Strictly speaking, an "authorization variable" is not a separate kind of variable; that is just what people commonly call it. It is one of the Processing by options, and it can be applied to characteristic value variables and hierarchy node variables.
First, the official documentation:
Authorization
Use
The processing type Authorization enables variables to be filled with values automatically from the user authorization.
Integration
The processing type Authorization can be used with characteristic value variables and hierarchy node variables.
Prerequisites
You have maintained the authorizations in transaction RSMM.
Features
When you create a variable, if you choose Process with Authorization, the variable is automatically filled with the values of the user's authorization. When the user opens a query, the data is selected automatically according to his or her authorizations.
Note that when they are automatically filled, variables do not have to be ready-for-input, which means a variables screen does not necessarily appear when you open the query or Web application. The user opens the query with the authorization variable, and can see only the data that corresponds to his or her authorizations.
Activities
In the variable wizard in the General Information dialog step, choose the processing type Authorization.
Pasted from <http://help.sap.com/saphelp_nw04/helpdata/en/44/599b3c494d8e15e10000000a114084/content.htm>
Next, look at Authorizations with Variables:
Authorizations with Variables
Definition
Instead of using a single value or interval, you can also use variables in authorizations. The Customer Exit is called up for these variables while the authorization check is running. The call is carried out with I_STEP = 0. The intervals of characteristic values or hierarchies for which the user is authorized can be returned here. By doing this, the maintenance load for authorizations and profiles can be reduced significantly.
Every cost center manager should only be allowed to evaluate data for his/her cost center. Within the SAP authorization standard, a role or a profile with the authorization for the InfoObject 0COSTCENTER equal to 'XXXX' (XXXX stands for the particular cost center) would have to be made for every cost center manager X. This then has to be entered in the user master record for the cost center manager.
Using variables reduces the authorization maintenance workload with the InfoObject 0COSTCENTER equal to '$VARCOST', as well as with the role or the profile, which is maintained for all cost center managers. The value of the variable 'VARCOST' is then set for runtime during the authorization check by the CUSTOMER-EXIT 'RSR00001'.
Maintaining the authorizations restricts the entries for the values to the length of the existing InfoObject. It is possible, however, to use both limits of the interval. In the example 0COSTCENTER with 4 spaces, the variable 'VARCOST' is, therefore, entered as '$VAR' – 'COST'.
There is a buffer for these variables. If this buffer is switched on, the customer exit is only called up once for a variable with the authorization check. In doing so, you avoid calling up the customer exit for variables over and over, as well as decreasing performance. If you want to call up the customer exit each time, you have to deactivate this buffer in the Setting Up Reporting Authorizations. To do this, go to the main menu and choose Extras → Compatibility → Buffer for Variables (Customer-Exit) → Deactivate.
You can also call up the customer exit for authorizations for hierarchies. There are two ways to do this:
...
1. Enter the variable in the authorization for characteristic 0TCTAUTHH. The customer exit is then called up while the authorization check is running. In the LOW fields of the return table E_T_RANGE, the system anticipates the technical name for the hierarchy authorization that you specified in the authorization maintenance (transaction RSSM).
As a result, all parameters are available for such an authorization. Nevertheless, you must also create a new definition for each node.
2. Where many authorizations differ from an authorization for a hierarchy only in respect to the nodes and not to the other authorizations, we suggest the following solution: Different users can be authorized for a specific hierarchy area (subtree). The highest node is different for each user.
Do this by creating an authorization for a hierarchy in the transaction RSSM and enter this in the authorization or role. Instead of specifying a particular node, you specify the variable in the authorization maintenance (transaction RSSM). The customer exit is then called up for the node while the authorization check is running. The return table E_T_RANGE must be filled according to the customer exit documentation (nodes in the LOW field, InfoObject of the node in the HIGH field).
Pasted from <http://help.sap.com/saphelp_nw04/helpdata/en/6d/58f438114ee836e10000000a114084/content.htm>
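A sketch of the customer exit described above, added here as an example; it is not code from the SAP documentation or from the original post. It assumes the exit body lives in include ZXRSRU01 of enhancement RSR00001, and the tables ZBW_CC_OWNER and ZBW_NODE_OWNER, their fields, and the variable name VARNODE are hypothetical. The point to note is that a user with no mapping gets an empty E_T_RANGE rather than a wildcard.

```abap
* Include ZXRSRU01 (assumed body of the customer exit in RSR00001).
* ZBW_CC_OWNER   (UNAME, COSTCENTER)         - hypothetical mapping table
* ZBW_NODE_OWNER (UNAME, NODENAME, NODEIOBJ) - hypothetical mapping table
DATA: ls_range LIKE LINE OF e_t_range,
      lt_cc    TYPE STANDARD TABLE OF zbw_cc_owner-costcenter,
      lv_cc    TYPE zbw_cc_owner-costcenter,
      lt_node  TYPE STANDARD TABLE OF zbw_node_owner,
      ls_node  TYPE zbw_node_owner.

* I_STEP = 0 is the call made while the authorization check runs.
* Other steps are left untouched so the authorization values cannot
* be influenced from the variable screen.
IF i_step <> 0.
  RETURN.
ENDIF.

CASE i_vnam.
  WHEN 'VARCOST'.
    " Authorization value '$VARCOST' on 0COSTCENTER.
    SELECT costcenter FROM zbw_cc_owner
      INTO TABLE lt_cc
      WHERE uname = sy-uname.
    " Fail closed: no rows means no range is returned.
    LOOP AT lt_cc INTO lv_cc.
      CLEAR ls_range.
      ls_range-sign = 'I'.
      ls_range-opt  = 'EQ'.
      ls_range-low  = lv_cc.
      APPEND ls_range TO e_t_range.
    ENDLOOP.

  WHEN 'VARNODE'.
    " Hierarchy authorization: node in LOW, InfoObject of node in HIGH.
    SELECT * FROM zbw_node_owner
      INTO TABLE lt_node
      WHERE uname = sy-uname.
    LOOP AT lt_node INTO ls_node.
      CLEAR ls_range.
      ls_range-sign = 'I'.
      ls_range-opt  = 'EQ'.
      ls_range-low  = ls_node-nodename.
      ls_range-high = ls_node-nodeiobj.
      APPEND ls_range TO e_t_range.
    ENDLOOP.
ENDCASE.
```

With the variable buffer switched on, the exit is called only once per variable during the authorization check, so keep that in mind when testing changes to the mapping tables.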
Finally, look at the ways of handling authorization:
Authorization Using Variables
When starting a query, data selection can automatically follow user authorization. You need to use variables here. Since the variables are filled automatically, these must not be entry-ready. As a result, they do not appear in the variable screen. It is thus possible to start a query and to adjust authorizations, without the user having to do anything.
The variable can also be filled using the result from another query.
Use here the functions of the Report-Report Interface. Also refer to Using Existing Authorizations.
Pasted from <http://help.sap.com/saphelp_nw04/helpdata/en/e7/56b23bdb0d0156e10000000a11402f/content.htm>
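In short, to use it you first have to maintain the authorizations, using transaction code RSECADMIN.
Then flag an InfoObject (IO) as authorization-relevant, maintain the authorization in RSECADMIN, add the InfoObject to it, set its value range, and assign the authorization to the users. From then on, a user who logs on is constrained by that authorization.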