Variables in Authorizations
Hello Gurus,
I hope you can help me with a problem. We use BI7 and at the moment we have 3 authorisation relevent objects Sales Office, Cost Centre and Sold To. We load this data via spreadsheets for each user, some will have a * and some will have restrictions based on values (certain Sold To's or Sales Offices etc. However, we would like to introduce a new authorisation object called Ship To. There is a one to many relationship between Sold To and Ship To held in a table called ZCUST_SLS. So, instead of creating another spreadsheet for Ship To and loading this, I would like to explore using a variable to determine Ship To's from the Sold To using a customer exit variable in RSECADMIN.
I know that the variable will be of the format $<variable_name> and will be created in CMOD using enhancement RSR00001 for the necessary coding, but what I would like to know is how do I reference the Sold To for this user to be able to determine its relavent Ship To.
For example
User DJONES
Current Authorisations
Sales Office *
Sold To 1234567
Cost centre *
I would like to add a new Auth object called Ship To using a customer exit variable which uses abap code to look up the table ZCUST_SLS to determine the Sold To's,
many thanks
HI,
Authorizations with Variables
Definition
Instead of using a single value or interval, you can also use variables of type customer exit in authorizations. The customer exit is called for these variables while the authorization check is running. The call is carried out with I_STEP = 0. The intervals of characteristic values or hierarchies for which the user is authorized can be returned here. By doing this, the maintenance effort for authorizations and profiles may be considerably reduced.
Every cost center manager should only be allowed to evaluate data for his/her cost center. Within the SAP authorization standard, a role or a profile with the authorization for the InfoObject 0COSTCENTER equal to u2018XXXXu2019 (XXXX stands for the particular cost center) would have to be made for every cost center manager X. This has to be entered in the user master data for the cost center manager. In organizations where cost centers change on a regular basis, this involves significant administrative effort.
Using a variable reduces the authorization maintenance workload with the InfoObject 0COSTCENTER equal to u2018$VARCOSTu2019, as well as with the role or the profile, which is maintained for all cost center managers. The value of the variable u2018VARCOSTu2019 is then set for runtime during the authorization check by the CUSTOMER-EXIT u2018RSR00001u2019.
Maintaining the authorizations restricts the entries for the values to the length of the existing InfoObject. It is possible, however, to use both limits of the interval. In the example 0COSTCENTER with 4 spaces, the variable u2018VARCOSTu2019 is, therefore, entered as u2018$VARu2019 u2013 u2018COSTu2019.
Use
Exit variables can be entered beginning with $. If there is a variable value in both the lower and the upper limit, the two are combined as subnames of an overall variable in authorization processing. Intervals are not corrected automatically by the system if an error was found during the check. You get an error message and can analyze the error yourself.
There is a buffer for these variables. If this buffer is switched on, the customer exit is only called up once for a variable with the authorization check. In doing so, you avoid calling up the customer exit for variables over and over, as well as decreasing performance. If you want to call up the customer exit each time, you have to deactivate this buffer in the maintenance of analysis authorizations. To do this, in the main menu, choose Extras ® Buffering Variables ® Deactivate.
You can also call up the customer exit for authorizations for hierarchies.
Enter the variables of type hierarchy node into an authorization. To do this, in the hierarchy authorization maintenance, under Node, choose a variable with Select Exit Variable. The customer exit is then called up while the authorization check is running. In the return table E_T_RANGE, the technical name of one or more nodes is expected in the LOW fields. In the HIGH field, the InfoObject type of the node is expected.
Tarak
Similar Messages
-
Derivation from variable type authorization in exit
Hi Experts,
I have got a query with two variables "AUTH" type authorization and "DERI" which should be derivate from "AUTH".
"DERI" is type Exit.
my problem, in the exit "AUTH" is not in i_t_var_range. Where do I get the value of "AUTH" from, to use it in the exit logic?
Thanks for your help
PierreI Peter
I needed to make the same thing.
Did you found a solution?
Best regards
Joã -
Variable filled Authorizations
Business Requirement:
There are 50 sales organizations in a company. And BW team does not want me to create 51 roles ie 50 one for each one and one for all. They want me to create 1 role with variable and this variable should be filled in EXIT routine.
Procedure:
1. Authorization relevant
2. Created custom authorization using RSSM
3. Applied custom authorization to CUBE using RSSM
4. Created a role for custom authorization using PFCG
5. Created a Global variable processing type authorization using BEx
6. Dragged authorization variable in report.
It works if I put a value in a role directly (Fixed value)
But looking for a flexible and better solution
Avenues tried:
CMOD -> Project -> EXIT_SAPLRRS0_001 -> source code (Tab) -> INCLUDE ZXRSRU01 and coded.
Need to use I_STEP = 0. Yes I can use if it visits in the customer exit, but it is not visiting to customer exit.
I have changed processing type to customer exit and used I_STEP = 1 and 2, it visits the customer exit and applies the value then it fails with Authorization error.
Question: Is any one has done it, if so how? If not any thoughts?
If use processing type = customer exit then I do not need to create authorization object and role etc. Create a global variable on infoobject and fill that variable in customer exit.
Is there any other way?
Sam / RamanHi,
you did already
- Authorization relevant
- Created custom authorization using RSSM
- Applied custom authorization to CUBE using RSSM
Please try the following steps
1. Create in BEx a variable, e.g. "E", processing by
"Customer exit", not ready for input
2. Created a role for custom authorization using PFCG,
in the custom authorization use "$E" instead of a
fixed value.
3. Fill the variable in ZXRSRU01
when 'E'.
l_temp = ... "value corresponding to sy-uname
l_s_range-low = l_temp.
l_s_range-sign = 'I'.
l_s_range-opt = 'EQ'.
APPEND l_s_range TO e_t_range.
Best regards
LL -
Variables with Authorization as Processing type ...
Hi Gurus, I also wanted to see if we have any good example for this kind of variable?
I also have a question. If we have Authorizations on 0ORGUNIT and 0EMPLOYEE. The users will be able to see only what they are supposed to see. Now what is the use of a variable that is built on this chareacteristics with processing type "Authorization"? Since they already are restricted to see the data?Consider this example:
Every cost center manager should only be allowed to evaluate data for his/her cost center. Within the SAP authorization standard, a role or a profile with the authorization for the InfoObject 0COSTCENTER equal to XXXX (XXXX stands for the particular cost center) would have to be made for every cost center manager X. This has to be entered in the user master data for the cost center manager. In organizations where cost centers change on a regular basis, this involves significant administrative effort.
Using a variable reduces the authorization maintenance workload with the InfoObject 0COSTCENTER equal to $VARCOST, as well as with the role or the profile, which is maintained for all cost center managers. The value of the variable VARCOST is then set for runtime during the authorization check by the CUSTOMER-EXIT RSR00001.
Maintaining the authorizations restricts the entries for the values to the length of the existing InfoObject. It is possible, however, to use both limits of the interval. In the example 0COSTCENTER with 4 spaces, the variable VARCOST is, therefore, entered as $VAR COST.
refer:
http://help.sap.com/saphelp_nw04s/helpdata/en/91/a62c42fb6fdd2ce10000000a1550b0/frameset.htm for more details -
Dear Friends,
I can tell a bps variable value is authorization-derived.
How can I know straightaway what is the authorization / object tied to this so that I can check / set the authorization?
Please can you give me some hints.
regards
H.C<FONT FACE = "Tahoma", Font Color = "Blue">
Hi<br>
In BW 3.x, you can even go to t-code SU01, Enter User ID (whose authorizations have to checked) and press the Display button at top to see User Profile.<br>
In the next screen, you can navigate to different tabs like roles, profiles etc to get more details. If you double click on any role, system will display the specifics of that role.
<br><br>
Hope it helps.<br>
Cheers Abhijit</FONT><FONT FACE = "Verdana", Font Color = "Red">
Please assign Reward Points if I deserve them in your opinion
</FONT> -
Variable value to be populated based on user authorization
Hi all,
I want to have a variable with single value on plant.
when the user executes the report, value of the variable has to be populated automatically based on the authorization of the login user and it has to show the output without displaying the selection screen.
Kindly guide me of, what type of variable to create and to proceed.
Thanks.
IHi
Restriction Plant from user authorization can be achieved by the following steps
1. Plant infoobject should be authorization relevant.
2. make authorization object including plant and restrict to the plant u needed and assign the profile to the user
3. in BEX create variable of authorization type on plant. this variable will get the default values for the plant from the user authorization on the selection screen of the query.
4. if you dont want to display the variable on the selection screen then remove the chek box in variable that " variable is not ready for input"
thanks
radhika -
Webi Bypassing BEx Authorization Variable with SAP Exit
BEx query has Hierarchy Node Variable with Authorization as processing type. Its set as User Input ready
When the Webi report is refreshed, the LoVs appear as per the Authorization. However, if user doesn't select any value (pushes from right to left in variable screen) he gets NOT_AUTHORIZED error. Which is not intended, it should check the authorization in the background via SAP exit and populate the result. This is how it runs inBEx query.
However, in Webi it's giving NOT_AUTHORIZED error? This is how the product is designed to work or is it a bug.
I see several forum threads and SAP KBAs/notes but they are not answering my question. Could anyone please help.
I am ready to provide more details on this error.
Thanks,
TilakHi,
this is how authorization variable would work in any of the clients and not just Web Intelligence.
You created an authorization variable which is configured as "read for input", so the user is getting prompted.
So In Web Intelligence the LoV shows up.
if the user does not select a value, then you are not sending a value, so you basically asking for all data and you are not allowed to see all data and therefore you are getting the message "no authorization".
if you are making authorization variables as ready for input then the user needs to select the proper values - regardless of the BI tool.
if you want the authorization to be check in the background then the authorization variable should be configured to not have ready for input.
regards
Ingo Hilgefort -
Creation of variable in BEx from user authorization
Hi gurus,
i want to create a variable with user authorization in BEx. Can any one please tell me the steps to create the variable for authorization.
Thanks in advance
sandyHi,
You will get a better and quicker answer if you post this in the BI forums.
Eddy
PS.
Put yourself on the SDN world map (http://sdn.idizaai.be/sdn_world/sdn_world.html) and earn 25 points.
Spread the wor(l)d! -
Creating variable with the user Authorization in BEx
Hi gurus,
i want to create a variable with user authorization in BEx. Can any one please tell me the steps to create the variable for authorization.
Thanks in advance
sandyHi,
Please take a look and refer the section Use of Variable filled Authorizations(User Exit)
Advanced Features of SAP BW Reporting Authorizations
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/1b439590-0201-0010-ea8e-cba686f21f06
Hope this helps.
Cheers,
Gimmo -
Authorization Variable message
Guru assistance requested.
I am testing two separate "test user ID's" for authorization relevant objects.
Objects are Division / Sales Organization / Plant.
Test user 1 is functioning correctly.
Test user 2 is triggering a message when I logon to BEx and choose my query.
Message dialog box reads:
"!" Value if variable ZPLNT_XXXX is automatically converted.
I can not eleminate this message from occuring.
Test User 1 has authorization restrictions on "Divisions and Plants"
Test User 2 has authorization reswtrictions on "Sales Organizations and Plants"
I am not receiving any message with Test User 1 and connot explain the reason behind the above
information message.
Any ideas.
Authorization variables are identical for all three objects and both Test Users have authority to the
roles with each infoprovider.
Thanks....DanSachin,
I went into Query Designer again and looked at my variables:
All authority variables are identical in character definition:
General Tab: Type of Value = Characteristic Value
General Tab: Processing by Authorization
Detail Tab: Multiple Single Values
Detail Tabl: Variable is Optional ..... ready for input field is "blank"
This is my query filter:
Selection:
Filter on Variables 0DIVISION / 0CURTYPE / 0PLANT / 0SALESORG / 0FISCPER.
0CURTYPE is defined for B0 on the COPA InfoProvider.
All others are Selections are user elected variable options.
The Authorization variable is a restriction I placed on the "Default Value" of characteristic objects
0DIVISION / 0PLANT / 0SALESORG
(So as not to display the object).
As the user .... I logon to BW.
Navigate BEx Analyzer >> Open Query: Choose Query Name then "open"
At this point the dialog box appears -- below I select my filter options.
Dialog box reads:
There are messages:
Type" !" ..... Description: Value if variable ZPLNT_XXXX (my variable name) is automatically converted.
If the query is the issue .... I would think that this message would appear for both test users.
Not just User#2.
Also of note ... I have never seen this message below, but then, I am now just beginning to test
user "authority variables" over authorization relevant objects.
Ant other thoughts.
Thank you ..... Dan -
Authorization Variable not prefilling on RRI jump
Hi,
I have an Authorization Variable which prefills according to the users authorized values - this works fine in all instance EXCEPT when I jump from another query.
Has anyone seen this before?
Anybody know why?
What is the function which prefills the variable?
The jump goes to a web analyzer session. The session works fine if I just execute the jump query - but as soon as the url contains passed variables the authorization variable does not prefill.
eg. http://sldn1450dap:6777/sap/bw/BEx?SAP-LANGUAGE=EN&CMD=LDOC&INFOCUBE=H3FST_M_M&QUERY=QFCMM_AD0060_V2_JMP - works fine, variable prefills
http://sldn1450dap:6777/sap/bw/BEx?SAP-LANGUAGE=EN&CMD=LDOC&INFOCUBE=H3FST_M_M&QUERY=QFCMM_AD0060_V2_JMP&VAR_NAME=8BBS_ID&VAR_VALUE=43RUCKR22P5SIA2LJXEE2XJBN - variable does not prefill
Desperate to sort this one out. 2 days to release deadline and spending days on this.
Regards
NevilleHi Neville,
First query also has the same authorization variable?
if yes it should work.
Otherwise add the same object and variable in the first query also.
Regards,
Vijay. -
Analysis Authorization in BO 4.0 Webi report
Hi All,
I am using BO 4.0 and creating connection from Information Design tool to a BW query using BICS client. This connection is then published to CMC.
We are using SAP authentication and importing the roles from BW system. We have added profiles to this role and these profiles have Analysis Authorization set on Company Code. So one user can access data to one company code and vice versa. Now this works well in Bex Analyzer, but if I try to create a report in Webi, the analysis authorization fails. I went through the forum before posting this question and I found that is in 3.1 version and in most cases using SSO in universe connection solved the problem.
However in 4.0 I am using BICS client and followed the same processes to create a connection but for some reason it doesn't work ? Is this suppose to work differently in 4.0 ?
I have tried:
1. To create connection in Information Design tool using SSO, selecting user ID and password. It doesn't work.
2. Checked the Bex query and it already has Company code as a Characteristic restrictions (I have made it a mandatory variable).
3. Publish the connection to CMC with my Enterprise and SAP ID and in both cases it doesn't work.
Please let me know if anyone encountered a similar issue and what is the best method to resolve this.
(BO 4.0 no service pack or fix pack installed on the system yet)
Thanks - Appreciate your help !
Prasad RasamIngo,
1. To create connection in Information Design tool using SSO, selecting user ID and password. It doesn't work.
>> Correct you need to setup you OLAP Connection with SSO.
>>> What I meant was I created the connections using both the methods, Using SSO it allows me to create a connection. The ID which I am using to create a connection has Admin access to BOBJ system. When I login as a regular user to create a Webi report and select this new connection, it throws an error message 'The DSL Service returned an error: com.businessobjects.dsl.services.workspace.impl.QueryViewAnalyzer$CannotGetCubeFromConnectionException: Cannot get the cube from the connection'
Using the other method to create a connection with User ID and password, I can create a connection and with the normal user login I can connect to the BW query but Analysis Authorization doesn't work.
Ingo : Could you be more specific what you mean here with the different users ? When you say "regular" user are you referring to an SAP credentials or SAP BusinessObjects Enteprrise credentials ?
2. Checked the Bex query and it already has Company code as a Characteristic restrictions (I have made it a mandatory variable).
>> The variable in the BEx query needs to be an authorization variable.
>>> This has already been set as Authorization variable. There is still a question here. If I select the variable as Authorization variable, I cannot set the other parameters in the query properties such as Mandatory variable (as this is greyed out).
Ingo : What other parameters would you like to configure ? Could you perhaps describe the scenario with more details ?
regards
Ingo Hilgefort -
Hierarchy Authorization Aggregate (:)
There is a thread for this question in Bex discussion but this issue is not entirely belong to Bex so I am duplicating here also.
I have successfully set up the Cost Center Hierarchy Node variable using authorization in our BI environment. One last issue I am facing is following.
When the data appears for a user who has access to 4 out of 10 cost centers in a hierarchy node, the summarized node data is showing the totals for all the cost centers included in the node. User would like to see the subtotal of only the cost centers they have authorization for. Of course the reason aggregated values are displayed is due to the : authorization provided for Cost Center in AA object, what I am wondering is if there are any other alternatives of ":" to force the query aggregate only the values from Authorization Hierarchy Node variable. Although SAP note 727354 suggests the following
A colon authorization is not taken into account when you use a
variable of the type "Fill from authorization", since it is not known at the
time of the variable processing whether or not the affected characteristic is in
the drilldown.
I do have Authorization Hierarchy Node variable for Cost Centers in use but still the hierarchy node displays the summarized values for all the cost centers. I am hoping someone has run into this issue before me and there is a solution.
Any help will be highly appreciated.
Thanks!
-AslamFollowing is what I received from SAP, although disappointing but it is I what I thought too.
Suggestion is not to use hierarchy node variable and replace with single values.
Well the reason of choosing the hierarchy node variable was a business requirement. So I have delivered the news to business and now it will be up to them to go ahead with what comes from SAP by default (Total for all cost centers in the node regardless of user authorization) with the usage of hierarchy node or go in another direction...
Thanks everyone to take the time and provide your input.
09/08/2014 - 16:30:39 EST - Reply by SAP
Dear customer,
I believe this is your case. Let me know if I get this wrong.
Since the user is authorized for the TOP node, he's able to see the
aggregated values of non-authorized cost centers, although these nodes
are not authorized. Please notice that this is not an error. The
system behaviour is as designed.
If you don't want to have the aggregated values in the nodes, please
try to change your query-design and filter according to "single
values" instead of "nodes" in the authorization variable. -
How to identify what customer exit variables are used in which query?
Hi all,
When i happened to check the CMOD transaction code i can find a list of customer exits are used. But i want to know what are those customer exist are used in which query? can anyone let me know the procedure of identifying it.
Thanks a lot
Poojahii pooja
check the foll links
Very Urgent: Customer Exit Variable
customer exit variable
MIssing Authorisation for customer exit variable query
Authorization variable or customer exit variables
if it is helpful assign points
thanks. -
ISE Authorization Profile Question
Hi,
We are implementing ISE at a university and using dynamic VLAN allocation to segment the traffic into vlans of a manageable size - we do not want to use geographically based vlans for a number of reasons. However there is one scenario which I am struggling with.
A number of students will be living in university owned houses which are not directly connected to the university network. In these houses an ISP will provide an ADSL circuit. These ADSL circuits will be aggregated back at the university data centre and will connect down one piece of wire to the university network. I haven't completed my testing yet but the general theory is that we can use multi-auth to allow them on to the network and apply appropriate access restrictions (these restrictions will differ from those applied to those applied when they connect "on campus") . However, in order to do this, I will need to create an authorization policy based on where they are coming from (ie what switch and what port). I can see how I can use Identity Groups to identify which switch the traffic is coming from but for the life of me I have no idea how I would identify the port.
Anyone have any ideas how I might achieve my goal?
Thanks
AlanHi
Cisco ISE allows for a wide range of variables within authorization policies to ensure that only authorized users can access the appropriate resources when they access the network. The initial release of Cisco ISE supports only RADIUS-governed access to the internal network and its resources. The authorization policy result is Cisco ISE assigning an authorization profile that might also involve a downloadable ACL specifying traffic management on the network policy enforcement device. The downloadable ACL specifies the RADIUS attributes that are returned during authentication and that define the user access privileges granted once authenticated by Cisco ISE.
An authorization profile acts as a container where a number of specific permissions allow access to a set of network services. The authorization profile is where you define a set of permissions to be granted for a network access request and can include:
• A profile name
• A profile description
• An associated DACL
• An associated VLAN
• An associated SGACL
• Any number of other dictionary-based attributes
Maybe you are looking for
-
I recently tried to update iTunes to 12.0.1 and got this error message: The procedure entry point ADAdPolicyEngine_DidEnterStation could not be located in the dynamic link library iAdCore.dll. After that, I get: iTunes did not install properly. Rei
-
APEX 3.1 export to 2.1
Hi all, Is there anyway I can install a 3.1 application I exported onto a 2.1 instalation of APEX? Thanks S
-
Hi ! We have been burgled and my Macbook has been stolen All my data and pictures were on it. Do you know if Apple could locate it by any way ? As soon as it will be connected to the Internet it should try to look for updates, Apple should be able to
-
Hi guys! I went through <a href="/people/michal.krawczyk2/blog/2005/09/09/xi-alerts--step-by-step target="d">this</a> weblog and configured it correctly. It is working. My question is: how does XI know, that the mapping error should be sent to michal
-
Open Catalog Interface (OCI)
There is an OCI interface for SAP R3. Is there an OCI interface for Business One?