Hierarchy Authorization

Thanks for your response Bill, however I have tried creating an authorization object that includes just 0costcentre (without 1kyfnm since I don't wish to restrict on key figures) and the access is still blocked when the hierarchy is active -- it appears that the hierarchy is included for authorization checking simply by the inclusion of cost centre in the authorization object not by the inclusion of 0tctauthh.

The paper "Authorizations in an SAP BW Project" states that infoobject authorizaiton alone is not sufficient to grant access to the related hierarchy nodes. So I have to put something in 0tctauthh; it is not practical to create hierarchy authorizations for all the different cost centre groups; apart from being very laborious we have multiple hierarchies defined on cost centre and authorizations on nodes that are not active in a particular query result in warning messages.

Thanks Lothar, but none of the documentation I have found on working with authorizations and hierarchies answers my question (including help.sap.com, 'How to... Work with Hierarchy Authorizations', ASAP for BW Accelerator 'Authorizations', 'Authorization in An SAP BW Project', Notes: 557924, 653383, 654947, etc..). I'm very familiar with how to grant access using hierarchy nodes, but would like to know whether it is possible by any documented method to grant access to cost centres irrespective of any active hierarchy.

Through trial and error I previous found that it worked if I created an authoirzation object with 0costcenter and 0tctauthh and assigned..

costcenter = 'ABC*'

0tctauthh = :

Several support packs later I now find that this is no longer working, but since I don't know for sure whether it was ever working by design I'm reluctant to take the Customer Message route.

Hi Robert

If I understand your problem correct you want to give every user a different authorization depending on their respective cost center connection.

If that is the case you could give the auhorization using a customer-exit to fill the authorization variable.

Here is what SAP recommends:

<i>Where many authorizations differ from an authorization for a hierarchy only in respect to the nodes and not to the other authorizations, we suggest the following solution: Different users can be authorized for a specific hierarchy area (subtree). The highest node is different for each user.

Do this by creating an authorization for a hierarchy in the transaction RSSM and enter this in the authorization or role. Instead of specifying a particular node, you specify the variable in the authorization maintenance (transaction RSSM). The customer exit is then called up for the node while the authorization check is running. The return table E_T_RANGE must be filled according to the customer exit documentation (nodes in the LOW field, InfoObject of the node in the HIGH field).</i>

Remember to put a $ sing in front of the variable name in RSSM.

In the role enter the technical name of hierarchy authorization in 0TCTAUTHH and leave 0COSTCENTER 'BLANK'

If you then need to grant the user access to any additional cost centers you could maintain these in a customer table and make the exit read from this as well.

Br

Mikkel