Second Level Authorization for ESS

Hi,
I have an issue regarding ESS . The requirement is to provide a second level authorization when anybody clicks on the content in ESS. i,e a logon screen. On successful authentification the user has to see the required info. We should also be able to provide a 5 min idle time out. Can anybody help me with this.
Thanks,
Abhishek

Abhishek, Did you find any solution for second level authentication for ESS?

Similar Messages

"Low-level" authorizations for accessing BW reports - add users to role

Using the advice in Topic "Low-level" authorizations for accessing BW reports, I have been able to publish a query to a role that has 3 test users and each user gets the same query but with different data, as determined in the tables.
Is there a way to look up the users and e-mail addresses from a table and associate them to the role? We have several hundred e-mail recipients that will not need BW access, but only need an e-mail with a static report that contains data on their own territories.

Hi!
i think programatically it might be complex. You got to maintain a seperate variant of report per user and use this variant to send mail. that means you need to maintain a variant and a Broadcast setting per user. once maintained you can use it any number of times the values will be recalculated everytime.
with regards
ashwin
PS n: Assigning point to the helpful answers is the way of saying thanks in SDN. you can assign points by clicking on the appropriate radio button displayed next to the answers for your question. yellow for 2, green for 6 points(2)and blue for 10 points and to close the question and marked as problem solved. closing the threads which has a solution will help the members to deal with open issues with out wasting time on problems which has a solution and also to the people who encounter the same porblem in future. This is just to give you information as you are a new user.

Determining second level approver for travel expense claim workflow

Hi Experts...
In Travel Expense claim workflow,we are using two level Approval.The employee has to enter his data for expense claim through ESS..Then expense claim is submitted and sent via workflow to the Travel department. Travel Dept verifies the expenses against the bill and approves the claim by selecting the next level approver and attaching the scanned copies of the bill.
I made copy from the standard workflow WS20000040.
How can i select the next level appover in first level approval step???
Is there any FM or BAPI or BADI???
Please help me ...
Thanks in Advance
Regards,
Hemalatha.

Hi Hemalatha,
I have small tricky workaround to find out the second level of approver.The Standard Rule available can reused again by passing manager's Position.i.e
After first level completed , store manager position in container variable and pass it to the same task rule so the task is sent to the manager's approver .
Message me if needed more details.
**Award Points if useful

Plant level authorization for Notification Change

Hi All
We have 7 plants and person belong to one plant is able to open and change the notification of other plants.
In the role we have given restriction for the plant for the Tcode IW 22 and for the object SWERK .In the Notification only Workcenter and Plant fields are mandatory.
How can we restrict for a user belong to a particular plant can only change his plant notifications using IW22 only ---not IW28
Thanks in advance
gangs

Dear gangs,
Check in all the roles of that user in orgnozation levels maintenance plant and planning plant.
It may happen in one role you have ristricted for that user, but in other roles it may be having the t.code authorization for IW22 and with other plant also.
Check that also.
Regards,
Praveen.

Problem in second level navigation for some users.

Hello friends,
We have a group with few users, we have assigned certain roles to that group, all the roles are visible to all but the order of second level navigatin has changed for some users and not for all. Please suggest some solution.
Thanks,
Mitts

Hi Mittal,
Is there any merging of roles going on?
When you assign new roles, does the 2nd level navigation contain the same nodes but in a different order, or are there additional nodes added?
Perhaps you can explain in more detail the set up.
Daniel

Error after second level approval in ESS leave request

Hi Experts
I am using custom workflow for Ess Leave request process which is copied from WS21500001.
I have added custom class methods to change status from approved to sent.
Then another method i have set next appovaer.
The problem i m facing is that I am getting an error on portal after second approval approves the request.
i.e Field syomol has not been assigned yet.
from st22 i found its generating from
Include LPT_ARQ_REQUEST_UIAF06 - Form   execute_approver_update
By debugging i found that Its not getting next approval with status T as there is only first approval with status 'A'
This results in unassigned field symbol. and then error.
Please help me resolve this issue.
Please confirm why next approver is not found in method.

Hi All
Thanks for your reply.
I checked why it was giving a dump.
This execute_approver_update subroutine takes approval data from table ptreq_approver .
I filled this with resp actor id after request is approved and status is changed to sent.
For every emp its unique actor id is saved in ptreq_actor table agaist his pernr.
   SELECT SINGLE actor_id FROM PTREQ_ACTOR INTO actor_id WHERE objid = nextApprover_pernr.
    wa_appr-mandt = sy-mandt.
    wa_appr-request_id = Request_ID. "Req.requestID ( from Workflow )
    wa_appr-version_no = version_no. "Req.Version ( from Workflow )
    wa_appr-seqnr = seqnr. "Same as version no but in char
    wa_appr-approver_ins = actor_id. "Employee actor id from ptreq_actor
    wa_appr-status = 'T'. "Manual
    append wa_appr to it_appr.
    INSERT PTREQ_APPROVER FROM TABLE it_appr .
    commit work and wait.
This resolved my issue.
Thanks

Object level authorization for SLT Configuration schema in HANA DB

Hi All,
We have connected SLT with HANA DB (& ECC as source system).
Now for certain users we wanted to restrict the access for certain tables ( tables owned by SLT Schema, i.e schema created in HANA DB with the configuration name provided in the SLT configuration).
With the SYSTEM user object level authorization's of another schema is not possible hence , an error is thrown when we are trying to provide/control the access of single table for a user.
Is it ok that we generate a password for SLT schema and try login with schema owner. Is it the best practice or Is there any other way around.
Regards,
Kumar

Hi Santosh,
You can find more info about SLT Roles and Authorization from below security guide.
http://help.sap.com/hana/SAP_HANA_Security_Guide_Trigger_Based_Replication_SLT_en.pdf
Regards,
V Srinivasan

We need to give field-level authorization for some fields

The schenario is as follows :
1. There are various storage locations within a plant.
2. There is one or more people incharge of creating PO and receiving
stocks for every storage location.
3. We dont want to authorise the person incharge of one storage
location to receive stock in another storage location or even view the
other storage locations at the time of creating the PO or any other
transaction. The user incharge of one storage location should not be
able to view any other storage location in any storage location field's
drop down.
regards
Manish
+91 9811647727

Hi Umesh,
Please see the documentations for authorization profile P_ABAP in the R/3 library and the following:
SU03 -> HR Human resources -> position your cursor to P_ABAP HR: Reporting -> choose button "Docu." -> the pop-up "help - P_ABAP" appears.
There is an example, which describes a similar issue regarding RPTIME00 and the Basic pay infotype (0008).
The standard reports of personnel administration are based on logical database PNP I would recommend to set your authorization as follows:
Object HR: Master data (P_ORGIN) (two authorizations)
Infotype                  0002             ' '
Subtype                   *                ' '
Authorization level       R                ' '
Organizational key        ' '              0001YYYYXXX
Object HR: Reporting (P_ABAP)
Report name                SAPDBPNP
Degree of simplification   1
Please note, that if a user has authorization for e.g. the birthday list , (s)he will be able to view the birth date through thisquery, although (s)he cannot access to IT0002 through PA20.
Another possibility would be using Customer-Specific Authorization Object P_NNNNN. I have attached a file with a very comprehensive documentation regarding HR authorizations. P_NNNNN is documented on pages 40 ff.
Hope this help
Sarah

Field level Authorization for IT0002

Hi All,
We have a requirement to control the authorization for the field NI Number/Social Security number from IT0002.
This field is getting displayed in various standard reports which are in use by administrators/Managers etc....
We want to disable the access of this field to every one, even the HR administartor.
Kindly suggest if this is possible using authorizations.
I know that we can hide the field in display access for PA20 or PA30, but I am particularly serching the option for various reports.
Regards,
Umesh Chaudhari.

Hi Umesh,
Please see the documentations for authorization profile P_ABAP in the R/3 library and the following:
SU03 -> HR Human resources -> position your cursor to P_ABAP HR: Reporting -> choose button "Docu." -> the pop-up "help - P_ABAP" appears.
There is an example, which describes a similar issue regarding RPTIME00 and the Basic pay infotype (0008).
The standard reports of personnel administration are based on logical database PNP I would recommend to set your authorization as follows:
Object HR: Master data (P_ORGIN) (two authorizations)
Infotype                  0002             ' '
Subtype                   *                ' '
Authorization level       R                ' '
Organizational key        ' '              0001YYYYXXX
Object HR: Reporting (P_ABAP)
Report name                SAPDBPNP
Degree of simplification   1
Please note, that if a user has authorization for e.g. the birthday list , (s)he will be able to view the birth date through thisquery, although (s)he cannot access to IT0002 through PA20.
Another possibility would be using Customer-Specific Authorization Object P_NNNNN. I have attached a file with a very comprehensive documentation regarding HR authorizations. P_NNNNN is documented on pages 40 ff.
Hope this help
Sarah

Object level authorizations for deffirent user restrictions

Hi
i have 1 object, this object have only 3 values?
i need authorizations for this object at report level?
rsa1- i keep authorization relevant?
rsecadmin i can include this object , here i need give from value and to value? i have 3 values only? suppose user 1 want only 1 value? user 2 need 2 and 3 value? how can i restrict like this ? ple let em know

Hi Suneel,
Go to RSECADMIN.
Here, in maintain authorizations, create authorization for your characteristics along with the special characteristics.
i.e. in your case, create authorization(assume 0plant is marked as authorization relevant)
0PLANT
0TCAACTVT
0TCAIPROV
0TCAVALID
Double click on each characteristic to assign them the authorized value set.
Thus, you will create two authorizations
Z_PLANT_1
0PLANT...................I..EQ..............1
0TCAACTVT.............I...EQ..............3
0TCAIPROV.............I...EQ..........ZPROVIDER
0TCAVALID..............I...EQ...........*
Z_PLANT_2&3
0PLANT...................I..EQ..............2
..............................I..EQ..............3
0TCAACTVT.............I...EQ..............3
0TCAIPROV.............I...EQ..........ZPROVIDER
0TCAVALID..............I...EQ...........*
Go to RSECADMIN again in user tab in assignment, assign these authorizations created to the respective users.
Like assign User1 -
>Z_PLANT_1
................User2 -
>Z_PLANT_2&3
Refer the link below for more information
[Analysis Authorization|http://help.sap.com/saphelp_nw70/helpdata/en/66/019441b8972e7be10000000a1550b0/frameset.htm]
Hope this helps,
Best regards,
Sunmit.

BI7 InfoObject Value Level Authorization for Queries

Hi Guys/Gals,
this is my requirement.....
we have a HR ODS which has personal information of employees from 72 Companies.
we have a query based on this ODS ....
My requirement is when User A runs the query only data from Company A must be displayed...
and when User B runs the same query only data from Company B must be displayed....
no pop-ups for the company code .....
i posted this question yesterday & got a few replies....i tried them out... but there is this issue...
i used the RSECADMIN & created the AO which includes the 0COMP_CODE....
then i added it to the role using PFCG....
when i add the AO i created in the " BI Analysis Authorizations: Na " section...
the query gives a "no authorization" error.....
then one of u guy asked me to add it in to the
"SAP Business Information Warehouse - Reporting" section,,,, so i did that....
but unless i also add " BI Analysis Authorizations: Na " with * the query doesn't work....
and when i add " BI Analysis Authorizations: Na " with * &
"SAP Business Information Warehouse - Reporting" with the AO i created...
the filter doesn't work... it displays all the data
please help me.....

Hello Christopher,
your thread is a little bit confusing and unclear. I just had a look at the other two threads you posted and here are my comments:
Prerequisite for the use of BI 7.0 analysis authorizations:
- each user needs authorizations for the three special dimensions (0TCAACTVT, 0TCAIPROV and 0TCAVALID) otherwise queries won't run!
As a consequence you will have to create analysis authorizations like this:
ZCOMP_1000
0COMP_CODE I EQ 1000
0TCAACTVT I EQ 03
0TCAIPROV I EQ your HR DSO
0TCAVALID I EQ *
ZCOMP_2000
0COMP_CODE I EQ 2000
0TCAACTVT I EQ 03
0TCAIPROV I EQ your HR DSO
0TCAVALID I EQ *
You can then assign these authorizations directly to your specific users using RSU01 or you will create a role and add the authorization object S_RS_AUTH with value ZCOMP_1000 and another one that contains S_RS_AUTH with value ZCOMP_2000.
Of course your users will need authorizations for standard reporting such as S_RFC, S_RS_COMP, S_RS_COMP1.
S_RS_ICUBE, S_RS_ODSO, S_RS_MPRO, S_RS_ISET are not necessary any more for reporting because they were replaced by 0TCAIPROV in the analysis authorization.
Finally the query selection must be COMPLETELY be a part of the user's authorizations. This is best done by an query variable that is filled from the user's authorizations at runtime.
Good luck,
Petra

Object level authorizations for reports

HI
I have 20 charactesr in cube , around 15 have navigational attributes.
i need to give authorizations for 5 objects only .( navigational attributes).
i have 10 reports, i need 2 reports only authorizations relavant.
if i restrict 5 objects authorizations , its effect all queris? in this scenerio i need to create 2 cubes?
ple let me know

hi suneel,
As you said you require authorization for 2 reports, you can restrict those Infoobjects with the authorization variables and in the other 3reports use that object but do not restrict to the authorization variables..
So, the user will be able to see whole data for 3 reports where authorization is not used.
Hope it is clear.
Thanks
Lavanya

Missed authorizations for ess personal id

Hi,
I configured ESS. I can see all the services..except Personal id under personal information.
kindly let me know what role should i assign to get this view.
i assigned composite role to the end user. even though i m not getting...
thanks in advance
renu

yes, i did it. i can able to access other ess service... only for personal id(persoanl Information) i m getting belwo error...
Critical Error
A critical error has occured. Processing of the service had to be terminated. Unsaved data has been lost.
Please contact your system administrator.
You have no authorization to display
com.sap.pcuigp.xssfpm.java.FPMRuntimeException: You have no authorization to display
     at com.sap.pcuigp.xssfpm.java.MessageManager.raiseException(MessageManager.java:112)
     at com.sap.pcuigp.xssfpm.java.MessageManager.raiseException(MessageManager.java:122)
     at com.sap.xss.per.helpers.MessageHelper.raiseException(MessageHelper.java:43)
     at com.sap.xss.hr.per.in.pid.fc.FcPerPidIN.readRecord(FcPerPidIN.java:269)
     at com.sap.xss.hr.per.in.pid.fc.wdp.InternalFcPerPidIN.readRecord(InternalFcPerPidIN.java:535)
     at com.sap.xss.hr.per.in.pid.fc.FcPerPidINInterface.readRecord(FcPerPidINInterface.java:146)
     at com.sap.xss.hr.per.in.pid.fc.wdp.InternalFcPerPidINInterface.readRecord(InternalFcPerPidINInterface.java:197)
     at com.sap.xss.hr.per.in.pid.fc.wdp.InternalFcPerPidINInterface$External.readRecord(InternalFcPerPidINInterface.java:273)
     at com.sap.xss.hr.per.in.pid.overview.VcPerPidINOverview.onBeforeOutput(VcPerPidINOverview.java:257)
     at com.sap.xss.hr.per.in.pid.overview.wdp.InternalVcPerPidINOverview.onBeforeOutput(InternalVcPerPidINOverview.java:243)
     at com.sap.xss.hr.per.in.pid.overview.VcPerPidINOverviewInterface.onBeforeOutput(VcPerPidINOverviewInterface.java:134)
     at com.sap.xss.hr.per.in.pid.overview.wdp.InternalVcPerPidINOverviewInterface.onBeforeOutput(InternalVcPerPidINOverviewInterface.java:132)
     at com.sap.xss.hr.per.in.pid.overview.wdp.InternalVcPerPidINOverviewInterface$External.onBeforeOutput(InternalVcPerPidINOverviewInterface.java:208)
     at com.sap.pcuigp.xssfpm.wd.FPMComponent.callOnBeforeOutput(FPMComponent.java:603)
     at com.sap.pcuigp.xssfpm.wd.FPMComponent.doProcessEvent(FPMComponent.java:569)
     at com.sap.pcuigp.xssfpm.wd.FPMComponent.doEventLoop(FPMComponent.java:438)
     at com.sap.pcuigp.xssfpm.wd.FPMComponent.wdDoInit(FPMComponent.java:196)
     at com.sap.pcuigp.xssfpm.wd.wdp.InternalFPMComponent.wdDoInit(InternalFPMComponent.java:110)
     at com.sap.tc.webdynpro.progmodel.generation.DelegatingComponent.doInit(DelegatingComponent.java:108)
     at com.sap.tc.webdynpro.progmodel.controller.Controller.initController(Controller.java:215)
     at com.sap.tc.webdynpro.progmodel.controller.Controller.init(Controller.java:200)
     at com.sap.tc.webdynpro.clientserver.cal.ClientComponent.init(ClientComponent.java:430)
     at com.sap.tc.webdynpro.clientserver.cal.ClientApplication.init(ClientApplication.java:362)
     at com.sap.tc.webdynpro.clientserver.session.ApplicationSession.initApplication(ApplicationSession.java:756)
     at com.sap.tc.webdynpro.clientserver.session.ApplicationSession.doProcessing(ApplicationSession.java:291)
     at com.sap.tc.webdynpro.clientserver.session.ClientSession.doApplicationProcessingPortal(ClientSession.java:733)
     at com.sap.tc.webdynpro.clientserver.session.ClientSession.doApplicationProcessing(ClientSession.java:668)
     at com.sap.tc.webdynpro.clientserver.session.ClientSession.doProcessing(ClientSession.java:250)
     at com.sap.tc.webdynpro.clientserver.session.RequestManager.doProcessing(RequestManager.java:149)
     at com.sap.tc.webdynpro.clientserver.session.core.ApplicationHandle.doProcessing(ApplicationHandle.java:73)
     at com.sap.tc.webdynpro.portal.pb.impl.AbstractApplicationProxy.sendDataAndProcessActionInternal(AbstractApplicationProxy.java:860)
     at com.sap.tc.webdynpro.portal.pb.impl.AbstractApplicationProxy.create(AbstractApplicationProxy.java:220)
     at com.sap.portal.pb.PageBuilder.updateApplications(PageBuilder.java:1288)
     at com.sap.portal.pb.PageBuilder.SendDataAndProcessAction(PageBuilder.java:326)
     at com.sap.portal.pb.PageBuilder$1.doPhase(PageBuilder.java:868)

"Low-level" authorizations for accessing BW reports

May I please have your attention for the following:
Each employee is represented by a costcenter in our R/3, and thus, BW-system.
Plan is as follows: by filling in the costcenter on the selection-screen of a BW-webreport on can see his/her own financial data for a certain (posting)period.
Is there a way to restrict access without creating separate users/roles/profiles for each costcenter??(we have a lot of potential users who only need to see the report but do not need access to BW itself (RSA1 etc)).
I'm thinking about some sort of mapping:
e.g. user SANTA logs on -> ABAP-program/function maps it to correct costcenter e.g. 1234 -> user is only authorized for this costcenter...
But is this possible and where to implement it??
Thanx a lot in advance for your hints!!!
Best regards,
Marco

Thanks al lot for your replies.
Corwin, I tried your solution and I've almost got it working....
1. made a table in DDIC to link username to costcenter
2. set up a reporting auth. via RSSM
3. created a variable (ZCOSTC) type 'Authorization' in the query designer
4. wrote some code in the user-exit (via SMOD) to fill this variable (translate username to costcenter via mentioned table)
5. created a role incl. authorization with reference to variable: value '$ZCOSTC'
This reference is not working unfortunately enough.
Everything works fine when I replace $ZCOSTC by an existing costcenter.
Am I forgetting something??
Thanx again!
Best regards,
Marco

Second level value for batch

How can one assign 2nd level value fot Batches,below I elaborate the actual problem
Batch Class:Z_Bar which is assign to material
1st level value eg: Locator
                           Carbon
                           Grade
Each value have its own value say for Locator: the values are A,B,C
                                                       Carbon: the values are 4,4.5,5
                                                       Grade : the values are S1,S5,S7 etc
User want to see the the final value as a combination of three like: A4.5S7,or A5S1
I try by creating 1st level value as charactaristics but it is not working....Can any body help

Partha,
You can define a separate Characteristic, which should concatenate the values of characteristics Locator, Carbon and Grade. Since I dont have the access to system now, I cant explain in details, however go through this help material of SAP...it would clearly explain how it should be done...[Concatenation of Characteristic Values|http://help.sap.com/erp2005_ehp_04/helpdata/EN/92/58c683417011d189ec0000e81ddfac/frameset.htm]
Regards,
Prasobh

Second Level Authorization for ESS

Similar Messages

Maybe you are looking for