The : authorization is for the case I mentioned before, to allow the user to see only aggregated values (totals) without seeing the details (disaggregation). This can only be useful, for example, in your case: you might want all users to see values for all employees (the total across all employees), but if he/she tries to see the details, he/she could be seeing sensitive data about employees other than themselves, and you wouldn't want that, therefore resulting in a lack of authorization.

Personally I never use the : authorization, but there you have it, an explanation of what it does and how to use it.

For you to be able to execute the query without the : or the * values, in your authorization object defined in RSECADMIN where you had the : values, replace them with meaningful authorization values for the user to execute it, and in the query build authorization variables for those characteristics; therefore, when you execute the query, the values assigned for that authorization in RSECADMIN are automatically loaded into the query.

=======================================================================

Pick up a query as an example. That query is built over, let's say, InfoProvider A.

Then you go to transaction RSECADMIN and create a ZDUMMY authorization. You give a description. Then you click on the InfoProvider button, insert the name A and click enter.

Mark all characteristics, but don't mark the options for the : values or the * values.

You'll see several characteristics added to your new authorization but with no values. Now double-click each one and assign the values you want the test user to access.

Afterwards click on the special charact. button at the left of the InfoProvider button. Now, three new characteristics are added:

0TCAACTVT
0TCAIPROV
0TCAVALID

And values are automatically assigned to them. They can be left like that, they will be OK.
0TCAACTVT represents the activity and can have the value 03 (display of the values); 0TCAIPROV represents the InfoProvider, and by default those authorization values will be for every InfoProvider; if you want, you can change it from * to the value A, in this case your InfoProvider A; 0TCAVALID can be *, which is valid forever.

After that, save the authorization and assign it to the test user.

Now test it, and you'll see that only the values you assigned before in your ZDUMMY authorization will be valid for that query.

==================================================

Whether colon (:), i.e. authorization for aggregates, will work is determined by the design of your query and whether any restriction for the field is being used.

I can think of a few cases below

: authorization will work
- Field not included in query
- Field included in query but part of the free characteristics. : authorization will work
- Field included in rows of the query. No restriction : will not work. You need * to give access
- Field included in rows of the query and the field is restricted to particular value. : will not work. Both * and actual restricted values can be used to give