Query authorization

Dear All,
Want to set user wise query authorization, is it possible.
Regards
Bharat.

Dear Bharat,
Yes its possible.
Query authorization
Regards
MANGESH PAGDAHRE.

Similar Messages

Infoset Query Authorization

Hi guys,
I've created some infoset queries, and assigned those queries to specific user group. My purpose is to let only specific user group (e.g. Accounts User Group, to access only relevant queries)
But later I found out, those users can actually switch to another group (at SQ01 -> Other User Group), and access those queries that they shouldnt be accessing.
May I know if there's any way to prohibit this switch of group? Or is there any authorization that can be set?
All ideas are appreciated. Thanks ^^

Hi TY Ng,
By including the InfoSet query in a role, you ensure that the InfoSet query is started with an InfoSet (and a query), and can therefore be easily used for appropriate reporting within the role.
The basis for this is the assignment of user groups to roles, the option of calling the InfoSet query from different roles, and, in doing so, noting the specified context for this role.
You assign user groups and InfoSets with transaction SQ10. You can also create and manage menu entries for the InfoSet query with this transaction.
In order to include the InfoSet query in a role, you have to assign user groups first to the role and subsequently to one or more InfoSets.
Check
Please check administrator authorization for the SAP Query (authorization object S_Query, field ACTVT, value 23).
Check whether the correct work area is set before you reassign user groups. If you call the role administration by using transaction SQ02 (see above), the work area set in transaction SQ02 is transferred.
Hope you get some help
Atul

Query authorizations

Hi Experts/Fellow SDNers,
I am currently restricting a BW system and have a few questions/would like some confirmation on a few points to make sure I am understanding things correctly. My understanding of BW is limited so kindly bare with me:
1. Basically, it would appear that query access is restricted by the object S_RS_COMP. In S_RS_COMP, the field RSZCOMPID (Name) allows me to restrict access to queries by name (i.e. Z* will provide access to all queries with name starting with 'Z'). One thing that is confusing me is the 2 additional fields: RSINFOAREA (InfoArea) and RSINFOCUBE (InfoCube). My colleague advised, a BW query basically pulls information from an InfoProvider (such as an InfoCube/ODS Object). So, does this mean that even if I allow access to a query by name through RSZCOMPID, if the InfoCube it requires is not included in the RSINFOCUBE field, then the query will fail?
2. I need help in understanding the differences between S_RS_COMP and S_RS_COMP1. From what I can see, they are very similar. Documentation I have read advises that S_RS_COMP1 allows users to administer certain queries but besides the RSZOWNER (Owner - Person Responsible) field, I don't see what else it offers over S_RS_COMP. If I don't need to restrict by Owner, then I have no need for S_RS_COMP1? Would it make sense for the fields in S_RS_COMP and S_RS_COMP1 to always match (i.e. same values in ACTV, RSZCOMPID, and RSZCOMPTP)?
3. Before, it was my (mistaken) understanding that a query that is published to a role (i.e. exists in a role's role menu) automatically granted the user who was assigned to this role access to that query. I performed a quick test and this seemed not to be the case. I gave the user roles that granted access to queries Z*, but non of the roles had any queries published. I logged in through BEx and sure enough, I could manually type/find the query name and execute the query even though it was not under the Roles list. Therefore, other than making the name of the query appear when you click on the Roles button in BEx, are there any other uses to publishing a query to a certain role?
As always, any help is greatly appreciated!

Are you on BI or old BW, because in BI you also have Analysis Authorization objects which also play a vital role in deciding what can be accesses and what can't be
>
Benjamin Seto wrote:
>
> 1. Basically, it would appear that query access is restricted by the object S_RS_COMP. In S_RS_COMP, the field RSZCOMPID (Name) allows me to restrict access to queries by name (i.e. Z* will provide access to all queries with name starting with 'Z'). One thing that is confusing me is the 2 additional fields: RSINFOAREA (InfoArea) and RSINFOCUBE (InfoCube). My colleague advised, a BW query basically pulls information from an InfoProvider (such as an InfoCube/ODS Object). So, does this mean that even if I allow access to a query by name through RSZCOMPID, if the InfoCube it requires is not included in the RSINFOCUBE field, then the query will fail?
>
Yes, you are right with that. You need to have access to data ( infoproviders) even though you have the queries access. Just like if you have access in SAP to do things and don't have access to the computer itself
>
> 2. I need help in understanding the differences between S_RS_COMP and S_RS_COMP1. From what I can see, they are very similar. Documentation I have read advises that S_RS_COMP1 allows users to administer certain queries but besides the RSZOWNER (Owner - Person Responsible) field, I don't see what else it offers over S_RS_COMP. If I don't need to restrict by Owner, then I have no need for S_RS_COMP1? Would it make sense for the fields in S_RS_COMP and S_RS_COMP1 to always match (i.e. same values in ACTV, RSZCOMPID, and RSZCOMPTP)?
>
If you are not going to restrict by owner then it makes sense to exclude this Authorization Object in the roles.
> 3. Before, it was my (mistaken) understanding that a query that is published to a role (i.e. exists in a role's role menu) automatically granted the user who was assigned to this role access to that query. I performed a quick test and this seemed not to be the case. I gave the user roles that granted access to queries Z*, but non of the roles had any queries published. I logged in through BEx and sure enough, I could manually type/find the query name and execute the query even though it was not under the Roles list. Therefore, other than making the name of the query appear when you click on the Roles button in BEx, are there any other uses to publishing a query to a certain role?
>
You need to save queries on the role, then only they will appear to the user. You can use BEx Query designer to create and save queries on the role. They will appear in the role menu in PFCG also.
We have created a separate reporting role which only has the link to queries.
HAPPY NEW YEAR
Cheers !!
Zaheer

ADHOC Query Authorization

Hi Experts,
How authorization can be assigned to a query created by PAAH transaction (adhoc query).
If a query is created by particular user/user group, it should not be altered by other user / user group.
Please advice.Thanks in Advance.
Regards,
IFF

Hello,
Through P_PERNR we could restrict the authorisations for adhoc query for a particular user.
Using the employee sbu group field value found under the P_ORGINCON authorisation object we could restrict the authorisations for a particular group of users.
Hope this answers your query.
Kindly let me know if you need any further help in this regards.
Pramathesh.

BI Query Authorization issue

Hi,
When a test user execute a query he is getting Insuffucient athorization
In RSECADMIN i executed as a test user and got the log
Please update me how to resolve the issue
No Sufficient Authorization for This Subselection (SUBNR)
Following CHANMIDs Are Affected:
17 ( 0TCAKYFNM )
Thanks

Hi there,
Regarding the 0TCAKYFNM "containing" information of all key figures, that's why I put the "", because this object doesn't contain anything, it is simply an InfoObject standard that SAP has with the flag marked in authorization relevant in transaction RSD1. This object exists for assigning key figures authorization used through the transaction RSECADMIN.
Even without the user notice, this object is checked against all the queries over all the InfoProviders.
If you go to transaction RSD1 for the InfoObject 0TCAKYFNM click on display on the Business Explorer tab you'll see the option AuthorizationRelevant marked. This will force the check for key figures assignment for all the queries against the authorization grnated through this object assigned to the user.
So if in this transaction RSD1 you change on the tab Business Explorer for this object 0TCAKYFNM and uncheck the AuthorizationRelevant, none of the key figures will be checked against the authorizations the users have to the InfoObject 0TCAKYFNM (since this InfoObject will no longer be authorization relevant).
If you leave the flag AuthorizationRelevant for the InfoObject 0TCAKYFNM as it is (marked), then in RSECADMIN as you did before, instead of granting * values (all values, all key figures) for the 0TCAKYFNM, you granted for instance the value 0QUANTITY and assign this authorization to the users, if this user executed a query with only the 0AMOUNT key figure he/she would receive lack of authorization, since he/she was only authorized to see values for 0QUANTITY key figure. So resuming, the values you assign for the InfoObject 0TCAKYFNM will be the key figures the user is authorized to see the query, and if you assing * it will be all the key figures (all values)
Hope this helps,
Regards,
Diogo.

Infoset query authorization problem

Hi All,
We created one Infoset(used PNP Logical database) - SQ02 in DEV system and transported to PRD system. Users are creating their own queries and check the data. Actually this is Cluster system. Three or more different hospitals clubbed together so company codes are different for each hospital.
Doubts are
1. Is it possible to restrict own hospital users to execute the query created by one user ?
2. Whether other hospital user can run the query created by one hospital and see all hospitals information?
Please let me know if I am not clear .
Regards,
Venkat.O

If I understood your question correctly, you want certain infoset to be used by specific users and not all. You can do it by defining an "Authorization Group" and assigning it to desired users.
To do so, select your infoset >> choose change >> select 'Global Properties' from the menu bar >> specify a group name in Authorization Group field.
Later you can update your user role with S_PROGRAM authorization object.
Hope it helps...

BEx query Authorization works in BW but fails in WebI

Have a BEx query which has 5 fields marked as authorization relevent. Some of the fields use BW Auth variable in the BEx query, although not all fields do. The BEx query runs fine and does not throw any authorization failures. One of the fields is Org Unit, which uses hierarchy node variable. This field and its user variable exist in two different queries, using different multiprovider.
One BEx query and its corresponding universe and WebI report fails when user tries to refresh Org Unit prompt values in WebI, however a secondar query with identical field and variable does not fail. A trace on BW side does not reveal any authorization failures. We tried refreshing the universe and even creating a whole new universe, refreshing it, etc.. however the issue is not resolved.
Has anyone seen this problem before? If so, how did you resolve it.

Hi,
You need Single sign-on (SSO).
Regards

Query authorization problem

Hi,
I had an old query on a multiprovider (two infocubes were added in multiprovider). The report was running fine. Then according to new requirement i added one more infocube to the multiprovider and added related key figures in the query.
But after that the query is not running properly. The new cube added to multiprovider has a authorization object "z:indauth" which has restriction on character "ci_dipind" which was not present in the previous cubes. I added this character (ci_dipind) in free characteristics. But then also report is not showing any data and the message given is "No applicable data found". Actually before this modification, query was running fine.
Please guide me for the same.
Regards,
Pravin.

Hi
You can check the values for which the authorization is not there using the transaction st01. There switch on the authorization trace and then run the query with your parameters. Then switch off the trace and analyse the values.
There you can find what authorizations you are lacking and then can act accordingly.
Cheers
Vishal Vashishta

Query authorizations and the result in Bex Analyzer

Hi,
Is the following possible to achieve by nesting authorizations?
User X has the following 2 authorization roles:
role 1 (description: FIGL)
|--- Query 1
role 2 (description: FIGL)
|--- Query 2
Visualisation in BEx:
Folder FIGL
|--- Query 1
|--- Query 2
At the moment I see
FIGL
|--- Query 1
FIGL
|--- Query 2
I hope the ASCII art is a little bit clear
As you can see, both roles are technical 2 different objects, so they are split. Any possibility to let the queries from role 1 to appear in role 2 (merge them in the visualisation)? I already played with the "derive from role" option, but this totally replaced the menu from the receiving role...
kr,
Rutger Hennico

Hi.
'ZCDAY' = User date Variable on 0CALDAY. (If User will give date).
'ZDYS'   = Formula Variable with Customer Exit, Dimension ID = Number.
DATA: DY TYPE SY-DATUM.
WHEN 'ZDYS'.
      LOOP AT i_t_var_range INTO loc_var_range WHERE vnam = 'ZCDAY'.
        CLEAR l_s_range.
        DY = loc_var_range-low+6(2).
        l_s_range-low = DY.
        l_s_range-sign = 'I'.
        l_s_range-opt = 'EQ'.
        APPEND l_s_range TO e_t_range.
        CLEAR l_s_range.
      ENDLOOP.
if there is no User Input then use..**
WHEN 'ZDYS'.
      LOOP AT i_t_var_range INTO loc_var_range.
        CLEAR l_s_range.
        DY = loc_var_range-low+6(2).
        l_s_range-low = DY.
        l_s_range-sign = 'I'.
        l_s_range-opt = 'EQ'.
        APPEND l_s_range TO e_t_range.
        CLEAR l_s_range.
      ENDLOOP.
Thanks
Reddy

Regarding ABAP Query authorization group

Hi Team,
This is regarding ABAP Query!
I have created one authorization group, for testing i have assigned my id in authorization group.
After creation of ABAP query,standard program got generated. Now i have created one transaction code at the last for the ABAP Query.
Now the isse is even though i have deleted my id from the authorization group. I am able to execute the query from SQ01 and with the Transaction code .
It should not happen...i want who soever id is mapped to the transaction code ...that member should only be able to run that query, otherwise there is no use of authorization group.
Please help me out in this case.
Thanks & Regards,
Anil Kumar Sahni

Are you sure that you don't have access to that authorisation group? Execute report RSUSR002. In the 'Authorization Object 1' block inform S_TABU_DIS in 'Auth.Object' and accept. Then inform Activity=03 and Auth.Gruop= your group.
You will get a list of all the users which, theoretically, will be able to execute the query. If you press 'Roles' or 'Profiles' in the toolbar of the listing you will get to know why you have authorisation. May be you have the SAP_ALL profile.
Also, one more thing to take into account: how have you created your transaction? Is it referring directly to the generated report? Then it is an error, you should execute program SAP_QUERY_CALL. Read this post: [Relate transaction to query;

BW/query Authorizations

We are implementating BW MM. As a part of planning phase we are trying to find out the authorization needed for Users. Requirement comes from user is to restrict queries at Plant/Sloc/Porg/Pgrp level.
What my understanding about authorization is here
Use Object S_RS_COMP to restrict at infoarea and query level, not very sure how S_RS_COMP1 works (pls explain)
Use RSSM to create customized objects and add above char. This object will later be added to the profile and values will be assigned accordingly.
Now q has asked, how to give user to only run the reports.
1. Is it by giving Bex access and restrict at infocube and query level and then to char level (I think covered above)
2. Use Bex Browser to give link for queries (by running on web copy and paste link in the role)
3. Give authorization for workbook
I am not very familiar with 2 & 3rd option. Pls advise
Is there anything that I missed?
Thanks in advance
Alok

Hi Rohini,
The note 588144 says:
SymptomThis note describes how as BW queries can be entered in roles.
If you are unable to open queries in the BEx Analyzer or the BEx Query Designer using the Open dialog box in the roles view, the problem described below may be occurring in your system.
Similarly, this problem may the reason why short dump XXX appears in the the system log.
Other terms
BW, BEx, 20B, 21C, 30A, 30B, in 310, relative addressing
Reason and Prerequisites
BW 3.0B and higher
The URL on the BW query was probably created manually in role maintenance as follows:
1. Call role maintenance (transaction PFCG)
2. Enter the role and select Role/Change in the menu
3. Selecting the "Menu" tab
4. Click on the "+ Other" switch
5. Select the "SAP BW query URL" field
6. Enter the description in "Text"
7. Enter the URL in "Object Description" (use both input fields if necessary)
Creating the URL using the following steps is also incorrect:
1. Call role maintenance (transaction PFCG)
2. Enter the role and select Role/Change in the menu
3. Select the "Menu" tab
4. Select switch "+ Report"
5. Select selection field "BW Report" (this is only suitable for BW workbooks; see note 570632)
6. ...
If you create the entry manually, the corresponding entry in table AGR_HIER will not contain any value in the SAP_GUID field.The field SAP_GUID usually contains the query's GENUNIID.The query cannot be opened because of the missing SAP_GUID value.See the section on the correction of manual entries under "Solution" below.
For information on entering URLS manually, see note 400348.
BW 2.0B/2.1C
Saving URLs in roles is not supported in BW 2.0B/2.1C.
Solution
Creating BW Queries in Roles with the BEx Query Designer
The BEx Query Designer allows you to select a role when you save URLs.
Creating BW Queries in Roles with the Open Dialog Box in the BEx Analyzer and the BEx Query Designer
The Open dialog box has two switches - "Enter in Role" and "Add to Favorites", which allow you to enter a BW query in a role.
Creating BW Queries in Roles with the Bex Browser
The BEx Browser allows you to copy BW queries bewteen different roles, within a role and to your favorites using Drag&Drop.
Correcting Incorrect Entries in BW Queries
You can only correct incorrect entries in BW queries with help from SAP.
With rgds,
Anil Kumar Sharma .P

BEx Query Authorization

Hi,
I have created one BI user which will be used to execute BEx queries & workbooks only.
I want to give him access of all queries & workbooks to that user but don't want to give any other access nor SAP_ALL.
R/-
Pradip

Hi there,
You should give him authorizations to the objects S_RS_COMP and S_RS_COMP1 under pfcg role transaction.
Also give him authorization to new authorization objects created under RSECADMIN.
For that go to transaction RSECADMIN and create new authorization. Give a description. Click on the InfoCube button and select the InfoProvider name where the query is built. Select all the objects that appear and select * for them. Click on the new button at the left side of the InfoCube for Insert Special Charac. Save the authorization.
Do this for all different InfoProviders where the queries exist that you wish to grant authorizations to the user.
Assign these new authorizations under RSECADMIN to the user or under PFCG role with authorization object S_RS_AUTH
Diogo.

ABAP or infoset query authorization

hi,
i want to give the authorization to abap query in bw ie sq01 sq01 and sq03 .
user should only excecute the query based on the given user group.
thanks
Jimmy

Jimmy,
in SQ02->Role/User group assignment button should give that option.. is this not looking for?
in SQ01->InfosetQuery, it will ask for "user assignment"..
Are these not useful?
Regards,
Hari

InfoArea change effect on Query authorization

Hi Gurus -
If we move an InfoProvider to a different InfoArea, does the users will run into Authorization issues? Do we need to re-define the query? As far as I know, it shouldn't effect the users. Please advise me. THANKS.

It depends what authorization given to users.
If it is just query display authorization for user, should not effect users.
If authorization defined in info area level also, will effect.
Thanks.

Error in LIME Query-Authorization object C_Lime_Loc cannot be checked..

hi,
I am very new to SAP Basis. i am facing the subject mentioned error in one of the user in a client when i run MM03 T.code.Su53 is showing Successful.
Temporaily ,I have provided the user with Profile SAP_ALL along with roles specified for the user and things are working fine.
i have tried assigning this object to all the Roles in the user but still in vain. Request some guidance to resolve this problem and thus removing the SAP_ALL profile to the concern user.Thanks in advance.
Edited by: Selva kannan on May 5, 2008 2:13 PM

Hi,
Heartly thanks for your feedback.
Actally the error reads: Error in Lime Query:Authrization object C_Lime_Loc cannot be checked.
SU53 is displaying last authorization is successful.
i have already added the object C_LIME_Loc to all the roles and checked the T.code MM03 without SAP_ALL profile.but failed.
I had compared the t.code su24 output in the user once with SAP_ALL profile and once without SAP_ALL and found both has same(identical) checked value. need help as i can feel that there is some authrization in SAP_ALL which is missing in my roles. how do i detect this....how do i check the objects in SAP_ALL related to this error.

Query authorization

Similar Messages

Maybe you are looking for