Structure Authorization Issue

Similar Messages

• Structural Authorizations Issue

  Dear all,
  We are involved in a HCM OM project and we have an issue with the Structural Authorizations.
  We have more than one user who must acces to the same Organizational Unit. This is suppose to be easy because we assign this object code to an user profile (T77pr) 
  The problem is that, the users doesn't have to have acces to the same objects which belongs to this Org Unit. (Objects positions in example).
  I.E.
  User 1 acces Org Unit 1
  User 2 acces Org Unit 1
  User 1 create Positions in Org Unit 1
  User 2 create positions in Org Unit 1
  User 1 cannot acces to positions created by user 2.
  Any idea? how can we restrict this access?
  Thanks in advance,
  L.

  let me take a shot at this by drawing an analogy with a std sap scenario in hcm.
  my-scenario-1:
  1. position to position relationship is maintained for the sake of line managers A/B-002 relationship to be specific & in the absence of chiefs because in an org unit there are 3 line managers with 10 people reporting to each of them
  2. this means
  manager-1 has 10 people reporting to him/her
  manager 2 - has 10 other people
  manager-3 has 10 other people.
  3. the above means manager-1 cannot view people reporting to manager-2 and 3 respectively,.. and extrapolates this to each manager.
  4. how do you handle this via str.auths in sap std?
  now compare the above to your scenario:
  1. I would create a z-relationship for each user and restrict access based on that using a functional module in the structural profile.
  worth a shot .....not very complex if you ask me :-0
  cheers

• SAP BI 7.0 Transport issue with HR Structural Authorization DSO

  Hi,
  I am trying to transport HR Structural Authorization DSO Objects in  BI 7.0  from Dev to QA system. The Data sources are 0PA_DS02 and 0PA_DS03. ( I am sure that there are lots of changes in Authrorization concept in BI 7.0),.
  1. Please suggest me if I need to make any changes and tests before moving these authorization objects to QA system.
  2. Also, do I need to take any pre-cautions while activating business content objects 0TCTAUTH  and 0TCTAUTH_T (Datasources look like are from 3.x) as I am getting issue with the activation of the transfer structure for these objects?
  Thanks a lot for your valuable inputs.
  Regards
  Paramesh
  Edited by: paramesh kumar on May 5, 2009 12:45 AM

  Hi Paramesh.
  You can use the DSOs 0PA_DS02 and 0PA_DS03 in BI7.0 as well. You just need to use the new generation of analysis authorizations in transaction RSECADMIN.
  You can use 0TCTAUTH and 0TCTAUTH_T in BI7.0, however we have experienced som problems with the 0TCTAUTH_T extractor, which dumped because of a poorly designed SELECT statement that was unable to cope with 10000 records. We have replaced it with a generic data source that uses table RSECTEXT directly.
  Regards,
  Lars

• Secured WebDAV Mounted Volume Authorization Issues

  I use a secure WebDAV mounted volume from myDisk.se and up until the latest Security Update have had zero issues being able to manipulate files and folders as I would on a normal volume. However, since the installation of the Security Update (2009-004 (PowerPC) 1.0) I find weird things happening with this mounted volume:
  1) I am able to mount the secured WebDAV share using my security credentials.
  2) I can create a default "untitled" folder but when I try to change its name, the WebDAV authorization dialog pops up and despite entering the same credentials (why, I am not sure as the volume has already been properly credentialed in order to be mounted), access is denied.
  3) Trying to create a file within a folder on the mounted WebDAV volume I previously created pre-update causes the same authorization issue.
  I have no other WebDAV shares I can try to mount from any other companies so I am not sure if this is a myDisk issue or one borne from the Security Update. I am not a .Mac/MobileMe user and that info is not filled out in System Preferences. The internal hard drive has been meticulously maintained with Disk and Permissions repair being run both before and after each and every software update installed. Likewise, the volume's structure is also checked both before and after and shows no need for repairs.
  Any ideas? Perhaps there is a corrupted file somewhere that's affecting the authorizations needed by this third-party WebDAV volume?
  The machine that has this problem is the last model iBook G4/1.33GHz 12" display, 1.5GB RAM, and a 100GB 5400rpm HD which replaced the stock OEM 40GB 4200rpm drive about one year ago.
  I'm not willing to do an Archive and Install at this point as the loss of the WebDAV access to my online volume is not critical. Inconvenient as heck but not to the point where I'm willing (or able) stop my normal work to spend the hours it will take to get WebDAV access back.
  Thanks in advance for any insights.

  same problem here with webdav, I can't mount my idisk from university network on Mac Pro 10.5.3 (although it mounts fine from home network on both ibook and PMG5 10.5.3). Everything was fine with 10.5.2 and I already re-installed 10.5.3 combo. Other bugs as well with .Mac prefs (keeps crashing, sometimes it shows the available space on idisk but still no mounting, with error -35 or -8086), but .Mac sync is OK
  Jun 11 12:34:21 webdavfs_agent[579]: mounting as authenticated user
  Jun 11 12:34:22 kernel[0]: webdav server: http://idisk.mac.com/[username]/: connection is dead
  Jun 11 12:34:22 KernelEventAgent[75]: tid 00000000 received VQ_DEAD event (32)
  Jun 11 12:34:22 kernel[0]: webdav_sendmsg: sock_connect() = 61
  Jun 11 12:34:22 KernelEventAgent[75]: tid 00000000 type 'webdav', mounted on '/Volumes/[username]', from 'http://idisk.mac.com/[username]/', dead
  Jun 11 12:34:22 kernel[0]: webdav_sendmsg: sock_connect() = 61
  Jun 11 12:34:22 KernelEventAgent[75]: tid 00000000 found 1 filesystem(s) with problem(s)
  Jun 11 12:34:22 kernel[0]: webdav_sendmsg: sock_connect() = 61
  Jun 11 12:34:52: --- last message repeated 1 time ---

• Structural authorization - creation of employee number in webdynpro or abap

  Hello Experts,
  We are facing some problems with the combination of structural authorizations and the creation of a new employee.
  When we use PA40 to create a new employee this does not give any problem.
  In the webdynpro we first execute a call transaction PA40 to apply infotype 0000 and 0001. This works well.
  Except that the call transaction does not set the connection between PA and OM. (so we did program this ourselves)
  In PO13 and the table HRP1001 the same relations are made as when we use PA40 in the sap gui.
  After this we do call transactions PA30 for the next infotypes.
  When we check the SU53 it gives a message: problems with structural authorizations object P (with the employeenumber) starting at 01.01.1800, enddate is empty.
  The employee is manager and connected with his userid in infotype 0105.
  We use in the structural profile the function module  RH_GET_MANAGER_ASSIGNMENT
  We checked with transaction HRHAUTH.
  User has been adjusted to the tables T77UA etc.
  We do not use workflow in this webdynpro
  We used the trace function when this was executed, but it did not give more information about missing structural authorizations.
  This issue was before on SDN (Structural authorization - creation of employee number) but unfortunally there was no solution there for the issue!
  Hope one of you can help me to find the solution!
  With kind regards,
  Rita Mensink

  Hi.
  After 2½ days of frustration I finally nailed this.
  Function group RHAC, that handles the authority checks, initially buffers a table called VIEW containing all objects available for the user. As stated earlier in this conversation, SAP handles creation of relations in HRP1001 (links PA and OM). At this point the new employee number is appended to buffered table VIEW in function group RHAC.
  When execution the PA40 activity through CALL TRANSACTION, the creation of the relations are not handled - and the same goes for updating the buffered table VIEW. The table can be updated using the function module RH_VIEW_ENTRY_INSERT from the same fundtion group:
  This example might be useful
    data: ls_view_entry type hrview,
          ls_related_object type hrobject.
    ls_view_entry-plvar = '01'.
    ls_view_entry-otype = 'P'.
    ls_view_entry-objid = lv_pernr.
    ls_view_entry-begda = '18000101'.
    ls_view_entry-endda = '99991231'.
    ls_view_entry-maint = 'X'.
    ls_related_object-plvar = '01'.
    ls_related_object-otype = 'S'.
    ls_related_object-objid = lv_ny_objid.
    call function 'RH_VIEW_ENTRY_INSERT'
      exporting
        view_entry     = ls_view_entry
        related_object = ls_related_object.
  Best regards
  Poul Steen Hansen
  Senior Technical Consultant
  EDB Consulting Group A/S, Denmark

• R/3 reports related to structural authorization

  Can anyone advise which standard reports/transcation codes in R/3 relate to structural authorization? are some better than others? I am interested in viewing allowable objects etc,.
  Thank you,
  Meghan

  Hi Jim,
  As you have mentioned you have worked a lot on structural authorizations,
  I would request you to kindly help us on the below mentioned scenerio..
  Issue : (Scenario)
  C directly reports to B, and B Reports to A.
  In the above scenario we have logged as B and did the compensation planning for C. A is the approver for the C’s compensation planning.
  As C is HOD for HR Org unit. He will submit compensation plans of his subordinates to B for approval. That means B has to have approval authorization for C’s subordinates and he should not have approval authorization for his direct reporting employees.
  In our scenario, B is able to perform the compensation planning as well as able to approve the same for his direct reporting employees. This shouldn’t happen in our process.
  How can achieve this, Please advice
  Regards
  Raghav

• HR-Structural Authorization-AUTSW ORGPD switch

  Hi All,
  We are facing an issue with our structural authorization.
  Our HR user are unable to view details of the employee who is been terminated in PA20.
  Background:
  1)The user is terminated on 10/2009
  2)when the user was terminated he was assigned to the org unit 10.
  3)Later the org unit 10 also got inactive.like it is not in the org structure anymore this is from 02/2010.
  4)From 02/2010 on HR users are unable to view the employee details (who is terminated and belongs to an inactive org structure) in PA20
  Analysis:
  1) When we see in the OOSB Information the HR user is not having authorization to view this org unit from the time it is moved out of org structure.I.e 02/2010.The endda is showing 02/2010 against the org unit in structural access of the Hr user.
  2)Other observation is that after HR users give PA20 we have taken su53 and it shows taht P_ORGINCON missing authorization for D,infotype 0000,subtype termination.
  3)we have done testing in Dev by changing AUTSW-ORGPD switch to 3 still no use.
  4)We did AUTSW-DFCON to 3 as we ahve context authorization also it also did not work.With DFCON 4 it is working but HR users are able to view not only their counry employee but also other country employees org assignmnet in PA20 which not acceptable.
  Requirement:
  HR users should be able to view terminated employees with org assignment(IT 0001)  but that org unit is not in validity date(i.e A 002 for org unit is delimited) .
  Any suggestions or ideas to handle the terminated employees in the delimited orgunit will be of great help...
  Regards,
  Vani.

  Hi,
  We are using DFCON = 4 and it is working for us. Try this way. If the user terminate then fill the Org Key in IT0001 with some Value YYY and then use this value in P_ORGINCON Filed Value VDSK1 = YYY and also PA restriction.
  Or Write a FM to get the terminate pernr to users structure and use the Context it may work.

• Training Structural Authorization vs MSS/ESS

  Good day all.
  We're maintaining structural authorization for Training module. The requirement is to be able local company maintain theirown training and regional training can maintain the regional training.
  In OOSP we're maintaining object type L only. For the same object id we're using two evaluation path SCMCATAL and L-D-E-§.
  Unfortunately when we assign certain SAP id (manager) to this structural authorization, this manager can't see his/her subordinate. It saying that "No authorization for reading data". When I remove this user from structural authorization this manager is able to see his/her subordinate.
  Is there any others requirements from HR or additional (BASIS) authorization to rectify this issue?

  Hi
  We are maintaining structural authorization in E-learning. Thre is two departement 1 and 2 . Now for few courses are for dep-1 and few are only for dep-2 .
  This structural authorization is already maintained in ESS now we migrated all the data in e-leraning now my problem is how i can use this structural authorization for E-learning as objects are same just Transaction codes and one Appraisal object is differnt.
  Thanks
  Waiting for reply.
  Nutan

• Planning Stucture authorization issue in SCM

  Hello Experts,
  Need your help.
  In our SCM7.0 system, we have implemented FM: /SAPAPO/MCP_PERMISSION_CHECK2 for authorization check to Planning Structure Infocube. That is working fine.
  Now Users are facing authorization issue in Prodcution when they executed transaction /n/SAPAPO/SDP94 with below message.
  Error message: You do not have authorization for all the characteristic values selected Message no. AUTHORITY041
  Analysis authorization trace message: " Message EYE001:    You do not have sufficient authorization for InfoProvider ZDM_PLN1 with activity 03.
  We have assigned customized analysis authorization and that is maintained with InfoProvider  "0TCAIPROV" as " * ".
  Earlier this was working fine in production but now users are getting authorization issue. When we tested in other systems, it is working fine.
  I appreciate your help in this issue.
  Regards
  Ravi
  Edited by: Ravi K on Jul 5, 2011 6:04 PM

  Ravi
  Verify the selections in the Production system v/s the test system. Are they exactly the same ? I can think of two possibilities -
  1. User is attempting to access a selection where he/ she does not have access to at least one of the CVC's filtered by the CVC.
  2. The selection definition should (but does not in your case) contain the characteristic on which the authorization is setup.
  Rishi Menon

• Appraiser Authorization Issue (Objective Settings and Appraisals)

  Hello!
  We are currently using Objective Settings and Appraisals for our
  performance appraisals. ESS and MSS is also used during the process. We
  do not use structural authorizations either.
  Authorizations work fine for the vast majority of employees. However, we have an issue with some of our Human Resources users. For his/her ID they have authorization to certain personnel areas. However, his/her appraiser is in a personnel area they do not have authorization for. As a result, the appraisal does not show up when the user access ESS to work on their appraisal.
  For example we have an HR user who has access to information in
  personnel area 1081. However, her appraiser/manager is actually in 2054. As
  a result when she accesses her appraisal it says no entries exist.
  One solution we tried was selecting the 'No Authorization Check for Appraiser' on the
  template. With this selected, the appraisal shows up with the personnel
  number of the appraiser on the listing. When the appraisal is accessed
  and the user tries to perform an action, the following error pops up stating the
  appraisee person is not allowed and it has the appraiser number within
  the error message.
  Currently, we have the HR employee using a different ID for ESS that allows the
  user to access the appraisal. Is there anything standard that will
  allow the user to view the appraisal without using a different ID?

  Bump

• Structural Authorizations with Training & Event Management

  We have implemented TEM in R/3 4.72.  We also use structural authorizations with our decentralized HR functions.  Our problem is that if a user has one of the profiles assigned, they can get all the way to booking the class and then receive an error that they have no authorization to edit attendances.  If the user has NO profile, they are able to book a class with no problems.  If I add the P-E evaluation path in the profile, it fixes the problem with booking a class, but then gives the users global access (which is what we are trying to avoid).  I know there must be a key somewhere to making this work.  If anyone knows what it is, I would appreciate finding out.
  In the profile, I have given access to objects D, E, F, G, L, R and P with the P-E and P-S-O evaluation paths (using RH_GET_MANAGER_ASSIGNMENT) function.
  Thanks.

  Hello Michelle,
  I think you could solve this issue by using Context Sensitive Authorizations. It is available from 4.7 and above.
  Regards,
  Ahmad

• Structural Authorization in e-recruiting

  Hello all
  We are implementing e-recruiting 603 ehp4 in standalone scenario. By customer requirements, the "recruiter" role was assigned to all manager therefore the standard service "Create requisition request" from MSS is not in use. So  structural authorization we need for the manager to create requisition for his position only.
  So, someone know how to perform this or tell me how to complete the table T77PR -the function module, evaluation path, object  type and so on-
  As always, thank you a lot
  Regards
  E. Ciotta

  Hello Emilio,
  Structural authorization in e-recuitng are a mess (although I have not found any official documentation which states "It won't work" and solution management says that there is no restriction sap support answers on customer request for that topic that it is not supported).
  Trouble with your requirement is when you restrict the structural authorizatuion on positions for the manager and anywhen run internal job market the manager could not access the position information on a publication if he wants to apply as internal candidate anywhere else in the company. Could get quite tricky to solve this (next to all other issues on this topic).
  If it is just about restricting the search I would exactly do this. Either per modification or by a customer development I'd restrict the search result by the structural information without actually switching on structural authorizations.
  For getting the positions you should be able by using an evaluation path for direct and indirect positions of a manager or if not available use employees under a manager. If it does not skip the positions they should be contained in the result. If not copy it and remove the skip flag (and S-P relation as it is not needed). Unfortunately I cannot say which evaluation paths are really standard as most systems I use are enhanced here.
  path should be like:
  NR    Obj.    A/B    Rel.    P    Rel. Obj.    (Descr. Info)
  10    P       B      008     *    S            (get position for employee)
  20    S       A      012     *    O            (get org.units the position is leading position)
  30    O       B      002     *    O            (get all other org.units under the org. unit assuming manager may see all levels)
  40    O       B      003     *    S            (get all "normal" related positions in org.units)  
  50    O       B      012     *    S            (get all leading org.units - could be more than in 10 as we have several org.unit levels)
  Best Regards
  Roman

• Structural Authorization views not displaying in EP

  We are using PD profiles to allow managers in an alternative org unit to approve time in MSS for employees not in their org unit. When you log onto the Enterprise Portal in the MSS Team Overview iview the manager cannot see the employees from the other org unit defined in the structural authorization. He can only see his own employees for his org unit. However, in transaction OOSB when you click the Display Objects button you see the positions and persons that should be visible
  to the manager.  We have assigned the profile through both PO13 to the position and OOSB directly to the user. We make sure to run RHPROFL0 after assignments
  of the profiles. HR has created a custom relationship Z99 and assigned to the positions for the alternate org unit.
  We had a scenario working in our sandbox at one time but we could not reproduce this in the development system.  Any tips would be greatly appreciated.

  Hi John,
  I know SAP_ALL doesn't matter but I wanted to rule out all possibilities of any standard authorization issue to isolate the PD profiles as the real issue. 
  To answer your question, the user can see his own org unit and subordinate employees in MSS.  The manager is a chief and manages his org unit.
  A colleague of mine mentioned that there may need to be some configuration established for the iViews in question so I put it to the HR functional team to confirm the correct customization is set up in the IMG for Integration with Other mySAP.com Components > Business Packages/Functional Packages > Manager Self-Service (mySAP ERP) > Object and Data Provider.  I'll report on the status of this as well when I hear back from them.  Thanks again.

• BI 7.0 Analysis Authorization issue: some reports displaying a blank page.

  Hi All,
  This is regarding BI 7.0 Analysis Authorization issue.
  Overview:
  we have restricted some queries at infoobject level.
  Issue:
  a. For some of the queries, we can see the selection screen but when we try to execute the query by clicking on the execute button (Queries WAD) we get a blank page, meaning nothing is displayed on the output (white/Blank screen).
  b. When we execute the same query through RSRT, we get a message which says "Disconnecting from BW server..".
  c. Let me explain further on this. Basically we are doing this in order to have limited access to Auditors at the client side. At the same time normal users should not get impacted due to this, hence we created two roles. One for normal users and other for Auditors.
  d.  Now the thing is that we execute the same report with normal user ID's the report executes properly and displays the output. it does not show the blank page.
  e. But when we execute the same report with Auditors ID then we get a blank page.
  Any idea why this is so?

  Hi Neha,
  I tried the below also,
  GL Acnt
  I EQ 0000134010
  I EQ :
  but still it didn't work.
  No Infoobject is missing in Authorization Object.
  For your point, "rsecadmin - > analysis -> execute as -> check for the desired user & analyze the log" it didnu2019t allow me to analyze, since as soon as click on execute button a pop-up comes up saying "Disconnecting from the BW server..."
  As mentioned earlier also it is giving me the below message,
  ""I>> Row: 103 Inc: AUTHORITY_02 Prog: CL_RSR_RRK0_AUTHORIZATION                                                                       RS_EXCEPTION        301CL_RSR_RRK0_AUTHORIZATION                         AUTHORITY_02"
  Kindly suggest, since this is a show-stopper for us!
  Thanks,
  Ishdeep Kohli.

• Variable screen/variant screen authorization issue

  HI All,
  We have implemented standard Cost Center Overview Report(0SR_C02_Q0002) in BI 7.
  We have three selection fields:
  1.Company Code which is mandatory
  2.My controlling Area which is also mandatory
  3.Costcenter which is not mandatory
  The requirement we are facing over here is that in the Variable screen/variant screen when I enter a company code, then I need to display dynamically only those "My Controlling Area" values which are assigned to that particular company code and not all. In the same way after selecting the appropriate "My controlling area" value, I need to display only those cost centers in the cost center selection field which are assigned to the selected company code and My controlling area combination and not all.
  can anyone guide me on how to go about on this authorization issue at the variable screen itself.
  Please treat this issue/requirement on high priority.
  Appreciated in advance.
  Regards,
  raps.

  Hi,
  I think that an alternative to solve your concern could be using Web Application Designer (WAD).  In this respect, there are several design options, with different levels of complexity.
  As the simplest alternative, you could create a WAD including your query and three Dropdown Boxes: one for Company, a second for Controlling area and another for Cost center.  The four mentioned elements should be linked to the same dataprovider so, when you select a company, the options in the other two Dropdown boxes and the information in the query are updated.
  In order to enforce mandatory filter selection at Company and Controlling area level, you should set NO_REMOVE_FILTER='X' in both two Dropdown boxes, so that "All values" option -which would mean no filtering- is not offered.
  I hope this helps you.
  Regards,
  Maximiliano