22.12.10

SAP Note 15211 - CO form reports: authorization concept

Symptom:

One of the following symptoms occurs:

  • No report data is displayed and the system generates message GR601 "Report & does not contain any data pages".
  • The system generates message GR587 "No authorization for &1 of &2 read records". When you choose menu option 'Selection log' (the corresponding menu option in Release 2.2 is called 'Display statistics'), you can see that data records have been selected, however, they cannot be displayed because of missing authorization. It is also possible that the system first generates message GR585 "Messages are defined" and only displays message GR587, when the function 'Extras: Messages' is triggered.
  • No report data is displayed and the system generates message GR850 "You do not have authorization to display the selected data".
  • No report data is displayed and the system generates error message GR552 "A report could not be output".
  • The report is not executed and the system generates error message GR846 "You do not have authorization to select".
  • The report is not executed and the system generates error message DB645 "SUBMIT authorization & necessary".
  • The report is not executed and the system generates error message GR843 "You do not have authorization for these selection criteria".
Cause and prerequisites

You have no authorizations for the CO-CCA, CO-OPA, CO-ABC or the Report Writer/Painter.

Solution
Collective note for the authorization concept in reporting of
Overhead Cost Controlling as of Release 3.1H:

For cost centers and internal orders, a new authorization check has been implemented in Release 4.0A which can be used as an alternative to the "old" authorization checks already available before Release 4.0A. The new authorization check available as of Release 4.0A offers a standardization of the checks of different subfunctions as, for example, planning, master data maintenance and reporting on a standard authorization object, an easier maintenance and the assignment of authorizations at the level of responsibility areas.

The following authorization objects can be used:

old checks new checks as of Rel. 4.0B
(only Reporting) ------------------------------------------------------------------------
Cost centers K_REPO_CCA K_CCA

Internal orders K_REPO_OPA K_ORDER

Business processes - K_ABC

These authorization objects permit a restriction of the authorization to the following fields:

Authorization object Fields ------------------------------------------------------------------------
K_REPO_CCA Activity, Controlling area, Cost center,
Cost element

K_CCA CO-OM Responsibility area, CO action,
Cost element

K_REPO_OPA Activity, Controlling area, Order type,
Cost element

K_ORDER CO-OM Responsibility area, Order type,
Authorization phase, CO action, Cost element

K_ABC CO-OM Responsibility area, CO action,
Cost element

As of Release 4.0A, you can choose between the new and the old authorization check for each area (cost centers, internal orders). The simultaneous use of the old and the new authorization check within one area is not possible. For the authorization check you do NOT want to use, all authorizations (*) for the corresponding authorization objects must be assigned to the users.
If you do not want to use the new logic, do not make any changes for the time being, since all authorization for the new objects is contained in the SAP_NEW_40A profile.
If you want to change to the new authorization objects,

  • assign the 'ALL authorization' for the old authorization objects,
  • do not
  • maintain the authorizations for the new authorization objects.


The two authorization fields CO-OM responsibility area and CO action have been implemented with the new authorization check.

CO-OM responsibility area:
The controlling objects cost center, order and business process are considered as a responsibility area in a standard hierarchy. Each node and each element of a standard hierarchy are a responsibility area. You enter the responsibility areas in the authorization maintenance. It is thus possible to create an authorization hierarchy very easily - for example, using cost center nodes.
The new authorization concept works according to the inheritance principle: if you have the authorization for a node of the standard hierarchy, you have automatically the same authorization for all nodes and components below this node. (So far you had to have the explicit authorization for every single object; It was not sufficient if you had the authorization for a node to which the cost object is assigned.) )
In the object K_ORDER you can also enter cost centers and nodes of the cost center standard hierarchy in addition to orders. If you have, for example, the authorization for node K1 for selecting data, you may also select the data of all orders which are under node K1 in the hierarchy via its responsible cost center. However, if you have only the authorization for node K1 in authorization object K_CCA, you may not select the orders below node K1, since you require the corresponding authorization for the authorization object K_ORDER for order processing.

CO action:
Together with an activity, every business transaction results in a CO action. This makes it easier to summarize business transactions. For example, the first two digits for transaction "Reporting" are always '30'. The next two digits characterize the activities in reporting, which correspond to the activities of the old authorization checks:

Activity Meaning
------------------------------------------------------------------------
27 Select and display totals records
28 Select and display line items
29 Display extracts

In the Report Writer, an authorization check for the authorization objects mentioned is performed at two different dates:

      a) A check is performed using activity 27 or 28 during database selection on record level. The system does not process database records for which you have no authorization for the above-mentioned activities.
      b) When displaying an extract, the system performs a check using activity 29. At this stage, an authorization check is no longer possible on record level and thus on individual values. For this reason, the system can no longer perform a check for the cost element field. To display extracts you therefore require an authorization which makes no restriction for the cost element field. Prior to Release 3.1H, this restriction also applies to the fields cost center and order type. In detail, this means for Releases up to Release 3.1G: if a cost center group contains only one cost center or if a representative cost center is maintained for the cost center group, you must have the authorization for this cost center. In all other cases you must have the authorization for all (*) cost centers. For order groups, you must always have the authorization for all (*) order types.

The following applies as of Release 4.0 when you use representative values for cost center groups: You must either have the authorization for the representative cost center or the authorization for all cost centers of the group to display the report for a cost center group. However, when you use representative values for order groups you must have both the authorization for the representative order and for all other orders of the group.


In addition to these application-specific authorization objects, the system checks the following technical authorization objects when calling up the Report Writer/Painter reports:

    1. G_800_GRP Report Writer: report. The authorization object allows a restriction of the authorization for fields activity/authorization group. For the activity, value "03" (Display) is sufficient. In report maintenance, you can enter an authorization group in the report header (see online documentation Report Writer), the authorization for which is checked during execution. The authorization group must be defined in table TBRG.
    2. G_803J_GJB Report Writer: report group. Same as G_800_GRP.
    3. G_800S_GSE sets: The authorization object permits a restriction of the authorization for fields activity/authorization group. Similar to G_800_GRP.
    4. S_PROGRAM Basis: program run checks. The Report Writer generates ABAP programs when you generate a report group. These programs are called up when you execute a Report Writer report. The authorization group in the attributes of these programs is assembled automatically from text "RW_" and the Report Writer library (thus, for example, "RW_1VK" or "RW_6O1").

The authorization object permits a restriction of the authorization for fields activity/authorization group. For the activity, value "SUBMIT" is sufficient. For the authorization group, you can either enter "*" or the authorizations for individual libraries, specified in the above-mentioned rule.



If you have no authorization, you can usually find out which authorization object was called up during the failed check by using Transaction SU53 (as of Release 3.0 also accessible via System -> Utilities -> Display authorization check).


Use the following check list to solve the problem:


Symptom: You execute a report but the system displays no data (message GR601) or data is missing (message GR585 or GR587). From the selection log you can see that data records have been selected, but they cannot be displayed because of missing authorization.

Cause: A check for authorization object K_REPO_CCA, K_CCA, K_REPO_OPA, K_ORDER or K_ABC with activity 27 or 28 failed. Use Transaction SU53 to display the field combinations that have been tested.

Solution: The authorizations for the mentioned authorization objects can be viewed in the user master data.

  • Do you have an authorization for the checked authorization object which contains activities 27 or 28?
  • Does this authorization cover the selected combinations of the authorization fields (for example cost element, controlling area and so on)?
  • Contact your system administrator to adjust your authorizations accordingly.



Symptom: You display an extract, the system generates error message GR850.

Cause: Use Transaction SU53 to find out whether a check for authorization object K_REPO_CCA, K_CCA, K_REPO_OPA, K_ORDER or K_ABC with activity 29 was successful or not.

Solution: You can display the authorizations for the mentioned authorization object in the user master data.

  • Do you have an authorization for the checked authorization object which contains activity 29?
  • Does this authorization cover the necessary combinations for the authorization fields (for example cost element, controlling area and so on.)?
    1. (All releases) The authorization must always apply to all cost elements (that is cost element = '*'), since a restriction to individual cost elements is not possible for activity 29.
    2. (Only up to Release 3.1I) You have entered cost center intervals or individual values in the selection screen: In activity 29 it is not possible for technical reasons to check the authorization for the individual cost centers. In this case you must have an authorization for all cost centers (that is cost center = '*'). Alternative: Use cost center groups in the selection screen.
    3. (Only up to Release 3.1I ) You have entered a cost center group in the selection screen: Have you maintained a representative cost center for this cost center group (and also for all subordinated cost center groups if you use the variation!) (Master Data -> ) a representative cost center maintained ( master data -> Change Cost Center Group, see also online documentation) and do you have an authorization for this representative cost center? Note: The authorization for a cost center group does not mean that you also have an authorization for the subordinated groups.
  • Contact your system administrator to adjust your authorizations accordingly.



Symptom: When you execute a report, the system generates error message GR552.

Cause: Use Transaction SU53 to find out whether the check of authorization object G_800_GRP was successful or not.

Solution: You can display the authorizations for the mentioned authorization object under menu path 'Tools -> Administration -> User maintenance -> Users -> Information -> Overview -> User values' and subsequent choice of the points 'Cross-application authorization objects' and 'Report Writer: report'.

  • Do you have an authorization for the mentioned authorization object which contains activity '03'?
  • Has the report been assigned to an authorization group? If yes, do you have an authorization for the authorization object G_800_GRP which contains this authorization group or the entry '*' for the authorization group?
  • Contact your system administrator to adjust your authorizations accordingly.



Symptom: When you execute a report, the system generates error message GR846, GR601 or GR587.

Cause: Use Transaction SU53 to find out whether the check of authorization object G_803J_GJB was successful or not.

Solution: You can display the authorizations for the mentioned authorization object under the menu path 'Tools -> Administration -> User maintenance -> Users -> Information -> Overview -> User values' and subsequent choice of the points 'Cross-application autorization objects' and 'Report Writer: report groups'.

  • Do you have an authorization for the mentioned authorization object which contains activity "03"?
  • Has the report group been assigned to an authorization group? If yes, do you have an authorization for authorization object G_803J_GJB which contains this authorization group or the entry '*' for the authorization group?
  • Contact your system administrator to adjust your authorizations accordingly.



Symptom: When you execute a report, the system generates error message DB645.

Cause: Use Transaction SU53 to see whether a check of authorization object S_PROGRAM was successful or not.

Solution: You can display the authorizations for the mentioned authorization object under the menu path 'Tools -> Administration -> User maintenance -> Users -> Information -> Overview -> User values' and subsequent choice of the points 'Basis: Development Environment' and 'ABAP: program run checks'.

  • Do you have an authorization for authorization object S_PROGRAM which contains the entry 'SUBMIT' for the field 'User action ABAP/4 program'? Has the value "*" or a value composed according to the above-mentioned rules been entered in this authorization for the field 'Authorization group ABAP/4 program'?
Contact your system administrator to adjust your authorizations accordingly.

Additional key words

COBERICHTE KSBB SU01 GR55 SU53 KN009 SART authorizations K_CCA K_REPO_CCA K_ORDER K_REPO_OPA, K_ABC ----- SUPPORTGUIDE 20010208103353 -----
REPORTWRITER, SGRW_AUTHORITY, SGRW_DOCU_CONS_NOTE
SGRW_OM


By -

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)