cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Intersecting Authorizations

Former Member

on ‎09-08-2008 1:29 PM

0 Kudos

Hello Gurus,

Im having a trouble with authorizations in BI-IP . Im trying to do authorizations for cost planning. But values for combination of cost centers and cost elements are intersecting. And when i use both of them, i get message that user is not authorized. For example ;

USER01 will have two authorizations : Authorization1 and Authorization2

Authorization 1:

Cost Center : 1100 , Cost element : 77000001 - 77000099 (for only his department)

Authorization 2 :

Cost Center : 1100 - 1400 , Cost element : 76000001 - 760000099 (other department's costelemnts)

USER01 is going to enter his values to the input ready query. And when he opens the query, he chooses the variable value of costcenter. If he chooses 1100, he must see the costelemnts of 77000001-7700009 and 76000001 - 760000099 .

But if he chooses 1200, he must see the only costelements from 7600000 to 76000099 .

In rsecadmin, i created two authorization objects. And i added 0TCT* infoobjects and the other authorization related objects. I created two roles (PFCG) and assigned those authorizations to those roles. And i assigned those roles to the USER01.

I added the authorization related variables for costelement, and costcenter to the query.

When i give the user roles individually,the authorization works ok. And the query returns right results.

Problem is; when i give the two role in same time, authorization fails.

I made all analysis from rsecadmin. Authorization fails in only costcenter and costelement combinations . Other authorization objects works ok.(infocube, rrmx etc. )

Is there anybody who faced a similar situation?

Thanks in advance,

Regards...

Show replies
Show replies
Answer

Accepted Solutions (0)

Answers (1)

Answers (1)

Former Member
‎09-08-2008 1:39 PM
0 Kudos

Can you try this?

Authorization 1:

Cost Center : 1100 , Cost element : 77000001 - 77000099 (for only his department)

76000001 - 760000099

Authorization 2 :

Cost Center : 1101 - 1400 , Cost element : 76000001 - 760000099 (other department's costelemnts)

Show replies
Show replies
Former Member
‎09-08-2008 1:59 PM
0 Kudos

Hi Bindu,

Thanks for the reply. But i already tried it.

I would appreciate for further help.

Former Member
‎09-08-2008 2:38 PM
0 Kudos

Hi there,

Read this note 820183

Sometimes you have intersection values dependent on your authorization.

Diogo.

Former Member
‎09-08-2008 2:51 PM
0 Kudos

Hi,

I used new authorization concepts as the note says. And i dont use ' * ' for costelement or costcenter.

Would you please explain some more?

Fatih..

Former Member
‎09-08-2008 2:58 PM
0 Kudos

Ok,

That note refers this one 1053989.

This was the note that I wanted to post here.

Check it please.

Diogo

Former Member
‎09-08-2008 3:18 PM
0 Kudos

Hi,

I had checked that note also. But i use intervals correctly ,i think.I dont use + or * signs. If thats what u mean.

Former Member
‎09-08-2008 3:29 PM
0 Kudos

Hi,

I believe the problem remains in the intervals.

Authorization 1:
Cost Center : 1100 , Cost element : 77000001 - 77000099 (for only his department)
Authorization 2 :
Cost Center : 1100 - 1400 , Cost element : 76000001 - 760000099 (other department's costelemnts)

Check these cases:

First, change the Authorization 2 to this:

Authorization 2 :

Cost Center : 1200 - 1400 , Cost element : 76000001 - 760000099 (other department's costelemnts)

Now try with the values 1100 (should only use values from the first authorization), and then try any interval between 1200 to 1400, should only see values from the second changed authorization.

Now try to keep Authorization 1, Authorization 2 change it to what I referred before (between 1200 - 1400) and now create a third authorization also like this:

Authorization 3 :

Cost Center : 1100, Cost element : 76000001 - 760000099 (other department's costelemnts)

Now check with the values 1100 and see if it makes the union between authorization 1 and authorization 3, it should. The intervals sometimes don't allow union, it's a little bit odd, but it's what the system do!

Also post your RSECADMIN log in here to see what the system is trying to check.

Diogo.

Former Member
‎09-08-2008 3:59 PM
0 Kudos

Hi,

I already tried that also. Its not working. Log is big to put here. But it writes; ''Partially or Fully Authorized (Intersection)'' . If you give your mail adress, i can send you log.

Thanks in advance..

Former Member
‎09-08-2008 4:03 PM
0 Kudos

Ok,

Check my e-mail in my profile.

Diogo.

Former Member
‎09-10-2008 8:24 AM
0 Kudos

Any other ideas Gurus ?

Former Member
‎09-10-2008 10:40 AM
0 Kudos

Ok,

I did check your log but I'm a little bit confused...

Your first SQL code of the log shows this:

SQL Format:

COSTCENTER = '0000003100'

AND TCAACTVT = '03'

Did you inserted the value 0000003100 for Costcenter, and what value did you inserted for Costelement? Because it is not showed in the first SQL code, so the system matches that value 3100 with an authorization that has in fact Costcenter = 3100 but tries to see all the values for Costelement and you only have particular values inserted.

Also check this:

Characteristic Contents

0COSTCENTER I EQ 0000003100

0COSTELMNT I EQ 7300000006

I EQ 7303000001

I EQ 7303000002

I EQ 7303000003

I EQ 7303000004

I EQ 7303000005

I EQ 7303000006

I EQ 7303000008

I EQ 7303010001

I EQ 7303010003

I EQ 7303010004

I EQ 7303010006

0TCAACTVT I CP *

This is the content of one of your authorizations.

So imagine you execute the query with the following values:

0COSTCENTER I EQ 0000003100

0COSTELMNT I EQ 7300000006

I EQ 7303000004

I EQ 7303010001

What I meant here is you execute the query selecting the costcenter 3100 and several individual values, 7300000006 and 7303000004 and 7303010001 in the costelement. This should execute OK.

But if you execute with this values:

0COSTCENTER I EQ 0000003100

0COSTELMNT I BT 7303000001-7303000006 (from 7303000001 to 7303000006) this will give you lack of authorization as per what the SAP note referred before states.

Therefore try also to complement that previous authorization with this:

Characteristic Contents

0COSTCENTER I EQ 0000003100

0COSTELMNT I EQ 7300000006

I EQ 7303000001

I EQ 7303000002

I EQ 7303000003

I EQ 7303000004

I EQ 7303000005

I EQ 7303000006

I EQ 7303000008

I EQ 7303010001

I EQ 7303010003

I EQ 7303010004

I EQ 7303010006

0COSTELMNT I BT 7303000001-7303000006

0COSTELMNT I BT 7303010003-7303010004

0TCAACTVT I CP *

So If you execute again with intervals it will be OK.

Diogo.

Former Member
‎09-10-2008 12:23 PM
0 Kudos

Hello Diogo,

Thanks for sharing your time. I really appreciate it.

But it confused me also. Becouse as you said, first authorization shows that, i didnt do any restriction for costelemnt. But i did before. and i executed again today. and it shows normal in new log. Probably it was a refresh problem after changing the authorizations.

Anyway, about the second part, i think i should explain some about query. Becouse, i didnt restrict 0COSTELMNT in query with input ready variable. I dont prompt the user to choose costelements while query execution. I restricted the cost element with only authorization variable. and i make the user to choose cost center only. And i expect the query to show cost elements depending cost center.

And about this part in bold ;

0COSTCENTER I EQ 0000003100

0COSTELMNT I EQ 7300000006

I EQ 7303000001

I EQ 7303000002

I EQ 7303000003

I EQ 7303000004

I EQ 7303000005

I EQ 7303000006

I EQ 7303000008

I EQ 7303010001

I EQ 7303010003

I EQ 7303010004

I EQ 7303010006

0COSTELMNT I BT 7303000001-7303000006

0COSTELMNT I BT 7303010003-7303010004

0TCAACTVT I CP *

Do you mean giving costelmnt authorization more than one time ? Or how ?

Thanks and i assigned some points for your help....

Former Member
‎09-10-2008 12:29 PM
0 Kudos

Hi,

About the bold part I mean complement your current authorization in RSECADMIN with the selection interval also.

Try that and test it again.

Diogo.

Former Member
‎09-15-2008 8:28 AM
0 Kudos

Hi,

I tried what you offered. But still not authorized. Anyway, i dont want to give only one costcenter authorization to the user. Becouse it works for only one costcenter.

He/she will be responsible more than one costcenter. But he/she will see different costelements when he/she chooses one costelement from variable in query.

Maybe i should ask the question like that : How can i give different ''costcenter-costelement '' combinations authority to one user ?

Thanks.

Ask a Question