Restricting Authorization for a specific Info-object

Dear All,
I have a scenario where I have to restrict the account managers by specific channels.
I have 2 info-objects, Sold-to party and Sales Channel. Sales Channel is defined as attribute of the the Sold-To Part info-object.
I was exploring the BI authorizations concept in SCM 2007.
I created a authorization called "Test" and assigned the info-object Sales Channel in the authorization and restricted it for one value. This authorization along with 0BI_ALL I have added to the role under BI authorizations.
However in interactive demand planning, I cannot restrict by the sales channel. It allows me to load data for all the channels.
If I remove 0BI_ALL object, then I cannot load anything in interactive planning.
Does anyone have a step by step proceedure for using the BI authorization concept?
Regards,
Kedar

Yes, 0TCAACTVT (activity), 0TCAIPROV (InfoProvider) and 0TCAVALID (validity) have to be made authorization relevant. For the info objects you want to use to control security, also make them authorization relevant in RSD1, imagine the object you want relevant is ZZ_VKORG (sales organization).
Then use RSCEADMIN transcation and 0BI_ALL will include the objects from above, copy 0BI_ALL into a object such as Z_1000 and then change the value for the specific info object that you want to control, imagine that you want sales org 1000 only to be allowed within Z_1000.
Now, you have 2 choices: You can use the normal security maintenance (SU01, PFCG) and you can asssign RSRS_AUTHBIAUTH and set BIAUTH requal to Z_1000 or you can use user maintenance directly within RSCEDAMIN and assign Z_1000 to the user. Either way, it becomes part of the authorization of the user.
You may find that you need to introduce colon authorization concept ( for mixed levels of data and that is just a matter of adding a second line to the allowable values and setting it like "EQ :".
Things to consider:
1. This authorization concept is water tight and will do everything you need, but will do at the expense that if you don't model it first, you will kill yourself trying to make it right. This becomes evident when you trace a security issue (via RSCEADMIN) because the way BI7.0 works is that it will build a minimized superset of authorizations, so it is best to know where you want to get to, rather than starting off by where you know you need to go.
2. To control change or display mode, you will need to influence 0TCAACTVT, even though you might think to use C_APO_SEL3 for ACTVT, the BI7.0 concept works within the BI space and 0TCAACTVT doesn't impact it.
3. If you activate more info objects, 0BI_ALL will get updated automatically but your custom  authorization objecst will not. So, it is best to activate them all at the same time so that you don't have to manually change them.
4. Do the work in development and transport it to the TEST/QA/PROD environments, there are transprt tools within the RSCEADMIN.
This is probably enough to get you going, reply back if you have specific questions or issues.
I've been thru this in a painful way, sometimes the best things learned are learned the hard way

Similar Messages

  • BASIS--to restrict authorization for a PO document type & 122 movement type

    Dear All,
    Plz guide me how to restrict authorization for a PO document type & for a movement type 122 i.e. for eg. if a user has authorization for PO document type IC then he should not be able to rum movement type 122 for any T-code he runs.
    Thanks in advance
    Arpit
    Basis

    Hi,
    Your request was not too clear to me.. As per my unde
    Here is some details of Authorization object related to Purchase Order:
    Document Type in Purchase Order( M_BEST_BSA )
    Purchasing Group in Purchase Order (M_BEST_EKG )
    Purchasing Organization in Purchase Order  (M_BEST_EKO)
    Plant in Purchase Order  (M_BEST_WRK )
    Document Type in Outline Agreement (M_RAHM_BSA )
    Purchasing Group in Outline Agreement (M_RAHM_EKG )
    Purchasing Organization in Outline Agreement ( M_RAHM_EKO )
    Plant in Outline Agreement ( M_RAHM_WRK )
    This can be helpfull to you to restrict authorization to PO..
    In Organization Level, it can be restricted by Purchasing group, Purchasing organization and plant..
    Regards,
    Sandip

  • How to restrict authorization for OBC4

    Dear all
    How to restrict authorization for obc4( field status) for user id wise
    Regards
    nasa

    Hi Nasa
    You try to use the S_TABU_LIN object. With this object you can control access to tables (called from maintenance views, SM30 etc) based on the database key for the table.
    And as far as I cant see, the OBC4 transaction is just a couple of maintenance views for V_T004V andf V_T004F.
    You can find a small how-to [here|http://www.mhn-consulting.com/s_tabu_lin.html]
    Regards
    Morten Nielsen

  • To restrict authorization for tcode MEK1,MEK2,MEK3,MEK4 at plant level.

    Hi,
    We have  a requirement where we need to restrict authorization for tcode MEK1,MEK2,MEK3,MEK4 at plant level.
    Presently we can restrict authorization at Purchasing organization level but not at Plant level.
    Any pointer please!
    Regards,
    Chetan

    First of all, this is not the right forum to post such a question.  Coming to the requirement, this can be achieved by creating a role in PFCG where you can restrict plant and assign this role to each user id.  Your basis team can do this.
    thanks
    G. Lakshmipathi

  • No authorization for action: CRE with object: ADCP

    Hi,
    I encountered the following error when creating an index:
    No authorization for action: CRE with object: ADCP
    I was at transaction DB02 -> 'Checks' -> Database<->ABAP/4 Dictionary.
    The checks indicate that there are some optional indexes that are not created.
    The error is encountered when I select one of these indexes (eg. ADCP-I01) and try to create it using the 'Create in DB' button.
    Do I have to assign some certain permission to my account? I am already holding the SAP_ALL and S_A.SYSTEM profiles.
    Thanks for any help,
    Tzyy Ming

    Hello,
    As i had expected DDIC userid did the needful.
    to see whether the index is created, you need to do the following.
    start transaction DB02
    click on the refresh button
    You would then get a new pop up with two different buttons.
    now on this pop up click the 'perform database checks' button.
    System might give you a warning 'This will take time' , click yes and wait for the system to refresh the data.
    Once system has refreshed the database data, you should be able to see your newly created index.
    Regards,
    Siddhesh

  • Restrict authorizations for payment item transaction

    Hi All,
    This is regarding authorizations for a banking system.
    The requirement is the users need to be restricted for the following transaction based on the Bank Posting Area or the contract managing unit.
    BCA_PAYMITEM_CREATE
    When the user goes to create payment item the user should be allowed to enter an account which has been created with the contract managing Unit ZSUM007 or Bank Posting area ZSUM. The user should not be allowed to go in for any other values of contract managing unit and Bank Posting Area
    BCA_PAYMITEM_MAINTN
    The user should be allowed to enter an account which has been created with the contract managing Unit ZSUM007 or Bank Posting area ZSUM .The user should not be allowed to go in for any other values of contract managing unit and Bank Posting Area.
    I checked the transactions in SU24 and found only authorization object S_TCODE associated with the transcations BCA_PAYMITEM_CREATE and BCA_PAYMITEM_MAINTN.
    Can someone please suggest a way to acheive this.
    Regards,
    Thamarai.

    Hi Shiva,
    I tried assigning the org unit using PFCG ORGFIELD CREATE.
    Now the org unit in pfcg shows Org. level Contract-Managing Organizational Unit (Encrypted) but there is no coresponding field in the authorization objects in the role.
    Can you please help since the project is very critical.
    Regards,
    Thamarai.

  • How to restrict authorization for MMBE

    Hi,
    I need to restrict the authorization for t-code MMBE according to plant wise. Can anybody tell me about the procedure and authorization object used.
    Regards

    M_MATE_WRK Material Master: Plants is the object that is used to control teh display of data at plant level in tcode MMBE

  • Restrict authorizations for loads from HR to BW for certain data

    Hi,
    our customer wants protect some data in the HR productive system. This data are defined/restricted by certain personal areas.
    It is not enough to use reporting authorizations in BW to restrict presentation in queries or use filters in infopackets during load to avoid this data.
    The requirement is to make load of such data from HR to BW absolutely impossible, even BW administrator cannot see them and must not be able to load them.
    We will probably have to somehow limit ALEREMOTE users authorizations in BW. I do not know how and I even doubt, that extractors in HR source system perform authorizations checks for fields.
    Is there any way to do this?
    Thank you very much,
    Petr

    Hi Petr,
    Create a general enhancement program (restricted authorization) with generic name, which should be called dynamically for every datasource.
    Refer-
    http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/2d99121a-0e01-0010-e78c-b1ae566a2413?overridelayout=true
    Not personally tested but check following.
    In that program, you may try applying following logic:
    1) You may need to use TYPE ANY field symbols
    2) In While Loop until all fields of C_T_DATA checked, may be a counter based on total number of fields.
        DELETE C_T_DATA where <TYPE_ANY1> EQ (OR use IN) specific value(s) of Personnel Area
        DELETE C_T_DATA where <TYPE_ANY1> CS (Contains, check pattern) specific value(s) of Personnel Area
    ENDWHILE.
    Optionally: For Standard Daatsources in the same program you can add logic based on standard field only "WERKS".
    Note: You may need to research on dynamic pointing using field symbols for every field.
    Thanks
    Arun Purohit

  • Authorization for FBL5n specific customer

    Hi all,
    I have a scenario where we want to restrict sales person to view specific customer. We maintain sales person and customer number relation in a Z table.
    Please advise how I can restrict?

    Hello Ravi
    You can restrict access to master records in order to prevent unauthorized changes from being made. Depending on how you organize your master data, you can assign authorizations for maintaining this data. For example, one user may have authorization to maintain all master data, while another may have authorization to maintain only accounting master data.
    You can also assign different authorizations for different types of processing. All users could have authorization to display master records, while only a limited group of users may be able to create and change master data.
    Authorizations are specified during system configuration and assigned to each user in his or her user master record. If you have any other questions on this subject, you should contact your system administrator. The Implementation Guide (IMG) for Financial Accounting explains how to set up authorizations.
    Suresh

  • How to check the access right for a specific SAP object like MaterialMaster

    Hi!
    How can I check if I have the right to change a specific object like a material or document in SAP vie RFC. I need a remote able function which tells me, if I have enough rights! Or, if such a function does not exist, how can I write my own ABAP code to do this?
    Thanks,
    Konrad

    Hi,
    When initiating a transaction, a system program performs a series of checks to ensure the user is authorized.
    1. The program checks whether the transaction code exists in table TSTC.
    2. The program checks whether the transaction code is locked by the administrator (transaction code SM01).
    3. The program checks whether the user has the authority to start the transaction. Authorization object S_TCODE (transaction start) contains the authorization field TCD (transaction code). The user must have the appropriate authorization for the transaction code to be started (for example, FK01, Create Vendor).
    4. The program checks whether an authorization object is assigned to the transaction code. If this is the case, the program checks whether the user has an authorization for this authorization object. The transaction code/authorization object assignment is stored in table TSTCA.
    Note: An SAP program controls steps 1 through 4. It displays an automatic message to the user if an authorization attempt fails in the step.
    5. The system performs authorization checks in the ABAP program using the ABAP statement AUTHORITY-CHECK.
    Regards
    Sudheer

  • How to track the queries for a given info object

    Hello All,
    I have info object 0COORDER, I wan to know what are list of queries built on this particular info object
    Full points just for solution or suggestion
    varsha

    Hi
    This can be easily found in Meta Data Repositry. RSA1 --> Meta Data Repositry --> Choose the category Infoobject and search for your required infoobject, here you get following Info:
    1. Display Attributes of the Info Object
    2. Navigationla Attributes of the Info Object
    3. Queries in which they are used.
    4. Used by which MP,Cubes,DSO, Info Set , Transfer Rules etc.
    Regards
    Raj Rai

  • Urgent::::Data is not loaded for a perticular info object in ods

    Hi All,
    We have loaded data into an ODS( 0PRC_DS01) in development server. It was successfully loaded into it all info objects.Reports were working well.
    When we transported it to production, data loading was taking longggg  time (15000 for 9 hours).So, we have done two things to improve the loading speed.
    1) we have created an index based on the fields in the where clause RCLNT,RLDNR,RYEAR, DOCNR, POPER in JVSO1 table.
    (JVSO1 is an R/3 table from where key data coming to datasource 0EN_JVA_2.)
    2)We have updated the optmizer statistics.
    Now the problem is, data is not loaded to one perticular info object JOINT VENTURE PARTNER in dso. Which was loaded successfully in development.
    Please help us........We will assign points for helpful answers

    Hi Chek in the transfer and update rules whether u mapped the fields with target and also check whether u have routine. and check whether the data is coming for that object from the source.
    Khaja

  • Table for Communication structure Info Objects

    Hi all,
    Is there any table which has list of all infosources along with the Info objects assigned to it.
    I tried to see in RSKSFIELD but some of the infosources are not present in this table.
    regards,
    Rk

    hi krishna,
    RSIS for the available Infosources but this is for the transaction data. If you need to know which Infosource is from which Infocube then check RSUPDINFO table.
    RSDCUBE table: displays the list of available cubes.
    RSODS table: to find the ODS/DSO.
    regards,
    raghu.

  • Steps for creating 0MATERIAL info-object

    Hi,
    Guys I need help for the below mentioned activities, I need detailed step by step guidance.
    Create a copy of 0MATERIAL info-object  (and name it as ZZY_MAT) with a minimum of 10 attributes (few navigational and few display).
    Create a transformation and DTP (for source system PC_FILE) and do a data load for atleast 100 material numbers.
    Thanks and regards,
    Jagadeesh v
    <Moderator Message: Please read the [help|http://help.sap.com]>
    Edited by: Siegfried Szameitat on Aug 25, 2010 11:26 AM

    Hi,
    try 0LO-IO.
    regards
    Siggi

  • Need Data source names for 0RPM_SIGH&0RPM_PIHG info objects

    Hi All,
    We are loading the data from SAP-xRPM to BW.I need to load the data fro the info objects 0RPM_SIGH&0RPM_PIHG.But i am not having suffisient information that which data source is providing data .So please help out to finding the master data data sources.
    Full points will be  given for the correct solution.*
    Thanks & Regards
    Ramakanth.

    hi,
    check out the following pdf document regarding rpm data sources.
    http://help.sap.com/saphelp_nw70/helpdata/en/44/16e6f7a6f30d19e10000000a114a6b/RN_703_en_final.pdf
    http://help.sap.com/saphelp_nw70/helpdata/en/44/a27fca9a895da3e10000000a1553f6/RN_7032_en.pdf
    hope this help you
    regards
    harikrishna N

Maybe you are looking for