Analysis Authorization & its compaitbility with BW 3.5 Query

Similar Messages

• Table for Analysis authorization along with values for authorization fields

  Hi,
  I am looking for table that contains the Analysis Authorization name along with values for all the authorization fields within this Analysis Authorization. Individually i can go to PFCG or Rsecadmin but since i need all the Analysis auth objects, i need to get this info into excel, so need a table.

  Hi Prashanth
    You can check RSECVAL that is appropriate for your requirement please let us know if any further help is needed.
  Thanks & Regards
  Santosh Varada

• Need analysis authorization help

  Hello Gurus,
  Could someone please help me out with my Analysis Authorization issue?
  We have a BW query and workbook outputting "Tcode usage" like the following:
  UserGroup| Username| Tcodename| Frequency
  This one has been running long time without any problems in reporting authorization, but now We want to get it restricted and only allow data associated group HR to display using new Analysis authorization. The scenario for this report is as follows:
  1. Rsecadmin >Maintenance> Create New authorization "Group" which consists of 4 characteristics: 0TCAACTVT, 0TCAIPROV, 0TCAVALID and 0TCTUSRGRP(which is the characteristic about group name and already authorizatio relevant). Set 0TCTUSRGRP "EQ HR".
  2.Assigned this authorization to a role using PFCG through the S_RS_AUTH. Other authorization objects in this role are:   S_BDS_D, S_BDS_DS, S_RS_MPRO, S_RSEC, S_RS_COMP, S_RS_COMP1, S_RS_HIER, S_RS_ICUBE, S_RS_ODSO.
  3.In BEx analyzer, set type: Characteristic Values and Variable filled from authorization and value "Selection Option". Unselected "ready for input". Put the characteristic associated with group name to filter windown on the top righ hand side of the Query Designer. Also compare users in PFCG.
  The question is the I still get all data about all groups. Looks like the authorization group doesn't work. I  used the "execute as " and get no errors back.
  Note: I didn't use "generation" to create the new authorization in Rsecadmin
  Thank you very much for any answers!
  Haifeng

  I guess i have found the reason why my authorization dosen't work. I don't activate infoObjects 0TCA* and 0TCT* and infoCubes 0TCA* as well. But another thing I am confused about is :
  Should I activate HR and CO businees content for authorizations 0TCA_DS02OTCA_DS05 and 0CCA_O010CCA_O03 before i get started? or should i run generation everytime i create a new authorization using Maintenance in Rsecadmin?
  Haifeng

• Analysis Authorization not working - Empty demarcation

  Can someone help me on this Analysis Authorization? I read many threads in SDN, it seems that I followed the correct steps. The restriction on S_RS_COMP is working well but the restriction on the Analysis Authorization is not working. Surely I'm making some mistake, but can't find what's wrong.
  I'm a User (say USER_00) in a test system, assigned to a Role (say Z:BI_USER). This is a broad role:
  - S_RS_COMP and S_RS_COMP1 have full authorization (*) to all the fields,
  - S_RS_AUTH has the BIAUTH field with Name of Authorization = *.
  Also I have an InfoArea (ZIA_TEST) and an InfoCube (ZIC_TEST). The IC has some characteristics and key figures. The only authorization relevant characteristic is ZCA_CLI (client). The IC has only 5 lines, one for each client ("CLI_01" to "CLI_05").
  Also there's a query (ZQR_TEST) on this IC, with an Authorization Variable (VAR_AUTH_CLI) restricting the characteristic ZCA_CLI.
  I'm trying to create a new User and restrict him to this IC and only to the data of client "CLI_01". If it works I'll apply to a production system.
  What I did:
  1) With tcode SU01 created a new User (USER_01) with no Role neither Analysis Authorization.
  2) With tcode PFCG copied the Role Z:BI_USER as Z:ROLE_TEST then made some changes:
  a) S_RS_COMP
  - Activity = 03 and 16
  - InfoArea = ZIA_TEST
  - InfoCube = ZIC_TEST
  - Type of report component = *
  - Name of report component = *.
  b) S_RS_COMP1
  - Kept * to all fields.
  c) S_RS_AUTH
  - I inactivated and deleted this Authorization Object.
  (I don't want to keep characteristic values restriction inside the role. The idea is to associate different users to the same role, allowing them to see the same ICs and execute the same queries. And differentiate wich characteristic values each one can see by manually associating different analysis authorization to each one.).
  3) With tcode RSECAUTH I created an Analysis Authorization (Z_AA_CLI_01) to restrict access only to client "CLI_01":
  - ZCA_CLI = "CLI_01"
  - 0TCAACTVT = "03"
  - 0TCAIPROV = "ZIC_TEST"
  - 0TCAVALID = "*".
  4) With tcode PFCG I assigned User "USER_01" to the Role " Z:ROLE_TEST" and made Complete Comparison.
  5) With tcode RSU01 I manually assigned Analysis Authorization " Z_AA_CLI_01" to User "USER_01".
  It seems to me that these steps are enough. But:
  a) When I log as USER_00 and go to tcode RSRT2, searching by InfoAreas I can see all the InfoAreas and all the InfoCubes, select and execute the query. That's OK.
  b) When I log as USER_01 and go to RSRT2, searching by InfoAreas I can see only ZIA_TEST and under it I can see only ZIC_TEST. That's OK. Then I select and execute the query.
  Wich means that S_RS_COMP is OK and each user is assigned to the correct Role.
  c) The problem is that in both cases the query brings data from all Clients.
  Under Information and Variable Values (when I run with HTML display) the message is "Empty demarcation".
  I changed the variable to be Ready for Input, just to see wich values it brings. In both cases (as USER_00 and as USER_01) in the Variable Screen it brings all the 5 Clients from the IC and I can select and execute any value.
  So the problem is with the Analysis Authorization or with the Variable, but I can't find what's wrong.
  Any help will be very appreciated.
  César

  OK Marc, it worked.
  Sorry for not answering earlier, but I could get back to this front only some days ago, then began testing your suggestions.
  1) Security Concept
  Authorization Mode was set to "Obsolete Concept with RSR Authorization Objects" (it would never work with this setting).
  I changed to "Current Procedure with Analysis Authorizations".
  Anyway, what's the function of this setting? Do old Reporting Authorizations work with "Current Procedure with Analysis Authorizations" setting?
  2) Variable Representation
  With "Multiple Single Values" it really led to problems.
  With "Selection Option" it worked well.
  3) 0TCAKYFNM
  I don't understand why, but if the AA doesn't have the char/dimension 0TCAKYFNM, when the User tries to run the query (tcode RSRT2) it accuses "You do not have sufficient authorization".
  Info Cube ZIC_VE95 has two KFs (ZKF_QTL95 and ZKF_VLT95). These KFs are used only on this IC (also in the KF Catalog, but it doesn't impact). This IC is used only on Query ZQR_VE95 (also in Transformation and DTP, wich doesn't impact).
  Well, I inserted 0TCAKYFNM and it worked, either with CP, "*" or with EQ, the two KFs.
  4) Authorization Policy Definition
  The situation I'm working on is very typical. Ex.: Some users are Administrators, Managers, Operator 1, Operator 2 and so on. Each Role needs authorization to access some queries. At the same time, they can access information only of the Cost Centers to wich they are related.
  There are many ways to implement it (I tested some of them and they worked well). My point is to define a most practical way, easy to understand and to maintain.
  I'm now sympathetic to this way:
  a) Create functional Roles (ex.: "Administrator", "Manager", "Operator 1", "Operator 2" and so on) defining only the Queries (or Info Areas, Info Providers, etc) each Role needs. No S_RS_AUTH definition.
  b) Create Char Value Roles (ex.: "CC_100_to_199", "CC_200_to_299", etc), only with S_RS_AUTH definition, each one associated with a corresponding AA (ex.: AA for CC 100 to 199, AA for CC 200 to 299 and so on).
  c) Create Composite Roles associating functional and char value Roles. Ex. Composite Role "Administrator for CC 100 to 199", composed of the Roles "Administrator" and "CC_100_to_199".
  d) Associate Users to the Composite Roles.
  Anyway, I'd appreciate if you could indicate some literature (blogs, articles, etc) on this theme.
  Well, thank you very much for your answers. Now I can go on with my studies on this subject.
  César Menezes

• Analysis Authorization Problem

  Hy, i have create a Analysis Authorization object ZCOMPCODE with 0COMPCODE as characteristic.
  So i assign this object to a users and i create a variable to filter 0COMPCODE with processing type "authorization".
  The problem is that when execute the BEx query i receive the message : No authorization.
  When assign 0BI_ALL to user the ZCOMPCODE has not effect but the query run correctly.
  How can i resolve this serious problem?
  Regards,
  Andrea Maraviglia

  Dear Andrea,
  When you have a problem with authorization data access, may be you need check the following stuff:
  1 All InfoObjects are relevant authorization (see Business Explorer the check box authorization relevant for each InfoObject Tcode RSD1) which these are part of InfoProvider where query request data. It is very important, because you have to include all of this InfoObject (Characteristic) in your analysis authorization.
  2. Remember add the standard characteristic. 0TCAACTVT (3 value), 0TCAIPROV (InfoProvider Tech Name), 0TCAVALID (* value).
  3. In each characteristic relevant authorization, I suggest that add the colon “:” value to avoid problem with variable authorization in the query.
  4. Furthermore, the user need one role for standard object authorization: 
  . S_RS_COMP (Activities 03, 16)
  . S_RS_COMP1 (Query owner)
  . S_RFC (BEx Analyzer or BEx Browser only)
  . S_TCODE (RRMX for BEx Analyzer)
  I hope that can help you!
  Luis

• Analysis Authorization based on Hier node with multiple display hierarchies

  Hi guys - I've got a problem where s.o. might have an idea of how to switch on the light at the end of the tunnel, I am currently standing in:
  Requirement:
  Cost Center Authorization should be given through RSECADMIN, reporting should be possible for any hierarchy that exists for the authorization relevant info object.
  Preferred solution:
  The Cost Center Analysis Authorization should be given through RSECADMIN - Hierarchy node assignment.
  u2022     A dedicated Authorization Cost Center Hierarchy will be maintained in ECC6 as an alternative cost center hierarchy and extracted into BW.
  u2022     The RSECADMIN Hierarchy node assignment should be based on a particular node (Type 2).
  u2022     The display level will be specified as required (here: Level 7)
  u2022     The Authorization granted should be independent of hierarchy name and version (validity 3).
  Reporting Scenario and technical impact:
  As mentioned above, when designing and running a query the user should be able to freely select other (i.e. than the authorization) display hierarchies for the authorization relevant reporting object 'Cost Center' as well. The technical names of the semantically relevant hierarchy nodes could therefore vary. E.g. cost centers 1, 2 and 3, being assigned under hierarchy node u2018Au2019 of the RSECADMIN relevant authorization hierarchy, could be subsumed by hierarchy node u2018Bu2019 in another display hierarchy, which the user may want to display in accordance to his reporting needs. Ideally, the alternative display hierarchy should therefore display node u2018Bu2019.
  My findings so far (based on prototyping) turn out that this is not possible as long u2018Bu2019 (and its hierarchy) is not authorized in RSECADMIN. Can these findings be confirmed? And if not, would anyone have an idea of how to facilitate the reporting scenario?
  Would there be any other way to grant access, possibly based on RSECADMIN single values, and also enable the user to flexibly display hierarchies with only those hierarchy nodes whose single cost center values the user has been given access to?
  Thanks everyone for your input...
  Claus
  Edited by: Claus64 on Jul 13, 2009 4:10 AM

  HI CLause,
  On Jul 14 2009, you wrote in SDN and said:
  FYI: Found a solution...
  The hierarchy analysis authorization will be based on a navigational attribute of cost center.
  With analysis authorizations it is possible to declare the Auth object (e.g. 0COSTCENTER__RACCAUT0) as authorization relevant and leave the superior object 0COSTCENTER auth irrelevant.
  The auth will be given for 0COSTCENTER__RACCAUT0. This object will be placed as a filter of the query, being restricted by an Authorization variable for hierarchy nodes.
  Due to the concept of Analysis Authorizations, this variable will automatically pick up the nodes granted as part of RSECADMIN Hierarchy based Authorization.
  As mentioned above, 0COSTCENTER as the regular reporting characteristic remains auth irrelevant and can therefore take any hierarchy thatu2019s available. Reporting on single values will be possible, too. Only those nodes show up that hold the authorized cost centers in accordance to the authorization.
  If the auth relevant 0COSTCENTER__RACCAUT0 is not used in the query definition by either not taking it in as a filter or skipping the Auth variable, the query will launch the message that the authorization is missing. No data show up at all.
  Claus
  See this thread:
  Analysis Authorization based on Hier node with multiple display hierarchies
  I am also in the same situation as you and need to understadn your solution. I understand that you created a Nav Attr on 0COSTCENTER and made this auth relevant whilst ensuring that 0COSTCENTER is NOT auth relevant. This is all fine. The issue was you have multiple hierachies for 0COSTCENTER, how did the new Nav Attr help you solve your issue. When loading 0COSTCENTER what values did you load ino the new Nav Attribute and how did that link to the hierachies? Also, in RSECADMIN you created hiearchy nodes based on the Nav Attribute but I am confused as to what values you have in the Nav Attr.
  I appreciate if you can share your solution from the past in more details.
  many thanks

• [CUA] Compatibility with Analysis Authorizations (RSECADMIN)

  Hello,
  I have two questions for you, BI experts :
  1) Could someone please confirm that it is not possible to centrally maintain Analysis Authorizations (trx RSECADMIN) from the CUA ?
  2) Does it make sense to start a CUA project now with the Identity Management solution coming soon ? What are the pros & cons of each ?
  Thanks in advance.
  Best regards,
  Guillaume

  Hi,
  I had a look at the Roles and Profiles tables used by CUA.
  I found that it uses special tables such as :
  USRSYSACT     CUA: Roles in Distributed Systems
  USRSYSACTT     CUA: Roles in Distributed Systems
  USRSYSPRF     CUA: Profiles in Distributed Systems
  USRSYSPRFT     CUA: Profile Text in Distributed Systems
  USLA04          CUA: Assignment of Users to Local  Roles
  USL04          CUA: Assignment of Users to Local Profiles
  There is no analogous table for RSECADMIN tables such as :
  RSECAUTHGENERATD     BI AS Authorization Reporting: Generated Authorizations
  RSECLOG               Storage for Authorizations Logs xml
  RSECTXT               Authorization Texts
  RSECUSERAUTH          BI AS Authorizations: Assignment of User Auth
  RSECVAL               Authorization Value Status
  This, I conclude that it is not possible to maintain BI analysis authorizations from the CUA central system.
  This kind of authorizations has to be performed in the child system directly.
  Unless, SAP has something to draw out of its pocket soon... 
  I indeed read that some development was done on the CUA, parallel to the SAP NW Identity Management solution.
  Best regards,
  Guillaume

• Issues with Analysis Authorization on Infoset

  Hi all
  We are facing an issue with Analysis Authorization on Infoset, it doesnt seem to throw authorization error when we access a record that is outside the authorization. We tried to use the same authorization set up from the same user we try to access the a record that is outside the authorization it behaves correctly.
  Here is my setup
  0CRM_MKTELM__0CRMCAMPTYP = ZA11
  0TCAACTVT = *
  0TCAIPROV = *
  0TCAVALID = *
  When I tried to access ZA12 it should throw an authorization error but for infoset it doesnt seem to work. Is there anything that we should take note for Infoset?

  Hi Chee,
  I am getting similar issue.
  I believe navigational attribute was already a authorization relevant in your case.
  What and where did you set it as authorization relevant to make it work on infosets.
  Regards,
  Ramz

• Problem with analysis authorization- 0BI_ALL always needed

  Dear all:
  we have a serious issue on so-called "analysis authorization" now. We have auth-restricted user who only have authorization to access data on one company code. We also create a BI-authorization in analysis authorization and assign the following auth-relevant object to this authorization-
  0TCAACTVT = 01-03
  0TCAIPROV = ALL
  0TCAVALID = ALL
  0TCAKYFNM = ALL
  0COMP_CODE = A001
  And we create one query with only company code and number of employee in the row and column. But everytime we execute this query, there s always message" No Authorization". We used ST01 to trace and the result shows we need to have "0BI_ALL" in auth object S_RS_AUTH. If we added 0BI_ALL, all company code data will display, which definitely no auth restriction at all. Is there any specific authorization setting we need to do?
  We are stuck here pretty bad. Thank you all in advance if any input.
  BR
  SF

  Hi,
  I guess the Authorization profile is active , and in the Tcode PFCG -> Role name -> User tab page ( user comparision is done ).
  Check if any of the tab page shows red light .
  And assignment of 0BI_ALL is not a solution , as any user can do anything in the system.
  Also do not forget to log - off and log-in into system after changing into any of the authorization profile to see changes that had happened.
  Hope that helps.
  Regards
  Mr Kapadia
  Assigning points is the way to say thanks in SDN.

• Issues with Analysis Authorization checks in APO

  Hi Friends,
  I am facing an issue with Analysis authorization checks in APO.
  We have setup user access based on Management Entity (Analysis authorization - AGMMGTENT and 0TCAACTVT) and core APO authorizations (based on the work profile - e.g: Demand Planner).
  Scenario: Consider User A has access to India and Australia Management Entities with 0TCAACTVT - *
  This user also has display access to all management Entities (AGMMGTENT - * and 0TCAACTVT - 03). This scenario works very well in Quality where the RSECADMIN trace shows check on both Characteristics. However in Production the RSECADMIN trace shows up only against AGMMGTENT (*) and by default takes 0TCAACTVT as (*).
  In Quality the Characteristics that get checked are as below : and it works as expected. Display access for Management Entities that are supposed to be displayed only and change access to only the Management Entities that it should.
  However the Trace for Production shows the following : As a result it is allowing the user to change access to all management Entities. Which is not desirable..
  Resultant trace results are as below: This should not happen..
  I have compared all Analysis Authorizations and it is same across both Instances. The Demand planner access is consistent too..
  Will it be possible for you to advise on what could I be missing.

  Hi All,
  If it helps, in Quality: the Authorization checks are listed as: Subselection (Technical SUBNR) 1
  while in Production it checks Subselection (Technical SUBNR) 1 in one place, however where it fails - the check happens as Subselection (Technical SUBNR) 0.
  Is there a way we can change this to SUBNR 1. Is there any table entry that I can look at to check if the Authorization check is functioning incorrectly..
  Please advise.. Thanks..
  Regards,
  Prakash

• Analysis Authorization with SEM-BPS

  Hi,
  We have performed technical upgrade from BW 3.5 to BI 7.0. We want to migrate to BI 7.0 functionality phase wise.
  We have SEM-BPS and now we want to migrate to Analysis Authorization of BI 7.0.
  Once we have igrated to Analysis Authorization, will there be any impact on SEM-BPS? Can we still use SEM-BPS with New Analysis Authorizations? We do not want to move to BI-IP in near future?.
  Please advise.
  Best Regards,
  UR

  Dear UR,
  Iu2019m going to try helping you,
  In difference of reporting functionality, in planning, the data of an InfoCube is not just read; it is also changed or created.
  There are two planning tools in BI: BW-BPS (Business Planning and Simulation), and BI Integrated Planning.
  There are two main tcode: BPS0 and RSPLAN
  There are three authorization objects to manage Integrated Planning:
  S_RS_PL_ADMIN - Planning Administrator
  S_RS_PL_PLANNER u2013 Planner
  S_RS_PL_PLANMOD_D u2013 Planning Modeler (Development System)
  The main object in the planning scenario is InfoCube real-time, where can available writing in small package that arrive in parallel. In some cases the security requirements for reporting and planning can be merging. In this case you need authorization object for checking planning, as authorization object above, and you need authorization object for using a query for planning requires as S_RS_COMP.
  In addition to authorization for displaying data, the authorizations for changing data you need analysis authorization (the analysis authorization focus in the InfoProvider, no in Aggregation Level).
  In your analysis authorization design for reporting stuff, you should use in 0TCAACTVT characteristic 03 value. In the planning stuff, you should use in 0TCAACTVT characteristic 03 and 02 values. As explain following:
  Using the characteristics 0TCAACTVT (activity), you can restrict the authorization to different activities. Read (03) is set as the default activity; you must also assign the activity Change (02) for integrated planning.
  http://help.sap.com/saphelp_nw70ehp1/helpdata/en/b1/0c9441b8972e7be10000000a1550b0/frameset.htm
  I hope this suggestion can help you answer question,
  Luis

• Transport roles and analysis authorization with user assigned

  Hi expert,
  I face with this problem transport roles and analysis authorization with user assigned. When I have created a transport request to move the roles and analysis authorization from development system to test system. I couldnu2019t maintain the user assigned, after transport I have to assigned manually all of user or create a program to fill AGR_USER table or there are other way.
  Thanks for your time,
  Luis

  Hi,
  In role administration, you have the following options for transporting roles:
  You can download the roles from one system and upload them into another  
  You can import the role from a remote system using RFC  
  You can transport the roles with the transport function.
  Role upload loads all role data, including authorization data from a file into the SAP system. The user assignments for the role and the generated profiles for the role are exceptions in this case.
  Transporting Roles with the Role Transport Function
         1.      Start the role administration function by choosing Tools ® Administration ® User Maintenance ® Role Administration ® Roles (transaction PFCG).
         2.      Enter the role to be transported and choose Transport Role.
  The Mass Transport of Roles screen appears. You can control the default settings for the options Also transport single roles for composite roles and Also transport generated profiles for roles using Customizing switches (see Role Administration Functions in the section Functions of the Utilities Menu).
  You should not change the authorizations profiles of the role after you have included the role in a transport request. If you need to change the profiles or generate them for the first time, transport the entire role again afterwards.
  For more information go thrpugh the below link
  http://help.sap.com/saphelp_nw70/helpdata/EN/6d/7c8cfd410ea040aadf92e1f78107a4/content.htm
  Regards,
  Marasa.

• Analysis Authorization Issue 7.3

  Hello Friends,
  System BW 7.3, Currently there are 80 odd analysis authorization objects
  We want to introduce a new info object (GL Account) to be authorization relevant, ( there are few objects in the system which are already authorization relevant in the system with proper analysis authorization objects and they are working fine)
  Things done, made the GL Account object authorization relevant in RSA1, Created 2 analysis authorization objects with GL Account and TCT objects and one with hierarchy restrictions and one open access.
  Added this object to the user in addition to its already existing authorization objects. Created authorization variable in BEx.
  Some how the authorization is not picked up and it gives us all the values in the report. But if I add the GL Account info object to the existing analysis authorization objects then it works fine.
  I do not want to change all the existing analysis authorization objects to add GL Account.
  Your inputs are most welcome.
  Thanks
  Ed.

  Gajesh- I have added the new analysis authorization object to the user in RSECadmin.
  Subhendu- Problem statement: What are the steps involved in making a new info object(GL Account) authorization relevant. Authorizations are given at hierarchy level. Can we create a new analysis authorization with  GL Account only or do we have to add it to every existing analysis authorization
  I have done the following steps
  1. Made the GL Account object authorization relevant in RSA1,
  2. Created 2 new analysis authorization objects with GL Account ( with hierarchy restrictions) and TCT objects and one with GL Account open access.
  3. Added this object ( which has restrictions) to the user in RSECADMIN, in addition to its already existing authorization objects.
  4. Created authorization variable in BEx.
  5. No existing analysis authorization objects have been changed.
  When I test the report, It does not restrict based on the hierarchy that I have given, it gives open access.
  But If I add GL Account with restrictions to the existing analysis authorization object, it works good.
  Guess I am missing some thing here.
  Do you need any other screen shots.
  Thanks
  Ed.

• BW Analysis Authorization on two charcteristics issue

  I am familiar with analysis authorizations in BW 7.0 and worked on it.
  Today we have blanket authorization (RSECADMIN) for 0TAX_NUMB = *. Meaning user who has this auth/role can see values (from where ever 0TAX_NUMB is used, all company codes etc). And as you might know 0TAX_NUMB is used in 0VENDOR & 0CUSTOMER master data (as an attribute). This works well, because its easy
  Now, new requirement is to create more strict analysis authorizations for 0TAX_NUMB based on other characteristic values.
  Auth1 (should apply to 0TAX_NUMB used in 0VENDOR):
  0TAX_NUMB = all values and only for vendor account group = XXX
  Auth2 (should apply to 0TAX_NUMB used in 0VENDOR):
  0TAX_NUMB = all values and only for vendor account group = yyy
  Auth3 (should apply to 0TAX_NUMB used in 0VENDOR):
  0TAX_NUMB = all values and only for vendor account group = zzz
  Auth4 (should apply to 0TAX_NUMB used anywhere other than 0VENDOR, for example, as I said above its also used in 0CUSTOMER and may be used elsewhere in future):
  0TAX_NUMB = all values
  Do I also need to add 0CUSTOMER here? unable to visualize!!!
  Also, 0TAX_NUMB and Vendor account group will have colon authorization.
  So, at this time I am not sure how this will impact other queries with following scenario(s):
  User1 has auth1:
  Here, User1 can see tax_numb values for vendor act grp XXX, thats good, so far.
  But can user see query results where tax_numb is not used but would like to see all vendor account group related data (or other than value XXX)?
  User2 has auth4:
  Since this auth has blanket tax_numb, can user2 see all values for tax_numb used in 0CUSTOMER (which he/she should) and also in 0VENDOR (he/she should not)...
  And what about queries that do not have 0TAX_NUMB (but infoprovider has)? Colon auth on TAX_NUMB & Vendor act grp would resolve this?
  I appreciate your thoughts on this. We are BW 7.01 (Ehp1), SPS10.
  Regards
  -Bala
  Edited by: Bala Shetty on Dec 15, 2011 12:02 AM
  Edited by: Bala Shetty on Dec 15, 2011 12:04 AM
  Edited by: Bala Shetty on Dec 15, 2011 12:05 AM
  Edited by: Bala Shetty on Dec 15, 2011 12:09 AM

  Thank you Sushant.
  I am aware of these notes and provide basic information and also usage of value restrictions. I am looking for usage of different combinations for multiple characteristics (especially the attributes of master data)....
  Regards
  -Bala

• How to get Query Results based on Analysis Authorization Ranges????

  Hi Experts,
  I have gone through the lot of SDN Links, however not able to find the answer to my question.
  I have an Authorization Issue, “NO Authorization “
  Error : EYE 007 ( Insufficient Authorizations )
  <b>Here is the issue:</b>
  Need to see the complete query result when I gave the range in Analysis Authorization for Controlling Area 001-005. Controlling Area is auth relevant and right now a variable is inserted in the query for it. If I select Controlling Area 001, the result for Controlling Area 001 is displayed in query. If 002 then also displayed. If I do not enter anything, then I get the <b>Eye 007 error message</b>.
  I am not sure how do I display/authorize the entire result in the query for all the Controlling Areas, I have authorized user to see??
  <b>Its really urgent, please help..!</b>
  Here are the logs:
  Authorization Check Log
  Date and Execution Time (Local Server)
  Execution Date: 06.09.2007
  Execution Time: 14:48:41
  Executed Query: 0CCA_C11/GBCCA_MP01_Q0002_AP
  Executed by User ZBI_TEST_001
  Executed with Analysis Authorizations of Another User ZBI_TEST_001
    InfoProvider Check  
  Building the Buffer...
  ...Buffer Built
  Are there authorizations for accessing InfoProvider 0CCA_C11 with activity 03?
  Authorization exists for general access to InfoProvider 0CCA_C11 with activity 03 
    InfoProvider Check  
  Authorization exists for general access to InfoProvider 0CCA_C11 with activity 03 
    Relevant Characteristics for Detailed Authorization Check  
  (Characteristics with Full Authorization Are Not Listed!)
    List of Effective Authorization-Relevant Characteristics for InfoProvider 0CCA_C11:  
  0CO_AREA 
  0TCAACTVT 
    Relevant Characteristics for Detailed Authorization Check  
  (Characteristics with Full Authorization Are Not Listed!)
    List of Effective Authorization-Relevant Characteristics for InfoProvider :  
  List Is Empty:
    There Are No Characteristics That Have to Be Checked in Detail  
    Authorization Check  
    Detail Check for InfoProvider 0CCA_C11  
    Preprocessing:  
  Selection Checked for Consistency, Preprocessed and Supplemented As Needed
  Subselection (Technical SUBNR) 1
  Check Node Definitions and Value Authorizations...
  Node- and Value Authorizations Are OK
  End of Preprocessing
  Filling the Buffer...
  ...Buffer Filled
    Main Check:  
    Subselection (Technical SUBNR) 1  
  Supplementation of Selection for Aggregated Characteristics
    No Check for Aggregation Authorization Required  
  Following Set Is Checked  Comparison with Following Authorized Set  Result  Remaining Set 
  Characteristic  Contents 
  0CO_AREA
  0TCAACTVT
  SQL Format:
  CO_AREA = '0003'
  AND TCAACTVT = '03'
  Characteristic  Contents 
  0CO_AREA  I BT 0001 0005
  0TCAACTVT  I EQ 03
  I EQ 16
  Authorized   
    Subselection (SUBNR) Is Authorized  
    Authorization Check Complete  
    Authorization Check  
    Detail Check for InfoProvider 0CCA_C11  
    Preprocessing:  
  Selection Checked for Consistency, Preprocessed and Supplemented As Needed
  Subselection (Technical SUBNR) 1
  Check Node Definitions and Value Authorizations...
  Node- and Value Authorizations Are OK
  End of Preprocessing
  Filling the Buffer...
  ...Buffer Filled
    Main Check:  
    Subselection (Technical SUBNR) 1  
  Supplementation of Selection for Aggregated Characteristics
    No Check for Aggregation Authorization Required  
  Following Set Is Checked  Comparison with Following Authorized Set  Result  Remaining Set 
  Characteristic  Contents 
  0CO_AREA
  0TCAACTVT
  SQL Format:
  TCAACTVT = '03'
  Characteristic  Contents 
  0CO_AREA  I BT 0001 0005
  0TCAACTVT  I EQ 03
  I EQ 16
  Partially or Fully Authorized (Intersection)   Characteristic  Contents 
  0CO_AREA
  0TCAACTVT
  SQL Format:
  ( CO_AREA < '0001'
  OR CO_AREA > '0005' )
  AND TCAACTVT = '03'
  Value selection partially authorized. Check of remainder at end
  Following Set Is Checked  Comparison with Following Authorized Set  Result  Remaining Set 
  Characteristic  Contents 
  0CO_AREA
  0TCAACTVT
  SQL Format:
  ( CO_AREA < '0001'
  OR CO_AREA > '0005' )
  AND TCAACTVT = '03'
  Characteristic  Contents 
  0CO_AREA  I BT 0001 0005
  0TCAACTVT  I EQ 03
  I EQ 16
  Not Authorized   
  All Authorizations Tested
    Message EYE007: You do not have sufficient authorization  
    No Sufficient Authorization for This Subselection (SUBNR)  
  Following CHANMIDs Are Affected:
  184 ( 0CO_AREA )
    Authorization Check Complete  

  Hi,
      Have you defined the vaule for 0CO_AREA as BT 001-005 in you Authorization for 0CO_AREA.Also how have you defined your Authorization Variable on the query? Have you define as select options or interval? I thing you need to define it as interval or select options.
  Hope it helps,
  Cheers,
  Balaji