Analysis Authorization created in RSECADMIN

Hi
I created an alaysis authorization using the transaction RSECADMIN following the steps
Step 1:
Activate all business content related to authorizations before you get started:* InfoObjects: 0TCA* and 0TCT*
InfoCubes: 0TCA*
Set the following InfoObjects as "authorization relevant":* 0TCAACTVT
0TCAIPROV
0TCAVALID
0TCAKYFNM (optional, if key figure restriction needed)
Add 0TCAIFAREA as an external hierarchy characteristic to 0INFOPROV (optional)
Step2 :
RSA1 -> InfoObjects -> Business Explorer Tab -> Flag 'Authorization relevant
RSA1 -> InfoObjects -> Attribute Tab -> Flag 'AuthorizRelevant'
Step 3 : Created a role in PFCG and inserted the above authorization value in S_RS_AUTH
Step 4: Maintained the following values in the role
S_RS_COMP : Query Accessibility
Activity: 03,16
InfoArea: '*'
InfoCube:*
Name (ID) of a reporting component:*
But still we are not able to restricted the data that is displayed when the query is executed.(It is displaying all the data without checking for the authorization created above)
Below is the error that is displayed in the trace for this user in RSECADMIN
There Are No Characteristics That Have to Be Checked in Detail

Sai,
Have u restricted authorization relevant characteristic to some values in authorization object in RSECADMIN?If so, at query level u have to create a variable with processing type "authorization variable" and variable represents option "multiple single values" or "selection options" either is fine and also u have to uncheck option "Input ready" on ur authorization relevant characteristic and drag that variable in global filter.Try to login again and check the query.
Chandu

Similar Messages

  • BW Analysis authorization issue... need help urgently....

    We have one BW query which is pulling data from Contract Division info-object. Now this report does not variable selection object so it is pulling data from all values of Contract Division. Values of  Contract Division are CNC, CNS, CNE and CNL.
    Now we have created an analysis auth. object called z_es_3 and added Contract division info-object. Now we have added that z_es_3 into role and given value to CNS. now when we are running report, we are getting No Authorization error. When we are giving * value in z_es_3, it is running fine.
    Now we have to restrict report to contract division. please help.
    Thanks in advance

    Are you running unrestricted search on Contract division in your queries? You should restrict it to value which is maintained in the authorization for the InfoObject.
    Also please run the analysis authorization trace from RSECADMIN. That will give you a clearer picture of what is wrong.

  • Different Analysis Authorization on same infoprovider

    Hi All,
    I want to setup authorization for the below scenario. I have tried different options but not able to achieve it. Request your inputs.
    Query 1: Z_REPORT1_NOCUST (Only Aggregate authorization-no customer wise drill down)
    Query 2: Z_REPORT2_CUST (Customer wise drill down possible)
    Above both query is from Same info provider. Hence i have tried creating 2 analysis authorization one is for Aggregate authorization for customer I/O and another is for Full authorization on customer. And created 2 different PFCG roles one for each analysis authorization created and assigned both role to a user.
    But when the report is executed both the query was able to drill down with customer. Itseems analysis authorization created for aggregate quthorizaiton is not working and full authoization is over rulling.
    How to resolve this, need your valuable inputs.
    Thanks in advance
    Prem

    You cannot give both roles to the same user that give authorization to the same info provider. This is your problem.
    The security system assembles the user's rights from all of his roles. If two roles provide rights to infoprovider "A", and one gives ":" (Aggregate) rights to 0CUSTOMER, and the other gives "" (All) rights to 0CUSTOMER, then the rights used for the query will be the "" (all) rights for 0CUSTOMER, and the Aggregate rights will be ignored.
    If you truly wish to have two separate reports, one that reports 0CUSTOMER at an aggregate level only (for example, by customer group), and the other by 0CUSTOMER drilldown, then simply remove 0CUSTOMER from the aggregate query.

  • BI analysis authorizations/ RSECADMIN/  Tables

    Hello,
    Does anybody know which tables are used with RSECADMIN.
    In which tables are the values of the authorizations created in the RSECADMIN stored ?
    Thanks in advance.
    Kind Regards,
    Vincent

    Vincent,
    The tables are:
    RSECAUTHTRUSER - Shows the users that will be log
    RSECVAL - shows analysis authorizations values
    RSECUSERAUTH - Shows analysis authorizations added to users manually.
    You can also check the following page for more information
    https://www.sdn.sap.com/irj/sdn/wiki?path=/display/bi/authorization%2bin%2bsap%2bnw%2bbi
    Regards, Jose

  • Analysis Authorization - RSECADMIN

    Hello everybody,
    I have created an auth object (in RSECADMIN) and added appropriate values to 0PROFIT_CTR and 0TCAACTVT. I have assigned this auth object to a user, everything works fine so far.
    Question: We have about 100+ profit centers and hundreds of users, I need to give access to all these users to different set of profit centers, what would be the best way to accomplish this ?
    Any help would be highly appreciated.
    Thanks,
    Anil

    You may wish to check with LSMW tcode.
    Steps -
    1)Maintain excel file with the mapping of user ID's and authorization object values in the proper format/structure you gonna upload via LSMW.
    2)LSMW
    Here you can record the script or the activity you want to do ,say for example asigning authorization object using RSECADMIN to a user  with values 0PROFIT_CTR and )TCAACTVT.
    Follow the steps of LSMW and Run the batch input session for whole file mapped earlier.
    LSMW - Step by Step
    Hope it Helps
    Chetan
    @CP..

  • [CUA] Compatibility with Analysis Authorizations (RSECADMIN)

    Hello,
    I have two questions for you, BI experts :
    1) Could someone please confirm that it is not possible to centrally maintain Analysis Authorizations (trx RSECADMIN) from the CUA ?
    2) Does it make sense to start a CUA project now with the Identity Management solution coming soon ? What are the pros & cons of each ?
    Thanks in advance.
    Best regards,
    Guillaume

    Hi,
    I had a look at the Roles and Profiles tables used by CUA.
    I found that it uses special tables such as :
    USRSYSACT     CUA: Roles in Distributed Systems
    USRSYSACTT     CUA: Roles in Distributed Systems
    USRSYSPRF     CUA: Profiles in Distributed Systems
    USRSYSPRFT     CUA: Profile Text in Distributed Systems
    USLA04          CUA: Assignment of Users to Local  Roles
    USL04          CUA: Assignment of Users to Local Profiles
    There is no analogous table for RSECADMIN tables such as :
    RSECAUTHGENERATD     BI AS Authorization Reporting: Generated Authorizations
    RSECLOG               Storage for Authorizations Logs xml
    RSECTXT               Authorization Texts
    RSECUSERAUTH          BI AS Authorizations: Assignment of User Auth
    RSECVAL               Authorization Value Status
    This, I conclude that it is not possible to maintain BI analysis authorizations from the CUA central system.
    This kind of authorizations has to be performed in the child system directly.
    Unless, SAP has something to draw out of its pocket soon... 
    I indeed read that some development was done on the CUA, parallel to the SAP NW Identity Management solution.
    Best regards,
    Guillaume

  • Analysis Authorization Issue 7.3

    Hello Friends,
    System BW 7.3, Currently there are 80 odd analysis authorization objects
    We want to introduce a new info object (GL Account) to be authorization relevant, ( there are few objects in the system which are already authorization relevant in the system with proper analysis authorization objects and they are working fine)
    Things done, made the GL Account object authorization relevant in RSA1, Created 2 analysis authorization objects with GL Account and TCT objects and one with hierarchy restrictions and one open access.
    Added this object to the user in addition to its already existing authorization objects. Created authorization variable in BEx.
    Some how the authorization is not picked up and it gives us all the values in the report. But if I add the GL Account info object to the existing analysis authorization objects then it works fine.
    I do not want to change all the existing analysis authorization objects to add GL Account.
    Your inputs are most welcome.
    Thanks
    Ed.

    Gajesh- I have added the new analysis authorization object to the user in RSECadmin.
    Subhendu- Problem statement: What are the steps involved in making a new info object(GL Account) authorization relevant. Authorizations are given at hierarchy level. Can we create a new analysis authorization with  GL Account only or do we have to add it to every existing analysis authorization
    I have done the following steps
    1. Made the GL Account object authorization relevant in RSA1,
    2. Created 2 new analysis authorization objects with GL Account ( with hierarchy restrictions) and TCT objects and one with GL Account open access.
    3. Added this object ( which has restrictions) to the user in RSECADMIN, in addition to its already existing authorization objects.
    4. Created authorization variable in BEx.
    5. No existing analysis authorization objects have been changed.
    When I test the report, It does not restrict based on the hierarchy that I have given, it gives open access.
    But If I add GL Account with restrictions to the existing analysis authorization object, it works good.
    Guess I am missing some thing here.
    Do you need any other screen shots.
    Thanks
    Ed.

  • Analysis Authorization based on Hier node with multiple display hierarchies

    Hi guys - I've got a problem where s.o. might have an idea of how to switch on the light at the end of the tunnel, I am currently standing in:
    Requirement:
    Cost Center Authorization should be given through RSECADMIN, reporting should be possible for any hierarchy that exists for the authorization relevant info object.
    Preferred solution:
    The Cost Center Analysis Authorization should be given through RSECADMIN - Hierarchy node assignment.
    u2022     A dedicated Authorization Cost Center Hierarchy will be maintained in ECC6 as an alternative cost center hierarchy and extracted into BW.
    u2022     The RSECADMIN Hierarchy node assignment should be based on a particular node (Type 2).
    u2022     The display level will be specified as required (here: Level 7)
    u2022     The Authorization granted should be independent of hierarchy name and version (validity 3).
    Reporting Scenario and technical impact:
    As mentioned above, when designing and running a query the user should be able to freely select other (i.e. than the authorization) display hierarchies for the authorization relevant reporting object 'Cost Center' as well. The technical names of the semantically relevant hierarchy nodes could therefore vary. E.g. cost centers 1, 2 and 3, being assigned under hierarchy node u2018Au2019 of the RSECADMIN relevant authorization hierarchy, could be subsumed by hierarchy node u2018Bu2019 in another display hierarchy, which the user may want to display in accordance to his reporting needs. Ideally, the alternative display hierarchy should therefore display node u2018Bu2019.
    My findings so far (based on prototyping) turn out that this is not possible as long u2018Bu2019 (and its hierarchy) is not authorized in RSECADMIN. Can these findings be confirmed? And if not, would anyone have an idea of how to facilitate the reporting scenario?
    Would there be any other way to grant access, possibly based on RSECADMIN single values, and also enable the user to flexibly display hierarchies with only those hierarchy nodes whose single cost center values the user has been given access to?
    Thanks everyone for your input...
    Claus
    Edited by: Claus64 on Jul 13, 2009 4:10 AM

    HI CLause,
    On Jul 14 2009, you wrote in SDN and said:
    FYI: Found a solution...
    The hierarchy analysis authorization will be based on a navigational attribute of cost center.
    With analysis authorizations it is possible to declare the Auth object (e.g. 0COSTCENTER__RACCAUT0) as authorization relevant and leave the superior object 0COSTCENTER auth irrelevant.
    The auth will be given for 0COSTCENTER__RACCAUT0. This object will be placed as a filter of the query, being restricted by an Authorization variable for hierarchy nodes.
    Due to the concept of Analysis Authorizations, this variable will automatically pick up the nodes granted as part of RSECADMIN Hierarchy based Authorization.
    As mentioned above, 0COSTCENTER as the regular reporting characteristic remains auth irrelevant and can therefore take any hierarchy thatu2019s available. Reporting on single values will be possible, too. Only those nodes show up that hold the authorized cost centers in accordance to the authorization.
    If the auth relevant 0COSTCENTER__RACCAUT0 is not used in the query definition by either not taking it in as a filter or skipping the Auth variable, the query will launch the message that the authorization is missing. No data show up at all.
    Claus
    See this thread:
    Analysis Authorization based on Hier node with multiple display hierarchies
    I am also in the same situation as you and need to understadn your solution. I understand that you created a Nav Attr on 0COSTCENTER and made this auth relevant whilst ensuring that 0COSTCENTER is NOT auth relevant. This is all fine. The issue was you have multiple hierachies for 0COSTCENTER, how did the new Nav Attr help you solve your issue. When loading 0COSTCENTER what values did you load ino the new Nav Attribute and how did that link to the hierachies? Also, in RSECADMIN you created hiearchy nodes based on the Nav Attribute but I am confused as to what values you have in the Nav Attr.
    I appreciate if you can share your solution from the past in more details.
    many thanks

  • Web Intelligence Report + BI 7.0 Analysis Authorizations

    Hello Experts,
    I have created a report on a universe based in a SAP BW InfoCube that contains an authorization relevant InfoObject (Company Code).
    BW Analysis authorization have been set up for this cube in such way that the user should have access only to data containing one of the two values of Company Code (lets say for example that the user can access value "A").
    It seems to be working fine when testing them via a BEx Query or via rsecadmin (rsrt with detailed analysis authorization logs). When the test user tries to view the full contents of the specific cube gets an "access denied" message (this is normal), whereas if the user runs a report with a filter "A" on Company Code the report returns the results as it should have. So far so good.
    For testing use within Web Intelligence, I have created the following Single Sign On (SSO) universes: a)directly on the cube, b)via a "select all" query and finally c)via a filtered query (filtering the exact allowed values of analysis authorization of the test user). All of the above have unfortunately the exact same issues:
    When a test user with limited analysis authorization (i.e. a user that can only access value "A" of Company Code) tries to view a report on either of these universes, then the result is the following message when trying to execute the query "A database error occured. The database error text is: Error loading cube MyCube/MyQuery (catalog MyCube): Unknown error. (WIS 10901)"
    I have tried several settings on the universe (like filter working on LoV as well) but none helped.
    If we replace the user's analysis authorizations with full access on company code (values "A" and "B") the query runs as it should have.
    Any ideas?
    Best regards
    Giorgos

    Hi,
    has the Universe been created on the cube level or on the query level ?
    In case it is on the cube level it will fail because :
    Analysis authorizations are not based on authorization objects. Instead, you create authorizations that include a group of characteristics. You restrict the values for these characteristics.
    The authorizations can include any authorization-relevant characteristics, and treat single values, intervals, and hierarchy authorizations in the same way. Navigation attributes can also be flagged as authorization-relevant in the attribute maintenance for characteristics and can be added to authorizations as separate characteristics.
    You can then assign this authorization to one or more users.
    All characteristics flagged as authorization-relevant are checked when a query is executed.
    *A query always selects a set of data from the database. If authorization-relevant characteristics are part of this data, you have to make sure that the user who is executing the query has sufficient authorization for the complete selection. Otherwise, an error message is displayed indicating that the authorization is not sufficient. In principle, the authorizations do not work as filters. Very restricted exceptions to this rule are hierarchies in the drilldown and variables that are filled depending on authorizations. Hierarchies are mostly restricted to the authorized nodes, and variables that are filled depending on authorizations act like filters for the authorized values for the particular characteristic*
    Ingo

  • [BO over SAP BW] Web Intelligence Report + BI 7.0 Analysis Authorizations

    Hello Experts,
    I have created a report on a universe based in a SAP BW InfoCube that contains an authorization relevant InfoObject (Company Code).
    BW Analysis authorization have been set up for this cube in such way that the user should have access only to data containing one of the two values of Company Code (lets say for example that the user can access value "A").
    It seems to be working fine when testing them via a BEx Query or via rsecadmin (rsrt with detailed analysis authorization logs). When the test user tries to view the full contents of the specific cube gets an "access denied" message (this is normal), whereas if the user runs a report with a filter "A" on Company Code the report returns the results as it should have. So far so good.
    For testing use within Web Intelligence, I have created the following Single Sign On (SSO) universes: a)directly on the cube, b)via a "select all" query and finally c)via a filtered query (filtering the exact allowed values of analysis authorization of the test user). All of the above have unfortunately the exact same issues:
    When a test user with limited analysis authorization (i.e. a user that can only access value "A" of Company Code) tries to view a report on either of these universes, then the result is the following message when trying to execute the query "A database error occured. The database error text is: Error loading cube MyCube/MyQuery (catalog MyCube): Unknown error. (WIS 10901)"
    I have tried several settings on the universe (like filter working on LoV as well) but none helped.
    If we replace the user's analysis authorizations with full access on company code (values "A" and "B") the query runs as it should have.
    Any ideas?
    Best regards
    Giorgos

    Hi,
    has the Universe been created on the cube level or on the query level ?
    In case it is on the cube level it will fail because :
    Analysis authorizations are not based on authorization objects. Instead, you create authorizations that include a group of characteristics. You restrict the values for these characteristics.
    The authorizations can include any authorization-relevant characteristics, and treat single values, intervals, and hierarchy authorizations in the same way. Navigation attributes can also be flagged as authorization-relevant in the attribute maintenance for characteristics and can be added to authorizations as separate characteristics.
    You can then assign this authorization to one or more users.
    All characteristics flagged as authorization-relevant are checked when a query is executed.
    *A query always selects a set of data from the database. If authorization-relevant characteristics are part of this data, you have to make sure that the user who is executing the query has sufficient authorization for the complete selection. Otherwise, an error message is displayed indicating that the authorization is not sufficient. In principle, the authorizations do not work as filters. Very restricted exceptions to this rule are hierarchies in the drilldown and variables that are filled depending on authorizations. Hierarchies are mostly restricted to the authorized nodes, and variables that are filled depending on authorizations act like filters for the authorized values for the particular characteristic*
    Ingo

  • Need analysis authorization help

    Hello Gurus,
    Could someone please help me out with my Analysis Authorization issue?
    We have a BW query and workbook outputting "Tcode usage" like the following:
    UserGroup| Username| Tcodename| Frequency
    This one has been running long time without any problems in reporting authorization, but now We want to get it restricted and only allow data associated group HR to display using new Analysis authorization. The scenario for this report is as follows:
    1. Rsecadmin >Maintenance> Create New authorization "Group" which consists of 4 characteristics: 0TCAACTVT, 0TCAIPROV, 0TCAVALID and 0TCTUSRGRP(which is the characteristic about group name and already authorizatio relevant). Set 0TCTUSRGRP "EQ HR".
    2.Assigned this authorization to a role using PFCG through the S_RS_AUTH. Other authorization objects in this role are:   S_BDS_D, S_BDS_DS, S_RS_MPRO, S_RSEC, S_RS_COMP, S_RS_COMP1, S_RS_HIER, S_RS_ICUBE, S_RS_ODSO.
    3.In BEx analyzer, set type: Characteristic Values and Variable filled from authorization and value "Selection Option". Unselected "ready for input". Put the characteristic associated with group name to filter windown on the top righ hand side of the Query Designer. Also compare users in PFCG.
    The question is the I still get all data about all groups. Looks like the authorization group doesn't work. I  used the "execute as " and get no errors back.
    Note: I didn't use "generation" to create the new authorization in Rsecadmin
    Thank you very much for any answers!
    Haifeng

    I guess i have found the reason why my authorization dosen't work. I don't activate infoObjects 0TCA* and 0TCT* and infoCubes 0TCA* as well. But another thing I am confused about is :
    Should I activate HR and CO businees content for authorizations 0TCA_DS02OTCA_DS05 and 0CCA_O010CCA_O03 before i get started? or should i run generation everytime i create a new authorization using Maintenance in Rsecadmin?
    Haifeng

  • BI 7.0 Analysis Authorization issue: some reports displaying a blank page.

    Hi All,
    This is regarding BI 7.0 Analysis Authorization issue.
    Overview:
    we have restricted some queries at infoobject level.
    Issue:
    a. For some of the queries, we can see the selection screen but when we try to execute the query by clicking on the execute button (Queries WAD) we get a blank page, meaning nothing is displayed on the output (white/Blank screen).
    b. When we execute the same query through RSRT, we get a message which says "Disconnecting from BW server..".
    c. Let me explain further on this. Basically we are doing this in order to have limited access to Auditors at the client side. At the same time normal users should not get impacted due to this, hence we created two roles. One for normal users and other for Auditors.
    d.  Now the thing is that we execute the same report with normal user ID's the report executes properly and displays the output. it does not show the blank page.
    e. But when we execute the same report with Auditors ID then we get a blank page.
    Any idea why this is so?

    Hi Neha,
    I tried the below also,
    GL Acnt
    I EQ 0000134010
    I EQ :
    but still it didn't work.
    No Infoobject is missing in Authorization Object.
    For your point, "rsecadmin - > analysis -> execute as -> check for the desired user & analyze the log" it didnu2019t allow me to analyze, since as soon as click on execute button a pop-up comes up saying "Disconnecting from the BW server..."
    As mentioned earlier also it is giving me the below message,
    ""I>> Row: 103 Inc: AUTHORITY_02 Prog: CL_RSR_RRK0_AUTHORIZATION                                                                       RS_EXCEPTION        301CL_RSR_RRK0_AUTHORIZATION                         AUTHORITY_02"
    Kindly suggest, since this is a show-stopper for us!
    Thanks,
    Ishdeep Kohli.

  • BW Analysis Authorization on two charcteristics issue

    I am familiar with analysis authorizations in BW 7.0 and worked on it.
    Today we have blanket authorization (RSECADMIN) for 0TAX_NUMB = *. Meaning user who has this auth/role can see values (from where ever 0TAX_NUMB is used, all company codes etc). And as you might know 0TAX_NUMB is used in 0VENDOR & 0CUSTOMER master data (as an attribute). This works well, because its easy
    Now, new requirement is to create more strict analysis authorizations for 0TAX_NUMB based on other characteristic values.
    Auth1 (should apply to 0TAX_NUMB used in 0VENDOR):
    0TAX_NUMB = all values and only for vendor account group = XXX
    Auth2 (should apply to 0TAX_NUMB used in 0VENDOR):
    0TAX_NUMB = all values and only for vendor account group = yyy
    Auth3 (should apply to 0TAX_NUMB used in 0VENDOR):
    0TAX_NUMB = all values and only for vendor account group = zzz
    Auth4 (should apply to 0TAX_NUMB used anywhere other than 0VENDOR, for example, as I said above its also used in 0CUSTOMER and may be used elsewhere in future):
    0TAX_NUMB = all values
    Do I also need to add 0CUSTOMER here? unable to visualize!!!
    Also, 0TAX_NUMB and Vendor account group will have colon authorization.
    So, at this time I am not sure how this will impact other queries with following scenario(s):
    User1 has auth1:
    Here, User1 can see tax_numb values for vendor act grp XXX, thats good, so far.
    But can user see query results where tax_numb is not used but would like to see all vendor account group related data (or other than value XXX)?
    User2 has auth4:
    Since this auth has blanket tax_numb, can user2 see all values for tax_numb used in 0CUSTOMER (which he/she should) and also in 0VENDOR (he/she should not)...
    And what about queries that do not have 0TAX_NUMB (but infoprovider has)? Colon auth on TAX_NUMB & Vendor act grp would resolve this?
    I appreciate your thoughts on this. We are BW 7.01 (Ehp1), SPS10.
    Regards
    -Bala
    Edited by: Bala Shetty on Dec 15, 2011 12:02 AM
    Edited by: Bala Shetty on Dec 15, 2011 12:04 AM
    Edited by: Bala Shetty on Dec 15, 2011 12:05 AM
    Edited by: Bala Shetty on Dec 15, 2011 12:09 AM

    Thank you Sushant.
    I am aware of these notes and provide basic information and also usage of value restrictions. I am looking for usage of different combinations for multiple characteristics (especially the attributes of master data)....
    Regards
    -Bala

  • Hierarchy Analysis Authorization in BW and BOBJ Webi Report

    Hello,
    We have a scenario wherein we have implemented Analysis Authorizations (Hierarchy) on Organizational Unit info object (0ORGUNIT) and need to report on BOBJ WEBI. Our scenario is as following
    ORGUNIT    - L0 (Overall Enterprise Level)     
    -     L1 (Enterprise - Continent Wise Split)
    -     L2 (Enterprise u2013 Country Wise Split)
    -     L3(Enterprise u2013 City Wise Split)
    E.G- 
          LO (Company ABC) MANAGER 0 will have access to the entire organization
               -L1 (ASIA) MANAGER1 will have access to ASIAN Subcontinent
                      -L2 (India) MANAGER 2 will have Access to country India
                                -L3 (New Delhi) MANAGER 2.1 will have access to city Delhi
                                -L3 (Mumbai) MANAGER 2.2 will have access to city Mumbai
                       -L2 (Malaysia) MANAGER 3 will have access to Country Malaysia
                                  -L3 (Kuala Lampur)
                                  -L3 (pahang)
                 - L1 (Europe)
                                            u2026..
    The requirement is that the CEO of the company should be able to see the entire set of data ( L0-L4).We have continent managers who can see that data specific to their continent, similarly at L3 Level the city manageru2019s should see the data only for their specific city.
    In BI we have used analysis authorization based on hierarchies. We have created an authorization object say ZAUTH1 and have assigned the hierarchy L0 from RSECADMIN. Now, in Webi when we create a report a sample row comes as :
    L0 Org Unit     L1 Org Unit     L2 Org Unit     L3 Org Unit     SALES Key Figure
    Company ABC     Asia          India          Mumbai          1000
    Now, we have MANAGER 2.2 who has only access to the data specific to his city (Mumbai). There is an Analysis Authorization object created for him ZAUTH2, by ONLY assigning the org unit hierarchy L3 (for Mumbai). When we run the bex report with the user MANAGER 2.2 u2013 it correctly displays the result and the user is only able to see the data for L3 Org Unit (Mumbai). However when you bring this data to Webi u2013 the report comes in the below format:
    L0 Org Unit     L1 Org Unit     L2 Org Unit     L3 Org Unit     SALES Key Figure
    Mumbai                                           1000
    The L3 org unit has now got assigned to L0 Org unit , as this is the only org unit assigned to the MANAGER 2.2 user .
    In such a case we are not able to write any generic formulae for the report. Is there a way to correct this issue? u2018Mumbaiu2019 should either get assigned to the L3 OrgUnit column is webi report , or is there a workaround that is possible ?
    Thanks and Best Regards,
    Vj

    Hi Vijay,
    The problem you speak of is known and comes from the fact that the hierachy is flattened in the process of delivering it to WebI. Therefore there is no real 'solution' to the problem, just some work-arounds you can think of...
    1)
    Create a report variable that starts looking at the lowest level, if it is empty check one up, and so on until you found what you were looking for (the lowest leaf available), which by definition must be there (even if it is top level).
    Using similar logic you can also get a 'number of levels avaible' and so fill in the complete tree (duplicating the highest level).
    This is difficult to explain when end users create their own reports, though you could provide a template report with these variables in there already.
    2)
    Extend the hierarchy with duplicates below the lowest level.
    So i.e. L0 Company - L1 Continent - L2 Country - L3 City- L4 City - L5 City- L6 City.
    This will give back on the four levels for top authorization
    L0 Company - L1 Continent - L2 Country - L3 City
    For authorization on Continent:
    L0 Continent - L1 Country - L2 City- L3 City
    For autorization City
    L0 City- L1 City - L2 City- L3 City
    So in all situations the fourth level, the L3 Object will hold the City level.
    This you can then use in your report.
    Hope this helps,
    Marianne

  • Impact of Analysis Authorization on Users using old Authorization

    Hi All,
    I have question regarding Analysis Authorization. Our system has old authorization concept and as part of our project we decided to go for Analysis authorization for Cost Center object. We activated analysis authorization for cost center, assigned it to test user id and found that its working fine in Dev. But it has impacted other users in the system. They are not able to access any other reports and data providers which were not even referring cost center. What is the proper way to activate analysis authorization without impacting access to existing users.
    - Som

    Hello Andreas,
    Sorry to ask you directly here, I didn't get answer from this forum. We will migrate to the new analysis authorization from old reporting concept. I have read the book "An Expert guide to new SAP BI security features" by SAP Lavs, but still confused with some parts. My questions is:
    Are there two ways to create authorizations as follows?
    1. we can type tcode rsecadmin>Maintence button>create a new authorization.
    2. the following part taken from the book:
    Steps for Generating Authorizations
    1. Activate Business content
    2. Load Datastore objects
    3. Generate Authorizations
    4. View Generation Log.
    In the first step, OTCA_DS01 to OTCA_DS05 and OCCA_O01 to OCCA_O03 are Datastore objects required to be activated.
    In the second step, tcode rsecadmin-->generation button --> type OTCA_SDS01 to OTCA_DS05 into respective filed. Should we always type these 5 objects everytime when we create authorization?
    When we should use the second way to create authorizations? and what is the diffrence between them?
    Any answers will be appreciated. Thank you very much in advance!
    Haifeng

Maybe you are looking for