cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Authorization Incomplete

Go to solution
Former Member

on ‎04-10-2006 8:54 AM

0 Kudos

Hi mates,

I intend to create a Role 'FINANCEONLY' where this role will only allow it`s user to view the InfoArea " Enterprise Controlling - 0ECPCA" belonging to Finance only and not other InfoArea's like HR and so forth.

The following are the Authorization Objects and it`s settings which I have implied :-

S_RS_COMP

Activity : 03,16

InfoArea : 0ECPCA

InfoCube : 0PCA_C01

Name : *

Type : *

Activity : 03,16

InfoArea : 0ECPCA

InfoCube : 0PCA_C01

Name : *

Type : *

However, the other InfoArea's still appears and this authorisation still allows the execution of queries from other InfoArea's

Please advice promptly mates!

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

Former Member
‎04-10-2006 2:09 PM
0 Kudos

Hi John,

occurs to me that there is a competing role with Object INFOArea '*' somewhere as well.

Check the objects for InfoCubes, ODS and so on. I assume that one of the basic settings contain an '*' and overrules your settings.

Perform a Trace or else check the roles assigned to your test-user.

Please let me know the result.

Cheers

Sven

Show replies
Show replies
Former Member
‎04-12-2006 4:16 AM
0 Kudos

The following are the Profile's assigned to my 'OnlyFinance' User

SAP_NEW : New authorization checks

SAP_NEW_40C : New developments for Release 4.0C from HR and Logistics

S_BI-WHM_RFC : Business Information Warehouse, RFC user in the Warehouse

T-BD620049 : Profile for role ONLYFINANCE

This user contains only a Single Role 'ONLYFINANCE'

====================================================

Now, to ease things, I have only a SINGLE Authorisation Object

<b>S_RS_COMP</b> with the following settings

Activity : 03,16

InfoArea : 0ECPCA

InfoCube : 0PCA_C01

Name : *

Type : *

Activity : 03,16

InfoArea : 0ECPCA

InfoCube : 0PCA_C01

Name : *

Type : *

================================================

Although, this works! WHAT I ACTUALLY need is this 'ONLYFINANCE' user should only be able to Display(03)/Execute(06) Queries from <b>InfoArea 0ECPCA</b> and <b>InfoCube 0PCA_C01</b>

This 'ONLYFINANCE' user should NOT be able to Display/Execute queries from other InfoAreas or InfoCubes, but this is clearly not happening

I would really really appreciate some urgent help on this mates !

Thanking everyone in advance !

Message was edited by: John Mcluskey

Answers (1)

Answers (1)

Former Member
‎04-12-2006 7:26 AM
0 Kudos

Hello John,

You are defining what users can do but not what users can not do, Try doing it other way around.

I suppose You need to look into S_RS_ICUBE as well.

Go to PFCG

insert the name of your Role

Go to Authorisation Tab and Click "Display authorisation Data"

Go to S_RS_COMP , S_RS_COMP1 and S_RS_ICUBE

Change it accordingly.

San.

Show replies
Show replies
Former Member
‎04-12-2006 7:39 AM
0 Kudos

Hi SAN,

That's precisely my question,

How do I authorise to say that this 'ONLYFINANCE' Role, will only allow display/maintain/execution of query belonging to InfoArea '0ECPCA' and the attempt to Display/Maintain/Execute query from OTHER INFOAREA <b>will fail ?</b>

Please help, mates !

Former Member
‎04-12-2006 7:52 AM
0 Kudos

Hi,

It seems you are following the concept properly. But a small doubt, make sure that "user comparision" is done every time whenever there is a change in authorization object.

With rgds,

Anil Kumar Sharma .P

Former Member
‎04-12-2006 8:42 AM
0 Kudos

Hi Anil,

Thanks for "user comparison" note! I will use it each time I exercise some restriction now in PFCG

But, Anil I still don`t think I`m doing it rite !

Because, what I seem to be doing is telling the system to only restrict 'Execute and Display' for Queries belonging to InfoArea 0ECPCA and InfoCube 0PCA_C01

BUT, I`m not telling the system to BLOCK AUTHORIZATION for other InfoArea's or other Infocubes

Please explain how can I achieve this ?

P/S: The intention for this role is simply to block the user to build queries from OTHER InfoAreas apart from Financial ones. Please advice if you have a better approach to achieving this ?

Ask a Question