cancel
Showing results for 
Search instead for 
Did you mean: 

Authorization on Bex Queries.

Former Member
0 Kudos

Hello,

below is the current scenario,

Auth Object

Account

Segment

Company

Hierarchy object

ROLE1

Account - * (all accounts allowed)

Segment - AIM

COMPANY - 3000

ROLE2

Account - * (all accounts allowed)

Segment - *

COMPANY - *

USER Jhon has ROLE1 under him.

Requirement:

New Query is developed

In this Query ALONE User Jhon should be able to see ALL Companies and Segments data (meaning ROLE2 should be used).

and In the OLD queries still user should be able to see the data as per the ROLE1

any ideas will be rewarded.

Accepted Solutions (0)

Answers (6)

Answers (6)

Former Member
0 Kudos

Hi Shashi,

as you can see, the FM mentioned in the previous post is a customer created FM, no standard. I dont know if there is a kind of template available, but at the end you have to programm a FM which retrieves the data you request.

The Customer Exits in our BW look all different, depending of the logic it is used. Thats the reason why i cannot propose a special fm, sorry. At the end the follwoing has to be filled, since this is the relevant table

APPEND l_s_range TO e_t_range.

Try to debug with rsrt or rssmq and you will see, which Fm you have to use to get your authorized values. Also try to check if you have already some cusomer exits in you system.

Take care,

Maik

Former Member
0 Kudos

Hi,

your customer exit could look similar like this one. for i_vnam the Variable you use in the report will be checked.

If you run report for role1, the auth. for role1 one should be retrieved otherwise the auth. for role2.

CASE i_vnam.

  • --- ROLE1 -----------------------------

WHEN 'ROLE1'.

IF i_step = 2.

CALL FUNCTION 'Y_AUTH_VALUES_GET_4_USER'

EXPORTING

user = 'SY-UNAME'

profn_list = 'ROLE1'

TABLES

values = i_values

nodelist = i_nodelist.

  • LOOP AT i_values.

  • l_s_range-sign = 'I'.

  • l_s_range-opt = 'EQ'.

  • l_s_range-low = i_values-von.

  • l_s_range-high = i_values-bis.

  • APPEND l_s_range TO e_t_range.

  • ENDLOOP.

LOOP AT i_nodelist.

l_s_range-sign = 'I'.

l_s_range-opt = 'EQ'.

l_s_range-low = i_nodelist-bis.

l_s_range-high = i_nodelist-von.

APPEND l_s_range TO e_t_range.

ENDLOOP.

ENDIF.

  • - ROLE2-----------------------------

WHEN 'ROLE2'.

IF i_step = 2.

CALL FUNCTION 'Y_AUTH_VALUES_GET_4_USER'

EXPORTING

user = 'SY-UNAME'

profn_list = 'ROLE2'

TABLES

values = i_values

nodelist = i_nodelist.

LOOP AT i_nodelist.

l_s_range-sign = 'I'.

l_s_range-opt = 'EQ'.

l_s_range-low = i_nodelist-bis.

l_s_range-high = i_nodelist-von.

APPEND l_s_range TO e_t_range.

ENDLOOP.

ENDIF.

ENDCASE.

For more information search for the FM EXIT_SAPLRRS0_001 in this NG, there are a lot of good Threads.

HTH.

Good luck,

Maik.

Former Member
0 Kudos

Y_AUTH_VALUES_GET_4_USER

i am not able to get this FM.

Former Member
0 Kudos

Hi,

it is also possible to use a customer exit and 2 different variables. In the Cusotmer exit U check, which variable is used in the query. Depending on this, U make your selection, either role1 or role2. This is common and often used in projects within SAP IT.

Bye,

Maik

Former Member
0 Kudos

Hello,

This looks interesting for me.

can you give me some technical details with examples with my scenario given in my first post.

former_member619464
Active Contributor
0 Kudos

Hi,

First create a role with the following authorizations (full)

Account - * (all accounts allowed)

Segment - *

COMPANY - *

Define a query without any restrcitions/filter so that when the user John runs, he can find all the data from this query.

Now define one more query wherein restrict Segment as AIM

COMPANY as 3000. Now when the user John runs this query, he can find only AIM segment & company 3000 from this query.

In this way, just by defining only one role, you can achieve ur requirement by using restrictions at the report level.

Regards,

R.Ravi

Former Member
0 Kudos

Hi,

If for this query alone the user has to see all the data then donot restrict those characteristics with authorization variables.

If you do this the authorization will not be applicable to this particular query.

Hope this helps

Assign points if useful

Regards,

venkat

former_member619464
Active Contributor
0 Kudos

Hi,

I guess you cant achieve this with the same info provider. So I wud suggest to create another cube (a copy of the existing one)and develop a new query for this new cube. You can define full authorization for John for this new cube. By this way, you can have two different roles for the same user.

Hope this helps...

REgards,

R.Ravi

Former Member
0 Kudos

Hi ravi,

thanks for reply but having a new Cube is not a accepted solution at us now so could you think of way with the same Cube and same user, can we achieve this lets say restrict the ROLE a sepecific Query something like this.