Value based authorization

Hi Experts,
I would like to know how does SAP authorize that the user can update/edit/view the particular business document (example: sales order, purchase requisition) depends on field value.
example1:
user A is not suppose to view purchase requisition of more than 10000$. But user B can view this PR.
example2:
user X cannot release SO 123123123 because of some values (it could be SO type, customer, no of items or total amount). But user Y can release this SO.
Basically how to restrict security access when information is dynamically changed.
Thanks,
Sukhbold

Hi,
as you know authorization check is always a question if user has authorization for particular object and values. Therefore you have to map values into sets. For example PO with total value less than 1000$ is set A and everything else is set B and then check if a user has authorization for set A or B. For example this is how PO release strategies work, To summarize it, an application needs to map values into discrete values and then authorization checks is performed for these new values.
If you want to implement something like this then I would suggest using BRF+ if you are on sufficient release level. This allows you to pass business rules definition back to business. You just need to agree on interface.
Cheers

Similar Messages

  • User based authorization to create Purchase Orders out of Purchase Req.?

    Hello,
    I have the following requiment for my client:
    User based authorization to create Purchase Orders out of Purchase Req.?
    I am told the same can be achieved using same standard menu path in IMG/Customizing.
    Please advise with the menu path and detials, Usefull answers will be rewarded.
    Thanks

    Using OMET Function Authorization, you can restrict users to create Purchase orders without Purchase Reqn.
    Using OMET trxn code Create one Function Authorixation Called pr and in General Parameters tab Select the Field Selection and in Possible reference Objects Tab Mark the With ref to Prs check box and save.
    Next, you've got to associate via SU01 
    Click Parameters, insert a new parameter id EFB to the authorization code. 
    Type in Parameters value you want e.g. XX 
    You have to assign the control for ALL the SAP buyers via thier SAP users id.
    Logoff and login again. Then try to create a Purchase Order without a reference.
    From Next time whenever you try to create with out referring PR it will not allow you to Save PO.
    Regards,
    Ashok

  • Value Based Status Profile

    Dear Gurus,
    I want to use status profile for setting the document status.
    I have scenario in which i need to use value based status.
    That means a user 1 should be able to set the status if the Net Value of the sales order has reached A amount
    If the Net Value is above A and upto B User 2 should be able to set the status. and so on.
    I am aware of the authorization key in the status profile, but do not know how to link it to a value.
    Your reply in this matter is highly appreciated.
    Thanks
    KS

    Not sure what kind of status you want but if you are looking for value based  credit release then it can be done through maintain authorization option in credit management section of basic functions.

  • Instance Based Authorization

    I am trying to find a way to access the instance of a Resource in an AuthorizationProvider
    in order to be able to determine if a specific user can access one instance of
    that resource.
    Example, my Resource is an EntityBean named: TestEntityBean, the code is as follow:
    public abstract class TestEntityBean implements EntityBean{
    // some defaul methods
    public java.lang.Long ejbCreate(Long key, String name) throws CreateException
    System.out.println("TestEntityBean.ejbCreate");
    setSecurityid(key);
    setSecurityname(name);
    return getSecurityid();
    public abstract Long getSecurityid();
    public abstract void setSecurityid(Long securityid);
    public abstract String getSecurityname();
    public abstract void setSecurityname(String securityname);
    public void ejbPostCreate(Long key, String name) throws CreateException {
    System.out.println("TestEntityBean.ejbPostCreate");
    I am using CMP, and my DB is ORACLE. When my authorization provider intercepts
    the request to getSecurityName() I can see:
    This defines my resource being used (aka my TestEntityBean and the method) but
    how can I find out what is the EntityBean content? i.e. for example how can I
    define what is the primary key of this object?
    If I am offline, would u have recommendations on how to implement an instance
    based authorization model? (ref to articles...?)
    Thank you

    This is what the AuthorizationProvider named MmlFileAuthorizationProviderImpl gives
    me:
    MmlFileAuthorizationProviderImpl.isAccessAllowed
    subject = Subject:
    Principal: user1
    Principal: myGroup
    Principal: developers
    Principal: mySecondGroup
    Private Credential: principals=[user1, myGroup, developers, mySecondGrou
    p]
    roles = Anonymous,writer_user,reader_user,creator_user
    resource = type=<ejb>, application=_appsdir_mml_ear, module=tests
    ecurity.jar, ejb=TestEntityEJB, method=getSecurityname, methodInterface=Local,
    s
    ignature={}
    direction = ONCE
    handler = weblogic.ejb20.internal.DummyContextHandler@1c32369
    MmlFileAuthorizationProviderImpl.isAccessAllowed
    subject = Subject:
    Principal: user1
    Principal: myGroup
    Principal: developers
    Principal: mySecondGroup
    Private Credential: principals=[user1, myGroup, developers, mySecondGrou
    p]
    roles = Anonymous,writer_user,reader_user,creator_user
    resource = type=<ejb>, application=_appsdir_mml_ear, module=tests
    ecurity.jar, ejb=TestEntityEJB, method=getSecurityname, methodInterface=Local,
    s
    ignature={}
    direction = ONCE
    handler = weblogic.ejb20.internal.EJBContextHandler@1372a7a
    Resource hashcode: -1318771256
    ID: 2145579658558124
    Type: <ejb>
    Keys[0]: application
    Keys[1]: module
    Keys[2]: ejb
    Keys[3]: method
    Keys[4]: methodInterface
    Keys[5]: signature
    Values[0]: appsdirmml_ear
    Values[1]: testsecurity.jar
    Values[2]: TestEntityEJB
    Values[3]: getSecurityname
    Values[4]: Local
    Values[5]: {}
    Looking for policy for resource(type=<ejb>, application=_appsdir_mml_ear, module
    =testsecurity.jar, ejb=TestEntityEJB, method=getSecurityname, methodInterface=Lo
    cal, signature={})
    I get all the information about the resource ... i.e. which entitybean object
    is being used, but I can not have access to nay of the bean onformation, and this
    is what I need to enable Instance base Authorization for this bean.
    Basically how else can I say:
    User Paul can do anyhting with this TestEntityBean being object "123" ?
    User Jonh can only read the TestEntityBean "123" but can access and write in all
    other bean TestEntityBean ?
    Am i making sense? Can anyon help?
    "Seyvet" <[email protected]> wrote:
    >
    I am trying to find a way to access the instance of a Resource in an
    AuthorizationProvider
    in order to be able to determine if a specific user can access one instance
    of
    that resource.
    Example, my Resource is an EntityBean named: TestEntityBean, the code
    is as follow:
    public abstract class TestEntityBean implements EntityBean{
    // some defaul methods
    public java.lang.Long ejbCreate(Long key, String name) throws CreateException
    System.out.println("TestEntityBean.ejbCreate");
    setSecurityid(key);
    setSecurityname(name);
    return getSecurityid();
    public abstract Long getSecurityid();
    public abstract void setSecurityid(Long securityid);
    public abstract String getSecurityname();
    public abstract void setSecurityname(String securityname);
    public void ejbPostCreate(Long key, String name) throws CreateException
    System.out.println("TestEntityBean.ejbPostCreate");
    I am using CMP, and my DB is ORACLE. When my authorization provider
    intercepts
    the request to getSecurityName() I can see:
    This defines my resource being used (aka my TestEntityBean and the method)
    but
    how can I find out what is the EntityBean content? i.e. for example how
    can I
    define what is the primary key of this object?
    If I am offline, would u have recommendations on how to implement an
    instance
    based authorization model? (ref to articles...?)
    Thank you

  • Value based on the periodic unit price (only with pr.ctrl S)

    Dear all,
    There is this field in mateial master called "Value based on the periodic unit price (only with pr.ctrl S)" in accounting view 1,
    1 - May I know what is this field about (in between our company using material ledger).
    2 - May I know why the value of this field are different between our company period 6 and period 7 for this year? what contribute to it? and is it something wrong with different value between two different period or absolutely normal?
    Thanks.
    Tuff

    Dear all,
    Does anyone know my question?
    Thanks,
    tuff

  • Value based on the periodic unit price(only with pr.ctrl S) field in MatMas

    Dear all,
    There is this field in mateial master called "Value based on the periodic unit price (only with pr.ctrl S)" in accounting view 1,
    1 - May I know what is this field about (in between our company using material ledger).
    2 - May I know why the value of this field are different between our company period 6 and period 7 for this year? what contribute to it? and is it something wrong with different value between two different period or absolutely normal?
    Thanks.
    Tuff

    Hi Tuffy,
    For your 1st query:
    PUP field in Accounting 1 (if ML is active, Price Determination indicator=3) is the result of Actual Costing Run (CKMLCP) closing entry.
    For your 2nd query:
    In most of the cases the values will be different in Previous Period and Current Period. e.g.Period 6 values are the results of Actual Costing Run (CKMLCP) in 1st week of Period 6 for Previous Period (i.e. Period 5). Period 7 values are the results of Actual Costing Run (CKMLCP) in 1st week of Period 7 for Previous Period (i.e. Period 6).
    The reason for the different values: Price differences, Exchange rate differences, Price/Exchange rate differences from Low lower materials, etc.
    Thanks & Regards,
    ADI

  • Value based on the periodic unit price (only with pr.ctrl S) field in mat.

    Dear all,
    There is this field in mateial master called "Value based on the periodic unit price (only with pr.ctrl S)" in accounting view 1,
    1 - May I know what is this field about (in between our company using material ledger).
    2 - May I know why the value of this field are different between our company period 6 and period 7 for this year? what contribute to it? and is it something wrong with different value between two different period or absolutely normal?
    Thanks.
    Tuff

    Hi Tuffy,
    For your 1st query:
    PUP field in Accounting 1 (if ML is active, Price Determination indicator=3) is the result of Actual Costing Run (CKMLCP) closing entry.
    For your 2nd query:
    In most of the cases the values will be different in Previous Period and Current Period. e.g.Period 6 values are the results of Actual Costing Run (CKMLCP) in 1st week of Period 6 for Previous Period (i.e. Period 5). Period 7 values are the results of Actual Costing Run (CKMLCP) in 1st week of Period 7 for Previous Period (i.e. Period 6).
    The reason for the different values: Price differences, Exchange rate differences, Price/Exchange rate differences from Low lower materials, etc.
    Thanks & Regards,
    ADI

  • Preaggregation across value based hierarchy dimension in 11g

    Hi All,
    I have created a cube with 6 dimensions in olap 11g. One of those six dimensions has only one hierarchy which is value based hierarchy. I have chosen level based aggregation as I know at what levels exactly users are going to query. When I was going through the dimensions to choose levels to preaggregate I noticed there were no options available for my value based hierarchy dimension ( I could see "all" option for the same case in 10g) then I tried to look for definitions of underlying objects just to make sure it will preaggregate data across my value based hierarchy dimension.
    I found value set corresponding to my value based hierarchy dimension in <CUBE NAME>SOLVEAGGMAP object , which AWM uses to decide which dimension values to preaggregate but if I do rpr on that value set (rp r<CUBE NAME>SOLVE<DIMENSION NAME>_PVSET) it shows NA so my question is can I pre aggregate across value based hierarchy dimension in olap 11g?
    Olap Version: 11.2.0.1
    AWM version: 11.2.0.1
    Thanks

    Even if you know exactly which levels your users will query, percent based precompute (e.g. 30%) may still be faster in practice because queries are returned using 'sparse looping' instead of 'dense looping'. This was the single biggest performance advantage of 11g over 10g.
    But if you still want to use level based precompute, then you should look at the XML template for the cube (as saved by AWM, for example). In it you should find something called PrecomputeCondition. This defines the set of members that are precomputed. Here is an example I just created using the GLOBAL schema
    <PrecomputeCondition>
    <![CDATA[
      "TIME" LEVELS ("TIME"."MONTH", "TIME".CALENDAR_QUARTER, "TIME".CALENDAR_YEAR),
      CHANNEL LEVELS (CHANNEL.TOTAL_CHANNEL, CHANNEL.CHANNEL),
      CUSTOMER LEVELS (CUSTOMER.MARKET_SEGMENT, CUSTOMER.REGION, CUSTOMER.SHIP_TO),
      PRODUCT LEVELS (PRODUCT.CLASS, PRODUCT.FAMILY, PRODUCT.ITEM)]]>
    </PrecomputeCondition>The PrecomputeCondition is also visible through the USER_CUBES view.
    SELECT PRECOMPUTE_CONDITION
    FROM USER_CUBES
    WHERE CUBE_NAME = 'MY_CUBE';You can hand modify this condition in the XML to specify an alternative 'non level based' precompute condition for any dimension. For example, if you define an attribute named 'SHOULD_PRECOMPUTE' on your PRODUCT dimension that is 1 for members to be precomputed and 0 for all others, then you can change the condition as follows.
    <PrecomputeCondition>
    <![CDATA[
      "TIME" LEVELS ("TIME"."MONTH", "TIME".CALENDAR_QUARTER, "TIME".CALENDAR_YEAR),
      CHANNEL LEVELS (CHANNEL.TOTAL_CHANNEL, CHANNEL.CHANNEL),
      CUSTOMER LEVELS (CUSTOMER.MARKET_SEGMENT, CUSTOMER.REGION, CUSTOMER.SHIP_TO),
      PRODUCT WHERE PRODUCT.SHOULD_PRECOMPUTE = 1]]>
    </PrecomputeCondition>If you recreate the cube from the XML with this condition, then the PVSET valueset you discovered should contain all dimension members for which the attribute value is 1.   This gives you complete control over what is precomputed.   Note that AWM doesn't support this form of condition, so it won't show up if you go to the Precompute tab, but it is valid for the server.  The PL/SQL below will modify the PrecomputeCondition (for the cube named MYCUBE) without going through AWM.
    begin
      dbms_cube.import_xml(q'!
    <Metadata
      Version="1.3"
      MinimumDatabaseVersion="11.2.0.2">
      <Cube Name="MY_CUBE">
        <Organization>
          <AWCubeOrganization>
            <PrecomputeCondition>
              <![CDATA[
               "TIME" LEVELS ("TIME"."MONTH","TIME".CALENDAR_QUARTER, "TIME".CALENDAR_YEAR),
               CHANNEL LEVELS (CHANNEL.TOTAL_CHANNEL,CHANNEL.CHANNEL),
               CUSTOMER LEVELS (CUSTOMER.MARKET_SEGMENT,CUSTOMER.REGION,CUSTOMER.SHIP_TO),
               PRODUCT WHERE PRODUCT.SHOULD_PRECOMPUTE = 1]]>
            </PrecomputeCondition>
          </AWCubeOrganization>
        </Organization>
      </Cube>
    </Metadata>
    end;
    /

  • Value based hierarchy 11g question

    Hi,
    in my BMM i've created a level based hierarchy composed of two levels: TOTAL and Audiologist
    Total level is setted as Grand Total level and doesn't have logical columns.
    At audiologist level insted i drag and drop two logical columns: Audiologist Code and Audiologist Name
    Then i created two keys.
    First Key: Audiologist Code - Use to display: None
    Second Key: Audiologist Code and Audiologist Name - Use to display : YES
    Graphically my hierarchy is as follow:
    Total-----
    Audiologist
    Audiologist Code
    Audiologist Name
    Now i would like that if i drill down Total appear simultaneously two columns: Audiologist Code and Audiologist Name.
    Is it possible? I remember that in 10 it was.
    It's quite urgent.
    Thanks

    Based on my experience of OWB10gR2 the option to create a "Value Based" hierarchy is only enabled if you create an AW based OLAP model. If you want to create a ROLAP model then I do not think this is possible.
    Question is why create a ROLAP model when you could get better performance and more powerful analytical features by using a multidimensional model within an analytic workspace.
    Keith

  • How to get ATINN value based on material number and Class Type ?

    I have below SELECT stmt code which gives the correct value of atwrt based on materil no and ATINN.
    However in quality system, it is failing because in quality system "atinn" value is not 0000000381. It is different.
    So how can I get ATINN(Internal characteristic) value based on material number and Class Type?
    -Obtain the batch characterstic value for the Material******************
      SELECT atwrt
        UP TO 1 ROWS
        INTO v_charvalue
        FROM ausp
       WHERE objek = mcha-matnr
         AND atinn = '0000000381'   " 'US80_FRENCH_ON_LABEL'
         AND klart = '001'.
    THANKS N ADVANCE.

    Hi SAm,
    use the Below function module to get the Atinn for Atwrt for thr Class and MAterial combination..
    CALL FUNCTION 'CLAF_CLASSIFICATION_OF_OBJECTS'
          EXPORTING
            classtype          = '023'       "Class type
            object             = w_object  "Material number with Leading zeros
            no_value_descript  = 'X'      "Default X
            objecttable        = 'MCH1'    "Table name Mara or MCH1 or MARC
          TABLES
            t_class            = t_class   "It return the Batch class available for the above combination
            t_objectdata       = t_char  "Return Batch characteristics(ATWRT) and their value ATINN in this table
          EXCEPTIONS
            no_classification  = 1
            no_classtypes      = 2
            invalid_class_type = 3
            OTHERS             = 4.
    Regards,
    Prabhudas

  • Problem in populating lookup values based on the lookup query from database

    HI all
    I have problem of population look-up values based on look-up query
    I am giving the details what i am trying
    I need to populate the values from the UD_LDAP_USR table into the field of UD_USRGRPC_NisNetTriple of type lookup
    i planned to set the properties of lookup as like this
    look up query as select UD_LDAP_USR_COMMON_NAME as NisNetTriple from UD_LDAP_USR
    ColumnNames as UD_LDAP_USR_COMMON_NAME
    Column captions as UD_LDAP_USR_COMMON_NAME
    Column width as 30
    Lookup Column Name as UD_LDAP_USR_COMMON_NAME
    But when i try to add ColumnName as wht i mentioned above i m getting invalid property exception,update failed
    I am not sure about that are we able to use other Connector table prefix with UD into the another processFrom
    Let me give update on this issue
    Urgent,struck my work here
    thanks
    Nagaraj

    Thanks for the reply raghav
    I tried but it was not working
    I gave like what u specified but no use
    It is throwing exception like set look-up query for the field
    Any one help me out on this issue
    Edited by: Nagaraju Chowdary on Jan 21, 2013 3:41 AM
    Edited by: Nagaraju Chowdary on Jan 21, 2013 3:42 AM

  • Parent-child hierarchy (Value based hierarchy)

    As anyone created a parent-child hierarchy using Oracle Warehouse Builder or Analytic Workspace Manager. I am using Oracle 10g Rel2 (and AWM) and OWB 10g Rel2.
    The values in the dimension table defines the hierarchy.
    I don't see an option of creating a value-based hierarchy in OWB though it is mentioned that it supports this particular hierarchy.
    In AWM, I am able to create the hierarchy but when I try to view the data in the dimension it gives an error BIB-9531 Invalid hierarchy specified.
    Can you please let me know if I am missing something.
    Thanks a lot in advance!
    Regards,
    Maruthi

    I've done some work with this, and it hasn't been easy going. There is no built-in ability to form a hierarchy of measure columns, at least nothing that can be predefined as the drill for a fact column. For example: I have 220 details of expense that have an exact arrangement with 5 levels and subtotals. Besides the expense detail there are say 4 dimensions, so the expense detail would be the 5th dimension. I have both arrangements in my rpd: 4D and 5D. They can be used together or separately. The 4D basically has 1000's of measures and there is no relationship between them besides the display arrangement in Answers. The 5D has a 5 column dimension that can drill the expense column from Total_Expense down to the 220 rows of detail expense.

  • Value based hierarchy (parent-child)

    Does anybody have any experience in modeling a parent-child dimension ( value based hierarchy instead of level based ) in OBIEE?
    Swapan.

    I've done some work with this, and it hasn't been easy going. There is no built-in ability to form a hierarchy of measure columns, at least nothing that can be predefined as the drill for a fact column. For example: I have 220 details of expense that have an exact arrangement with 5 levels and subtotals. Besides the expense detail there are say 4 dimensions, so the expense detail would be the 5th dimension. I have both arrangements in my rpd: 4D and 5D. They can be used together or separately. The 4D basically has 1000's of measures and there is no relationship between them besides the display arrangement in Answers. The 5D has a 5 column dimension that can drill the expense column from Total_Expense down to the 220 rows of detail expense.

  • Value based Hierarchies

    Hello,
    Has anyone created a parent-child hierarchy using Oracle Warehouse Builder or Analytic Workspace Manager. I am using Oracle 10g Rel2 (and AWM) and OWB 10g Rel2.
    The values in the dimension table defines the hierarchy.
    I don't see an option of creating a value-based hierarchy in OWB though it is mentioned that it supports this particular hierarchy.
    In AWM, I am able to create the hierarchy but when I try to view the data in the dimension it gives an error BIB-9531 Invalid hierarchy specified.
    Can you please let me know if I am missing something.
    Thanks a lot in advance!
    Regards,
    Maruthi

    To create a value based hierarchy:
    define the storage as MOLAP, as a minimum create 2 attributes one for the dimension member (define as business in Identifier column), one for the parent member referenece (define as parent in Identifier column), the hierarchy will have no levels. If you add this dimension into a map, you should have a mapping port for both the dimension member and the parent reference. The dimension will use 'Use natural keys from data source'.
    There is an expert for simplifying some of this, not sure on when it will be made available on OTN, it drives the creation of the dimensional objects from tables/views etc..

  • Set default value based on current day value and setItems in Design studio

    Hello
    I have 2 filters on my dashboard - year and month. The default display of the dashboard should populate current year data. Is it possible to create formula to populate dynamic default value based on the current date using setSelectedValue() ?
    Also, for the calendar month, the items are set as below
    DD_MONTH.setItems(DS_1.getMemberList("0CALMONTH",
    MemberPresentation.INTERNAL_KEY, MemberDisplay.TEXT, 12, "ALL");
    This displays month values as 01/2014, 02/2014 ... How can I change these value to display as January if mm = 01 and February if mm = 02 etc..
    Thanks
    Sirisha

    Hi Victor,
    I have tried using below statment to populate current year as the default selection value for the dropdown. Used it on Startup, but for some reason it loads all the data when the dashboard is opened the first time. Any ideas?
    DS_1.setFilter("0CALYEAR",[Convert.subString(APPLICATION.getInfo().dateNowInternalFormat, 4,6)]);
    Thanks
    Sirisha

Maybe you are looking for

  • How to create an editable table in webdynpro for ABAP? Help!

    Hi Experts,         I have a requirement where I have to create a webdynpro for ABAP table for new row/rows entry, delete row/rows and update row/rows data. This is something like table control in normal ABAP. how can I achieve this? Is there any suc

  • File crashes when doing a data merge

    Doing an NCR job and trying to number 1-1000. The file merges all the way to the end. I get no overset text prompt, go to close the file and it crashes everytime. I thought it might be a font error so I made the order form a PDF and the font for the

  • How can i get my youtube to work without it stopping in the middle of video's?

    Whenever I am viewing a video on youtube, it will stop playing at random points and if I click the play button it won't work. This doesn't happen 24/7 but I really want to get it sorted. I have tried re-booting but that doesn't seem to work. Please h

  • Change Unit of Measure for Non-stock item PR

    Good day! I have created a non-stock PR. After I saved it, the transaction was then converted to RFQ and then to PO. In PO, it was found out that the unit of measure was incorrect. We have reverse/cancelled both RFQ and PO but the unit of measure fie

  • Transforming xml data to cross tab in rtf template

    Hi everyone, Here is my requirement, I need the following output -------------------------------------------Date Territory-------District------Office---1/3/2011----1/10/2011---1/17/2011------Grand Total(Header row) Central ----------Chicago---Buffalo