Analysis Authorization for nav Attr Issue

Hello:
I have a 0COMP_CODE as an attribute of 0SALSORG and it is marked as authorization relevant. i.e 0SALESORG_0COMP_CODE is authorization relevant.
I created an analysis authorization Object ZCOMPCODE_1000 by adding following in it.
InfoObject Value
0COMP_CODE = 1000
0SALESORG = *
0SALESORG_0COMP_CODE = 1000
0TCAACTVT = *
0TCAIPROV - *
0TCAKYFNM = *
0TCAVALID = *
Now I have a report on a cube which has 0SALESORG as char and also 0SALESORG as a variable on selection.
When I run a query for sales org = 1000, I can see rsults as sales org 1000 is assigned to company code 1000.
If I run report for sales org 2000, I should get not authorized message as 2000 is not assigned to company code 1000 and I only have a role assigned to me which has analysis authorization object ZCOMPCODE_1000. But Still I am getting report results.
Please explain Why and How can I overcome this issue.
Thanks

First of all it is strange that we see two appearances of sales org.
0SALESORG = *
0SALESORG_0COMP_CODE = 1000
Probably the star value overrides the setting in the second one.
Besides did you create the variable in the query as authorization relevant or you will have problems there.

Similar Messages

BW Analysis Authorization on two charcteristics issue

I am familiar with analysis authorizations in BW 7.0 and worked on it.
Today we have blanket authorization (RSECADMIN) for 0TAX_NUMB = *. Meaning user who has this auth/role can see values (from where ever 0TAX_NUMB is used, all company codes etc). And as you might know 0TAX_NUMB is used in 0VENDOR & 0CUSTOMER master data (as an attribute). This works well, because its easy
Now, new requirement is to create more strict analysis authorizations for 0TAX_NUMB based on other characteristic values.
Auth1 (should apply to 0TAX_NUMB used in 0VENDOR):
0TAX_NUMB = all values and only for vendor account group = XXX
Auth2 (should apply to 0TAX_NUMB used in 0VENDOR):
0TAX_NUMB = all values and only for vendor account group = yyy
Auth3 (should apply to 0TAX_NUMB used in 0VENDOR):
0TAX_NUMB = all values and only for vendor account group = zzz
Auth4 (should apply to 0TAX_NUMB used anywhere other than 0VENDOR, for example, as I said above its also used in 0CUSTOMER and may be used elsewhere in future):
0TAX_NUMB = all values
Do I also need to add 0CUSTOMER here? unable to visualize!!!
Also, 0TAX_NUMB and Vendor account group will have colon authorization.
So, at this time I am not sure how this will impact other queries with following scenario(s):
User1 has auth1:
Here, User1 can see tax_numb values for vendor act grp XXX, thats good, so far.
But can user see query results where tax_numb is not used but would like to see all vendor account group related data (or other than value XXX)?
User2 has auth4:
Since this auth has blanket tax_numb, can user2 see all values for tax_numb used in 0CUSTOMER (which he/she should) and also in 0VENDOR (he/she should not)...
And what about queries that do not have 0TAX_NUMB (but infoprovider has)? Colon auth on TAX_NUMB & Vendor act grp would resolve this?
I appreciate your thoughts on this. We are BW 7.01 (Ehp1), SPS10.
Regards
-Bala
Edited by: Bala Shetty on Dec 15, 2011 12:02 AM
Edited by: Bala Shetty on Dec 15, 2011 12:04 AM
Edited by: Bala Shetty on Dec 15, 2011 12:05 AM
Edited by: Bala Shetty on Dec 15, 2011 12:09 AM

Thank you Sushant.
I am aware of these notes and provide basic information and also usage of value restrictions. I am looking for usage of different combinations for multiple characteristics (especially the attributes of master data)....
Regards
-Bala

Problem wih analysis authorization for two scenarios on same data provider

Dear all,
I am looking for a solution on the following authorization scenario (using the new analysis authorization). Unfortunately everything that I tried did not work out as expected:
User A is allowed to manually access query 1 (based on cube A) with authorization on all sites A-Z
The same user A shall get an email distribution automatically (derivation of the filter in the query out of the authorization) for query 2, which is as well based on cube A, but this time the authorization shall be limited only to site A.
As both queries are based on the same infoobject (0PLANT) and the same infoprovider (0TCAIPROV) I always get the result for all sites A-Z. The 0TCAACTVT is in both cases 03 (display), so I have no chance to distinguish between reporting and email distribution.
Probably the only chance would be to derive the values for the email distribution scenario not from the authorization directly, but using a customer exit to fill the filter - but I would prefer a "standard" solution...
Any ideas??
Thanks,
Andreas

Dear Andreas,
Before give you an alternative for you problem, Iu2019d like to comment the combining authorization concept:
http://help.sap.com/saphelp_nw70/helpdata/EN/46/98cd87f37d19ace10000000a11466f/frameset.htm
For this reason I suggest you which combing restriction through authorization and query filter. For query 2 try to use in 0PLANT characteristic the single value u201Csite Au201D, this restriction give you only authorization for see this value.
Otherwise, you have to use customer exit.
I hope that alternative help you to find a solution,
Luis

Analysis Authorization failed for Multiprovider

Hi all,
We are facing an issue pertaining to the Analysis Authorization for a multiprovider. When we attempt to access a query base on a multiprovider, the program complains that it has insufficient authorization. So we did debugging in the customer exit and we realise it fails to populate the rest of the authorization variables in I_step = 0. Base on our initial investigation this only happens on queries on multiprovider, so is there anything I need to set or do to curb this error?
Many thanks!

Best solution is to trace the authorization for your issue in ST01.
Switch on the trace in ST01 and start your work. if you face authoirzation check failed. look into the trace there you will find the logs and authorization failed for your userid.
And one more thing, have you got anything in SU53 as authorization check failed?
Hope this would help you.

Rational approach for Analysis Authorization:

This post is regarding the implementation of Analysis Authorization. Considering the role based approach; please let me know the optimized way to implement the analysis authorization such that there will be very low maintenance.
For e.g. I have queries which need to be restricted at data level PLANT wise. So I mark the characteristic 0PLANT as authorization relevant. There are 150 plants so I create the 150 Analysis Authorizations and put each one of them in roles (1:1) resulting in 150 roles. In addition; 151th Role and Analysis Authorization for ALL plant access.
Now to restrict the queries themselves, I create a Role with object S_RS_COMP , S_RS_COMP1 (For queries) ; S_USER_AGR and S_USER_TCD( for workbooks).
Then I create a composite role with above 2 single roles (one containing AA and other role for Query restriction)and assign it to user.
Now suppose when I need to restrict data at some other level say DIVISION wise. Then I would be again creating analysis authorization for all the divisions and putting them in roles.
Using this approach ; there would be many roles and analysis authorizations. Also during production support it may be cumbersome to debug the errors.
Please comment if any other approach for implementing the above scenarios.
Regards,
Ajit
Edited by: Ajit Nadkarni on Apr 4, 2010 5:47 PM

Hi,
I had a similar requirement where in we had 178 plants and each plant manager has to see their own site by default in the selection screen when they run the query.
By defalut it should display there own site but its not restricted to only that site. Managers can also look into other sites but by default they wanted their own site to be displayed.
So I have created DSO and did mapping with username and store. And in query I created a variable in plant of type customerexit and written exit in CMOd using I_STEP 1. This solved our requirement. But to restrict to particular site i guess we can extend the routine in cmod.
Thanks
Srikanth

How to get Query Results based on Analysis Authorization Ranges????

Hi Experts,
I have gone through the lot of SDN Links, however not able to find the answer to my question.
I have an Authorization Issue, NO Authorization
Error : EYE 007 ( Insufficient Authorizations )
Here is the issue:
Need to see the complete query result when I gave the range in Analysis Authorization for Controlling Area 001-005. Controlling Area is auth relevant and right now a variable is inserted in the query for it. If I select Controlling Area 001, the result for Controlling Area 001 is displayed in query. If 002 then also displayed. If I do not enter anything, then I get the Eye 007 error message.
I am not sure how do I display/authorize the entire result in the query for all the Controlling Areas, I have authorized user to see??
Its really urgent, please help..!
Here are the logs:
Authorization Check Log
Date and Execution Time (Local Server)
Execution Date: 06.09.2007
Execution Time: 14:48:41
Executed Query: 0CCA_C11/GBCCA_MP01_Q0002_AP
Executed by User ZBI_TEST_001
Executed with Analysis Authorizations of Another User ZBI_TEST_001
InfoProvider Check
Building the Buffer...
...Buffer Built
Are there authorizations for accessing InfoProvider 0CCA_C11 with activity 03?
Authorization exists for general access to InfoProvider 0CCA_C11 with activity 03
InfoProvider Check
Authorization exists for general access to InfoProvider 0CCA_C11 with activity 03
Relevant Characteristics for Detailed Authorization Check
(Characteristics with Full Authorization Are Not Listed!)
List of Effective Authorization-Relevant Characteristics for InfoProvider 0CCA_C11:
0CO_AREA
0TCAACTVT
Relevant Characteristics for Detailed Authorization Check
(Characteristics with Full Authorization Are Not Listed!)
List of Effective Authorization-Relevant Characteristics for InfoProvider :
List Is Empty:
There Are No Characteristics That Have to Be Checked in Detail
Authorization Check
Detail Check for InfoProvider 0CCA_C11
Preprocessing:
Selection Checked for Consistency, Preprocessed and Supplemented As Needed
Subselection (Technical SUBNR) 1
Check Node Definitions and Value Authorizations...
Node- and Value Authorizations Are OK
End of Preprocessing
Filling the Buffer...
...Buffer Filled
Main Check:
Subselection (Technical SUBNR) 1
Supplementation of Selection for Aggregated Characteristics
No Check for Aggregation Authorization Required
Following Set Is Checked Comparison with Following Authorized Set Result Remaining Set
Characteristic Contents
0CO_AREA
0TCAACTVT
SQL Format:
CO_AREA = '0003'
AND TCAACTVT = '03'
Characteristic Contents
0CO_AREA I BT 0001 0005
0TCAACTVT I EQ 03
I EQ 16
Authorized
Subselection (SUBNR) Is Authorized
Authorization Check Complete
Authorization Check
Detail Check for InfoProvider 0CCA_C11
Preprocessing:
Selection Checked for Consistency, Preprocessed and Supplemented As Needed
Subselection (Technical SUBNR) 1
Check Node Definitions and Value Authorizations...
Node- and Value Authorizations Are OK
End of Preprocessing
Filling the Buffer...
...Buffer Filled
Main Check:
Subselection (Technical SUBNR) 1
Supplementation of Selection for Aggregated Characteristics
No Check for Aggregation Authorization Required
Following Set Is Checked Comparison with Following Authorized Set Result Remaining Set
Characteristic Contents
0CO_AREA
0TCAACTVT
SQL Format:
TCAACTVT = '03'
Characteristic Contents
0CO_AREA I BT 0001 0005
0TCAACTVT I EQ 03
I EQ 16
Partially or Fully Authorized (Intersection) Characteristic Contents
0CO_AREA
0TCAACTVT
SQL Format:
( CO_AREA < '0001'
OR CO_AREA > '0005' )
AND TCAACTVT = '03'
Value selection partially authorized. Check of remainder at end
Following Set Is Checked Comparison with Following Authorized Set Result Remaining Set
Characteristic Contents
0CO_AREA
0TCAACTVT
SQL Format:
( CO_AREA < '0001'
OR CO_AREA > '0005' )
AND TCAACTVT = '03'
Characteristic Contents
0CO_AREA I BT 0001 0005
0TCAACTVT I EQ 03
I EQ 16
Not Authorized
All Authorizations Tested
Message EYE007: You do not have sufficient authorization
No Sufficient Authorization for This Subselection (SUBNR)
Following CHANMIDs Are Affected:
184 ( 0CO_AREA )
Authorization Check Complete

Hi,
 Have you defined the vaule for 0CO_AREA as BT 001-005 in you Authorization for 0CO_AREA.Also how have you defined your Authorization Variable on the query? Have you define as select options or interval? I thing you need to define it as interval or select options.
Hope it helps,
Cheers,
Balaji

BW authorizations for universe connections

Hello experts,
Is it possible to use a universe without giving the user 0BI_ALL authorization? We want the same user to connect via BICS and universe and if we use 0BI_ALL for universe connections, the analysis authorizations for BICS doesn't work.
Any idea on how to have row security levels on both connections at same time?
We are using BW 7.0 and BO 4.0 SP5.
Many thanks in advance.

Hello David,
using BI Authorizations in BW and then adding data level security in the Universe on top of that will only lead to situations like you have now.
Data Level security goes into BW alone or into the Universe alone, mixing both will lead to issues and remember that the Universe has far less capabilities in this area.
0BI_ALL is only related to data level security, so the fact that you see the request for 0BI_ALL in the trace clearly shows that your defined data level security entries contradict each other somehow and that BW then requires 0BI_ALL for the user to give the data that was requested.
like I said above, not a good idea to mix those data level security concepts. all data level security should be in BW already.
Also - why even use the Universe inbetween ?
regards
Ingo Hilgefort, SAP

Aggregation authorization within analysis authorizations

Hello,
The BW developers have created several queries that use aggregated data. When testing the queries with the end user ID (assigned to an end user role and analysis authorization), it is failing due to missing authorizations, particularly b/c of the following:
Supplementation of Selection for Aggregated
Characteristics
Check Added for Aggregation Authorization:     0COMP_CODE
Check Added for Aggregation Authorization:     0PLANT
All Authorizations Tested
Message EYE007: You Do Not Have Sufficient Authorization
No Sufficient Authorization for This Subselection (SUBNR)
Following CHANMIDs Are Affected:
142 ( 0COMP_CODE )
189 ( 0PLANT )
192 ( 0SALESORG )
In the BI documentation, it specifies that : (colon): allows only aggregated access to data (e.g. allows information on all sales areas only on aggregated level not on particular countries). Is this ( specified as a value within the particular characteristics? I also tried to select the "aggregation authorization" icon within txn code RSECADMIN and this did not help.
Any help would be GREATLY appreciated.

Updated: For the analysis authorization, for these characteristics, in addition to the specific values, there is an entry for ":" and this did not resolve the issue.
Authorization Check
Detail Check for InfoProvider ZBL_13IT
Preprocessing:
Selection Checked for Consistency, Preprocessed and Supplemented As Needed
Subselection (Technical SUBNR) 1
Check Node Definitions and Value Authorizations...
Node- and Value Authorizations Are OK
End of Preprocessing
Main Check:
Subselection (Technical SUBNR) 1
Supplementation of Selection for Aggregated Characteristics
Check Added for Aggregation Authorization:     0COMP_CODE
Check Added for Aggregation Authorization:     0PLANT
Following Set Is Checked Comparison with Following Authorized Set Result Restmenge
Characteristic Contents
0PLANT
0SALESORG
0TCAACTVT
0COMP_CODE
SQL Format:
COMP_CODE = ':'
AND PLANT = ':'
AND SALES
ORG = '0403'
AND TCAACTVT = '03'
Characteristic Contents
0PLANT I EQ IC01
I EQ IC02
I EQ IC03
I EQ IE02
I EQ IE04
I EQ IZ01
I EQ MC01
I EQ ME01
I EQ :
0SALESORG I EQ 0301
I EQ 0341
I EQ :
0TCAACTVT I EQ 03
I EQ :
0COMP_CODE I EQ 0327
I EQ 0341
I EQ :
Not Authorized
All Authorizations Tested
Message EYE007: You Do Not Have Sufficient Authorization
No Sufficient Authorization for This Subselection (SUBNR)
Following CHANMIDs Are Affected:
142 ( 0COMP_CODE )
189 ( 0PLANT )
192 ( 0SALESORG )
Authorization Check Complete

Impact of Analysis Authorization on Users using old Authorization

Hi All,
I have question regarding Analysis Authorization. Our system has old authorization concept and as part of our project we decided to go for Analysis authorization for Cost Center object. We activated analysis authorization for cost center, assigned it to test user id and found that its working fine in Dev. But it has impacted other users in the system. They are not able to access any other reports and data providers which were not even referring cost center. What is the proper way to activate analysis authorization without impacting access to existing users.
- Som

Hello Andreas,
Sorry to ask you directly here, I didn't get answer from this forum. We will migrate to the new analysis authorization from old reporting concept. I have read the book "An Expert guide to new SAP BI security features" by SAP Lavs, but still confused with some parts. My questions is:
Are there two ways to create authorizations as follows?
1. we can type tcode rsecadmin>Maintence button>create a new authorization.
2. the following part taken from the book:
Steps for Generating Authorizations
1. Activate Business content
2. Load Datastore objects
3. Generate Authorizations
4. View Generation Log.
In the first step, OTCA_DS01 to OTCA_DS05 and OCCA_O01 to OCCA_O03 are Datastore objects required to be activated.
In the second step, tcode rsecadmin-->generation button --> type OTCA_SDS01 to OTCA_DS05 into respective filed. Should we always type these 5 objects everytime when we create authorization?
When we should use the second way to create authorizations? and what is the diffrence between them?
Any answers will be appreciated. Thank you very much in advance!
Haifeng

Analysis Authorization problem (new BI auth concept)

Hi,
I am trying to implement a analysis authorization for controlling the sales organization characteristic.
I am working in a APO system.... when I set a * in the value list for the sales organization ..... I can select characteristic in demanding Planing without problem....
but when I create a whole list of all possible values (selecting from a pop up list) in the analysis authorization like this
I EQ 2000
I EQ 2001
I get a message :
You do not have authorization for all the
characteristic values selected
I will appreciate any idea
Thanks
FedeX

Hi,
I was able to trace the problem...and now I do not understand why I get as Result : "Not Authorized"
here the last part of that trace log:
Value selection partially authorized. Check of remainder at end
Following Set Is Checked
Contents
SQL Format:
NOT /BIC/YWSO_S
ORG IN ('#','0605','0624','0625','0707','0807','2000','2001','707','807',':')
AND TCAACTVT = '03'
Comparison with Following Authorized Set
Characteristic Contents
0TCAACTVT I CP *
I EQ #
I EQ 0605
I EQ 0624
I EQ 0625
I EQ 0707
I EQ 0807
I EQ 2000
I EQ 2001
I EQ 707
I EQ 807
I EQ :
Result
Not Authorized
All Authorizations Tested
Message EYE007: You do not have sufficient authorization
No Sufficient Authorization for This Subselection (SUBNR)
Following CHANMIDs Are Affected:
103 ( <charac name> )
Remaining Set
<no info in this column>
I really not identify any difference between the data in Following Set Is Checked and Comparison with Following Authorized Set
well if someone has some idea... I will appreciate it.
Thanks
FedeX
Edited by: FedeX on Apr 1, 2009 4:33 PM

Analysis Authorization mass maintenance

Hi All,
During the migration, due to Complexity of our complex BW 3.5 authorization setup we are end up in BI 7 New Design where we have to maintain new Cube to more than 150 Analysis Authorizations each time when we have new Cubes comes.
Do you guys know any method where you can update the new cube to large no of Analysis Authorization (for ex 150) instead of doing manually? Due to complexity of the old design itu2019s very difficult for us to change the new design.
Looking forward for expert opinion.
BR,
Deepak

Hi,
As per my knowledge, it is always recommended to maintain the Analysis authorizations individually. However, you may refer the below thread:
Analysis Authorization Mass Maintenance
and also the below link:
http://help.sap.com/saphelp_nw73/helpdata/en/c4/057a2de519451faf1819dba4092887/content.htm
Hope this helps!!
Rgds,
Raghu

How to implement complex analysis authorizations in simple way

Hi All,
I need to create some analysis authorizations with long list of single values for a characteristics. For example, we have multiple set up of company codes (APAC, EAME, AMERICAS, etc) and each set contains 150 - 200 company codes in it. Now we have multiple combinations of company code set and geographies. In short, we will have multiple analysis authorizations and each will have one or two set of company codes and some geographies.
I can create the analysis authorizations for the first time, by putting individual values in the respective characteristics. That would be a big task but can be done. But the problem is about ongoing maintenance. In future, if a new company code is added to lets say APAC companies, then we will have to update all analysis authorizations which contains APAC company code and that would be huge number of AAs due to the complexity of business architecture.
Could anyone please suggest if it is possbile (and how) to do below or similar, or have any other better approach (using BW7.4)
- We would create a group (or set) of company codes. Lets say would create a group APAC_Comp_Code and add all APAC related company codes in it. This would be repeated for all set of compant codes.
- While creating analysis authorizatons, I would not assign any individual company code value in characteristic, instead put APA_Comp_Code inside the characteristic 0COMP_CODE.
- If I need to put multiple set of company codes inside 0COMP_CODE, I will just put the corresponding group name, not the invidual values.
The benefit would be that in future if I need to add a new company code to APAC, I would just have to update this group APAC_Comp_Code. I will not have to maintain the analysis authorizations.
Please let me know if this is possible or if there is any other way to implement the requirement with simpler maintenance.
Thanks
Nitesh Gupta

Hi Nitesh,
From what you describe, this would be a good case to use variables in your analysis authorisations. You can specify a variable value for the BUKRS field and have a couple of options to populate the values which are picked up in the query execution.
You will need to ensure that you activate the istep to read customer exit variables and have the query variable set as customer-exit. Once those are complete, you can create a custom table to maintain the mapping of groups to company codes, or to read the company codes directly from your ERP system (if you want to base authorisations on what the users can see in ERP) and populate the table with those values.
However you populate the value to the variable, I think this approach will get you closer to minimal maintenance going forward. Enhancement RSR00001 should be implemented, some help documentation for this below
http://help.sap.com/saphelp_nw70/helpdata/en/1d/ca10d858c2e949ba4a152c44f8128a/content.htm
Hope this helps,
Tom

Table that stores Analysis authorization values

Hi all,
       We generated analysis authorizations for users on Profit centers. In RSECADMIN for each user we see an automatic authorization object being assigned with a name like RSR_000234 so on. We can see the values (profit centers) for this object when we double click on it. I would like to create a list of all users and the assigned profit centers. Can you please tell me if a table is available to get this list.
Thanks,
Ram.

Chetan,
         We are loading authorizations values to 0PROFIT_CTR from ECC and flatfile into the Authorization DSO's and generating authorizations to assing the profit centers to users. I would like to see the profit centers assigned to a user. For example suppose if a user is assigned a particular region. I would like to see all the values of the profit centers assigned to the user from a table rather than going to the hierarchy and getting the list for each region.
        The tables that you specified give the userid and the technical name of the authorization(RSR_000234..) but I would like to see the actual values in the authorization.
      Hope I am clear. Thank you for your assistance.
Ram.

Standard authorization concept versus analysis authorizations

Hi
I am bit confused about the necessity of maintaining both.
Example:
I have designed an analysis authorizations for CO (Controlling), named CO_001:
InfoProvider: 0COOM_C02
Thereafter I have put the authorization object S_RS_AUTH into a role (standard authorization object) with CO_001 as value in BIAUTH.
Is there still a need to maintain authorization objects for Business Explorer or Business Planning, like:
S_RS_COMP (limiting to the InfoProvider mentioned in the analysis authorization)
S_RS_PLSE (limiting to a special aggregation level of the appropriate InfoProvider mentioned in the analysis authorization)
What happens when there is no limitations maintained in the role for these auth objects, "*"?
Which concepts dominates the other one?
Thanks
BEO

Hi BEOplanet,
S_RS_COMP will give you access to the Infoprovidor in BEx so this will be access level security.
Then Analysis authorization will give you the data level security within the infoprovidor (like what data you can see within the infoprovidor)
There fore you need to maintain both S_RS_COMP and Analysis Authorizations.
To your question ,if you have maintained the cube 0COOM_C02 in Analysis Authorization and S_RS_COMP has only 0PA_01 then the Query will fail since you dont have access to the cube 0COOM_C02 in S_RS_COMP.
Regards,
Karthik.

APO - Demand Planning: Tracing Analysis Authorizations

Hi,
I was wondering if there is a way to trace analysis authorizations for demand planning?
I have an APO concept that uses analysis authorizations. A user gets blocked in transaction /SAPAPO/SDP94
If I run ST01, the missing value is in S_RS_AUTH, meaning Analysis Authorizations are missing.
However,
I can't seem to find a way to trace transaction /SAPAPO/SDP94 as another user with RSECADMIN.
Any advice?
FYI - I do NOT want to assign 0BI_ALL.
Thanks for your help

Hello Mariano,
ST01 and SU53 tells me it's Analysis Authorizations that are missing.
It's asking for S_RS_AUTH object 0BI_ALL. If I assign 0BI_ALL everything works; but that is NOT what I want to do.
Hence I know it's related to Analysis Authorizations and I would like to know HOW to trace WHAT analysis authorizations are missing.
Best regards,
Tom

Analysis Authorization for nav Attr Issue

Similar Messages

Maybe you are looking for