Authorization Check when Executing a Query (SAP Library

Authorization Check when Executing a Query

Use

The authorization check is run when you open a query as well as every time you take a navigation step. This has the following advantages compared to BW 1.2B:

For free characteristics you no longer need the ‘*’ authorization.

If you do not have authorization for certain key figures, these columns and the columns that are related to them are not shown.

The following occurs when you run the authorization check for the selection criteria:

If a characteristic is not in any authorization object or not flagged as relevant for authorization in the InfoObject Maintenance, its characteristic values in the selection criteria are not included in any authorization check.

If a characteristic of a relevant authorization object does not appear in the selection criteria of this query, the system checks whether the user has the authorization ‘:’ for this characteristic. If you want the user to be able to display the value that is summarized with a characteristic, you must give him/her an ‘:’ authorization for the relevant field.
The hierarchy authorization (for leaves) also applies to characteristic values. This means that a user has authorization, for example, for the node "region A" of the hierarchy for the characteristic 0REGION. In another hierarchy, which is drilled down on according to this characteristic, the user also has authorization for the node "Region A".

The "#" character stands for the authorization to display the value "not assigned" ("posted with INITIAL").

If a user does not have sufficient authorization for at least one characteristic or key figure of the query, the system interrupts the execution of the query and does not display any values.

When you enter authorization values you must be sure to enter the right type of value. If the InfoObject is, for example, 0PROFIT_CTR of the type ‘numeric with 10 digits, you must enter the value ‘0000004001’. If you only enter ‘4001’ and ‘4001’ is selected in the query, the user is still not authorized because ‘4001’ is interpreted internally as ‘0000004001’.

Prerequisites

The checking process fails if no authorizations are displayed.

Activities

The system runs the authorization check independently during the execution of a query. If a query is interrupted because of a missing authorization, you can display a log for the authorization check.

For this, choose Extras ® Authorization Check Log in the role maintenance (transaction RSSM).

Select the user and choose Create. This activates the user log.

Display gives you the current log for the selected user.

Delete deactivates the user log.