activities
    0TCAVALID - all activities
    ZIOICOUJ - selected the hierarchy for Level1.1
    ZIOCELOK - all
    Now the user gets "no authorization" message when he choose level1.1 When he choose the nodes Level1.1.1 and Level1.1.2 he gets the correct data.
    Here is the rsecadmin error log:
    this part is crucial, characteristic is OK, Hierarchy version OK, Key date OK, Node infoobject not ok, node name ok
    what is node infoobject ???
      Objects Used 
    Hierarchy Node Definitions Used in the Selection
    Nodes     Char.     Hierarchy     Version     Key Date     Node InfoObject     Node Name     Node Level     Depth (Levels)
    Node S0001     ZIOICOUJ     STAT     000     99991231     KAP28     KAP28     3     96
    Node S0002     ZIOICOUJ     STAT     000     99991231     KAP28     KAP28     3     96
    Node S0003     ZIOICOUJ     STAT     000     99991231     KAP28     KAP28     3     96
    Node S0004     ZIOICOUJ     STAT     000     99991231     KAP28     KAP28     3     96
    Node S0005     ZIOICOUJ     STAT     000     99991231     KAP28     KAP28     3     96
    i guess this is used in the authorization and it matches the table above, but not in node infoobject
    Hierarchy Node Definitions:Used in the Authorization
    Node     Char.     Hierarchy     Version     Key Date     Node InfoObject     Node Name     Type     Level     Validity Range     Structure Date
    Node A0001     ZIOICOUJ     STAT     000     99991231     ZIOCELOK     KAP28     4     02     0     00000000
    I need help, really really bad.....
    Thx for any suggestions.....

    No one with any idea?
    At least i would like to know what exactly is node infoobject name, in our hierarchy its ZIOCELOK for LEVEL1.1, i cant find any node infoobject name LEVEL1.1
    i edited the tables from rsecadmin a little bit to see clearly where the problem is.....
    Objects Used
    Hierarchy Node Definitions Used in the Selection
    Nodes Char. Hierarchy Version Key Date Node InfoObject Node Name Node Level Depth (Levels)
    Node S0001 ZIOICOUJ STAT 000 99991231 LEVEL1.1 LEVEL1.1 3 96
    Node S0002 ZIOICOUJ STAT 000 99991231  LEVEL1.1 LEVEL1.1 3 96
    Node S0003 ZIOICOUJ STAT 000 99991231 LEVEL1.1 LEVEL1.1 3 96
    Node S0004 ZIOICOUJ STAT 000 99991231 LEVEL1.1 LEVEL1.1 3 96
    Node S0005 ZIOICOUJ STAT 000 99991231  LEVEL1.1 LEVEL1.1 3 96 3 96 3 96
    Hierarchy Node Definitions:Used in the Authorization
    Node Char. Hierarchy Version Key Date Node InfoObject Node Name Type Level Validity Range Structure Date
    Node A0001 ZIOICOUJ STAT 000 99991231 ZIOCELOK LEVEL1.1 4 02 0 00000000
    Edited by: Martin  Zluky on Oct 15, 2010 10:03 AM
    Edited by: Martin  Zluky on Oct 15, 2010 10:05 AM

  • BI Security: Hierarchy reporting authorizations

    Hi Guys,
      I have created hierarchy authorization object in RSECADMIN. Included this object in role and assigned
      this role to user. I have four reports in FI. In this four reports this heirarchy authorization is working for
      three reports as per the requirement but the one report is not working. It is showing the message
      " Need authorization". This report also has to show the required hierarchy node.
        Today  I have included one DSO in the same multi provider. Now all reports are not working for the
    authorized users. It is showing the message "No authorization". Till now I haven't generated the
    authorizations in RSECADMIN. Is this the problem? I tried to generate the authorizations in
    RSECADMIN it is showing below error messages.
    InfoProvider ZM_FIAM01 does not contain the required characteristic 0TCTUSERNM
    InfoProvider ZM_FIAM01 does not contain the required characteristic 0TCTAUTH
    InfoProvider ZM_FIAM01 does not contain the required characteristic 0TCTADTO
    InfoProvider ZM_FIAM01 does not contain the required characteristic 0TCTIOBJNM
    InfoProvider ZM_FIAM01 does not contain the required characteristic 0TCTHIENM
    InfoProvider ZM_FIAM01 does not contain the required characteristic 0TCTHIEVERS
    InfoProvider ZM_FIAM01 does not contain the required characteristic 0TCTHIEDATE
    InfoProvider ZM_FIAM01 does not contain the required characteristic 0TCTNIOBJNM
    InfoProvider ZM_FIAM01 does not contain the required characteristic 0TCTNODE
    InfoProvider ZM_FIAM01 does not contain the required characteristic 0TCTATYPE
    InfoProvider ZM_FIAM01 does not contain the required characteristic 0TCTACOMPM
    InfoProvider ZM_FIAM01 does not contain the required characteristic 0TCTTLEVEL
    Please suggest me if I messed any thing.
    Thanks
    Prasad

    Hi Zaheer,
    Hi Aduri,
    Thanks for your response.
    I tried to execute the user with logs in RSECADMIN. Here it is showing the error
    message "Authorizations missing for aggregation (":")".
    I have included 0TCAACTVT, 0TCAIPROV, 0TCAVALID, 0PROFIT_CTR, 0CO_AREA and
    0ASSET__0PROFIT_CTR in authorization object.
    I checked the relevent SAP not " Note 1140831 - Colon authorization during query execution ". In is
    saying to Restrict the characteristic in the query to a certain selection (single value, interval, hierarchy
    node, and so on) and authorize this selection explicitly.
    Thanks
    Prasad

  • RSECADMIN: Hierarchy node checked can not be interpreted (trace)

    Hi there,
    Time for me to ask for your help.
    When using RSECADMIN for tracing Hierarchy Analysys Authorization I cannot interpreted the hierarchy node that is checked:
    - The authorizations found are displayed as a clickable text e.g.  Node 1  and the value can be found below the check
    - The hierarchy node checked however is displayed as e.g.  Node 4 1 0 7 1 and I can not translate this node to any existing node in my hierarchy.
    [See this picture |http://farm4.static.flickr.com/3172/2978379084_acdf6baba5_o.jpg]that shows an example.
    Could anybody help me to find out the checked authorization node?
    Thank you!
    Kind regards,
    Lodewijk

    Hi Steve,
    Thanks for your reaction, in this case the problem indeed might be something else instead of the ZKLANT node. I will have a look at it rightaway.
    Nevertheless I find it very discomforting that these strange node numbers seem to be of no use at all.
    Can anyone shine a light on this issue?
    Thanks,
    Lodewijk

  • Authorization Problem with Hierarchical Filter

    Hi Gurus!
    In our BW system I created a query that includes hierarchy-enabled characteristic
    (0costcenter). 0costcenter has a hierarchy node variable to restrict
    user's  data by using authorization.
    Then I created an authorization object from t-code RSECADMIN, in this auth.
    object,  restricted 0costcenter from hierarchy authorization tab , and
    selected 6 nodes (the nodes have no sub-nodes).
    In our web template ( WAD 7.0 ) I used hierarchical filter to see the 6 nodes in our report. It works fine when I first open the template in our Enterprise Portal that we see in the variable screen,0costcenter's variable captures the nodes that I restricted in our authorization object.
    In the portal the hierarchical filter displays only selected nodes but this filter shows the hierarchy's root (name of the hierarchy) and when we choose the root the analysis displays all the values, the authorization do not work here.
    From RSECADMIN, In the hierarchy authorization tab, I tried all the type of hierarchies but all of them gave the same result.
    When i execute the report in BEx Analyzer, the authorization works fine, I think the problem is about hierarchical filter but i cannot find any solution...
    Can you give me an idea plz..
    Thank you!

    Hi,
    I think this is caused by program error.
    Take a look:
    [1075125|https://websmp230.sap-ag.de/sap(bD1kZSZjPTAwMQ==)/bc/bsp/spn/sapnotes/index2.htm?numm=1075125] - Unauthorized data displayed when structure element expanded
    [917565|https://websmp230.sap-ag.de/sap(bD1kZSZjPTAwMQ==)/bc/bsp/spn/sapnotes/index2.htm?numm=917565] - Query displays unauthorized data
    [981828|https://websmp230.sap-ag.de/sap(bD1kZSZjPTAwMQ==)/bc/bsp/spn/sapnotes/index2.htm?numm=981828] - No authorization for assigned inactive hierarchy
    [654947|https://websmp230.sap-ag.de/sap(bD1kZSZjPTAwMQ==)/bc/bsp/spn/sapnotes/index2.htm?numm=654947] - Hierarchy authorizations with compound characteristics
    Only available in German:
    [1158432|https://websmp230.sap-ag.de/sap(bD1kZSZjPTAwMQ==)/bc/bsp/spn/sapnotes/index2.htm?numm=1158432] - Zu viele Werte berechtigt bei Hierachie mit Intervallen
    Hope this helps.
    Regards
    Andreas

  • How to filter hierarchy node in BEX query designer

    Dear experts
    We are working on FI balance sheet with hierarchy infoobject 0GLACCEXT. Example of our balance sheet is as follow:
    Parent Node A = 20
         Sub-parent Node A1 = 10
             Leaf A11 = 5
                 Leaf A12 = 5
    Parent Node B = 20
         Sub-parent Node B1 = 10
                   Leaf B11 = 5
                   Leaf B12 = 5
    We require only:
        Sub-parent Node A1 = 10
        Leaf B12 = 5
    So I filter those out in BEX restriction;  however, after we examine the report in tcode RSRT, "Sub-parent Node A1" is not shown in BEX Report, and the result is as follow:
    Parent Node B = 5
         Sub-parent Node B1 = 5
                 Leaf B12 = 5
    Are there solutions for us to show merely A1 and B12 ?

    Hi Chu
    Try the following steps.
    Initial Output
    In this example I will restrict the query for only displaying Node 8603 and leaf 9000
    Proceed to restrict the Characteristic. Please be aware of the difference between hierarchy nodes and leaf characteristic values. Also set the Hierarchy display properties to expand up to level 1.
    Execute the query again:
    Please be aware that users will still be able to expand node 8603 and see the lower level nodes/leaf. In order to restrict users from doing this set up users authorizations.
    Regards,
    Carlos

  • Drilldown to hierarchy nodes in VC..

    Hi..
    I want drilldown functionality in VC..
    1. my Query has a hierarchy
    2. my VC application has a table attached to this query.
    3. In Output the hierarchy nodes are displayed
    4. i ve taken a button Drilldown on my table
    5. on selection of a node and onclick of button all the hierarchy nodes get expanded(drilled down)
    Problem : i do not want all the nodes to get drilled down..only the selected node should get drilled..
    Plz help me out for the same...
    Thanks in advance..
    Bhavna.

    Hi,
    Just check out in hierarchy attribute setting... what is the start node for the drill down..
    Regards,
    Viren.

Maybe you are looking for

  • How can I get my Microsoft exchange calendar items in the cloud

    I am changing jobs, but all of my personal calendar items and contacts are in the work Exchange server.  Is there a way to transfer those items to the iCloud?

  • Static nat using gloabl ip

    I have an ASA configured with a server in our DMZ. It is currently configured to be accessed via the internet on port 80.  That works. Now they want to initiate traffic from the DMZ to the internet.  I thought the static NAT would keep the IP.  Its a

  • DIVX Converter/Codec not working with FCP and OS 10.7?

    For years, I've used the DIVX Converter/Codec to output video files from Final Cut Pro 7.0.3 via the Export/Use Quicktime Conversion/Divx as a .divx file. But today, after I upgraded my OS from 10.6 to 10.7 and installed the latest version of DIVX Pr

  • HP Pavilion Elite m9040n Desktop and Fire Wire 1394

    I have the above mentioned Desktop. It has a 1394 plugin on the front of case. Does the Pavilion come with all the software to make fire wire work? I backed up my hard drive onto an Toshiba external disk with a USB cable the other day and it took 6 h

  • Problem in sending the Smartform Output as PDF through Mail

    Dear All, I am sending the Smartform Output as an attachment by converting it into PDF. But when I am recieve this attachment I am unable to open the PDF file, it is giving error that FILE IS DAMAGED. Below is the code: REPORT  Y_SEND_MAIL2. TABLES: