BW: What is permission variable: Authorization

In fact, permission variables are not a type of variables, which are commonly known as variables. They are a processing by option that can act on characteristic value variables and hierarchy node variables.

First, read the official documentation:

Authorization

Use

The processing typeAuthorizationEnables variables to be filled with values automatically from the user authorization.

Integration

The processing typeAuthorizationCan be usedCharacteristic value variablesAndHierarchy node Variables.

Prerequisites

You have maintained

Authorizations in transaction rsmm.

Features

When you create a variable, if you chooseProcess with authorization, The variable is automatically filled with the values of the user's authorization. When the user opens a query, the data is selected automatically according to his or her authorizations.

Note that when they are automatically filled, variables do not have to be ready-for-input, which means a variables screen does not necessarily appear when you open the query or web application. the user opens the query with the authorization variable, and can see only the data that corresponds to his or her authorizations.

Activities

In the variable wizard inGeneral informationDialog step, choose the processing typeAuthorization.

Pasted from

See authorizations with variables

Authorizations with variables

Definition

Instead of using a single value or interval, you can also use variables in authorizations. the customer exit is called up for these variables while the authorization check is running. the call is carried out with I _step = 0. the intervals of characteristic values or hierarchies for which the user is authorized can be returned here. by doing this, the maintenance load for authorizations and profiles can be CED significantly.

Every cost center manager shocould only be allowed to evaluate data for his/her cost center. within the sap authorization standard, a role or a profile with the authorization for the infoobject 0 costcenter equal to 'xxxx' (XXXX stands for the participating cost center) wocould have to be made for every cost center manager x. this then has to be entered in the user master record for the cost center manager.

Using variables reflect CES the authorization maintenance workload with the infoobject 0 costcenter equal to '$ varcost', as well as with the role or the profile, which is maintained for all cost center managers. the value of the variable 'varstart' is then set for runtime During the authorization check by the customer-exit 'rsr00000000001 '.

Maintaining the authorizations restricts the entries for the values to the length of the existing infoobject. it is possible, however, to use both limits of the interval. in the example 0 costcenter with 4 spaces, the variable 'varcost' is, therefore, entered as '$ var'-'cost '.

There is a buffer for these variables. if this buffer is switched on, the customer exit is only called up once for a variable with the authorization check. in doing so, you avoid calling up the customer exit for variables over and over, as well as decreasing performance. if you want to call up the customer exit each time, you have to deactivate this buffer in the setting up reporting authorizations. to do this, go to the main menu and chooseExtras CompatibilityBuffer for variables (customer-Exit)Deactivate ..

You can also call up the customer exit for authorizations for hierarchies. There are two ways to do this:

...

1. enter the variable in the authorization for characteristic 0tctauthh. the customer exit is then called up while the authorization check is running. in the low fields of the return table e_t_range, the System anticipates the technical name for the hierarchy authorization that you specified in the authorization maintenance (transaction rssm ).

As a result, all parameters are available for such an authorization. Nevertheless, you must also create a new definition for each node.

2. where revoke authorizations differ from an authorization for a hierarchy only in respect to the nodes and not to the other authorizations, we suggest the following solution: different users can be authorized for a specific hierarchy area (subtree ). the highest node is different for each user.

Do this by creating an authorization for a hierarchy in the transaction rssm and enter this in the authorization or role. instead of specifying a participant node, you specify the variable in the authorization maintenance (transaction rssm ). the customer exit is then called up for the node while the authorization check is running. the return table e_t_range must be filled according to the customer exit documentation (nodes in the low field, infoobject of the node in the high field ).

Pasted from

Finally, let's look at several authorization methods:

Authorization using variables

When starting a query, data selection can be automatically follow user authorization. you need to use variables here. since the variables are filled automatically, these must not be entry-ready. as a result, they do not appear in the variable screen. it is thus possible to start a query and to adjust authorizations, without the user having to do anything.

1. Filling the variables automatically:
   In variable maintenance, chooseProcessing from authorization.Here, the variable is automatically filled with the values in the user authorizations. This applies not only to selection variables (characteristic values) but also to node variables.
   Do not use single value-or interval variables, because these can only contain exactly one value or interval respectively.
   You can find additional information under authorization.
2. Filling the variables in the customer exit.
   You can processAll variable types(Characteristic value variables, hierarchy node variables, formula-and text variables) using the processing typeCustomer exit.Do this by choosing sap EnhancementRsr00001.This is the usual method in BW reporting. also refer to processing using a customer exit.
   If you need the authorized values or hierarchy nodes, use the following function modules:
   Rssb_get_auth_for_user returns the permitted single values and intervals.
   Rssb_get_auth_hier_for_user returns the node at the top of the permitted hierarchy section, as well as all permitted sub-areas. you shoshould only use this module in special cases. this is because it uses the internal display of the hierarchy and nodes.
   You can find additional information under authorizations with variables.
3. Filling variables with 'sap exit 'or 'replacement path' types:
   You can use the characteristic 0 tctusernm with the variable 0 tctusee, which are always filled with an SAP exit with the user name (sy-uname ). the user name is set (no entry field) and is rechecked in the authorization check. you only need one authorization with the variables for all users (lower maintenance load ). the user also safeguards data when the query is changed.
   You can find additional information under using existing authorizations
4. Filling variables using a query:

   The variable can also be filled using the result from another query.

   Use here the functions of

   Report-report interface. also refer to using existing authorizations.

Pasted from

In general, to use it, you must first maintain the permission, tcode: rsecadmin

Next, Set permissions for an IO, maintain permissions in rsecadmin, add Io, set the value range, and then assign permissions to users. In this way, after logging on, the user is restricted by permissions.