Authorizations with variables 

Definition

Instead of a single value or interval, you can use variables in authorizations. The Customer Exit is called up for these variables while the authorization check is running. The authorized intervals of characteristic values or hierarchies can be restored here. By doing this, the maintenance workload for authorizations and profiles may be considerably reduced.

Every cost center manager should only be allowed to evaluate data for his/her cost center. In the framework of the SAP authorization standard, a role or a profile with the authorization for the InfoObject 0COSTCENTER equal to ‘XXXX’ (XXXX stands for the particular cost center) would have to be made for every cost center manager X. This must then be entered to the cost center manager in the user master record.

Using variables reduces the effort put into authorization maintenance with the InfoObject 0COSTCENTER equal to ‘$VARCOST’, as well as with the role or the profile, which is maintained for all cost center managers. The value of the variable ‘VARCOST’ is then set for the runtime during the authorization check, by the CUSTOMER-EXIT ‘RSR00001’.

Maintaining the authorizations restricts the entries for the values to the length of the existing InfoObject. It is possible, however, to use both limits of the interval. In the example 0COSTCENTER with 4 spaces, the variable ‘VARCOST’ is, therefore, entered as ‘$VAR’ – ‘COST’.

You can also call up the customer exit for authorizations for hierarchies. You have two options here:

  1. Enter the variable in the authorization for the characteristic 0TCTAUTHH. The customer exit is then called up while the authorization check is running. In the LOW fields of the return table E_T_RANGE, the system anticipates the technical name for the hierarchy authorization from transaction RSSM.

    2. As a result, all parameters are available for such an authorization. Nevertheless, you must also create a new definition for each node.

  2. Where many authorizations differ from an authorization for a hierarchy only in respect to the nodes and not to the other authorizations, we suggest the following solution: Different users can be authorized for a specific hierarchy area (subtree). The highest node is different for each user.

Do this by creating an authorization for a hierarchy in the transaction RSSM and enter this in the authorization or role. IN RSSM, you enter the variable instead of a concrete node. The customer exit is then called up for the node while the authorization check is running. The return table E_T_RANGE must be filled according to the customer exit documentation (nodes in the LOW field, InfoObject of the node in the HIGH field).

See also:

Authorizations Using Variables

Using Variables