Combination of analysis authorizations (BI 7.0)

Hello,
authorizations should be set up in BI 7.0 in the following way:
There are users that have limited access to data for parts of the organization (several plants identified by hierarchy or attribute). For these they are allowed to see every product.
On the same time they are allowed to see for some of the products (identified by product group) all plants.
If you draw this in a 2-dimensional (with plant and product on the sides) the data area with access looks like a cross.
In BW 3.5 this was realized and now we want to upgrade to the new concept using navigational attributes rather than using booked values for plant group and product group.
That is why we prefer not to use some kind of compound characteristic joining the plant group and product group values
into one and then restricting access to ABCD* and *WXYZ (which has been proposed by some consultants).
Any idea?
Kind regards

I do not know, whether i understood your question correctly or not.
If this is your case
Organization ,                Product
Plant 1         ,                A, B
Plant 2          ,               C, D
The Plant1 guy should be able to access both 'A' and 'B'. And also he should have access to 'C'.
Then you should create two analysis authorizations.
Organization = Plant1   and Product = *
Organization = Plant 2 and product = 'C'.
Hope this is clear.
Ravi

Similar Messages

BW Analysis Authorization on two charcteristics issue

I am familiar with analysis authorizations in BW 7.0 and worked on it.
Today we have blanket authorization (RSECADMIN) for 0TAX_NUMB = *. Meaning user who has this auth/role can see values (from where ever 0TAX_NUMB is used, all company codes etc). And as you might know 0TAX_NUMB is used in 0VENDOR & 0CUSTOMER master data (as an attribute). This works well, because its easy
Now, new requirement is to create more strict analysis authorizations for 0TAX_NUMB based on other characteristic values.
Auth1 (should apply to 0TAX_NUMB used in 0VENDOR):
0TAX_NUMB = all values and only for vendor account group = XXX
Auth2 (should apply to 0TAX_NUMB used in 0VENDOR):
0TAX_NUMB = all values and only for vendor account group = yyy
Auth3 (should apply to 0TAX_NUMB used in 0VENDOR):
0TAX_NUMB = all values and only for vendor account group = zzz
Auth4 (should apply to 0TAX_NUMB used anywhere other than 0VENDOR, for example, as I said above its also used in 0CUSTOMER and may be used elsewhere in future):
0TAX_NUMB = all values
Do I also need to add 0CUSTOMER here? unable to visualize!!!
Also, 0TAX_NUMB and Vendor account group will have colon authorization.
So, at this time I am not sure how this will impact other queries with following scenario(s):
User1 has auth1:
Here, User1 can see tax_numb values for vendor act grp XXX, thats good, so far.
But can user see query results where tax_numb is not used but would like to see all vendor account group related data (or other than value XXX)?
User2 has auth4:
Since this auth has blanket tax_numb, can user2 see all values for tax_numb used in 0CUSTOMER (which he/she should) and also in 0VENDOR (he/she should not)...
And what about queries that do not have 0TAX_NUMB (but infoprovider has)? Colon auth on TAX_NUMB & Vendor act grp would resolve this?
I appreciate your thoughts on this. We are BW 7.01 (Ehp1), SPS10.
Regards
-Bala
Edited by: Bala Shetty on Dec 15, 2011 12:02 AM
Edited by: Bala Shetty on Dec 15, 2011 12:04 AM
Edited by: Bala Shetty on Dec 15, 2011 12:05 AM
Edited by: Bala Shetty on Dec 15, 2011 12:09 AM

Thank you Sushant.
I am aware of these notes and provide basic information and also usage of value restrictions. I am looking for usage of different combinations for multiple characteristics (especially the attributes of master data)....
Regards
-Bala

Analysis Authorization

We have a need to restrict the majority of our users from seeing transactions of few business accounts. The restricted accounts can be based on a specific gl account, fund range, or they can be a combination of a fund and cost center (or fund and fund center). Until we become more familiar with this process, we are only concerned with 0FUND and it's restricted ranges, so below my question is just about 0FUND..
We need to explore and understand what abilities analysis authorizations give us. I have done a lot of reading, but so far all of the pieces are not falling into place. I am on the BW team and working with the security team to get this accomplished. At this time whereever 0FUND is located in an existing authorization, it has a "*" to indicate the user gets all values. We have already gone live; will every authorization currently in use with 0FUND have to be changed? Is there a detailed How-To located somewhere?
thank you in advance for your help.
LLK

Hi Linda,
SUIM - User Information System is a TRANSACTION CODE. (Its not SUM)
Execute SUIM and follow the path mentioned below:
SUIM -> User -> Users by complex selection criteria -> Users by complex selection criteria. In the Authorization object field mention S_RS_AUTH and in the field mention the name of the analysis authorization which you want to search for.
The output would be users who have access to the analysis authorization that you gave in the search criteria.
Since in your case there would be a lot of analysis authorizations with * in 0FUND, it would be better to identify the roles first and then the users assigned to these roles.
You can identify the roles by browsing the table SE16. Just give the object name and all the analysis authorizations in the multiple selection on appropriate fields. Then use SUIM to identify the users who have access to these roles.
SUIM -> User -> Users by complex selection criteria -> By Roles.
You can also display the roles in this report by pressing the Roles button at the top. Apply filter to restrict the roles to your identified roles.
Thats it !
Regards
Sachin

Analysis Authorization Migration Question

Analysis Authorization Migration Question
This is detail Question
1) I am testing Analysis Authorization Migration in NW2004s SP9 and have applied all OSS notes that are relevant to SP09 and are coming in SP10.
2) We have 2 Info object flagged as Authorization relevant 0COMP_CODE and 0COSTCENTER
3) We have Object level security set-up in BW 3.x system and for a role we have specified values like 0COMP_CODE has value 1000, 1800. :. In the same role we have specified 0COSTCENTER value 130001 to 180001, : and hierarchy node.
4) When we migrate to Analysis Authorizations, using RSEC_MIGRATION, this program creates 2 Authorizations ZCOCODE00 & ZCOSTCTRH00. Both of them have 0COMP_CODE and 0COST_CENTER Objects.
5) ZCOCODE00 authorization gets value 0COMP_CODE values 1000, 1800. : and 0COSTCENTER Value :.
6) On the same line ZCOSTCTRH00 gets value 130001 to 180001, : and 0COMP_CODE :.
1st Question:
1) Why does it create 2 Authorizations?
2) During Checking it does not pass the authorizations, because it seems to me that it fails in Optimization process.
3) I manually merge the authorizations in ONE object then authorization check passes. In other word if I combine ZCOSTCTRH00 & ZCOCODE00 then Query authorization check passes.
Any one is struggling on this.
Please note, I am doing Migration so that it updates existing Profiles (Roles now from SP9).
Any comments will be very help full.
Pankaj Gupta

Hello Pankaj
There are some basic misunderstandings on your side.
Let me try to clarify:
First we should distinguish between migration of authorizations and of what a query does with them.
You had 2 auth objects before migration (in 3.x).
Of course, they must be migrated to 2 new analysis auths.
There is no general possibility to combine authorizations to a single one as the may appear in different roles and users. Moreover this would kill performance and finally, nobody would recognize the origin.
Only in very restricted cases one could think of a combination of auths which come out of migration. But, then people loose overview about what goes on.
Before the corrections in note "Migration IV" the : had not been inserted but now it is for good reasons.
Now, accept for the moment that you receive 2 auths.
Then, you cannnot (must not) combine the 2 resulting authorizations!
Authorization 1
COMP_CODE : 1000, 1300, :
Cost Center : :
Authorizations 2
Comp_Code :
Cost Center : 3100001-31999999; : plus a Hierarchy Node.
This means that e.g. combination
COMP_CODE 1000
COST_CENTER 3100001-31999999
is not allowed!!! Therefore, they must not be combined!
Also, the query and its optimization is comepletely independent of the migration. And here, during query run time the auths cannot be combined. It is no failure!
Moreover, the merging optimization is just a performance optimizaiton and has nothing to do with whether the query result is authorized or not.
If you combine them manually you have authorized different combinations.
Well, now you may wonder why you get 2 auths at all which leads to a "no auth" result in the query execution.
The reason is, that in 3.x where you got a result with your 2 auth objects the modeling was wrong.
If you want to authorize any combination of characteristic values, you should combine these characteritics together in one auth object, not in 2!
(In BI7.0 it works like that but not in 3.x)
But you defined 2 which may be valid even in several other InfoProviders independently and not even at the same time. Moreover, the auth objects may come from different roles and may be assigend to different users which then have completely different auth content. In general it is not possible to combine different auth objects or to find out those special situations which nevertheless allow for such optimizations. If you re-do a migration with more objects and users you could even receive different results which is also not satisfying.
Therefore, instead, the mechanism was introduced to insert a : auth to those characteristics that are auth relevant (and checked now with 7.0) but not in the currently processed auth object.
In you special case it may have made sense to combine them but not in general. And a migration can only try to work as general as possible.
For your application you may combine the 2 auths manually if you want to allow also the crossover combinations
COMP_CODE 1000
COST_CENTER 3100001-31999999
Best regards
Peter John
BI Development

Analysis Authorization (Role, Profile and Direct Assignments)

Analysis Authorization Question:
1) In BW 3.x environment, customers have used Role Maintenance Process to assign proper object level security and then assign to the users.
2) Most of the places R/3 security team takes over support/administration function of BI Security and they continue to use Role method to assign Reporting Authorizations as per the process defined in BW 3.x system.
3) Customer sometime have 100 + Roles to have 3.X Reporting Authorizations. This is Managed, assigned, approved using role concept.

Migration Options:
1) New Analysis Authorization makes process of Role Maintenance like "hierarchy authorizations" of BW 3.x. You have to create Value in other transactions and assign them in Role as a pointer or link object. With Analysis Authorization concept, Actual value of the Object Assigned Like Company code 1100 not visible in Role Maintenance PFCG transactions. It is only visible in Transaction code RSECADMIN.
2) Analysis Migration Tool - RSEC_MIGRATION does not update ROLES. It creates or changes PROFILES.
3) Profiles are assigned to the users and Roles does not reflect any Impact by Analysis Authorization migration.
Questions
a) This means customer need to update all the roles by hand. If they want to use Roles to manage the assignment of the Security to users. Migration Tool does not update Roles, it only updates PROFILES.
b) Does any one use direct assignment to Users? It is good business practice?
c) Is Profiles recommended method of Authorization Maintenance?
d) Can we run migration tool to create Analysis Authorizations, but not assign to the users as a Profile. But stop at creating Analysis Authorizations. If Customer wants to use Roles maintenance process then, they can do not have delete profile assignments from all users before updating Roles using Analysis Authorizations.
Just want to check how other folks have done migration that can be supported going forward.
Pankaj Gupta

Hey Pankaj,
In general, assigning the analysis authorization directly to user makes a lot of sense for granular levels of authorization. For example, if you had 3,000 users, 3,000 specific authorization combinations, and 3,000 roles, using roles is a lot of additional overhead. If you had 12 roles and 3,000 users, your role concept makes a lot of sense.
Therefore, the recommendation is that it varies on what makes the most sense logically. Authorization groups can be created to group analysis authorizations and combine them. Also, you have the ability to generate analysis authorizations using the Content Datastores for this. That is an option as well.
RSEC_MIGRATION does use profiles as you've stated. If you want, there would be manual work to convert to roles afterwards. In case you haven't seen Marc's presentation on security, it's pretty good and covers how to generate authorizations from the datastore.
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/media/uuid/ac7d7c27-0a01-0010-d5a9-9cb9ddcb6bce

Analysis Authorizations Issue (BI 7.0)

Dear Colleagues,
I have a question regarding BI 7.0 Authorizations. What happens when a cube is created from an Infoprovider in which Company Code (to use an example) is marked as authorizations relevant, but that infobject is not used. That is, the cube gets data from that Infoprovider, but the data retrieved has nothing to do with Company Code. When a query is created from this cube, will the user be required to have authorizations for the company code of the information he's retrieving or will she/he be able to see all the information?
Thanks in advance for your help.
Best regards,
CMPT

Hello,
I think I understand your question?
If you have characteristic company code marked as authorization relevant...
You have two basic info cubes, one with company code A and one without company code B.
You have a multi cube combining characteristics from both basic cubes (including company code).
If you execute a query written against the multi cube but extracts data only from basic cube B (without company code), will you need to have an analysis authorization with company code defined?
If this is your question, then Yes, you do need to define company code in the authorization (assigning value # should be sufficient).
KR
Andy

Problem wih analysis authorization for two scenarios on same data provider

Dear all,
I am looking for a solution on the following authorization scenario (using the new analysis authorization). Unfortunately everything that I tried did not work out as expected:
User A is allowed to manually access query 1 (based on cube A) with authorization on all sites A-Z
The same user A shall get an email distribution automatically (derivation of the filter in the query out of the authorization) for query 2, which is as well based on cube A, but this time the authorization shall be limited only to site A.
As both queries are based on the same infoobject (0PLANT) and the same infoprovider (0TCAIPROV) I always get the result for all sites A-Z. The 0TCAACTVT is in both cases 03 (display), so I have no chance to distinguish between reporting and email distribution.
Probably the only chance would be to derive the values for the email distribution scenario not from the authorization directly, but using a customer exit to fill the filter - but I would prefer a "standard" solution...
Any ideas??
Thanks,
Andreas

Dear Andreas,
Before give you an alternative for you problem, Iu2019d like to comment the combining authorization concept:
http://help.sap.com/saphelp_nw70/helpdata/EN/46/98cd87f37d19ace10000000a11466f/frameset.htm
For this reason I suggest you which combing restriction through authorization and query filter. For query 2 try to use in 0PLANT characteristic the single value u201Csite Au201D, this restriction give you only authorization for see this value.
Otherwise, you have to use customer exit.
I hope that alternative help you to find a solution,
Luis

How to implement complex analysis authorizations in simple way

Hi All,
I need to create some analysis authorizations with long list of single values for a characteristics. For example, we have multiple set up of company codes (APAC, EAME, AMERICAS, etc) and each set contains 150 - 200 company codes in it. Now we have multiple combinations of company code set and geographies. In short, we will have multiple analysis authorizations and each will have one or two set of company codes and some geographies.
I can create the analysis authorizations for the first time, by putting individual values in the respective characteristics. That would be a big task but can be done. But the problem is about ongoing maintenance. In future, if a new company code is added to lets say APAC companies, then we will have to update all analysis authorizations which contains APAC company code and that would be huge number of AAs due to the complexity of business architecture.
Could anyone please suggest if it is possbile (and how) to do below or similar, or have any other better approach (using BW7.4)
- We would create a group (or set) of company codes. Lets say would create a group APAC_Comp_Code and add all APAC related company codes in it. This would be repeated for all set of compant codes.
- While creating analysis authorizatons, I would not assign any individual company code value in characteristic, instead put APA_Comp_Code inside the characteristic 0COMP_CODE.
- If I need to put multiple set of company codes inside 0COMP_CODE, I will just put the corresponding group name, not the invidual values.
The benefit would be that in future if I need to add a new company code to APAC, I would just have to update this group APAC_Comp_Code. I will not have to maintain the analysis authorizations.
Please let me know if this is possible or if there is any other way to implement the requirement with simpler maintenance.
Thanks
Nitesh Gupta

Hi Nitesh,
From what you describe, this would be a good case to use variables in your analysis authorisations. You can specify a variable value for the BUKRS field and have a couple of options to populate the values which are picked up in the query execution.
You will need to ensure that you activate the istep to read customer exit variables and have the query variable set as customer-exit. Once those are complete, you can create a custom table to maintain the mapping of groups to company codes, or to read the company codes directly from your ERP system (if you want to base authorisations on what the users can see in ERP) and populate the table with those values.
However you populate the value to the variable, I think this approach will get you closer to minimal maintenance going forward. Enhancement RSR00001 should be implemented, some help documentation for this below
http://help.sap.com/saphelp_nw70/helpdata/en/1d/ca10d858c2e949ba4a152c44f8128a/content.htm
Hope this helps,
Tom

BW BEX Queries and Analysis Authorizations

Hello....
Have an opportunity with BW BEX queries and Analysis Authorization...would like to see if anyone has had the same experience and if so is there a answer....
1) given a query....
2) given a analysis authorization with a info-object that has intervals defined to be both single values and ranged values
the following happens...
after the query is fired the starter screen appears...the info-object in question appears with the defined single values only....if....the window is opened....again only the single values appear...the range values do not appear...once the query is executed the only results given are those for the single values...
also if you re-fire the query and manually enter a valid value for the info-object that falls with-in any of the range values no result is given...even if there is data for it....the reponse given is no data found....
NOW...if the single values, for the given info-object, are removed from the Analysis Authoriization then the range values appear and work....
Is this a problem within in the query...or...is this a "feature" of the query...and thus must be "lived" with...
Terry
PS...this problem currently only happens if the window for the info-object allows for multi-selection....this problem does not occurr when the window only allows for one selection...

Hi,
This is a known problem with analysis authorization and multi selection IO selection criteria.
When you define the analysis authorization with ranges and when you try to enter single values on the selection critera of the query, then the system shows zero data.
You can run the query without entering any selection values for the IO in question only.
I have tried several combinations and still encountering the same issue.
Ravi

Analysis Authorization in BO 4.0 Webi report

Hi All,
I am using BO 4.0 and creating connection from Information Design tool to a BW query using BICS client. This connection is then published to CMC.
We are using SAP authentication and importing the roles from BW system. We have added profiles to this role and these profiles have Analysis Authorization set on Company Code. So one user can access data to one company code and vice versa. Now this works well in Bex Analyzer, but if I try to create a report in Webi, the analysis authorization fails. I went through the forum before posting this question and I found that is in 3.1 version and in most cases using SSO in universe connection solved the problem.
However in 4.0 I am using BICS client and followed the same processes to create a connection but for some reason it doesn't work ? Is this suppose to work differently in 4.0 ?
I have tried:
1. To create connection in Information Design tool using SSO, selecting user ID and password. It doesn't work.
2. Checked the Bex query and it already has Company code as a Characteristic restrictions (I have made it a mandatory variable).
3. Publish the connection to CMC with my Enterprise and SAP ID and in both cases it doesn't work.
Please let me know if anyone encountered a similar issue and what is the best method to resolve this.
(BO 4.0 no service pack or fix pack installed on the system yet)
Thanks - Appreciate your help !
Prasad Rasam

Ingo,
1. To create connection in Information Design tool using SSO, selecting user ID and password. It doesn't work.
>> Correct you need to setup you OLAP Connection with SSO.
>>> What I meant was I created the connections using both the methods, Using SSO it allows me to create a connection. The ID which I am using to create a connection has Admin access to BOBJ system. When I login as a regular user to create a Webi report and select this new connection, it throws an error message 'The DSL Service returned an error: com.businessobjects.dsl.services.workspace.impl.QueryViewAnalyzer$CannotGetCubeFromConnectionException: Cannot get the cube from the connection'
Using the other method to create a connection with User ID and password, I can create a connection and with the normal user login I can connect to the BW query but Analysis Authorization doesn't work.
Ingo : Could you be more specific what you mean here with the different users ? When you say "regular" user are you referring to an SAP credentials or SAP BusinessObjects Enteprrise credentials ?
2. Checked the Bex query and it already has Company code as a Characteristic restrictions (I have made it a mandatory variable).
>> The variable in the BEx query needs to be an authorization variable.
>>> This has already been set as Authorization variable. There is still a question here. If I select the variable as Authorization variable, I cannot set the other parameters in the query properties such as Mandatory variable (as this is greyed out).
Ingo : What other parameters would you like to configure ? Could you perhaps describe the scenario with more details ?
regards
Ingo Hilgefort

Analysis Authorization Issue 7.3

Hello Friends,
System BW 7.3, Currently there are 80 odd analysis authorization objects
We want to introduce a new info object (GL Account) to be authorization relevant, ( there are few objects in the system which are already authorization relevant in the system with proper analysis authorization objects and they are working fine)
Things done, made the GL Account object authorization relevant in RSA1, Created 2 analysis authorization objects with GL Account and TCT objects and one with hierarchy restrictions and one open access.
Added this object to the user in addition to its already existing authorization objects. Created authorization variable in BEx.
Some how the authorization is not picked up and it gives us all the values in the report. But if I add the GL Account info object to the existing analysis authorization objects then it works fine.
I do not want to change all the existing analysis authorization objects to add GL Account.
Your inputs are most welcome.
Thanks
Ed.

Gajesh- I have added the new analysis authorization object to the user in RSECadmin.
Subhendu- Problem statement: What are the steps involved in making a new info object(GL Account) authorization relevant. Authorizations are given at hierarchy level. Can we create a new analysis authorization with GL Account only or do we have to add it to every existing analysis authorization
I have done the following steps
1. Made the GL Account object authorization relevant in RSA1,
2. Created 2 new analysis authorization objects with GL Account ( with hierarchy restrictions) and TCT objects and one with GL Account open access.
3. Added this object ( which has restrictions) to the user in RSECADMIN, in addition to its already existing authorization objects.
4. Created authorization variable in BEx.
5. No existing analysis authorization objects have been changed.
When I test the report, It does not restrict based on the hierarchy that I have given, it gives open access.
But If I add GL Account with restrictions to the existing analysis authorization object, it works good.
Guess I am missing some thing here.
Do you need any other screen shots.
Thanks
Ed.

Analysis Authorization Issue

Hi:
I created an analysis authorization ZCO_CODE to trstrict it by a company code.
I added following objects in authorization with values.
0COMP_CODE = 1000
0TCAACTVT = 03
0TCAIFAREA = *
0TCAIPROV = *
0TCAVALID = *
Then I created a role Z:00:BW_REPORT, where I added following authorization objects S_RS_AUTH and restricted it by value ZCO_CODE. Then I assigned this role to a user test01.
When I execute a program RSEC_MIGRATION for this specific user, I do not see authorization object ZCO_CODE on 2nd step of this program. Any Idea Why? I think this object should show up as I want to migrate this specific object.
Help will be appreciated.

Hi Sachin:
Okay here is my issue.
I have a Reporting authorization Object created earlier which is ZCOCODE. I though I'll have to create a new Analysis authorization object e.g. ZCO_CODE and then restrict it with other chars. as mentioned in Marc Bernards presentation and then you have to migrate it.
In selection list I can see old Reporting authorization object. If I select it and use option "Enhance existing profile" then It will update profile and not role? right....
How can I see whether it has updated existing profile?????
Do I need to create new Analysis Auth. for Company code or I can use old Reporting authorization for company code?
For testing purpose, I created a test user and assigned all reporting roles but It will not show up in RSEC_MIGRATION step???

BW Analysis authorization issue on cost center range

Hello BIW security experts
I have a problem where I created an analysis authorization on a cost center range and it looks like the interval is not working. The report is just a list of cost centers (demo to users to prove that analysis authorizations work in order to skip 2 managerial cost centers.
. Cost centers are numeric. Example: 2000100. In the drop down list they appear as such.
. I want to have the following cost center range: 1000000 to 1000771, 1000773 to 2000771, 2000773 to 9999999.
Thereofore 1000772 and 2000772 should not appear in the list.
. In the analysis authorization I have put the 3 ranges above on 3 separate lines. 'BT' is the operator. The cost centers have been selected from the drop down list.
Results: I get only 1 record from the report.... 2000772. (which is one I want to exclude..
Steps tried to debug:
. When I put a list of cost centers in the analysis authorization on separate line with the 'EQ' operator, then the report works.
. I tried putting ' ' delimiters since cost center is a char field but it fails.
. I tried adding leading and trailing zeros to fill up the char(10) but no luck.
. I tried creating a hierarchy with the interval and put it in the hierachy auth. tab and it does not work either. It gives the same number of records than the first step.
. A hierarchy with single values work.
I do not know what else to try..
Thanks.
YB.

Good morning
Here it is from RSECVAL
ZCC_TEST     0COSTCENTER                    I       BT        1000000                                                      1000771
ZCC_TEST     0COSTCENTER                    I       BT        1000773                                                      2000771
ZCC_TEST     0COSTCENTER                    I       BT        2000773                                                      9999999
ZCC_TEST     0COSTCENTER                    I       EQ        #
ZCC_TEST     0COSTCENTER                    I       EQ        :
ZCC_TEST     0INFOPROV                         I       CP        *
ZCC_TEST     0TCAACTVT                        I       EQ        03
ZCC_TEST     0TCAIPROV                         I       CP        *
ZCC_TEST     0TCAKYFNM                       I       CP        *
Thank you for your help.

BW Analysis authorization issue... need help urgently....

We have one BW query which is pulling data from Contract Division info-object. Now this report does not variable selection object so it is pulling data from all values of Contract Division. Values of Contract Division are CNC, CNS, CNE and CNL.
Now we have created an analysis auth. object called z_es_3 and added Contract division info-object. Now we have added that z_es_3 into role and given value to CNS. now when we are running report, we are getting No Authorization error. When we are giving * value in z_es_3, it is running fine.
Now we have to restrict report to contract division. please help.
Thanks in advance

Are you running unrestricted search on Contract division in your queries? You should restrict it to value which is maintained in the authorization for the InfoObject.
Also please run the analysis authorization trace from RSECADMIN. That will give you a clearer picture of what is wrong.

Analysis Authorization based on Hier node with multiple display hierarchies

Hi guys - I've got a problem where s.o. might have an idea of how to switch on the light at the end of the tunnel, I am currently standing in:
Requirement:
Cost Center Authorization should be given through RSECADMIN, reporting should be possible for any hierarchy that exists for the authorization relevant info object.
Preferred solution:
The Cost Center Analysis Authorization should be given through RSECADMIN - Hierarchy node assignment.
u2022     A dedicated Authorization Cost Center Hierarchy will be maintained in ECC6 as an alternative cost center hierarchy and extracted into BW.
u2022     The RSECADMIN Hierarchy node assignment should be based on a particular node (Type 2).
u2022     The display level will be specified as required (here: Level 7)
u2022     The Authorization granted should be independent of hierarchy name and version (validity 3).
Reporting Scenario and technical impact:
As mentioned above, when designing and running a query the user should be able to freely select other (i.e. than the authorization) display hierarchies for the authorization relevant reporting object 'Cost Center' as well. The technical names of the semantically relevant hierarchy nodes could therefore vary. E.g. cost centers 1, 2 and 3, being assigned under hierarchy node u2018Au2019 of the RSECADMIN relevant authorization hierarchy, could be subsumed by hierarchy node u2018Bu2019 in another display hierarchy, which the user may want to display in accordance to his reporting needs. Ideally, the alternative display hierarchy should therefore display node u2018Bu2019.
My findings so far (based on prototyping) turn out that this is not possible as long u2018Bu2019 (and its hierarchy) is not authorized in RSECADMIN. Can these findings be confirmed? And if not, would anyone have an idea of how to facilitate the reporting scenario?
Would there be any other way to grant access, possibly based on RSECADMIN single values, and also enable the user to flexibly display hierarchies with only those hierarchy nodes whose single cost center values the user has been given access to?
Thanks everyone for your input...
Claus
Edited by: Claus64 on Jul 13, 2009 4:10 AM

HI CLause,
On Jul 14 2009, you wrote in SDN and said:
FYI: Found a solution...
The hierarchy analysis authorization will be based on a navigational attribute of cost center.
With analysis authorizations it is possible to declare the Auth object (e.g. 0COSTCENTER__RACCAUT0) as authorization relevant and leave the superior object 0COSTCENTER auth irrelevant.
The auth will be given for 0COSTCENTER__RACCAUT0. This object will be placed as a filter of the query, being restricted by an Authorization variable for hierarchy nodes.
Due to the concept of Analysis Authorizations, this variable will automatically pick up the nodes granted as part of RSECADMIN Hierarchy based Authorization.
As mentioned above, 0COSTCENTER as the regular reporting characteristic remains auth irrelevant and can therefore take any hierarchy thatu2019s available. Reporting on single values will be possible, too. Only those nodes show up that hold the authorized cost centers in accordance to the authorization.
If the auth relevant 0COSTCENTER__RACCAUT0 is not used in the query definition by either not taking it in as a filter or skipping the Auth variable, the query will launch the message that the authorization is missing. No data show up at all.
Claus
See this thread:
Analysis Authorization based on Hier node with multiple display hierarchies
I am also in the same situation as you and need to understadn your solution. I understand that you created a Nav Attr on 0COSTCENTER and made this auth relevant whilst ensuring that 0COSTCENTER is NOT auth relevant. This is all fine. The issue was you have multiple hierachies for 0COSTCENTER, how did the new Nav Attr help you solve your issue. When loading 0COSTCENTER what values did you load ino the new Nav Attribute and how did that link to the hierachies? Also, in RSECADMIN you created hiearchy nodes based on the Nav Attribute but I am confused as to what values you have in the Nav Attr.
I appreciate if you can share your solution from the past in more details.
many thanks

Combination of analysis authorizations (BI 7.0)

Similar Messages

Maybe you are looking for