Analysis Authorization in BO 4.0 Webi report

Similar Messages

• Hierarchy Analysis Authorization in BW and BOBJ Webi Report

  Hello,
  We have a scenario wherein we have implemented Analysis Authorizations (Hierarchy) on Organizational Unit info object (0ORGUNIT) and need to report on BOBJ WEBI. Our scenario is as following
  ORGUNIT    - L0 (Overall Enterprise Level)     
  -     L1 (Enterprise - Continent Wise Split)
  -     L2 (Enterprise u2013 Country Wise Split)
  -     L3(Enterprise u2013 City Wise Split)
  E.G- 
        LO (Company ABC) MANAGER 0 will have access to the entire organization
             -L1 (ASIA) MANAGER1 will have access to ASIAN Subcontinent
                    -L2 (India) MANAGER 2 will have Access to country India
                              -L3 (New Delhi) MANAGER 2.1 will have access to city Delhi
                              -L3 (Mumbai) MANAGER 2.2 will have access to city Mumbai
                     -L2 (Malaysia) MANAGER 3 will have access to Country Malaysia
                                -L3 (Kuala Lampur)
                                -L3 (pahang)
               - L1 (Europe)
                                          u2026..
  The requirement is that the CEO of the company should be able to see the entire set of data ( L0-L4).We have continent managers who can see that data specific to their continent, similarly at L3 Level the city manageru2019s should see the data only for their specific city.
  In BI we have used analysis authorization based on hierarchies. We have created an authorization object say ZAUTH1 and have assigned the hierarchy L0 from RSECADMIN. Now, in Webi when we create a report a sample row comes as :
  L0 Org Unit     L1 Org Unit     L2 Org Unit     L3 Org Unit     SALES Key Figure
  Company ABC     Asia          India          Mumbai          1000
  Now, we have MANAGER 2.2 who has only access to the data specific to his city (Mumbai). There is an Analysis Authorization object created for him ZAUTH2, by ONLY assigning the org unit hierarchy L3 (for Mumbai). When we run the bex report with the user MANAGER 2.2 u2013 it correctly displays the result and the user is only able to see the data for L3 Org Unit (Mumbai). However when you bring this data to Webi u2013 the report comes in the below format:
  L0 Org Unit     L1 Org Unit     L2 Org Unit     L3 Org Unit     SALES Key Figure
  Mumbai                                           1000
  The L3 org unit has now got assigned to L0 Org unit , as this is the only org unit assigned to the MANAGER 2.2 user .
  In such a case we are not able to write any generic formulae for the report. Is there a way to correct this issue? u2018Mumbaiu2019 should either get assigned to the L3 OrgUnit column is webi report , or is there a workaround that is possible ?
  Thanks and Best Regards,
  Vj

  Hi Vijay,
  The problem you speak of is known and comes from the fact that the hierachy is flattened in the process of delivering it to WebI. Therefore there is no real 'solution' to the problem, just some work-arounds you can think of...
  1)
  Create a report variable that starts looking at the lowest level, if it is empty check one up, and so on until you found what you were looking for (the lowest leaf available), which by definition must be there (even if it is top level).
  Using similar logic you can also get a 'number of levels avaible' and so fill in the complete tree (duplicating the highest level).
  This is difficult to explain when end users create their own reports, though you could provide a template report with these variables in there already.
  2)
  Extend the hierarchy with duplicates below the lowest level.
  So i.e. L0 Company - L1 Continent - L2 Country - L3 City- L4 City - L5 City- L6 City.
  This will give back on the four levels for top authorization
  L0 Company - L1 Continent - L2 Country - L3 City
  For authorization on Continent:
  L0 Continent - L1 Country - L2 City- L3 City
  For autorization City
  L0 City- L1 City - L2 City- L3 City
  So in all situations the fourth level, the L3 Object will hold the City level.
  This you can then use in your report.
  Hope this helps,
  Marianne

• Analysis Authorization In Dev and impact of reports and roles in prod trans

  Hello,
  We are planning to switch to analysis authorization. We plan to make that change first in Dev and we were wondering what would be the impact on roles and reports we transport from dev (which is switched to Analysis Authorization) to production( on Old authirization) ? We wont transport new things to production till we switch to new auth in Prd.
  Thanks a lot,
  BP.

  Hello
  Even if you are transporting the roles from dev to quality and production, the analysis authorization objects will not be checked until you set "current procedure..." in RSCUSTV23.
  So there is no harm in transporting the roles and auhotrization until you change the concept to analysis.
  regards,
  Payal

• Authorization Error ERR_WIS_30263 when creating WebI reports

  Dear all,
  I'm currently trying to setup all authorizations in BI4 for my key-users and I'm getting some issues with my WebI authorizations.
  Each time I logon to the WebI rich client, I get for all data sources which I can choose as the basis for my WebI reports the following error:
  Your security profile does not include permission to create documents. (Error: ERR_WIS_30263) (WIS 30263)
  I already checked again and again all available authorizations in my access level, but I can not get it to work.
  Any ideas, which authorization right might be missing?
  Thanks,
  Andreas

  Hi,
  As advised in previous answer, check the users access via the CMC.
  Central Management Console > Users and Groups > User Lists
  Double click on user concerned and check the Group the user belongs to. Maintain accordinlgy :
  Try the following
  Member Of > Join Group > Universe Designer Users
  Hope this helps,
  Hecham

• Authorization Hierachy Node Variable in Web Report

  Hi friends,
  I have a Authorization Hierachy Node Variable on 0COMPANY and this is placed in Free Characteristics in BEx Query.
  Now i want to catch the value of this Company in Web Template either using Text Element web Item or etc. and then pass this value to the Print Layout of the same report.
  Could some body help me on this.
  Thank you very much advance.

  Hello Aneesh,
  these is how i have BUT NOT WORKING.
  i am thinking, if it in free characteristics, then it wont give values !!..
  var COMPNM  = '<object>
           <param name="OWNER" value="SAP_BW"/>
           <param name="CMD" value="GET_ITEM"/>
           <param name="NAME" value="TEXTELEMENTS_5"/>
           <param name="ITEM_CLASS" value="CL_RSR_WWW_ITEM_TEXT_ELEMENTS"/>
           <param name="DATA_PROVIDER" value="DP"/>
           <param name="GENERATE_CAPTION" value=""/>
           <param name="WIDTH" value="453"/>
           <param name="BORDER_STYLE" value="NO_BORDER"/>
           <param name="SHOW_COMMON_ELEMENTS" value=""/>
           <param name="SHOW_FILTERS" value=""/>
           <param name="SHOW_VARIABLES" value="X"/>
           <param name="ELEMENT_TYPE_1" value="VARIABLE"/>
           <param name="ELEMENT_NAME_1" value="IVCMP_H"/>
           <param name="ONLY_VALUES" value=""/>
           ITEM:            TEXTELEMENTS_5
  </object>';

• Need analysis authorization help

  Hello Gurus,
  Could someone please help me out with my Analysis Authorization issue?
  We have a BW query and workbook outputting "Tcode usage" like the following:
  UserGroup| Username| Tcodename| Frequency
  This one has been running long time without any problems in reporting authorization, but now We want to get it restricted and only allow data associated group HR to display using new Analysis authorization. The scenario for this report is as follows:
  1. Rsecadmin >Maintenance> Create New authorization "Group" which consists of 4 characteristics: 0TCAACTVT, 0TCAIPROV, 0TCAVALID and 0TCTUSRGRP(which is the characteristic about group name and already authorizatio relevant). Set 0TCTUSRGRP "EQ HR".
  2.Assigned this authorization to a role using PFCG through the S_RS_AUTH. Other authorization objects in this role are:   S_BDS_D, S_BDS_DS, S_RS_MPRO, S_RSEC, S_RS_COMP, S_RS_COMP1, S_RS_HIER, S_RS_ICUBE, S_RS_ODSO.
  3.In BEx analyzer, set type: Characteristic Values and Variable filled from authorization and value "Selection Option". Unselected "ready for input". Put the characteristic associated with group name to filter windown on the top righ hand side of the Query Designer. Also compare users in PFCG.
  The question is the I still get all data about all groups. Looks like the authorization group doesn't work. I  used the "execute as " and get no errors back.
  Note: I didn't use "generation" to create the new authorization in Rsecadmin
  Thank you very much for any answers!
  Haifeng

  I guess i have found the reason why my authorization dosen't work. I don't activate infoObjects 0TCA* and 0TCT* and infoCubes 0TCA* as well. But another thing I am confused about is :
  Should I activate HR and CO businees content for authorizations 0TCA_DS02OTCA_DS05 and 0CCA_O010CCA_O03 before i get started? or should i run generation everytime i create a new authorization using Maintenance in Rsecadmin?
  Haifeng

• Analysis Authorization Pre Filtered Values

  Hi all Gurus,
  I am currently using Analysis Authorization setup and when I run report with no values input in the variable input screen it seems to display ALL the records in the info provider BUT not by what I am able to see based on my authorization defined.
  Example:
  I am authorized to see Personnel Area = A but when i run the report it hits authorization error and I understand that it is displaying ALL the records.
  So my question is is it possible that this filter is automatically for Analysis Authorization handled by the system like how the OLD Authorization handle this?
  Thanks

  Hello Julie,
  It is not necessary to use Hierarchy or customer exit inorder to restrict the access based on company code.
  1. First of all make, Company code as authorization relevent in IO settings
  2. In RSECADMIN, create one authorization object. It is a good practice to include all SAP Technical objects also. Just click on Inster special characts.
  3. For the company code assign required value.
  4. Assign this authorization to user in USER tab
  5. In the report, If you want to defualt the value of company code, create one authorization relevent variable for company code. You can make this variable as ready for input/Not ready for input.
  6. Execute the report.
  The user will only get data related to authorized company code.
  Regards,
  Ravindra

• Web Intelligence Report + BI 7.0 Analysis Authorizations

  Hello Experts,
  I have created a report on a universe based in a SAP BW InfoCube that contains an authorization relevant InfoObject (Company Code).
  BW Analysis authorization have been set up for this cube in such way that the user should have access only to data containing one of the two values of Company Code (lets say for example that the user can access value "A").
  It seems to be working fine when testing them via a BEx Query or via rsecadmin (rsrt with detailed analysis authorization logs). When the test user tries to view the full contents of the specific cube gets an "access denied" message (this is normal), whereas if the user runs a report with a filter "A" on Company Code the report returns the results as it should have. So far so good.
  For testing use within Web Intelligence, I have created the following Single Sign On (SSO) universes: a)directly on the cube, b)via a "select all" query and finally c)via a filtered query (filtering the exact allowed values of analysis authorization of the test user). All of the above have unfortunately the exact same issues:
  When a test user with limited analysis authorization (i.e. a user that can only access value "A" of Company Code) tries to view a report on either of these universes, then the result is the following message when trying to execute the query "A database error occured. The database error text is: Error loading cube MyCube/MyQuery (catalog MyCube): Unknown error. (WIS 10901)"
  I have tried several settings on the universe (like filter working on LoV as well) but none helped.
  If we replace the user's analysis authorizations with full access on company code (values "A" and "B") the query runs as it should have.
  Any ideas?
  Best regards
  Giorgos

  Hi,
  has the Universe been created on the cube level or on the query level ?
  In case it is on the cube level it will fail because :
  Analysis authorizations are not based on authorization objects. Instead, you create authorizations that include a group of characteristics. You restrict the values for these characteristics.
  The authorizations can include any authorization-relevant characteristics, and treat single values, intervals, and hierarchy authorizations in the same way. Navigation attributes can also be flagged as authorization-relevant in the attribute maintenance for characteristics and can be added to authorizations as separate characteristics.
  You can then assign this authorization to one or more users.
  All characteristics flagged as authorization-relevant are checked when a query is executed.
  *A query always selects a set of data from the database. If authorization-relevant characteristics are part of this data, you have to make sure that the user who is executing the query has sufficient authorization for the complete selection. Otherwise, an error message is displayed indicating that the authorization is not sufficient. In principle, the authorizations do not work as filters. Very restricted exceptions to this rule are hierarchies in the drilldown and variables that are filled depending on authorizations. Hierarchies are mostly restricted to the authorized nodes, and variables that are filled depending on authorizations act like filters for the authorized values for the particular characteristic*
  Ingo

• [BO over SAP BW] Web Intelligence Report + BI 7.0 Analysis Authorizations

  Hello Experts,
  I have created a report on a universe based in a SAP BW InfoCube that contains an authorization relevant InfoObject (Company Code).
  BW Analysis authorization have been set up for this cube in such way that the user should have access only to data containing one of the two values of Company Code (lets say for example that the user can access value "A").
  It seems to be working fine when testing them via a BEx Query or via rsecadmin (rsrt with detailed analysis authorization logs). When the test user tries to view the full contents of the specific cube gets an "access denied" message (this is normal), whereas if the user runs a report with a filter "A" on Company Code the report returns the results as it should have. So far so good.
  For testing use within Web Intelligence, I have created the following Single Sign On (SSO) universes: a)directly on the cube, b)via a "select all" query and finally c)via a filtered query (filtering the exact allowed values of analysis authorization of the test user). All of the above have unfortunately the exact same issues:
  When a test user with limited analysis authorization (i.e. a user that can only access value "A" of Company Code) tries to view a report on either of these universes, then the result is the following message when trying to execute the query "A database error occured. The database error text is: Error loading cube MyCube/MyQuery (catalog MyCube): Unknown error. (WIS 10901)"
  I have tried several settings on the universe (like filter working on LoV as well) but none helped.
  If we replace the user's analysis authorizations with full access on company code (values "A" and "B") the query runs as it should have.
  Any ideas?
  Best regards
  Giorgos

  Hi,
  has the Universe been created on the cube level or on the query level ?
  In case it is on the cube level it will fail because :
  Analysis authorizations are not based on authorization objects. Instead, you create authorizations that include a group of characteristics. You restrict the values for these characteristics.
  The authorizations can include any authorization-relevant characteristics, and treat single values, intervals, and hierarchy authorizations in the same way. Navigation attributes can also be flagged as authorization-relevant in the attribute maintenance for characteristics and can be added to authorizations as separate characteristics.
  You can then assign this authorization to one or more users.
  All characteristics flagged as authorization-relevant are checked when a query is executed.
  *A query always selects a set of data from the database. If authorization-relevant characteristics are part of this data, you have to make sure that the user who is executing the query has sufficient authorization for the complete selection. Otherwise, an error message is displayed indicating that the authorization is not sufficient. In principle, the authorizations do not work as filters. Very restricted exceptions to this rule are hierarchies in the drilldown and variables that are filled depending on authorizations. Hierarchies are mostly restricted to the authorized nodes, and variables that are filled depending on authorizations act like filters for the authorized values for the particular characteristic*
  Ingo

• BW Analysis authorizations issue in BO Webi Report

  Dear All,
  I have one webi report which is on BEx Query-universe.
  Query has 6 authorization variables with ready for input(optional).
  User has authorizations for all 6 fields.
  But when we execute the webi report it is throwing error message  like" query do not retrive data"
  One of the  6 authorization fields has only few values , when we give " * " to this field the user can able to execute the report.
  Could  anybody tell me what is need be done here
  regards
  mhreddy

  Hi!
  Probabily the combination of authoriztions funcions are executing considering "and".
  See your configuration to considerer "or".
  Test one by one.
  bye

• SAP BO WebI Report on top of BI Bex Query with Authorization Variable

  Hi,
       We are trying to restrict row level data using BI 7.0 analysis authorization concept. We have an authorization variable in the Bex query and is working perfect in Bex Analyzer as well as in RSRT.
  Now we are trying to achieve the same thing in BO webI. We created an Universe using Authentication Mode SSO. We are on BOXI 3.1 and implemented SSO. When we try to run the query in WebI we get the error
     "A database error occured. The database error text is: Error in MDDataSetBW.GetCellData..(WS 10901)"
  Just for testing purpose, when we use query filter in WebI and use Values from List, it is showing only the authorized value it supposed to show and runs well with that value selected. But we have to achieve this without the query filter in WebI.
  So are we missing some thing here or any patch issue? Please share if you have done this type of reports in BO.
  Thanks in advance for your help.
  Moorthy.

  Yes I did run MDXTEST and it gives error as 'you do not have sufficient authorization'. The reason it is giving, I guess and we are debugging that to confirm, is first it looks for 0BI_ALL and throws error which is not the case in Bex. See the following trace in RSRT trace.
  InfoObject Properties Defined
  Reading of Directly Assigned Authorizations
  Direct Assignment Does Not Include Universal Authorization 0BI_ALL
  Reading the Indirect Assignments with Authorization Object S_RS_AUTH
  Does user have OBI_ALL?
  No, the User Does Not Have Universal Authorizion 0BI_ALL
  Negative Entry in SU53 Result of Failed Check for 0BI_ALL
  Indirect assignments found; no universal authorization
  Reduction of Authorization Dimensions on Characteristics in InfoProvider
  Reduction Successful
  Thanks!
  Moorthy

• Weird issue - BEX analyser vs Web report

  Hi,
  In BEX analyser variant screen, I could not find a particular cost center, but I could see it if I use web report.
  this is really stange since I am running same report.
  thanks in advance

  solved it

• BI 7.0 Analysis Authorization issue: some reports displaying a blank page.

  Hi All,
  This is regarding BI 7.0 Analysis Authorization issue.
  Overview:
  we have restricted some queries at infoobject level.
  Issue:
  a. For some of the queries, we can see the selection screen but when we try to execute the query by clicking on the execute button (Queries WAD) we get a blank page, meaning nothing is displayed on the output (white/Blank screen).
  b. When we execute the same query through RSRT, we get a message which says "Disconnecting from BW server..".
  c. Let me explain further on this. Basically we are doing this in order to have limited access to Auditors at the client side. At the same time normal users should not get impacted due to this, hence we created two roles. One for normal users and other for Auditors.
  d.  Now the thing is that we execute the same report with normal user ID's the report executes properly and displays the output. it does not show the blank page.
  e. But when we execute the same report with Auditors ID then we get a blank page.
  Any idea why this is so?

  Hi Neha,
  I tried the below also,
  GL Acnt
  I EQ 0000134010
  I EQ :
  but still it didn't work.
  No Infoobject is missing in Authorization Object.
  For your point, "rsecadmin - > analysis -> execute as -> check for the desired user & analyze the log" it didnu2019t allow me to analyze, since as soon as click on execute button a pop-up comes up saying "Disconnecting from the BW server..."
  As mentioned earlier also it is giving me the below message,
  ""I>> Row: 103 Inc: AUTHORITY_02 Prog: CL_RSR_RRK0_AUTHORIZATION                                                                       RS_EXCEPTION        301CL_RSR_RRK0_AUTHORIZATION                         AUTHORITY_02"
  Kindly suggest, since this is a show-stopper for us!
  Thanks,
  Ishdeep Kohli.

• Analysis Office vs Webi report ---Bex query Data mismatch

  I have one Bex query.
  I insterted the query in Analysis office for Microsoft edition, and its pulling 985 records, but when i inserted the bex query in Webi report its pulling only 27 records. Any body faced similar problem, explain the solution..?
  Using BICS connction for webi report development.
  Environment: BI 4.1 SP5
  Anlaysis office version :  1.4 SP10

  Hi Ingo,
          If we make it database delegated then the Webi query returns no results. (Blank results). Moreover there is no exception aggregation
  We have tried the following and getting the result correctly,
  In the Bex Query We had a Time variable which was based on SAP exit. We removed the SAP exit variable from Bex Query and restricted the period for atime range.
  Then created a Prompt in Webi report for the time
  The result is matching.
  But still failed to undrstand this because other queries which have SAP exit variables works fine.
  Still working around for a convincing solution for this.. Will let you know
  Thanks and Regards
  Rajesh

• Crystal Report not showing details when analysis authorizations are used

  We have a crystal report that is filter by company code. Analysis authorizations have been created for each company code as well as one for all (* access). In bex the report runs fine with the analysis authorizations. In crystal if the test user has the * analysis authorization the report runs correctly. If the test user has a specific company code the details section of the report does not display

  I may be a little slow here but if the user does not have the access he should not be able to see the details or am I missing something here?