其实权限变量不是变量的一种,大家的俗称而已,它是可以作用于characteristic value variables and hierarchy node variables的一种Processing by的选择。
首先看官方文档:
Authorization
Use
The processing type Authorization enables variables to be filled with values automatically from the user authorization.
Integration
The processing type Authorization can be used with characteristic value variables and hierarchy node variables.
Prerequisites
You have maintained the
authorizations in transaction RSMM.
Features
When you create a variable, if you choose Process with Authorization, the variable is automatically filled with the values of the user's authorization. When the user opens a query, the data is selected automatically according to his or her authorizations.
Note that when they are automatically filled, variables do not have to be ready-for-input, which means a variables screen does not necessarily appear when you open the query or Web application. The user opens the query with the authorization variable, and can see only the data that corresponds to his or her authorizations.
Activities
In the variable wizard in the General Information dialog step, choose the processing type Authorization.
Pasted from <http://help.sap.com/saphelp_nw04/helpdata/en/44/599b3c494d8e15e10000000a114084/content.htm>
然后看Authorizations with variables
Authorizations with Variables
Definition
Instead of using a single value or interval, you can also use variables in authorizations. The Customer Exit is called up for these variables while the authorization check is running. The call is carried out with I_STEP = 0. The intervals of characteristic values or hierarchies for which the user is authorized can be returned here. By doing this, the maintenance load for authorizations and profiles can be reduced significantly.
Every cost center manager should only be allowed to evaluate data for his/her cost center. Within the SAP authorization standard, a role or a profile with the authorization for the InfoObject 0COSTCENTER equal to 'XXXX' (XXXX stands for the particular cost center) would have to be made for every cost center manager X. This then has to be entered in the user master record for the cost center manager.
Using variables reduces the authorization maintenance workload with the InfoObject 0COSTCENTER equal to '$VARCOST', as well as with the role or the profile, which is maintained for all cost center managers. The value of the variable 'VARCOST' is then set for runtime during the authorization check by the CUSTOMER-EXIT 'RSR00001'.
Maintaining the authorizations restricts the entries for the values to the length of the existing InfoObject. It is possible, however, to use both limits of the interval. In the example 0COSTCENTER with 4 spaces, the variable 'VARCOST' is, therefore, entered as '$VAR' – 'COST'.
There is a buffer for these variables. If this buffer is switched on, the customer exit is only called up once for a variable with the authorization check. In doing so, you avoid calling up the customer exit for variables over and over, as well as decreasing performance. If you want to call up the customer exit each time, you have to deactivate this buffer in the Setting Up Reporting Authorizations. To do this, go to the main menu and choose Extras Compatibility Buffer for Variables (Customer-Exit) Deactivate..
You can also call up the customer exit for authorizations for hierarchies. There are two ways to do this:
...
1. Enter the variable in the authorization for characteristic 0TCTAUTHH. The customer exit is then called up while the authorization check is running. In the LOW fields of the return table E_T_RANGE, the system anticipates the technical name for the hierarchy authorization that you specified in the authorization maintenance (transaction RSSM).
As a result, all parameters are available for such an authorization. Nevertheless, you must also create a new definition for each node.
2. Where many authorizations differ from an authorization for a hierarchy only in respect to the nodes and not to the other authorizations, we suggest the following solution: Different users can be authorized for a specific hierarchy area (subtree). The highest node is different for each user.
Do this by creating an authorization for a hierarchy in the transaction RSSM and enter this in the authorization or role. Instead of specifying a particular node, you specify the variable in the authorization maintenance (transaction RSSM). The customer exit is then called up for the node while the authorization check is running. The return table E_T_RANGE must be filled according to the customer exit documentation (nodes in the LOW field, InfoObject of the node in the HIGH field).
Pasted from <http://help.sap.com/saphelp_nw04/helpdata/en/6d/58f438114ee836e10000000a114084/content.htm>
最后看几种处理Authorization的方式:
Authorization Using Variables
When starting a query, data selection can automatically follow user authorization. You need to use variables here. Since the variables are filled automatically, these must not be entry-ready. As a result, they do not appear in the variable screen. It is thus possible to start a query and to adjust authorizations, without the user having to do anything.
- Filling the Variables Automatically:
In variable maintenance, choose Processing from Authorization. Here, the variable is automatically filled with the values in the user authorizations. This applies not only to selection variables (characteristic values) but also to node variables.
Do not use single value- or interval variables, because these can only contain exactly one value or interval respectively.
You can find additional information under Authorization. - Filling the variables in the customer exit.
You can process all variable types (characteristic value variables, hierarchy node variables, formula- and text variables) using the processing type Customer Exit. Do this by choosing SAP enhancement RSR00001. This is the usual method in BW reporting. Also refer to Processing using a Customer Exit.
If you need the authorized values or hierarchy nodes, use the following function modules:
RSSB_GET_AUTH_FOR_USER returns the permitted single values and intervals.
RSSB_GET_AUTH_HIER_FOR_USER returns the node at the top of the permitted hierarchy section, as well as all permitted sub-areas. You should only use this module in special cases. This is because it uses the internal display of the hierarchy and nodes.
You can find additional information under Authorizations with Variables. - Filling Variables with 'SAP Exit' or 'Replacement Path' Types:
You can use the characteristic 0TCTUSERNM with the variable 0TCTUSEE, which are always filled with an SAP exit with the user name (sy-uname). The user name is set (no entry field) and is rechecked in the authorization check. You only need one authorization with the variables for all users (lower maintenance load). The user also safeguards data when the query is changed.
You can find additional information under Using Existing Authorizations -
Filling Variables Using a Query:
The variable can also be filled using the result from another query.
Use here the functions of the
Report-Report Interface. Also refer to Using Existing Authorizations.
Pasted from <http://help.sap.com/saphelp_nw04/helpdata/en/e7/56b23bdb0d0156e10000000a11402f/content.htm>
总的来说,如果要使用它,首先要维护权限,TCODE:RSECADMIN
然后呢,给某个IO设置权限相关,然后RSECADMIN里维护权限,把IO添加进去,设置下值范围,再把权限分配给用户,这样,用户登录以后就受到权限的约束了。