
Authorizations with Variables

Definition

Instead of using a single value or interval, you can also use variables of type customer exit in authorizations. The customer exit is called for these variables while the authorization check is running. The call is carried out with I_STEP = 0. The intervals of characteristic values or hierarchies for which the user is authorized can be returned here. By doing this, the maintenance effort for authorizations and profiles may be considerably reduced.

Note

This type of variable should not be confused with characteristic variables that are filled from authorizations!

For more information about variables with customer exits, see Customer Exit.

Example

Every cost center manager should only be allowed to evaluate data for his/her cost center. Within the SAP authorization standard, a role or a profile with the authorization for the InfoObject 0COSTCENTER equal to ‘XXXX’ (XXXX stands for the particular cost center) would have to be made for every cost center manager X. This has to be entered in the user master data for the cost center manager. In organizations where cost centers change on a regular basis, this involves significant administrative effort.

Using a variable reduces this maintenance workload: the authorization is maintained with the InfoObject 0COSTCENTER equal to ‘$VARCOST’, and the role or the profile is maintained once for all cost center managers. The value of the variable ‘VARCOST’ is then set at runtime during the authorization check by the customer exit ‘RSR00001’.

Authorization maintenance restricts the entries for the values to the length of the existing InfoObject. It is possible, however, to use both limits of the interval. In the example, where 0COSTCENTER has a length of 4 characters, the variable ‘VARCOST’ is therefore entered as ‘$VAR’ – ‘COST’.
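The exit code behind the ‘VARCOST’ example could look as follows. This is an added example, not SAP's own code: it assumes the usual include ZXRSRU01 of function module EXIT_SAPLRRS0_001 with its interface parameters I_VNAM, I_STEP and E_T_RANGE, and a hypothetical customer table ZCC_MANAGER (fields UNAME, COSTCENTER) that maps users to cost centers.

```abap
* Include ZXRSRU01 (enhancement RSR00001, function EXIT_SAPLRRS0_001).
* Added example. ZCC_MANAGER with fields UNAME and COSTCENTER is a
* hypothetical customer table; values are assumed to be stored in the
* format that InfoObject 0COSTCENTER expects.
DATA: ls_range LIKE LINE OF e_t_range,
      lt_cc    TYPE STANDARD TABLE OF zcc_manager-costcenter,
      lv_cc    TYPE zcc_manager-costcenter.

CASE i_vnam.
  WHEN 'VARCOST'.
*   The authorization check calls the exit with I_STEP = 0.
*   Other steps belong to query variable processing and are ignored,
*   so this logic cannot be reached through a query variable screen.
    IF i_step = 0.
*     Derive the cost centers from the logged-on user only.
      SELECT costcenter FROM zcc_manager
        INTO TABLE lt_cc
        WHERE uname = sy-uname.

*     No row for the user: nothing is appended, so the exit never
*     falls back to '*' or to a default cost center.
      LOOP AT lt_cc INTO lv_cc.
        CLEAR ls_range.
        ls_range-sign = 'I'.
        ls_range-opt  = 'EQ'.
        ls_range-low  = lv_cc.
        APPEND ls_range TO e_t_range.
      ENDLOOP.
    ENDIF.
ENDCASE.
```

Because the returned values decide what each manager may see, write access to the mapping table and to the exit include needs the same control as the authorizations themselves.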

Use

Exit variables can be entered beginning with $. If there is a variable value in both the lower and the upper limit, the two are combined as subnames of an overall variable in authorization processing. Intervals are not corrected automatically by the system if an error was found during the check. You get an error message and can analyze the error yourself.

There is a buffer for these variables. If this buffer is switched on, the customer exit is only called once for a variable during the authorization check. This avoids calling the customer exit for the same variable over and over, and the loss of performance that would result. If you want the customer exit to be called each time, you have to deactivate this buffer in the maintenance of analysis authorizations. To do this, in the main menu, choose Extras → Buffering Variables → Deactivate.

You can also call up the customer exit for authorizations for hierarchies.

Enter the variables of type hierarchy node into an authorization. To do this, in the hierarchy authorization maintenance, under Node, choose a variable with Select Exit Variable. The customer exit is then called up while the authorization check is running. In the return table E_T_RANGE, the technical name of one or more nodes is expected in the LOW fields. In the HIGH field, the InfoObject type of the node is expected.
