on 09-16-2010 1:13 PM
Hi all !
We are using BI 7.01 (new authorization concept) and we are facing an issue.
We've setup variables for the authorization values management in RSECADMIN with specific ABAP code to fill these values.
This part works perfectly.
In the Bex, we've defined variables with type "Authorization" and ready for input, optional.
If the user enter a value he's allowed to, it works.
But, we are expecting the system to automatically display only the authorized values when the user leaves the variable empty.
But it's not the case in our system. He's facing "No authorization".
It's the same when he's entering an interval. For example, he's allowed to display company code A and D. If he enters A - D (A to D), he receives "No authorization" message. But if he enters A;D (A and D), it works.
We were not able to find any explanation neither in SAP help nor in SDN.
We'are thinking about a bug or a missing OSS note. But we've no clue.
If someone is able to help us, it would be really appreciated.
Best regards.
If you use authorization variable with ready for input it populates user authorized values in the selection screen then if user go with those values then it works fine, but when user removes those auto populated values then system try to consider all values of that characteristic and compares against the authorized values and it fails as user doent have authorization for all values.
When user enters range in authorization variable it checks for all values within that ragnge ex: A - D, it check for A,B, C, D then if user got authorization only for A & D ultimately authorization fails as user does not have authorization for B and C.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Create a customer exit variable and populate user authorized values(you need to hadle it by maintaining authorized values in table.....or some other way) if the user left them blank then only you have to fill those values.
Check if this document helps you: [http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/50921621-e285-2d10-3f92-8f3b86eebf93?quicklink=index&overridelayout=true]
Hi,
I've read your document, but it's not really related with what we want to achieve.
We want the system to show only what the user is allowed to "inside" what he enters in the variable.
In other words, we want to make a union between the authorized values and the variable values entered by the user (whatever the way it is, single values, intervals, blank...).
I was expecting the system to do this automatically and natively, but not. So, if I'm right, I've to rewrite partially the autorization management.
Any other idea ?
Regards
Hi Emmanuael,
i think your goal could be reached automatically and natively if i understood you well.
Have you already tried this approach:
authorization part:
1. Create a authorization object for the characteristic (i.e Company Code 0COMP_CODE)
2. Regarding to step 1 you could have to create diferent objects it depends on your business requirements, for instance 3 companies & 4 user types ( users that see all comp; only comp A,...)
3. create a role tcode:PFCG where you associate the relevant authorization object
4. associate roles to user ou user groups
Reporting part
1. Create a Variable type Authorization on your relevant characteristic (i.e. 0COMP_CODE -> new variable type autho.)
Variables Settings:
Characteristic => XX
Variable represents => Selection Option
Ready for input => Checked ( you have to test these setting during reporting tests because i always used this option unchecked)
Regards,
Renato Pedro
Hi Renato.
Thanks for your help.
We already acheived all these steps.
The system is effectivelly filling the variable with the authorized values when you start the report, but if the user change these values or even delete them, then he's facing authorization issue (see above the description of this issue).
We want the user to be able to select the values he needs to display, but always within the authorized values.
Regards
Emmanuel
Hi,
The best way to achive what you want is to seperate the variable into 2 variable.
An authorization variable on the "Characteristic restrictions" side, which is not user input
and a user input variable on the "default values" to restrict further.
So with this if you make no input.....then the authorized values will still always be shown rather that a failure.
Hi Emmanuel,
sorry at the first time i don't read the part that using auth is already working.
One suggestion have you included in your role the value " : ".
Having this value " : " by the authorization concept should return only permited values for that role.
Hope it helps,
renato pedro
Edited by: renato pedro on Sep 17, 2010 4:04 PM
Hello Emmanuel,
I would like to explain to you how the authorization check works.
The authorization check does NOT find out the authorized part and display the authorized part.
What it does is: compare the requested data and authorized data.
When the authorized data covers the requested data, the query result is shown. When not, "no authorization" error occurs.
The "requested data" is decided by query restriction. Fixed filter, customer exit, authorization variable, or user input value.
Anyway, the "requested data" is what you have to take care of instead of expecting the system to do it automatically.
(There is only one exception to this. Sometime hierarchy can do a auto-filter.)
When the user manually removes the restriction which is gotten by authorization variable, then the requested data is more
than authorization data, so no authorization.
So the question for you is that, user should not be given the chance to manually remove the restriction.
For this, as Brian said, you have to put this variable to "characteristic restriction" area.
But then the workbook cannot call the authorization variable. This only works for "default values" area.
I think you can tell the user not to remove the restriction completely. If you don't like the values filled from authorization variable,
they can pick values from F4 help. F4 help only shows the authorized values.
When they pick from F4 help, the query would work.
When they manually type in a value which is out of the range of F4 help, it is fair that they should get "no authorization" message.
Best regards,
Patricia
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hello Patricia.
Thank you very much for your extremelly detailled answer.
Now I understand how the authorization mecanism is working.
I put in place the double restriction given by Brian (one in restricted characteristic and the other in free characteristics) and it works perfectly.
Again, thanks a lot to all of you.
Points distributed...
Best regards,
Emmanuel
User | Count |
---|---|
93 | |
10 | |
10 | |
9 | |
9 | |
7 | |
6 | |
5 | |
5 | |
4 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.