"Low-level" authorizations for accessing BW reports - add users to role

Similar Messages

• "Low-level" authorizations for accessing BW reports

  May I please have your attention for the following:
  Each employee is represented by a costcenter in our R/3, and thus, BW-system.
  Plan is as follows: by filling in the costcenter on the selection-screen of a BW-webreport on can see his/her own financial data for a certain (posting)period.
  Is there a way to restrict access without creating separate users/roles/profiles for each costcenter??(we have a lot of potential users who only need to see the report but do not need access to BW itself (RSA1 etc)).
  I'm thinking about some sort of mapping:
  e.g. user SANTA logs on -> ABAP-program/function maps it to correct costcenter e.g. 1234 -> user is only authorized for this costcenter...
  But is this possible and where to implement it??
  Thanx a lot in advance for your hints!!!
  Best regards,
  Marco

  Thanks al lot for your replies.
  Corwin, I tried your solution and I've almost got it working....
  1. made a table in DDIC to link username to costcenter
  2. set up a reporting auth. via RSSM
  3. created a variable (ZCOSTC) type 'Authorization' in the query designer
  4. wrote some code in the user-exit (via SMOD) to fill this variable (translate username to costcenter via mentioned table)
  5. created a role incl. authorization with reference to variable: value '$ZCOSTC'
  This reference is not working unfortunately enough.
  Everything works fine when I replace $ZCOSTC by an existing costcenter.
  Am I forgetting something??
  Thanx again!
  Best regards,
  Marco

• Do not have authorization for access with activity 03 on the InfoProvider

  Hi,
  I have developed new cube & ODS and created new Web Templates based on queries on these Infoproviders.
  I have created new role and adde these templates to menu of this Role.
  In Authorization profile i have used following Authorization objects.
  S_RS_BTMP
  S_RS_COMP
  S_RS_COMP1
  S_RS_ICUBE
  S_RS_ODSO
  In all these objects i hace selected activity 3.
  Infoarea used for these new Cube & ODS is also added and for cube & ODS selection ihave used * (full authorization)
  But when user is opening the web template it is showing error messahe
  "You do not have authorization for access with activity 03 on the InfoProvider ZICXEROX."
  Is there is any authorization object missing in the profile?
  Regards
  SSS

  Dear SSS,
  Have the same problem ' You do not have sufficent  authorization for the infoprovider'. so could you please send the document from my mail id
  [email protected].......
  plaase very very urgent
  Regards
  Ahmed.

• Low Level VI for ELVIS

  Where can I get the low level VIs for ELVIS functionalities not currently exposed in LabView eg for Bode Analyzer, Arbitrary WaveForm Generator

   Hi Adnaan,
   The lower level VI's are just as you list: DMM, FGEN, etc. I'm sorry the Bode Analyzer low level's are not available.
   It looks like all of the controls for the BodeAnalyzer can be accessed from the block diagram, is this not the level of programatic control that you need?
   The Express VI link was included in case you we're interested in how to create these.
   Have a great weekend!
  Best regards,
  MatthewW
  Applications Engineer
  National Instruments
  Message Edited by Matthew W on 09-28-2007 06:36 PM
  Attachments:
  bode_elvis.JPG ‏11 KB

• EDMS: 'Missing authorization for this functionality' when searching user

  Hi,
  I've activated ALC authorization for DMS. In EDMS, when trying to add an user to a DIR with search function an error occurres as below.
  'Missing authorization for this functionality'
  BTW, the user has contains SAP_ALL profile. It can't be any authorization reasons.
  Regards,
  Yemi

  Hi,
  authorization checks will not happen if the search help from sap-gui.I
  think the problem is releted to missing implementation of "check
  function module" from your side. If the search help is linked to a
  "master data table" (type A) a check function must be implemented to
  check the permission of the user.
  This function module is read from table BAPIF4T.                 Please
  check the following link:                                 http://help.sa
  p.com/saphelp_nw04/helpdata/en/a5/3eca044ac011d189
  4e0000e829fbbd/content.htm
  http://wiki.sdn.sap.com/wiki/display/PLM/Object+Link+search+in+EasyDMS
  Regards,
  Hari

• Authorization for gl account to specific user

  Dear SAP Experts,
  Cash GL Account-accounting to be authorized to specific User ID.
  In breaf:
  while post the document in cash gl account, they need to give authorization cash gl account wise per each user ID.
  pls advice me...
  Thanks in advance
  venkat reddy

  my client want give the authorization for gl account to specific user ids..
  ex: let say chash gl account 410000.. we want to give the authorization to post in 410000 to user id 254109 only not fot all..
    please give the solution..
  regards
  venkat reddy

• AppServer: problems trying to add users to roles in security dialog

  I'm trying to learn J2EE using AppServer. My current example has a client accessing
  an entity bean. I want two classes of user - Reader, and Updater. Most methods
  of Home and Remote are accessible to both classes, a few are restricted to users
  in Updater role. I'm currently having problems adding users to roles in deploytool.
  I have defined users using the Admin client.
  I have implemented and test run client and entity bean without security restrictions, it works.
  I have defined roles associated with the application.
  I have allocated roles to every method in Home and Remote interface of bean.
  I have extracted the generated XML file and checked the <assembly-descriptor> section and
  it appears that all roles and role descriptions are defined as required.
  deploytool lets me use the "Security Role Mapping" dialog, I can select either of my roles and
  try "Add user to role" - subsequent dialog shows my users and allows me to "Map user to role" -
  but selected user does NOT appear in the user names panel.
  What am I doing wrong or what am I omitting? Hints please!

  Thanks for suggestions. (I'm using Windows so file-protections pretty
  non-existent).
  I looked in the Sun file you mentioned and found the users were defined.
  When I restarted AppServer and deploytool, the users were shown in the appropriate
  panel.
  There is probably some minor bug in deploytool that causes the User Panel not
  to be updated as it should be after a user has been added to a role.

• How to disable Wifi and Network access in low level setting for security ?

  Hi
  New to here
  One of our final customer bought imac last months. OS 10.9, SN is c02*******J4i
  Since they are security printing, all the necessary ports accessing to outisdes need to be disabled in low level setting(not the ons just like turn on and off ).
  The ports including USB storage, Network and WIFI.
  I googled and found the following
  Open the /System/Library/Extensions folder.
  To remove support for USB mass storage devices, drag the following file to the Trash: IOUSBMassStorageClass.kext
  Open Terminal and enter the following command: $ sudo touch /System/Library/Extensions The touch command changes the modified date of the /System/Library/Extensions folder. When the folder has a new modified date, the Extension cache files (located in /System/Library/) are deleted and rebuilt by Mac OS X.
  Choose Finder > Secure Empty Trash to delete the file.
  Restart the system.
  I want to confirm this before sending to final user. Since I didn't have mac on hand, just wonder whether there are similar kext files for network and wifi to remove.
  Just like step 2 described.
  I would like customer to backup these files before permanently removed.
  Many thanks
  Kevin
  <Edited By Host>

  chiqui wrote:
  Is it possible to disable Internet access point and WAP as when I use WiFi some connections to WAP server of my provider are still made and I get charged. I am looking for the option not to delete it entirely from the access point list, but rather disable it as I might need connection when WiFi is not available and I want to be able to enable it as once I delete the server name and setting I won't know it.
  Is it possible to do it and how?
  You could delete WAP accesspoint. Not all providers (carriers) allow this.
  ‡Thank you for hitting the Blue/Green Star button‡
  N8-00 RM 596 V:111.030.0609; E71-1(05) RM 346 V: 500.21.009

• Object level authorizations for reports

  HI
  I have 20 charactesr in cube , around 15 have navigational attributes.
  i need to give authorizations for 5 objects only .( navigational attributes).
  i have 10 reports, i need 2 reports only authorizations relavant.
  if i restrict 5 objects authorizations , its effect all queris? in this scenerio i need to create 2 cubes?
  ple let me know

  hi suneel,
  As you said you require authorization for 2 reports, you can restrict those Infoobjects with the authorization variables and in the other 3reports use that object but do not restrict to the authorization variables..
  So, the user will be able to see whole data for 3 reports where authorization is not used.
  Hope it is clear.
  Thanks
  Lavanya

• We need to give field-level authorization for some fields

  The schenario is as follows :
  1. There are various storage locations within a plant.
  2. There is one or more people incharge of creating PO and receiving
  stocks for every storage location.
  3. We dont want to authorise the person incharge of one storage
  location to receive stock in another storage location or even view the
  other storage locations at the time of creating the PO or any other
  transaction. The user incharge of one storage location should not be
  able to view any other storage location in any storage location field's
  drop down.
  regards
  Manish
  +91 9811647727

  Hi Umesh,
  Please see the documentations for authorization profile P_ABAP in the R/3 library and the following:
  SU03 -> HR Human resources -> position your cursor to P_ABAP HR: Reporting -> choose button "Docu."  -> the pop-up "help - P_ABAP" appears.
  There is an example, which describes a similar issue regarding RPTIME00 and the Basic pay infotype (0008).
  The standard reports of personnel administration are based on logical database PNP I would recommend to set your authorization as follows:
  Object HR: Master data (P_ORGIN) (two authorizations)
    Infotype                  0002             ' '
    Subtype                   *                ' '
    Authorization level       R                ' '
    Organizational key        ' '              0001YYYYXXX
  Object HR: Reporting  (P_ABAP)
    Report name                SAPDBPNP
    Degree of simplification   1
  Please note, that if a user has authorization for e.g. the birthday list , (s)he will be able to view the birth date through thisquery, although (s)he cannot access to IT0002 through PA20.
  Another possibility would be using Customer-Specific Authorization Object P_NNNNN. I have attached a file with a very comprehensive documentation regarding HR authorizations. P_NNNNN is documented on pages 40 ff.
  Hope this help
  Sarah

• Field level Authorization for IT0002

  Hi All,
  We have a requirement to control the authorization for the field NI Number/Social Security number from IT0002.
  This field is getting displayed in various standard reports which are in use by administrators/Managers etc....
  We want to disable the access of this field to every one, even the HR administartor.
  Kindly suggest if this is possible using authorizations.
  I know that we can hide the field in display access for PA20 or PA30, but I am particularly serching the option for various reports.
  Regards,
  Umesh Chaudhari.

  Hi Umesh,
  Please see the documentations for authorization profile P_ABAP in the R/3 library and the following:
  SU03 -> HR Human resources -> position your cursor to P_ABAP HR: Reporting -> choose button "Docu."  -> the pop-up "help - P_ABAP" appears.
  There is an example, which describes a similar issue regarding RPTIME00 and the Basic pay infotype (0008).
  The standard reports of personnel administration are based on logical database PNP I would recommend to set your authorization as follows:
  Object HR: Master data (P_ORGIN) (two authorizations)
    Infotype                  0002             ' '
    Subtype                   *                ' '
    Authorization level       R                ' '
    Organizational key        ' '              0001YYYYXXX
  Object HR: Reporting  (P_ABAP)
    Report name                SAPDBPNP
    Degree of simplification   1
  Please note, that if a user has authorization for e.g. the birthday list , (s)he will be able to view the birth date through thisquery, although (s)he cannot access to IT0002 through PA20.
  Another possibility would be using Customer-Specific Authorization Object P_NNNNN. I have attached a file with a very comprehensive documentation regarding HR authorizations. P_NNNNN is documented on pages 40 ff.
  Hope this help
  Sarah

• Need help in copying Invoice date to lower level item in Sales order report

  Hello Experts,
  I am debugging into one Sales order report.I need little bit help.The report is displaying Invoice Date for
  Sales order Billing documents for Higher item in Bill of Material Structures.But as per user requirement,
  I am supposed to show the Invoice date for lower level items also.The field for Higher level item is 'UEPOS'.
  I want to copy the Invoice date for Higher level item to lower level item. Can you please guide me in the logic?
  Thanking you in anticipation.
  Best Regards,
  Harish

  Hi BreakPoint,
  Thanks for the information.
  I have applied the same way but it is showing only lower line items now.
  Invoice dates for Higher level items are not there.
  I am pasting the code here which I have applied.
  Then you can give me more guidence.
  This is to be done only for 'ZREP' sales orders.
  if w_vbak-auart EQ 'ZREP' and w_vbak-uepos is not INITIAL.
                        read table t_final into w_final_ZREP with key vbeln = w_vbak-vbeln
                                                                      posnr = w_vbak-uepos.
                           w_final-erdat_i = w_final_ZREP-erdat_i.
                           else.
                  if w_vbak-auart EQ 'ZREP' and w_vbak-uepos is INITIAL.
                    w_final-erdat_i = w_invdate.
                  endif.
                  endif.
  Can you please sugest me changes here?
  Best Regards,
  Harish
  Edited by: joshihaa on Jul 13, 2010 6:22 PM

• Object level authorization for SLT Configuration schema in HANA DB

  Hi All,
  We have connected SLT with HANA DB (& ECC as source system).
  Now for certain users we wanted to restrict the access for certain tables ( tables owned by SLT Schema, i.e schema created in HANA DB with the configuration name provided in the SLT configuration).
  With the SYSTEM user object level authorization's of another schema is not possible hence , an error is thrown when we are trying to provide/control the access of single table for a user.
  Is it ok that we generate a password for SLT schema and try login with schema owner. Is it the best practice or Is there any other way around.
  Regards,
  Kumar

  Hi Santosh,
  You can find more info about SLT Roles and Authorization from below security guide.
  http://help.sap.com/hana/SAP_HANA_Security_Guide_Trigger_Based_Replication_SLT_en.pdf
  Regards,
  V Srinivasan

• BI7 InfoObject Value Level Authorization for Queries

  Hi Guys/Gals,
        this is my requirement.....
  we have a HR ODS which has personal information of employees from 72 Companies.
  we have a query based on this ODS ....
  My requirement is when User A runs the query only data from Company A must be displayed...
  and when User B runs the same query only data from Company B must be displayed....  
  no pop-ups for the company code .....
  i posted this question yesterday & got a few replies....i tried them out... but there is this issue...
  i used the RSECADMIN & created the AO which includes the 0COMP_CODE....
  then i added it to the role using PFCG....
  when i add the AO i created in the " BI Analysis Authorizations: Na " section...
  the query gives a "no authorization" error.....
  then one of u guy asked me to add it in to the
  "SAP Business Information Warehouse - Reporting" section,,,, so i did that....
  but unless i also add " BI Analysis Authorizations: Na " with * the query doesn't work....
  and when i add " BI Analysis Authorizations: Na " with * &
  "SAP Business Information Warehouse - Reporting" with the AO i created...
  the filter doesn't work... it displays all the data
  please help me.....

  Hello Christopher,
  your thread is a little bit confusing and unclear. I just had a look at the other two threads you posted and here are my comments:
  Prerequisite for the use of BI 7.0 analysis authorizations:
  - each user needs authorizations for the three special dimensions (0TCAACTVT, 0TCAIPROV and 0TCAVALID) otherwise queries won't run!
  As a consequence you will have to create analysis authorizations like this:
  <b>ZCOMP_1000</b>
  0COMP_CODE<i> I EQ</i> 1000
  0TCAACTVT <i>I EQ</i> 03
  0TCAIPROV <i>I EQ</i> your HR DSO
  0TCAVALID <i>I EQ</i> *
  <b>ZCOMP_2000</b>
  0COMP_CODE<i> I EQ</i> 2000
  0TCAACTVT <i>I EQ</i> 03
  0TCAIPROV <i>I EQ</i> your HR DSO
  0TCAVALID <i>I EQ</i> *
  You can then assign these authorizations directly to your specific users using RSU01 or you will create a role and add the authorization object S_RS_AUTH with value ZCOMP_1000 and another one that contains S_RS_AUTH with value ZCOMP_2000.
  Of course your users will need authorizations for standard reporting such as S_RFC, S_RS_COMP, S_RS_COMP1.
  S_RS_ICUBE, S_RS_ODSO, S_RS_MPRO, S_RS_ISET are not necessary any more for reporting because they were replaced by 0TCAIPROV in the analysis authorization.
  Finally the query selection must be COMPLETELY be a part of the user's authorizations. This is best done by an query variable that is filled from the user's authorizations at runtime.
  Good luck,
  Petra

• Object level authorizations for deffirent user restrictions

  Hi
  i have 1 object, this object have only 3 values?
  i need authorizations for this object at report level?
  rsa1- i keep authorization relevant?
  rsecadmin i can include this object , here i need give from value and to value? i have 3 values only? suppose user 1 want only 1 value? user 2 need 2 and 3 value? how can i restrict like this ? ple let em know

  Hi Suneel,
  Go to RSECADMIN.
  Here, in maintain authorizations, create authorization for your characteristics along with the special characteristics.
  i.e. in your case, create authorization(assume 0plant is marked as authorization relevant)
  0PLANT
  0TCAACTVT
  0TCAIPROV
  0TCAVALID
  Double click on each characteristic to assign them the authorized value set.
  Thus, you will create two authorizations
  Z_PLANT_1
  0PLANT...................I..EQ..............1
  0TCAACTVT.............I...EQ..............3
  0TCAIPROV.............I...EQ..........ZPROVIDER
  0TCAVALID..............I...EQ...........*
  Z_PLANT_2&3
  0PLANT...................I..EQ..............2
  ..............................I..EQ..............3
  0TCAACTVT.............I...EQ..............3
  0TCAIPROV.............I...EQ..........ZPROVIDER
  0TCAVALID..............I...EQ...........*
  Go to RSECADMIN again in user tab in assignment, assign these authorizations created to the respective users.
  Like assign User1 -
  >Z_PLANT_1
  ................User2  -
  >Z_PLANT_2&3
  Refer  the link below for more information
  [Analysis Authorization|http://help.sap.com/saphelp_nw70/helpdata/en/66/019441b8972e7be10000000a1550b0/frameset.htm]
  Hope this helps,
  Best regards,
  Sunmit.