Skip to Content
author's profile photo Former Member
Former Member

Hierarchy Authorization

I have a seemingly simple question that is proving difficult to answer. You would have my undying gratitude if you can help..

If an authorization object includes fields 0COSTCENTER and 0TCTAUTHH what assignments should be made in the authorization to grant a role access to cost centre 'WXYZ' irrespective of any hierarchy that may or may not be active in the query?

Add comment
10|10000 characters needed characters exceeded

5 Answers

  • author's profile photo Former Member
    Former Member
    Posted on Mar 01, 2004 at 06:15 PM

    Authorization for Hierarchy Node works differently than for InfoObject Value. I don't think you can use Hierarchy Node authorization to limit access for particular COSTCENTERs. To do so, you need to create an authorization object including 0COSTCENTER and 1KYFNM.

    Hope that helps.

    Add comment
    10|10000 characters needed characters exceeded

    • Former Member

      Thanks for your response Bill, however I have tried creating an authorization object that includes just 0costcentre (without 1kyfnm since I don't wish to restrict on key figures) and the access is still blocked when the hierarchy is active -- it appears that the hierarchy is included for authorization checking simply by the inclusion of cost centre in the authorization object not by the inclusion of 0tctauthh.

      The paper "Authorizations in an SAP BW Project" states that infoobject authorizaiton alone is not sufficient to grant access to the related hierarchy nodes. So I have to put something in 0tctauthh; it is not practical to create hierarchy authorizations for all the different cost centre groups; apart from being very laborious we have multiple hierarchies defined on cost centre and authorizations on nodes that are not active in a particular query result in warning messages.

  • author's profile photo Former Member
    Former Member
    Posted on Mar 04, 2004 at 08:49 AM

    Hi,

    one has to use transaction RSSM and "Authorization Definition for Hierarchies".

    For example see SAP Help Documentation for SAP BW

    http://help.sap.com/saphelp_bw33/helpdata/en/8b/134c3b5710486be10000000a11402f/frameset.htm

    the chapter "Maintaining Authorizations for Hierarchies".

    Add comment
    10|10000 characters needed characters exceeded

    • Former Member

      Thanks Lothar, but none of the documentation I have found on working with authorizations and hierarchies answers my question (including help.sap.com, 'How to... Work with Hierarchy Authorizations', ASAP for BW Accelerator 'Authorizations', 'Authorization in An SAP BW Project', Notes: 557924, 653383, 654947, etc..). I'm very familiar with how to grant access using hierarchy nodes, but would like to know whether it is possible by any documented method to grant access to cost centres irrespective of any active hierarchy.

      Through trial and error I previous found that it worked if I created an authoirzation object with 0costcenter and 0tctauthh and assigned..

      costcenter = 'ABC*'

      0tctauthh = :

      Several support packs later I now find that this is no longer working, but since I don't know for sure whether it was ever working by design I'm reluctant to take the Customer Message route.

  • author's profile photo Former Member
    Former Member
    Posted on Mar 05, 2004 at 10:35 AM

    Hello Robert,

    in our SAP BW system the use hierarchy authorizations on 0ORGUNIT. We use an authorization object with fields

    0ORGUNIT and 0TCTAUTHH.

    Since your question seems interesting for us too, I tried several things but without success.

    Add comment
    10|10000 characters needed characters exceeded

  • author's profile photo Former Member
    Former Member
    Posted on Apr 01, 2004 at 06:20 AM

    SAP's response to my Customer Message on this topic follows. It confirms that an active hierarchy is implicitly made authorization relevant along with the associated InfoObject. It seems there is no simple way of maintaining authorization by, for example, just cost centre.

    If I understand the proposed solution it is necessary to create a separate hierarchy authorization in RSSM for every cost centre manager or group, within which the cost centres must be selected individually (and maintained whenever a new one is added). Failure to maintain these in synch with the cost centre fields would result in inconsistencies in reporting depending on whether the hierarchy is active or inactive.

    ____________________________________________________

    Hello Rob,

    There may be a possibility that you get authorized what you want:

    1) If a query uses a active display hierarchy in a query, then you

    need to have a hierarchy authorization (with 0TCTAUTHH in the auth.-

    object). There is no other way. If a characteristic is marked as

    "Authorization relevant", then it's hierarchy structures(!) are

    also considered as authorization sensitive and no flat-list-

    authorization can authorize a hierarchical display. (Only exception:

    '*' authorizes everything.)

    You can not set the *values* as "authorization relevant" but not

    the hier.-structures. It's both or nothing.

    2) But there may be a possibility: Use hierarchy authorizations in

    order to authorize individual values. Normaly the values are

    part of the hierarchies (they are 'leafs'), so you can als select

    single values in the F4-help for hierarchys.

    The trick now is: When defining a hier.-authorization, for a leaf,

    select "Validity Period" (COMPMODE) = 3 (All hierarchies).

    Now this entry (node=leaf) is authorized regardless of the hierarchy

    you are using in the query. Of course you must make sure, that

    there is no real 'node' (not leaf) in any hierarchy that has the

    same name as one of the authorized values, as this node would also be

    authorized.

    I hope I could help you.

    Best regards,

    C.R., BW IMS Development

    Add comment
    10|10000 characters needed characters exceeded

    • Former Member

      Hi Robert

      If I understand your problem correct you want to give every user a different authorization depending on their respective cost center connection.

      If that is the case you could give the auhorization using a customer-exit to fill the authorization variable.

      Here is what SAP recommends:

      <i>Where many authorizations differ from an authorization for a hierarchy only in respect to the nodes and not to the other authorizations, we suggest the following solution: Different users can be authorized for a specific hierarchy area (subtree). The highest node is different for each user.

      Do this by creating an authorization for a hierarchy in the transaction RSSM and enter this in the authorization or role. Instead of specifying a particular node, you specify the variable in the authorization maintenance (transaction RSSM). The customer exit is then called up for the node while the authorization check is running. The return table E_T_RANGE must be filled according to the customer exit documentation (nodes in the LOW field, InfoObject of the node in the HIGH field).</i>

      Remember to put a $ sing in front of the variable name in RSSM.

      In the role enter the technical name of hierarchy authorization in 0TCTAUTHH and leave 0COSTCENTER 'BLANK'

      If you then need to grant the user access to any additional cost centers you could maintain these in a customer table and make the exit read from this as well.

      Br

      Mikkel

  • author's profile photo Former Member
    Former Member
    Posted on Apr 02, 2004 at 04:28 PM

    Note 502574 describes how you can generate authorization profiles in BW according to the settings in the R/3 costcenter hierarchy.

    The generated profiles can also be used for a personalization of the queries according to the responsibility area of the user.

    Add comment
    10|10000 characters needed characters exceeded