Regarding BW Authorization

Similar Messages

• Regarding Prepayments,Authorization and capture of funds

  Hi..
  I have questions regarding the authorization and capture of funds in 11.5.10.2 when the Prepayment concept is used. I have read in OM manual that the authorization and capture happens in AR while creating a receipt.So how can I know that they happen immediately one after other in AR ??? i mean can I look into any columns of particular tables gets populated when authorization happens and some particular field is populated when capturing happens???
  Mainly when prepayments are used does the authorization and capture happen in AR only one after other immediately?????
  Can some one please help me....
  Thanks...

  Hi,
  when you create the batch-input session, you could set a user-name with the good authorization.
  You could ask anybody to call your batch-input in SM35, the authorization of the transaction inside your batch is check with the username set in the batch.
  So how did you create your batch-input session ??
  Fred

• Regarding BI Authorization Issue

  Dear Friends,
  can anyone help me to solve this issue..
  I have a Authorization Issue, u201CNO Authorization u201C
  Error : EYE 007 ( Insufficient Authorizations )
  I have follow this stepsu2026
  Steps 1 :-
  Define Authorization-Relevant Characteristics ( ZCUSTOMER )
  Note : I have 0Division values C100 and C200, I want to restrict the user on ZCUSTOMER = 100.
  Steps 2 :-InfoObjects as u201Cauthorization-relevantu201D
  Eg: 0TCAACTVT
  0TCAIPROV
  0TCAVALID
  0TCAKYFNM
  ZCUSTOMER
  Steps 3 :-Using T-code : (RSECADMIN) created the Analysis Object
  For example : ZAUTH In That I have taken
  ZCUSTOMERrestricted with value C100.
  0TCAACTVT with 3 ( Display )
  0TCAIPROV with * ( Astric )
  0TCAVALID with *
  0TCAKYFNM with *
  Steps 4 :-
  Assign Authorizations to Roles
  Use authorization object S_RS_AUTH for the assignment of
  authorizations to roles.
  Maintain the authorizations as values for field BIAUTH
  Ex: ZTESTA1
  S_RS_AUTH
  Here I have given my Authorization Analysis Object ( ZTESTA1) which I have created in RSECADMIN.
  S_RS_COMP
  Activity Create or generate, Change, Display, Delete, Execute <...>
  InfoArea : ZDEMO_ MIHI
  InfoCube : ZCUBET
  Name (ID) of a reporting compo : ZTEST_Q0001
  Type of a reporting component Calculated key figure, Query View, Query, Restricted key figure <...>
  S_RS_COMP
  Activity Create or generate
  InfoArea :ZDEMO_ MIHI
  InfoCube : ZCUBET
  Name (ID) of a reporting compo :ZTEST_Q0001
  Type of a reporting component :Query
  S_RS_COMP1
  Activity Display, Execute
  Name (ID) of a reporting compo : ZTEST_Q0001
  Type of a reporting component :All values
  Owner (Person Responsible) for *
  S_RS_COMP1
  Activity Change, Display, Delete, Execute, Enter, Include, Assign
  Name (ID) of a reporting compo ZTEST_Q0001
  Type of a reporting component All values
  Owner (Person Responsible) for :*
  S_RS_ICUBE
  Activity Create or generate
  Infocube Sub Objects: DATA, Update rules, Data Definition, Aggregats
  InfoArea :ZDEMO_ MIHI
  InfoCube : ZCUBET
  S_RS_IOBC
  Activity Create or generate
  InfoArea :ZDEMO_ MIHI
  Infoarea Catalog : zioc_test, Zkf_test
  S_RS_IOBJ
  Activity Create or generate
  InfoArea :ZDEMO_ MIHI
  InfoObjets: ZCUSTOMER, ZDOCNO,ZMATERIAL
  Steps 5 :-
  AND Assign this Role to User.
  Steps 6 :- ERROR
  When I execute the Report it is showing u201CNO Authorization u201C
  u201C Insufficient Authorization u201C
  EYE 007.
  Regards
  Siva

  Hi,
  In RSECADMIN try to put on the trace with your user id & execute the query . System will give you list of authorization object with red color which needs to be reconsidered in order to execute report without error.
  Hope that helps.
  Regards
  Mr Kapadia

• Help regarding BI Authorization

  Hi Experts,
  I am working for first time on BI analysis authorization and I am having below queries to be clarified. Can you all please clarify my queries and help me.
  1. In the project, we will not use HR and will therefore have to do local maintenance of authorizations in each system (for data access, we will also use a central identity management system). This will for sure affect the possibility of the automatic generation of authorizations. My first question is: can it still be used at all (can we load some data via flat-file or maintain some master data in BI)?
  2. Is the concept of having queries linked to PFCG roles to be used at all in BI 7 (according to SAP standard), or is the thought that InfoProvider authorization should be used instead via 0TCAIPROV?
  3. Is the following a correct way to do authorizations in BI 7, or if there is something that should be changed to comply with standard?
  - Make the following characteristics authorization relevant: 0COMP_CODE, 0SALESORG, 0PLANT
  - Activate the technical content for analysis authorizations: 0TCA*
  - Create authorizations in RSECADMIN, where we link a authorization object to a characteristic value (for instance, assign object: "XY" to characteristic=0comp_code with value=1010)
  - Link the authorizations just created to PFCG roles (for instance create a PFCG role "XY access" which gives access to company code 1010).
  - Create PFCG roles for "Report User" and "BW Developer" which have access to read respective create/change/delete rights of queries.
  - Create PFCG roles with certain queries linked to them.
  - Assign the PFCG roles to BW Users.
  4. Does the BI 7 authorization concept enable the use of user groups, or should authorizations be assigned on a user to user basis?
  5. What happens if I make a characteristic authorization relevant and then include this characteristic in a query and do not do any restriction on this characteristic (i.e. I do not provide any auth values to the system), will I then get an authorization error?
  6. If automatic generation of user authorizations is used together with for instance SAP HR and loaded daily, does this mean that any other manual authorization assignments will be deleted/reset upon the next automatic generation?
  7. Is the following a correct way to do authorizations in BI 7, or if there is something that should be changed to comply with standard?
  - Make the following characteristics authorization relevant: 0COMP_CODE, 0SALESORG, 0PLANT
  - Activate the technical content for analysis authorizations: 0TCA*
  - Create authorizations in RSECADMIN, basically one object that has a restriction for each of the authorization relevant characteristics and that uses different customer exit variables to determine which values to use. This customer exit then reads some table (which we maintain manually in BI) to find the values for each user based on user name.
  - Link the authorization just created to a PFCG role.
  - Give all reporting users this PFCG role.
  - Create PFCG roles with certain queries linked to them.
  - Assign the PFCG query roles to users.
  Thank you very much in advance for helping.
  Thanks & Regards,
  Sharath

  Sharath,
  Here are some insights/replies to the list of questions you supplied. BW Security can be complicated but the trick is NOT to allow the requirements to allow it to be complicated.
  1) Are you sure you dont mean the IdM system will assist with role-based access assignments? If that is the question then, yes. For the data access (linked to roles via S_RS_AUTH : Analysis Authorizations) you could employee a flat-file load to DSOs and variable security on the authorizaiton relevant charactistics.
  2) Yes, you will need to have authorizations to queries/reports via S_RS_COMP/S_RS_COMP1 still maintained in the roles. The InfoProvider (data access) will be maintained in the Analysis Authorization (S_RS_AUTH). You need to have both in order to successfully pass the auth checks from query/report to data.
  3) Fundimentally (BW Security 101) sounds correct but again it typcially depends on the implementation and requirements on how you setup the anaylsis authoriations along with the roles.
  4) No sure what you mean about "user groups" Analysis Authorizations can be assigned to "Users" or "Roles".  You could always assign roles to user groups via SU10 or via IdM solution.
  5) Depends on how its used in the query. If the query is dependant on a value to render the report (included in intial SQL stmt) then you will get "No Authoriation". If its setup as a free characteristic or drill-down, then you wont get authorization error until a statment checks values for authorization.
  6) Depends on how it was implemented. refer to #3
  Hope that helps a little.
  Thanks,
  Matt

• Regarding the Authorization in ABAP-HR

  Hi all,
      I want to know about the Authorizations in the ABAP-HR. If any body is having any material regarding the can you plz share with me...
  thanks in advance,
  Suresh

  Hi Kutam,
  Chk these Links....
  Can i have the list of infotypes .
  abap hr
  http://www.asug.com/client_files/Calendar/Upload/HR_STRUCTURAL_AUTHORIZATIONS.ppt
  Reward Points if Useful
  All the Best
  Gokul

• Regarding the authorization objects

  hi
  this is the requirement.
  how to provide the authorization for the given transaction code and they provided field for that and some numbers.
  please provide me the code for this
  thanks in advance

  Hi,
  Check below code,
  AUTHORITY-CHECK OBJECT 'B_ALE_MODL'<- author. object
  ID 'ACTVT' FIELD A_ACTVT<-Fields
  ID 'CUSTMODEL' FIELD A_CUSTMODEL.<-Field
  IF SY-SUBRC <> 0 AND NOT A_OWN_REACTION IS INITIAL.
  MESSAGE ID 'B1' TYPE 'E' NUMBER '125'
  WITH 'B_ALE_MODL' A_ACTVT A_CUSTMODEL ''.
  ENDIF.
  Thanks and Regards,
  Chandra M

• Regarding Analysis Authorizations in role.

  Dear all,
  I am working in Analysis authorization. we need to restrict the user from whole dimension.(for ex: access should be restrcited to whole Material Dimension)
  Senario 2: how to restrict the access to one of the object in whole dimension (for ex: we need to restrict the access to material object in material dimension, but user can have authorization for other objects like division)
  How to do this. any pointers would be appreciated.
  thanks in advance.
  Regards,
  Mohankumar.g

  Good morning,
  I would start with your scenario 2 query.
  Build your analysis authorisation including the standard 3  info objects (Activity, Validity Date, Info Areas) and any other info object required.  Specifically, for your material object to be checked (including any of the others), it has to be made Authorization Relevant in the info object itself (usually done by your BW consultant).
  Once this has been done, you'll be able to add the info object to your authorisation.
  So the authorisation here, would be restricted to the various info sources and your material object could be specified here.
  In order for this to work, your BW consultant would also need to add an Authorisation variable to the report - although I'm sure your consultant would know about this requirement.
  For your first scenario you would have to build the authorisation in exactly the same was as in your 2nd scenario, however the material object info object would be wild-carded.
  Hope this answers your questions?
  Regards
  Lucille

• Regarding user authorization of t-code

  I am trying to give authorization for one of my user regarding SM35 
  I did YAT and got attached file. MY ABAP programmer said it is not authorization issue it is something related to system error can you please help me out and guide me what should I do. 
  The problem is whenever she run SM35 it always said Server is not active. I checked using SM13 for server and it is active so I am not sure why it is going on please go through file and If you need more information email me 

  Hi,
  when you create the batch-input session, you could set a user-name with the good authorization.
  You could ask anybody to call your batch-input in SM35, the authorization of the transaction inside your batch is check with the username set in the batch.
  So how did you create your batch-input session ??
  Fred

• Regarding full authorization except basis and abap

  Hello Gurus,
  I want to provide full authorization to my super users excluding Basis and ABAP transactions such as PFCG,SU01,STMS,SCXX,SEXX. Is it possible by providing some standard profile? If yes then which profiles are that? and if no then how to solve this problem.
  Please reply if u can.
  Thanks and Regards,
  Jayendra
  email - [email protected]

  Hi Jayendra,
                       You copy SAP_ALL to some ZSAP_ALL role and remove what ever the Transactions you want to remove from ZSAP_ALL.Then you assign this role to all your super users.
  Regards,
  Hari.

• Regarding sap authorizations

  hi all
  is there anyway to limit the users access to only their own batch input sessions in tcode sm35 using sap authorizations.
  thanks in advance
  mohan

  hi,
  check this
  Checking User Authorizations in your ABAP Program
  How to set Authorization to an ABAP Programs?
  Much of the data in an R/3 system has to be protected so that unauthorized users cannot access it. Therefore the appropriate authorization is required before a user can carry out certain actions in the system. When you log on to the R/3 system, the system checks in the user master record to see which transactions you are authorized to use. An authorization check is implemented for every sensitive transaction.
  If you wish to protect a transaction that you have programmed yourself, then you must implement an authorization check.
  This means you have to allocate an authorization object in the definition of the transaction.
  For example:
  program an AUTHORITY-CHECK.
  AUTHORITY-CHECK OBJECT <authorization object>
  ID <authority field 1> FIELD <field value 1>.
  ID <authority field 2> FIELD <field value 2>.
  ID <authority-field n> FIELD <field value n>.
  The OBJECT parameter specifies the authorization object.
  The ID parameter specifies an authorization field (in the authorization object).
  The FIELD parameter specifies a value for the authorization field.
  The authorization object and its fields have to be suitable for the transaction. In most cases you will be able to use the existing authorization objects to protect your data. But new developments may require that you define new authorization objects and fields.
  Use T/Code SE80 to Create Authorization object.
  if u find it useful mark the points
  Regards,
  Naveen

• Regarding the authorization based on persinal subarea

  dear experts,
                    my company has two offices what we want that in HR that one offices will not see  the live datas of another office,for this we have two subarea raipur & raigarh what i did that in the authorization object P_ORGIN i added subarea BTRTL after this whenever i go to "SU01" & assign in the roles  it gives THIS error------
  *Authorization default values of transaction PC00_M01_CDTB for object P_ORGIN
  inconsistent*               
  WHAT IS THE SOLUTION FOR THIS PROBLEM...
  PLEASE suggest me how to restrict the authorization on personal subarea...
  Also after adding the fields BTRTL in the object P_ORGIN   i want to remove it again how will i do this......

  hi,
  Have a look at this pdf.It may help u.
  http://www.sap-press.de/download/dateien/726/sappress_authorization_system_engl.pdf
  http://wiki.ittoolbox.com/index.php/SAP_HR_-_Check_your_basics-Answers-1#DATA_AND_AUTHORIZATIONS
  cheers,
  Manoj.

• Need Clarification Regarding Structural Authorization

  Hi Gurus,
  When you do need to implement Structural Authorization? How do you know when you don't need it?
  I'm currently on an ECC6 implementation project and was informed that we do not need to implement it even though we are implementing the HR organization structure along with ESS and MSS.
  Your inputs are highly appreciated.

  for one it can be useful to implement structural authorizations when you want to restrict not only on the enterprise structure (e.g. personnel area, employee group etc.) but also on organizational atributes (position, org. units and the likes).
  this decision is purely based on the requirement of your company's security demands.
  as for your second question, I assume that there is a misunderstanding of terms.  HR roles as such are the same as non-HR roles in so far that they can be assigned to the user directly through SU01 or PFCG.
  the advantage of having an org. structure is that you may also assign the roles through this structure as well.  this in itself has nothing to do with whether you would want to implement structural athorizations.
  I hope to have clarified things a litlle for you.

• Regarding BI authorizations

  hi all,
  i need to create a report based on the role & authorizations of the user. Where to start and how to do it.
  should i first create query?
  jeeva

  Hi,
  Try
  http://help.sap.com/saphelp_nw04s/helpdata/en/52/671595439b11d1896f0000e8322d00/frameset.htm
  http://help.sap.com/saphelp_nw04s/helpdata/en/ed/845890b89711d5993900508b6b8b11/frameset.htm
  http://help.sap.com/saphelp_nw04s/helpdata/en/80/1a6859e07211d2acb80000e829fbfe/frameset.htm
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/media/uuid/ac7d7c27-0a01-0010-d5a9-9cb9ddcb6bce
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/659fa0a2-0a01-0010-b39c-8f92b19fbfea
  http://help.sap.com/saphelp_nw70/helpdata/en/be/076f3b6c980c3be10000000a11402f/content.htm
  http://help.sap.com/saphelp_nw70/helpdata/EN/37/a90af089d1453eb595f5a1098285f1/frameset.htm
  Thanks,
  JituK

• Regarding open authorizations

  Gurus,
  Is it any harm in keeping open authorization that is one of empty value to the fields for an object, moving that role to production and assigning it to end users. Please clarify this.
  Thanks

  These are APO authorization objects.
  Have you checked if the object C_APO_SEL2 is still in the role, if yes then C_APO_SEL3 may not be required. C_APO_SEL2 is an obsolete object.
  I would assume if the users are able to function normally as per their requirements then you may leave them open. There is no setting to deactivate the field within a role unless you alter the standard object altogether which is not recommended.
  To ensure that there fields are not checked you can run trace and find when the object is called what are the fields being checked.
  However trace can also not be hundred percent reliable

• Regarding the Authorizations

  Hi all,
  I need to give authorization of tcode Like MMPV  for one user.
  I had done by using PFCG then i went to role and then i given the tcode.
  but it is not working , he is getting again the Auth problem

  Did you maintain the Authorization data correctly? For eg, MMPV Tcode, is the user trying to create or change or display the tcode?
  Also, check if the org structure has been setup correctly.
  Lemme know if this helps.
  Thanks
  Sudhan Shan