Analysis auth obj assigment

Similar Messages

• Analysis auth issue

  Hi,
  We have a scenario where we have 2 user IDs:
  X
  Y
  We have a report R1 which has values for an infoobject IO as 1,2,3,4,5
  Now User X is restricted to see only data for values 1,2,3 and Y is restricted for 4,5
  We have created Analysis auth object and assigned it to users. Then we added an auth variable in the report which will restrict data as per user authorization.
  Now the issue is that when we execute the report for User X, only values for 1 is displaying and data for 2 and 3 are not showing up inspite of data being avalable in the underlying Infoprovider.
  Same is the case with User Y where the data is only visible or 4.
  What can be the issue?

  Hi Debanshu,
  Though I could not understand the exact issue, I would rather suggest you to check the authorizations checked while executing the report in Transaction RSECADMIN. In the Transaction goto Analysis tab ->Log Administration. there in the Configure Log recording provide the userid for which you want to test the authorizations And save it.
  When that perticular user runs the report will will be able to see the logs for it using the option "Authorization Logs" screen. And this log will have a detailed information regarding the entire authorization trace for that user for that report.
  Regards,
  Pratap Sone

• Creation of Analysis Auth from SU21

  Hi All,
  I gave a try to one auth. Just wanted anyone of you to clarify this.
  I created one customised object from SU21, and created the field, which we have used in the Analysis Auth (rsecadmin)  like, Compcode, salesorg, co area, etc.
  I have entered the field values and generated. Now included this in a role for a reporting user which contains the objects s_rs_comp and s_rs_comp1 for which Comp1 given full *.
  Now the test user is able to create the queries based on the restrictions assinged, like company code. But he is not able to execute his own query, where he was given full access. SU53 shows that he doesn't have the access to Execute in S_rs_comp1, where I have maintained * for that.
  Does this mean that, the Charateristics for Analysis Auth will not work if assigned through the objects created from SU21. / or do i need to do something more.
  Can anybody help please.
  Thanks for the help.
  Regards,
  Venkat

  Hi JC,
  The idea given by you is good. I tried, it. But its not working securely.
  I created one analysis auth for all common characteristics. and dvarious for different company codes and controlling areas.
  like grouped the following as one
  Company Code, Controlling Area, Keyfigues.
  I assigned a user a role like this. Take for example ODS A and B. Comp Codes, CC1 and CC2, Controling areas CA1 and CA2.
  assigned the Reporting roles like this. where
  1) ODS A > CC1 (CA ) (KF)
  2) ODS B > CA2 (CC) (KF)
  when checked user is able to see all the controlling areas on ODS B,where i gave him only CA2.
  That is the problem..

• What auth obj to use for allowing user to create and save workbook?

  Hi all,
  We are on BI 7.0, we have requirement which will allow users to develop and save workbooks (NOT BEX query) via BEx Analyzer. I have examined the auth obj S_RS_WKBK but it is obsolete auth obj and there is nothing similar obj in BI 7.0.
  i then looked at the S_BDS_D, is this all i need in order to allow user to save workbook on to the backend system?
  pls note, user can only save workbook NOT BEx query.
  regards,
  Joe

  Hi,
  Actually there is no direct away to do it
  First use the Authorisation s_user_agr , here in the activity field assign01,02,03 and 06 , in the role name assign a specific role name.
  In s_user_tcd in transaction asssign - RRMX.
  Got to PFCG, maintain the role.
  Hopr this will be expedite.
  ThaX and Regards
  Vaibhave Sharma

• Changing the AUTH OBJ in table

  hi experts,
  I am creating the Z* table, when i am creating the the AUTH obj under the table maintenance generator, it is coming as
  S_TABU_DIS, but i want to change this AUTH obj to S_TABU_NAM.
  looking forward for your valuable answers.

  First read [Note 1516880 - Authorization check for generic table access (S_TABU_NAM)|https://service.sap.com/sap/support/notes/1516880]
  The authorization concept for the generic table access using such standard transactions as SE16, SE17, SM30, SM31 or SM34 (or their "proxy" transactions) was previously only bound to the authorization object S_TABU_DIS.
  With Note 1481950, the authorization concept
  was enhanced with the authorization object S_TABU_NAM that checks the access at table name level:
             If a user does not have any S_TAB_DIS authorization for a certain table, the system also checks whether he has an S_TABU_NAM authorization. The access is permitted if the user has an S_TABU_NAM authorization...
  Regards,
  Raymond

• ':' in SQL Format causes analysis auth failure

  Hi,
  When running a SEM-BPS planning folder it fails due to analysis authorisation errors. On doing a trace it fails as the SQL Format has PLANT = ':' and SALESORG = ':'. These values are not within the analysis auths set-up.
  Talking to the SEM-BPS person here they don't know how those got into the query.
  Any ideas how we can get round this?
  Thanks,
  Nick.

  hello,
  does oracle showing any errors in user_scheduler_job_run_details for this job ? I would advise try inserting some debug statement to identify where exactly its stuck. Also please check sample configurations syntax for user_scheduler_jobs.
  Cheers
  Sush

• Auth obj for Tax number 1 and Tax number 2 in fk02

  In tocde FK02 and FK03 we want to restrict some of the fields i.e Tax number 1 and Tax number 2 i.e field stdc1 & stdc2 ,to be visible to some users only ,Is there any auth obj for these fields which we could restict to specific users.

  Hi,
  You can give the authorization for tab wise Genaral data/accounting data/Payment transaction
  Check the auth. objects:
  F_LFA1_BUK     Vendor: Authorization for Company Codes
  F_LFA1_BEK     Vendor: Account Authorization
  F_LFA1_APP     Vendor: Application Authorization
  F_LFA1_AEN     Vendor: Change Authorization for Certain Fields
  Regards,
  Kishore K

• BI Role with Analysis Auth Object

  Hi
  How can i use Authorisation Object created in RECADMIN with all the list of Infoproviders in S_RS_COMP and S_RS_COMP1
  So that user can perform mentioned action on the data providers mentioned in analysis authorization object.
  As i need one place to list all the data targets user can access insted of maintaining in S_RS_COMP and S_RS_COMP1 and in Analysis Authorization object
  Thanks in advance

  Thanks Everybody for giving suggestions; I really appreciate alll your efforts.
  I followed step by step book of kamaljeet and findout that , I was missing to add related info objects of the inforprovider .added those info objects to auth analysis object.
  Now query is working fine without errors;
  problem is i am not able to restict the query since it showing all the data ; i am trying to put only few values in "0wbs_elemt "  .
  I added 0wbs_elemt in my analysis auth object;
  Clicked on 0wbs_elemt and kept values in value authorizations and also kept wbsh in hierarchy name , selected type 1, HI 0.
  still i am unable to restrict the data;
  Functinal consultants build WBSE  set up on a hierarchy. like
  18ICT-07/2011
        18ICT-07/2011-1
              18ICT-07/2011-1-AUDTM
                    18ICT-07/2011-1-AUDTM-01
              18ICT-07/2011-1-CETX_
                    18ICT-07/2011-1-CETX_-01
  they want to restrict like if we are giving 181ct-07 then they want to access every thing under it;
  same way like 181ct-08  etc etc..
  looks like they want to restrict the date very granuler level like  restriction on " Attribute Navigation   "
  Can anybody please do let me know how can we achieve  Navigation Restriction.
  Thanks.

• RE: Transport of Auth Obj Maintained in SU24

  Hi all,
  I went in to SU24 and maintianed fields in an auth object of a transaction, then after saving it asked me to create a transport and i did that.
  Now i regenerated the role and it pushed the new auth obj/fields in role.
  what happens if dont create a transport for the modifications that i did in SU24 for a particular Auth Obj and if i transport that role to TST.
  will this automatically update the auth object in SU24 in TST ? or will it just be in role because of the role transport?
  thanks,
  Sun

  Hi,
  what happens if dont create a transport for the modifications that i did in SU24 for a particular Auth Obj and if i transport that role to TST.
  The changes will reflect in the ROLE in TST ( i guess its the SID of Quality server), however the SU24 in TST won't get updated to reflect whatever you in did in Development System.
  will this automatically update the auth object in SU24 in TST ? or will it just be in role because of the role transport?
  Yes, it will only be the role transport.
  The role will work fine, however this would break the relationship of Auth Objects & Tcode in TST, (when you click on the "Where-Used List" in TST you won't be able to find which Tcode brought that particular auth object in the role.
  Regards,
  Zaheer

• BI Analysis Auth Error

  Hi Have two analysis auths
  1)
  0TCAACTVT        02 03
  0TCAIPROV          X
  0TCAKYFNM       *
  0TCAVALID          *
  ZOBJ1                    A
  ZOBJ2                     B
  ZOBJ3                 1
  2)
  0TCAACTVT        02 03
  0TCAIPROV          X
  0TCAKYFNM       *
  0TCAVALID          *
  ZOBJ1                    *
  ZOBJ2                     *
  ZOBJ3                 2
  Both Auths will go together to same user.
  I want to restrict access to A and B for  ZOBJ1 & ZOBJ2 for value 1 (ZOBJ3)
  but I want to give * access for ZOBJ1 & ZOBJ2 for value 2.
  When I assign both auths user get * access for ZOBJ1 & ZOBJ2 for for 1 also.
  Is there any way I can limit this access.

  Closing so that I can post new quesiton

• SU10   -  Search by Auth Obj Values

  Hi,
  I have a audit requirement, where in which I need to use more than <b>3 Auth objs selection by values</b> as a search criteria. I could see SU10 / S_BCE_68001400 permits(shows) only 3 possible entries for "by values".
  Would appreciate your expertise..
  Thanks,
  Sam

  Another idea for you which might help:
  Run the report (rsusr002) for your first 3 objects -> fields -> values. Then highlight the "user name" column of the result and copy it to your clipboard and restart the report again fresh. Go to the "multiple selection by user" button (yellow arrow) and select the little clip-board button. It will insert the list of users. Then run the report again with your further objects -> fields -> values including this restraint.
  (You can also download the list to a file and import it using the green colour clipboard).
  You would get the same (potentially inaccurate) result as if you could select more than 3 at the same time.

• Auth obj - Maintainence status change

  Hi,
  would like to change the Maintainance status of Auth obj from "Changed" or "Maintained" to --> "Manual" . Is it possible, without adding the same manually.
  planning to do this as during merging, "Manual" auth objs are not disturbed.
  Thanks,
  Sam
  Message was edited by: Sam

  Hi Sam,
  It sounds like you are planning to "merge" your roles by inserting
  the profiles of the selected roles. While this will accomplish your goal
  of getting access for your users - it will be a nightmare to maintain.
  As already mentioned, you will be bypassing the functions of profile generator in
  the way it was intended to function. If you want to merge 2 roles, then you
  should only merge the menu sections of the roles and then allow PG to
  select your authorization objects. If you only have profiles, then look
  at the values in S_TCODE and insert these into the role menu section.
  Regards,
  JC

• Analysis Auth issue - multiple objects

  Currently we have different roles define for each separate section of our business with Comp code and Profit center (along with Hierarchy on PC).
  For e.g.
  Section 1
            Company Code u2013 1010,1050,1500,1520,1700,1800
            Profit Center u2013 150000 u2013 159999 and Profit Center hierarchy u2013 ZPROFIT_CTR_GROUP/99991231/G_15
  Section 2
            Company Code u2013 1110,1150,1500,1520,1700,1800,1980,2050
            Profit Center u2013 190000 u2013 199999 and Profit Center hierarchy u2013 ZPROFIT_CTR_GROUP/99991231/G_19
  Currently there are 30 such roles define, we have quite a segregation within the business. So each BW user generally has one of the 30 roles assign to them. This is working perfectly fine.
  Now because of the consolidations, there are some users who would manage information from different section. So now a user can have access to Section 1 as well as Section 2. Whenever we tried giving access to 2 roles directly to any user, the results of the query comes back as u201CNo Authorizationu201D
  If you notice in the difference between section 1 and 2 is additional company code and some matching company codes along with that is complete different Profit center range and profit center hierarchy node. I am not sure where exactly it is failing.
  Now one more thing for you information is that we have defined Auth variables on Company code (input/Auth/multiple Values) and Profit Center (Input/Authorization/Selection) and Profit Center hierarchy (hierarchy node variable / Authorization)
  I am just trying to understand where the No Auth error msg is coming. Is there some intersection which is killing the query result itself?
  Please let me know if any of you have any suggestion.

  A common problem when authorizing using two different Characteristics is how the authorization variables are filled.
  If a user has access to both section 1 and section 2, a authorization varible for Company Code will contain the values
  1010,1050,1500,1520,1700,1800, 1110,1150,1980,2050
  and the authorization variable for Profit Cetre will contain
  150000 u2013 159999  and 190000 u2013 199999
  If the user doesn't restrict the query further, the system will issue a correct authorization error since the user is not authorized for the selection CC=2050 PC=150000 and all the other "cross-combinations".
  Try creating variants of the selection screen for section 1 and section 2 respectively and force the user to select one of these when executing the query.
  Regards,
  Lars

• How to know Which T-Code belongs to which auth.obj?

  Hello Friends,
  <b>Lets say a user has got authorization to execute SU01.
  Now I want to know to which auth.object this t-code belongs to and which activity the user is having for that t-code?
  can u explain it step by step how to check this?</b>

  Hi Rakesh,
  Basically every T-Code is made up of auth.objects. To know what objects are used for the T-code use Tcode SU24.
  In the initial screen enter the T-code SU01 (execute (f8) or click on clock icon)
  In the second screen you will have three buttons.
  1.Check indicator (display)
  2. Check Indicator (change pencil icon)
  3. Value list
  Click on 1st button Check Indicator (only Display)
  You will be promted with list of objects.
  U  N  C  CM Check ID       Object     Object name
  Now check for the objects which are CM (checked and maintianed)
  The same objects will be displayed in the roles where you have assigned the T-code SU01.
  To Display the field values for each object which are maintained click on the button Field Values.
  You will be prompted with (default /maintained) values assigned for each object.
  But..
  To know exact values (activity values) you need to check in the role.
  Make a list of all the objects availabe in the SU24 check for the same in the role.
  Hope now its clear
  If you need more info let me know
  cheers
  Soma

• BI analysis auths and traces don't work after client copy

  Hello,
  We recently moved our BI Development to a new server.  Now, the analysis authorizations I created and assigned to the S_RS_AUTH object are no longer working.  And, the 'Execute as User' feature in rsecadmin transaction to trace a user is no longer working.
  Do I need to regenerate something or reconfigure something?
  I inherited this system and was not the original person to set up BI authorizations and traces so I do not know what steps may need to be repeated after a client copy.
  Thanks, in advance, for any advice.

  Thank you Juilius.
  It was actually our Developer who made changes to the reports I was testing and really didn't have anything to do with the client copy.
  However, the trace functionaly was weird.  I had to change a parameter on my user id to get it to work.  So, actually, the client copy did change that setting.
  Thanks much.
  Penny