Showing results for 
Search instead for 
Did you mean: 

Hierarchy Authorization

Former Member
0 Kudos

I have a seemingly simple question that is proving difficult to answer. You would have my undying gratitude if you can help..

If an authorization object includes fields 0COSTCENTER and 0TCTAUTHH what assignments should be made in the authorization to grant a role access to cost centre 'WXYZ' irrespective of any hierarchy that may or may not be active in the query?

Accepted Solutions (0)

Answers (5)

Answers (5)

Former Member
0 Kudos

Note 502574 describes how you can generate authorization profiles in BW according to the settings in the R/3 costcenter hierarchy.

The generated profiles can also be used for a personalization of the queries according to the responsibility area of the user.

Former Member
0 Kudos

SAP's response to my Customer Message on this topic follows. It confirms that an active hierarchy is implicitly made authorization relevant along with the associated InfoObject. It seems there is no simple way of maintaining authorization by, for example, just cost centre.

If I understand the proposed solution it is necessary to create a separate hierarchy authorization in RSSM for every cost centre manager or group, within which the cost centres must be selected individually (and maintained whenever a new one is added). Failure to maintain these in synch with the cost centre fields would result in inconsistencies in reporting depending on whether the hierarchy is active or inactive.


Hello Rob,

There may be a possibility that you get authorized what you want:

1) If a query uses a active display hierarchy in a query, then you

need to have a hierarchy authorization (with 0TCTAUTHH in the auth.-

object). There is no other way. If a characteristic is marked as

"Authorization relevant", then it's hierarchy structures(!) are

also considered as authorization sensitive and no flat-list-

authorization can authorize a hierarchical display. (Only exception:

'*' authorizes everything.)

You can not set the *values* as "authorization relevant" but not

the hier.-structures. It's both or nothing.

2) But there may be a possibility: Use hierarchy authorizations in

order to authorize individual values. Normaly the values are

part of the hierarchies (they are 'leafs'), so you can als select

single values in the F4-help for hierarchys.

The trick now is: When defining a hier.-authorization, for a leaf,

select "Validity Period" (COMPMODE) = 3 (All hierarchies).

Now this entry (node=leaf) is authorized regardless of the hierarchy

you are using in the query. Of course you must make sure, that

there is no real 'node' (not leaf) in any hierarchy that has the

same name as one of the authorized values, as this node would also be


I hope I could help you.

Best regards,

C.R., BW IMS Development

Former Member
0 Kudos

Hi Robert

If I understand your problem correct you want to give every user a different authorization depending on their respective cost center connection.

If that is the case you could give the auhorization using a customer-exit to fill the authorization variable.

Here is what SAP recommends:

<i>Where many authorizations differ from an authorization for a hierarchy only in respect to the nodes and not to the other authorizations, we suggest the following solution: Different users can be authorized for a specific hierarchy area (subtree). The highest node is different for each user.

Do this by creating an authorization for a hierarchy in the transaction RSSM and enter this in the authorization or role. Instead of specifying a particular node, you specify the variable in the authorization maintenance (transaction RSSM). The customer exit is then called up for the node while the authorization check is running. The return table E_T_RANGE must be filled according to the customer exit documentation (nodes in the LOW field, InfoObject of the node in the HIGH field).</i>

Remember to put a $ sing in front of the variable name in RSSM.

In the role enter the technical name of hierarchy authorization in 0TCTAUTHH and leave 0COSTCENTER 'BLANK'

If you then need to grant the user access to any additional cost centers you could maintain these in a customer table and make the exit read from this as well.



Former Member
0 Kudos

Hello Robert,

in our SAP BW system the use hierarchy authorizations on 0ORGUNIT. We use an authorization object with fields


Since your question seems interesting for us too, I tried several things but without success.

Former Member
0 Kudos


one has to use transaction RSSM and "Authorization Definition for Hierarchies".

For example see SAP Help Documentation for SAP BW

the chapter "Maintaining Authorizations for Hierarchies".

Former Member
0 Kudos

Thanks Lothar, but none of the documentation I have found on working with authorizations and hierarchies answers my question (including, 'How to... Work with Hierarchy Authorizations', ASAP for BW Accelerator 'Authorizations', 'Authorization in An SAP BW Project', Notes: 557924, 653383, 654947, etc..). I'm very familiar with how to grant access using hierarchy nodes, but would like to know whether it is possible by any documented method to grant access to cost centres irrespective of any active hierarchy.

Through trial and error I previous found that it worked if I created an authoirzation object with 0costcenter and 0tctauthh and assigned..

costcenter = 'ABC*'

0tctauthh = :

Several support packs later I now find that this is no longer working, but since I don't know for sure whether it was ever working by design I'm reluctant to take the Customer Message route.

Former Member
0 Kudos

Authorization for Hierarchy Node works differently than for InfoObject Value. I don't think you can use Hierarchy Node authorization to limit access for particular COSTCENTERs. To do so, you need to create an authorization object including 0COSTCENTER and 1KYFNM.

Hope that helps.

Former Member
0 Kudos

Thanks for your response Bill, however I have tried creating an authorization object that includes just 0costcentre (without 1kyfnm since I don't wish to restrict on key figures) and the access is still blocked when the hierarchy is active -- it appears that the hierarchy is included for authorization checking simply by the inclusion of cost centre in the authorization object not by the inclusion of 0tctauthh.

The paper "Authorizations in an SAP BW Project" states that infoobject authorizaiton alone is not sufficient to grant access to the related hierarchy nodes. So I have to put something in 0tctauthh; it is not practical to create hierarchy authorizations for all the different cost centre groups; apart from being very laborious we have multiple hierarchies defined on cost centre and authorizations on nodes that are not active in a particular query result in warning messages.