Analysis Authorization Migration Question

Analysis Authorization Migration Question
This is detail Question
1)     I am testing Analysis Authorization Migration in NW2004s SP9 and have applied all OSS notes that are relevant to SP09 and are coming in SP10.
2)     We have 2 Info object flagged as Authorization relevant 0COMP_CODE and 0COSTCENTER
3)     We have Object level security set-up in BW 3.x system and for a role we have specified values like 0COMP_CODE has value 1000, 1800. :. In the same role we have specified 0COSTCENTER value 130001 to 180001, : and hierarchy node.
4)     When we migrate to Analysis Authorizations, using RSEC_MIGRATION, this program creates 2 Authorizations ZCOCODE00 & ZCOSTCTRH00. Both of them have 0COMP_CODE and 0COST_CENTER Objects.
5)     ZCOCODE00 authorization gets value 0COMP_CODE values 1000, 1800. : and 0COSTCENTER Value :.
6)     On the same line ZCOSTCTRH00 gets value 130001 to 180001, : and 0COMP_CODE :.
1st Question:
1)     Why does it create 2 Authorizations?
2)     During Checking it does not pass the authorizations, because it seems to me that it fails in Optimization process.
3)     I manually merge the authorizations in ONE object then authorization check passes. In other word if I combine ZCOSTCTRH00 & ZCOCODE00 then Query authorization check passes.
Any one is struggling on this.
Please note, I am doing Migration so that it updates existing Profiles (Roles now from SP9).
Any comments will be very help full.
Pankaj Gupta

Hello Pankaj
There are some basic misunderstandings on your side.
Let me try to clarify:
First we should distinguish between migration of authorizations and of what a query does with them.
You had 2 auth objects before migration (in 3.x).
Of course, they must be migrated to 2 new analysis auths.
There is no general possibility to combine authorizations to a single one as the may appear in different roles and users. Moreover this would kill performance and finally, nobody would recognize the origin.
Only in very restricted cases one could think of a combination of auths which come out of migration. But, then people loose overview about what goes on.
Before the corrections in note "Migration IV" the : had not been inserted but now it is for good reasons.
Now, accept for the moment that you receive 2 auths.
Then, you cannnot (must not) combine the 2 resulting authorizations!
Authorization 1
COMP_CODE : 1000, 1300, :
Cost Center : :
Authorizations 2
Comp_Code :
Cost Center : 3100001-31999999; : plus a Hierarchy Node.
This means that e.g. combination
COMP_CODE 1000
COST_CENTER 3100001-31999999
is not allowed!!! Therefore, they must not be combined!
Also, the query and its optimization is comepletely independent of the migration. And here, during query run time the auths cannot be combined. It is no failure!
Moreover, the merging optimization is just a performance optimizaiton and has nothing to do with whether the query result is authorized or not.
If you combine them manually you have authorized different combinations.
Well, now you may wonder why you get 2 auths at all which leads to a "no auth" result in the query execution.
The reason is, that in 3.x where you got a result with your 2 auth objects the modeling was wrong.
If you want to authorize any combination of characteristic values, you should combine these characteritics together in one auth object, not in 2!
(In BI7.0 it works like that but not in 3.x)
But you defined 2 which may be valid even in several other InfoProviders independently and not even at the same time. Moreover, the auth objects may come from different roles and may be assigend to different users which then have completely different auth content. In general it is not possible to combine different auth objects or to find out those special situations which nevertheless allow for such optimizations. If you re-do a migration with more objects and users you could even receive different results which is also not satisfying.
Therefore, instead, the mechanism was introduced to insert a : auth to those characteristics that are auth relevant (and checked now with 7.0) but not in the currently processed auth object.
In you special case it may have made sense to combine them but not in general. And a migration can only try to work as general as possible.
For your application you may combine the 2 auths manually if you want to allow also the crossover combinations
COMP_CODE 1000
COST_CENTER 3100001-31999999
Best regards
Peter John
BI Development

Similar Messages

What is Analysis Authorizations in BI 7.0?

Hello BW Gurus,
Greetings!!!!
Please forward the relevant documents (Analysis Authorizations and also about data migration from 3.0 to 7.0 ) to the ID- [email protected]
Points will be rewarded..
Best Regards,
Priya

Hi Priya,
These would be great help to you,
Upgrading to SAP NetWeaver 7.0 BI - The Details doc.
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/10564d5c-cf00-2a10-7b87-c94e38267742
Please check these blogs for full details:
/people/prakash.darji/blog/2006/09/22/rolling-out-the-new-sap-netweaver-2004s-bi-frontend-tools?page=last&x-showcontent=off&x-order=date [original link is broken]
https://weblogs.sdn.sap.com/pub/wlg/4668?page=last&x-order=date [original link is broken] [original link is broken] [original link is broken]
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/6a19f233-0e01-0010-6593-c47af5a8df3b
Some Insights..
NW2004s Upgrade - Front-End Migration Strategy
https://forums.sdn.sap.com/click.jspa?searchID=3914335&messageID=2331907
Migration of Data Sources
https://forums.sdn.sap.com/click.jspa?searchID=3914335&messageID=3369391
Migration - Web Templates from 3.x to NW2004s
https://forums.sdn.sap.com/click.jspa?searchID=3914335&messageID=2052465
Migration question
https://forums.sdn.sap.com/click.jspa?searchID=3914335&messageID=2935414
Migration Transformation NW2004s Datasource
https://forums.sdn.sap.com/click.jspa?searchID=3914335&messageID=3034054
Analysis Authorization Migration Question
https://forums.sdn.sap.com/click.jspa?searchID=3914335&messageID=2537477
NW2004s Data flow
https://forums.sdn.sap.com/click.jspa?searchID=3914335&messageID=3447826
Visual composer migration
https://forums.sdn.sap.com/click.jspa?searchID=3914335&messageID=3775098
Rfer thez threads.. u will get good idea..
/thread/439486 [original link is broken]
/thread/377643 [original link is broken]
Migrate Transformations
/message/3034624#3034624 [original link is broken]
/thread/178564 [original link is broken]
For Data Flow:
http://help.sap.com/saphelp_nw2004s/helpdata/en/43/f00e2696d24c5fe10000000a155369/content.htm
/people/prakash.darji/blog/2006/09/22/rolling-out-the-new-sap-netweaver-2004s-bi-frontend-tools
Assign points if it helps,
Regards,
Mani

Analysis Authorization (Role, Profile and Direct Assignments)

Analysis Authorization Question:
1) In BW 3.x environment, customers have used Role Maintenance Process to assign proper object level security and then assign to the users.
2) Most of the places R/3 security team takes over support/administration function of BI Security and they continue to use Role method to assign Reporting Authorizations as per the process defined in BW 3.x system.
3) Customer sometime have 100 + Roles to have 3.X Reporting Authorizations. This is Managed, assigned, approved using role concept.

Migration Options:
1) New Analysis Authorization makes process of Role Maintenance like "hierarchy authorizations" of BW 3.x. You have to create Value in other transactions and assign them in Role as a pointer or link object. With Analysis Authorization concept, Actual value of the Object Assigned Like Company code 1100 not visible in Role Maintenance PFCG transactions. It is only visible in Transaction code RSECADMIN.
2) Analysis Migration Tool - RSEC_MIGRATION does not update ROLES. It creates or changes PROFILES.
3) Profiles are assigned to the users and Roles does not reflect any Impact by Analysis Authorization migration.
Questions
a) This means customer need to update all the roles by hand. If they want to use Roles to manage the assignment of the Security to users. Migration Tool does not update Roles, it only updates PROFILES.
b) Does any one use direct assignment to Users? It is good business practice?
c) Is Profiles recommended method of Authorization Maintenance?
d) Can we run migration tool to create Analysis Authorizations, but not assign to the users as a Profile. But stop at creating Analysis Authorizations. If Customer wants to use Roles maintenance process then, they can do not have delete profile assignments from all users before updating Roles using Analysis Authorizations.
Just want to check how other folks have done migration that can be supported going forward.
Pankaj Gupta

Hey Pankaj,
In general, assigning the analysis authorization directly to user makes a lot of sense for granular levels of authorization. For example, if you had 3,000 users, 3,000 specific authorization combinations, and 3,000 roles, using roles is a lot of additional overhead. If you had 12 roles and 3,000 users, your role concept makes a lot of sense.
Therefore, the recommendation is that it varies on what makes the most sense logically. Authorization groups can be created to group analysis authorizations and combine them. Also, you have the ability to generate analysis authorizations using the Content Datastores for this. That is an option as well.
RSEC_MIGRATION does use profiles as you've stated. If you want, there would be manual work to convert to roles afterwards. In case you haven't seen Marc's presentation on security, it's pretty good and covers how to generate authorizations from the datastore.
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/media/uuid/ac7d7c27-0a01-0010-d5a9-9cb9ddcb6bce

Scenario in Analysis Authorization to check

Hi Gurus,
I am doing a POC for Migration of Analysis Authorization Migration. In which there isone scenario that we want to check.
The Scenario is for Single user.
User having access to 2 different Cubes:-
Cube 1                                                   Cube 2
Company Code:- XYZ                           Company Code :- *
Now How can we acheive this scenario in Analysis Authorization.Please guide.
Regards,
Amit

Try this
AA #1
0TCAACTVT                                               03
0TCAIPROV                                                 Cube1
0TCAVALID                                                 *
0COMP_CODE                                             XYZ
All other objects auth-relevant for Cube1   :
AA #1
0TCAACTVT                                               03
0TCAIPROV                                                 Cube2
0TCAVALID                                                 *
0COMP_CODE                                             *
All other objects auth-relevant for Cube2   :

Migration from BW 3.x to BI v7.0 Analysis Authorizations

Hi All!
We are converting our security from BW 3.x Reporting Authorizations to BI v7.0 Analysis Authorizations. My questions are as follows:
We you make the IMG change in BI v7.0 in IMG transaction RSCUSTV23, does your old BW Reporting security disappear from roles or is it still there?
Are there any other IMG settings, etc that need to be done in order for the new BI v7.0 Analysis Authotizations to work?
If I ran a test query on a role that only had the old reporting authorizations after I switch the IMG transaction RSCUSTV23 to the new Analysis Authorizations, will it still run or should it just error out?
thanks in advance for your help!

Hi,
Here are the answeres for your questions
1) We you make the IMG change in BI v7.0 in IMG transaction RSCUSTV23, does your old BW Reporting security disappear from roles or is it still there?
The old Reporting security disappears but the objects are still exists. If need you can switch back to the old concept
2) Are there any other IMG settings, etc that need to be done in order for the new BI v7.0 Analysis Authotizations to work?
RSCUSTV23 is the only setting need to be set to choose the authorization method
3) If I ran a test query on a role that only had the old reporting authorizations after I switch the IMG transaction RSCUSTV23 to the new Analysis Authorizations, will it still run or should it just error out?
Unless you create the Analysys authorizations (or do migrate) the authorizations are not affective.

Analysis Authorization questions

How does Analysis Authorizations work in below cases
1)Infoobject "A" set as Authorization relevant (In Bex explorer tab)
2)Infoobject "B" which is ATTRIBUTE of infooobject "A" set as Authorization relevant
3)Infoobject "A" and "B" both set as Authorization relevant
How to design query in each of the cases above with or without authorization variables and what parameters to be set in the RSECADMIN for infoobject "A" and "B" in each case like ":", "*" and what would be the behaviour after setting the above behaviour .
can any one give example above with demonstration please

Hi John,
please search first the forum and read the online documentation before posting these kind of questions. You should find more than enough information via the above mentioned channels. You save time and effort of your peers.
To answer your questions briefly:
1. 0COUNTRY is in the free characteristics (not in the drilldown) without any selections
==> You need the ':' value, since whenever you ommit a characteristic you basically see want to see the summary value (you summarize / accumulate over the specific characteristics). Nevertheless, as soon as you drilldown on the characteristic you need the specfic values of the drilldown.
- or-
2. 0COUNTRY is not used in the query.
==> You need ':', too.
Cheers
SAP NetWeaver BI Organisation

How to Move Migrated Analysis Authorization across the landscape?

Hi,
we have migrated existing 3.x obsolete authorization concept to 7.x Analysis Authorization with the SAP delivered program RSEC_MIGRATION. Unit test is completed in the Development. What is the process to move the changes to quality.
Any help is greatly appreciated.
Thanks!

Hi Tony,
what about the roles that are updated during the migration process. How do I identify them and Do I need to collect them and transport too? Is there a way I can use the tables you mentioned in the above discussion for this.
First you should decide on whether you wish to use direct AA assignment or use S_RS_AUTH authorization object (This is referred as indirect AA assignment).
If you wish to assign AA directly, you doesn't require the roles to be transported and just need to transport the AA, since the AA works independently.
If you with to implement indirect AA assignment, you should identify the roles (from the tables I've provided in my last post) and findout the roles based on query's. Further the AA that were related to the queries should be added using S_RS_AUTH and these roles require a transport.
Hope this helps!!
@Arpan - Those tables are required to quickly find out the roles Vs queries Vs InfoAreas/InfoCubes information to work on the AA.
Regards,
Raghu

Manual migration to analysis authorization-4

hello BI experts,
When authorizing InfoProvider via analysis authorization by using 0TCAIPROV with *. Is it still possible to authorize correctly and sharp data via authorization relevant InfoObjects?
regards
Imberaureus

Its possible considering the user will be able to look in to the data of all data targets.

Impact of Analysis Authorization on Users using old Authorization

Hi All,
I have question regarding Analysis Authorization. Our system has old authorization concept and as part of our project we decided to go for Analysis authorization for Cost Center object. We activated analysis authorization for cost center, assigned it to test user id and found that its working fine in Dev. But it has impacted other users in the system. They are not able to access any other reports and data providers which were not even referring cost center. What is the proper way to activate analysis authorization without impacting access to existing users.
- Som

Hello Andreas,
Sorry to ask you directly here, I didn't get answer from this forum. We will migrate to the new analysis authorization from old reporting concept. I have read the book "An Expert guide to new SAP BI security features" by SAP Lavs, but still confused with some parts. My questions is:
Are there two ways to create authorizations as follows?
1. we can type tcode rsecadmin>Maintence button>create a new authorization.
2. the following part taken from the book:
Steps for Generating Authorizations
1. Activate Business content
2. Load Datastore objects
3. Generate Authorizations
4. View Generation Log.
In the first step, OTCA_DS01 to OTCA_DS05 and OCCA_O01 to OCCA_O03 are Datastore objects required to be activated.
In the second step, tcode rsecadmin-->generation button --> type OTCA_SDS01 to OTCA_DS05 into respective filed. Should we always type these 5 objects everytime when we create authorization?
When we should use the second way to create authorizations? and what is the diffrence between them?
Any answers will be appreciated. Thank you very much in advance!
Haifeng

Analysis Authorization with SEM-BPS

Hi,
We have performed technical upgrade from BW 3.5 to BI 7.0. We want to migrate to BI 7.0 functionality phase wise.
We have SEM-BPS and now we want to migrate to Analysis Authorization of BI 7.0.
Once we have igrated to Analysis Authorization, will there be any impact on SEM-BPS? Can we still use SEM-BPS with New Analysis Authorizations? We do not want to move to BI-IP in near future?.
Please advise.
Best Regards,
UR

Dear UR,
Iu2019m going to try helping you,
In difference of reporting functionality, in planning, the data of an InfoCube is not just read; it is also changed or created.
There are two planning tools in BI: BW-BPS (Business Planning and Simulation), and BI Integrated Planning.
There are two main tcode: BPS0 and RSPLAN
There are three authorization objects to manage Integrated Planning:
S_RS_PL_ADMIN - Planning Administrator
S_RS_PL_PLANNER u2013 Planner
S_RS_PL_PLANMOD_D u2013 Planning Modeler (Development System)
The main object in the planning scenario is InfoCube real-time, where can available writing in small package that arrive in parallel. In some cases the security requirements for reporting and planning can be merging. In this case you need authorization object for checking planning, as authorization object above, and you need authorization object for using a query for planning requires as S_RS_COMP.
In addition to authorization for displaying data, the authorizations for changing data you need analysis authorization (the analysis authorization focus in the InfoProvider, no in Aggregation Level).
In your analysis authorization design for reporting stuff, you should use in 0TCAACTVT characteristic 03 value. In the planning stuff, you should use in 0TCAACTVT characteristic 03 and 02 values. As explain following:
Using the characteristics 0TCAACTVT (activity), you can restrict the authorization to different activities. Read (03) is set as the default activity; you must also assign the activity Change (02) for integrated planning.
http://help.sap.com/saphelp_nw70ehp1/helpdata/en/b1/0c9441b8972e7be10000000a1550b0/frameset.htm
I hope this suggestion can help you answer question,
Luis

Analysis Authorizations - Aggregation Level ( ':' )

Dear BW Gurus,
Greetings!!!
I have a scenario of migrating the Authorizations from BW 3.5 to BI 7.0 Analysis Authorizations.
There is a report based on InfoSet. There are about 8 authorization relevant objects among which the user is authorized for 3 Authorization relevant characteristic fields. In the previous version, It was working fine when tested.
In BI 7.0 Analysis Authorization Concept, I have created the Authorization Object with these 3 Auth relevant fields and assigned to the Role using S_RS_AUTH and then assigned it to a user. When I test the query with that particular user ID, the result was NO SUFFICIENT AUTHORIZATION.
When I checked the log, there it displayed the other authorization relevant fields for Aggregation level. So, my question is whether I must include the other Authorization relevant fields and restrict them for aggregation level (Value ':') and is it mandatory?
please guide me in this regard as early as possible.
Best Regards,
Priya

Hello,
Check st01 and su53 for missing objects then assign objects accordingly in the role or in analyse authorisation .
Thanks.
With regards,
Anand Kumar

RSEC_MIGRATION (Analysis Authrization Migration) AUFEX Error

Hi,
When I try to migrate using RSEC_MIGRATION, the following error appears.
AUFEX is not a name for an InfoObject of an InfoSet (not found)
I have tried selecting few users ans still no sucess.
Best Regards,
UR

Dear UR,
Iu2019m going to try helping you,
In my experience in the migration authorization process, I have haven some problem with the program RSEC_MIGRATION. One of them, was you have to select all user; some of reporting authorization object are links through deferent role; ect.
I suggestion look at the following thread:
Error execute report RSEC_MIGRATION
Owe college Andreas suggest one link and set of OSS note.
In my opinion, in the last project we go forward with process migration by manually way.
The strategic was:
u2022     Group the roles by family, create one layout role by each family and the rest make it derivate role.
u2022     Have done BIAUTH as Organizational Level.
u2022     Created analysis authorization by each reporting authorization role.
u2022     Be careful with characteristic and attribute navigational relevant authorization, both are manager like object. (Unlike in 3.X, where the navigational attribute take the setting of characteristic)
u2022     Join each analysis authorization with each role.
u2022     Regenerate all
u2022     Go forward with the test.
I hope these suggestions can help you in your question,
Luis

Analysis Authorization in BO 4.0 Webi report

Hi All,
I am using BO 4.0 and creating connection from Information Design tool to a BW query using BICS client. This connection is then published to CMC.
We are using SAP authentication and importing the roles from BW system. We have added profiles to this role and these profiles have Analysis Authorization set on Company Code. So one user can access data to one company code and vice versa. Now this works well in Bex Analyzer, but if I try to create a report in Webi, the analysis authorization fails. I went through the forum before posting this question and I found that is in 3.1 version and in most cases using SSO in universe connection solved the problem.
However in 4.0 I am using BICS client and followed the same processes to create a connection but for some reason it doesn't work ? Is this suppose to work differently in 4.0 ?
I have tried:
1. To create connection in Information Design tool using SSO, selecting user ID and password. It doesn't work.
2. Checked the Bex query and it already has Company code as a Characteristic restrictions (I have made it a mandatory variable).
3. Publish the connection to CMC with my Enterprise and SAP ID and in both cases it doesn't work.
Please let me know if anyone encountered a similar issue and what is the best method to resolve this.
(BO 4.0 no service pack or fix pack installed on the system yet)
Thanks - Appreciate your help !
Prasad Rasam

Ingo,
1. To create connection in Information Design tool using SSO, selecting user ID and password. It doesn't work.
>> Correct you need to setup you OLAP Connection with SSO.
>>> What I meant was I created the connections using both the methods, Using SSO it allows me to create a connection. The ID which I am using to create a connection has Admin access to BOBJ system. When I login as a regular user to create a Webi report and select this new connection, it throws an error message 'The DSL Service returned an error: com.businessobjects.dsl.services.workspace.impl.QueryViewAnalyzer$CannotGetCubeFromConnectionException: Cannot get the cube from the connection'
Using the other method to create a connection with User ID and password, I can create a connection and with the normal user login I can connect to the BW query but Analysis Authorization doesn't work.
Ingo : Could you be more specific what you mean here with the different users ? When you say "regular" user are you referring to an SAP credentials or SAP BusinessObjects Enteprrise credentials ?
2. Checked the Bex query and it already has Company code as a Characteristic restrictions (I have made it a mandatory variable).
>> The variable in the BEx query needs to be an authorization variable.
>>> This has already been set as Authorization variable. There is still a question here. If I select the variable as Authorization variable, I cannot set the other parameters in the query properties such as Mandatory variable (as this is greyed out).
Ingo : What other parameters would you like to configure ? Could you perhaps describe the scenario with more details ?
regards
Ingo Hilgefort

Analysis Authorization Issue

Hi:
I created an analysis authorization ZCO_CODE to trstrict it by a company code.
I added following objects in authorization with values.
0COMP_CODE = 1000
0TCAACTVT = 03
0TCAIFAREA = *
0TCAIPROV = *
0TCAVALID = *
Then I created a role Z:00:BW_REPORT, where I added following authorization objects S_RS_AUTH and restricted it by value ZCO_CODE. Then I assigned this role to a user test01.
When I execute a program RSEC_MIGRATION for this specific user, I do not see authorization object ZCO_CODE on 2nd step of this program. Any Idea Why? I think this object should show up as I want to migrate this specific object.
Help will be appreciated.

Hi Sachin:
Okay here is my issue.
I have a Reporting authorization Object created earlier which is ZCOCODE. I though I'll have to create a new Analysis authorization object e.g. ZCO_CODE and then restrict it with other chars. as mentioned in Marc Bernards presentation and then you have to migrate it.
In selection list I can see old Reporting authorization object. If I select it and use option "Enhance existing profile" then It will update profile and not role? right....
How can I see whether it has updated existing profile?????
Do I need to create new Analysis Auth. for Company code or I can use old Reporting authorization for company code?
For testing purpose, I created a test user and assigned all reporting roles but It will not show up in RSEC_MIGRATION step???

Need analysis authorization help

Hello Gurus,
Could someone please help me out with my Analysis Authorization issue?
We have a BW query and workbook outputting "Tcode usage" like the following:
UserGroup| Username| Tcodename| Frequency
This one has been running long time without any problems in reporting authorization, but now We want to get it restricted and only allow data associated group HR to display using new Analysis authorization. The scenario for this report is as follows:
1. Rsecadmin >Maintenance> Create New authorization "Group" which consists of 4 characteristics: 0TCAACTVT, 0TCAIPROV, 0TCAVALID and 0TCTUSRGRP(which is the characteristic about group name and already authorizatio relevant). Set 0TCTUSRGRP "EQ HR".
2.Assigned this authorization to a role using PFCG through the S_RS_AUTH. Other authorization objects in this role are: S_BDS_D, S_BDS_DS, S_RS_MPRO, S_RSEC, S_RS_COMP, S_RS_COMP1, S_RS_HIER, S_RS_ICUBE, S_RS_ODSO.
3.In BEx analyzer, set type: Characteristic Values and Variable filled from authorization and value "Selection Option". Unselected "ready for input". Put the characteristic associated with group name to filter windown on the top righ hand side of the Query Designer. Also compare users in PFCG.
The question is the I still get all data about all groups. Looks like the authorization group doesn't work. I used the "execute as " and get no errors back.
Note: I didn't use "generation" to create the new authorization in Rsecadmin
Thank you very much for any answers!
Haifeng

I guess i have found the reason why my authorization dosen't work. I don't activate infoObjects 0TCA* and 0TCT* and infoCubes 0TCA* as well. But another thing I am confused about is :
Should I activate HR and CO businees content for authorizations 0TCA_DS02OTCA_DS05 and 0CCA_O010CCA_O03 before i get started? or should i run generation everytime i create a new authorization using Maintenance in Rsecadmin?
Haifeng

Analysis Authorization Migration Question

Similar Messages

Maybe you are looking for