Show TOC

Authorizations with VariablesLocate this document in the navigation structure

Definition

Instead of using a single value or interval, you can also use variables of type customer exit in authorizations. The customer exit is called for these variables while the authorization check is running. The call is carried out with I_STEP = 0. The intervals of characteristic values or hierarchies for which the user is authorized can be returned here. By doing this, the maintenance effort for authorizations and profiles may be considerably reduced.

Note

This type of variable should not be confused with characteristic variables that are filled from authorizations!

For more information about variables with customer exits, seeCustomer Exit.

Tip

Every cost center manager should only be allowed to evaluate data for his/her cost center. Within the SAP authorization standard, a role or a profile with the authorization for the InfoObject 0COSTCENTER equal to 'XXXX' (XXXX stands for the particular cost center) would have to be made for every cost center manager X. This has to be entered in the user master data for the cost center manager. In organizations where cost centers change on a regular basis, this involves significant administrative effort.

Using a variable reduces the authorization maintenance workload with the InfoObject 0COSTCENTER equal to '$VARCOST', as well as with the role or the profile, which is maintained for all cost center managers. The value of the variable 'VARCOST' is then set for runtime during the authorization check by the CUSTOMER-EXIT 'RSR00001'.

Maintaining the authorizations restricts the entries for the values to the length of the existing InfoObject. It is possible, however, to use both limits of the interval. In the example 0COSTCENTER with 4 spaces, the variable 'VARCOST' is, therefore, entered as '$VAR' - 'COST'.

Use

Exit variables can be entered beginning with $. If there is a variable value in both the lower and the upper limit, the two are combined as subnames of an overall variable in authorization processing. Intervals are not corrected automatically by the system if an error was found during the check. You get an error message and can analyze the error yourself.

There is a buffer for these variables. If this buffer is switched on, the customer exit is only called up once for a variable with the authorization check. In doing so, you avoid calling up the customer exit for variables over and over, as well as decreasing performance. If you want to call up the customer exit each time, you have to deactivate this buffer in the maintenance of analysis authorizations. To do this, in the main menu, choose Extras → Buffering Variables → Deactivate.

You can also call up the customer exit for authorizations for hierarchies.

Enter the variables of type hierarchy node into an authorization. To do this, in the hierarchy authorization maintenance, under Node, choose a variable with Select Exit Variable. The customer exit is then called up while the authorization check is running. In the return table E_T_RANGE, the technical name of one or more nodes is expected in the LOW fields. In the HIGH field, the InfoObject type of the node is expected.