cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Bex Authorization issue

Go to solution
Former Member

on ‎09-16-2010 1:13 PM

0 Kudos

Hi all !

We are using BI 7.01 (new authorization concept) and we are facing an issue.

We've setup variables for the authorization values management in RSECADMIN with specific ABAP code to fill these values.

This part works perfectly.

In the Bex, we've defined variables with type "Authorization" and ready for input, optional.

If the user enter a value he's allowed to, it works.

But, we are expecting the system to automatically display only the authorized values when the user leaves the variable empty.

But it's not the case in our system. He's facing "No authorization".

It's the same when he's entering an interval. For example, he's allowed to display company code A and D. If he enters A - D (A to D), he receives "No authorization" message. But if he enters A;D (A and D), it works.

We were not able to find any explanation neither in SAP help nor in SDN.

We'are thinking about a bug or a missing OSS note. But we've no clue.

If someone is able to help us, it would be really appreciated.

Best regards.

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

Former Member
‎09-16-2010 1:29 PM
0 Kudos

If you use authorization variable with ready for input it populates user authorized values in the selection screen then if user go with those values then it works fine, but when user removes those auto populated values then system try to consider all values of that characteristic and compares against the authorized values and it fails as user doent have authorization for all values.

When user enters range in authorization variable it checks for all values within that ragnge ex: A - D, it check for A,B, C, D then if user got authorization only for A & D ultimately authorization fails as user does not have authorization for B and C.

Show replies
Show replies
Former Member
‎09-16-2010 2:47 PM
0 Kudos

Thank you for your quick answer.

This is how I understood it.

But now my question is the following : How to populate the values if the user left them blank ?

Regards

Former Member
‎09-16-2010 2:59 PM
0 Kudos

Create a customer exit variable and populate user authorized values(you need to hadle it by maintaining authorized values in table.....or some other way) if the user left them blank then only you have to fill those values.

Check if this document helps you: [http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/50921621-e285-2d10-3f92-8f3b86eebf93?quicklink=index&overridelayout=true]

Former Member
‎09-16-2010 3:17 PM
0 Kudos

Thanks a lot !!!

I'll try this and I'll tell if it solves my issue.

Regards

Former Member
‎09-17-2010 10:14 AM
0 Kudos

Hi,

I've read your document, but it's not really related with what we want to achieve.

We want the system to show only what the user is allowed to "inside" what he enters in the variable.

In other words, we want to make a union between the authorized values and the variable values entered by the user (whatever the way it is, single values, intervals, blank...).

I was expecting the system to do this automatically and natively, but not. So, if I'm right, I've to rewrite partially the autorization management.

Any other idea ?

Regards

Former Member
‎09-17-2010 11:35 AM
0 Kudos

Hi Emmanuael,

i think your goal could be reached automatically and natively if i understood you well.

Have you already tried this approach:

authorization part:

1. Create a authorization object for the characteristic (i.e Company Code 0COMP_CODE)

2. Regarding to step 1 you could have to create diferent objects it depends on your business requirements, for instance 3 companies & 4 user types ( users that see all comp; only comp A,...)

3. create a role tcode:PFCG where you associate the relevant authorization object

4. associate roles to user ou user groups

Reporting part

1. Create a Variable type Authorization on your relevant characteristic (i.e. 0COMP_CODE -> new variable type autho.)

Variables Settings:

Characteristic => XX

Variable represents => Selection Option

Ready for input => Checked ( you have to test these setting during reporting tests because i always used this option unchecked)

Regards,

Renato Pedro

Former Member
‎09-17-2010 12:23 PM
0 Kudos

Hi Renato.

Thanks for your help.

We already acheived all these steps.

The system is effectivelly filling the variable with the authorized values when you start the report, but if the user change these values or even delete them, then he's facing authorization issue (see above the description of this issue).

We want the user to be able to select the values he needs to display, but always within the authorized values.

Regards

Emmanuel

brian_keenan
Contributor
‎09-17-2010 2:27 PM
0 Kudos

Hi,

The best way to achive what you want is to seperate the variable into 2 variable.

An authorization variable on the "Characteristic restrictions" side, which is not user input

and a user input variable on the "default values" to restrict further.

So with this if you make no input.....then the authorized values will still always be shown rather that a failure.

Former Member
‎09-17-2010 2:57 PM
0 Kudos

Hi Emmanuel,

sorry at the first time i don't read the part that using auth is already working.

One suggestion have you included in your role the value " : ".

Having this value " : " by the authorization concept should return only permited values for that role.

Hope it helps,

renato pedro

Edited by: renato pedro on Sep 17, 2010 4:04 PM

Former Member
‎09-17-2010 4:18 PM
0 Kudos

Hi Brian.

Thank you a lot because your solution is working perfectly !

The only bad point is that we have to review all the workbooks...

Renato, adding ":" in the authorized values doesn't help. Maybe this must be done in addition with another change...

Regards,

Emmanuel

Former Member
‎09-23-2014 2:35 PM
0 Kudos

Hi,

It was happening to me the same issue, and trying to split variables as you said, it's not working in my case.

Do you know why?

Thanks

Former Member
‎09-26-2014 2:02 PM
0 Kudos

Hi,

It's solved now in my case. I did what you said, Brian, but you forgot to mention that Authorization Variable must be as "Selection Option". In my case I had as multiple single values.

Regards.

Answers (1)

Answers (1)

former_member366279
Contributor
‎09-24-2010 7:38 AM
0 Kudos

Hello Emmanuel,

I would like to explain to you how the authorization check works.

The authorization check does NOT find out the authorized part and display the authorized part.

What it does is: compare the requested data and authorized data.

When the authorized data covers the requested data, the query result is shown. When not, "no authorization" error occurs.

The "requested data" is decided by query restriction. Fixed filter, customer exit, authorization variable, or user input value.

Anyway, the "requested data" is what you have to take care of instead of expecting the system to do it automatically.

(There is only one exception to this. Sometime hierarchy can do a auto-filter.)

When the user manually removes the restriction which is gotten by authorization variable, then the requested data is more

than authorization data, so no authorization.

So the question for you is that, user should not be given the chance to manually remove the restriction.

For this, as Brian said, you have to put this variable to "characteristic restriction" area.

But then the workbook cannot call the authorization variable. This only works for "default values" area.

I think you can tell the user not to remove the restriction completely. If you don't like the values filled from authorization variable,

they can pick values from F4 help. F4 help only shows the authorized values.

When they pick from F4 help, the query would work.

When they manually type in a value which is out of the range of F4 help, it is fair that they should get "no authorization" message.

Best regards,

Patricia

Show replies
Show replies
Former Member
‎09-24-2010 9:23 AM
0 Kudos

Hello Patricia.

Thank you very much for your extremelly detailled answer.

Now I understand how the authorization mecanism is working.

I put in place the double restriction given by Brian (one in restricted characteristic and the other in free characteristics) and it works perfectly.

Again, thanks a lot to all of you.

Points distributed...

Best regards,

Emmanuel

Ask a Question