Role to Restrict access to BW report acc. to plant & Region

Similar Messages

• Restrict Access to Expense Report template for a Responsibility

  Hello,
  We want to restrict access of a Expense Report template to a specific responsiblity.
  Is there a way to do it.
  Basically we have around 3 Expense Report Template. But we want to restrict access to one of the template to a particular responsibility.
  Any help in this regard is greatly appreciated.
  Thanks

  Hi ,
  To my Knowledge the only option I think right now to restrict the template for an Responsibility is to do is there is check box Enabled/disabled where you define the templates ,Try to disable that check box and see , I think when you try to create an expense report from Internet Expenses after you do this , you cant see the template you have disabled it in the List of values for that Responsibility . I hope that works .
  Thanks
  Deepthi .
  Edited by: 796018 on Sep 20, 2010 10:32 AM

• Creation of roles with restricted access to infoarea

  HI !
  We need to create some custom roles in BW, which will restrict the user (with that role) to access only specific infoareas in BW,  i.e. the reports and Infoproviders etc created under those InfoAreas.
  When I tried to create a role in tcode PFCG, I dont get any such options to restrict by InfoArea. Do we have to create custom Authorization objects for this and assign them to this role? if yes, how do we create such Authorization objects?
  I am totally new to roles/profiles etc... i read the online documentations, but cudnt understand them much.
  <u>Please provide the steps to do this</u>.
  Thanks,
  SUshmita

  hi Sushmita,
  try authorization object S_RS_COMP - business explorer compnent (under RS - business information warehouse),
  you can specify infoarea, infocube
  hope this helps.

• Security report with native roles and the roles they have access to.

  We need a security report that shows the Native/Custom Roles and the roles that they have access to.
  So, an example would be the role US_Acct, and the report would show what roles that has access to (Post Journals, Consolidate, etc).Can this be done?

  Export the Provision report from Shared Services.
  Upload report to Excel or Access.
  Build Tables to show what tasks each Role has access to.
  Build a report that links the provision report and the xref tables.
  You should also do this with Security Classes.

• HR data administration and reporting - restricting access

  Hello All
  We have a single role for HR data adminsitrators.  There is no distinction on PA, PSA u2013 no further breakdown u2013 everyone gets to see everything and they have access to change everything.  How may we restrict access?  Any help would be greatly appreciated.

  Hi,
  Please let me know if you are using Structural authorizations.
  For non-structural security, without any breakdown on PA, PSA, EE groups/subgroups, you may use Organizational key (VDSK1 field of Auth object P_ORIGIN) to restrict the data access.
  In the standard configuration, the field is filled with the values of Personnel Area and Cost Center.In Customizing activity, you can set up Organizational Key and define your own rules for the field.  Ex: Organizational Key with an employeeu2019s Organizational Unit and Cost Center. It can be configured to include any of the data from Infotype 0001 (Organizational Assignment) within HR.
  The Organizational Key essentially provides an additional user-defined field to be used for security restrictions.
  Hope it helps!
  Thanks,
  Sandipan

• How to implement Oracle user/role security with Access front end?

  Hi,
  We have successfully migrated our Access database tables to Oracle 10g using SQL developer. We've recreated all the users and roles(i.e., access groups) in Oracle and granted rights to tables.
  In the Access front end database, in the Database window we have saved linked Oracle tables which replaced the Access tables. The forms, reports, queries run fine with the linked Oracle tables. All the linked table use one ODBC DSN to the Oracle database with the same Oracle user id.
  We need to be able to authenticate users into the Oracle database and RE-link the tables based on their own unique user id. By during so we can allow users to use the Oracle standard user id/role and system privileges to control select, update, ect. rights to the database.
  I've been able to use the VB code within Access to logon into the database with a unique id, but I have not been able to find out how to RE-link the tables to the unique user id using VB. There should be some way to relink tables dynamically, based on users login into the Access front end.
  I don't know a great deal about Access projects, but I do know with SQL server allows login into your Access project and link tables dynamically.
  Can someone give me some assistance or point me in the right direction?
  Thanks in advance,
  Larry

  We had one of our programmers here come up with a VB code solution for re-linking table within Access. However the relinking takes 3-4 minutes for 100+ tables.
  In an effort to help you understand the situation better, I will attempt to elaborate on the problem:
  We have an Access 2003 application which currently has a front end using Access(forms, reports, queries, & VB code) and a MS Access 2003 backend.
  We have migrated the backend tables to Oracle. However, we still have a need to maintain the front end in Access, since we have over 60 forms, 40 reports, 200+ queries in Access. Its easy to understand, we have a significant investment in the front end(Obviously, the plan is to migrate the front end also at some future date).
  In order to utilized the existing front end, we have to validate and modify the current front end connections to the new Oracle backend. One of the features of Access is that you can "link" tables and save the link for runtime. Each Access table can have its own link which is a separate ODBC/JET connection. As such, each separate link has its own userid/database information.
  The other issue with using the Access front-end is that Access utilizes a workgroup file to implement user and group security. The workgroup file contains all the users and which groups the users belong to in Access. Then within Access, you allow users access to object(tables, queries, ect) by their userid and or group. When users open an Access database with Access security enabled, they are required to log into Access. The login is authenticated by the workgroup file. Once, logged into Access, users have rights to Access objects based on their rights granted to their userid and groups they belong. The problem here is that when you remove the linked Access tables and replace them with linked Oracle tables, Access has knowledge about Oracle table rights granted to users; nor would you expect it to.
  The dilema is the disconnect between Access and the fact Oracle utilizes a similar but much more sophisticated security model. It creates users and roles(which are similar to Access groups), and again this is independent of Access security.
  Our solution was to still use the Access workgroup file security along with the Oracle security model. By using the Access userid and then creating a similar Oracle userid with similar table rights granted in Access, you could apply security within Access and also with the Oracle database.
  For example, a user BOB logs into Access via the workgroup file, using VB code, Access then establishes a Oracle connection logining into Oracle using the same unique userid BOB into Oracle.
  After connecting and validating user BOB into Oracle, then the Access tables are relinked to Oracle using the user BOB userid and table rights.
  This Oracle userid has been granted table rights specific for this userid.This allows the user BOB to use the Access application and still be authenticated into the Oracle database.
  The problem with this solution is that the relinking of the saved Access tables takes 3-7 minutes for about 100+ tables. This is not acceptable for users each time they log into the application.
  Our current alternative is to use one Oracle userid to login each user, and use Access form restrictions/security to allow/prevent users from updating/viewing data. Obviously, this is not the optimal solution in respect to security, but it at least allows us to control access to the data(via the forms) by using one logon required for each user, and quick startup time for the application.
  I understand SQL server does a better job in integration, but we use Oracle which is what I am trying to work with.
  Larry

• Restricting access to a  cube while it is being maintained

  Hi,
  We are trying to restrict access via discoverer/excel add in to a CUBE while cube is being maintained. We were able to achieve this by revoking privileges to certain roles before the start of the cube build.
  I would like to know if there is any better way or built in functionality(out of box) that restricts access to a cube a while it is refreshing? Any help is appreciated.

  Ragnar is correct, the best way to do this is to attach the AW in exclusive mode. You can either do this manually yourself before starting your load job, or automatically by scheduling the job and using mutiple processes to load and solve the cube.
  The problem is removing users currently viewing data via Excel/Disco when the job starts. If you can ensure there will be no users accessing the AW when the job starts, then the exclusive attach mode will prevent any users from attaching the AW during the processing. If you cannot guarantee this, then there is a problem because the job will fail when it tries to attach the AW in exclusive mode. Obviously you could put this in a loop and wait until a user exits the front end application and releases the AW. Alternatively, you could write a SQL script to disconnect/kill all sessions accessing the AW - not very nice for the users though if they are building a report because they will lose all their unsaved changes.
  When the AW is attached in exclusive mode, bad news is that Discoverer/Excel will probably generate a nasty Java error message when a user tries to connect using Discoverer/Excel.
  Therefore, overall not an ideal situation. But I cannot think of a really good way to manage this at the moment. Sorry I can't be more helpful.
  Keith Laker
  Oracle EMEA Consulting
  OLAP Blog: http://oracleOLAP.blogspot.com/
  OLAP Wiki: http://wiki.oracle.com/page/Oracle+OLAP+Option
  DM Blog: http://oracledmt.blogspot.com/
  OWB Blog : http://blogs.oracle.com/warehousebuilder/
  OWB Wiki : http://wiki.oracle.com/page/Oracle+Warehouse+Builder
  DW on OTN : http://www.oracle.com/technology/products/bi/db/11g/index.html

• Backend BW roles for users needed when running reports in infoview?

  Hello all,
  We are using SAP BI Queries as the sources of our universes, the user is going to logon to infoview to run report in webi. We have created some access levels in CMC to restrict users, the question is - the user will still need some kind of backend BW roles to have access to the BI query that is developed in BW system right? That way the user can fetch data?
  Let me know
  Thanks in advance.

  Hi,
  If you are using SAP Authentication and Single sign on option in universe connection, the users must have sufficient roles to access SAP BW database.
  if not, the only user login which you create during connection creation having roles to access to BW database is enough. In this case, the user can login to Infoview using any user and can access the report if he has priveleges to the report.
  Hope this helps!

• Restricting access to Queries via Search

  Does anyone have any ideas on restricting access to queries from the Bex search. We have folks that are using the search functionality of Bex and are finding queries that we have not been published to a reporting role. We instruct our query writers that when devloping queries, do not publish them to a reporting role until they are finalized and tested. We are finding that folks are using search in Bex and finding these queries that may be in the middle of development and trying ot use them. In other words, we would like to restrict the Bex search to just queries published to reporting roles.

  Hi Diago,
       Our dilema is that restricting access of the search by query name (via the role) requires the query writer, when finished with the development of their query, to do a savas with a different technical name that falls into the role restrictions of the authorization. This then leaves two versions of the query out there until the original gets deleted, if the query writer happens to remember to do that. It would be great to limit the search mechanism to just published queries. What are other folks doing to get around this issue. It seems that everyone would be running into it unless the search could be restricted in such a manner.

• GRC 5.3 Restrict access in RunRiskAnalysis

  Hi All,
  We are using GRC 5.3 and are looking to restrict access to variant deletion in the RunRiskAnalysis section. The variants are our primary way to run reports for different systems and hence we do not want these to be deleted (accidentally or otherwise).We have created a custom role in UME with action RunRiskAnalysis ad ViewInformer only.
  Please let me know if you have any pointers or suggestions
  Thanks in advance
  Vijaya

  per my knowledge this is not possible.
  GRC created permissions for every different action items in RAR. you can create message with SAP GRC to check if they had created any permission for variant. (i doubt)
  if not please request SAP for one.
  also please check security guide of GRC, will contain all the permission delivered in AC 5.3.
  regards,
  Surpreet

• Restrict access to rows in tables using S_TABU_LIN

  Hello
  Is it possible to use this authorization object to restrict access to rows in data tables, based on role?
  Namely, a query is created for table holding financial documents data, and I would like users in charge of one company code, to only be able to see rows relating to that company code when they execute the query.
  I have defined and activated an organization criteria, and included it in the role authorization data restricted to only one company code value, but the user is still able to see all rows in the table.
  The system trace doesn't show a check for the S_TABU_LIN Object while the user is executing the query.
  Can anyone tell me what I'm missing?
  Thanks in advance
  A.

  If you activate S_TABU_LIN, whenever that org criterion is hit with table data being retrieved then the check will be performed.  If it is a standard SAP table field then that could potentially become problematic depending how you set it up.
  By extending the security in the infoset query you are turning the query from a quick and dirty tool to extract data into something that you can control as you would a bespoke report.  Once your dev team have worked out what they need to do, you can apply the standard auth concept to queries with relative ease and without impacting other parts of your security.
  Another thing to mention is that if your developers use logical databases to retrieve query data then there is usually auth checks incorporated in there (which don't show up in SU53 or ST01).

• Issue with the ROLES in Precalculation of WebTemplate in Reporting Agent.

  HI BWers,
  I am having trouble in understanding the functionality of ROLES and USERS in the Reporting Agent.
  My goal is to pre-calculate WebTemplate,so the users can get the data results based on their ROLES.
  -> When I select ROLES under Authorizations in Reporting Agent; my understanding was it will just pre-calculate the WebTemplate based on Roles. But, when I look at the job details its doing for the Users. I opted for   ROLES because I have 10-Roles and 100-Users, so the job runs for only Roles.
  -> I don't want to select the Users, as it will take longer time and uses lot of system resources.
  Can I just run for ROLES, for that under Authorizations in Reporting Agent do I need to select Precalculate User-Specifically and Select ROLES or just selecting ROLES will do. I tried both, just selecting ROLES is not working and selecting Precalculate User-Specifically & ROLES is not yielding the required results.
  Could you please throw some light on it, I am on BW 3.5 & SP15.
  Any help will be highly appreciated.
  Regards,
  swordfish.

  Hi,
  If you choose the Precalculate by User option, all the data and HTML pages for the Reporting Agent setting are precalculated for each of the selected users in a single job. This applies in both the cases: Roles or users. When you specify a role after selecting the option 'Precalculate by User', the precalculation will be done for all the users assigned to that role and not the role.
  Roles/Users is just 2 different ways of giving the user restriction. If you specify the roles, the system will precalculate for all the users assigned to the role. If you have few users for whom you want the precalculation to be done, then you can specify the user IDs. If you have many users assigned to a particular role for whom you want the precalculation to be done, then you can specify the role.
  Regards,
  Shilpa

• Developer role able to edit a shared report that he did not create

  Hi,
  It seems like user with "BI Publisher Developer" role is able to edit a report
  in shared folder that he has access to.
  Question: How can I create a user who can develop/create/edit his own reports,
  and have view only access to some shared reports and
  have edit access to some other shared reports?
  i.e I want a scenario where there are 2 folders in Shared folder say FolderA and FolderB.
  I want to create a user who is a developer such that he can create reports under My Folder
  for his personal use and also be able to create/edit reports under Shared/FolderA,
  but have only view-only access to Shared/FolderB
  Thanks

  Moderator Action:
  Same reaction as with your other triple multi-post:
  https://forums.oracle.com/thread/2576361
  Do not multi-post.
  That's the same as if you were a spammer.
  This one is also locked.
  Stay with your post that is in the New To Java forum space.
  Stay in the New To Java forum space until you are not a novice any longer.

• How to restrict access in 2008?

  How to restrict access in 2008?
  So, I would like to do the 2 following things:
  1. Grant developers access to read all Active Form Comonents
  2. Create new Form Groups
  3. Not be able to change nS Resticted AFC
  and
  1. Grant developers rights to Create Ous
  2. Add/Rmeove Members to OUs
  3. Remove rights to add/remove to/from Site Admin OU
  Any suggestions on how to do that?
  So far I tried the out of the box Capabilities and Permissions, created custome ones, but still no luck in accomplishing all 3 items.

  Your request #1 is not possible. In paticular, you can't create new form groups and still not be able to change all form groups. Please submit an enhancement request, asking that newScale support your desired role configuration.
  Similar problem with #2.

• How to restrict access to views for some users in the app?

  Hi SDN!
  I have an WD application wich embedded in the portal. Appication has 2 iViews (and 2  pages respectively). These iViews consist several views connected with each other (e.g. one view provide list data, second view is add/edit form for this data). I need to restrict access for some users for view with add/edit form. I can't make separate page for this view.
  What I've done:
  1) create yet another UIContainer for this view in main window and embed view to this container. It was be done for create separate iView for form.
  2) in the portal I create iView for this form but don't embedd in any page.
  When I try to call my form from list data (that is one iView from another) I get exception:
  <b>com.sap.tc.webdynpro.services.exceptions.WDRuntimeException: duplicate usage of view .MyCarRentalAddCity</b>
  Is there a way to get needed functional?
  Thanks,
  Lev

  Hi,
  do you need to remove the IView from the portal menu or do you just want to make a View container in your WD application invisible if the user doesn't have the rights to see it.
  If so, you could create your own roles on the app server:
  You need to create a new class that extends NamePermission like:
  import com.sap.security.api.permissions.NamePermission;
  public class ApplicationAccessPermission extends NamePermission {
             * @param name
            public ApplicationAccessPermission(String name) {
                 super(name);
             * @param name
             * @param action
            public ApplicationAccessPermission(String name, String action) {
                 super(name, action);
  Also, you have to create an Action.XML file that looks like this:
  <BUSINESSSERVICE
       NAME="com.vendor.administration">
       <DESCRIPTION
            LOCALE="en"
            VALUE="actions view usage"/>
       <ACTION
            NAME="View Permission">
            <DESCRIPTION
                 LOCALE="en"
                 VALUE="Show view"
                 />
            <PERMISSION
                 CLASS="com.vendor.utilities.ApplicationAccessPermission"
                 NAME="ShowView"
                 />
       </ACTION>
  </BUSINESSSERVICE>
  If you have created these to files in your packages, you can access this function like:
  IUser user ;
  try {
            user = WDClientUser.getCurrentUser().getSAPUser();
            if(user.hasPermission(new ApplicationAccessPermission("Show view"))){
                 wdContext.currentV_UIElement().setViewVisibility(WDVisibility.VISIBLE);
            }else{
                 wdContext.currentV_UIElement().setViewVisibility(WDVisibility.NONE);
       }catch (WDUMException e1) {
            wdContext.currentV_UIElement().setViewVisibility(WDVisibility.NONE);
                  e1.printStacktrace();
  You have to bind the ViewVisibility attribute of the context to the View Container you want to hide.
  The applicationAccessPermission you defined in the XML File will be visible in the UME Manager of you J2EE engine. With this action you can create a new role and group that you can map to the users that should see you view.
  But, the exception you get is because you have embedded one view twice, which is not possible.
  Hope this helps.
  Regards,
  Dennis