Analysis Authorization Issue

Similar Messages

• BI 7.0 Analysis Authorization issue: some reports displaying a blank page.

  Hi All,
  This is regarding BI 7.0 Analysis Authorization issue.
  Overview:
  we have restricted some queries at infoobject level.
  Issue:
  a. For some of the queries, we can see the selection screen but when we try to execute the query by clicking on the execute button (Queries WAD) we get a blank page, meaning nothing is displayed on the output (white/Blank screen).
  b. When we execute the same query through RSRT, we get a message which says "Disconnecting from BW server..".
  c. Let me explain further on this. Basically we are doing this in order to have limited access to Auditors at the client side. At the same time normal users should not get impacted due to this, hence we created two roles. One for normal users and other for Auditors.
  d.  Now the thing is that we execute the same report with normal user ID's the report executes properly and displays the output. it does not show the blank page.
  e. But when we execute the same report with Auditors ID then we get a blank page.
  Any idea why this is so?

  Hi Neha,
  I tried the below also,
  GL Acnt
  I EQ 0000134010
  I EQ :
  but still it didn't work.
  No Infoobject is missing in Authorization Object.
  For your point, "rsecadmin - > analysis -> execute as -> check for the desired user & analyze the log" it didnu2019t allow me to analyze, since as soon as click on execute button a pop-up comes up saying "Disconnecting from the BW server..."
  As mentioned earlier also it is giving me the below message,
  ""I>> Row: 103 Inc: AUTHORITY_02 Prog: CL_RSR_RRK0_AUTHORIZATION                                                                       RS_EXCEPTION        301CL_RSR_RRK0_AUTHORIZATION                         AUTHORITY_02"
  Kindly suggest, since this is a show-stopper for us!
  Thanks,
  Ishdeep Kohli.

• Analysis Authorization Issue 7.3

  Hello Friends,
  System BW 7.3, Currently there are 80 odd analysis authorization objects
  We want to introduce a new info object (GL Account) to be authorization relevant, ( there are few objects in the system which are already authorization relevant in the system with proper analysis authorization objects and they are working fine)
  Things done, made the GL Account object authorization relevant in RSA1, Created 2 analysis authorization objects with GL Account and TCT objects and one with hierarchy restrictions and one open access.
  Added this object to the user in addition to its already existing authorization objects. Created authorization variable in BEx.
  Some how the authorization is not picked up and it gives us all the values in the report. But if I add the GL Account info object to the existing analysis authorization objects then it works fine.
  I do not want to change all the existing analysis authorization objects to add GL Account.
  Your inputs are most welcome.
  Thanks
  Ed.

  Gajesh- I have added the new analysis authorization object to the user in RSECadmin.
  Subhendu- Problem statement: What are the steps involved in making a new info object(GL Account) authorization relevant. Authorizations are given at hierarchy level. Can we create a new analysis authorization with  GL Account only or do we have to add it to every existing analysis authorization
  I have done the following steps
  1. Made the GL Account object authorization relevant in RSA1,
  2. Created 2 new analysis authorization objects with GL Account ( with hierarchy restrictions) and TCT objects and one with GL Account open access.
  3. Added this object ( which has restrictions) to the user in RSECADMIN, in addition to its already existing authorization objects.
  4. Created authorization variable in BEx.
  5. No existing analysis authorization objects have been changed.
  When I test the report, It does not restrict based on the hierarchy that I have given, it gives open access.
  But If I add GL Account with restrictions to the existing analysis authorization object, it works good.
  Guess I am missing some thing here.
  Do you need any other screen shots.
  Thanks
  Ed.

• BW Analysis authorization issue on cost center range

  Hello BIW security experts
  I have a problem where I created an analysis authorization on a cost center range and it looks like the interval is not working. The report is just a list of cost centers (demo to users to prove that analysis authorizations work in order to skip 2 managerial cost centers.
  . Cost centers are numeric. Example:  2000100. In the drop down list they appear as such.
  . I want to have the following cost center range: 1000000 to 1000771, 1000773 to 2000771, 2000773 to 9999999.
  Thereofore 1000772  and 2000772 should not appear in the list.
  . In the analysis authorization I have put the 3 ranges above on 3 separate lines. 'BT' is the operator. The cost centers have been selected from the drop down list.
  Results:  I get only 1 record from the report....  2000772. (which is one I want to exclude..
  Steps tried to debug:
  . When I put a list of cost centers in the analysis authorization on separate line with the 'EQ' operator, then the report works.
  . I tried putting ' ' delimiters since cost center is a char field but it fails.
  . I tried adding leading and trailing zeros to fill up the char(10) but no luck.
  . I tried creating a hierarchy with the interval and put it in the hierachy auth. tab and it does not work either. It gives the same number of records than the first step.
  . A hierarchy with single values work.
  I do not know what else to try..
  Thanks.
  YB.

  Good morning
  Here it is from RSECVAL
  ZCC_TEST     0COSTCENTER                    I       BT        1000000                                                      1000771
  ZCC_TEST     0COSTCENTER                    I       BT        1000773                                                      2000771
  ZCC_TEST     0COSTCENTER                    I       BT        2000773                                                      9999999
  ZCC_TEST     0COSTCENTER                    I       EQ        #
  ZCC_TEST     0COSTCENTER                    I       EQ        :
  ZCC_TEST     0INFOPROV                         I       CP        *
  ZCC_TEST     0TCAACTVT                        I       EQ        03
  ZCC_TEST     0TCAIPROV                         I       CP        *
  ZCC_TEST     0TCAKYFNM                       I       CP        *
  Thank you for your help.

• BW Analysis authorization issue... need help urgently....

  We have one BW query which is pulling data from Contract Division info-object. Now this report does not variable selection object so it is pulling data from all values of Contract Division. Values of  Contract Division are CNC, CNS, CNE and CNL.
  Now we have created an analysis auth. object called z_es_3 and added Contract division info-object. Now we have added that z_es_3 into role and given value to CNS. now when we are running report, we are getting No Authorization error. When we are giving * value in z_es_3, it is running fine.
  Now we have to restrict report to contract division. please help.
  Thanks in advance

  Are you running unrestricted search on Contract division in your queries? You should restrict it to value which is maintained in the authorization for the InfoObject.
  Also please run the analysis authorization trace from RSECADMIN. That will give you a clearer picture of what is wrong.

• Analysis Authorizations Issue (BI 7.0)

  Dear Colleagues,
  I have a question regarding BI 7.0 Authorizations. What happens when a cube is created from an Infoprovider in which Company Code (to use an example) is marked as authorizations relevant, but that infobject is not used. That is, the cube gets data from that Infoprovider, but the data retrieved has nothing to do with Company Code. When a query is created from this cube, will the user be required to have authorizations for the company code of the information he's retrieving or will she/he be able to see all the information?
  Thanks in advance for your help.
  Best regards,
  CMPT

  Hello,
  I think I understand your question?
  If you have characteristic company code marked as authorization relevant...
  You have two basic info cubes, one with company code A and one without company code B.
  You have a multi cube combining characteristics from both basic cubes (including company code).
  If you execute a query written against the multi cube but extracts data only from basic cube B (without company code), will you need to have an analysis authorization with company code defined?
  If this is your question, then Yes, you do need to define company code in the authorization (assigning value # should be sufficient).
  KR
  Andy

• BW Analysis authorizations issue in BO Webi Report

  Dear All,
  I have one webi report which is on BEx Query-universe.
  Query has 6 authorization variables with ready for input(optional).
  User has authorizations for all 6 fields.
  But when we execute the webi report it is throwing error message  like" query do not retrive data"
  One of the  6 authorization fields has only few values , when we give " * " to this field the user can able to execute the report.
  Could  anybody tell me what is need be done here
  regards
  mhreddy

  Hi!
  Probabily the combination of authoriztions funcions are executing considering "and".
  See your configuration to considerer "or".
  Test one by one.
  bye

• Need analysis authorization help

  Hello Gurus,
  Could someone please help me out with my Analysis Authorization issue?
  We have a BW query and workbook outputting "Tcode usage" like the following:
  UserGroup| Username| Tcodename| Frequency
  This one has been running long time without any problems in reporting authorization, but now We want to get it restricted and only allow data associated group HR to display using new Analysis authorization. The scenario for this report is as follows:
  1. Rsecadmin >Maintenance> Create New authorization "Group" which consists of 4 characteristics: 0TCAACTVT, 0TCAIPROV, 0TCAVALID and 0TCTUSRGRP(which is the characteristic about group name and already authorizatio relevant). Set 0TCTUSRGRP "EQ HR".
  2.Assigned this authorization to a role using PFCG through the S_RS_AUTH. Other authorization objects in this role are:   S_BDS_D, S_BDS_DS, S_RS_MPRO, S_RSEC, S_RS_COMP, S_RS_COMP1, S_RS_HIER, S_RS_ICUBE, S_RS_ODSO.
  3.In BEx analyzer, set type: Characteristic Values and Variable filled from authorization and value "Selection Option". Unselected "ready for input". Put the characteristic associated with group name to filter windown on the top righ hand side of the Query Designer. Also compare users in PFCG.
  The question is the I still get all data about all groups. Looks like the authorization group doesn't work. I  used the "execute as " and get no errors back.
  Note: I didn't use "generation" to create the new authorization in Rsecadmin
  Thank you very much for any answers!
  Haifeng

  I guess i have found the reason why my authorization dosen't work. I don't activate infoObjects 0TCA* and 0TCT* and infoCubes 0TCA* as well. But another thing I am confused about is :
  Should I activate HR and CO businees content for authorizations 0TCA_DS02OTCA_DS05 and 0CCA_O010CCA_O03 before i get started? or should i run generation everytime i create a new authorization using Maintenance in Rsecadmin?
  Haifeng

• Issues with Analysis Authorization on Infoset

  Hi all
  We are facing an issue with Analysis Authorization on Infoset, it doesnt seem to throw authorization error when we access a record that is outside the authorization. We tried to use the same authorization set up from the same user we try to access the a record that is outside the authorization it behaves correctly.
  Here is my setup
  0CRM_MKTELM__0CRMCAMPTYP = ZA11
  0TCAACTVT = *
  0TCAIPROV = *
  0TCAVALID = *
  When I tried to access ZA12 it should throw an authorization error but for infoset it doesnt seem to work. Is there anything that we should take note for Infoset?

  Hi Chee,
  I am getting similar issue.
  I believe navigational attribute was already a authorization relevant in your case.
  What and where did you set it as authorization relevant to make it work on infosets.
  Regards,
  Ramz

• Issues with Analysis Authorization checks in APO

  Hi Friends,
  I am facing an issue with Analysis authorization checks in APO.
  We have setup user access based on Management Entity (Analysis authorization - AGMMGTENT and 0TCAACTVT) and core APO authorizations (based on the work profile - e.g: Demand Planner).
  Scenario: Consider User A has access to India and Australia Management Entities with 0TCAACTVT - *
  This user also has display access to all management Entities (AGMMGTENT - * and 0TCAACTVT - 03). This scenario works very well in Quality where the RSECADMIN trace shows check on both Characteristics. However in Production the RSECADMIN trace shows up only against AGMMGTENT (*) and by default takes 0TCAACTVT as (*).
  In Quality the Characteristics that get checked are as below : and it works as expected. Display access for Management Entities that are supposed to be displayed only and change access to only the Management Entities that it should.
  However the Trace for Production shows the following : As a result it is allowing the user to change access to all management Entities. Which is not desirable..
  Resultant trace results are as below: This should not happen..
  I have compared all Analysis Authorizations and it is same across both Instances. The Demand planner access is consistent too..
  Will it be possible for you to advise on what could I be missing.

  Hi All,
  If it helps, in Quality: the Authorization checks are listed as: Subselection (Technical SUBNR) 1
  while in Production it checks Subselection (Technical SUBNR) 1 in one place, however where it fails - the check happens as Subselection (Technical SUBNR) 0.
  Is there a way we can change this to SUBNR 1. Is there any table entry that I can look at to check if the Authorization check is functioning incorrectly..
  Please advise.. Thanks..
  Regards,
  Prakash

• Analysis Authorization for nav Attr Issue

  Hello:
  I have a 0COMP_CODE as an attribute of 0SALSORG and it is marked as authorization relevant. i.e 0SALESORG_0COMP_CODE is authorization relevant.
  I created an analysis authorization Object ZCOMPCODE_1000 by adding following in it.
  InfoObject           Value
  0COMP_CODE  = 1000
  0SALESORG = *
  0SALESORG_0COMP_CODE = 1000
  0TCAACTVT = *
  0TCAIPROV - *
  0TCAKYFNM = *
  0TCAVALID = *
  Now I have a report on a cube which has 0SALESORG as char and also 0SALESORG as a variable on selection.
  When I run a query for sales org = 1000, I can see rsults as sales org 1000 is assigned to company code 1000.
  If I run report for sales org 2000, I should get not authorized message as 2000 is not assigned to company code 1000 and I only have a role assigned to me which has analysis authorization object ZCOMPCODE_1000. But Still I am getting report results.
  Please explain Why and How can I overcome this issue.
  Thanks

  First of all it is strange that we see two appearances of sales org.
  0SALESORG = *
  0SALESORG_0COMP_CODE = 1000
  Probably the star value overrides the setting in the second one.
  Besides did you create the variable in the query as authorization relevant or you will have problems there.

• BW Analysis Authorization on two charcteristics issue

  I am familiar with analysis authorizations in BW 7.0 and worked on it.
  Today we have blanket authorization (RSECADMIN) for 0TAX_NUMB = *. Meaning user who has this auth/role can see values (from where ever 0TAX_NUMB is used, all company codes etc). And as you might know 0TAX_NUMB is used in 0VENDOR & 0CUSTOMER master data (as an attribute). This works well, because its easy
  Now, new requirement is to create more strict analysis authorizations for 0TAX_NUMB based on other characteristic values.
  Auth1 (should apply to 0TAX_NUMB used in 0VENDOR):
  0TAX_NUMB = all values and only for vendor account group = XXX
  Auth2 (should apply to 0TAX_NUMB used in 0VENDOR):
  0TAX_NUMB = all values and only for vendor account group = yyy
  Auth3 (should apply to 0TAX_NUMB used in 0VENDOR):
  0TAX_NUMB = all values and only for vendor account group = zzz
  Auth4 (should apply to 0TAX_NUMB used anywhere other than 0VENDOR, for example, as I said above its also used in 0CUSTOMER and may be used elsewhere in future):
  0TAX_NUMB = all values
  Do I also need to add 0CUSTOMER here? unable to visualize!!!
  Also, 0TAX_NUMB and Vendor account group will have colon authorization.
  So, at this time I am not sure how this will impact other queries with following scenario(s):
  User1 has auth1:
  Here, User1 can see tax_numb values for vendor act grp XXX, thats good, so far.
  But can user see query results where tax_numb is not used but would like to see all vendor account group related data (or other than value XXX)?
  User2 has auth4:
  Since this auth has blanket tax_numb, can user2 see all values for tax_numb used in 0CUSTOMER (which he/she should) and also in 0VENDOR (he/she should not)...
  And what about queries that do not have 0TAX_NUMB (but infoprovider has)? Colon auth on TAX_NUMB & Vendor act grp would resolve this?
  I appreciate your thoughts on this. We are BW 7.01 (Ehp1), SPS10.
  Regards
  -Bala
  Edited by: Bala Shetty on Dec 15, 2011 12:02 AM
  Edited by: Bala Shetty on Dec 15, 2011 12:04 AM
  Edited by: Bala Shetty on Dec 15, 2011 12:05 AM
  Edited by: Bala Shetty on Dec 15, 2011 12:09 AM

  Thank you Sushant.
  I am aware of these notes and provide basic information and also usage of value restrictions. I am looking for usage of different combinations for multiple characteristics (especially the attributes of master data)....
  Regards
  -Bala

• Analysis Authorization and relates issue

  Hello all,
  I am in the midst of designing authorizations using RSECADMIN transaction.
  We have a set of 50 different queries.
  In our cube, there are 5 different characteristics, which are authorization relevent.
  So, in RSECADMIN, i have created one analysis auth role, included all special and authorization relevent characteristics and maintained the appropriate values.
  But when i execute the queries,the desired output is not coming.
  - Do i need to create authorization varaibles and included in all my queries ?
  - Without including the auth.variabes in queries, is there any other way to restrict the users ?
  I though, by assigning the parameters in RSECADMIN, the query will automatically filter the data.
  Can you pls help ?
  We are on SP19.

  Hi,
  First of all, The query is always based on a InfoCube. Now, you have 50 different Queries which is based on this InfoCube if I am not wrong as you are not getting any authorization error.
  For a query to run, the user should have access to 1. Query, 2. Infocube and 3. Data(All Auth Relevant + 4 Special Objects)
  Authorization relevant objects are for an InfoCube which means that these objects are important or key fields for the infocube.
  You say that in your case, you have 5 Auth relevant objects which means they are important. But please note that there are more infoObjects in that InfoCube.
  Now, when you go to the query design, you can restrict on any object in the InfoCube but it makes more sense that you do it on one of those authorization relevant objects as you have to specify that in the Analysis Authorization where the system can pick up the data easily and give the output.
  Again, on the query design, if you have designed the query with processing type "Authorization", then it would automatically pick up (What you mentioned as automatic filtering) the value from the Analysis Authorization which is contained in the user's role for that query which otherwise gives a wide variety of options to chose from where the user has to choose the correct one.
  To get the desired output, all the correct variables should be included in the query and user should have access to all the three mentioned above.
  May be this gives a clear picture.
  Regards,
  Prasanna
  Edited by: Prasanna Nagaraja on Sep 11, 2009 11:40 PM

• BI 7.0 Analysis authorization creation issue

  Hi,
  We are prototyping the new analysis authorization concept have a question regarding the build.
  We've had the BI execute the pre-implementation tasks (activate the business related content and OTCT* and OTCTA* infocbues and and OCTA* infoCubes).
  There aren't any custom reporting objects to carry over since the queries were previously just secured by the S_RS_ICUBE Administrator Workbench - InfoCube with specific values for the Infocube. Since this object is no longer checked in query processing, is it a correct statement that the characteristic 0TCAIPROV (InfoProvider) should be populated with whatever values were listed in the S_RS_ICUBE object for the InfoCube field?
  We built an anslysis authorization via RSECADMIN per the requirements below and executed it with a test user ID assigned the regular reporting roles (with access to the queries).
  0TCAIPROV     InfoProvider     EQ          "Value 1"     
  0TCAACTVT     Activity                     EQ     03
  0TCAVALID     Validty Date          
  0TCAIFAREA     InfoArea          *
  However, when executing the query as this test user, we received a "you are not authorized messsage".  The trace didn't show detailed information, so we executed the same query with another user ID that was assigned 0b1_all and obviously could execute successfully.
  Is it correct assume that all the characteristics that were checked in the trace are authorization relevant for the query? we added the characteristics with full authorization and still couldn't execute. In addition, when checking these characteristics via RSD1, they weren't makred as authorization relevant, yet they still appeared in the trace.
  Is there something else that is misisng in the analysis authorization? I checked the characterics for variables and none were defined.
  Any troubleshooting tips would be appreciated.
  Thanks in advance

  Hi Julie,
  0TCAIPROV should have values of infoprovidors ( infocubes) that you want the user to have access. If you dont want to restrict it by infoprovidors then you can give a  ' * ' for 0TCAIPROV  CP value ' * '.
  Also make sure when you run the query it is not looking for any other infoobjects which have been made Auth relevant.
  You can actually see the error log for queries
  Go to RSECADMIN --> Analysis tab  --> click error logs --> click configure log recording --> enter the test id and save. Now you do the test using the test id for query. Then come back and see the log for the test user and it will tell you what went wrong. Please let me know if you have any questions.
  Thanks,
  Karthik Kiran

• Issue w RSCUSTV23 Analysis Authorization System after upg from BW3.5 to BI7

  We set it to "Obsolete Concept with RSR Authorization Objects" and we do no understand why from the suddenly changes to
  "Current Procedure with Analysis Authorization" from no where - any ideas why from the sudden this changes by itself?
  still were not not migrating our security to the new version...we will do it around april...but in the meanwhile i would like ot understand why is happening by itself.
  thanks,

  Note that the logging will probably only help you if you activate it in the transport tool profiles (STMS) as it sounds to me as if imports of the customizing are making this setting.
  Did you set the value in DEV and transport it through or did you use one of the "BW utility reports" to change it (in which case you do not always have change documents and inconsistent customizing is "by design"...).
  Cheers,
  Julius