Maintaining Authorizations for Hierarchies

Use

Authorizations for hierarchies determine up to which subarea of a hierarchy a user may drilldown.

Prerequisites

Before you can set authorizations for hierarchies, you must first transfer and activate the InfoObject 0TCTAUTHH from the Business Content. Make sure that the indicator Relevant for Authorization is set. You must also create an authorization object for which you want to set the authorization.

Authorization for a hierarchy on the Profit Center characteristic (0PROFIT_CTR):

Define an authorization object with 0PROFIT_CTR and 0TCTAUTHH.

Example: You define a hierarchy for the basic characteristic B. For characteristic B there is a referencing characteristic R. If you use this hierarchy for characteristic R in the query, authorization for the basic characteristic B is checked. However, you can change this logic so that characteristic R is checked for instead. In the maintenance screen for reporting authorizations, choose the following path from the main menu Extras → Compatibility → Ref. Characteristics with Hierarchy → Switch Off.

You need the characteristic 0TCTAUTHH to specify the hierarchy in the authorization. If you add this characteristic to an authorization object, you can specify authorizations for hierarchies for all InfoObjects in the authorization object.

Procedure

...

       1.      In the SAP Easy Access initial screen of the SAP Business Information Warehouse, choose SAP Menu → Business Explorer →Reporting Authorization Objects.

       2.      Choose Authorizations → Authorization Definition for Hierarchies → Change.

       3.      In the Definition, select the InfoObject, hierarchy and node.

If there are several users who are authorized to work with just one part of a hierarchy (subtree) but the top node is different for each, you have the option of specifying a variable instead of a node.

See also: Variable Types

Instead of selecting a node, you can also set the Top of hierarchy indicator. This enables you to ensure that a user is authorized to use a hierarchy from the top node down to a determined level.

You can select the top node here. However, if the hierarchy is being used in a query without a filter on this node, the user will not be able to execute the query.

This is because the top-most visible node does not represent the actual top of the hierarchy. As, for example, there are other Remaining Leaves, there should always be exactly one internal node at the top of the hierarchy. Therefore, there is one internal node above the top-most visible node. If the hierarchy is used in a query without the top-most node being determined, it is compared with this unseen, internal node. So that the user has the correct authorizations, select the internal top of the hierarchy for this option.

       4.      Select the authorization type:

¡        0 for the node

¡        1 for a subtree below the node

¡        2 for a subtree below the node up to and including a level (absolute)

You must define a level for this type. A typical example of an absolute level is data protection with regard to the degree of detail of the data (works council ruling: no reports at employee level only at more summarized levels).

¡        3 for the entire hierarchy

¡        4 for a subtree below the node up to and including a level (relative)

You must specify a level that is defined relative to the node for this type. It makes sense to specify a relative distance if an employee may only expand the hierarchy to a certain depth below his or her initial node, but this node moves to another level when the hierarchy is restructured.

       5.      For types 2 and 4 you can specify, in Hierarchy Level, the level to which the user can expand the hierarchy.

¡        With authorization type 2 (up to and including a level, absolute) the level refers to the absolute number of the level in the hierarchy where the top-most node of the hierarchy is level 1.

¡        With authorization type 4 (up to and including a level, relative) the level number refers to the number of levels starting from the selected node itself which is level 1.

       6.      In the Validity Area you specify in exactly which ways a hierarchy authorization has to match a selected display hierarchy for it to be included in the authorization check.

¡        Type 0 (very high) : The name, version and key date of the hierarchy on which the hierarchy authorization is based have to agree with the selected display hierarchy.

¡        Type 1: The name and version of the hierarchy on which the hierarchy authorization is based have to agree with the selected display hierarchy.

¡        Type 2: The name of the hierarchy on which the hierarchy authorization is based has to agree with the display hierarchy.

¡        Type 3 (lowest) : None of the characteristics have to match.

Note that in some circumstances, setting a check level that is too low may lead to more nodes being selected using hierarchy node variables that are filled from authorizations, than actually exist in the display hierarchy for the query. This can cause an error message.

As a general rule, select the highest possible level for the check.

       7.      If you set the Node variable default value indicator, this definition of an authorization for a hierarchy is used as the default value for node variables.

If more than several authorizations are assigned to a user for different subareas of the same hierarchy, one of these authorizations has to be defined as the default value. Only one node can be selected for a node variable on the variable screen of a query. So that this variable can be filled from the authorizations, the correct variable type has to be selected and an authorization has to be determined as the default value.

       8.      Specify a technical name for this definition. If you do not enter a value, a unique ID is set.

       9.      Now create an authorization for the new authorization object. To do this, enter the technical name of the definition as a characteristic value for the characteristic 0TCTAUTHH. Hierarchy authorizations and authorizations for characteristic values are added:

¡        Specify the value ‘ ‘ (a blank character) as a characteristic value if only hierarchy authorizations are to be in effect. If you specify more values these are authorized additionally.

¡        Specify the value “:” (a colon) when queries are also allowed without this characteristic.

The value '*’ (all characteristic values) is not supported for the characteristic 0TCTAUTHH. Nevertheless, if you specify the value ‚*’ a ‚:’ is automatically generated instead because no other valid value is found.

If you would like the user to be able to see all values and hierarchies for a characteristic, use the value '*' for this characteristic.

If you use a drilldown hierarchy in the query, you restrict the highest node by a fixed node or a node variable.

Definitions of authorizations for hierarchies must be transported separately. See: Transporting Additional Information

Alternative Procedure:

You can make authorizations for hierarchies in a different way.

See: Maintaining Authorizations Manually

See also:

Hierarchy Attributes