MSS - Reports - Authorization object

Hi
I am working on configuring EP 7.0 ... In MSS , i have brought the reports from MDP..Its working fine when i give "SAP_ALL" profile, else i see only reports table with out any entries(Reports selection) ..when i check out Su53 for any missing Auth-object , it doesnt give any clue as it doesnt take this as authorization error.
Any idea on what authorization object to be included in the backend role to get the reports page  displaying  all the entries/reports?
Thanks in advance

SU53 isn't all that useful for properly analysing authorisation checks.
Try running an authorisation trace in transaction ST01 to see what's really happening in the backend ECC system.

Similar Messages

  • Authorization object impact

    Hi,
    I have got an infocube(IC) and multicube based on IC (MC).
    The authorization object for IC and MC are A & B.
    A report on MC has got B as authorization object.
    Now does the object 'A' has got any impact on report.
    As on now its saying that indequate authorization, even if authorization for B is given.
    Please clarify,
    Thanks in Advance,
    Naveen.A

    hi Naveen,
    object A won't get impact on report if in RSSM you didn't mark multicube/multiprovider MC. check again RSSM for object A if MC is marked. (by default system will mark new create reporting authorization object for relevant infoproviders).
    further more, what the 'no authorization' message say ? is it say no authorization for A ?
    you can try with transaction RSRT.
    and have trace set trace with RSRTRACE to find what exactly the authorization problem.
    hope this helps.

  • Authorization object of a query

    Hi All,
    How can we check the authorization objects of a particular query?
    Means... I have one query.
    I have to find out the authorization objects of this query.
    Where can we find the authorization objects of this query?
    How can we find out the authorization objects for a query?
    Please tell me...  
    Thanks
    Krishna.

    Authorizations for the Query Definition
    http://help.sap.com/saphelp_nw04/helpdata/en/80/1a68a7e07211d2acb80000e829fbfe/frameset.htm
    Setting Up Reporting Authorizations
    Creating an authorization object
           1.      In the SAP Easy Access initial screen of the SAP Business Information Warehouse, choose the path SAP Menu ® Business Explorer ® Authorizations ® Reporting Authorization Objects.
           2.      Choose Authorization Object ® Create. Give the authorization object a technical name and a regular name. Save your entries.
           3.      On the right-hand side of the screen, an overview of all the InfoObjects that are authorization-relevant is displayed.
    Only those characteristics that have been flagged as authorization-relevant previously in the InfoObject maintenance screen can be assigned as fields for an authorization object. See also: Creating InfoObjects: Characteristics
           4.      Assign the InfoObject fields to the authorization object:
    ¡        Select the characteristics for which you want an authorization check of the selection conditions to be carried out.
    ¡        Select the InfoObject key figure (1KYFNM) if you want to restrict the authorization to a single key figure.
    ¡        Select the InfoObject (0TCTAUTHH) if you want to check authorizations for a hierarchy.
    ¡        Include the authorization field activity (ACTVT) in the authorization object if you want to check authorizations for documents.
           5.      Save your entries.
           6.      Go back to the initial screen of the authorization maintenance.
           7.      Choose Check for InfoProviders ® Display to get a list of the InfoProviders that contain the InfoObjects that you selected and are therefore subject to an authorization check (where-used list). In the change mode you can exclude individual InfoProviders from the authorization check for this authorization object by removing the flag.
    Authorization object:           S_RSRSAREA
    Name:                   Sales area
    Fields:                         DIVISION, CUSTGROUP, 1KYFNM
    Creating authorizations
    Authorizations are created and maintained in the role maintenance screens.
           1.      Choose Authorizations ® Roles ® Change.
           2.      Specify the roles that you want to change and choose Change. This takes you to the role maintenance screen.
           3.      On the Authorizations tabstrip, choose the Expert mode for generating profiles option.
           4.      Choose the Enter Authorization Objects Manually option, and specify the objects that you require. Choose Enter. The authorization object is added to the role.
           5.      Choose Generate.
    http://help.sap.com/saphelp_nw04/helpdata/en/a0/48f438f3422f2ce10000000a114084/content.htm
    Hope it helps
    regards
    Bala

  • Reporting authorization in BW 3.5: use of colon ":"

    Hello,
    we are using in our BW 3.5 system a reporting  authorization object ZAUTHOBJ. ZAUTHOBJ is defined on exactly one InfoObject ZINFOBJ (e.g. country).
    Some of our users have the following authorization
       ZINFOBJ = :
    so that they  view the values of an KYF aggregated with the characteristic ZINFOBJ. They cannot drill down to a certain value of ZINFOBJ, e.g. by filtering to a specific value.
    We are facing the following problem:
    If the user with the ":" authorization defines a query with an excluding filter on ZINFOBJ, e.g. excluding certain values, the query aggregates the KYF on the remaining values of the characteristic ZINFOBJ.
    So by this "backdoor" the user can find out the KYF of specific ZINFOBJ values.
    Is this a feature or a bug of SAP BW?
    Best regards
    Lothar

    Hi,
    We can think it as Back door or we can say We are misusing the concept of : in authorization.
    If we have to use ZAUTHOBJ = :, in any case we are not going to give Country as the free characterstic , Part of rows, and filter area.
    That means noware we use the country in the query.
    With rgds,
    Anil Kumar Sharma .P

  • Reporting Authorization - InfoObject/Navigational Attributes

    We have a custom infoobject for Vendor to which access needs to be controlled. Certain users are not supposed to have access to a number of the navigational attributes on the object however we want these users to have access to all other navigational attributes (meaning we don't want these 'fields' to be visible but everything else). We have other reporting authorization objects that prevent access to the entire 'record' if the user is not authorized for a certain value (cost center, etc.).
    Thanks.

    Hi Joerg,
    navigational attributes are treated like characteristics. You can make them authorization relevant and restrict access, e.g. by granting ":", which allows to see overall results without details on this attribute.
    Regards, Klaus

  • Authorization Object is not working when report is modified.

    Hi BW Guru's
    We have Company Code as Authorization Object .and we have 3 company Codes (xxxx,yyyy,zzzz).where the users under Company code xxxx are not supposed to view company code yyyy,zzzz data etc.
    I modified an existing Report and transported to production.But the Authorization Object is not working for that report.The Report is defaultly displaying all the company codes data(xxxx,yyyy) for all the users.But for the other reports its(company code ) is working fine.
    What could be the problem?Is theproblem in transporting the objects.But i transported all the objects inluding auhorization object.
    Please send me the solution as it is very much urgent.
    The solution will be def. awarded with full points.
    Regards
    Sanjay

    hi Sanjay,
    please don't post the same question again, check and response back from your previous thread
    Re: Authorization Object is not working when report is Modified.
    hope this helps.
    would be nice if you reward for helpful answers to all of your previous postings, e.g
    docs related to RRI

  • Report to check authorization object used in customized programs

    Hi Guys,
    An auditor came and he raised a question to us, he asked whether all of our customized transactions and programs are maintained with authorization checks? The question is how can we check what authorization objects are used for our customized programs and transaction codes? The developer did not maintain the objects used for that program in SU24 table. Is there a program or a report to show us all the authorization object used for a customised program or transaction? Example : T-code MIGO we can check in SU24 table for all the authorization object used. How do we check for customized tcodes? Please advise. Thanks!
    Edited by: Jarod Tan on Nov 25, 2010 9:42 AM

    Note that some programs are built in such a way that no (visible) auth check is necessary, or even desired at all.
    To determine the necessity of an auth check, you should check that starting it has an entry point (tcode, rfc, service) which is appropriately restricted. The rest (whether and where and how a further check is evaluated) is entirely dependent to what the program actually does.
    Well designed applications generally have centralized functions and methods, and the checks are in there or a "base check" they use.
    Others again use the same in UI programming to determine the visibility of functions, to make the application more intuitive for the user. This on it's own is however not a sufficient auth check to rely on.
    Code review is an art form!
    Cheers,
    Julius

  • Authorization object for running a report in background

    Good day experts,
    I tried running a report in background, I choose immediately so that it doesn't have to be scheduled. But when I checked it in my own jobs, It remains at scheduled status. When I tried it on my admin account, It works and with status finished. It seems to be an authorization problem. What object could I be missing with my user account? I tried S_TCODE SMX and SP02 but still not working.
    Thanks in advance!

    Hi karshbax,
    What you're looking for is authorization object S_BTCH_JOB. You need authorization for field JOBACTION = RELE.
    In future use transaction SU53. It shows last error authorization error, so if this is authorization problem then after try of manual releasing of job you'll find in SU53 precise info what went wrong.
    Best Regards
    Marcin Cholewczuk

  • Report to view user nm, authorization objects, activity, transaction code.

    Hi All,
    I want to view a user-wise report that displays the transaction code, authorization objects and activities for which the user has authorization.
    Is there any standard report to view all this at a glance?
    Can anybody help me on this?
    Thanks.

    u can try SUIM tcode
    its really helps u
    regards,
    Abhilash

  • Authorization object coding in ABAP report

    Hi,
    I am working on a report. The output of the report is details regarding vendor based on purchasing organization. When user executes the reports, they should be only able to see details if they are authorized to (create, change and display) for the purchasing org of vendor.
    The authrorization object by SAP security team is 'M_LFM1_EKO' for standard access to vendors (via MK01, MK02 AND MK03).
    How can I use same authorization object to do check in my program for the user in ABAP so that if user is not authroized he will not be able to see details during output for those vendor.
    Regards,
    Tgshah.

    Hi ,
    Basically you need to call Authority-check using the pattern option and then pass the object name and field name .If the user has been assigned that object in his profile sy-subrc will succed otherwise fail .
    AUTHORITY-CHECK OBJECT 'M_LFM1_EKO'
             ID 'ACTVT' FIELD '1/2/3'
             ID 'EKORG' FIELD 'value of purchase organization'.
    IF sy-subrc eq 0 .
    WRITE :'authorization' .
    ELSE .
      WRITE 'no authorization' .
    ENDIF.
    The below lonk explains it more ...
    [http://help.sap.com/saphelp_40b/helpdata/fr/d4/e02c7dd435d1118b3f0060b03ca329/content.htm]
    Thank you .
    Anjaneya .

  • Authorization object to view Maintain Performance Documents on MSS

    Hi Experts,
    Would like to know which authorization object would require to view Maintain Performance Documents on MSS. Currently, we removed SAP_ALL access from MSS user and not able to peform Maintain Performance Documents.We are on EP 7 and ECC 6.
    It gives following error :
    java.lang.NullPointerException
         at com.sap.xss.hr.mbo.blc.BMboStatusComp.resetGlobalMboR3Data(BMboStatusComp.java:260)
         at com.sap.xss.hr.mbo.blc.wdp.InternalBMboStatusComp.resetGlobalMboR3Data(InternalBMboStatusComp.java:195)
         at com.sap.xss.hr.mbo.blc.BMboStatusCompInterface.resetGlobalMboR3Data(BMboStatusCompInterface.java:150)
         at com.sap.xss.hr.mbo.blc.wdp.InternalBMboStatusCompInterface.resetGlobalMboR3Data(InternalBMboStatusCompInterface.java:168)
         at com.sap.xss.hr.mbo.blc.wdp.InternalBMboStatusCompInterface$External.resetGlobalMboR3Data(InternalBMboStatusCompInterface.java:224)
         at com.sap.xss.hr.mbo.vac.VMboStatusComp.onBeforeOutput(VMboStatusComp.java:227)
         at com.sap.xss.hr.mbo.vac.wdp.InternalVMboStatusComp.onBeforeOutput(InternalVMboStatusComp.java:185)
         at com.sap.xss.hr.mbo.vac.VMboStatusCompInterface.onBeforeOutput(VMboStatusCompInterface.java:143)
         at com.sap.xss.hr.mbo.vac.wdp.InternalVMboStatusCompInterface.onBeforeOutput(InternalVMboStatusCompInterface.java:136)
         at com.sap.xss.hr.mbo.vac.wdp.InternalVMboStatusCompInterface$External.onBeforeOutput(InternalVMboStatusCompInterface.java:212)
         at com.sap.pcuigp.xssfpm.wd.FPMComponent.callOnBeforeOutput(FPMComponent.java:603)
         at com.sap.pcuigp.xssfpm.wd.FPMComponent.doProcessEvent(FPMComponent.java:569)
         at com.sap.pcuigp.xssfpm.wd.FPMComponent.doEventLoop(FPMComponent.java:438)
         at com.sap.pcuigp.xssfpm.wd.FPMComponent.wdDoInit(FPMComponent.java:196)
         at com.sap.pcuigp.xssfpm.wd.wdp.InternalFPMComponent.wdDoInit(InternalFPMComponent.java:110)
         at com.sap.tc.webdynpro.progmodel.generation.DelegatingComponent.doInit(DelegatingComponent.java:108)
         at com.sap.tc.webdynpro.progmodel.controller.Controller.initController(Controller.java:215)
         at com.sap.tc.webdynpro.progmodel.controller.Controller.init(Controller.java:200)
         at com.sap.tc.webdynpro.clientserver.cal.ClientComponent.init(ClientComponent.java:430)
         at com.sap.tc.webdynpro.clientserver.cal.ClientApplication.init(ClientApplication.java:362)
         at com.sap.tc.webdynpro.clientserver.session.ApplicationSession.initApplication(ApplicationSession.java:754)
         at com.sap.tc.webdynpro.clientserver.session.ApplicationSession.doProcessing(ApplicationSession.java:289)
         at com.sap.tc.webdynpro.clientserver.session.ClientSession.doApplicationProcessingPortal(ClientSession.java:733)
         at com.sap.tc.webdynpro.clientserver.session.ClientSession.doApplicationProcessing(ClientSession.java:668)
         at com.sap.tc.webdynpro.clientserver.session.ClientSession.doProcessing(ClientSession.java:250)
         at com.sap.tc.webdynpro.clientserver.session.RequestManager.doProcessing(RequestManager.java:149)
         at com.sap.tc.webdynpro.clientserver.session.core.ApplicationHandle.doProcessing(ApplicationHandle.java:73)
         at com.sap.tc.webdynpro.portal.pb.impl.AbstractApplicationProxy.sendDataAndProcessActionInternal(AbstractApplicationProxy.java:860)
         at com.sap.tc.webdynpro.portal.pb.impl.AbstractApplicationProxy.create(AbstractApplicationProxy.java:220)
         at com.sap.portal.pb.PageBuilder.updateApplications(PageBuilder.java:1288)
         at com.sap.portal.pb.PageBuilder.createPage(PageBuilder.java:355)
         at com.sap.portal.pb.PageBuilder.init(PageBuilder.java:548)
         at com.sap.portal.pb.PageBuilder.wdDoInit(PageBuilder.java:192)
         at com.sap.portal.pb.wdp.InternalPageBuilder.wdDoInit(InternalPageBuilder.java:150)
         at com.sap.tc.webdynpro.progmodel.generation.DelegatingComponent.doInit(DelegatingComponent.java:108)
         at com.sap.tc.webdynpro.progmodel.controller.Controller.initController(Controller.java:215)
         at com.sap.tc.webdynpro.progmodel.controller.Controller.init(Controller.java:200)
         at com.sap.tc.webdynpro.clientserver.cal.ClientComponent.init(ClientComponent.java:430)
         at com.sap.tc.webdynpro.clientserver.cal.ClientApplication.init(ClientApplication.java:362)
         at com.sap.tc.webdynpro.clientserver.session.ApplicationSession.initApplication(ApplicationSession.java:754)
         at com.sap.tc.webdynpro.clientserver.session.ApplicationSession.doProcessing(ApplicationSession.java:289)
         at com.sap.tc.webdynpro.clientserver.session.ClientSession.doApplicationProcessingStandalone(ClientSession.java:713)
         at com.sap.tc.webdynpro.clientserver.session.ClientSession.doApplicationProcessing(ClientSession.java:666)
         at com.sap.tc.webdynpro.clientserver.session.ClientSession.doProcessing(ClientSession.java:250)
         at com.sap.tc.webdynpro.clientserver.session.RequestManager.doProcessing(RequestManager.java:149)
         at com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doContent(DispatcherServlet.java:62)
         at com.sap.tc.webdynpro.serverimpl.defaultimpl.DispatcherServlet.doPost(DispatcherServlet.java:53)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
         at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
         at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
         at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
         at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
         at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
         at java.security.AccessController.doPrivileged(Native Method)
         at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:102)
         at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:172)
    Would appreciate kind guidance to resolve issue.
    Thanks in advance.
    Aashish

    I am closing this thread as opened at wrong place.
    Thanks,
    Aashish

  • Adding authorization objects to Report Painter reports

    Hello Everyone,
    Is there way to add authorization objects to report painter reports ? I know it is possible to add auth group at the header level but I need to limit access at run time to specific objects, say for example, Cost Center. Is this possible ?
    I have seen the Get_Reporter.pdf document and it seems to discusses adding auth group but not auth objects.
    Thanks in advance.
    Dorothy

    hi
    good
    use this tcode to create authorization
    SU21  Maintain Authorization Objects
    this link ll give you idea to create the authorization object for the report painter.
    http://www.virtuosollc.com/PDF/Get_Reporter.pdf
    Award points if helpful.
    thanks
    mrutyun

  • Authorization object in zee report

    Dear experts,
    How to restrict a user from viewing ohter sales office.
    What are the steps to be followed.
    Who will create authorization 0bject or authorization group abaper or functional person.
    I am using AUTHORITY-CHECK in my report for a authorization object which is already created but
    it is not giving the correct results.
    Do I have to make a new authorization object and class for this.
    How should I control my zee transaction which is attached to this report.

    Hi,
    How to restrict a user from viewing ohter sales office.
    What are the steps to be followed.
    Who will create authorization 0bject or authorization group abaper or functional person.
    You need to identify the correct authorization object. BASIS team can help you in this.
    Usually all security related activities is taken care by the BASIS team. It depends on project to project.
    I am using AUTHORITY-CHECK in my report for a authorization object which is already created but
    it is not giving the correct results.
    What do you mean by not giving correct results. You might be having access to the sales areas you are trying to execute. That why check is successful.
    Do I have to make a new authorization object and class for this.
    Not required i hope as you already got the reply for this.
    How should I control my zee transaction which is attached to this report.
    Give the right authorization group in T-code as well (SE93). Even if you don't give, since you already have the check in the program, no issues i hope. But it is always advised to control this through BASIS at user role level rather than at ABAP level.
    Please note that authorization check statement won't give any error. You need to through the error if sy-subrc NE 0
    after the AUTHORITY-CHECK statement.
    Hope you are clear now:)
    Thanks,
    Vinod.

  • Authorization Object for HR Reports

    Hi All,
    I have to restrict the users based on Company Code so that the users can only access the data for which they authorized from the standard HR reports.
    Please suggest the authorization object.
    With Regards
    Akshat

    Hi Akshat,
    For HR perspective its best to use P_ORGIN Authorization Object which gives you flexibility at following level:
    INFTY: Infotype Number
    SUBTY: Subtype Number
    AUTHC: Authorization Level
    WERKS: Personnel Area
    PERSG: Employee Group
    PERSK: Employee Subgroup
    VDSK1: Organizational Key
    You can consult functional consultant for its parameters and further help.
    Hope this helps.
    Regards,
    Naveen

  • Limiting the Report Layout access other than Authorization Object S_ALV_LAYO

    Dear Experts,
    We have an issue of Layout Access limit to Users coz unwittingly these are being deleted.
    (Example: IW39 à after F8 à Settings à Layout.)
    The Authorization object S_ALV_LAYO which limits the access, has been defined in the multiple Roles, where every User been assigned with these Roles across Three Continents.
    Instead of hampering the existing Streamlined Roles, looking for other Options since if it may give odd behaviour after modifying the Roles then all the Users across the continents will be effected.
    It will be grateful if we get other options to limit the Layout access instead of controlling through Authorization Object.
    Thank you & Have a Great Day!

    Thank you Sebastian & Terence,
    The Global Roles has maintained with Authorization Object (S_LAYO_ALV) and these are been assigned to Every User coz all Users should access these reports.
    So now every User has maintained with the Authorization Object to access.
    Now we are trying to Control the Access to limited Users through without hampering the well maintained/streamlined  Roles, since if any adverse effects on the modified roles may impact to all the Users across the continents.
    Looking for other options.
    Thanks, I appreciate your time and efforts on this.

Maybe you are looking for

  • Customer line item missing in accounting doc after billing

    Hi experts... We are facing an issue after generating  billing document, accounting document is created automatically but in that accounting document the customer itself is missing in the entry where as other line items like revenues, taxes are visib

  • I can't uninstall iTunes...

    When i go to add or remove programs and i try to remove itunes it opens a box that sawys please wait while windows configures iTunes and it gets about 1/5 of hte way and just stops at 22 seconds left. I have a feeling it has something to do with the

  • Publications - Successful job run - View Log File

    Hi everyone, We have a growing number of Publication (based on Webi documents) that are scheduled and I want to report on Errors & Warnings. When a Job Fails, I can use our Auditing universe and get visibility of the failure reason. When a Job is Suc

  • Jumping between apps without cmd shift

    In Tiger, I could work across various apps and in the finder without cmd shifting between apps as long as they were visible in one or the other monitor. In Leopard I have to cmd shift or select the gray bar at the top or along the side of an app to u

  • Comment mettre à jour MAC OS 10.5.8 vers snow leopard avec un dvd hs

    Mon macbook pro de 2008 est en MACOS 10.5.8, j'ai lu qu'il y a un passage obligé vers 10.6 snow leopard pour évoluer vers les autres versions plus récentes et éventuellement yosemite...Seul hic, mon lecteur dvd est hs, et visiblement, le snow n'est p