Problem of hierarchy authorization on 0PLANT

Similar Messages

• Hierarchy Authorization Problem

  Hi experts!
  I am implementing Analysis Authorization Using Variable and one of the object is Org unit hierarchy authorization. The idea is to populate the personnel's authorized value of org unit into the hierarchy authorization and it is then allowed to see its node and anything below its node.
  Say for example I am Authorized to Orgunit A0 and I should see A1 and A2 as well which are the children of A0 and when I ran the query I am only able to see A0 only thou there are records of A1 and A2
  What should I toggle to be able to see A0 together with its children (A1 and A2)?
  The settings in for hierarchy authorization is TYPE 1( Subtrees below the node ) and Validity Range 2 (Name Identical)
  Points will be awarded !
  Edited by: Chee Jason on Aug 20, 2008 9:08 AM

  Just an update on the problem here
  I suspect it is the problem with my customer exit because when I maintain the value directly it, appears correctly.
  I wonder if I do it correctly. Here is a snippet of the code... Please advise me. Thanks!
  DATA: L_S_RANGE  TYPE RSR_S_RANGESID
  L_S_RANGE-LOW = 'A0'.
  L_S_RANGE-SIGN = 'I'.
  L_S_RANGE-OPT = 'EQ'.
  Append L_S_RANGE TO E_T_RANGE
  Edited by: Chee Jason on Aug 20, 2008 11:40 AM

• Bw time dependent hierarchy authorization in Hr - Key date problem - 0orgunit

  Hello Gurus,
  I'm facing a problem with the 0Orgunit hierarchy authorization.
  In the Rsecadmin screen we set the hierarchy authorization for 0orgunit characteristic, before selecting the hierarchy node, we enter the key date.
  I tried many cases, but neither of the key dates gives the correct results in the report. (Todays date, 01.01.1900, 31.12.9999 etc..)
  In the report the key date variable is generated by RSTHJTMAINT transaction. I guess, this is creating a problem with the authorization key date.
  A similar problem is told in the following link as well:
  http://scn.sap.com/thread/1437951
  I spend some hours, and tried many possibilities (validity period etc.), but I could'nt get it worked.
  I'm not sure if I had this error before 7.31 update.
  With this opportunity, I want to thank you every one in the Sdn community. It helps a lot for resolving our issues and sharing the knowledge.
  Thanks a lot.
  Regards.

  Hi Norbert,
  Can you check that the SAP note 1301644 has been applied in your system.
  Best Regards,
  Des Gallagher

• Problem in transporting authorization object

  Hi,
  I am facing a problem in transporting the authorization object. We have an existing cube in development and production. In production the object has 3 authorization objects checked. Now I want to change the authorization object assignment in my cube. So I changed the assignment in the development, but when I tried to transport the authorization object it collected all the cubes where the authorization object is used.
  I want to transport only the authorization object associated with that cube, not all. I understand that logically if we are transporting the authorization object from RSSM, it takes all the assignments. But I don't want to do that because there may be some inconsistencies between the system.
  Can you tell me weather we have any other way, so that the authorization object is transported only for one particular cube assignment not all.
  Thanks in advance
  Prashant

  Hi,
  I tried that but not getting anything.
  Can you please tell me the steps.
  Steps I have done are as follows.
  1. Go to RSSM and select the authorization object.
  2. We have a button which says transport authorization object. I clicked on that.
  3. I got a list of all the authorization objects there. I selected my authorization objects and clicked on Transfer Object button.
  4. Then I get the hierarchy authorization objects.
  5. After that I selected a request and everything is included in that request. I didn't got your above mentioned option.
  Do you want me to go to the table RSSTOBJDIR and delete all the other entries??
  It would be great if you can tell me the steps to do that.
  Thanks in advance
  prashant

• Hierarchy authorization based on 0CCA_O01

  Hello experts,
  I have loaded single values & intervals for costcenters authorizations into 0CCA_O01. I have no heirarchy authorizations available.
  Now user still wants to select costcenters in query by hierarchy nodes, but he should only see nodes and leaves determined by single authorizations.
  Anybody have an idea how could this be done?
  Any help will be appreciated.
  BR
  Ondrej

  Hi,
  I am not sure if we can do a load via flat file into 0CCA_O01. If yes, please create a flat file containing hierarchy authorization details and load it to 0CCA_O01.
  If not, we can create another DSO for hierarchy authorization.
  I hope it should solve your problem.
  Regards,
  Gaurav

• Hierarchy authorization with variables of type exit

  Hi all,
  I am trying to implement hierarchy based authorizations with variables. After collecting information from the SAP documentation and this forum, I think I know more or less how to do it, but it's not working and it has me very confused.
  These are the steps I have followed:
  - From RSSM, I have created a hierarchy authorization object including my characteristic and 0TCTAUTHH
  - From RSSM again, I have created a hierarchy authorization pointing to the node $ZG_V_008
  - From the Query designer, I have created a hierarchy node variable of processing type customer exit ZG_V_008 (are any special settings needed here?)
  - From the Query designer, I have created <b>another</b> hierarchy node variable of processing type authorization, and I have used this variable to restrict the hierarchy for my characteristic
  - I have edited the EXIT_SAPLRRS0_001 to watch for I_STEP = 0 and give values to ZG_V_008 (we'll get to my code later in case we solve this issue first
  It is my understanding that with this setup, the user exit will be called to process the value of ZG_V_008 in I_STEP = 0, however, when debugging, I don't see any calls for the function with I_STEP = 0.
  What have I done wrong?
  Thanks a lot in advance.
  Guillermo

  Thanks, Jimmy, but that does not help much: my problem is that my user exit is not evaluated with I_STEP=0, but there are no error messages or anything like that.
  I have created a test user <b>without</b> a developer role to see if that could have any impact, but it's still not working.
  Any ideas?

• Strange problem: different hierarchy in InfoObject and RSSM hierarchy auth

  Dear Experts,
       I faced a strange problem: we had defined hierarchy on InfoObject 0ORGUNIT, for example, Organization unit: 50106592 under company A department AA.
       When we define hierarchy authorization via Tcode:RSSM ( we still not migrate to new authorization conception), when I search OU:50106592, it was found under "not assignment" .
       I can not understand why it appear different hierarchy, anyone can help me ?
  Regards
  Jie

  Hi Sushant,
  I went through the note, but we do not have any variable on the hierarchy. Its a navigational attribute which is restricted on Hierarchy.
  Thank you,
  -Jaimin

• Problem during hierarchy load from ECC 6.0 to BW

  Hello,
  I encountered a problem during hierarchy loads from ECC to BW:
  I get the following in BW:
  Error when updating Idocs in Source System
  Diagnosis
  Errors have been reported in Source System during IDoc update:
  Once I go into ERP and look at the IDocs I get the following message:
  Idoc Error 26:
  EDI: Syntax error in IDoc (segment cannot be identified)
  Message no. E0078
  Diagnosis
  The segment E1RSSH does not occur at the current level of the basic type (extension ).
  This error can have several reasons:
  The segment E1RSSH is assigned to a group whose header segment does not occur.
  The segment E1RSSH does not exist in the syntax description of the basic type  (extension ).
  The sequence of segments in the group in which the segment appears is incorrect.
  Previous errors ('mandatory' segment or group missing) may be due to this error.
  Procedure
  Please check the IDoc or the syntax description of the basic type  (extension ).
  Can anyone help?

  The most basic setting in a BW system is its connectivity with the R/3 system (which is a basis team activity, but BI consultant can always help).
  Issue: While creating source system, I am getting an error "Segment E1RSSH does not exist".
  Diagnosis
  Segment E1RSSH is in the syntax description, but it does not exist.
  The issue was that some of the entries in the table EDISEGMENT were missing.
  As this a standard table, it is recommended to restore the table from Backup or from another BI system. (Please ask your basis team to do it.)
  Now, the significance of the segments: We all know that we require 3 message types in total to communicate with R/3 system. RSRQST, RSSEND and RSINFO.
  Now each of the message types has some segments which help in communication.
  You can see this segment types in the t-code we30. Just enter the basic idoc type and click on display.
  This error is not a common error, but can be useful if at any stage of implementation or support, the table gets disturbed and you have issues with source system connectivity.
  Thanks
  SM

• Hierarchy authorization default pick

  Hi ,
     I have got a profit center hierarchy which is used in the reporting in the selection screen in BW7.0 . I had created authorisations and its working fine through RSECADMIN. but i have got a question, if i leave the selection screen variable profit center empty and execute the report, it says you are not authorized,but then it works fine if i mention a hierarchy node in there. I had mentioned the values in the authorisation, as 2*,,but it doesn' tpick up any..any clues plz..
  thanks in advance.

  Hi,
  I am working with the SAP security team to get custom authorization on the Profit Center Hierarchy in place. We need to restrict access to the hierarchy nodes (only certain users need access to certain nodes in the hierarchy).
  1) We got into RSECADMIN --> Maintenance --> Created a new authorization object --> added profit center --> in the hierarchy authorization tab, added the hierarchy node and selected the Type of Authorization and Validity range as required and saved the auth object.
  2) We created a role in PFCG and added the authorization object to the role(no other authorization objects)
  3) Assigned the role to a user and tried testing the reports.
  The user could see all the nodes in the hierarchy and also data on the nodes restricted to him/her. Is there any step I am missing? Does the auth object need to be generated in RSECADMIN?
  Please advice.
  Thanks,
  Vivek

• How to understand the hierarchy structure of 0PLANT io?

  how to understand the hierarchy structure of 0PLANT io ?
  i can understand the hierarchy structure of PRODUCT io,
  well, i hope someone could explain the hierarchy structure of 0PLANT io
  thanks.

  Hi
  You can use following hierarchy tables
  RSTHIERNODE - Texts of Non-Postable Hierarchy Nodes
  RSEHIERNODE - Master Data: Hierarchy Nodes that Cannot Be Posted To
  RSMHIERNODE - Master data: Hierarchy nodes that cannot be posted to
  RSHIEDIR - Hierarchy Catalog
  RSHIEDIRT - Hierarchy directory texts
  RSREQHIER - Data Request hierarchy
  RSROLEHIERARCHY - Role hierarchy
  In addition to these have a look at K table & I table for 0PLANT.
  K table - Hierarchy SID table
  I table - Hierarchy structure table
  Hope this will help..!!
  Thanks,
  Vikrant

• Restriciting BI query for Hierarchy authorization for a defined group

  Hi Friends
  We are trying to restrict the Display with respect to the company codes group.
  We have defined the authoirzation for BI w.r.t to the company code and groups ( collection of co.codes ) ..We have defined the authoirzation object under Rsecadmin and restricted the display for only group eg: GH3 . However when we ran the query we can see all the companies / groups. Also tried with putting the GHR group under Hierarchy authorization but still have the same result.
  Can you please let me know what is going wrong
  thank for all your help..

  We have defined the authoirzation for BI w.r.t to the company code and groups ( collection of co.codes ) ..We have defined the authoirzation object under Rsecadmin and restricted the display for only group eg: GH3 .
  Did you check if the infoprovider(s) which your query is hitting upon has company code and company groups checked as authorization relevant in RSA1?
  Thanks
  Sandipan

• Possible to combine Value and Hierarchy Authorizations?

  Hello Experts!
  Could anyone please tell me something about the interaction between value and hierarchy authorizations for the same info object?
  I created an authorization for an info object which makes use of both in some queries. But if you activate a hierarchy in query designer, the value authorizations seem not to work anymore. Instead the hierarchy authorizations restrict the analysis result. I get datasets in the result without having the corresponding value authorizations.
  Is there a way to ONLY use value authorizations which also work if you activate a hierarchy on an info object???
  Thanks in advance.....
  Bye,
  Joerg

  No you can't. GRE is only designed to carry routing protocols and multicast traffic over VPNs.
  It is also bad design practise to design a network that carry's L2 vlan's over a WAN or internet link.
  You have to ask yourself why you would want to carry VLANs over VPNs?
  Hope this helps.

• Profit Center Hierarchy: Authorization Error

  Hello,
  Right we are generating hierarchies for users on the object Profit center.  We want to have a separate data role that gives access to the authorization object ZPROFITCTR.  What should the values be for PROFIT_CTR and TCTAUTHH if we want to check what authorizations have already been generated for the user?  I am thinking there must be a way to do this rather than create a different data role for each user.
  I have done a lot of reading and have found if you specify the value ' ' for OTCTAUTHH as a value if only hierarchy authorizations are to be in effect.  I thought this would mean generated heirarchies would be checked and would give a user access to 0PROFITCTR, but that was not the case.
  Thanks,
  Brian

  try to re-transport PCA
  IMG; CO--> PCA --> tools --> transaport customizing set. -->
  but i believe if you transport only the "master data" Q will function fine. ( try OKEQ first)

• Hierarchy Authorization in free characteristics not working

  Hi,
  we found aproblem while running a query with authorization objects for a hierarchy node (0SALES_OFF).
  - Z_HPRODPIS (Hierarchy for sales offices) with fields:
  - 0SALES_OFF Sales Office
  - 0TCTAUTHH Authorization for hierarchy
    We create hierarchy authorization for nodes:
     - Type of authorization           2
     - Hierarchy level                    3
  We would like to have characteristic 0SALES_OFF in the free characteristics section when running the query.
  In this case we get an error "No authorizations", but after drill down in rows, hierarchy node members for 0SALES_OFF are displayed.
  Is this an usual behavior?
  We would not like to create several queries, if we could cover user requirements with one query with several characteristics as free characteristics (also 0SALES_OFF).
  Thanks, Tomaz

  Hi !
  have you tried restricting it with a variable?
  with regards
  ashwin

• Hierarchy authorization

  Hi All,
  We have upgraded our BI system to the new security approach 7. We created the corresponding roles/objects thru the RSECADMIN t-code for 0COUNTRY and some other infoObjects where the 0COUNTRY is navegational attribute, for example the 0COMP_CODE__0COUNTRY, and everything is workink fine.
  The 0COUNTRY and (i.e.) the 0COMP_CODE__0COUNTRY are checked as Authorization Relevant.
  Now, we want to create a hierarchy for the 0COUNTRY infoObject, and I would like to know if the security done at the value level is enought to restrict the data or we need to create some new roles/objects thru the RSECADMIN in order to do the same restriction done to the flat values now at the hierarchy.
  We dont mind the intermediate nodes (regions), just the country values for the hierarchy.
  For example, we need the following hierarchy:
  World
  |_ Europe
       |_ Germany
       |_ Italy
       |_ Spain
  |_ Asia
       |_ China
       |_ Japan
  With variable authorization we need:
  If user has just Spain, show Spain.
  World
  |_ Europe
       |_ Spain
  If user has Germany, Italy, Spain.
  World
  |_ Europe
       |_ Germany
       |_ Italy
       |_ Spain
  If user has *.
  World
  |_ Europe
       |_ Germany
       |_ Italy
       |_ Spain
  |_ Asia
       |_ China
       |_ Japan
  Right now, without using hierarchy, the data is showing ok depending on the authorization that user has (allways using authorization variables in the query).
  Regards, Federico

  Hi Federico,
  Yes, your approach is right. You can restrict the InfoObject 0COUNTRY and then maintain the country values in the Analysis Authorizations (its no more a hierarchy authorization).
  The EQ can be used to maintain a single country (you need to add multiple EQs if you wish to add morethan 1 country in the same analysis authorization)
  The CP can be used to maintain with a pattern such as A* countries etc
  The BT can be used to give a range.
  However, ensure that the user has authorization to all the Infoareas (bottom - up) and queries so that his/her authorization can be restricted.
  Regards,
  Raghu