On Authorization - BPS

Hi mates,
I have an BPS Application in which extensive Manual Planning functions are used. Hence, user does deal with Master Data Maintainance and Query Generation
I am trying to create a Authorization Role for this! Basically this Role should allow user to develop queries as well as maintain the Info Objects master Data.
Additionally, this role would also allow everything to be done in BPS0
Please advice if there are any SAP Authorisation templates I can use?
Thus far I've only used S_RS_COMP & S_RS_COMP1 & S_RS_ICUBE and S_TRANSLAT & S_BDS_DS & R_AREA
However, it doesn`t even allow RSA1 to be executed!
Please advice mate !
Message was edited by: John Mcluskey

Hi,
Check the following documentation, It might help you.
Authorizations for Business Planning and Simulation
Use
The activities that you can carry out in BW-BPS are covered by the SAP authorization concept. This allows you to grant different users different rights for accessing planning functionality.
Integration
Business Information Warehouse authorizations
As well as planning-specific authorizations, planning users normally require other authorizations too such as reporting authorizations or authorizations for master data. Make sure that the user is provided with all the necessary authorizations.
To assign authorizations for changing and displaying plan data separately, you must include the ACTVT (activity) field in the reporting authorization object. In this field the value 02 represents the authorization to change. Value 03 represents the authorization to display plan data. If you do not include the field then this corresponds to an authorization to change plan data.
You can find more information on setting up and maintaining authorizations under Maintaining Authorizations.
Authorizations for SAP R/3 systems
In addition to that, because of internal dependencies, you need authorization for the following authorization objects for data entry using planning layouts:
Authorization object
Object class
Description
BC-SRV-KPR-BDS: Authorizations on document set (S_BDS_DS)
BC_Z
Controls access to documents that belong to a document set of the Business Document Service (BDS).
Authorization object for the translation environment (S_TRANSLAT)
BC_C
Controls access to the translation functions of the SAP System. Determines whether, in which languages and which text types are to be translated.
Features
The following authorization objects exist for Business Planning and Simulation:
Authorization objects of object class RS for BW-BPS
Authorization object
Description
Planning level (R_AREA)
Controls access to the planning area and all lower-level objects. You must set up read access to planning areas for people who will work with the BW-BPS component. Otherwise, they will not be able to access any of the subordinate planning elements.
Planning level (R_PLEVEL)
Controls access to the planning area and all lower-level objects.
Planning package (R_PACKAGE)
Controls access to planning packages (including ad hoc packages).
Planning methods (R_METHOD)
Controls access to planning functions and the corresponding parameter groups.
Parameter group (R_PARAM)
Controls access to the individual parameter groups of a particular planning function.
Global planning sequence (R_BUNDLE)
Controls access to global planning sequences (you control authorizations for planning sequences that you create for a planning level with the authorization objects R_METHOD, R_PLEVEL, or R_AREA).
No separate authorization for execution is defined for this authorization object. Whether a global planning sequence can be executed or not, depends on the authorization objects for the planning functions contained in it.
Planning profile (R_PROFILE)
Controls access to the planning profile. A planning profile restricts the objects that can be viewed. If you wish to view the planning objects, you must have at least display authorization for the appropriate planning profile.
Planning folder (R_PM_NAME)
Controls access to planning folders. In order to be able to work with planning folders, you also require the necessary authorizations for the planning objects combined in the folder.
Using the Web Interface Builder
Controls access to Web interfaces that you create and edit with the Web Interface Builder, and from which you can generate Web-enabled BSP applications.
Authorization for planning session and subplan (R_STS_PT)
Controls access to the Status and Tracking System. The object enables a check to be carried out whether a user is allowed access to a certain subplan or a version of it with the Status and Tracking System.
Executing Customizing for the BW-BPS Status and Tracking System (R_STS_CUST)
Controls access to Customizing for the Status and Tracking System. The object enables or forbids a user to execute Customizing.
Authorization for special access Status and Tracking System (R_STS_SUP)
This authorization object provides the assigned users with the status of a superuser in relation to the Status and Tracking System. The object enables changing access to all plan data, independent of whether and where a user of the cost center hierarchy it is based on is assigned. The authorization object is intended for members of a staff controller group, who are not part of the line organization of the company, but who nevertheless must be able to intervene in the planning process.
Combination of authorizations
In accordance with the hierarchical relationships that exist between the various types of planning objects, authorizations that are assigned to an object on a higher level are passed on to its subordinate objects. An authorization that has been passed on can be enhanced but not restricted on a lower level.
The following table presents the combination possibilities using the example of a change authorization for planning area and level:
Change planning area
Change planning level
Authorization available for level
Yes
no
yes
Yes
yes
yes
No
no
no
No
yes
yes
In practice this behavior means that you can proceed according to two different strategies when setting up authorizations:
· Minimization of Customizing Effort: You assign authorizations for planning objects on as high a level as possible, and thereby enable access to the planning objects without further authorization assignment on lower levels.
· Optimization of Delimitation of Access Rights: You assign authorizations for planning objects on as low a level as possible, and therefore make sure that access to a planning object is only possible for the person responsible for this.
Activities
Create the user profiles you require and then assign authorization objects to these profiles. Then assign the newly created user profiles to possible users.
You can find further information on the activities associated with the different authorization objects in the online documentation on the authorization objects themselves. You can call this up in the maintenance transaction "Role Maintenance" (PFCG).
RC

Similar Messages

Authorization in BPS

Hi Everybody.
We have Multi-Planning Area ZMPA that consists of standard planning areas ZSPA1 (infoProvider ZICPA1) and ZSPA2 (infoProvider ZICPA2).
ZICPA1 infoProvider has:
- characteristics
     0BUS_AREA;
     0CALQUART1
     0CALYEAR;
     0CMMT_ITEM;
     0FM_AREA;
     0FUNDS_CTR.
- a key figure 0OI_EXPENSE.
ZICPA2 infoProvider has:
- characteristics
     0BUS_AREA;
     0CALQUART1
     0CALYEAR;
     0CMMT_ITEM;
     0FM_AREA;
     ZFUNDCTR.
- a key figure 0OI_EXPENSE.
ZFUNDCTR is compounded with 0CALYEAR, 0CMMT_ITEM, 0FM_AREA. ZFUNDCTR has a navigation attribute 0FUNDS_CTR.
Example of ZFUNDCTR master data:
ZFUNDCTR   0CALYEAR    0CMMT_ITEM   0FM_AREA      ZFUNDCTR-0FUNDS_CTR
01        Y1          A1           2700          01
01        Y1          A2           2700          01
02        Y1          A1           2700          02
02        Y1          A3           2700          02
03        Y1          A3           2700          03
03        Y1          A4           2700          03
Where Y1 - year value,
A1..A4 - different values.
0FUNDS_CTR is an authorization relevant characteristic. We have selected the 'Obsolete Concept with RSR Authorization Objects' and have created an authorization object ZOFUND for InfoProvider ZICPA1 only.
The planning function ZMPAPF at the ZMPA area should copy data from ZSPA2 to ZSPA1 with formula like this:
=== begin ===============
Operand {0FUNDS_CTR,ZFUNDCTR,Plng Area}
DATA s_fund TYPE STRING.
DATA V_0FUNDS TYPE 0FUNDS_CTR.
DATA V_ZFUNDS TYPE ZFUNDCTR.
foreach V_ZFUNDS in REFDATA.
s_fund = V_ZFUNDS.
V_0FUNDS = s_fund.
{V_0FUNDS,#,Plng Area} = {#,V_ZFUNDS,ZSPA2} .
endfor.
=== the end ==============
1) A User has an authorization object ZOFUND with values '01' and '02' .
But when he performs this planning function there becomes an error that he hasn't an Authorization. System can not to read data from {#,V_ZFUNDS,ZSPA2} because User hasn't an Authorization ZOFUND = #. But ZOFUND authorization have not been selected for ZICPA2 infoProvider.
Have you any comments?
2) We have given an authorization value '#' for this User to solve the problem. And now User can see all values in the list of authorization relevant variable in the BPS. I think it's not correct. For example he can see only '#', '01', '02' values for autorization type variable in the BEx Analyzer .
SAP NetWeaver BI 7.0, Support Package 15.
With best wishes, Alexander.

Hi,
To answer ur first question, as u didnt select infocube2 for authorization and the planning function level contains 0FUNDS_CTR, system cant read any record from infocube2 example {#,V_ZFUNDS,ZSPA2}.
Now after giving # access, he can see all values for the variable but the planning function wont work because authorization is not checked for cube2.
i hope u should give authorization check for cube2 also. and see giving only # value to cube2.
i didnt understand what exactly is the planning function doing.
i guess it is dealing only those records which have 0funds_ctr as # from cube2.
u can try this.
Bindu

Authorization issue in BPS

Hi guys,
I've the authorization issue in a BPS application, where a user can upload a flatfile into a BPS-cube, but only when I select in the authorization object S_RS_AUTH 0BI_ALL.
Without selecting 0BI_ALL (another analysis authorization) yields to the message, that the user has not enough authorization...
Now the user gets access to data in the BW reporting to all the organizational marks like the organization unit (0ORGUNIT).
How is it possible to design the authorizations / analysis authorization, that the same user can upload data via flatfile, but gets only access to transaction data for organizational data which he should see???
How should the analysis authorization should be designed? Has it something to do with the techn. char. like 0TCAACTVT?
THX in advance!
Clemens

Hi,
Have you tried creating Authorization Variable for organizational Unit ?
This will give restricted access to data based on the authorization assigned .
Thanks
Pratyush

Analysis Authorization with SEM-BPS

Hi,
We have performed technical upgrade from BW 3.5 to BI 7.0. We want to migrate to BI 7.0 functionality phase wise.
We have SEM-BPS and now we want to migrate to Analysis Authorization of BI 7.0.
Once we have igrated to Analysis Authorization, will there be any impact on SEM-BPS? Can we still use SEM-BPS with New Analysis Authorizations? We do not want to move to BI-IP in near future?.
Please advise.
Best Regards,
UR

Dear UR,
Iu2019m going to try helping you,
In difference of reporting functionality, in planning, the data of an InfoCube is not just read; it is also changed or created.
There are two planning tools in BI: BW-BPS (Business Planning and Simulation), and BI Integrated Planning.
There are two main tcode: BPS0 and RSPLAN
There are three authorization objects to manage Integrated Planning:
S_RS_PL_ADMIN - Planning Administrator
S_RS_PL_PLANNER u2013 Planner
S_RS_PL_PLANMOD_D u2013 Planning Modeler (Development System)
The main object in the planning scenario is InfoCube real-time, where can available writing in small package that arrive in parallel. In some cases the security requirements for reporting and planning can be merging. In this case you need authorization object for checking planning, as authorization object above, and you need authorization object for using a query for planning requires as S_RS_COMP.
In addition to authorization for displaying data, the authorizations for changing data you need analysis authorization (the analysis authorization focus in the InfoProvider, no in Aggregation Level).
In your analysis authorization design for reporting stuff, you should use in 0TCAACTVT characteristic 03 value. In the planning stuff, you should use in 0TCAACTVT characteristic 03 and 02 values. As explain following:
Using the characteristics 0TCAACTVT (activity), you can restrict the authorization to different activities. Read (03) is set as the default activity; you must also assign the activity Change (02) for integrated planning.
http://help.sap.com/saphelp_nw70ehp1/helpdata/en/b1/0c9441b8972e7be10000000a1550b0/frameset.htm
I hope this suggestion can help you answer question,
Luis

BW authorizations in BPS layout

Dear all,
My question may seem basic, but I don't have any experience with authorizations.
I need to use already existing BW authorizations in my BPS layouts, so well, I created auth. variables on the needed characteristics and assigned it to my layout.
==> nothing changes when I'm launching the layout.
I wonder if I need to ask the modification of the already existing BW roles in order to add field ACTVT? Will this have an impact on already existing BW reports for the users?
Also, does something need to be done in RSSM (or other T-code) in order to activate the auth. for my planning cubes?
Thank you in advance for your help!!

Ravi,
The objects you mentionned talk about area, planning, etc,... so they are usefull when a user wants to launch a layout in order to let him launch/plan it or not, etc... . That's the first step, and that doesn't interest me.
Second step is that when launching, the user will get his layout. This layout will be generated regarding the design I made in BPS0 and then also the variables I've used.
If I've restricted my planning level by using variables of type authorization on an char. that is in the lead column of my planning layout, it should restrict the diplayed/available rows regarding that authorization (ex : only company code 1000 for user A; company code 2000 for user B ; company code 1000 and 2000 for user C ==> coming from reporting authorizations in BW)
So I really think we don't speak about the same thing... or it's me that doesn't understand! (that's also possible )

Issue with authorizations for BPS

Hi Experts,
There was an issue with authorizations for BPS. We have a large number of agents that need to enter plan data via a layout. In order to control the necessary authorizations, we would like to filter via something similar to a user exit using a function module in order to avoid having to define authorization objects for each of the agents who have access to the systems. Right now, we are not sure if there is user exit concept available as it is for BW variables. Any body experienced similar issue may share their experience.
Regards,
Ankit

Hi,
In BPS, you can use user specific variables or you can set up a Variable of type exit. You can also have a variable of type authorization which uses the security / authorization of the BW system.
Hope it helps...
Cheers,
Tanish

BPS You have no authorization for the requested data

We are implementing Hierarchy node based security for our BPS.
When the user tries to display the planning layout, they get the error message "You have no authorization for the requested data "
I have given authorization to the relavant Infocubes, also checked the all the Authorization Relavant Info Objects and added theses Info Object to the custom authorization created in RSECADMIN.
Also added the info objects 0TCAACTVT, 0TCAIPROV, 0TCAVALID to the custom authorization.
In pfcg, this authorization has been added to S_RS_AUTH. I have also given activity 02, 03, 16 values and a * to planning areas, functions, packages, groups, levels, folders, ... to the objects R_AREA
R_BUNDLE
R_METHOD
R_PACKAGE
R_PARAM
R_PLEVEL
R_PM_NAME
R_PROFILE
But still we get the same error.
Has anyone encountered this problem? Can you please provide me some clues to resolve this issue

Thank you very much Grevaz, but that template does not help.
I did run both ST01 trace and BI RSECADMIN trace. RSECADMIN Trace shows the below authorization failure
Subselection (Technical SUBNR) 1
Supplementation of Selection for Aggregated Characteristics
No Check for Aggregation Authorization Required
Following Set Is Checked Comparison with Following Authorized Set Result Remaining Quantity
Characteristic Contents
0FUNDS_CTR
0TCAACTVT
SQL Format:
FUNDS_CTR BETWEEN '4012001000'
AND '4012001999'
AND TCAACTVT = '03'
Characteristic Contents
0FUNDS_CTR Node 1 I EQ #
I EQ :
0TCAACTVT I EQ 02
I EQ 03
Partially Authorized (Average) Characteristic Contents
0FUNDS_CTR
0TCAACTVT
SQL Format:
FUNDS_CTR > '4012001000'
AND FUNDS_CTR <= '4012001999'
AND NOT FUNDS_CTR IN ('4012001001','4012001002','4012001003','4012001004','4012001005','4012001006','4012001007','4012001008','4012001009','4012001010')
AND TCAACTVT = '03'
Value selection partially authorized. Check of remainder at end
Following Set Is Checked Comparison with Following Authorized Set Result Remaining Quantity
Characteristic Contents
0FUNDS_CTR
0TCAACTVT
SQL Format:
FUNDS_CTR > '4012001000'
AND FUNDS_CTR <= '4012001999'
AND NOT FUNDS_CTR IN ('4012001001','4012001002','4012001003','4012001004','4012001005','4012001006','4012001007','4012001008','4012001009','4012001010')
AND TCAACTVT = '03'
Characteristic Contents
0FUNDS_CTR Node 1 I EQ #
I EQ :
0TCAACTVT I EQ 02
I EQ 03
Not Authorized
All Authorizations Tested
Message EYE007: You do not have sufficient authorization
No Sufficient Authorization for This Subselection (SUBNR)
Following CHANMIDs Are Affected:
206 ( 0FUNDS_CTR )
Authorization Check Complete
We have created custom authorization and trying to restrict based on hierarchy node.
One point I observed is, when I give access to all nodes with a wildcard * in the custom authorization, then the error disappears and the layout is visble. But our point here is to try to restrict based on the nodes and we cannot give display access to all nodes.

Authorizations in SEM-BPS (Web Layouts)

Hi all,
I have a question that hopefully somebody can help me in solving it.
We have a bps application, with authorizations maintained in the sap normal way: pfcg, rssm, etc.
The question is that we started to build some web (alv) layouts, and need to maintain the same authorization schema.However, the authorizations are not verified in the web layouts.
Can somebody provide some hint in solving this problem ?
Best Regards,
Ricardo

Hi Raman,
Sorry but your tip doesn't work
That's precisely our problem: the authorization scheme we implemented in the "SAP GUI side" doesn't work in the web side". Using web layouts, I still can acess some layouts I shouldn't be allowed to (user dependent)
Thank you anyway
Regards,
Ricardo

Authorizations for BW reportings and BW BPS

Hello,
The project we are working on contains two aspects : one in BPS and one in BW reporting
First the user needs to input or change data in the BPS application and then he can check his figures in a BW Report. We want each user to have authorizations only for his company and his business unit.
So we created authorization objects (RSSM) with a typical user profile (does not have SAP_ALL and all profiles required to customize anything).
In this authorization object we put different characteristics such as : Company, Business Unit, Activity and Version.
In the (PFCG), for company and business unit we put the values needed for the user. For Activity, we put "change" and "display". And for version we put "*".
We can then change values in the BPS layouts but we do not have access to the concerned report in BW.
Could somebody help us on this matter ??? Or does somebody have informations on how to implement this kind of authorizations ?
Thank you very much for your help

Hi Jacques,
I hope the following links and documents ll be useful to u.
BUSINESS PLANNING AND SIMULATION BPS:
go to https://websmp103.sap-ag.de/bi
-> SAP BW 3.5 -> SAP BW Business Planning and Simulation
Here you can find "HOW TO... Guides - BPS", "SEM-BPS ASAP" and other useful section with many documents...
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/ae9fba90-0201-0010-d490-cbf9a364de95
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/biw/d-f/enhancements bw-bps formerly sem-bps in sapnetweaver 04.ppt
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/biw/d-f/frequently asked questions - planning with sap netweaver bi.faq#q-6
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/5d90209f-0501-0010-59a2-9243ac94a4d7
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/biw/s-u/sap bw business planning and simulation - how to guides list.htm
http://help.sap.com/saphelp_sem40bw/helpdata/en/05/242537cedf2056e10000009b38f936/frameset.htm
Hierarchies in BPS appln :
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/ae9fba90-0201-0010-d490-cbf9a364de95
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/biw/d-f/enhancements bw-bps formerly sem-bps in sapnetweaver 04.ppt
for BEx-reporting
http://searchsap.techtarget.com/searchSAP/downloads/chapter-august.pdf
http://searchsap.techtarget.com/featuredTopic/0,290042,sid21_gci1121728,00.html?bucket=REF
Hope it helps...let me know
regards,
R.Ravi

BPS / BW authorizations

Hi All,
I have the following scenario in SEM 3.50:
BW
Characteristic Company is authorization relevant
Activity is included in the authorization object
The test-user has reading rights for all companies, writing is restricted.
BPS:
Company is not included in the planning level
Company is derived using characteristic relations (Attribute)
Problem:
If Company is not included in the level, I have to set ':' within BW authorization object for company - else I will receive an auth. error.
If ':' is set writing is not restricted to specific companies.
Does anyone have a coule whats my problem?
Tanks in advance
Steffen

Hi,
Do you need to store the actual value of Company or just display it for informational purposes in the layout? If it's just as an information you can change the following:
- Don't derive company code
- Change your layout
- Click on the tab: Lead column in step two
- Click on Attribute button
- Select Company code
- Save/run layout
Company code is only displayed in the layout and you don't have to worry about write access to data.
Hth.,
-Jacob

BPS Hierarchy Authorizations

Hi All,
We are implementing hierarchy node based authorizations for our BPS and related queries and it works fine. We have 300+ nodes and for this we would require a role for each node of the hierarchy (that would be 300+ roles).
Now we are planing to use a hierarchy node exit varaible so that we end up with only one role. Can someone please let me know if there are complications in this approach or, if anybody has implemented this, can you please share your experience.
Thanks,
Jay
Message was edited by:
jayaroop gullapalli

Marc,
Thanks a lot for the solution.
Firstly pardon me for my ignorance.
Do I really not need any roles at all? How would the users get access to the planning functions related to their fund centers (its a fund centers based hierarchy)?
Please correct me if I am wrong, I think I will need one role that gives access to the planning functions and the authorizations in RSECADMIN will restrict to fund center nodes. But this way, half the burden of building 300+ roles is now decreased. Thanks for this solution.
Our fund center hierarchy is based on the characteristic 0FUNDS_CTR and not on 0TCTAUTH. It looked like the second option in point 4 of the link you provided will not serve my case.
http://help.sap.com/saphelp_nw2004s/helpdata/en/e3/fc8b41b5b3b45fe10000000a1550b0/frameset.htm
Would I have to build 300+ authorizations using RSECADMIN for each node?
Again thanks a lot for your guidance
Message was edited by:
jayaroop gullapalli

BPS Authorization

Hi all,
Need your valuable input to resolve this.
I intend to restrict BPS users to access BPS data pertaining to their cost centers only. I am creating BPS hierarchy node variable with user defined values. My expectation is that if a user with defined node in the variable execute the planning layout, all cost centers within the defined node will be made available for combination navigation.
The problem is that when the user is assigned to an authorisation profile with access to the right planning area, level and folder, the user is getting the following errror message.
Characteristic combinations: No values could be found for chara. Cost Center
Message no. UPC527
When I assign this user with SAP_ALL profile, this problem is gone.
I have no authorization objects (via RSSM) created for both cases.
Any input to solve the issue will be awarded points. Thanks
Regards.

Can't you get the necessary input when doing SU53?
D

Authorization to run a bps function from web

Hi gurus,
We have a layout that the users will access from web. For this we have created a Web Interface. This layout has also a planning function that calls an abap program.
We have created a profile and the user is able to access and run that function from GUI, however from WEB that fuctions does not run the abap.
The user already have the following authorization objects: S_ICF, S_DEVELOP, R_BUNDLE, R_PLEVEL, R_WEBITF, S_RS_ICUBE, S_RS_IOBJ, but it looks like something is still missing.
I´d appreciate any help
Thanks,
Pablo

You may want to run Su53 and see the error.
You need to grant authorizations for the BPS objects that may be called when the web inyterface executes.
PL take a look at the link:
http://help.sap.com/saphelp_sem350bw/helpdata/en/05/242537cedf2056e10000009b38f936/frameset.htm
Ravi Thothadri

Bps variable by authorization

Dear Friends,
I can tell a bps variable value is authorization-derived.
How can I know straightaway what is the authorization / object tied to this so that I can check / set the authorization?
Please can you give me some hints.
regards
H.C


Hi 
In BW 3.x, you can even go to t-code SU01, Enter User ID (whose authorizations have to checked) and press the Display button at top to see User Profile. 
In the next screen, you can navigate to different tabs like roles, profiles etc to get more details. If you double click on any role, system will display the specifics of that role.
 
Hope it helps. 
Cheers Abhijit
Please assign Reward Points if I deserve them in your opinion

BW-BPS and new analysis authorization concept

We are using BW-BPS on Netweaver 2004s SP8 and the new autorization concept is switched on.
Where do we need to pay attention?
Which authorization objects stay the same and which are now to be maintained in analysis authorizations?
Thanks for your suggestions.
Anja

In NW04S, BPS and BI IP share the same new authorization concept so you tend to have to rebuild specific profiles used for BPS. The old BW-BPS tend to have authorization for R_* and they need to be redone using the new authorization concept and it can take some time if you have a lot of profiles.

On Authorization - BPS

Similar Messages

Maybe you are looking for