BI Security: Hierarchy reporting authorizations

Hi Guys,
  I have created hierarchy authorization object in RSECADMIN. Included this object in role and assigned
  this role to user. I have four reports in FI. In this four reports this heirarchy authorization is working for
  three reports as per the requirement but the one report is not working. It is showing the message
  " Need authorization". This report also has to show the required hierarchy node.
    Today  I have included one DSO in the same multi provider. Now all reports are not working for the
authorized users. It is showing the message "No authorization". Till now I haven't generated the
authorizations in RSECADMIN. Is this the problem? I tried to generate the authorizations in
RSECADMIN it is showing below error messages.
InfoProvider ZM_FIAM01 does not contain the required characteristic 0TCTUSERNM
InfoProvider ZM_FIAM01 does not contain the required characteristic 0TCTAUTH
InfoProvider ZM_FIAM01 does not contain the required characteristic 0TCTADTO
InfoProvider ZM_FIAM01 does not contain the required characteristic 0TCTIOBJNM
InfoProvider ZM_FIAM01 does not contain the required characteristic 0TCTHIENM
InfoProvider ZM_FIAM01 does not contain the required characteristic 0TCTHIEVERS
InfoProvider ZM_FIAM01 does not contain the required characteristic 0TCTHIEDATE
InfoProvider ZM_FIAM01 does not contain the required characteristic 0TCTNIOBJNM
InfoProvider ZM_FIAM01 does not contain the required characteristic 0TCTNODE
InfoProvider ZM_FIAM01 does not contain the required characteristic 0TCTATYPE
InfoProvider ZM_FIAM01 does not contain the required characteristic 0TCTACOMPM
InfoProvider ZM_FIAM01 does not contain the required characteristic 0TCTTLEVEL
Please suggest me if I messed any thing.
Thanks
Prasad

Hi Zaheer,
Hi Aduri,
Thanks for your response.
I tried to execute the user with logs in RSECADMIN. Here it is showing the error
message "Authorizations missing for aggregation (":")".
I have included 0TCAACTVT, 0TCAIPROV, 0TCAVALID, 0PROFIT_CTR, 0CO_AREA and
0ASSET__0PROFIT_CTR in authorization object.
I checked the relevent SAP not " Note 1140831 - Colon authorization during query execution ". In is
saying to Restrict the characteristic in the query to a certain selection (single value, interval, hierarchy
node, and so on) and authorize this selection explicitly.
Thanks
Prasad

Similar Messages

  • Security:   use of authorizations

    We have several fields that we secure on and they are used in multiple cubes but the security is not checked in each cube.  For example, company code is in HR cubes and financial cubes.  The main HR security is on country grouping/personnel area and the financial cubes are secured by company code.  The old solution allowed us to configure the system so the HR cubes are not secured by company code and the financial cubes are.  How do we do that with the new solution?

    hi Eric,
    check if nw security guide doc helps, seems old authorization still can be used, recommend switch to new concept
    http://help.sap.com/saphelp_nw04s/helpdata/en/41/845cdb9c548b419ee4e089841f1b6c/frameset.htm
    new concept 'anaylis authorization'
    http://help.sap.com/saphelp_nw04s/helpdata/en/66/019441b8972e7be10000000a1550b0/content.htm
    If you have done an upgrade to SAP NetWeaver 2004s, you can decide whether you want to continue to use the current reporting authorization concept or switch to the new, more user-friendly concept for analysis authorizations.
    SAP recommends that you switch to the new concept so that you can benefit from the new options and easier administration.
    By default, the new concept is active and support will no longer be provided for the old concept.
    Complete compatibility between the two concepts is not possible. For this reason, existing authorization concepts have to be converted. Migration has to be completed manually or using a tool. In any case, it requires manually reworking afterwards.
    Prerequisites
    You indicate characteristics that you wish to protect as authorization relevant in InfoObject maintenance.
    In principle, all authorization-relevant characteristics are checked for existing authorizations when they occur in a query. For this reason, you should avoid designating too many characteristics as authorization relevant so that you can keep the administrative efforts to a minimum and keep performance good.
    Features
    Analysis authorizations are not based on authorization objects. Instead you create authorizations that include a group of characteristics. You restrict values for these characteristics.
    The authorizations can include any authorization-relevant characteristics and treat single values, intervals and hierarchy authorizations the same. Navigation attributes as well can be indicated as authorization relevant in the attribute maintenance for characteristics and can be transferred into authorizations as characteristics.
    You can then assign this authorization to one or more users.
    All characteristics indicated as authorization relevant are checked when a query is executed:
    A query always selects a set of data from the database. If authorization-relevant characteristics are part of this data, you have to make sure that the user who is executing the query has sufficient authorization for the complete selection. Otherwise you will receive an error message indicating that the authorization is not sufficient. In principle, the authorizations do not work as filters. Very restricted exceptions to this rule include hierarchies in the drilldown and variables that are filled by authorizations. Hierarchies are mostly restricted to the authorized nodes, and variables that are filled by authorizations act like filters for the authorized values for the affected characteristic.

  • Webi 4.0 using SAP BW old security model (old authorization concept in BW)

    Hi experts,
    we are facing a problem with a new customer, using SAP BO 4.0 - Webintellingence on top of a SAP BW 7.0 EHP1.
    The customer is still running the old security concept in BW. The hint to upgrade SAP BW to the new reporting authorization will be done, but not within the next half year.
    Could that be a major problem to run this combination (BO 4.0 (Webi) and the old security concept) particularily on hierarchie authorization.
    Thanks in advance for a quick answer.
    Thomas

    (1) BEx queries already in use by the business users are from the BWP and those same queries may or may not exist in BWD or BWT as some business users create BEx queries directly in the BWP.
    1). As I told you earlier, design is purely  based on Requirement and Process also needs to be followed.
    Bex can be created directly in the production, but if query goes wrong or fetches wrong data, don't you think business people will get frustrated. If you or team can explain the process, then Yes you can directly work on Production (just my view)
    (2) Even if those queries do exist in entire BW landscape, including BWD, BWT, and BWP, only BWP has the data that business user can count on. BWD has no data and BWT has only sample data where as BWP has actual and complete data.
    Running the query is BWD or BWT is just for testing, example incase of BOBJ upgrade, you need to do in 577 and test before prod rite.
    3). I can create reports in 577 in connection with BWD to maintain consistency in the schema for both the environments. Upon approval and migration to 578 I know that I can change the underlying connection from BWD to BWP and that would work just fine, however, according to the business users, the auditors would not like the idea in light of SOX compliance and may not approve the methodology.
    You have answer in your question (SOX) and Business also like to follow the process (atleast in the companies, I have seen)
    Just my view...

  • HT2204 I don't remember the answers to the security question to authorize my new laptop to use iTunes. How to sort this problem?

    iTunes requires me to answer to a couple of security questions to authorize me to use it on my new mac book pro, but I don't rimember the answer to them. I can I sort out this problem?
    Thank you for helping...
    Danila63

     Account Security Team (AST) 
    Check the AppleCare number for your country here:
    http://support.apple.com/kb/HE57
    Call them up, and let them know you would like to be transferred to the Account Security Team.

  • BW report authorization for restrict cost center

    dear all,
    i have problem on BW report authorization for restrict cost center.....when i execute the query, after selection screen, appear error message 'you cannot change zv_cctr for characteristic 0COSTCENTER during query'.
    note : zv_cctr is variable restriction for costcenter, type processing = customer exit.
    below the customer exit :
    WHEN 'ZV_CCTR'.
        IF i_step = 2.
          DATA : gt_mstuidvscc TYPE TABLE OF  ztbw_mstuidvscc,
                 gs_mstuidvscc TYPE  ztbw_mstuidvscc,
                 wa_final2(10) TYPE c.
          SELECT * FROM ztbw_mstuidvscc INTO CORRESPONDING FIELDS OF TABLE gt_mstuidvscc
            WHERE userid = 'sy-uname'.
          LOOP AT gt_mstuidvscc INTO gs_mstuidvscc.
            wa_final2 = gs_mstuidvscc-kostl.
            l_s_range-opt = 'EQ'.
            l_s_range-high = wa_final2.
            APPEND l_s_range TO e_t_range.
          ENDLOOP.
        ENDIF.
    Regards,
    Tony

    i defined variable as ready for input and mandatory.
    regards,
    Tony

  • Hierarchy Analysis Authorization does not work after transport

    Hi Gurus,
    I am facing a issue in hierarchy analysis authorization in quality system but the same authorization works perfectly fine in development.
    All hierarchy authorizations works in Quality except for this one. I found one old sap note describing this as program error but this note is not applicable in BW 7.3.
    I have checked the table RSECVAL, RSECHIER and authorization is active so everything looks good. Please advise if anyone faced this issue after transporting hierarchy auths to other systems
    Regards,
    Salman

    Salman,
    What I understood from your description is that you have same role+AA in Dev and QA, which provides access in Dev for all the nodes for said hierarchy but in QA, same role+AA provides access to the same hierarchy for all the nodes but one. Try to create a ZTEST analysis authorization in QA itself with access for the problematic hierarchy node and see if it works ? This will rule out the case if there is a difference in hierarchy in DEV & QA.
    Regards,
    Shivraj Singh

  • Custom secure views report is not restricting the data

    Hi,
    I have created few custom secure views reports and in which I have used the per_people_f , per_assignments_f secure views but when I am running this report from different responsibilities like (US Resp, UK Resp) it is producing the same number of records. From US resp it should produce the US employees and from UK it should produce the UK employees but this is not happening currently.it is a simple sql script which I registered as sql*plus executable.
    Can any one suggest if I am missing some thing? Urgent help would be appreciated.
    Thanks,
    Ashish

    Pl post details of OS, database and EBS versions. How have you implemented security ? What kind of concurrent program are you using ? Pl provide details. Also see these MOS Docs
    How To Enable Hr Security on Custom Reports?          (Doc ID 369345.1)
    Understanding and Using HRMS Security in Oracle HRMS          (Doc ID 394083.1)
    Need Custom Security Profile To Restrict Based On Employees Organization          (Doc ID 445142.1)
    HTH
    Srini

  • Reporting authorization issue after BI 701 05 EHP1 upgrade

    Hello,
    We have recently upgraded our BI 7.0 to BI 701 EHP1 with 05 patch level. After this we had a problem with reporting authorizations for a report (query), which has created under Virtual Infoprovider.
    Earlier the report use to be execute perfectly with authorizations S_RS_ICUBE object with Act 03, Subobject DATA, but after upgrade to EHP1, while executing report its throwing a error pasted below.
    =============================================================================================
    "Diagnosis
    Errors occured while reading a VirtualProvider outside the BI system. Check whether the previous error messages contains any information about the possible cause of this error.
    It is possible that the error message can not be displayed because the error message class does not exist in the BI system. If this is the case, only the name of the error class and the message number are displayed. View the error class in the source system of the VirtualProvider.
    System Response
    Procedure
    Since the error is not necessarily in the BI system, there is no specific procedure for resolving it. With VirtualProviders, problems often occure with the connection to the system; these can lead to system termination. If the code for the VirtualProvider is not from the SAP, contact the relevant person to help resolve the issue.
    If an SQL error is listed in the previous message, see the procedure for SQL errors."
    ===============================================================================================
    After running st01 trace we identified the missing authorization is S_RS_ICUBE with Act 03, subobject DEFINATION.
    Here please tell why is the subobject check is performed to execute a report (query), as this is happening after EHP1 upgrade, so let me know if anyone had any clue on this ...
    Thanks

    Hi Martin,
    Thanks for reply.
    The assumption what you made are correct, but these are the possible reasons only. Is there any specific note or any info from sap that these changes came due to the new release change, so that i can tell my manager clearly.
    And I am not sure whether this is impacting the reports which using the VirtualProviders (Virtual CUBE) in place. If you could get bit more information that will be helpful...Thanks in advance.
    Sridhar

  • Function Security Menu Report in Oracle 11i -- URGENT NEED!

    Is there a way that I can run the Function Security Menu report in Oracle 11.5.10 for all responsibilities at the same time? We currently have 175 active responsibilities in the system.
    We also have to provide this info to auditors on a quarterly basis, and it would be great if I didn't have to run this report for each active responsibility. Is there any SQL Script avaliable for this?
    Any help would be very much appreciated?
    Thanks!
    FZ
    Edited by: 993391 on Mar 12, 2013 10:28 AM

    993391 wrote:
    Is there a way that I can run the Function Security Menu report in Oracle 11.5.10 for all responsibilities at the same time? We currently have 175 active responsibilities in the system.
    We also have to provide this info to auditors on a quarterly basis, and it would be great if I didn't have to run this report for each active responsibility. Did anyone wrote any custom queries to pull this information out for all responsibilities or any help would be very much appreciated? Have you checked the code in (Checking Functions Associated with a User Menu or a Responsibility [ID 948512.1])?
    Thanks,
    Hussein

  • Abt Hierarchy Reporting

    Hi ALL,
                We have uploaded data from Flat file to hierarchy using IDOC transfer method , data transfered successfully to hierarchy.
    The hierarchy contains following structure ,
    SALES REGION----->> SALES OFFFICE -
    >>SALES REP ID .
    While Creating Hierarchy Report , in query designer we drag the SALES REP ID to rows and right click the
    SALES REP ID -
    >>Properties -
    >> Hierarchy -
    >>Expand Level=10---->ok ... Given
    Note: Hierarchy is active...
    But Still Query  doesnt contain any data in output .
    What is the Reason ??
    Thanks n Advance

    Hi,
             Thanks for the Answers...
           1). The Sales Rep ID is available at infoprovider level ..
           2). We have removed the hierarchy in the query properties , and use Sales rep id alone  in rows and reported but the report doesnt fetch any data ...
            3). In RSH1 we have seen Our Hierarchy Structure presented ...
    need further answers ......
    thanks ....

  • Reporting authorization in BW 3.5: use of colon ":"

    Hello,
    we are using in our BW 3.5 system a reporting  authorization object ZAUTHOBJ. ZAUTHOBJ is defined on exactly one InfoObject ZINFOBJ (e.g. country).
    Some of our users have the following authorization
       ZINFOBJ = :
    so that they  view the values of an KYF aggregated with the characteristic ZINFOBJ. They cannot drill down to a certain value of ZINFOBJ, e.g. by filtering to a specific value.
    We are facing the following problem:
    If the user with the ":" authorization defines a query with an excluding filter on ZINFOBJ, e.g. excluding certain values, the query aggregates the KYF on the remaining values of the characteristic ZINFOBJ.
    So by this "backdoor" the user can find out the KYF of specific ZINFOBJ values.
    Is this a feature or a bug of SAP BW?
    Best regards
    Lothar

    Hi,
    We can think it as Back door or we can say We are misusing the concept of : in authorization.
    If we have to use ZAUTHOBJ = :, in any case we are not going to give Country as the free characterstic , Part of rows, and filter area.
    That means noware we use the country in the query.
    With rgds,
    Anil Kumar Sharma .P

  • ALV HIERARCHIAL REPORT

    Dear Experts,
    Can anyone tell me how to create a ALV Hierarchial report with one HEADER table and multiple ITEM(child) tables.
    thanks & regards,
    gautam

    Hi you can tray review this code for a example i found in the web and help me:
    REPORT Z_TEST_HIESEQ_REPORT.
    TABLES: ekko,ekpo.
    * selection option
    SELECT-OPTIONS s_ebeln FOR ekko-ebeln.
    TYPE-POOLS:slis.
        * define header table and item table
    DATA: BEGIN OF headertab OCCURS 0,
              ebeln LIKE ekko-ebeln,
              bstyp LIKE ekko-bstyp,
             bsart LIKE ekko-bsart,
             statu LIKE ekko-statu,
             END OF headertab.
        DATA: BEGIN OF itemtab OCCURS 0,
        ebeln LIKE ekpo-ebeln,
        ebelp LIKE ekpo-ebelp,
        matnr LIKE ekpo-matnr,
        werks LIKE ekpo-werks,
        menge LIKE ekpo-menge,
        netpr LIKE ekpo-netpr,
        peinh LIKE ekpo-peinh,
        netwr LIKE ekpo-netwr,
        END OF itemtab.
        DATA: i_fieldcat TYPE slis_t_fieldcat_alv.
        DATA: v_repid LIKE sy-repid.u201Ccurrent program name
        DATA: g_tabname_header TYPE slis_tabname,
        g_tabname_item TYPE slis_tabname.
        * data connect header table and item table
        * we can set 5 field as foreign key at same time
        DATA: gs_keyinfo TYPE slis_keyinfo_alv.
        INITIALIZATION.
        v_repid = sy-repid.
        START-OF-SELECTION.
        PERFORM get_data.
        END-OF-SELECTION.
        * get field catalog of header table
        CALL FUNCTION 'REUSE_ALV_FIELDCATALOG_MERGE'
        EXPORTING
        i_program_name = v_repid
        i_internal_tabname = 'HEADERTAB'
        i_inclname = v_repid
        i_bypassing_buffer = 'X'
        i_buffer_active = "
        CHANGING
        ct_fieldcat = i_fieldcat
        EXCEPTIONS
        inconsistent_interface = 1
        program_error = 2
        OTHERS = 3.
        IF sy-subrc <;>; 0.
        MESSAGE ID sy-msgid TYPE sy-msgty NUMBER sy-msgno WITH sy-msgv1
        sy-msgv2 sy-msgv3 sy-msgv4.
        ENDIF.
        * get field catalog of item table
        CALL FUNCTION 'REUSE_ALV_FIELDCATALOG_MERGE'
        EXPORTING
        i_program_name = sy-repid
        i_internal_tabname = 'ITEMTAB'
        i_inclname = v_repid
        i_bypassing_buffer = 'X'
        i_buffer_active = "
        CHANGING
        ct_fieldcat = i_fieldcat
        EXCEPTIONS
        inconsistent_interface = 1
        program_error = 2
        OTHERS = 3.
        IF sy-subrc <;>; 0.
        MESSAGE ID sy-msgid TYPE sy-msgty NUMBER sy-msgno WITH sy-msgv1
        sy-msgv2 sy-msgv3 sy-msgv4.
        ENDIF.
        * set the header and item table are connected by pur doc number
        gs_keyinfo-header01 = 'EBELN'.
        gs_keyinfo-item01 = 'EBELN'.
        g_tabname_header = 'HEADERTAB'.
        g_tabname_item = 'ITEMTAB'.
        CALL FUNCTION 'REUSE_ALV_HIERSEQ_LIST_DISPLAY'
        EXPORTING
        i_callback_program = v_repid
        it_fieldcat = i_fieldcat
        i_save = 'A'
        i_tabname_header = g_tabname_header
        i_tabname_item = g_tabname_item
        is_keyinfo = gs_keyinfo
        i_bypassing_buffer = 'X'
        i_buffer_active = ' '
        TABLES
        t_outtab_header = headertab
        t_outtab_item = itemtab
        EXCEPTIONS
        program_error = 1
        OTHERS = 2.
        IF sy-subrc <;>; 0.
        MESSAGE ID sy-msgid TYPE sy-msgty NUMBER sy-msgno
        WITH sy-msgv1 sy-msgv2 sy-msgv3 sy-msgv4.
        ENDIF.
        FORM get_data.
        SELECT ebeln bstyp bsart statu
        INTO TABLE headertab
        FROM ekko
        UP TO 100 ROWS
        WHERE ebeln IN s_ebeln.
        IF NOT headertab[] IS INITIAL.
        SELECT ebeln ebelp matnr werks menge netpr peinh netwr
        INTO TABLE itemtab
        FROM ekpo
        FOR ALL ENTRIES IN headertab
        WHERE ebeln = headertab-ebeln.
        ENDIF.
        ENDFORM. "get_data
    Edited by: Juan Manuel Garcia on Aug 17, 2010 11:29 PM
    Edited by: Juan Manuel Garcia on Aug 17, 2010 11:36 PM

  • How to secure my report i published on the web

    Hi All -
    I installed Oracle10g Reports and forms standalone on my server and successfully published all my reports on it.
    Question:
    Can someone pls tell me how can I secure my reports on the web. looks like anyone can just copy my link and paste it on the web broswer and can open it.
    i.e. http://<server_name>:7778/reports/rwservlet?report=<report_name>.rdf&destype=cache&desformat=html&userid=<user_name>/<password>@<dbname>&paramform=yes
    Also, I did save the user id and password in cgicmd.dat file. But is it possible to have the web page prompt for a user id and password for the database or something everytime i try to open the link...Please respond ASAP..it required...
    Thanks in advance..
    Anuj Sharma

    It is possible to show web page where userid has to be entered before running the report. Please specify "userid=" in the URL or in the command file (cgicmd.dat) to get db prompt. For example,
    http://<server_name>:7778/reports/rwservlet?report=<report_name>.rdf&destype=cache&desformat=html&userid=&paramform=yes
    Other option secure it is either to use OracleAS Single Sign-On or security plugin. For more information on security plugin, refer to Chapter 10, "Securing OracleAS Reports of the Oracle Reports Publishing Reports to the Web" manual, available on OTN: Serviceshttp://www.oracle.com/technology/documentation/appserver101202.html

  • Function Security Menu Report under SYSADMIN responsibility

    Friends -
    Using "Function Security Menu Report" i can able to find out what functions and menus are under particular responsibility.
    But we have nearly 100 responsibilities where i need to submit this requests more than 100 times.
    Is there any SQL Script avaliable for this.
    Please advise on this.
    Regards
    Satish

    Hussein -
    Thank you very much for quick response.
    I am looking for both Menu and Function is there is any SQL Query where i can execute in one report.
    Regards
    Satish

  • Department / Org. unit Hierarchy report

    Hi Team,
    I am trying to pull a department / org. unit hierarchy report that rolls-up, for example if I am an IT analyst, under Service mgmt, ultimately rolling up to IT (org. unit) similiar to PPOME view.
    I did try a FM (RH_STRUC_GET), but could not get the req. details.
    Let me know if there is something like this, that I can use.
    Thanks
    RL

    Hi,
    Please try evaluation path O-O-S-P in report RHSTRU00 as mentioned by semvladigo.
    Regards,
    Dilek

Maybe you are looking for