on 11-28-2013 3:16 PM
Hi friends,
Client created 3 hierarchies and can see in VDH1 for customer hierarchy.
Seems like we need to get these into BW and use them for authorizations.
Tried searching SCN and could find 0cust_sales to be used. Also the datasource 0CUST_SALES_LKDH_HIER as its time dependent.
But am not clear of how can I use these in authorizations. Am new to BW.
Please guide me in this.
Hi
How can I define authorizations based on these at node level for reporting?
- First of all 0cust_sales must be authorization relevant..
- Then goto tx RSECADMIN create a new analysis object add 0cust_sales as char.
- Click on 0cust_sales then under details "hierarchy authroization" assign one of the nodes of the hierarchy you need to authorize.
- Repeat that and create as many analysis objects as you need for all the levels you need to authorize.
- Then assign the analysis objects to indivdual roles and the roles to the user or assign the object directly.
hope that clarifies
Martin
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Martin,
Thanks for these inputs. There are 2 hierarchies. And am loading them to same infoobject which is a template of 0cust_sales.
ROOT - Node 1
- 00/DR01/02564 - Node 2 (Level 1)
- 00/DR01/02566 - Node 3 (Level 2)
- 00/DR02/02570 - Node 4 (Level 3)
- 00/DR02/02572
- 00/DR02/02580 - Node 5 (Level 4)
- 00/FG01/02568 - Node 6 (Level 2)
- 00/FG02/02574 - Node 7 (Level 3)
-----------------------------------------------------------------
There are further more such groups at corresponding levels.
Say the users need access only after the Level 3. Will it be one object with type of auth "1" and selected node 4? Can there be more node selections in single object?
For each level, is it a new object of auth or how? Please help me understand
Client needs such restriction in queries. Is it that we drag and drop the custom info object which has both hierarchies loaded into the query and nothing else?
Hi
There are further more such groups at corresponding levels.
Say the users need access only after the Level 3. Will it be one object with type of auth "1" and selected node 4? Can there be more node selections in single object?
Yes that would work and you can select more than one node to the analysis object.
For each level, is it a new object of auth or how? Please help me understand
each level you want to authorize you have to create an object for.
Client needs such restriction in queries. Is it that we drag and drop the custom info object which has both hierarchies loaded into the query and nothing else?
you can create an authorization hierarchy variable and the user will only see the levels he has been granted through the analysis object.
hope that helps
Martin
Thanks Martin.
This is what I see in maintenance of HIER for plant A.
We have similar HIER for other plant B.
ROOT - Node 1
-> 00/DR01/02564 - Node 2 (Level 1)
-> 00/DR01/02566 - Node 3 (Level 2)
-> 00/DR02/02570 (UK) - Node 4 (Level 3)
-> 00/DR02/02580
-> 00/DR02/02581
-> 00/DR02/02572 (US) - Node 7 (Level 3)
-> 00/DR02/02582
-> 00/DR02/02583
Here is how I want to proceed forward with the constraints I have:
Create 2 roles for Level 1 and Level 2 with node below sub tree for each of these 2 HIER, which means total 4 roles.
Have some confusion for Level 3 though. Since user needs to see ONLY US and the others ONLY UK,
do I need to create separate roles of these? How about the other plant B which has similar Level 3 US and UK, but with different customer no instead of 02570 and 02572?
Martin,
Apologies to ask again but this is very important for me. Hence asking in such a detail.
Both the HIER of plant A and B loaded to ZHIEROB.
Is it like -
ROOT - Node 1
-> 00/DR01/02564 - Node 2 (Level 1)
-> 00/DR01/02566 - Node 3 (Level 2)
-> 00/DR02/02570 (UK) - Node 4 (Level 3)
-> 00/DR02/02580
-> 00/DR02/02581
-> 00/DR02/02572 (US) - Node 7 (Level 3)
-> 00/DR02/02582
-> 00/DR02/02583
For above Plant A HIER, need to create 4 roles as below FOR EACH NODE and NOT LEVEL as such?
Again need to create similarly for Plant B HIER with same infoobject as both HIER loaded to it.
Please confirm once
Hi Aditya,
Let's first deal with bringing data to BW and then I'll give a simple solution for creating authorizations for your hierarchy.
For loading data to BW 7.3, you still can use 3.x flow. It is not mandatory. However, you can migrate this flow.
Br, H
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Harish,
Created a new infoobject based on 0cust_sales and copied the transfer rules of BI Content and modified accordingly. Now loaded both hierarchies in this object in 3 x flow. Ref table was KNVH, hence used 0CUST_SALES_LKDH_HIER datasource.
Please look at my latest reply to Martin. Kindly assist.
Hi Aditya,
Either you can follow Martin's approach, but the downside is that you need to create multiple authorizations for new node entries.
One altrernative would be to write an abap program to update a table (this table contains users with authorized nodes and sub-trees and can be maintained manually also) for hierarchies for each user and read this table in the customer exit for variable created for 0cust_sales in your report.
This approach is easy to implement if you have abap background.
Br, H
Hi Harish,
Being hard to understand. Can you please provide more info.
Please look at the below:
ROOT - Node 1
- 00/DR01/02564 - Node 2 (Level 1)
- 00/DR01/02566 - Node 3 (Level 2)
- 00/DR02/02570 - Node 4 (Level 3)
- 00/DR02/02572
- 00/DR02/02580 - Node 5 (Level 4)
- 00/FG01/02568 - Node 6 (Level 2)
- 00/FG02/02574 - Node 7 (Level 3)
-----------------------------------------------------------------
There are further more such groups at corresponding levels.
Say the users need access only after the Level 3. Will it be one object with type of auth "1" and selected node 4? Can there be more node selections in single object?
For each level, is it a new object of auth or how? Please help me understand
Client needs such restriction in queries. Is it that we drag and drop the custom info object which has both hierarchies loaded into the query and nothing else?
If you have maintained these authorizations in a table, you can easily provide authorizations based on it.
For eg.
User | Level 1 | Level 2 | Level 3 | Level 4 |
---|---|---|---|---|
User 1 | ROOT | 00/DR01/02564 | 00/DR01/02566 | * |
User 2 | ROOT | 00/DR01/02564 | * | * |
User 3 | ROOT | * | * | * |
Now, User 1 is authorized to see only data of level 3 (00/DR01/02566) and everything below. Likewise, User 3 is authorized to see all levels below ROOT.
In this fasion, you can maintain authorizations for users based on this table. In your report, you need to create a customer exit variable for this infoobject and read this table in your exit to determine what authorization the user is assigned to, based on sy-uname.
If you follow this approach, you don't need to create multiple authorizations and assign to users. You simply need to maintain this table periodically to enable authorizations for users.
Br, H
Hi,
Am still stuck below:
When I try to migrate the datasource, it says not supported with some PSA error.
Is it mandatory to load in 3x flow? Am on BW 7.3
Can I load the same to a custom infoobject so that no dependency on 0cust_sales? Create a new one as a template based on 0cust_sales?
How can I define authorizations based on these at node level for reporting? Please explain with some example. The SDN doc was incomplete as it only gave some screens but not the explanation required.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Aditya
After your replicate your data sources [cust_sales] from ECC, create Info package, pick the hierarchy you need in the hierarchy selection tab, run the info package
regards
Raj
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Rajeev,
Am able to see 3 hierarchies in the infopackage for 0cust_sales.
Should this be done only in 3.5 flow? Any doc as such please?
Can I load the same to a custom infoboject so that no dependency on 0cust_sales?
How can I define authorizations based on these at node level? Seen the web but no clear doc on hierarchy authorizations
Please guide
Hi,
not sure what authorisaton you are using.
You can make Infoobject authorisation relevant. also you have to define necessary authorisation for the nodes etc.
In the variable also you can have authorisation variables by which only those authorised values will be displayed.
Thanks and regards
Kiran
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Kiran,
Can you please be more specific? Am new to this concept and am finding this hard.
Can I load the HIER to a custom infoobject so that no dependency on 0cust_sales? Create a new one as a template based on 0cust_sales?
How can I define authorizations based on these at node level for reporting? Please explain with some example. The SDN doc was incomplete as it only gave some screens but not the explanation required.
Please help in this regard
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Aditya,
Are you able to extract this hierarchy in BW? First check if you are able to see this hierarchy name when you check for available hierarchies in OLTP system in your info-package.
If you are not able to find it let me kw.
Regarding authorization please check below link.
http://help.sap.com/saphelp_nw04/helpdata/en/8f/57f438114ee836e10000000a114084/content.htm
Regards
Shabnam
Hi Shabnam,
Am not clear about this. Client has 3 hierarchies in VDH1 in source.
I was told to extract them into BW and use them in authorizations.
Have gone through some docs but seems like they had some standard steps but not how to deal such scenarios step by step.
Please give over view if possible of how can I proceed
User | Count |
---|---|
84 | |
10 | |
10 | |
10 | |
7 | |
6 | |
6 | |
5 | |
4 | |
4 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.