The : authorization is for the case I mentioned before, to allow the user to see

only aggregated values (totals) without seeing the details (desaggregation). Th

is can only be usefull for example, in your case you might wanted that all users
could see values for all employees (the total by all employees), but if he/she
tries to see its details, he/she could be seeing sensitive data about other empl
oyees than their own, and you wouldn't want that, therefore giving a lack of aut
horization.
Personally I never use the : authorization, but there you have it, an explanatio
n of what it does and how to use it.
For you to be able to execute the query without the : or the * values, in your a
uthorization object defined in RSECADMIN where you had the : values, replace the
m by meaning authorization values for the user to execute it, and in the query b
uild authorization variables for those characteristics, therefore, when you exec
ute the query, those values assigned for that authorization of RSECADMIN are aut
omatically loaded to the query.
=======================================================================
Pickup a query as an example. That query is build over lets say infoProvider A.
Than you go to transaction RSECADMIN and create a ZDUMMY authorization. You give
a description. Then you click on the InfoProvider button and insert the name A
and click enter. Mark all characteristics but don't mark the options of : values
neither the * values.
You'll see several characteristics added to your new authorization but with no v
alues. Now double click each one and assign the values you want the test user to
access.
Afterwards click on the special charact. button at the left of the InfoProvider
button. Now, three new characteristics are added:
0TCAACTVT
0TCAIPROV
0TCAVALID
And values are automatically assigned to them. They can be left like that, they
will be OK. 0TCAACTVT represents activity and can have the value 03, of display
of the values; 0TCAIPROV represents InfoProvider and by default those authorizat
ion values will be for every InfoProvider, if you want you can change it from *
to the value A, in this case, your InfoProvider A; 0TCAVALID can be *, which is
valid for ever.
After that save the authorization and assign it to the test user.
Now test it, and you'll see only the values that you assign before in your ZDUMM
Y authorization will be valid for that query.
==================================================
Whether colon (:) i.e. authorization for aggregates, will work is determined by
the design of your query and whether any restriction for the field is being used
. I can think of a few cases below
: authorization will work
- Field not included in query
- Field include in query but part of the free characteristics. : authorization w
ill work
- Field included in rows of the query. No restriction
: will not work. You need
* to give access
- Field included in rows of the query and the field is restricted to particular
value. : will not work. Both * and actual restricted values can be used to give

access.