Analysis Authorization mass maintenance

Hi All,
During the migration, due to Complexity of our complex BW 3.5 authorization setup we are end up in BI 7 New Design where we have to maintain new Cube to more than 150 Analysis Authorizations each time when we have new Cubes comes.
Do you guys know any method where you can update the new cube to large no of Analysis Authorization (for ex 150) instead of doing manually? Due to complexity of the old design itu2019s very difficult for us to change the new design.
Looking forward for expert opinion.
BR,
Deepak

Hi,
As per my knowledge, it is always recommended to maintain the Analysis authorizations individually. However, you may refer the below thread:
Analysis Authorization Mass Maintenance
and also the below link:
http://help.sap.com/saphelp_nw73/helpdata/en/c4/057a2de519451faf1819dba4092887/content.htm
Hope this helps!!
Rgds,
Raghu

Similar Messages

  • Analysis Authorization Mass Load got wrong

    Hi,
    First:
    I accidently made a rubbish CSV massupload via a 0TCA_DS04 formatted DSO and than a
    RSEC_GENERATE_AUTHORIZATIONS for Assignment of authorization to users.
    Second:
    I want to clear up this rubbish completely out  again.
    Third:
    Loading a one line one field CSV File like this:
    0TCTUSERNAME -     D_E_L_E_T_E
    ;0TCTAUTH -               <BLANK>
    ;0TCTADTO -              <BLANK>
    ;0TCTOBJNM -           <BLANK>
    ;0TCTSIGN -                <BLANK>
    ;0TCTOPTION -           <BLANK>
    ;0TCTLOW -                <BLANK> 
    ;0TCTHIGH -                <BLANK>
    ;0TCTOBJVERS -          <BLANK>
    ;0TCTADFROM -           <BLANK>
    via a 0TCA_DS01  formatted DSO
    and RSEC_GENERATE_AUTHORIZATIONS
    does not seem to work.
    Fourth;
    The rubbish Assignment of authorization to users still exist.
    Fivth:
    Something else to do ? The doc ,Generation of Analysis Authorizations - Business Intelligence - SAP Library,
    isn't to clear to this.
    Something more to do ?
    CSV wrongly formatted ?
    Assitant is appreciated.
    Thanks
    Martin

    Hi Petra,
    the message is only thrown when one of the named DataStore Objects is really empty.
    Could it be:
    1.) That you have a typo in your DataStore Object name
    2.) The message should also name a DataStore Object. Which one is it (for which authorisation generation)
    3.) Are you on a Support Package Stack level lower than 14, and try to generate hierarchy authorisation. If so, please check OSS note # 1041515.
    If none of the above is solving your issue, you might have to open a customer message.
      Cheers
         SAP NetWeaver BI Organisation

  • Restrict change authorization for MM17 (Material master mass maintenance)

    Hi,
    Apologies if I have posted this in the wrong forum. I want to know if it is possible to use the mass maintenance transaction MM17 (indus. material) to display data only istead of change/create. Is there some setting at the basis object level which can enable this? There are currently a lot of custom abap reports and queries in our system for viewing material master data, these can all be replaced by MM17. Basically we want to use MM17 as a reporting tool to display data only. Is a solution possible? Help is appreciated, thanks.
    Regards

    Have you tried the MM Information System node in the SAP Easy Access menu? There are a bunch of standard reports with navigation options there, for the user who has the correct authorization to display only.
    Alternately, you may want to take a look into transaction MASS and use the B_MASSMAIN object, depending on your requirements - but test it well.
    Cheers,
    Julius

  • Transport roles and analysis authorization with user assigned

    Hi expert,
    I face with this problem transport roles and analysis authorization with user assigned. When I have created a transport request to move the roles and analysis authorization from development system to test system. I couldnu2019t maintain the user assigned, after transport I have to assigned manually all of user or create a program to fill AGR_USER table or there are other way.
    Thanks for your time,
    Luis

    Hi,
    In role administration, you have the following options for transporting roles:
    You can download the roles from one system and upload them into another  
    You can import the role from a remote system using RFC  
    You can transport the roles with the transport function.
    Role upload loads all role data, including authorization data from a file into the SAP system. The user assignments for the role and the generated profiles for the role are exceptions in this case.
    Transporting Roles with the Role Transport Function
           1.      Start the role administration function by choosing Tools ® Administration ® User Maintenance ® Role Administration ® Roles (transaction PFCG).
           2.      Enter the role to be transported and choose Transport Role.
    The Mass Transport of Roles screen appears. You can control the default settings for the options Also transport single roles for composite roles and Also transport generated profiles for roles using Customizing switches (see Role Administration Functions in the section Functions of the Utilities Menu).
    You should not change the authorizations profiles of the role after you have included the role in a transport request. If you need to change the profiles or generate them for the first time, transport the entire role again afterwards.
    For more information go thrpugh the below link
    http://help.sap.com/saphelp_nw70/helpdata/EN/6d/7c8cfd410ea040aadf92e1f78107a4/content.htm
    Regards,
    Marasa.

  • Web Intelligence Report + BI 7.0 Analysis Authorizations

    Hello Experts,
    I have created a report on a universe based in a SAP BW InfoCube that contains an authorization relevant InfoObject (Company Code).
    BW Analysis authorization have been set up for this cube in such way that the user should have access only to data containing one of the two values of Company Code (lets say for example that the user can access value "A").
    It seems to be working fine when testing them via a BEx Query or via rsecadmin (rsrt with detailed analysis authorization logs). When the test user tries to view the full contents of the specific cube gets an "access denied" message (this is normal), whereas if the user runs a report with a filter "A" on Company Code the report returns the results as it should have. So far so good.
    For testing use within Web Intelligence, I have created the following Single Sign On (SSO) universes: a)directly on the cube, b)via a "select all" query and finally c)via a filtered query (filtering the exact allowed values of analysis authorization of the test user). All of the above have unfortunately the exact same issues:
    When a test user with limited analysis authorization (i.e. a user that can only access value "A" of Company Code) tries to view a report on either of these universes, then the result is the following message when trying to execute the query "A database error occured. The database error text is: Error loading cube MyCube/MyQuery (catalog MyCube): Unknown error. (WIS 10901)"
    I have tried several settings on the universe (like filter working on LoV as well) but none helped.
    If we replace the user's analysis authorizations with full access on company code (values "A" and "B") the query runs as it should have.
    Any ideas?
    Best regards
    Giorgos

    Hi,
    has the Universe been created on the cube level or on the query level ?
    In case it is on the cube level it will fail because :
    Analysis authorizations are not based on authorization objects. Instead, you create authorizations that include a group of characteristics. You restrict the values for these characteristics.
    The authorizations can include any authorization-relevant characteristics, and treat single values, intervals, and hierarchy authorizations in the same way. Navigation attributes can also be flagged as authorization-relevant in the attribute maintenance for characteristics and can be added to authorizations as separate characteristics.
    You can then assign this authorization to one or more users.
    All characteristics flagged as authorization-relevant are checked when a query is executed.
    *A query always selects a set of data from the database. If authorization-relevant characteristics are part of this data, you have to make sure that the user who is executing the query has sufficient authorization for the complete selection. Otherwise, an error message is displayed indicating that the authorization is not sufficient. In principle, the authorizations do not work as filters. Very restricted exceptions to this rule are hierarchies in the drilldown and variables that are filled depending on authorizations. Hierarchies are mostly restricted to the authorized nodes, and variables that are filled depending on authorizations act like filters for the authorized values for the particular characteristic*
    Ingo

  • [BO over SAP BW] Web Intelligence Report + BI 7.0 Analysis Authorizations

    Hello Experts,
    I have created a report on a universe based in a SAP BW InfoCube that contains an authorization relevant InfoObject (Company Code).
    BW Analysis authorization have been set up for this cube in such way that the user should have access only to data containing one of the two values of Company Code (lets say for example that the user can access value "A").
    It seems to be working fine when testing them via a BEx Query or via rsecadmin (rsrt with detailed analysis authorization logs). When the test user tries to view the full contents of the specific cube gets an "access denied" message (this is normal), whereas if the user runs a report with a filter "A" on Company Code the report returns the results as it should have. So far so good.
    For testing use within Web Intelligence, I have created the following Single Sign On (SSO) universes: a)directly on the cube, b)via a "select all" query and finally c)via a filtered query (filtering the exact allowed values of analysis authorization of the test user). All of the above have unfortunately the exact same issues:
    When a test user with limited analysis authorization (i.e. a user that can only access value "A" of Company Code) tries to view a report on either of these universes, then the result is the following message when trying to execute the query "A database error occured. The database error text is: Error loading cube MyCube/MyQuery (catalog MyCube): Unknown error. (WIS 10901)"
    I have tried several settings on the universe (like filter working on LoV as well) but none helped.
    If we replace the user's analysis authorizations with full access on company code (values "A" and "B") the query runs as it should have.
    Any ideas?
    Best regards
    Giorgos

    Hi,
    has the Universe been created on the cube level or on the query level ?
    In case it is on the cube level it will fail because :
    Analysis authorizations are not based on authorization objects. Instead, you create authorizations that include a group of characteristics. You restrict the values for these characteristics.
    The authorizations can include any authorization-relevant characteristics, and treat single values, intervals, and hierarchy authorizations in the same way. Navigation attributes can also be flagged as authorization-relevant in the attribute maintenance for characteristics and can be added to authorizations as separate characteristics.
    You can then assign this authorization to one or more users.
    All characteristics flagged as authorization-relevant are checked when a query is executed.
    *A query always selects a set of data from the database. If authorization-relevant characteristics are part of this data, you have to make sure that the user who is executing the query has sufficient authorization for the complete selection. Otherwise, an error message is displayed indicating that the authorization is not sufficient. In principle, the authorizations do not work as filters. Very restricted exceptions to this rule are hierarchies in the drilldown and variables that are filled depending on authorizations. Hierarchies are mostly restricted to the authorized nodes, and variables that are filled depending on authorizations act like filters for the authorized values for the particular characteristic*
    Ingo

  • Need analysis authorization help

    Hello Gurus,
    Could someone please help me out with my Analysis Authorization issue?
    We have a BW query and workbook outputting "Tcode usage" like the following:
    UserGroup| Username| Tcodename| Frequency
    This one has been running long time without any problems in reporting authorization, but now We want to get it restricted and only allow data associated group HR to display using new Analysis authorization. The scenario for this report is as follows:
    1. Rsecadmin >Maintenance> Create New authorization "Group" which consists of 4 characteristics: 0TCAACTVT, 0TCAIPROV, 0TCAVALID and 0TCTUSRGRP(which is the characteristic about group name and already authorizatio relevant). Set 0TCTUSRGRP "EQ HR".
    2.Assigned this authorization to a role using PFCG through the S_RS_AUTH. Other authorization objects in this role are:   S_BDS_D, S_BDS_DS, S_RS_MPRO, S_RSEC, S_RS_COMP, S_RS_COMP1, S_RS_HIER, S_RS_ICUBE, S_RS_ODSO.
    3.In BEx analyzer, set type: Characteristic Values and Variable filled from authorization and value "Selection Option". Unselected "ready for input". Put the characteristic associated with group name to filter windown on the top righ hand side of the Query Designer. Also compare users in PFCG.
    The question is the I still get all data about all groups. Looks like the authorization group doesn't work. I  used the "execute as " and get no errors back.
    Note: I didn't use "generation" to create the new authorization in Rsecadmin
    Thank you very much for any answers!
    Haifeng

    I guess i have found the reason why my authorization dosen't work. I don't activate infoObjects 0TCA* and 0TCT* and infoCubes 0TCA* as well. But another thing I am confused about is :
    Should I activate HR and CO businees content for authorizations 0TCA_DS02OTCA_DS05 and 0CCA_O010CCA_O03 before i get started? or should i run generation everytime i create a new authorization using Maintenance in Rsecadmin?
    Haifeng

  • Analysis Authorization Object not working

    Hi Gurus,
    I m working on BI 7.0, I have created an analysis authorization object zz_div for 0DIVISION characteristic.
    For a given report i want a given user to view only data for '32' and '33' 0DIVISION.
    I have followed the below steps but still the report shows all data instead of restricted one.
    1)RSECADMIN -> Maintenance ->zz_div ->Create
    2) Add 0DIVISION in Auth structure , and in details 
    I     EQ     32
    I     EQ     33
    3) Add 0TCAIPROV with I     EQ     0SD_C03
    4) Add 0TCAACTVT, 0TCAKYFNM, 0TCAVALID,  this having details as
    I     CP     *
    5) Then in User tab -> Assignment -> User -> Change-> Inserted ZZ_DIV-> Save
    6) In Query created a Authorization variable(with no input prompt) and restricted 0DIVISION.
    Following are the authorization object in that user's Role (Reporting Only)
    S_RFC 
    S_TCODE
    S_GUI
    S_BDS_D  
    S_BDS_DS 
    S_OC_SEND
    S_RS_AUTH - only having zz_div
    S_RS_COMP
    S_RS_COMP1
    S_RS_ICUBE
    S_RS_RSTT
    S_RS_TOOLS
    S_RS_PARAM
    I have surfed lots of thread for this issue but not getting a solution
    Tell me what i m missing in above or any additional setting need before creating analysis authorization
    Edited by: Sonal Patel on Apr 18, 2009 8:10 AM

    Hi
    Thanks a Ton for ur reply
    I have checked in SPRO : Analysis Authorization
    where the authorization mode is " OLD obsolete Concept With RSR  Authorization Objects "
    We have to do the same in Production system .Can u please how its going to effect to others authorizations if change it to New Concept
    Thanks
    Sonal....

  • Analysis Authorization (Role, Profile and Direct Assignments)

    <b>Analysis Authorization Question:</b>
    1)     In BW 3.x environment, customers have used Role Maintenance Process to assign proper object level security and then assign to the users.
    2)     Most of the places R/3 security team takes over support/administration function of BI Security and they continue to use Role method to assign “Reporting Authorizations” as per the process defined in BW 3.x system.
    3)     Customer sometime have 100 + Roles to have 3.X “Reporting Authorizations”. This is Managed, assigned, approved using role concept.
    <b>
    Migration Options:</b>
    1)     New Analysis Authorization makes process of Role Maintenance like "hierarchy authorizations" of BW 3.x. You have to create Value in other transactions and assign them in Role as a pointer or link object. With Analysis Authorization concept, Actual value of the Object Assigned “Like Company code 1100” not visible in Role Maintenance PFCG transactions. It is only visible in Transaction code RSECADMIN.
    2)     Analysis Migration Tool - RSEC_MIGRATION does not update “ROLES”. It creates or changes “PROFILES”.
    3)     Profiles are assigned to the users and Roles does not reflect any Impact by Analysis Authorization migration.
    <b>Questions</b>
    a)     This means customer need to update all the roles by hand. If they want to use Roles to manage the assignment of the Security to users. Migration Tool does not update Roles, it only updates PROFILES.
    b)     Does any one use direct assignment to Users? It is good business practice?
    c) Is <b>Profiles</b> recommended method of Authorization Maintenance?
    d) Can we run migration tool to create Analysis Authorizations, but not assign to the users as a Profile. But stop at creating Analysis Authorizations. If Customer wants to use Roles maintenance process then, they can do not have delete profile assignments from all users before updating Roles using Analysis Authorizations.
    Just want to check how other folks have done migration that can be supported going forward.
    Pankaj Gupta

    Hey Pankaj,
    In general, assigning the analysis authorization directly to user makes a lot of sense for granular levels of authorization. For example, if you had 3,000 users, 3,000 specific authorization combinations, and 3,000 roles, using roles is a lot of additional overhead. If you had 12 roles and 3,000 users, your role concept makes a lot of sense.
    Therefore, the recommendation is that it varies on what makes the most sense logically. Authorization groups can be created to group analysis authorizations and combine them. Also, you have the ability to generate analysis authorizations using the Content Datastores for this. That is an option as well.
    RSEC_MIGRATION does use profiles as you've stated. If you want, there would be manual work to convert to roles afterwards. In case you haven't seen Marc's presentation on security, it's pretty good and covers how to generate authorizations from the datastore.
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/media/uuid/ac7d7c27-0a01-0010-d5a9-9cb9ddcb6bce

  • How to implement complex analysis authorizations in simple way

    Hi All,
    I need to create some analysis authorizations with long list of single values for a characteristics. For example, we have multiple set up of company codes (APAC, EAME, AMERICAS, etc) and each set contains 150 - 200 company codes in it. Now we have multiple combinations of company code set and geographies. In short, we will have multiple analysis authorizations and each will have one or two set of company codes and some geographies.
    I can create the analysis authorizations for the first time, by putting individual values in the respective characteristics. That would be a big task but can be done. But the problem is about ongoing maintenance. In future, if a new company code is added to lets say APAC companies, then we will have to update all analysis authorizations which contains APAC company code and that would be huge number of AAs due to the complexity of business architecture.
    Could anyone please suggest if it is possbile (and how) to do below or similar, or have any other better approach (using BW7.4)
    - We would create a group (or set) of company codes. Lets say would create a group APAC_Comp_Code and add all APAC related company codes in it. This would be repeated for all set of compant codes.
    - While creating analysis authorizatons, I would not assign any individual company code value in characteristic, instead put APA_Comp_Code inside the characteristic 0COMP_CODE.
    - If I need to put multiple set of company codes inside 0COMP_CODE, I will just put the corresponding group name, not the invidual values.
    The benefit would be that in future if I need to add a new company code to APAC, I would just have to update this group APAC_Comp_Code. I will not have to maintain the analysis authorizations.
    Please let me know if this is possible or if there is any other way to implement the requirement with simpler maintenance.
    Thanks
    Nitesh Gupta

    Hi Nitesh,
    From what you describe, this would be a good case to use variables in your analysis authorisations. You can specify a variable value for the BUKRS field and have a couple of options to populate the values which are picked up in the query execution.
    You will need to ensure that you activate the istep to read customer exit variables and have the query variable set as customer-exit. Once those are complete, you can create a custom table to maintain the mapping of groups to company codes, or to read the company codes directly from your ERP system (if you want to base authorisations on what the users can see in ERP) and populate the table with those values.
    However you populate the value to the variable, I think this approach will get you closer to minimal maintenance going forward. Enhancement RSR00001 should be implemented, some help documentation for this below
    http://help.sap.com/saphelp_nw70/helpdata/en/1d/ca10d858c2e949ba4a152c44f8128a/content.htm
    Hope this helps,
    Tom

  • Complex analysis authorizations.

    Hi all,
    I'm trying to model analysis authorizations given the following parameters:
    1 infoprovider (basic InfoCube)
    2 queries (TOPLEVEL & DRILLDOWN) to be accessed via a Portal
    3 Portal roles based on CC range restrictions (‘A&C but not B’, ‘B&C but not A’ & ‘AB&C’)
    The TOPLEVEL query displays values by Asset Class for <i>all</i> Cost Centers. It allows the user to select a CC Hierarchy (Budget or Actuals) at run time, via a variable. It then serves as the sender for a RRI jump target. It passes the CC hierarchy, Comp Code, Fiscal Year & Asset Class.
    The DRILDOWN receiver query displays Assets filtered by Comp Code, Fiscal Year, Asset Class and the CC Hierarchy, but it needs to restrict access to certain CC ranges based on the roles outlined above.
    Is this possible in NW2004s? If so can anyone point me towards a solution?
    Many thanks,
    M

    Hi Nitesh,
    From what you describe, this would be a good case to use variables in your analysis authorisations. You can specify a variable value for the BUKRS field and have a couple of options to populate the values which are picked up in the query execution.
    You will need to ensure that you activate the istep to read customer exit variables and have the query variable set as customer-exit. Once those are complete, you can create a custom table to maintain the mapping of groups to company codes, or to read the company codes directly from your ERP system (if you want to base authorisations on what the users can see in ERP) and populate the table with those values.
    However you populate the value to the variable, I think this approach will get you closer to minimal maintenance going forward. Enhancement RSR00001 should be implemented, some help documentation for this below
    http://help.sap.com/saphelp_nw70/helpdata/en/1d/ca10d858c2e949ba4a152c44f8128a/content.htm
    Hope this helps,
    Tom

  • Rational approach for Analysis Authorization:

    This post is regarding the implementation of Analysis Authorization.  Considering the role based approach; please let me know the optimized way to implement the analysis authorization such that there will be very low maintenance.
    For e.g. I have queries which need to be restricted at data level PLANT wise. So I mark the characteristic 0PLANT as authorization relevant. There are 150 plants so I create the 150 Analysis Authorizations and put each one of them in roles (1:1) resulting in 150 roles. In addition; 151th Role and Analysis Authorization for ALL plant access.
    Now to restrict the queries themselves, I create a Role with object S_RS_COMP , S_RS_COMP1 (For queries) ; S_USER_AGR  and S_USER_TCD( for  workbooks).
    Then I create a composite role  with above 2 single roles (one containing AA and other role for Query restriction)and assign it to user.
    Now suppose when I need to restrict data at some other level say DIVISION wise. Then I would be again creating analysis authorization for all the divisions and putting them in roles.
    Using this approach ; there would be many roles and analysis authorizations. Also during production support it may be cumbersome to debug the errors.
    Please comment if any other approach for implementing the above scenarios.
    Regards,
    Ajit
    Edited by: Ajit Nadkarni on Apr 4, 2010 5:47 PM

    Hi,
    I had a similar requirement where in we had 178 plants and each plant manager has to see their own site by default in the selection screen when they run the query.
    By defalut it should display there own site but its not restricted to only that site. Managers can also look into other sites but by default they wanted their own site to be displayed.
    So I have created DSO and did mapping with username and store. And in query I created a variable in plant of type customerexit and written exit in CMOd using I_STEP 1. This solved our requirement. But to restrict to particular site i guess we can extend the routine in cmod.
    Thanks
    Srikanth

  • GRC ERM mass maintenance

    Hi All
    Would mass Role name changes of roles possible in ERM by mass maintenance option?
    Please suggest how the roles names changes possible.
    Thanks & Regards
    Abhijeet

    Sorry to say Abhijeet, But this may not be feasible. But if you really need to change the role names for some roles, you can utilize the Copy Role functionality in ERM under Search Roles and you can copy the earlier roles into new roles with changed role names. This will reduce some of your efforts in role and authorization definition for the roles.
    If the former roles are not generated in backend system then you can delete the same from ERM and maintain the audit history for those roles which have been deleted in this process.
    All the Best,
    Aman

  • Analysis Authorization in BO 4.0 Webi report

    Hi All,
    I am using BO 4.0 and creating connection from Information Design tool to a BW query using BICS client. This connection is then published to CMC.
    We are using SAP authentication and importing the roles from BW system. We have added profiles to this role and these profiles have Analysis Authorization set on Company Code. So one user can access data to one company code and vice versa. Now this works well in Bex Analyzer, but if I try to create a report in Webi, the analysis authorization fails. I went through the forum before posting this question and I found that is in 3.1 version and in most cases using SSO in universe connection solved the problem.
    However in 4.0 I am using BICS client and followed the same processes to create a connection but for some reason it doesn't work ? Is this suppose to work differently in 4.0 ?
    I have tried:
    1. To create connection in Information Design tool using SSO, selecting user ID and password. It doesn't work.
    2. Checked the Bex query and it already has Company code as a Characteristic restrictions (I have made it a mandatory variable).
    3. Publish the connection to CMC with my Enterprise and SAP ID and in both cases it doesn't work.
    Please let me know if anyone encountered a similar issue and what is the best method to resolve this.
    (BO 4.0 no service pack or fix pack installed on the system yet)
    Thanks - Appreciate your help !
    Prasad Rasam

    Ingo,
    1. To create connection in Information Design tool using SSO, selecting user ID and password. It doesn't work.
    >> Correct you need to setup you OLAP Connection with SSO.
    >>> What I meant was I created the connections using both the methods, Using SSO it allows me to create a connection. The ID which I am using to create a connection has Admin access to BOBJ system. When I login as a regular user to create a Webi report and select this new connection, it throws an error message 'The DSL Service returned an error: com.businessobjects.dsl.services.workspace.impl.QueryViewAnalyzer$CannotGetCubeFromConnectionException: Cannot get the cube from the connection'
    Using the other method to create a connection with User ID and password, I can create a connection and with the normal user login I can connect to the BW query but Analysis Authorization doesn't work.
    Ingo : Could you be more specific what you mean here with the different users ? When you say "regular" user are you referring to an SAP credentials or SAP BusinessObjects Enteprrise credentials ?
    2. Checked the Bex query and it already has Company code as a Characteristic restrictions (I have made it a mandatory variable).
    >> The variable in the BEx query needs to be an authorization variable.
    >>> This has already been set as Authorization variable. There is still a question here. If I select the variable as Authorization variable, I cannot set the other parameters in the query properties such as Mandatory variable (as this is greyed out).
    Ingo : What other parameters would you like to configure ? Could you perhaps describe the scenario with more details ?
    regards
    Ingo Hilgefort

  • Analysis Authorization Issue 7.3

    Hello Friends,
    System BW 7.3, Currently there are 80 odd analysis authorization objects
    We want to introduce a new info object (GL Account) to be authorization relevant, ( there are few objects in the system which are already authorization relevant in the system with proper analysis authorization objects and they are working fine)
    Things done, made the GL Account object authorization relevant in RSA1, Created 2 analysis authorization objects with GL Account and TCT objects and one with hierarchy restrictions and one open access.
    Added this object to the user in addition to its already existing authorization objects. Created authorization variable in BEx.
    Some how the authorization is not picked up and it gives us all the values in the report. But if I add the GL Account info object to the existing analysis authorization objects then it works fine.
    I do not want to change all the existing analysis authorization objects to add GL Account.
    Your inputs are most welcome.
    Thanks
    Ed.

    Gajesh- I have added the new analysis authorization object to the user in RSECadmin.
    Subhendu- Problem statement: What are the steps involved in making a new info object(GL Account) authorization relevant. Authorizations are given at hierarchy level. Can we create a new analysis authorization with  GL Account only or do we have to add it to every existing analysis authorization
    I have done the following steps
    1. Made the GL Account object authorization relevant in RSA1,
    2. Created 2 new analysis authorization objects with GL Account ( with hierarchy restrictions) and TCT objects and one with GL Account open access.
    3. Added this object ( which has restrictions) to the user in RSECADMIN, in addition to its already existing authorization objects.
    4. Created authorization variable in BEx.
    5. No existing analysis authorization objects have been changed.
    When I test the report, It does not restrict based on the hierarchy that I have given, it gives open access.
    But If I add GL Account with restrictions to the existing analysis authorization object, it works good.
    Guess I am missing some thing here.
    Do you need any other screen shots.
    Thanks
    Ed.

Maybe you are looking for