I have a seemingly simple question that is proving difficult to answer. You would have my undying gratitude if you can help..
If an authorization object includes fields 0COSTCENTER and 0TCTAUTHH what assignments should be made in the authorization to grant a role access to cost centre 'WXYZ' irrespective of any hierarchy that may or may not be active in the query?
Authorization for Hierarchy Node works differently than for InfoObject Value. I don't think you can use Hierarchy Node authorization to limit access for particular COSTCENTERs. To do so, you need to create an authorization object including 0COSTCENTER and 1KYFNM.
Hope that helps.
Hi,
one has to use transaction RSSM and "Authorization Definition for Hierarchies".
For example see SAP Help Documentation for SAP BW
http://help.sap.com/saphelp_bw33/helpdata/en/8b/134c3b5710486be10000000a11402f/frameset.htm
the chapter "Maintaining Authorizations for Hierarchies".
Hello Robert,
in our SAP BW system the use hierarchy authorizations on 0ORGUNIT. We use an authorization object with fields
0ORGUNIT and 0TCTAUTHH.
Since your question seems interesting for us too, I tried several things but without success.
SAP's response to my Customer Message on this topic follows. It confirms that an active hierarchy is implicitly made authorization relevant along with the associated InfoObject. It seems there is no simple way of maintaining authorization by, for example, just cost centre.
If I understand the proposed solution it is necessary to create a separate hierarchy authorization in RSSM for every cost centre manager or group, within which the cost centres must be selected individually (and maintained whenever a new one is added). Failure to maintain these in synch with the cost centre fields would result in inconsistencies in reporting depending on whether the hierarchy is active or inactive.
____________________________________________________
Hello Rob,
There may be a possibility that you get authorized what you want:
1) If a query uses a active display hierarchy in a query, then you
need to have a hierarchy authorization (with 0TCTAUTHH in the auth.-
object). There is no other way. If a characteristic is marked as
"Authorization relevant", then it's hierarchy structures(!) are
also considered as authorization sensitive and no flat-list-
authorization can authorize a hierarchical display. (Only exception:
'*' authorizes everything.)
You can not set the *values* as "authorization relevant" but not
the hier.-structures. It's both or nothing.
2) But there may be a possibility: Use hierarchy authorizations in
order to authorize individual values. Normaly the values are
part of the hierarchies (they are 'leafs'), so you can als select
single values in the F4-help for hierarchys.
The trick now is: When defining a hier.-authorization, for a leaf,
select "Validity Period" (COMPMODE) = 3 (All hierarchies).
Now this entry (node=leaf) is authorized regardless of the hierarchy
you are using in the query. Of course you must make sure, that
there is no real 'node' (not leaf) in any hierarchy that has the
same name as one of the authorized values, as this node would also be
authorized.
I hope I could help you.
Best regards,
C.R., BW IMS Development
Note 502574 describes how you can generate authorization profiles in BW according to the settings in the R/3 costcenter hierarchy.
The generated profiles can also be used for a personalization of the queries according to the responsibility area of the user.
Add a comment