Analysis Authorization Mass Load got wrong

Similar Messages

• Analysis Authorization mass maintenance

  Hi All,
  During the migration, due to Complexity of our complex BW 3.5 authorization setup we are end up in BI 7 New Design where we have to maintain new Cube to more than 150 Analysis Authorizations each time when we have new Cubes comes.
  Do you guys know any method where you can update the new cube to large no of Analysis Authorization (for ex 150) instead of doing manually? Due to complexity of the old design itu2019s very difficult for us to change the new design.
  Looking forward for expert opinion.
  BR,
  Deepak

  Hi,
  As per my knowledge, it is always recommended to maintain the Analysis authorizations individually. However, you may refer the below thread:
  Analysis Authorization Mass Maintenance
  and also the below link:
  http://help.sap.com/saphelp_nw73/helpdata/en/c4/057a2de519451faf1819dba4092887/content.htm
  Hope this helps!!
  Rgds,
  Raghu

• Analysis Authorization based on Hier node with multiple display hierarchies

  Hi guys - I've got a problem where s.o. might have an idea of how to switch on the light at the end of the tunnel, I am currently standing in:
  Requirement:
  Cost Center Authorization should be given through RSECADMIN, reporting should be possible for any hierarchy that exists for the authorization relevant info object.
  Preferred solution:
  The Cost Center Analysis Authorization should be given through RSECADMIN - Hierarchy node assignment.
  u2022     A dedicated Authorization Cost Center Hierarchy will be maintained in ECC6 as an alternative cost center hierarchy and extracted into BW.
  u2022     The RSECADMIN Hierarchy node assignment should be based on a particular node (Type 2).
  u2022     The display level will be specified as required (here: Level 7)
  u2022     The Authorization granted should be independent of hierarchy name and version (validity 3).
  Reporting Scenario and technical impact:
  As mentioned above, when designing and running a query the user should be able to freely select other (i.e. than the authorization) display hierarchies for the authorization relevant reporting object 'Cost Center' as well. The technical names of the semantically relevant hierarchy nodes could therefore vary. E.g. cost centers 1, 2 and 3, being assigned under hierarchy node u2018Au2019 of the RSECADMIN relevant authorization hierarchy, could be subsumed by hierarchy node u2018Bu2019 in another display hierarchy, which the user may want to display in accordance to his reporting needs. Ideally, the alternative display hierarchy should therefore display node u2018Bu2019.
  My findings so far (based on prototyping) turn out that this is not possible as long u2018Bu2019 (and its hierarchy) is not authorized in RSECADMIN. Can these findings be confirmed? And if not, would anyone have an idea of how to facilitate the reporting scenario?
  Would there be any other way to grant access, possibly based on RSECADMIN single values, and also enable the user to flexibly display hierarchies with only those hierarchy nodes whose single cost center values the user has been given access to?
  Thanks everyone for your input...
  Claus
  Edited by: Claus64 on Jul 13, 2009 4:10 AM

  HI CLause,
  On Jul 14 2009, you wrote in SDN and said:
  FYI: Found a solution...
  The hierarchy analysis authorization will be based on a navigational attribute of cost center.
  With analysis authorizations it is possible to declare the Auth object (e.g. 0COSTCENTER__RACCAUT0) as authorization relevant and leave the superior object 0COSTCENTER auth irrelevant.
  The auth will be given for 0COSTCENTER__RACCAUT0. This object will be placed as a filter of the query, being restricted by an Authorization variable for hierarchy nodes.
  Due to the concept of Analysis Authorizations, this variable will automatically pick up the nodes granted as part of RSECADMIN Hierarchy based Authorization.
  As mentioned above, 0COSTCENTER as the regular reporting characteristic remains auth irrelevant and can therefore take any hierarchy thatu2019s available. Reporting on single values will be possible, too. Only those nodes show up that hold the authorized cost centers in accordance to the authorization.
  If the auth relevant 0COSTCENTER__RACCAUT0 is not used in the query definition by either not taking it in as a filter or skipping the Auth variable, the query will launch the message that the authorization is missing. No data show up at all.
  Claus
  See this thread:
  Analysis Authorization based on Hier node with multiple display hierarchies
  I am also in the same situation as you and need to understadn your solution. I understand that you created a Nav Attr on 0COSTCENTER and made this auth relevant whilst ensuring that 0COSTCENTER is NOT auth relevant. This is all fine. The issue was you have multiple hierachies for 0COSTCENTER, how did the new Nav Attr help you solve your issue. When loading 0COSTCENTER what values did you load ino the new Nav Attribute and how did that link to the hierachies? Also, in RSECADMIN you created hiearchy nodes based on the Nav Attribute but I am confused as to what values you have in the Nav Attr.
  I appreciate if you can share your solution from the past in more details.
  many thanks

• Analysis Authorization Migration Question

  Analysis Authorization Migration Question
  This is detail Question
  1)     I am testing Analysis Authorization Migration in NW2004s SP9 and have applied all OSS notes that are relevant to SP09 and are coming in SP10.
  2)     We have 2 Info object flagged as Authorization relevant 0COMP_CODE and 0COSTCENTER
  3)     We have Object level security set-up in BW 3.x system and for a role we have specified values like 0COMP_CODE has value 1000, 1800. “:”. In the same role we have specified 0COSTCENTER value 130001 to 180001, “:”  and hierarchy node.
  4)     When we migrate to Analysis Authorizations, using RSEC_MIGRATION, this program creates 2 Authorizations ZCOCODE00 & ZCOSTCTRH00. Both of them have 0COMP_CODE and 0COST_CENTER Objects.
  5)     ZCOCODE00 authorization gets value 0COMP_CODE values 1000, 1800. “:” and 0COSTCENTER Value “:”.
  6)     On the same line ZCOSTCTRH00 gets value 130001 to 180001, “:”  and 0COMP_CODE “:”.
  1st Question:
  1)     Why does it create 2 Authorizations?
  2)     During Checking it does not pass the authorizations, because it seems to me that it fails in Optimization process.
  3)     I manually merge the authorizations in “ONE” object then authorization check passes.  In other word if I combine ZCOSTCTRH00 & ZCOCODE00 then Query authorization check passes.
  Any one is struggling on this.
  Please note, I am doing Migration so that it updates existing Profiles (Roles now from SP9).
  Any comments will be very help full.
  Pankaj Gupta

  Hello Pankaj
  There are some basic misunderstandings on your side.
  Let me try to clarify:
  First we should distinguish between migration of authorizations and of what a query does with them.
  You had 2 auth objects before migration (in 3.x).
  Of course, they must be migrated to 2 new analysis auths.
  There is no general possibility to combine authorizations to a single one as the may appear in different roles and users. Moreover this would kill performance and finally, nobody would recognize the origin.
  Only in very restricted cases one could think of a combination of auths which come out of migration. But, then people loose overview about what goes on.
  Before the corrections in note "Migration IV" the : had not been inserted but now it is for good reasons.
  Now, accept for the moment that you receive 2 auths.
  Then, you cannnot (must not) combine the 2 resulting authorizations!
  <b>Authorization 1</b>
  COMP_CODE : 1000, 1300, “:”
  Cost Center : “:”
  <b>Authorizations 2</b>
  Comp_Code “:”
  Cost Center : 3100001-31999999; “:” plus a Hierarchy Node.
  This means that e.g. combination
  COMP_CODE 1000
  COST_CENTER 3100001-31999999
  <u>is not allowed!!!</u> Therefore, they must not be combined!
  Also, the query and its optimization is comepletely independent of the migration. And here, during query run time the auths cannot be combined. It is no failure!
  Moreover, the merging optimization is just a performance optimizaiton and has nothing to do with whether the query result is authorized or not.
  If you combine them manually you have authorized different combinations.
  Well, now you may wonder why you get 2 auths at all which leads to a "no auth" result in the query execution.
  The reason is, that in 3.x where you got a result with your 2 auth objects the modeling was wrong.
  If you want to authorize any combination of characteristic values, you should combine these characteritics together in one auth object, not in 2!
  (In BI7.0 it works like that but not in 3.x)
  But you defined 2 which may be valid even in several other InfoProviders independently and not even at the same time. Moreover, the auth objects may come from different roles and may be assigend to different users which then have completely different auth content. In general it is not possible to combine different auth objects or to find out those special situations which nevertheless allow for such optimizations. If you re-do a migration with more objects and users you could even receive different results which is also not satisfying.
  Therefore, instead, the mechanism was introduced to insert a : auth to those characteristics that are auth relevant (and checked now with 7.0) but not in the currently processed auth object.
  In you special case it may have made sense to combine them but not in general. And a migration can only try to work as general as possible.
  For your application you may combine the 2 auths manually if you want to allow also the crossover combinations
  COMP_CODE 1000
  COST_CENTER 3100001-31999999
  Best regards
  Peter John
  BI Development

• Transport roles and analysis authorization with user assigned

  Hi expert,
  I face with this problem transport roles and analysis authorization with user assigned. When I have created a transport request to move the roles and analysis authorization from development system to test system. I couldnu2019t maintain the user assigned, after transport I have to assigned manually all of user or create a program to fill AGR_USER table or there are other way.
  Thanks for your time,
  Luis

  Hi,
  In role administration, you have the following options for transporting roles:
  You can download the roles from one system and upload them into another  
  You can import the role from a remote system using RFC  
  You can transport the roles with the transport function.
  Role upload loads all role data, including authorization data from a file into the SAP system. The user assignments for the role and the generated profiles for the role are exceptions in this case.
  Transporting Roles with the Role Transport Function
         1.      Start the role administration function by choosing Tools ® Administration ® User Maintenance ® Role Administration ® Roles (transaction PFCG).
         2.      Enter the role to be transported and choose Transport Role.
  The Mass Transport of Roles screen appears. You can control the default settings for the options Also transport single roles for composite roles and Also transport generated profiles for roles using Customizing switches (see Role Administration Functions in the section Functions of the Utilities Menu).
  You should not change the authorizations profiles of the role after you have included the role in a transport request. If you need to change the profiles or generate them for the first time, transport the entire role again afterwards.
  For more information go thrpugh the below link
  http://help.sap.com/saphelp_nw70/helpdata/EN/6d/7c8cfd410ea040aadf92e1f78107a4/content.htm
  Regards,
  Marasa.

• Generated analysis authorization cannot be changed

  Hello all,
  did someone manage to edit/delete generated (from DSO) analysis authorizations? When I want to correct a typo in one of the generated analysis authorizations it is not possible although the system is telling that it should be possible to do so. I did not find any note or thread yet.
  Message number RSEC292:
  Diagnosis text
  A generated authorization can be changed (this message is only a warning ), but one should be sure that this authorization is not generated again. Then it will be removed from the user, created again (perhaps with different content), and if there no fixed name was generated, it is renamed.
  Thanks in advance for your inputs

  Hello Lana,
  this is how SAP solved the problem
  Bye Petra
  Spezifikation: Message RSEC292: Generierte Analyseberechtigungen können nic
  Short text:
  Message RSEC292: Generierte Analyseberechtigungen können nic Langtext
  It is not possible to change from DSOs generated analysis
  authorizations although the system is telling that it should be
  possible to do so. Authorizations are sufficient (SU53; SAP_ALL)
  Message number RSEC292:
  Diagnosis text
  A generated authorization can be changed (this message is only a
  warning ), but one should be sure that this authorization is not
  generated again. Then it will be removed from the user, created again
  (perhaps with different content), and if there no fixed name was
  generated, it is renamed.
  Here is the communication path (please read from below):
  09.07.2007 - 09:03:36 CET Petra King Info für SAP
  Hello Ms. ,
  I always was telling about one issue:
  Change of generated analysis authorization is not possible.
  Since BI 7.0 we are talking about analysis authorizations so the
  transaction code used is obvious.
  There is no need for furhter information because it is only this single
  issue: I guess that it should be an error message and not a warning
  message and SAP made a mistake here by using the wron message category.
  I was never talking about users and xxxxxx is not an user but an
  analysis authorization.
  Please consider the call a solved - in the meantime I got
  professional support from the SDN platform.
  Regards,
  Petra King
  05.07.2007 - 09:14:22 CET SAP Antwort
  Hello Ms King,
  I must say that I find this message quite incomprehensible. First you
  write that you are irritated because my colleague asked you which
  transaction is being used to generate authorizations. This information
  is necessary so that the message can be assigned to the appropriate
  area. Indeed, the message was incorrectly sent to BC-SEC. Next you
  write that you are angry when I give you a consulting note regarding
  generation of analysis authorizations. I am mystified as to how such
  information from customers should help us in solving a technical or
  procedural probem. I have read the message from the beginning and
  there is very little technical and procedural information. Moreover, itis not clear what the "error" is here. The message RSEC292 is a warning(as clearly stated in the long text of the message) and this should not
  hinder the process. Lastly, in your last info you refer to a specific
  user, xxxxxxxx, as an example of a generated authorization. This is
  separate issue than the original:
  It is not possible to change from DSOs generated analysis
  authorizations although the system is telling that it should be
  possible to do so. Authorizations are sufficient (SU53; SAP_ALL)
  So in response to the original inquiry regarding RSEC292. The answer,
  as I have already mentioned and as stated in the text, is that this
  is just for information purposes. Please continue with the process.
  If you have a separate inquiry regarding the authorizations of
  particular users, please open a second message. We request that
  customer log one issue per message. Please read note 375196:
  Separate message for new problem/subsequent problem
  Regards,
  Senior Support Consultant
  SAP Active Global Support
  Netweaver Business Intelligence
  03.07.2007 - 15:14:39 CET Petra King Info für SAP
  Hello ,
  can you please contact the Basis Administrator xxx via phone
  (+xxxxx) so he can open the line and provide you with the
  user and password for system xxxxx.
  Please note that the error occurs on xxxx and you can have a look at the
  analysis auth. xxxxxxxx as representive for one of the generated
  authorizations.
  03.07.2007 - 15:08:43 CET Petra King Info für SAP
  Hello ,
  I am getting angry because note 1052242 is a documentation and I
  executed everything besides the fact that the analysis auths cannot be
  changed. Please read the error message from the beginning.
  Regards,
  Petra King
  28.06.2007 - 14:52:09 CET SAP Antwort
  Hello Ms King,
  Please excuse the delay in the processing of your message.
  Please read note 1052242 if you have not already done so. If this note
  does not help you to solve the problem, I would like to have a look at
  the situation on your system. Please open the R/3 Support connection
  provide me with a user and password. This information can be stored
  in the log on information of this message.
  Regards,
  Senior Support Consultant
  SAP Active Global Support
  Netweaver Business Intelligence
  25.06.2007 - 08:48:03 CET Petra King Info für SAP
  Hello ,
  if this is in the wrong queue, yes please forward it to the appropriate
  queue and please let the question be answered asap.
  Thanks,
  Petra King
  21.06.2007 - 07:47:29 CET SAP Info für Kunde
  Hello Petra,
  it is possible to generate authorizations in PFCG too. As RSECADMIN
  belongs to BW-BEX-OT-OLAP-AUT, I forward your message accordingly.
  Best regards
  Support Consultant
  Global Support Center Austria
  Netweaver Web Application Server ABAP
  20.06.2007 - 09:54:47 CET Petra King Info für SAP
  Hello ,
  sorry to let you know so late but there was a typo in my email address
  xxxxxinstead of xxxxxxxxx
  Your question is a little bit irritating. Generation of analysis
  authorizations in 7.0 is usually done only with transaction code
  RSECADMIN - correct me if there is another possibility. Generation
  works fine but the authorizations cannot be edited after then.
  Bye,
  Petra
  23.05.2007 - 11:53:16 CET SAP Antwort
  Dear Ms. King,
  please let me know which transaction code do you use or in which
  transaction do you get this message.
  Best Regards
  Support Consultant
  SAP Active Global Support - Netweaver Web Application Server

• BI analysis authorization - Same info provider- diffrent access ?

  Hi Gurus,
  Designation of roles:
  1. User is having two PFCG roles (A1 & B1) assigned.
  2. Role A1 contains query name ZQRYA1 & Role B1 contains query name ZQRYB1
  3. Role A1 is linked to analysis authrozation role AR1 and Role B1 is linked to analysis auth. role BR1 (thorugh S_RS_AUTH)
  4. AR1 is having access to Company code 1000 & info proivder is ZIC_COPA
  5. BR1 is having access to Company code 2000 & info provider is same ZIC_COPA.
  Requirement :
  When user is executing ZQRYA1, he should see only 1000 company code.
  Result:
  With above design user is able to see 1000 & 2000 company code data for ZQRYA1.
  My analysis:
  1. We should use Customer exit in the Query. (SAP note referred  668520).
    2. As per SAP note 1000004 (Merging and optimizing analysis authorizations), I understand that if same info provider is there then BI analysis auth. will merge the values.
  Please correct me if I understand something wrong. Also suggest how can implement role so that values will not merge.

  Hi experts,
  I am getting confused now.
  As pe rmy practical experience for same info-proivder BI AA will merge the values. Even i got same response in SDN forums.
  But when I raised this issue to SAP (OSS message), SAP says this issue should resolve by applying SAP notes through SNOTE..
  1138708     Unauthorized data is displayed: "Not assigned" (#)     
  1158432     Too many values authorized for hierarchy with intervals     
  1234334     Authorization error for query on InfoSet     
  1229602     Error when using hierarchies: Authorization error     
  1226163     Authorization variables in workbook     
  1000004      Merging and optimizing analysis authorizations
  1150754     Authorizations for InfoSet chars. ignored in input help     
  1235049     F4 help: Unauthorized data for referencing characteristic     
  I have gone through notes but did not find relevant, but still SAP replied it should resolve the issues.
  Please suggest.

• BW Analysis authorization issue... need help urgently....

  We have one BW query which is pulling data from Contract Division info-object. Now this report does not variable selection object so it is pulling data from all values of Contract Division. Values of  Contract Division are CNC, CNS, CNE and CNL.
  Now we have created an analysis auth. object called z_es_3 and added Contract division info-object. Now we have added that z_es_3 into role and given value to CNS. now when we are running report, we are getting No Authorization error. When we are giving * value in z_es_3, it is running fine.
  Now we have to restrict report to contract division. please help.
  Thanks in advance

  Are you running unrestricted search on Contract division in your queries? You should restrict it to value which is maintained in the authorization for the InfoObject.
  Also please run the analysis authorization trace from RSECADMIN. That will give you a clearer picture of what is wrong.

• Web Intelligence Report + BI 7.0 Analysis Authorizations

  Hello Experts,
  I have created a report on a universe based in a SAP BW InfoCube that contains an authorization relevant InfoObject (Company Code).
  BW Analysis authorization have been set up for this cube in such way that the user should have access only to data containing one of the two values of Company Code (lets say for example that the user can access value "A").
  It seems to be working fine when testing them via a BEx Query or via rsecadmin (rsrt with detailed analysis authorization logs). When the test user tries to view the full contents of the specific cube gets an "access denied" message (this is normal), whereas if the user runs a report with a filter "A" on Company Code the report returns the results as it should have. So far so good.
  For testing use within Web Intelligence, I have created the following Single Sign On (SSO) universes: a)directly on the cube, b)via a "select all" query and finally c)via a filtered query (filtering the exact allowed values of analysis authorization of the test user). All of the above have unfortunately the exact same issues:
  When a test user with limited analysis authorization (i.e. a user that can only access value "A" of Company Code) tries to view a report on either of these universes, then the result is the following message when trying to execute the query "A database error occured. The database error text is: Error loading cube MyCube/MyQuery (catalog MyCube): Unknown error. (WIS 10901)"
  I have tried several settings on the universe (like filter working on LoV as well) but none helped.
  If we replace the user's analysis authorizations with full access on company code (values "A" and "B") the query runs as it should have.
  Any ideas?
  Best regards
  Giorgos

  Hi,
  has the Universe been created on the cube level or on the query level ?
  In case it is on the cube level it will fail because :
  Analysis authorizations are not based on authorization objects. Instead, you create authorizations that include a group of characteristics. You restrict the values for these characteristics.
  The authorizations can include any authorization-relevant characteristics, and treat single values, intervals, and hierarchy authorizations in the same way. Navigation attributes can also be flagged as authorization-relevant in the attribute maintenance for characteristics and can be added to authorizations as separate characteristics.
  You can then assign this authorization to one or more users.
  All characteristics flagged as authorization-relevant are checked when a query is executed.
  *A query always selects a set of data from the database. If authorization-relevant characteristics are part of this data, you have to make sure that the user who is executing the query has sufficient authorization for the complete selection. Otherwise, an error message is displayed indicating that the authorization is not sufficient. In principle, the authorizations do not work as filters. Very restricted exceptions to this rule are hierarchies in the drilldown and variables that are filled depending on authorizations. Hierarchies are mostly restricted to the authorized nodes, and variables that are filled depending on authorizations act like filters for the authorized values for the particular characteristic*
  Ingo

• [BO over SAP BW] Web Intelligence Report + BI 7.0 Analysis Authorizations

  Hello Experts,
  I have created a report on a universe based in a SAP BW InfoCube that contains an authorization relevant InfoObject (Company Code).
  BW Analysis authorization have been set up for this cube in such way that the user should have access only to data containing one of the two values of Company Code (lets say for example that the user can access value "A").
  It seems to be working fine when testing them via a BEx Query or via rsecadmin (rsrt with detailed analysis authorization logs). When the test user tries to view the full contents of the specific cube gets an "access denied" message (this is normal), whereas if the user runs a report with a filter "A" on Company Code the report returns the results as it should have. So far so good.
  For testing use within Web Intelligence, I have created the following Single Sign On (SSO) universes: a)directly on the cube, b)via a "select all" query and finally c)via a filtered query (filtering the exact allowed values of analysis authorization of the test user). All of the above have unfortunately the exact same issues:
  When a test user with limited analysis authorization (i.e. a user that can only access value "A" of Company Code) tries to view a report on either of these universes, then the result is the following message when trying to execute the query "A database error occured. The database error text is: Error loading cube MyCube/MyQuery (catalog MyCube): Unknown error. (WIS 10901)"
  I have tried several settings on the universe (like filter working on LoV as well) but none helped.
  If we replace the user's analysis authorizations with full access on company code (values "A" and "B") the query runs as it should have.
  Any ideas?
  Best regards
  Giorgos

  Hi,
  has the Universe been created on the cube level or on the query level ?
  In case it is on the cube level it will fail because :
  Analysis authorizations are not based on authorization objects. Instead, you create authorizations that include a group of characteristics. You restrict the values for these characteristics.
  The authorizations can include any authorization-relevant characteristics, and treat single values, intervals, and hierarchy authorizations in the same way. Navigation attributes can also be flagged as authorization-relevant in the attribute maintenance for characteristics and can be added to authorizations as separate characteristics.
  You can then assign this authorization to one or more users.
  All characteristics flagged as authorization-relevant are checked when a query is executed.
  *A query always selects a set of data from the database. If authorization-relevant characteristics are part of this data, you have to make sure that the user who is executing the query has sufficient authorization for the complete selection. Otherwise, an error message is displayed indicating that the authorization is not sufficient. In principle, the authorizations do not work as filters. Very restricted exceptions to this rule are hierarchies in the drilldown and variables that are filled depending on authorizations. Hierarchies are mostly restricted to the authorized nodes, and variables that are filled depending on authorizations act like filters for the authorized values for the particular characteristic*
  Ingo

• Hierarchy Analysis Authorization in BW and BOBJ Webi Report

  Hello,
  We have a scenario wherein we have implemented Analysis Authorizations (Hierarchy) on Organizational Unit info object (0ORGUNIT) and need to report on BOBJ WEBI. Our scenario is as following
  ORGUNIT    - L0 (Overall Enterprise Level)     
  -     L1 (Enterprise - Continent Wise Split)
  -     L2 (Enterprise u2013 Country Wise Split)
  -     L3(Enterprise u2013 City Wise Split)
  E.G- 
        LO (Company ABC) MANAGER 0 will have access to the entire organization
             -L1 (ASIA) MANAGER1 will have access to ASIAN Subcontinent
                    -L2 (India) MANAGER 2 will have Access to country India
                              -L3 (New Delhi) MANAGER 2.1 will have access to city Delhi
                              -L3 (Mumbai) MANAGER 2.2 will have access to city Mumbai
                     -L2 (Malaysia) MANAGER 3 will have access to Country Malaysia
                                -L3 (Kuala Lampur)
                                -L3 (pahang)
               - L1 (Europe)
                                          u2026..
  The requirement is that the CEO of the company should be able to see the entire set of data ( L0-L4).We have continent managers who can see that data specific to their continent, similarly at L3 Level the city manageru2019s should see the data only for their specific city.
  In BI we have used analysis authorization based on hierarchies. We have created an authorization object say ZAUTH1 and have assigned the hierarchy L0 from RSECADMIN. Now, in Webi when we create a report a sample row comes as :
  L0 Org Unit     L1 Org Unit     L2 Org Unit     L3 Org Unit     SALES Key Figure
  Company ABC     Asia          India          Mumbai          1000
  Now, we have MANAGER 2.2 who has only access to the data specific to his city (Mumbai). There is an Analysis Authorization object created for him ZAUTH2, by ONLY assigning the org unit hierarchy L3 (for Mumbai). When we run the bex report with the user MANAGER 2.2 u2013 it correctly displays the result and the user is only able to see the data for L3 Org Unit (Mumbai). However when you bring this data to Webi u2013 the report comes in the below format:
  L0 Org Unit     L1 Org Unit     L2 Org Unit     L3 Org Unit     SALES Key Figure
  Mumbai                                           1000
  The L3 org unit has now got assigned to L0 Org unit , as this is the only org unit assigned to the MANAGER 2.2 user .
  In such a case we are not able to write any generic formulae for the report. Is there a way to correct this issue? u2018Mumbaiu2019 should either get assigned to the L3 OrgUnit column is webi report , or is there a workaround that is possible ?
  Thanks and Best Regards,
  Vj

  Hi Vijay,
  The problem you speak of is known and comes from the fact that the hierachy is flattened in the process of delivering it to WebI. Therefore there is no real 'solution' to the problem, just some work-arounds you can think of...
  1)
  Create a report variable that starts looking at the lowest level, if it is empty check one up, and so on until you found what you were looking for (the lowest leaf available), which by definition must be there (even if it is top level).
  Using similar logic you can also get a 'number of levels avaible' and so fill in the complete tree (duplicating the highest level).
  This is difficult to explain when end users create their own reports, though you could provide a template report with these variables in there already.
  2)
  Extend the hierarchy with duplicates below the lowest level.
  So i.e. L0 Company - L1 Continent - L2 Country - L3 City- L4 City - L5 City- L6 City.
  This will give back on the four levels for top authorization
  L0 Company - L1 Continent - L2 Country - L3 City
  For authorization on Continent:
  L0 Continent - L1 Country - L2 City- L3 City
  For autorization City
  L0 City- L1 City - L2 City- L3 City
  So in all situations the fourth level, the L3 Object will hold the City level.
  This you can then use in your report.
  Hope this helps,
  Marianne

• Impact of Analysis Authorization on Users using old Authorization

  Hi All,
  I have question regarding Analysis Authorization. Our system has old authorization concept and as part of our project we decided to go for Analysis authorization for Cost Center object. We activated analysis authorization for cost center, assigned it to test user id and found that its working fine in Dev. But it has impacted other users in the system. They are not able to access any other reports and data providers which were not even referring cost center. What is the proper way to activate analysis authorization without impacting access to existing users.
  - Som

  Hello Andreas,
  Sorry to ask you directly here, I didn't get answer from this forum. We will migrate to the new analysis authorization from old reporting concept. I have read the book "An Expert guide to new SAP BI security features" by SAP Lavs, but still confused with some parts. My questions is:
  Are there two ways to create authorizations as follows?
  1. we can type tcode rsecadmin>Maintence button>create a new authorization.
  2. the following part taken from the book:
  Steps for Generating Authorizations
  1. Activate Business content
  2. Load Datastore objects
  3. Generate Authorizations
  4. View Generation Log.
  In the first step, OTCA_DS01 to OTCA_DS05 and OCCA_O01 to OCCA_O03 are Datastore objects required to be activated.
  In the second step, tcode rsecadmin-->generation button --> type OTCA_SDS01 to OTCA_DS05 into respective filed. Should we always type these 5 objects everytime when we create authorization?
  When we should use the second way to create authorizations? and what is the diffrence between them?
  Any answers will be appreciated. Thank you very much in advance!
  Haifeng

• Analysis Authorization and relates issue

  Hello all,
  I am in the midst of designing authorizations using RSECADMIN transaction.
  We have a set of 50 different queries.
  In our cube, there are 5 different characteristics, which are authorization relevent.
  So, in RSECADMIN, i have created one analysis auth role, included all special and authorization relevent characteristics and maintained the appropriate values.
  But when i execute the queries,the desired output is not coming.
  - Do i need to create authorization varaibles and included in all my queries ?
  - Without including the auth.variabes in queries, is there any other way to restrict the users ?
  I though, by assigning the parameters in RSECADMIN, the query will automatically filter the data.
  Can you pls help ?
  We are on SP19.

  Hi,
  First of all, The query is always based on a InfoCube. Now, you have 50 different Queries which is based on this InfoCube if I am not wrong as you are not getting any authorization error.
  For a query to run, the user should have access to 1. Query, 2. Infocube and 3. Data(All Auth Relevant + 4 Special Objects)
  Authorization relevant objects are for an InfoCube which means that these objects are important or key fields for the infocube.
  You say that in your case, you have 5 Auth relevant objects which means they are important. But please note that there are more infoObjects in that InfoCube.
  Now, when you go to the query design, you can restrict on any object in the InfoCube but it makes more sense that you do it on one of those authorization relevant objects as you have to specify that in the Analysis Authorization where the system can pick up the data easily and give the output.
  Again, on the query design, if you have designed the query with processing type "Authorization", then it would automatically pick up (What you mentioned as automatic filtering) the value from the Analysis Authorization which is contained in the user's role for that query which otherwise gives a wide variety of options to chose from where the user has to choose the correct one.
  To get the desired output, all the correct variables should be included in the query and user should have access to all the three mentioned above.
  May be this gives a clear picture.
  Regards,
  Prasanna
  Edited by: Prasanna Nagaraja on Sep 11, 2009 11:40 PM

• Analysis Authorization not working - Empty demarcation

  Can someone help me on this Analysis Authorization? I read many threads in SDN, it seems that I followed the correct steps. The restriction on S_RS_COMP is working well but the restriction on the Analysis Authorization is not working. Surely I'm making some mistake, but can't find what's wrong.
  I'm a User (say USER_00) in a test system, assigned to a Role (say Z:BI_USER). This is a broad role:
  - S_RS_COMP and S_RS_COMP1 have full authorization (*) to all the fields,
  - S_RS_AUTH has the BIAUTH field with Name of Authorization = *.
  Also I have an InfoArea (ZIA_TEST) and an InfoCube (ZIC_TEST). The IC has some characteristics and key figures. The only authorization relevant characteristic is ZCA_CLI (client). The IC has only 5 lines, one for each client ("CLI_01" to "CLI_05").
  Also there's a query (ZQR_TEST) on this IC, with an Authorization Variable (VAR_AUTH_CLI) restricting the characteristic ZCA_CLI.
  I'm trying to create a new User and restrict him to this IC and only to the data of client "CLI_01". If it works I'll apply to a production system.
  What I did:
  1) With tcode SU01 created a new User (USER_01) with no Role neither Analysis Authorization.
  2) With tcode PFCG copied the Role Z:BI_USER as Z:ROLE_TEST then made some changes:
  a) S_RS_COMP
  - Activity = 03 and 16
  - InfoArea = ZIA_TEST
  - InfoCube = ZIC_TEST
  - Type of report component = *
  - Name of report component = *.
  b) S_RS_COMP1
  - Kept * to all fields.
  c) S_RS_AUTH
  - I inactivated and deleted this Authorization Object.
  (I don't want to keep characteristic values restriction inside the role. The idea is to associate different users to the same role, allowing them to see the same ICs and execute the same queries. And differentiate wich characteristic values each one can see by manually associating different analysis authorization to each one.).
  3) With tcode RSECAUTH I created an Analysis Authorization (Z_AA_CLI_01) to restrict access only to client "CLI_01":
  - ZCA_CLI = "CLI_01"
  - 0TCAACTVT = "03"
  - 0TCAIPROV = "ZIC_TEST"
  - 0TCAVALID = "*".
  4) With tcode PFCG I assigned User "USER_01" to the Role " Z:ROLE_TEST" and made Complete Comparison.
  5) With tcode RSU01 I manually assigned Analysis Authorization " Z_AA_CLI_01" to User "USER_01".
  It seems to me that these steps are enough. But:
  a) When I log as USER_00 and go to tcode RSRT2, searching by InfoAreas I can see all the InfoAreas and all the InfoCubes, select and execute the query. That's OK.
  b) When I log as USER_01 and go to RSRT2, searching by InfoAreas I can see only ZIA_TEST and under it I can see only ZIC_TEST. That's OK. Then I select and execute the query.
  Wich means that S_RS_COMP is OK and each user is assigned to the correct Role.
  c) The problem is that in both cases the query brings data from all Clients.
  Under Information and Variable Values (when I run with HTML display) the message is "Empty demarcation".
  I changed the variable to be Ready for Input, just to see wich values it brings. In both cases (as USER_00 and as USER_01) in the Variable Screen it brings all the 5 Clients from the IC and I can select and execute any value.
  So the problem is with the Analysis Authorization or with the Variable, but I can't find what's wrong.
  Any help will be very appreciated.
  César

  OK Marc, it worked.
  Sorry for not answering earlier, but I could get back to this front only some days ago, then began testing your suggestions.
  1) Security Concept
  Authorization Mode was set to "Obsolete Concept with RSR Authorization Objects" (it would never work with this setting).
  I changed to "Current Procedure with Analysis Authorizations".
  Anyway, what's the function of this setting? Do old Reporting Authorizations work with "Current Procedure with Analysis Authorizations" setting?
  2) Variable Representation
  With "Multiple Single Values" it really led to problems.
  With "Selection Option" it worked well.
  3) 0TCAKYFNM
  I don't understand why, but if the AA doesn't have the char/dimension 0TCAKYFNM, when the User tries to run the query (tcode RSRT2) it accuses "You do not have sufficient authorization".
  Info Cube ZIC_VE95 has two KFs (ZKF_QTL95 and ZKF_VLT95). These KFs are used only on this IC (also in the KF Catalog, but it doesn't impact). This IC is used only on Query ZQR_VE95 (also in Transformation and DTP, wich doesn't impact).
  Well, I inserted 0TCAKYFNM and it worked, either with CP, "*" or with EQ, the two KFs.
  4) Authorization Policy Definition
  The situation I'm working on is very typical. Ex.: Some users are Administrators, Managers, Operator 1, Operator 2 and so on. Each Role needs authorization to access some queries. At the same time, they can access information only of the Cost Centers to wich they are related.
  There are many ways to implement it (I tested some of them and they worked well). My point is to define a most practical way, easy to understand and to maintain.
  I'm now sympathetic to this way:
  a) Create functional Roles (ex.: "Administrator", "Manager", "Operator 1", "Operator 2" and so on) defining only the Queries (or Info Areas, Info Providers, etc) each Role needs. No S_RS_AUTH definition.
  b) Create Char Value Roles (ex.: "CC_100_to_199", "CC_200_to_299", etc), only with S_RS_AUTH definition, each one associated with a corresponding AA (ex.: AA for CC 100 to 199, AA for CC 200 to 299 and so on).
  c) Create Composite Roles associating functional and char value Roles. Ex. Composite Role "Administrator for CC 100 to 199", composed of the Roles "Administrator" and "CC_100_to_199".
  d) Associate Users to the Composite Roles.
  Anyway, I'd appreciate if you could indicate some literature (blogs, articles, etc) on this theme.
  Well, thank you very much for your answers. Now I can go on with my studies on this subject.
  César Menezes

• Analysis Authorization failed for Multiprovider

  Hi all,
  We are facing an issue pertaining to the Analysis Authorization for a multiprovider. When we attempt to access a query base on a multiprovider, the program complains that it has insufficient authorization. So we did debugging in the customer exit and we realise it fails to populate the rest of the authorization variables in I_step = 0. Base on our initial investigation this only happens on queries on multiprovider, so is there anything I need to set or do to curb this error?
  Many thanks!

  Best solution is to trace the authorization for your issue in ST01.
  Switch on the trace in ST01 and start your work. if you face authoirzation check failed. look into the trace there you will find the logs and authorization failed for your userid.
  And one more thing, have you got anything in SU53 as authorization check failed?
  Hope this would help you.