Hierarchy node authorization problem
Hi All,
We are on SP10 for BI.
We are restricting user to a node (fund center) in the hierarchy (based on fund centers).
1) When a user executes the query and selects a node (in the filter
selection criteria) to which he is authorized, the output of the query is
restricted to the authorized node. This is what we want. Test is successful.
After the query is executed, when the user tries to play around with the
Fund Center info-object by moving it to the Free Characteristics space and
back to the Rows, the node restriction still works and the user is again
restricted to the authorized node. This is what we want. Test is successful.
2) When a user executes the query and selects a higher node (in the filter
selection criteria) to which he is NOT authorized, the output of the query
is still restricted to the authorized node. This is what we want. Test is
successful.
After the query is executed, when the user tries to play around with the
Fund Center info-object by moving it to the Free Characteristics space and
back to the Rows, the node restriction no longer works and the user is now
able to the data for the complete hierarchy. Now here our security fails and
we do not want this to happen.
Possible approach for a solution:
We would want the user to see only the authorized nodes in the filter
selection criteria. By doing this, the user will not be able select any
other nodes and would be restricted to Testing scenario 1, thus avoiding testing scenario 2. Is this approach feasible? I found couple of OSS note but none of them exactly match to our situation here. Did anyone encounter this problem?
Is there any other solution for this problem?
Thanks,
Jay
Hello,
this is interesting and sounds like system failure.
I would suggest to open an OSS message and explain the system behaviour to the support. I'm sure they can help you.
For me it sounds like the node authorization restriction should be active anytime.
Best, Michael
Similar Messages
-
Hierarchy Node Authorization Issue
Hello Experts,
I am trying to restrict a user from seeing the complete hierarchy. The user should only be able to see the text node "text1" and below.
I did the following:
1) Using Tcode RSECADMIN I created an Authorization Object ZTEST2 for 0COMP_CODE hierarchy at node level "text1".
2) I have assigned user "User1" to the Authorization object ZTEST2.
Now, when I click on the "Analysis" tab and click on "Execute As" as user "User1" and then I check the "RSRT" to execute a query that has Company Code hierarchy as a variable. When I click on the prompt for variable input for hierarchy i see the hierarchy name and then when i execute the query i get to see the complete hierarchy.
I would really appreciate if somebody could point me where I am wrong.
I see the following in the error log:
Buffering the Authorization Data
Buffering for InfoProvider 0FIGL_C10 and Users ABARAPATRE
InfoObject Properties Defined
Reading of Directly Assigned Authorizations
Direct Assignment Does Not Include Universal Authorization 0BI_ALL
Reading the Indirect Assignments with Authorization Object S_RS_AUTH
Does user have OBI_ALL?
Yes, the User Has Universal Authorization 0BI_ALL
Indirect Assignment Includes Universal Authorization 0BI_ALL
All Other Assignments Will Be Ignored
The Following Value Authorizations Were Found
TCTAUTH TCTIOBJNM TCTSIGN TCTOPTION TCTLOW TCTHIGH
0BI_ALL 0COMP_CODE I CP *
Thanks.
Regards,
bw_newbieHi,
0BI_ALL will include all the analysis authorization created on the infoobject level. So if a user have 0BI_ALL, by default he is authorized for all the analysis auth that you create, even if you donot asisgn these explicitly to the user. For your scenario, you need to remove 0BI_ALL auth.
Rgds,
Hari -
Hierarchy Node authorization with customer exit
Hi All,
I have created a hierarchy for an info-object A along with nodes test1 and test 2.node test1 consisit of value 10,20,30,40,50 and node test2 consist of value 60,70,80,90. .
1) I want that perticuler user should access perticuler node in hierarachy for that reason I have created a database table in which i have maintained the username and the values from the Infoobject A .I want to write a customer exit code in which user X can access node test1 and user Y can access node test2
but in database table i can not maintain the nodes i can only maintain the values from the nodes
so how can i restrict the user to perticuler node instead of values
The authorization values for the perticuler user will get filled by customer exit variable maintained in the authorization profile
can any body suggest me or send me example customer exit code for this scenario.
I really appreciate your thoughts on this issue.
Thanks,Hi,
in addition to Anil's valid input, make sure that ZTEST is NOT ready for input. Indeed "ready for input" vars cannot be changed via customer exits.
hope this helps...
Olivier. -
Hierarchy Nodes Display problem in the query
Hi
I have an organizational hierarchy upto 6 levels of nodes.
When it is displyed in the query only the first three levels are getting displayed.
When i see in the restricted area ( when restricting values ) i find all the nodes displayed but when query is executed i dont see anything.
Are there setting thats needs to be made in order to see the entire hierarchy.
regards
sundaresanWhen you restrict any query you can see all the nodes of hierarchy, but when you run it you can see only those nodes for which value exists in infoprovider.
Corss check if you have any other restrictions also. -
Identifying hierarchy node in authorization log
Hi,
I created a error log (RSECADMIN) for an authorization problem.
The log displays - among other things - :
Main Check:
Following Set Is Checked
Characteristic Contents
0COMPANY Node 0 1 0 824 1
What do these 5 numbers after the word Node mean?
The number 824 seems to be the SID for the hierarchy ID. I assume that the other numbers are somehow used to identify the exact node. But I don't really know.
Can anybody help me here?Hi,
Please explain, what is your authorization issue.?
in the previous post, authorization issue was not explained exactly.
please do the needful. -
Variable for hierarchy node using in authorization
Hi all,
I have the following problem:
When I create a variable for a hierarchy node and I use it for the authorization, I have the possibility to say, that a user can see all elements under a node.
But it should now be possible, that the user can also see the usage of this node bottom-up ( multi-level usage of this node ).
Is there a possibilty ?
Thanks
DieterHi,
I would suggest you provide more details than just "doesn't work". In addition keep in mind that this is a forum and not an official support channel. In case you need a faster response you should talk to the support team.
Ingo -
Data slice inconsistency problem with hierarchy nodes
Hi Experts,
We want to lock planning tables from function. We create the appropriate data slices but there are problems with (material group) hierarchy nodes.
If I give the node as input variable to the function it causes inconsistency in the data slice. If I choose and add this node to the lock in modeler, the problem is the same.
We are using the following variables to create a data slice:
0VERSION
0VTYTYPE
0COMP_CODE
ZGRMAT (developed material group)
Z_YEARCR (developed yera created)
The problem also exist if I set an another type of node e.g. destination country (0RECIPCNTRY) instead of material group.
For me, the problem seems to be generic.
Do you have any idea?
Many thanks in advance
PeterThere is a note related to this proble:
Note 1070608 - Lowflag field is not valid
The implementation of this note resolves the problem.
Peter -
Restric to hierarchy nodes and characteristics at the same time
Hi together,
I've got a profit center hierarchy and an authorization object with those fields:
0CO_AREA
0PROFIT_CTR
0TCTAUTHH
The controling area is compounded to the profitcenter.
Then I created an authorization definition for hierarchies where i added a node from my profit center hierarchy.
But aditionaly I want to add a single Profit center, which is not below this node. but it does not work. I only get the profit centers below the node i maintained for the hierarchy authorization and not the single entry for the profit center
How can I setup this situation where I need to maintain on the one side one or more nodes in a hierarchy and then a single profit center which might be under another hierarchy node although this node is not explicitly allowed?
Kind regards
StefanThanks for the reply. This issue is becoming a major problem for lots of implementations. I have sent out several forum and OSS on this but no solution.
-
Hi experts,
I have the following authorization problem:
I have a role containing authorization for company code. The role contains several queries.
Some of the queries contain authorization variable of company code but some are not restricted by any authorization.
When I run the queries that are not restricted by authorizations I get an error: User is not authorized
from RESCADMIN:
Message EYE007: You do not have sufficient authorization
No Sufficient Authorization for This Subselection (SUBNR)
Following CHANMIDs Are Affected:
182 ( 0COMP_CODE )
267 ( 0COMP_CODE__Z_EBUKR )
Thanks,
HagitDear Hagit,
Iu2019m going to try helping you regarding your question,
Before give you some suggestion. I would like to check with you some item,
The first is the authorization structure. The main authorization structure includes:
Characteristics and Attribute Navigational are relevant authorization, as 0COMP_CODE.
Roles, where are included authorization object to execute queries as S_RS_COMP, S_RS_COMP1, S_RFC and S_TCODE. In field of S_RS_COMP and S_RS_COMP1 is very important include the right technical name of the queries. Furthermore, add the S_RS_AUTH authorization object to join an analysis authorization.
Analysis Authorization, where are included each characteristic and attribute navigational relevant authorization with specific value, as: u201C*u201D full access, u201C:u201D aggregate value, single value, range value or node of hierarchy.
Query, where are include in some cases the characteristic relevant authorization with its variable authorization.
InfoProvider, where are contain characteristic an attribute navigational relevant authorization.
Regarding your Error:
from RESCADMIN:
Message EYE007: You do not have sufficient authorization
No Sufficient Authorization for This Subselection (SUBNR)
Following CHANMIDs Are Affected:
182 ( 0COMP_CODE )
267 ( 0COMP_CODE__Z_EBUKR )
I suggest you, to try the following action:
Query, in some queries where you havenu2019t included the characteristic 0COMP_CODE in the row. Put in the default value the characteristic 0COMP_CODE with its variable authorization, not ready for entry and optional.
Analysis authorization, you should add all of characteristic and attribute navigational relevant authorization available in the InfoProvider. Must be matching characteristic and navigational attribute relevant authorization, between analysis authorization and InfoProvider.
Try to include in your analysis authorization the u201C:u201D value.
Furthermore, try you execute tcode RSUDO, then RSECPROT you can get more information about your authorization system behavior. The first transaction is to execute a query with other user (select u201Cwith error logu201D), and the second is to display the error log.
I hope these comments can help you,
Luis -
Authorization problem using rsecadmin
Hi all,
i created a authorization based on a hierarchy of an infoobject we use in BW (ZIOICOUJ).
So the user should have access only to his hierarchy node and everything what is under the node.
The hierarchy goes for example like this:
LEVEL0 - infoobject ZIOCELOK - Infoobject name LEVEL0
--LEVEL1.1 - infoobject ZIOCELOK - Infoobject name LEVEL1.1
Level1.1.1 - infoobject ZIOICOUJ - Infoobject name Level1.1.1
Level1.1.2 - infoobject ZIOICOUJ - Infoobject name Level1.1.2
--LEVEL1.2 - infoobject ZIOCELOK - Infoobject name LEVEL1.2
Level1.2.1 - infoobject ZIOICOUJ - Infoobject name Level1.2.1
Level1.2.2 - infoobject ZIOICOUJ - Infoobject name Level1.2.2
In resecadmin i added to authorization these infoobjects:
0TCAACTVT - actvity 03, 16
0TCAIPROV - all activities
0TCAVALID - all activities
ZIOICOUJ - selected the hierarchy for Level1.1
ZIOCELOK - all
Now the user gets "no authorization" message when he choose level1.1 When he choose the nodes Level1.1.1 and Level1.1.2 he gets the correct data.
Here is the rsecadmin error log:
this part is crucial, characteristic is OK, Hierarchy version OK, Key date OK, Node infoobject not ok, node name ok
what is node infoobject ???
Objects Used
Hierarchy Node Definitions Used in the Selection
Nodes Char. Hierarchy Version Key Date Node InfoObject Node Name Node Level Depth (Levels)
Node S0001 ZIOICOUJ STAT 000 99991231 KAP28 KAP28 3 96
Node S0002 ZIOICOUJ STAT 000 99991231 KAP28 KAP28 3 96
Node S0003 ZIOICOUJ STAT 000 99991231 KAP28 KAP28 3 96
Node S0004 ZIOICOUJ STAT 000 99991231 KAP28 KAP28 3 96
Node S0005 ZIOICOUJ STAT 000 99991231 KAP28 KAP28 3 96
i guess this is used in the authorization and it matches the table above, but not in node infoobject
Hierarchy Node Definitions:Used in the Authorization
Node Char. Hierarchy Version Key Date Node InfoObject Node Name Type Level Validity Range Structure Date
Node A0001 ZIOICOUJ STAT 000 99991231 ZIOCELOK KAP28 4 02 0 00000000
I need help, really really bad.....
Thx for any suggestions.....No one with any idea?
At least i would like to know what exactly is node infoobject name, in our hierarchy its ZIOCELOK for LEVEL1.1, i cant find any node infoobject name LEVEL1.1
i edited the tables from rsecadmin a little bit to see clearly where the problem is.....
Objects Used
Hierarchy Node Definitions Used in the Selection
Nodes Char. Hierarchy Version Key Date Node InfoObject Node Name Node Level Depth (Levels)
Node S0001 ZIOICOUJ STAT 000 99991231 LEVEL1.1 LEVEL1.1 3 96
Node S0002 ZIOICOUJ STAT 000 99991231 LEVEL1.1 LEVEL1.1 3 96
Node S0003 ZIOICOUJ STAT 000 99991231 LEVEL1.1 LEVEL1.1 3 96
Node S0004 ZIOICOUJ STAT 000 99991231 LEVEL1.1 LEVEL1.1 3 96
Node S0005 ZIOICOUJ STAT 000 99991231 LEVEL1.1 LEVEL1.1 3 96 3 96 3 96
Hierarchy Node Definitions:Used in the Authorization
Node Char. Hierarchy Version Key Date Node InfoObject Node Name Type Level Validity Range Structure Date
Node A0001 ZIOICOUJ STAT 000 99991231 ZIOCELOK LEVEL1.1 4 02 0 00000000
Edited by: Martin Zluky on Oct 15, 2010 10:03 AM
Edited by: Martin Zluky on Oct 15, 2010 10:05 AM -
BI Security: Hierarchy reporting authorizations
Hi Guys,
I have created hierarchy authorization object in RSECADMIN. Included this object in role and assigned
this role to user. I have four reports in FI. In this four reports this heirarchy authorization is working for
three reports as per the requirement but the one report is not working. It is showing the message
" Need authorization". This report also has to show the required hierarchy node.
Today I have included one DSO in the same multi provider. Now all reports are not working for the
authorized users. It is showing the message "No authorization". Till now I haven't generated the
authorizations in RSECADMIN. Is this the problem? I tried to generate the authorizations in
RSECADMIN it is showing below error messages.
InfoProvider ZM_FIAM01 does not contain the required characteristic 0TCTUSERNM
InfoProvider ZM_FIAM01 does not contain the required characteristic 0TCTAUTH
InfoProvider ZM_FIAM01 does not contain the required characteristic 0TCTADTO
InfoProvider ZM_FIAM01 does not contain the required characteristic 0TCTIOBJNM
InfoProvider ZM_FIAM01 does not contain the required characteristic 0TCTHIENM
InfoProvider ZM_FIAM01 does not contain the required characteristic 0TCTHIEVERS
InfoProvider ZM_FIAM01 does not contain the required characteristic 0TCTHIEDATE
InfoProvider ZM_FIAM01 does not contain the required characteristic 0TCTNIOBJNM
InfoProvider ZM_FIAM01 does not contain the required characteristic 0TCTNODE
InfoProvider ZM_FIAM01 does not contain the required characteristic 0TCTATYPE
InfoProvider ZM_FIAM01 does not contain the required characteristic 0TCTACOMPM
InfoProvider ZM_FIAM01 does not contain the required characteristic 0TCTTLEVEL
Please suggest me if I messed any thing.
Thanks
PrasadHi Zaheer,
Hi Aduri,
Thanks for your response.
I tried to execute the user with logs in RSECADMIN. Here it is showing the error
message "Authorizations missing for aggregation (":")".
I have included 0TCAACTVT, 0TCAIPROV, 0TCAVALID, 0PROFIT_CTR, 0CO_AREA and
0ASSET__0PROFIT_CTR in authorization object.
I checked the relevent SAP not " Note 1140831 - Colon authorization during query execution ". In is
saying to Restrict the characteristic in the query to a certain selection (single value, interval, hierarchy
node, and so on) and authorize this selection explicitly.
Thanks
Prasad -
RSECADMIN: Hierarchy node checked can not be interpreted (trace)
Hi there,
Time for me to ask for your help.
When using RSECADMIN for tracing Hierarchy Analysys Authorization I cannot interpreted the hierarchy node that is checked:
- The authorizations found are displayed as a clickable text e.g. Node 1 and the value can be found below the check
- The hierarchy node checked however is displayed as e.g. Node 4 1 0 7 1 and I can not translate this node to any existing node in my hierarchy.
[See this picture |http://farm4.static.flickr.com/3172/2978379084_acdf6baba5_o.jpg]that shows an example.
Could anybody help me to find out the checked authorization node?
Thank you!
Kind regards,
LodewijkHi Steve,
Thanks for your reaction, in this case the problem indeed might be something else instead of the ZKLANT node. I will have a look at it rightaway.
Nevertheless I find it very discomforting that these strange node numbers seem to be of no use at all.
Can anyone shine a light on this issue?
Thanks,
Lodewijk -
Authorization Problem with Hierarchical Filter
Hi Gurus!
In our BW system I created a query that includes hierarchy-enabled characteristic
(0costcenter). 0costcenter has a hierarchy node variable to restrict
user's data by using authorization.
Then I created an authorization object from t-code RSECADMIN, in this auth.
object, restricted 0costcenter from hierarchy authorization tab , and
selected 6 nodes (the nodes have no sub-nodes).
In our web template ( WAD 7.0 ) I used hierarchical filter to see the 6 nodes in our report. It works fine when I first open the template in our Enterprise Portal that we see in the variable screen,0costcenter's variable captures the nodes that I restricted in our authorization object.
In the portal the hierarchical filter displays only selected nodes but this filter shows the hierarchy's root (name of the hierarchy) and when we choose the root the analysis displays all the values, the authorization do not work here.
From RSECADMIN, In the hierarchy authorization tab, I tried all the type of hierarchies but all of them gave the same result.
When i execute the report in BEx Analyzer, the authorization works fine, I think the problem is about hierarchical filter but i cannot find any solution...
Can you give me an idea plz..
Thank you!Hi,
I think this is caused by program error.
Take a look:
[1075125|https://websmp230.sap-ag.de/sap(bD1kZSZjPTAwMQ==)/bc/bsp/spn/sapnotes/index2.htm?numm=1075125] - Unauthorized data displayed when structure element expanded
[917565|https://websmp230.sap-ag.de/sap(bD1kZSZjPTAwMQ==)/bc/bsp/spn/sapnotes/index2.htm?numm=917565] - Query displays unauthorized data
[981828|https://websmp230.sap-ag.de/sap(bD1kZSZjPTAwMQ==)/bc/bsp/spn/sapnotes/index2.htm?numm=981828] - No authorization for assigned inactive hierarchy
[654947|https://websmp230.sap-ag.de/sap(bD1kZSZjPTAwMQ==)/bc/bsp/spn/sapnotes/index2.htm?numm=654947] - Hierarchy authorizations with compound characteristics
Only available in German:
[1158432|https://websmp230.sap-ag.de/sap(bD1kZSZjPTAwMQ==)/bc/bsp/spn/sapnotes/index2.htm?numm=1158432] - Zu viele Werte berechtigt bei Hierachie mit Intervallen
Hope this helps.
Regards
Andreas -
How to filter hierarchy node in BEX query designer
Dear experts
We are working on FI balance sheet with hierarchy infoobject 0GLACCEXT. Example of our balance sheet is as follow:
Parent Node A = 20
Sub-parent Node A1 = 10
Leaf A11 = 5
Leaf A12 = 5
Parent Node B = 20
Sub-parent Node B1 = 10
Leaf B11 = 5
Leaf B12 = 5
We require only:
Sub-parent Node A1 = 10
Leaf B12 = 5
So I filter those out in BEX restriction; however, after we examine the report in tcode RSRT, "Sub-parent Node A1" is not shown in BEX Report, and the result is as follow:
Parent Node B = 5
Sub-parent Node B1 = 5
Leaf B12 = 5
Are there solutions for us to show merely A1 and B12 ?Hi Chu
Try the following steps.
Initial Output
In this example I will restrict the query for only displaying Node 8603 and leaf 9000
Proceed to restrict the Characteristic. Please be aware of the difference between hierarchy nodes and leaf characteristic values. Also set the Hierarchy display properties to expand up to level 1.
Execute the query again:
Please be aware that users will still be able to expand node 8603 and see the lower level nodes/leaf. In order to restrict users from doing this set up users authorizations.
Regards,
Carlos -
Drilldown to hierarchy nodes in VC..
Hi..
I want drilldown functionality in VC..
1. my Query has a hierarchy
2. my VC application has a table attached to this query.
3. In Output the hierarchy nodes are displayed
4. i ve taken a button Drilldown on my table
5. on selection of a node and onclick of button all the hierarchy nodes get expanded(drilled down)
Problem : i do not want all the nodes to get drilled down..only the selected node should get drilled..
Plz help me out for the same...
Thanks in advance..
Bhavna.Hi,
Just check out in hierarchy attribute setting... what is the start node for the drill down..
Regards,
Viren.
Maybe you are looking for
-
How can I get my Microsoft exchange calendar items in the cloud
I am changing jobs, but all of my personal calendar items and contacts are in the work Exchange server. Is there a way to transfer those items to the iCloud?
-
I have an ASA configured with a server in our DMZ. It is currently configured to be accessed via the internet on port 80. That works. Now they want to initiate traffic from the DMZ to the internet. I thought the static NAT would keep the IP. Its a
-
DIVX Converter/Codec not working with FCP and OS 10.7?
For years, I've used the DIVX Converter/Codec to output video files from Final Cut Pro 7.0.3 via the Export/Use Quicktime Conversion/Divx as a .divx file. But today, after I upgraded my OS from 10.6 to 10.7 and installed the latest version of DIVX Pr
-
HP Pavilion Elite m9040n Desktop and Fire Wire 1394
I have the above mentioned Desktop. It has a 1394 plugin on the front of case. Does the Pavilion come with all the software to make fire wire work? I backed up my hard drive onto an Toshiba external disk with a USB cable the other day and it took 6 h
-
Problem in sending the Smartform Output as PDF through Mail
Dear All, I am sending the Smartform Output as an attachment by converting it into PDF. But when I am recieve this attachment I am unable to open the PDF file, it is giving error that FILE IS DAMAGED. Below is the code: REPORT Y_SEND_MAIL2. TABLES: