Variables in Authorizations

Hello Gurus,
       I hope you can help me with a problem. We use BI7 and at the moment we have 3 authorisation relevent objects Sales Office, Cost Centre and Sold To. We load this data via spreadsheets for each user, some will have a * and some will have restrictions based on values (certain Sold To's or Sales Offices etc. However, we would like to introduce a new authorisation object called Ship To. There is a one to many relationship between Sold To and Ship To held in a table called ZCUST_SLS. So, instead of creating another spreadsheet for Ship To and loading this, I would like to explore using a variable to determine Ship To's from the Sold To using a customer exit variable in RSECADMIN.
          I know that the variable will be of the format $<variable_name> and will be created in CMOD using enhancement RSR00001 for the necessary coding, but what I would like to know is how do I reference the Sold To for this user to be able to determine its relavent Ship To.
For example
User DJONES
Current Authorisations
Sales Office *
Sold To 1234567
Cost centre *
I would like to add a new Auth object called Ship To using a customer exit variable which uses abap code to look up the table ZCUST_SLS to determine the Sold To's,
many thanks

HI,
Authorizations with Variables
Definition
Instead of using a single value or interval, you can also use variables of type customer exit in authorizations. The customer exit is called for these variables while the authorization check is running. The call is carried out with I_STEP = 0. The intervals of characteristic values or hierarchies for which the user is authorized can be returned here. By doing this, the maintenance effort for authorizations and profiles may be considerably reduced.
Every cost center manager should only be allowed to evaluate data for his/her cost center. Within the SAP authorization standard, a role or a profile with the authorization for the InfoObject 0COSTCENTER equal to u2018XXXXu2019 (XXXX stands for the particular cost center) would have to be made for every cost center manager X. This has to be entered in the user master data for the cost center manager. In organizations where cost centers change on a regular basis, this involves significant administrative effort.
Using a variable reduces the authorization maintenance workload with the InfoObject 0COSTCENTER equal to u2018$VARCOSTu2019, as well as with the role or the profile, which is maintained for all cost center managers. The value of the variable u2018VARCOSTu2019 is then set for runtime during the authorization check by the CUSTOMER-EXIT u2018RSR00001u2019.
Maintaining the authorizations restricts the entries for the values to the length of the existing InfoObject. It is possible, however, to use both limits of the interval. In the example 0COSTCENTER with 4 spaces, the variable u2018VARCOSTu2019 is, therefore, entered as u2018$VARu2019 u2013 u2018COSTu2019.
Use
Exit variables can be entered beginning with $. If there is a variable value in both the lower and the upper limit, the two are combined as subnames of an overall variable in authorization processing. Intervals are not corrected automatically by the system if an error was found during the check. You get an error message and can analyze the error yourself.
There is a buffer for these variables. If this buffer is switched on, the customer exit is only called up once for a variable with the authorization check. In doing so, you avoid calling up the customer exit for variables over and over, as well as decreasing performance. If you want to call up the customer exit each time, you have to deactivate this buffer in the maintenance of analysis authorizations. To do this, in the main menu, choose Extras ® Buffering Variables ® Deactivate.
You can also call up the customer exit for authorizations for hierarchies.
Enter the variables of type hierarchy node into an authorization. To do this, in the hierarchy authorization maintenance, under Node, choose a variable with  Select Exit Variable. The customer exit is then called up while the authorization check is running. In the return table E_T_RANGE, the technical name of one or more nodes is expected in the LOW fields. In the HIGH field, the InfoObject type of the node is expected.
Tarak

Similar Messages

  • Derivation from variable type authorization in exit

    Hi Experts,
    I have got a query with two variables "AUTH" type authorization and "DERI" which should be derivate from "AUTH".
    "DERI" is type Exit.
    my problem, in the exit "AUTH" is not in i_t_var_range. Where do I get the value of "AUTH" from, to use it in the exit logic?
    Thanks for your help
    Pierre

    I Peter
    I needed to make the same thing.
    Did you found a solution?
    Best regards
    Joã

  • Variable filled Authorizations

    Business Requirement:
        There are 50 sales organizations in a company. And BW team does not want me to create 51 roles ie 50 one for each one and one for all. They want me to create 1 role with variable and this variable should be filled in EXIT routine.
    Procedure:
    1.      Authorization relevant
    2.      Created custom authorization using RSSM
    3.      Applied custom authorization to CUBE using RSSM
    4.      Created a role for custom authorization using PFCG
    5.      Created a Global variable ‘processing type authorization’ using BEx
    6.      Dragged authorization variable in report.
    It works if I put a value in a role directly (Fixed value)
    But looking for a flexible and better solution
    Avenues tried:
       CMOD -> Project -> EXIT_SAPLRRS0_001 -> source code (Tab) -> INCLUDE ZXRSRU01 and coded.
    Need to use I_STEP = 0. Yes I can use if it visits in the customer exit, but it is not visiting to customer exit.
    I have changed processing type to customer exit and used I_STEP = 1 and 2, it visits the customer exit and applies the value then it fails with Authorization error.
    Question: Is any one has done it, if so how? If not any thoughts?
    If use processing type = customer exit then I do not need to create authorization object and role etc. Create a global variable on infoobject and fill that variable in customer exit.
    Is there any other way?
    Sam / Raman

    Hi,
    you did already
    - Authorization relevant
    - Created custom authorization using RSSM
    - Applied custom authorization to CUBE using RSSM
    Please try the following steps
    1. Create in BEx a variable, e.g. "E", processing by
       "Customer exit", not ready for input
    2. Created a role for custom authorization using PFCG,
       in the custom authorization use "$E" instead of a
       fixed value.
    3. Fill the variable in ZXRSRU01
        when 'E'.
          l_temp = ... "value corresponding to sy-uname
          l_s_range-low  = l_temp.
          l_s_range-sign = 'I'.
          l_s_range-opt  = 'EQ'.
          APPEND l_s_range TO e_t_range.
    Best regards
    LL

  • Variables with Authorization as Processing type ...

    Hi Gurus, I also wanted to see if we have any good example for this kind of variable?
    I also have a question. If we have Authorizations on 0ORGUNIT and 0EMPLOYEE. The users will be able to see only what they are supposed to see. Now what is the use of a variable that is built on this chareacteristics with processing type "Authorization"? Since they already are restricted to see the data?

    Consider this example:
    Every cost center manager should only be allowed to evaluate data for his/her cost center. Within the SAP authorization standard, a role or a profile with the authorization for the InfoObject 0COSTCENTER equal to ‘XXXX’ (XXXX stands for the particular cost center) would have to be made for every cost center manager X. This has to be entered in the user master data for the cost center manager. In organizations where cost centers change on a regular basis, this involves significant administrative effort.
    Using a variable reduces the authorization maintenance workload with the InfoObject 0COSTCENTER equal to ‘$VARCOST’, as well as with the role or the profile, which is maintained for all cost center managers. The value of the variable ‘VARCOST’ is then set for runtime during the authorization check by the CUSTOMER-EXIT ‘RSR00001’.
    Maintaining the authorizations restricts the entries for the values to the length of the existing InfoObject. It is possible, however, to use both limits of the interval. In the example 0COSTCENTER with 4 spaces, the variable ‘VARCOST’ is, therefore, entered as ‘$VAR’ – ‘COST’.
    refer:
    http://help.sap.com/saphelp_nw04s/helpdata/en/91/a62c42fb6fdd2ce10000000a1550b0/frameset.htm for more details

  • Bps variable by authorization

    Dear Friends,
    I can tell a bps variable value is authorization-derived.
    How can  I know straightaway what is the authorization / object tied to this so that I can check / set the  authorization?
    Please can you give me some hints.
    regards
    H.C

    <FONT FACE = "Tahoma", Font Color = "Blue">
    Hi<br>
    In BW 3.x, you can even go to t-code SU01, Enter User ID (whose authorizations have to checked) and press the Display button at top to see User Profile.<br>
    In the next screen, you can navigate to different tabs like roles, profiles etc to get more details. If you double click on any role, system will display the specifics of that role.
    <br><br>
    Hope it helps.<br>
    Cheers Abhijit</FONT><FONT FACE = "Verdana", Font Color = "Red">
    Please assign Reward Points if I deserve them in your opinion
    </FONT>

  • Variable value to be populated based on user authorization

    Hi all,
    I want to have a variable with single value on plant.
    when the user executes the report, value of the variable has to be populated automatically based on the authorization of the login user and it has to show the output without displaying the selection screen.
    Kindly guide me of, what type of variable to create and to proceed.
    Thanks.
    I

    Hi
    Restriction Plant from user authorization can be achieved by the following steps
    1. Plant infoobject should be authorization relevant.
    2. make authorization object including plant and restrict to the plant u needed and assign the profile to the user
    3. in BEX create variable of authorization type on plant. this variable will get the default values for the plant from the user authorization on the selection screen of the query.
    4. if you dont want to display the variable on the selection screen then remove the chek box in variable that " variable is not ready for input"
    thanks
    radhika

  • Webi  Bypassing BEx Authorization Variable with SAP Exit

    BEx query has Hierarchy Node Variable with Authorization as processing type. Its set as User Input ready
    When the Webi report is refreshed, the LoVs appear as per the Authorization. However, if user doesn't select any value (pushes from right to left in variable screen) he gets NOT_AUTHORIZED error. Which is not intended, it should check the authorization in the background via SAP exit and populate the result. This is how it runs inBEx query.
    However, in Webi it's giving NOT_AUTHORIZED error? This is how the product is designed to work or is it a bug.
    I see several forum threads and SAP KBAs/notes but they are not answering my question. Could anyone please help.
    I am ready to provide more details on this error.
    Thanks,
    Tilak

    Hi,
    this is how authorization variable would work in any of the clients and not just Web Intelligence.
    You created an authorization variable which is configured as "read for input", so the user is getting prompted.
    So In Web Intelligence the LoV shows up.
    if the user does not select a value, then you are not sending a value, so you basically asking for all data and you are not allowed to see all data and therefore you are getting the message "no authorization".
    if you are making authorization variables as ready for input then the user needs to select the proper values - regardless of the BI tool.
    if you want the authorization to be check in the background then the authorization variable should be configured to not have ready for input.
    regards
    Ingo Hilgefort

  • Creation of variable in BEx from user authorization

    Hi gurus,
       i want to create a variable with user authorization in BEx. Can any one please tell me the steps to create the variable for authorization.
    Thanks in advance
    sandy

    Hi,
    You will get a better and quicker answer if you post this in the BI forums.
    Eddy
    PS.
    Put yourself on the SDN world map (http://sdn.idizaai.be/sdn_world/sdn_world.html) and earn 25 points.
    Spread the wor(l)d!

  • Creating variable with the user Authorization in BEx

    Hi gurus,
    i want to create a variable with user authorization in BEx. Can any one please tell me the steps to create the variable for authorization.
    Thanks in advance
    sandy

    Hi,
    Please take a look and refer the section Use of Variable filled Authorizations(User Exit)
    Advanced Features of SAP BW Reporting Authorizations
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/1b439590-0201-0010-ea8e-cba686f21f06
    Hope this helps.
    Cheers,
    Gimmo

  • Authorization Variable message

    Guru assistance requested.
    I am testing two separate "test user ID's" for authorization relevant objects.
    Objects are Division / Sales Organization / Plant.
    Test user 1 is functioning correctly.
    Test user 2 is triggering a message when I logon to BEx and choose my query.
    Message dialog box reads:
    "!" Value if variable ZPLNT_XXXX is automatically converted.
    I can not eleminate this message from occuring.
    Test User 1 has authorization restrictions on "Divisions and Plants"
    Test User 2 has authorization reswtrictions on "Sales Organizations and Plants"
    I am not receiving any message with Test User 1 and connot explain the reason behind the above
    information message.
    Any ideas.
    Authorization variables are identical for all three objects and both Test Users have authority to the
    roles with each infoprovider.
    Thanks....Dan

    Sachin,
    I went into Query Designer again and looked at my variables:
    All authority  variables are identical in character definition:
    General Tab: Type of Value = Characteristic Value
    General Tab: Processing by Authorization
    Detail Tab: Multiple Single Values
    Detail Tabl: Variable is Optional ..... ready for input field is "blank"
    This  is my query filter:
    Selection:
    Filter on Variables 0DIVISION / 0CURTYPE / 0PLANT / 0SALESORG / 0FISCPER.
    0CURTYPE is defined for B0 on the COPA InfoProvider.
    All others are Selections are user elected variable options.
    The Authorization variable is a restriction I placed on the "Default Value" of characteristic objects
    0DIVISION / 0PLANT / 0SALESORG
    (So as not to display the object).
    As the user .... I logon to BW.
    Navigate BEx Analyzer >>  Open Query: Choose Query Name then "open"
    At this point the dialog box appears  -- below I select my filter options.
    Dialog box reads:
    There are messages:
    Type" !"  ..... Description: Value if variable ZPLNT_XXXX (my variable name) is automatically converted.
    If the query is the issue .... I would think that this message would appear for both test users.
    Not just User#2.
    Also of note ... I have never seen this message below, but then, I am now just beginning to test
    user "authority variables" over  authorization relevant objects.
    Ant other thoughts.
    Thank you ..... Dan

  • Authorization Variable not prefilling on RRI jump

    Hi,
    I have an Authorization Variable which prefills according to the users authorized values - this works fine in all instance EXCEPT when I jump from another query.
    Has anyone seen this before?
    Anybody know why?
    What is the function which prefills the variable?
    The jump goes to a web analyzer session. The session works fine if I just execute the jump query - but as soon as the url contains passed variables the authorization variable does not prefill.
    eg. http://sldn1450dap:6777/sap/bw/BEx?SAP-LANGUAGE=EN&CMD=LDOC&INFOCUBE=H3FST_M_M&QUERY=QFCMM_AD0060_V2_JMP - works fine, variable prefills
    http://sldn1450dap:6777/sap/bw/BEx?SAP-LANGUAGE=EN&CMD=LDOC&INFOCUBE=H3FST_M_M&QUERY=QFCMM_AD0060_V2_JMP&VAR_NAME=8BBS_ID&VAR_VALUE=43RUCKR22P5SIA2LJXEE2XJBN - variable does not prefill
    Desperate to sort this one out. 2 days to release deadline and spending days on this.
    Regards
    Neville

    Hi Neville,
    First query also has the same authorization variable?
    if yes it should work.
    Otherwise add the same object and variable in the first query also.
    Regards,
    Vijay.

  • Analysis Authorization in BO 4.0 Webi report

    Hi All,
    I am using BO 4.0 and creating connection from Information Design tool to a BW query using BICS client. This connection is then published to CMC.
    We are using SAP authentication and importing the roles from BW system. We have added profiles to this role and these profiles have Analysis Authorization set on Company Code. So one user can access data to one company code and vice versa. Now this works well in Bex Analyzer, but if I try to create a report in Webi, the analysis authorization fails. I went through the forum before posting this question and I found that is in 3.1 version and in most cases using SSO in universe connection solved the problem.
    However in 4.0 I am using BICS client and followed the same processes to create a connection but for some reason it doesn't work ? Is this suppose to work differently in 4.0 ?
    I have tried:
    1. To create connection in Information Design tool using SSO, selecting user ID and password. It doesn't work.
    2. Checked the Bex query and it already has Company code as a Characteristic restrictions (I have made it a mandatory variable).
    3. Publish the connection to CMC with my Enterprise and SAP ID and in both cases it doesn't work.
    Please let me know if anyone encountered a similar issue and what is the best method to resolve this.
    (BO 4.0 no service pack or fix pack installed on the system yet)
    Thanks - Appreciate your help !
    Prasad Rasam

    Ingo,
    1. To create connection in Information Design tool using SSO, selecting user ID and password. It doesn't work.
    >> Correct you need to setup you OLAP Connection with SSO.
    >>> What I meant was I created the connections using both the methods, Using SSO it allows me to create a connection. The ID which I am using to create a connection has Admin access to BOBJ system. When I login as a regular user to create a Webi report and select this new connection, it throws an error message 'The DSL Service returned an error: com.businessobjects.dsl.services.workspace.impl.QueryViewAnalyzer$CannotGetCubeFromConnectionException: Cannot get the cube from the connection'
    Using the other method to create a connection with User ID and password, I can create a connection and with the normal user login I can connect to the BW query but Analysis Authorization doesn't work.
    Ingo : Could you be more specific what you mean here with the different users ? When you say "regular" user are you referring to an SAP credentials or SAP BusinessObjects Enteprrise credentials ?
    2. Checked the Bex query and it already has Company code as a Characteristic restrictions (I have made it a mandatory variable).
    >> The variable in the BEx query needs to be an authorization variable.
    >>> This has already been set as Authorization variable. There is still a question here. If I select the variable as Authorization variable, I cannot set the other parameters in the query properties such as Mandatory variable (as this is greyed out).
    Ingo : What other parameters would you like to configure ? Could you perhaps describe the scenario with more details ?
    regards
    Ingo Hilgefort

  • Hierarchy Authorization Aggregate (:)

    There is a thread for this question in Bex discussion but this issue is not entirely belong to Bex so I am duplicating here also.
    I have successfully set up the Cost Center Hierarchy Node variable using authorization in our BI environment. One last issue I am facing is following.
    When the data appears for a user who has access to 4 out of 10 cost centers in a hierarchy node, the summarized node data is showing the totals for all the cost centers included in the node. User would like to see the subtotal of only the cost centers they have authorization for. Of course the reason aggregated values are displayed is due to the : authorization provided for Cost Center in AA object, what I am wondering is if there are any other alternatives of ":" to force the query aggregate only the values from Authorization Hierarchy Node variable. Although SAP note 727354 suggests the following
    A colon authorization is not taken into account when you use a
    variable of the type "Fill from authorization", since it is not known at the
    time of the variable processing whether or not the affected characteristic is in
    the drilldown.
    I do have Authorization Hierarchy Node variable for Cost Centers in use but still the hierarchy node displays the summarized values for all the cost centers. I am hoping someone has run into this issue before me and there is a solution.
    Any help will be highly appreciated.
    Thanks!
    -Aslam

    Following is what I received from SAP, although disappointing but it is I what I thought too.
    Suggestion is not to use hierarchy node variable and replace with single values.
    Well the reason of choosing the hierarchy node variable was a business requirement. So I have delivered the news to business and now it will be up to them to go ahead with what comes from SAP by default (Total for all cost centers in the node regardless of user authorization) with the usage of hierarchy node or go in another direction...
    Thanks everyone to take the time and provide your input.
    09/08/2014 - 16:30:39 EST - Reply by SAP     
    Dear customer,
    I believe this is your case. Let me know if I get this wrong.
    Since the user is authorized for the TOP node, he's able to see the
    aggregated values of non-authorized cost centers, although these nodes
    are not authorized. Please notice that this is not an error. The
    system behaviour is as designed.
    If you don't want to have the aggregated values in the nodes, please
    try to change your query-design and filter according to "single
    values" instead of "nodes" in the authorization variable.

  • How to identify what customer exit variables are used in which query?

    Hi all,
    When i happened to check the CMOD transaction code i can find a list of customer exits are used. But i want to know what are those customer exist are used in which query? can anyone let me know the procedure of identifying it.
    Thanks a lot
    Pooja

    hii pooja
    check the foll links
    Very Urgent: Customer Exit Variable
    customer exit variable
    MIssing Authorisation for customer exit variable query
    Authorization variable or customer exit variables
    if it is helpful assign points
    thanks.

  • ISE Authorization Profile Question

    Hi,
    We are implementing ISE at a university and using dynamic VLAN allocation to segment the traffic into vlans of a manageable size - we do not want to use geographically based vlans for a number of reasons. However there is one scenario which I am struggling with.
    A number of students will be living in university owned houses which are not directly connected to the university network. In these houses an ISP will provide an ADSL circuit. These ADSL circuits will be aggregated back at the university data centre and will connect down one piece of wire to the university network. I haven't completed my testing yet but the general theory is that we can use multi-auth to allow them on to the network and apply appropriate access restrictions (these restrictions will differ from those applied to those applied when they connect "on campus") . However, in order to do this, I will need to create an authorization policy based on where they are coming from (ie what switch and what port). I can see how I can use Identity Groups to identify which switch the traffic is coming from but for the life of me I have no idea how I would identify the port.
    Anyone have any ideas how I might achieve my goal?
    Thanks
    Alan              

    Hi
    Cisco ISE allows for a wide range of variables within authorization policies to ensure that only authorized users can access the appropriate resources when they access the network. The initial release of Cisco ISE supports only RADIUS-governed access to the internal network and its resources. The authorization policy result is Cisco ISE assigning an authorization profile that might also involve a downloadable ACL specifying traffic management on the network policy enforcement device. The downloadable ACL specifies the RADIUS attributes that are returned during authentication and that define the user access privileges granted once authenticated by Cisco ISE.
    An authorization profile acts as a container where a number of specific permissions allow access to a set of network services. The authorization profile is where you define a set of permissions to be granted for a network access request and can include:
    • A profile name
    • A profile description
    • An associated DACL
    • An associated VLAN
    • An associated SGACL
    • Any number of other dictionary-based attributes

Maybe you are looking for