0BI_ALL and additional analysis authorizations

Similar Messages

• BW-BPS and new analysis authorization concept

  We are using BW-BPS on Netweaver 2004s SP8 and the new autorization concept is switched on.
  Where do we need to pay attention?
  Which authorization objects stay the same and which are now to be maintained in analysis authorizations?
  Thanks for your suggestions.
  Anja

  In NW04S, BPS and BI IP share the same new authorization concept so you tend to have to rebuild specific profiles used for BPS.   The old BW-BPS tend to have authorization for R_* and they need to be redone using the new authorization concept and it can take some time if you have a lot of profiles.

• Autorisations : how to live with 0BI_ALL and other analysis object ?

  Hello
  we have an annoying question.
  We went live with 0bi_all in all profiles. Now we are in a production phase where our new users have restrictions (for example 0COST_ELMNT in the finance area).
  What should we do ?
  - suppress 0BI_ALL and add our new object
  - cumulate 0BI_ALL and our new object
  Does anyone know how this work ?
  We haven't been able to find the right documentation.
  Thank you
  Fabrice Rigaux

  Hi Fabrice,
  To answer your question, you will need to suppress 0BI_ALL and add the new object.
  It works as follows:
  For the same infoobject, the authorisations are considered a union. But for the whole of the authorisation, it's an intersection.
  an example to make more sense of this:
  AUTH1:
  - 0COST_ELEMT = 123456
  - 0TCAIPROV = *  (always need this one)
  - 0TCAACTVT = 03 (always need this one)
  - 0TCAVALID = * (always need this one)
  AUTH2:
  - 0COST_ELEMT = *
  - 0TCAIPROV = CUBE1 
  - 0TCAACTVT = 03
  - 0TCAVALID = *
  You run a query on CUBE1 -> you will have access for all cost elements.
  You run a query on CUBE2 -> you will only have access to cost element 123456.
  Because 0BI_ALL has * for all infoobjects it will always overrule any other authorisations you assign.
  Important note: if you are goning to set up your authorisation for 0COST_ELMNT to be valid for all infocubes, you will also need to add all authorisation-relevant infoobjects in your authorisation definition.
  Best way to get the hang of it is to play around with it. In transaction RSECADMIN, you now have a very useful option "Execute as", which allows you to run queries as a testuser and gives you a log of all authorisations checked.
  Regards,
  Pieter

• RE: Table to View Analysis authorizations of all users in BI

  Hi,
  I want to pull a report in BI that shows all the users and their analysis authorizations. does anyone know how to view this report.
  Thanks in Advance,
  SS

  Hi,
  You can refer all the RSEC* tables. Below are the tables that stores analysis authorizations information:
  RSECHIE - Status of hierarchy authorizations
  RSECTXT - Authorization text
  RSECVAL - Authorization Value Status
  RSECBIAU - Changes to Authorization (Last Changed By]
  RSECUSERAUTH - BI Analysis authorization u2013 assignment to users
  Change log tables:
  RSECUSERAUTH_CL - Assignment of users
  RSECHIE_CL - Change log of hierarchy authorizations
  RSECTXT_CL - Authorization texts
  RSECVAL_CL - Authorization Value Status
  Hope this helps!!
  Rgds,
  Raghu

• BI analysis authorization - Same info provider- diffrent access ?

  Hi Gurus,
  Designation of roles:
  1. User is having two PFCG roles (A1 & B1) assigned.
  2. Role A1 contains query name ZQRYA1 & Role B1 contains query name ZQRYB1
  3. Role A1 is linked to analysis authrozation role AR1 and Role B1 is linked to analysis auth. role BR1 (thorugh S_RS_AUTH)
  4. AR1 is having access to Company code 1000 & info proivder is ZIC_COPA
  5. BR1 is having access to Company code 2000 & info provider is same ZIC_COPA.
  Requirement :
  When user is executing ZQRYA1, he should see only 1000 company code.
  Result:
  With above design user is able to see 1000 & 2000 company code data for ZQRYA1.
  My analysis:
  1. We should use Customer exit in the Query. (SAP note referred  668520).
    2. As per SAP note 1000004 (Merging and optimizing analysis authorizations), I understand that if same info provider is there then BI analysis auth. will merge the values.
  Please correct me if I understand something wrong. Also suggest how can implement role so that values will not merge.

  Hi experts,
  I am getting confused now.
  As pe rmy practical experience for same info-proivder BI AA will merge the values. Even i got same response in SDN forums.
  But when I raised this issue to SAP (OSS message), SAP says this issue should resolve by applying SAP notes through SNOTE..
  1138708     Unauthorized data is displayed: "Not assigned" (#)     
  1158432     Too many values authorized for hierarchy with intervals     
  1234334     Authorization error for query on InfoSet     
  1229602     Error when using hierarchies: Authorization error     
  1226163     Authorization variables in workbook     
  1000004      Merging and optimizing analysis authorizations
  1150754     Authorizations for InfoSet chars. ignored in input help     
  1235049     F4 help: Unauthorized data for referencing characteristic     
  I have gone through notes but did not find relevant, but still SAP replied it should resolve the issues.
  Please suggest.

• Analysis Authorization (Role, Profile and Direct Assignments)

  <b>Analysis Authorization Question:</b>
  1)     In BW 3.x environment, customers have used Role Maintenance Process to assign proper object level security and then assign to the users.
  2)     Most of the places R/3 security team takes over support/administration function of BI Security and they continue to use Role method to assign “Reporting Authorizations” as per the process defined in BW 3.x system.
  3)     Customer sometime have 100 + Roles to have 3.X “Reporting Authorizations”. This is Managed, assigned, approved using role concept.
  <b>
  Migration Options:</b>
  1)     New Analysis Authorization makes process of Role Maintenance like "hierarchy authorizations" of BW 3.x. You have to create Value in other transactions and assign them in Role as a pointer or link object. With Analysis Authorization concept, Actual value of the Object Assigned “Like Company code 1100” not visible in Role Maintenance PFCG transactions. It is only visible in Transaction code RSECADMIN.
  2)     Analysis Migration Tool - RSEC_MIGRATION does not update “ROLES”. It creates or changes “PROFILES”.
  3)     Profiles are assigned to the users and Roles does not reflect any Impact by Analysis Authorization migration.
  <b>Questions</b>
  a)     This means customer need to update all the roles by hand. If they want to use Roles to manage the assignment of the Security to users. Migration Tool does not update Roles, it only updates PROFILES.
  b)     Does any one use direct assignment to Users? It is good business practice?
  c) Is <b>Profiles</b> recommended method of Authorization Maintenance?
  d) Can we run migration tool to create Analysis Authorizations, but not assign to the users as a Profile. But stop at creating Analysis Authorizations. If Customer wants to use Roles maintenance process then, they can do not have delete profile assignments from all users before updating Roles using Analysis Authorizations.
  Just want to check how other folks have done migration that can be supported going forward.
  Pankaj Gupta

  Hey Pankaj,
  In general, assigning the analysis authorization directly to user makes a lot of sense for granular levels of authorization. For example, if you had 3,000 users, 3,000 specific authorization combinations, and 3,000 roles, using roles is a lot of additional overhead. If you had 12 roles and 3,000 users, your role concept makes a lot of sense.
  Therefore, the recommendation is that it varies on what makes the most sense logically. Authorization groups can be created to group analysis authorizations and combine them. Also, you have the ability to generate analysis authorizations using the Content Datastores for this. That is an option as well.
  RSEC_MIGRATION does use profiles as you've stated. If you want, there would be manual work to convert to roles afterwards. In case you haven't seen Marc's presentation on security, it's pretty good and covers how to generate authorizations from the datastore.
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/media/uuid/ac7d7c27-0a01-0010-d5a9-9cb9ddcb6bce

• Problem with analysis authorization- 0BI_ALL always needed

  Dear all:
  we have a serious issue on so-called "analysis authorization" now. We have auth-restricted user who only have authorization to access data on one company code. We also create a BI-authorization in analysis authorization and assign the following auth-relevant object to this authorization-
  0TCAACTVT = 01-03
  0TCAIPROV = ALL
  0TCAVALID = ALL
  0TCAKYFNM = ALL
  0COMP_CODE = A001
  And we create one query with only company code and number of employee in the row and column. But everytime we execute this query, there s always message" No Authorization". We used ST01 to trace and the result shows we need to have "0BI_ALL" in auth object S_RS_AUTH. If we added 0BI_ALL, all company code data will display, which definitely no auth restriction at all. Is there any specific authorization setting we need to do?
  We are stuck here pretty bad. Thank you all in advance if any input.
  BR
  SF

  Hi,
  I guess the Authorization profile is active , and in the Tcode PFCG -> Role name -> User tab page ( user comparision is done ).
  Check if any of the tab page shows red light .
  And assignment of 0BI_ALL is not a solution , as any user can do anything in the system.
  Also do not forget to log - off and log-in into system after changing into any of the authorization profile to see changes that had happened.
  Hope that helps.
  Regards
  Mr Kapadia
  Assigning points is the way to say thanks in SDN.

• Hierarchy Analysis Authorization in BW and BOBJ Webi Report

  Hello,
  We have a scenario wherein we have implemented Analysis Authorizations (Hierarchy) on Organizational Unit info object (0ORGUNIT) and need to report on BOBJ WEBI. Our scenario is as following
  ORGUNIT    - L0 (Overall Enterprise Level)     
  -     L1 (Enterprise - Continent Wise Split)
  -     L2 (Enterprise u2013 Country Wise Split)
  -     L3(Enterprise u2013 City Wise Split)
  E.G- 
        LO (Company ABC) MANAGER 0 will have access to the entire organization
             -L1 (ASIA) MANAGER1 will have access to ASIAN Subcontinent
                    -L2 (India) MANAGER 2 will have Access to country India
                              -L3 (New Delhi) MANAGER 2.1 will have access to city Delhi
                              -L3 (Mumbai) MANAGER 2.2 will have access to city Mumbai
                     -L2 (Malaysia) MANAGER 3 will have access to Country Malaysia
                                -L3 (Kuala Lampur)
                                -L3 (pahang)
               - L1 (Europe)
                                          u2026..
  The requirement is that the CEO of the company should be able to see the entire set of data ( L0-L4).We have continent managers who can see that data specific to their continent, similarly at L3 Level the city manageru2019s should see the data only for their specific city.
  In BI we have used analysis authorization based on hierarchies. We have created an authorization object say ZAUTH1 and have assigned the hierarchy L0 from RSECADMIN. Now, in Webi when we create a report a sample row comes as :
  L0 Org Unit     L1 Org Unit     L2 Org Unit     L3 Org Unit     SALES Key Figure
  Company ABC     Asia          India          Mumbai          1000
  Now, we have MANAGER 2.2 who has only access to the data specific to his city (Mumbai). There is an Analysis Authorization object created for him ZAUTH2, by ONLY assigning the org unit hierarchy L3 (for Mumbai). When we run the bex report with the user MANAGER 2.2 u2013 it correctly displays the result and the user is only able to see the data for L3 Org Unit (Mumbai). However when you bring this data to Webi u2013 the report comes in the below format:
  L0 Org Unit     L1 Org Unit     L2 Org Unit     L3 Org Unit     SALES Key Figure
  Mumbai                                           1000
  The L3 org unit has now got assigned to L0 Org unit , as this is the only org unit assigned to the MANAGER 2.2 user .
  In such a case we are not able to write any generic formulae for the report. Is there a way to correct this issue? u2018Mumbaiu2019 should either get assigned to the L3 OrgUnit column is webi report , or is there a workaround that is possible ?
  Thanks and Best Regards,
  Vj

  Hi Vijay,
  The problem you speak of is known and comes from the fact that the hierachy is flattened in the process of delivering it to WebI. Therefore there is no real 'solution' to the problem, just some work-arounds you can think of...
  1)
  Create a report variable that starts looking at the lowest level, if it is empty check one up, and so on until you found what you were looking for (the lowest leaf available), which by definition must be there (even if it is top level).
  Using similar logic you can also get a 'number of levels avaible' and so fill in the complete tree (duplicating the highest level).
  This is difficult to explain when end users create their own reports, though you could provide a template report with these variables in there already.
  2)
  Extend the hierarchy with duplicates below the lowest level.
  So i.e. L0 Company - L1 Continent - L2 Country - L3 City- L4 City - L5 City- L6 City.
  This will give back on the four levels for top authorization
  L0 Company - L1 Continent - L2 Country - L3 City
  For authorization on Continent:
  L0 Continent - L1 Country - L2 City- L3 City
  For autorization City
  L0 City- L1 City - L2 City- L3 City
  So in all situations the fourth level, the L3 Object will hold the City level.
  This you can then use in your report.
  Hope this helps,
  Marianne

• Analysis Authorization and relates issue

  Hello all,
  I am in the midst of designing authorizations using RSECADMIN transaction.
  We have a set of 50 different queries.
  In our cube, there are 5 different characteristics, which are authorization relevent.
  So, in RSECADMIN, i have created one analysis auth role, included all special and authorization relevent characteristics and maintained the appropriate values.
  But when i execute the queries,the desired output is not coming.
  - Do i need to create authorization varaibles and included in all my queries ?
  - Without including the auth.variabes in queries, is there any other way to restrict the users ?
  I though, by assigning the parameters in RSECADMIN, the query will automatically filter the data.
  Can you pls help ?
  We are on SP19.

  Hi,
  First of all, The query is always based on a InfoCube. Now, you have 50 different Queries which is based on this InfoCube if I am not wrong as you are not getting any authorization error.
  For a query to run, the user should have access to 1. Query, 2. Infocube and 3. Data(All Auth Relevant + 4 Special Objects)
  Authorization relevant objects are for an InfoCube which means that these objects are important or key fields for the infocube.
  You say that in your case, you have 5 Auth relevant objects which means they are important. But please note that there are more infoObjects in that InfoCube.
  Now, when you go to the query design, you can restrict on any object in the InfoCube but it makes more sense that you do it on one of those authorization relevant objects as you have to specify that in the Analysis Authorization where the system can pick up the data easily and give the output.
  Again, on the query design, if you have designed the query with processing type "Authorization", then it would automatically pick up (What you mentioned as automatic filtering) the value from the Analysis Authorization which is contained in the user's role for that query which otherwise gives a wide variety of options to chose from where the user has to choose the correct one.
  To get the desired output, all the correct variables should be included in the query and user should have access to all the three mentioned above.
  May be this gives a clear picture.
  Regards,
  Prasanna
  Edited by: Prasanna Nagaraja on Sep 11, 2009 11:40 PM

• Analysis Authorization In Dev and impact of reports and roles in prod trans

  Hello,
  We are planning to switch to analysis authorization. We plan to make that change first in Dev and we were wondering what would be the impact on roles and reports we transport from dev (which is switched to Analysis Authorization) to production( on Old authirization) ? We wont transport new things to production till we switch to new auth in Prd.
  Thanks a lot,
  BP.

  Hello
  Even if you are transporting the roles from dev to quality and production, the analysis authorization objects will not be checked until you set "current procedure..." in RSCUSTV23.
  So there is no harm in transporting the roles and auhotrization until you change the concept to analysis.
  regards,
  Payal

• Analysis Authorization and Query

  Hi everybody,
  while studying the new analysis authorization concept in BI7 I tested a little bit around. I was wondering how I can realize the following scenario:
  A user should see "0VERSION" "2" and "0DIVISION" "01" as well as "0VERSION" "5" and "0DIVISION" "02" while executing the query with BEx Analyzer.
  Am I right that I have to create two analysis authorizations?  How do I have to model the query? I always get the message that my testuser does not have enough authority.
  Thanks for your suggestions.

  Hi Anja,
  Did you ever get a resolution to the question you asked.  I am facing the same scenario now where i want to restrict a user to seeing seeing the following:
  user must see:
  Division = 001 and Area = A
  Division = 002 and Area = B
  But he must not see Division 001, Area B for example
  Creating the analysis authorizations is not a problem, the problem is modelling the query to return this result.  I always get no results due to lack of authorization as the authorization variables try to return All Division "001" and "002" and All "A" and "B"
  As i see it, you cannot model the query to return the required result.  What would be ideal is if the query would only return what the user is authorized to, rather than returning nothing and giving an auth error.
  Thanks
  Gavin

• Transport roles and analysis authorization with user assigned

  Hi expert,
  I face with this problem transport roles and analysis authorization with user assigned. When I have created a transport request to move the roles and analysis authorization from development system to test system. I couldnu2019t maintain the user assigned, after transport I have to assigned manually all of user or create a program to fill AGR_USER table or there are other way.
  Thanks for your time,
  Luis

  Hi,
  In role administration, you have the following options for transporting roles:
  You can download the roles from one system and upload them into another  
  You can import the role from a remote system using RFC  
  You can transport the roles with the transport function.
  Role upload loads all role data, including authorization data from a file into the SAP system. The user assignments for the role and the generated profiles for the role are exceptions in this case.
  Transporting Roles with the Role Transport Function
         1.      Start the role administration function by choosing Tools ® Administration ® User Maintenance ® Role Administration ® Roles (transaction PFCG).
         2.      Enter the role to be transported and choose Transport Role.
  The Mass Transport of Roles screen appears. You can control the default settings for the options Also transport single roles for composite roles and Also transport generated profiles for roles using Customizing switches (see Role Administration Functions in the section Functions of the Utilities Menu).
  You should not change the authorizations profiles of the role after you have included the role in a transport request. If you need to change the profiles or generate them for the first time, transport the entire role again afterwards.
  For more information go thrpugh the below link
  http://help.sap.com/saphelp_nw70/helpdata/EN/6d/7c8cfd410ea040aadf92e1f78107a4/content.htm
  Regards,
  Marasa.

• Role and Analysis Authorizations in BI

  Hello allo,
  Since analysis authorizations contains carateritics like infocube, queries, activities., is using role and the PFCG transaction (authorizations object)in BI obsolete ? i.e is Analysis authorizations completely replacing Authorization objects (and PFCG) in BI ?
  thanks !!

  Hatem,
  You have an option to use the old method however it's recommend to use analysis authorizations going forward.
  Take a look at the sap wiki for analysis auth for more info or search the site for other good info.
  https://www.sdn.sap.com/irj/sdn/wiki?path=/display/bi/authorizationinSAPNWBI&
  Cheers,
  Ben

• BW BEX Queries and Analysis Authorizations

  Hello....
  Have an opportunity with BW BEX queries and Analysis Authorization...would like to see if anyone has had the same experience and if so is there a answer....
  1) given a query....
  2) given a analysis authorization with a info-object that has intervals defined to be both single values and ranged values
  the following happens...
  after the query is fired the starter screen appears...the info-object in question appears with the defined single values only....if....the window is opened....again only the single values appear...the range values do not appear...once the query is executed the only results given are those for the single values...
  also if you re-fire the query and manually enter a valid value for the info-object that falls with-in any of the range values no result is given...even if there is data for it....the reponse given is no data found....
  NOW...if the single values, for the given info-object, are removed from the Analysis Authoriization then the range values appear and work....
  Is this a problem within in the query...or...is this a "feature" of the query...and thus must be "lived" with...
  Terry
  PS...this problem currently only happens if the window for the info-object allows for multi-selection....this problem does not occurr when the window only allows for one selection...

  Hi,
  This is a known problem with analysis authorization and multi selection IO selection criteria.
  When you define the analysis authorization with ranges and when you try to enter single values on the selection critera of the query, then the system shows zero data.
  You can run the query without entering any selection values for the IO in question only.
  I have tried several combinations and still encountering the same issue.
  Ravi

• Role and Analysis Authorization Transport

  Dear Experts,
  I'm working with migration authorization project from 3.5 to 7.0. My doubt is when migrate in development enviroment enhancement each whith join S_RS_AUTH with Analysis Authorization which the role doesn't have any users assigning and transport to test enviroment where have a same role with user assigning. Do lose the user assign?
  Thank for all,
  Luis

  Hi,
  I think it will orverwrite the Role. If you want to lock the target system against import of user assignments, you can goto sm30 (Table - PRGN_CUST). Make an entry - USER_REL_IMPORT (value - NO).
  Thanks