The authorization check is run when you open a query as well as every time you take a navigation step. If you do not have authorization for certain key figures, these columns and the columns that are related to them are not shown.
See also: Authorization to Work with a Query
The following occurs when you run the authorization check for the selection criteria:
· If a characteristic is not in any authorization object or not flagged as relevant for authorization in the InfoObject Maintenance, its characteristic values in the selection criteria are not included in any authorization check.
· If a characteristic of a relevant authorization object does not appear in the selection criteria of this query, the system checks whether the user has the authorization : (colon) for this characteristic. If you want the user to be able to display the value that is summarized with a characteristic, you must give him/her a colon authorization for the relevant field.
· The hierarchy authorization (for nodes) also applies to characteristic values. This means that a user has authorization, for example, for the node Region A of the hierarchy for the characteristic 0REGION. In another hierarchy, which is drilled down on according to this characteristic, the user also has authorization for the node Region A.
· The # character stands for the authorization to display the value Not Assigned (Posted with INITIAL).
· The user needs full authorization to display all characteristic values, indicated by a * (asterisk) .
· The authorization for key figures (1KYFNM) is also checked for formula variables from the replacement path. 1KYFNM = ATTRINM’ is required there, because this attribute is generally a key figure.
· With formulas that only contain variables or constants, 1KYFNM = SPACE or # (pound sign) is requested.
· If a user does not have sufficient authorization for at least one characteristic or key figure of the query, the system interrupts the execution of the query and does not display any values.
When you enter authorization values you must be sure to enter the right type of value. If the InfoObject is, for example, 0PROFIT_CTR of the type numeric with 10 digits, you must enter the value 0000004001. If you only enter 4001 and 4001 is selected in the query, the user is still not authorized because 4001 is interpreted internally as 0000004001.
You cannot specify the values with wildcard (for example, 47*), these are not supported by the authorization check. Only specify complete single values or intervals.
The checking process fails if no authorizations are displayed.
The system runs the authorization check independently during the execution of a query.
If a query is interrupted because of a missing authorization, you can display a log for the authorization check.
...
1. From the SAP Easy Access initial screen of the SAP Business Information Warehouse, choose SAP Menu → Business Explorer → Authorizations → Reporting Authorization Objects.
2. Select Authorization Check Log in the lower half of the screen.
3. Select the user. The Insert User into List pushbutton activates logging of authorization check for this user.
4. Display Log, you can see the current log for the selected user.
5. With Remove User from List, you can deactivate the log for the user again.