Object level authorization for SLT Configuration schema in HANA DB
Hi All,
We have connected SLT with HANA DB (& ECC as source system).
Now for certain users we wanted to restrict the access for certain tables ( tables owned by SLT Schema, i.e schema created in HANA DB with the configuration name provided in the SLT configuration).
With the SYSTEM user object level authorization's of another schema is not possible hence , an error is thrown when we are trying to provide/control the access of single table for a user.
Is it ok that we generate a password for SLT schema and try login with schema owner. Is it the best practice or Is there any other way around.
Regards,
Kumar
Hi Santosh,
You can find more info about SLT Roles and Authorization from below security guide.
http://help.sap.com/hana/SAP_HANA_Security_Guide_Trigger_Based_Replication_SLT_en.pdf
Regards,
V Srinivasan
Similar Messages
-
Object level authorizations for deffirent user restrictions
Hi
i have 1 object, this object have only 3 values?
i need authorizations for this object at report level?
rsa1- i keep authorization relevant?
rsecadmin i can include this object , here i need give from value and to value? i have 3 values only? suppose user 1 want only 1 value? user 2 need 2 and 3 value? how can i restrict like this ? ple let em knowHi Suneel,
Go to RSECADMIN.
Here, in maintain authorizations, create authorization for your characteristics along with the special characteristics.
i.e. in your case, create authorization(assume 0plant is marked as authorization relevant)
0PLANT
0TCAACTVT
0TCAIPROV
0TCAVALID
Double click on each characteristic to assign them the authorized value set.
Thus, you will create two authorizations
Z_PLANT_1
0PLANT...................I..EQ..............1
0TCAACTVT.............I...EQ..............3
0TCAIPROV.............I...EQ..........ZPROVIDER
0TCAVALID..............I...EQ...........*
Z_PLANT_2&3
0PLANT...................I..EQ..............2
..............................I..EQ..............3
0TCAACTVT.............I...EQ..............3
0TCAIPROV.............I...EQ..........ZPROVIDER
0TCAVALID..............I...EQ...........*
Go to RSECADMIN again in user tab in assignment, assign these authorizations created to the respective users.
Like assign User1 -
>Z_PLANT_1
................User2 -
>Z_PLANT_2&3
Refer the link below for more information
[Analysis Authorization|http://help.sap.com/saphelp_nw70/helpdata/en/66/019441b8972e7be10000000a1550b0/frameset.htm]
Hope this helps,
Best regards,
Sunmit. -
Object level authorizations for reports
HI
I have 20 charactesr in cube , around 15 have navigational attributes.
i need to give authorizations for 5 objects only .( navigational attributes).
i have 10 reports, i need 2 reports only authorizations relavant.
if i restrict 5 objects authorizations , its effect all queris? in this scenerio i need to create 2 cubes?
ple let me knowhi suneel,
As you said you require authorization for 2 reports, you can restrict those Infoobjects with the authorization variables and in the other 3reports use that object but do not restrict to the authorization variables..
So, the user will be able to see whole data for 3 reports where authorization is not used.
Hope it is clear.
Thanks
Lavanya -
"Low-level" authorizations for accessing BW reports - add users to role
Using the advice in Topic "Low-level" authorizations for accessing BW reports, I have been able to publish a query to a role that has 3 test users and each user gets the same query but with different data, as determined in the tables.
Is there a way to look up the users and e-mail addresses from a table and associate them to the role? We have several hundred e-mail recipients that will not need BW access, but only need an e-mail with a static report that contains data on their own territories.Hi!
i think programatically it might be complex. You got to maintain a seperate variant of report per user and use this variant to send mail. that means you need to maintain a variant and a Broadcast setting per user. once maintained you can use it any number of times the values will be recalculated everytime.
with regards
ashwin
<i>PS n: Assigning point to the helpful answers is the way of saying thanks in SDN. you can assign points by clicking on the appropriate radio button displayed next to the answers for your question. yellow for 2, green for 6 points(2)and blue for 10 points and to close the question and marked as problem solved. closing the threads which has a solution will help the members to deal with open issues with out wasting time on problems which has a solution and also to the people who encounter the same porblem in future. This is just to give you information as you are a new user.</i> -
Plant level authorization for Notification Change
Hi All
We have 7 plants and person belong to one plant is able to open and change the notification of other plants.
In the role we have given restriction for the plant for the Tcode IW 22 and for the object SWERK .In the Notification only Workcenter and Plant fields are mandatory.
How can we restrict for a user belong to a particular plant can only change his plant notifications using IW22 only ---not IW28
Thanks in advance
gangsDear gangs,
Check in all the roles of that user in orgnozation levels maintenance plant and planning plant.
It may happen in one role you have ristricted for that user, but in other roles it may be having the t.code authorization for IW22 and with other plant also.
Check that also.
Regards,
Praveen. -
Object level checking for some of the basis tcodes(internal audit)
Hi masters,
in our company every month we check access controls for some of basis tcodes,i am giving it below,is the selection for Tcode and object level values combinations are correct or is there any modifications please notify.
Tcodes Imp Auth Objects Auth fields Auth values
SCC1 S_CLNT_IMP Actvt 21,60
S_TABU_CLI CLIIDMAINT X
SCC4 S_TABU_CLI CLIIDMAINT X
S_TABU_DIS Authorization Group *
Actvt 01,02
SCC5 S_CLNT_IMP Actvt 21,60
S_TABU_CLI CLIIDMAINT X
SCC7 S_TRANSPRT Request type *
Actvt 43,60,75
S_CLNT_IMP Actvt 21,60
SCC8 S_DATASET PROGRAM *
Actvt 06,34,A7
S_TRANSPRT Request type *
Actvt 43,60,75
SCC9 S_TABU_CLI CLIIDMAINT X
S_CLNT_IMP Actvt 21,60
SCCL S_TABU_CLI CLIIDMAINT X
S_CLNT_IMP Actvt 21,60
SCU0 S_TABU_DIS Authorization Group SS
Actvt 01,02
S_TABU_RFC Actvt 3
OBR1
SM01 S_ADMI_FCD TLCK
SM04 S_ADMI_FCD PADM
SM12 S_ENQUE S_ENQ_ACT DPFU,DLOU
SM13 S_ADMI_FCD UADM,UMON
SM50 S_ADMI_FCD PADM
SM54 S_ADMI_FCD NADM
SM55 S_ADMI_FCD NADM
SM56
SM59 S_ADMI_FCD NADM
RFCA
SMLT S_LANG_ADM Actvt 02,16,61
Table *
SPAD S_SPO_DEV SPODEVICE *
SP01 S_SPO_DEV SPODEVICE *
S_ADMI_FCD SP01,SP0R
ST01 S_ADMI_FCD ST0M,ST0R
ST05 S_ADMI_FCD ST0M,ST0R
RZ04 S_RZL_ADM Actvt 1
RZ06 S_RZL_ADM Actvt 1
RZ10 S_RZL_ADM Actvt 1
RZ21 S_RZL_ADM Actvt 1
S_BTCH_JOB JOBGROUP *
JOBACTION DELE,RELE
SM49 S_LOG_COM Command *
Opsystem *
Host *
S_RZL_ADM Actvt 1
SM69 S_RZL_ADM Actvt 1
SM63 S_RZL_ADM Actvt 1
SMLG S_RZL_ADM Actvt 1
SE16 S_TABU_DIS Authorization Group *
Actvt 01,02
SM30 S_TABU_DIS Authorization Group *
Actvt 01,02
SM31 S_TABU_DIS Authorization Group *
Actvt 01,02
SPRO S_PROJECT PROJECT_ID *
APPL_COMP *
PROJ_CONF *
Actvt 02,06
S_DOKU_AUT DOKU_ACT MAINTAIN
DOKU_DEVCL *
DOKU_MODE *
SPRO_ADMIN S_PROJECTS APPL_COMP *
PRCLASS *
Actvt 01,70
S_PROJECT PROJECT_ID *
APPL_COMP *
PROJ_CONF *
Actvt 02,06
PFCG S_USER_AGR ACT_GROUP *
Actvt 01,02
S_USER_PRO Actvt 01,02
PROFILE *
SM19 S_ADMI_FCD AUDA,AUDD
SU01 S_USER_AGR *
01,02
S_USER_GRP Class *
Actvt 01,02
SU02 S_USER_PRO Profile *
Actvt 01,02
SU03 S_USER_AUT OBJECT *
AUTH *
Actvt 01,02
S_USER_PRO Profile *
Actvt 01,02
SU05
SU10 S_USER_GRP Class *
Actvt 01,02
SU12 S_USER_GRP Class *
Actvt 01,02
SU20 S_DEVELOP DevClass *
ObjectType SUSO
ObjectName *
P_Group *
Actvt 01,02
SU21 S_DEVELOP DevClass *
ObjectType SUSO
ObjectName *
P_Group *
Actvt 01,02
SU22 S_DEVELOP DevClass *
ObjectType SUST
ObjectName *
P_Group *
Actvt 01,02
CMOD S_DEVELOP DevClass *
ObjectType CMOD
ObjectName *
P_Group *
Actvt 01,02
SA38 S_PROGRAM P_Action SUBMIT,BTCSUBMIT
P_Group *
SD11 S_DEVELOP DevClass T,Y,Z*
ObjectType UDMO,UENO
ObjectName *
P_Group *
Actvt 01,02
SE11 S_DEVELOP DevClass T,Y,Z*
ObjectType DOMA,DTEL.ENQU
ObjectName *
P_Group *
Actvt 01,02
SE12 S_DEVELOP DevClass T,Y,Z*
ObjectType DOMA,DTEL.ENQU
ObjectName *
P_Group *
Actvt 01,02
SE13
SE14 S_DEVELOP DevClass T,Y,Z*
ObjectType INDX.MCID,TABL
ObjectName *
P_Group *
Actvt 01,02
SE15 S_DEVELOP DevClass *
ObjectType *
ObjectName *
P_Group *
Actvt 3
SE37
SE38 S_DEVELOP DevClass T,Y,Z*
ObjectType FUGR,PROG
ObjectName *
P_Group *
Actvt 01,02
SE93 S_DEVELOP DevClass T,Y,Z*
ObjectType TRAN
ObjectName *
P_Group *
Actvt 01,02
SE41 S_DEVELOP DevClass *
ObjectType *
ObjectName *
P_Group *
Actvt 01,02
SE43 S_DEVELOP DevClass *
ObjectType *
ObjectName *
P_Group *
Actvt 3
SE43N S_DEVELOP DevClass '
ObjectType '
ObjectName '
P_Group '
Actvt 01,02
SE51 S_DEVELOP DevClass T,Y,Z*
ObjectType FUGR,PROG,DYNP
ObjectName *
P_Group *
Actvt 01,02
SE80 S_DEVELOP DevClass T,Y,Z*
ObjectType *
ObjectName *
P_Group *
Actvt 01,02
SE81 S_DEVELOP DevClass *
ObjectType *
ObjectName *
P_Group *
Actvt 01,02
SE82 S_DEVELOP DevClass Y,Z
ObjectType APPLTREE
ObjectName *
P_Group *
Actvt 01,02
SE91
SE92
SE92N
SNRO S_NUMBER NROBJ *
Actvt 02,17,11
SQ00 S_QUERY Actvt 02,23
SQ01 S_QUERY Actvt 02,23
SQ02 S_QUERY Actvt 02,23
SQ03 S_QUERY Actvt 23
SQVI
SM35 S_BDC_MONI BDCAKTI ABTC,AONL,DELE
SM35P S_BDC_MONI BDCAKTI ANAL
SM36 S_BTCH_ADM BTCADMIN Y
SM37 S_BTCH_JOB Jobaction PROT,SHOW
Jobgroup *
SM39
SM62
SM64 S_BTCH_ADM BTCADMIN Y
SE01 S_CTS_ADMI CTS_ADMFCT EPS1,EPS2,PROJ
S_TRANSPRT Actvt *
Ttype *
SE06 S_C_FUNCT PROGRAM SAPLSTRF,SAPLSTRI
CFUNCNAME SYSTEM
ACTVT 16
S_TRANSPRT Actvt 43,60,65
Ttype *
SE09 S_TRANSPRT Actvt 43,60,65
Ttype *
S_CTS_ADMI CTS_ADMFCT EPS1,EPS2,PROJ
SE10 S_TRANSPRT Actvt 43,60,65
Ttype *
S_CTS_ADMI CTS_ADMFCT *
SPAM S_CTS_ADMI CTS_ADMFCT IMPA,IMPS
S_TRANSPRT Actvt 43,60,65
Ttype PATC,PIEC
STMS S_CTS_ADMI CTS_ADMFCT *
S_RFC Actvt 16
RFC_NAME EPSF,STPA
RFC_TYPE FUGR
Edited by: rameshbabu muddana on Mar 2, 2009 10:56 AMhi,thanks for reply "you should not care about the transaction start s_tcode at all - only check the object required"
It has made manditory policy to check for users and roles every month with given criteria of Tcode and object,now i have been given the task to check the combination of Tcode and object value combination are correct or not,please validate the combinations and suggest,we are using ECC 5.0,i had gone through wild card use (#) when we check in SUIM,i am getting confused that when i give # followed by value, data i am getting different from without #.please provide an example for SE16 with S_TABU_DIS
how to check?
i am checking in this way
S_TCODE SE16
S_TABU_DIS
Activity
Value 01or 02
Authorization Group
Value #&NC& -
We need to give field-level authorization for some fields
The schenario is as follows :
1. There are various storage locations within a plant.
2. There is one or more people incharge of creating PO and receiving
stocks for every storage location.
3. We dont want to authorise the person incharge of one storage
location to receive stock in another storage location or even view the
other storage locations at the time of creating the PO or any other
transaction. The user incharge of one storage location should not be
able to view any other storage location in any storage location field's
drop down.
regards
Manish
+91 9811647727Hi Umesh,
Please see the documentations for authorization profile P_ABAP in the R/3 library and the following:
SU03 -> HR Human resources -> position your cursor to P_ABAP HR: Reporting -> choose button "Docu." -> the pop-up "help - P_ABAP" appears.
There is an example, which describes a similar issue regarding RPTIME00 and the Basic pay infotype (0008).
The standard reports of personnel administration are based on logical database PNP I would recommend to set your authorization as follows:
Object HR: Master data (P_ORGIN) (two authorizations)
Infotype 0002 ' '
Subtype * ' '
Authorization level R ' '
Organizational key ' ' 0001YYYYXXX
Object HR: Reporting (P_ABAP)
Report name SAPDBPNP
Degree of simplification 1
Please note, that if a user has authorization for e.g. the birthday list , (s)he will be able to view the birth date through thisquery, although (s)he cannot access to IT0002 through PA20.
Another possibility would be using Customer-Specific Authorization Object P_NNNNN. I have attached a file with a very comprehensive documentation regarding HR authorizations. P_NNNNN is documented on pages 40 ff.
Hope this help
Sarah -
Field level Authorization for IT0002
Hi All,
We have a requirement to control the authorization for the field NI Number/Social Security number from IT0002.
This field is getting displayed in various standard reports which are in use by administrators/Managers etc....
We want to disable the access of this field to every one, even the HR administartor.
Kindly suggest if this is possible using authorizations.
I know that we can hide the field in display access for PA20 or PA30, but I am particularly serching the option for various reports.
Regards,
Umesh Chaudhari.Hi Umesh,
Please see the documentations for authorization profile P_ABAP in the R/3 library and the following:
SU03 -> HR Human resources -> position your cursor to P_ABAP HR: Reporting -> choose button "Docu." -> the pop-up "help - P_ABAP" appears.
There is an example, which describes a similar issue regarding RPTIME00 and the Basic pay infotype (0008).
The standard reports of personnel administration are based on logical database PNP I would recommend to set your authorization as follows:
Object HR: Master data (P_ORGIN) (two authorizations)
Infotype 0002 ' '
Subtype * ' '
Authorization level R ' '
Organizational key ' ' 0001YYYYXXX
Object HR: Reporting (P_ABAP)
Report name SAPDBPNP
Degree of simplification 1
Please note, that if a user has authorization for e.g. the birthday list , (s)he will be able to view the birth date through thisquery, although (s)he cannot access to IT0002 through PA20.
Another possibility would be using Customer-Specific Authorization Object P_NNNNN. I have attached a file with a very comprehensive documentation regarding HR authorizations. P_NNNNN is documented on pages 40 ff.
Hope this help
Sarah -
BI7 InfoObject Value Level Authorization for Queries
Hi Guys/Gals,
this is my requirement.....
we have a HR ODS which has personal information of employees from 72 Companies.
we have a query based on this ODS ....
My requirement is when User A runs the query only data from Company A must be displayed...
and when User B runs the same query only data from Company B must be displayed....
no pop-ups for the company code .....
i posted this question yesterday & got a few replies....i tried them out... but there is this issue...
i used the RSECADMIN & created the AO which includes the 0COMP_CODE....
then i added it to the role using PFCG....
when i add the AO i created in the " BI Analysis Authorizations: Na " section...
the query gives a "no authorization" error.....
then one of u guy asked me to add it in to the
"SAP Business Information Warehouse - Reporting" section,,,, so i did that....
but unless i also add " BI Analysis Authorizations: Na " with * the query doesn't work....
and when i add " BI Analysis Authorizations: Na " with * &
"SAP Business Information Warehouse - Reporting" with the AO i created...
the filter doesn't work... it displays all the data
please help me.....Hello Christopher,
your thread is a little bit confusing and unclear. I just had a look at the other two threads you posted and here are my comments:
Prerequisite for the use of BI 7.0 analysis authorizations:
- each user needs authorizations for the three special dimensions (0TCAACTVT, 0TCAIPROV and 0TCAVALID) otherwise queries won't run!
As a consequence you will have to create analysis authorizations like this:
<b>ZCOMP_1000</b>
0COMP_CODE<i> I EQ</i> 1000
0TCAACTVT <i>I EQ</i> 03
0TCAIPROV <i>I EQ</i> your HR DSO
0TCAVALID <i>I EQ</i> *
<b>ZCOMP_2000</b>
0COMP_CODE<i> I EQ</i> 2000
0TCAACTVT <i>I EQ</i> 03
0TCAIPROV <i>I EQ</i> your HR DSO
0TCAVALID <i>I EQ</i> *
You can then assign these authorizations directly to your specific users using RSU01 or you will create a role and add the authorization object S_RS_AUTH with value ZCOMP_1000 and another one that contains S_RS_AUTH with value ZCOMP_2000.
Of course your users will need authorizations for standard reporting such as S_RFC, S_RS_COMP, S_RS_COMP1.
S_RS_ICUBE, S_RS_ODSO, S_RS_MPRO, S_RS_ISET are not necessary any more for reporting because they were replaced by 0TCAIPROV in the analysis authorization.
Finally the query selection must be COMPLETELY be a part of the user's authorizations. This is best done by an query variable that is filled from the user's authorizations at runtime.
Good luck,
Petra -
Second Level Authorization for ESS
Hi,
I have an issue regarding ESS . The requirement is to provide a second level authorization when anybody clicks on the content in ESS. i,e a logon screen. On successful authentification the user has to see the required info. We should also be able to provide a 5 min idle time out. Can anybody help me with this.
Thanks,
AbhishekAbhishek, Did you find any solution for second level authentication for ESS?
-
InfoObject level authorization for Queries
Hello Experts,
I'm working on an authorization object to restrict my queries. Basically we want to restrict the queries based on Personnel area. I've created an authorization from RSECADMIN with the following variables.
0PERS_AREA eq XXXX
0TCAACTVT eq 03
0TCAIPROV eq my infocube
0TCAVALID cp *
I've made my info object 0PERS_AREA as authorization relevant and I've assigned this object to a user say 'A' from RSECADMIN. Now for the personnel area in my query I've created a variable of type 'characteristic value', variable name as ZPERSA, processing by 'Authorization', variable represents 'Multiple Single Values' and not ready for input. FYI, I've created this variable from single values selection.
When I execute the query with user A, I expect it to display the data for personnel area XXXX only but it displays the data for all the personnel areas. Can someone please help whats wrong here.
Regards,
NRHi Viki,
I've checked that earlier and I've tried all options like creating a value range variable with and without ready for input and with single values and multiple single values. But the query gives me all the personnel area records when I execute the query.
Can someone please help. Its very urgent.
NR -
"Low-level" authorizations for accessing BW reports
May I please have your attention for the following:
Each employee is represented by a costcenter in our R/3, and thus, BW-system.
Plan is as follows: by filling in the costcenter on the selection-screen of a BW-webreport on can see his/her own financial data for a certain (posting)period.
Is there a way to restrict access without creating separate users/roles/profiles for each costcenter??(we have a lot of potential users who only need to see the report but do not need access to BW itself (RSA1 etc)).
I'm thinking about some sort of mapping:
e.g. user SANTA logs on -> ABAP-program/function maps it to correct costcenter e.g. 1234 -> user is only authorized for this costcenter...
But is this possible and where to implement it??
Thanx a lot in advance for your hints!!!
Best regards,
MarcoThanks al lot for your replies.
Corwin, I tried your solution and I've almost got it working....
1. made a table in DDIC to link username to costcenter
2. set up a reporting auth. via RSSM
3. created a variable (ZCOSTC) type 'Authorization' in the query designer
4. wrote some code in the user-exit (via SMOD) to fill this variable (translate username to costcenter via mentioned table)
5. created a role incl. authorization with reference to variable: value '$ZCOSTC'
This reference is not working unfortunately enough.
Everything works fine when I replace $ZCOSTC by an existing costcenter.
Am I forgetting something??
Thanx again!
Best regards,
Marco -
User level Authorization for SSO by using SOAP Sender
Hi,
Scenario : Non-SAP to PI 7.31 using SOAP Sender adapter.
Authentication we need to go for user based level at the receiver system where the information shall be passed from the sender (non-SAP) and also we 're using Single Sign On method for this interface.
Note : Previously we achieved this through WS-RM using SAML certificates, but this adapter doesn't support in PI7.31 single stack since we have option only by using SOAP adapter.
Please suggest how can i achieve this for my current landscape.
Thanks for your help.
Warm regards,
Ram.Hi!
The SOAP Adapter itself has no queueing mechanism. But the PI has one if you work asynchronously.
To pick files it may be helpful to use the Axis Framework of SOAP Adapter whre you can add your own adapter modules.
Very helpful tips concerning the SOAP Adapter can be found in the SAP Note 856597 (FAQ SOAP Adapter XI 3.0 Pi 7.0 PI 7.1).
For Axis Adapter FAQ refer to SAP note 1039369
Hope this helps.
Regards,
Volker -
User level authorization for process order
Hi,
Greetings for the day.
As we all know that there are three main screen of process order
1. Header Data
2. Operations data
3. Materials Data
Now, we want to restrict the users to access the screen as below. (T-Code: COR1 & COR2)
Header
PP, MM, QM Users can change
Operations
PP, QM Users can change, MM user can display only
Materials
MM, QM Users can change, PP user can display only
How can we achieve this?
Please guide me.Hi
Yes, that is impossible to control that way in standard, so I think you may consider the the user exits to write your own source codes to check the changes done by user and prohibit the save.
PPCO0018 Check for changes to production order header
PPCO0019 Checks for changes to order operations
PPCO0008 Enhancement in the adding and changing of components
Regards.
Leon. -
Authorizations for object level
Hi
Normally BI query I can get object level authorizations,
I have customer.
I can restrict customer ( 1-10) for 1 user , this query is with me now.
if i build universe, and web intelligence
in BO this authorizations will get automatically?
or i need to restrict customer also in web intelligence.
is there any radio buttons, drop boxes for my reports in BO?
how to publish BO reports in my portal for end user purpose?Hi,
when you use a BI query with authorization variables the authorization variable will take care of the BI security and yes the OLAP universe will leverage it as well.
there is nothing "special" to do in the Universe
Ingo
Maybe you are looking for
-
How can we make an outer join (+) between 2 Queries
in the data model, i have 2 queries i.e Q_master and Q_detail i want to make a data link between these two queries and also make an outer join between these two queries(i.e. to display all the detail records, whether they have details or not) please
-
How to find the userid who created the Datasource?
hi experts, How to find out which user has created or generated the Data source based on PLANNING AREA in APO? when i replicate the data source it is showing my name, but the issue is i would like to know the Person (USER) who had generated or create
-
All EPM products to be installed are disabled in installtool.sh
Hi experts I need reinstall the all EPM products, then I executed the unistall tool and removed all files under Middleware/*, so now when I execute the installTool.sh and pass the my Middleware home and selected a New Installation, on the next screen
-
How can i get my music off of my email to my iPod touch 2nd gen and iPod 4th gen?
How can i get my music off of my email to my iPod touch 2nd gen and iPod 4th gen?
-
Hi Experts, We have the requeriment to download all the opportunities' attachments. We need the number of the opportunity and his attachment, and be able to download it to local pc. Thanks, Regards, Jose Manuel Romero.