Hi Sanjay,

you have to fill the field 'End of Validity of an Authorization' (0TCTADTO) in the update rule. Use i.e. the constant '12/31/9999'.

regards

Alex

Message was edited by: Alexander Mader

Thanks Alex, That worked a treat. I have other auth errors but at least the correct employees are being brought across.

Thanks again.

You're welcome!

Hope next time I can earn some points ;o)

I am going to open a new question with my new problem. Will certainly give you some points.

Thanks

Hi Sanjay,

the messages only say, that the user has not enough authorizations.

You are right, that the problem is the difference between ODS and auth profile.

Please check if the generation run was successful (with the program RSSB_BW_SHOW_LOG_AUTH_MODIFY).

If it is green, can you please copy the exact values of the ODS PA_DS02 for employee 1 and his auth profile?

We have followed the steps below almost exactly to the letter (except that we only have 0ORGUNIT and 0TCTAUTHH in our auth object since we do not want security down to the position and employee level). In step 6, when profiles are generated, what happens to a user that has had their R/3 structural authorizations removed? i.e. on Day 1, user X is extracted to the 0PA_DS02 or 0PA_DS03 ODS's, and a profile is generated. On day 2, user X has his authorizations removed in R/3, so is no longer in the load to the 2 ODS's - how does their profile get removed in BW?

Any help you can provide would be most appreciated.

Hi Guy,

Welcome to DSN!!

to delete the authorizations of users, who have no structural authorizations in R/3 anymore, you have to add a new row in your ODS with tctusernm = 'D_E_L_E_T_E'.

If you want this deletion on every load, easily add the following lines in the startroutine of your update rule.

  DATA: l_data TYPE data_package_structure.
  STATICS: first_call(1) VALUE 'X'.
  IF first_call = 'X'.
    l_data-tctusernm = 'D_E_L_E_T_E'.
    APPEND l_data TO data_package.
    first_call = ' '.
  ENDIF.

Hope it helps.

regards,

Alex

I'm not actually Guy, my name is Rachel. (I'm now logged in as myself). Thanks for the tip - we had come across this before, but weren't really sure how it worked. Since you add an extra record to the ODS load, what exactly gets deleted? How does this one record know which user profiles to delete? (Does this end up as the first record and then delete everything before the others get regenerated?)

Hi Rachel,

the program, which generates the profiles, usually deletes the profiles of the users, who are in the ODS-Object, before it generates the new ones. But with the User D_E_L_E_T_E in the ODS-Object the program deletes the profiles of all Users, who are in the system. (Only the profiles, not the rows in the ODS-Object.)

(The information which profiles are generated for which user is stored in table RSSBAUTHGENERATD).

Only as a sidenote.

Normally my processchain has following steps.

- Delete the data of the ODS-Object

- Load new authorizations

- Activate data of ODS

- Generate new authorizations

Hope it helps.

regards,

Alex

Alex, this worked perfectly. Thank you so much! I have to ask, where did you find out about this? The SAP documentation for implementing HR Struct. Auths. does not say anything about this. Is there any other documentation out there that you have been using that I don't know about? When you have a moment, I have 2 more questions:

- using the D_E_L_E_T_E process worked, but it deleted all the profiles, even those that had been manually created in BW. We have 3 ID's where the struct auth profile has to be manually created in BW since there is no struct auth in R/3. Is there any way to prevent the deletion of these 3 profiles so we don't have to recreate them each time?

- are you using both the 0PA_DS02 and 0PA_DS03 ODS objects? If we load DS02, it brings across about 80 million records to BW and takes a long time, but we are finding that the authorizations seem to be working properly with just loading the DS03 (hierarchies) ODS (which loads only about 3600 records and takes about 5 minutes). Do you know what we will be losing if we don't load the DS02 ODS?

Thanks for all your help.

Rachel

When generating the authorisations via RSSM, the system creates profiles with values for all valid objects for each user. Is this something you need to do in each system, ie Test and Production? I ask this, because when we have created new users in the Test systems and tried to regenerate, it wont allow this because the system needs to be opened. Is this correct?

Yes, we need to do this in each system. We have been able to generate the profiles via RSSM in Development, but not in our Staging environment, since "change" access is required. In staging we only have display access in the RSSM transaction. In staging, we have to generate the profiles via SE38, running the program RSSB_GENERATE_AUTHORIZATIONS. On the selection screen, enter 0PA_DS02 for "Values" and 0PA_DS03 for "Hierarchies".

Rachel

Thanks for that Rachel. I found the OSS note 611502 which allows you to generate via RSSM once the settings been changed.

I tried running the program, but got the success message 'No log found in database' and nothing was generated.

Hi Rachel,

the only site I found to this topic was this link:

http://help.sap.com/saphelp_nw04/helpdata/en/56/25dc886b0611d5b2f50050da4c74dc/frameset.htm

to question 1:

I have never tried D_E_L_E_T_E with manually created profiles, I thought only the profiles of table RSSBAUTHGENERATD will be deleted. You could try to maintain these authorizations in a role and if the profile also will be deleted.

A other solution could be, that you generate these 3 profiles in the update rule of your ODS(in the start routine).

to question 2:

I haven't used the HR-scenario. I have implemented the authorizations for CO. But if you need only authorizations on orgunit level, then the DS03 should be enough. What I have faced when loading only hierarchy authorizations was, that if you give an user the authorization for all hierarchies with all levels (0TCTATYPE=3; 0TCTACOMPM=3; 0TCTNODE=ROOT_H) (*-authorization), he couldn't run reports without hierarchies. For these users I had also authorizations on values with a *-authorization.

But this solution was an release 30B, so it can be that it will work now, give it a try.

Hope this helps a little.

regards,

Alex

Thanks, Alex. The web site you provided was most interesting, but it doesn't agree with the business content. It talks about 0TCA_DS01-04, whereas we are using 0PA_DS02-03. I'm not sure whether the help is out-of-date, or our business content is out-of-date.

You were right on with your answer to my question 1. We have moved the manually created profiles into a separate role and they are now safe from the delete process. As for question 2, we have not run into any issues related to queries with or without hierarchies, so we are going to go with only the DS03 ODS.

As per your suggestion, we have also created a process chain to delete the old load, load the new data, activate the ODS and generate the profiles, and it is working well.

You have been most helpful; if I knew how to award points, I would do it! (I can't find any buttons or links for awarding points).

Rachel

Hi Rachel,

good to here all is doing well.

You can't give me some points, because it's not your question, only question-owner can give points.

Alex

Hello Mark

In the step 3-5 or step 15 from the how to papaer when you select check for infocube I don't see the ods 0PA_DS02/DS03 .Do we need to add employee also in this ODS?

Thanks

Praveen

I came across the same problem, however I assumed I needed to assign the object to the the HR cubes I wanted to keep secure.

Unfortunately it still isnt working. When we generate the objects the auth values are not stored in the generated auth objects which are assigned to the users. Let me know if you have had any further success.