Analysis Authorization problem (new BI auth concept)

Similar Messages

• Analysis Authorization Problem

  Hy, i have create a Analysis Authorization object ZCOMPCODE with 0COMPCODE as characteristic.
  So i assign this object to a users and i create a variable to filter 0COMPCODE with processing type "authorization".
  The problem is that when execute the BEx query i receive the message : No authorization.
  When assign 0BI_ALL to user the ZCOMPCODE has not effect but the query run correctly.
  How can i resolve this serious problem?
  Regards,
  Andrea Maraviglia

  Dear Andrea,
  When you have a problem with authorization data access, may be you need check the following stuff:
  1 All InfoObjects are relevant authorization (see Business Explorer the check box authorization relevant for each InfoObject Tcode RSD1) which these are part of InfoProvider where query request data. It is very important, because you have to include all of this InfoObject (Characteristic) in your analysis authorization.
  2. Remember add the standard characteristic. 0TCAACTVT (3 value), 0TCAIPROV (InfoProvider Tech Name), 0TCAVALID (* value).
  3. In each characteristic relevant authorization, I suggest that add the colon “:” value to avoid problem with variable authorization in the query.
  4. Furthermore, the user need one role for standard object authorization: 
  . S_RS_COMP (Activities 03, 16)
  . S_RS_COMP1 (Query owner)
  . S_RFC (BEx Analyzer or BEx Browser only)
  . S_TCODE (RRMX for BEx Analyzer)
  I hope that can help you!
  Luis

• BW Analysis Authorization Problem when no selection is done

  Hi Everybody,
  I am facing the following problem with the implemented authorization concept.
  We have marked 2 IOs as Authorization relevant: company and costcenter. We have defined an authorization object where the values are assigned through two variables $ZCompany and $ZCostcenter. The values are picked up from 2 Ztables where the User/Usergroup/Values assignement is done. Eveything seems to work fine.
  We have a problem when using an optional variable built on Company or Costcenter in our queries and no selection is done.
  If no selection is done, the variables ZCompay and ZCostcenter both are given values equals *. It si the same as every value. Since the user ZTESTUSER is authorized only for some comapnies and some costcenters,  the match between the * selection and the authorization set is not sucessful and the user doesn´t get any authorization. this is what we can when executing the display error log:
  Following Set Is Checked  Comparison with Following Authorized Set  Result  Remaining Set 
  Characteristic  Content in SQL Format 
  0TCAACTVT
  ZIFCM004
  ZIFCM014
  0TCAACTVT = '03'
  AND ZIFCM004 LIKE *
  AND ZIFCM014 LIKE *
  Characteristic  Content in SQL Format 
  0TCAACTVT  I EQ 03
  ZIFCM004  I EQ $Z1PME009
  ZIFCM014  I EQ $Z1PME004
  Partially or Fully Authorized (Intersection)   Characteristic  Content in SQL Format 
  0TCAACTVT
  ZIFCM004
  ZIFCM014
  NOT ZIFCM004 IN ('0012','0015')
  AND 0TCAACTVT = '03'
  OR ZIFCM004 IN ('0012','0015')
  AND NOT ZIFCM014 IN ('00000000000000012100','00000000000000012300')
  AND 0TCAACTVT = '03'
  Value selection partially authorized. Check of remainder at end
  Following Set Is Checked  Comparison with Following Authorized Set  Result  Remaining Set 
  Characteristic  Content in SQL Format 
  0TCAACTVT
  ZIFCM004
  ZIFCM014
  NOT ZIFCM004 IN ('0012','0015')
  AND 0TCAACTVT = '03'
  OR ZIFCM004 IN ('0012','0015')
  AND NOT ZIFCM014 IN ('00000000000000012100','00000000000000012300')
  AND 0TCAACTVT = '03'
  Characteristic  Content in SQL Format 
  0TCAACTVT  I EQ 03
  ZIFCM004  I EQ $Z1PME009
  ZIFCM014  I EQ $Z1PME004
  Not Authorized   
  What i don´t really understand is why the user doesn´t get any authorization only for the values subset for which he is authorized for. Is that normal according to your experience?
  How can we get rid of it obtaining that for such selection the user gets authorizations for the subset?
  Thanks in advance
  Best regards
  Enrico
  Edited by: Dottblabla on May 3, 2010 12:13 PM

  Hi,
  thank you both for the answers.
  Since the user is authorized for some certain values rappresenting a subset of * (all values) I dont really understand why he receives an error message as if he hasn´t any authorization at all. According to my logic, a partial dispaly of the data should be possible.. according to my logic, I repeat
  Using a mandatory variable would force the user to give a value. The problem is that we have users who are authorized for a large number of costcenters. In this case the best solution would be to define the mandatory variable as a selection option, allowing the user to define intervals of values as well. BUT in this case we would have the same problem described above as soon as the user pick up an interval of values containing also single costcenters for which he has no authorization. I hope, it is clear what i mean.
  Using an Authorization variable has the only charme that we get a kind of preselection of values. If the user wants to modify the selection and to define an interval, then we face the same issue again.
  It seems to me that BW Authorization concept doesn´t work with "subset" of values. Am i right? Any suggestion?
  Best regards
  Enrico

• BW-BPS and new analysis authorization concept

  We are using BW-BPS on Netweaver 2004s SP8 and the new autorization concept is switched on.
  Where do we need to pay attention?
  Which authorization objects stay the same and which are now to be maintained in analysis authorizations?
  Thanks for your suggestions.
  Anja

  In NW04S, BPS and BI IP share the same new authorization concept so you tend to have to rebuild specific profiles used for BPS.   The old BW-BPS tend to have authorization for R_* and they need to be redone using the new authorization concept and it can take some time if you have a lot of profiles.

• Problem wih analysis authorization for two scenarios on same data provider

  Dear all,
  I am looking for a solution on the following authorization scenario (using the new analysis authorization). Unfortunately everything that I tried did not work out as expected:
  User A is allowed to manually access query 1 (based on cube A) with authorization on all sites A-Z
  The same user A shall get an email distribution automatically (derivation of the filter in the query out of the authorization) for query 2, which is as well based on cube A, but this time the authorization shall be limited only to site A.
  As both queries are based on the same infoobject (0PLANT) and the same infoprovider (0TCAIPROV) I always get the result for all sites A-Z. The 0TCAACTVT is in both cases 03 (display), so I have no chance to distinguish between reporting and email distribution.
  Probably the only chance would be to derive the values for the email distribution scenario not from the authorization directly, but using a customer exit to fill the filter - but I would prefer a "standard" solution...
  Any ideas??
  Thanks,
  Andreas

  Dear Andreas,
  Before give you an alternative for you problem, Iu2019d like to comment the combining authorization concept:
  http://help.sap.com/saphelp_nw70/helpdata/EN/46/98cd87f37d19ace10000000a11466f/frameset.htm
  For this reason I suggest you which combing restriction through authorization and query filter. For query 2 try to use in 0PLANT characteristic the single value u201Csite Au201D, this restriction give you only authorization for see this value.
  Otherwise, you have to use customer exit.
  I hope that alternative help you to find a solution,
  Luis

• Standard authorization concept versus analysis authorizations

  Hi
  I am bit confused about the necessity of maintaining both.
  Example:
  I have designed an analysis authorizations for CO (Controlling), named CO_001:
  InfoProvider: 0COOM_C02
  Thereafter I have put the authorization object S_RS_AUTH into a role (standard authorization object) with CO_001 as value in BIAUTH.
  Is there still a need to maintain authorization objects for Business Explorer or Business Planning, like:
  S_RS_COMP (limiting to the InfoProvider mentioned in the analysis authorization)
  S_RS_PLSE (limiting to a special aggregation level of the appropriate InfoProvider mentioned in the analysis authorization)
  What happens when there is no limitations maintained in the role for these auth objects, "*"?
  Which concepts dominates the other one?
  Thanks
  BEO

  Hi BEOplanet,
  S_RS_COMP will give you access to the Infoprovidor in BEx so this will be access level security.
  Then Analysis authorization will give you the data level security within the infoprovidor (like what data you can see within the infoprovidor)
  There fore you need to maintain both S_RS_COMP and Analysis Authorizations.
  To your question ,if you have maintained the cube 0COOM_C02 in Analysis Authorization and S_RS_COMP has only 0PA_01 then the Query will fail since you dont have access to the cube 0COOM_C02 in S_RS_COMP.
  Regards,
  Karthik.

• Problem with analysis authorization- 0BI_ALL always needed

  Dear all:
  we have a serious issue on so-called "analysis authorization" now. We have auth-restricted user who only have authorization to access data on one company code. We also create a BI-authorization in analysis authorization and assign the following auth-relevant object to this authorization-
  0TCAACTVT = 01-03
  0TCAIPROV = ALL
  0TCAVALID = ALL
  0TCAKYFNM = ALL
  0COMP_CODE = A001
  And we create one query with only company code and number of employee in the row and column. But everytime we execute this query, there s always message" No Authorization". We used ST01 to trace and the result shows we need to have "0BI_ALL" in auth object S_RS_AUTH. If we added 0BI_ALL, all company code data will display, which definitely no auth restriction at all. Is there any specific authorization setting we need to do?
  We are stuck here pretty bad. Thank you all in advance if any input.
  BR
  SF

  Hi,
  I guess the Authorization profile is active , and in the Tcode PFCG -> Role name -> User tab page ( user comparision is done ).
  Check if any of the tab page shows red light .
  And assignment of 0BI_ALL is not a solution , as any user can do anything in the system.
  Also do not forget to log - off and log-in into system after changing into any of the authorization profile to see changes that had happened.
  Hope that helps.
  Regards
  Mr Kapadia
  Assigning points is the way to say thanks in SDN.

• HT4913 New computer authorization problem

  I have 3 authorized computers with my Apple ID.  Want to authorize a new computer for iTunes Match but when I click "authorize" and then sign into my itunes account, I get a new warning saying, "You cannot authorize more than 5 computers...".  Checked my account, and confirmed that I only have 3 authorized devices.  Have logged out, waited for next day, and tried to authorized again the new computer and still gives me the same problem that I already have 5 devices authorized!!!
  Any insights?
  Thanks

  hi Shelsta!
  your issue is beyond my competence to fix ... but i did some asking around on your problem. it's plausible that you might have accidentally ended up creating two different ITMS accounts.
  whatever the underlying cause of the problem, it's worth emailing ITMS Customer Support and outlining your situation to them. there's a contact form at the bottom of this FAQ:
  iTunes Music Store Customer Service: authorizing your computer
  love, b

• Concept of Analysis Authorization

  Hi experts,
    I am wonderous about the concept of analysis authorization. I have one infoobject Z_COMPANY that contains the following data:
  XXXX
  YYYY
  ZZZZ
    User A is granted an authorization to view only the company XXXX.
  In the authroization dimension, I maintained the following data.
  Z_COMPANY  : I  EQ  XXXX
  (I also maintain other special authorization with full authorization)
  <b>  The question is that which scenario will happen if this user runs the query created from this infoobject Z_COMPANY.
  1) The user will see only the company XXXX (other companies YYYY, ZZZZ are hiden)
  2) The user will see the message (You do have sufficient authorization)</b>

  Hi,
  If you use Authorization variables in the query defination .Then the user will see see only the company XXXX.
  If you donot use Authorization variables in the query defination .Then the user will see the message (You do have sufficient authorization) 
  See the Explannation given under <i>Features </i>heading in the below link:
  http://help.sap.com/saphelp_nw2004s/helpdata/en/66/019441b8972e7be10000000a1550b0/frameset.htm
  With rgds,
  Anil Kumar Sharma .P
  Message was edited by:
          Anil Kumar Sharma

• HT5312 I cannot authorize my new Macbook Pro, I can't deauthorize my old computer; I don't have the authorize/deauthorize button on my account. I created a new Apple ID hoping this would fix the problem, but didn't realize I now do not have access to my m

  So, I bought a new Macbook Pro which i cannot authorize my itunes for. I don't even have the button indicated in the support section to authorize or deauthorize. I only have one device authorized to my account. I cant remember my security questions and cannot figure out how to change them; I think this might be the reason why i can't authorize my new device. The only way to access my itunes from my Mac is to have my iphone plugged in. Someone please help! I am a complete tard and would like to avoid a trip to the actual Apple store.

  Call Apple Care for your country and request that they assist you in resetting the security questions.
  To authorize/deauthorize a computer, go to the Store dropdown menu in the iTunes app.

• Analysis Authorization based on Hier node with multiple display hierarchies

  Hi guys - I've got a problem where s.o. might have an idea of how to switch on the light at the end of the tunnel, I am currently standing in:
  Requirement:
  Cost Center Authorization should be given through RSECADMIN, reporting should be possible for any hierarchy that exists for the authorization relevant info object.
  Preferred solution:
  The Cost Center Analysis Authorization should be given through RSECADMIN - Hierarchy node assignment.
  u2022     A dedicated Authorization Cost Center Hierarchy will be maintained in ECC6 as an alternative cost center hierarchy and extracted into BW.
  u2022     The RSECADMIN Hierarchy node assignment should be based on a particular node (Type 2).
  u2022     The display level will be specified as required (here: Level 7)
  u2022     The Authorization granted should be independent of hierarchy name and version (validity 3).
  Reporting Scenario and technical impact:
  As mentioned above, when designing and running a query the user should be able to freely select other (i.e. than the authorization) display hierarchies for the authorization relevant reporting object 'Cost Center' as well. The technical names of the semantically relevant hierarchy nodes could therefore vary. E.g. cost centers 1, 2 and 3, being assigned under hierarchy node u2018Au2019 of the RSECADMIN relevant authorization hierarchy, could be subsumed by hierarchy node u2018Bu2019 in another display hierarchy, which the user may want to display in accordance to his reporting needs. Ideally, the alternative display hierarchy should therefore display node u2018Bu2019.
  My findings so far (based on prototyping) turn out that this is not possible as long u2018Bu2019 (and its hierarchy) is not authorized in RSECADMIN. Can these findings be confirmed? And if not, would anyone have an idea of how to facilitate the reporting scenario?
  Would there be any other way to grant access, possibly based on RSECADMIN single values, and also enable the user to flexibly display hierarchies with only those hierarchy nodes whose single cost center values the user has been given access to?
  Thanks everyone for your input...
  Claus
  Edited by: Claus64 on Jul 13, 2009 4:10 AM

  HI CLause,
  On Jul 14 2009, you wrote in SDN and said:
  FYI: Found a solution...
  The hierarchy analysis authorization will be based on a navigational attribute of cost center.
  With analysis authorizations it is possible to declare the Auth object (e.g. 0COSTCENTER__RACCAUT0) as authorization relevant and leave the superior object 0COSTCENTER auth irrelevant.
  The auth will be given for 0COSTCENTER__RACCAUT0. This object will be placed as a filter of the query, being restricted by an Authorization variable for hierarchy nodes.
  Due to the concept of Analysis Authorizations, this variable will automatically pick up the nodes granted as part of RSECADMIN Hierarchy based Authorization.
  As mentioned above, 0COSTCENTER as the regular reporting characteristic remains auth irrelevant and can therefore take any hierarchy thatu2019s available. Reporting on single values will be possible, too. Only those nodes show up that hold the authorized cost centers in accordance to the authorization.
  If the auth relevant 0COSTCENTER__RACCAUT0 is not used in the query definition by either not taking it in as a filter or skipping the Auth variable, the query will launch the message that the authorization is missing. No data show up at all.
  Claus
  See this thread:
  Analysis Authorization based on Hier node with multiple display hierarchies
  I am also in the same situation as you and need to understadn your solution. I understand that you created a Nav Attr on 0COSTCENTER and made this auth relevant whilst ensuring that 0COSTCENTER is NOT auth relevant. This is all fine. The issue was you have multiple hierachies for 0COSTCENTER, how did the new Nav Attr help you solve your issue. When loading 0COSTCENTER what values did you load ino the new Nav Attribute and how did that link to the hierachies? Also, in RSECADMIN you created hiearchy nodes based on the Nav Attribute but I am confused as to what values you have in the Nav Attr.
  I appreciate if you can share your solution from the past in more details.
  many thanks

• Analysis Authorization and Query

  Hi everybody,
  while studying the new analysis authorization concept in BI7 I tested a little bit around. I was wondering how I can realize the following scenario:
  A user should see "0VERSION" "2" and "0DIVISION" "01" as well as "0VERSION" "5" and "0DIVISION" "02" while executing the query with BEx Analyzer.
  Am I right that I have to create two analysis authorizations?  How do I have to model the query? I always get the message that my testuser does not have enough authority.
  Thanks for your suggestions.

  Hi Anja,
  Did you ever get a resolution to the question you asked.  I am facing the same scenario now where i want to restrict a user to seeing seeing the following:
  user must see:
  Division = 001 and Area = A
  Division = 002 and Area = B
  But he must not see Division 001, Area B for example
  Creating the analysis authorizations is not a problem, the problem is modelling the query to return this result.  I always get no results due to lack of authorization as the authorization variables try to return All Division "001" and "002" and All "A" and "B"
  As i see it, you cannot model the query to return the required result.  What would be ideal is if the query would only return what the user is authorized to, rather than returning nothing and giving an auth error.
  Thanks
  Gavin

• Analysis Authorization In Dev and impact of reports and roles in prod trans

  Hello,
  We are planning to switch to analysis authorization. We plan to make that change first in Dev and we were wondering what would be the impact on roles and reports we transport from dev (which is switched to Analysis Authorization) to production( on Old authirization) ? We wont transport new things to production till we switch to new auth in Prd.
  Thanks a lot,
  BP.

  Hello
  Even if you are transporting the roles from dev to quality and production, the analysis authorization objects will not be checked until you set "current procedure..." in RSCUSTV23.
  So there is no harm in transporting the roles and auhotrization until you change the concept to analysis.
  regards,
  Payal

• Analysis Authorization Object not working

  Hi Gurus,
  I m working on BI 7.0, I have created an analysis authorization object zz_div for 0DIVISION characteristic.
  For a given report i want a given user to view only data for '32' and '33' 0DIVISION.
  I have followed the below steps but still the report shows all data instead of restricted one.
  1)RSECADMIN -> Maintenance ->zz_div ->Create
  2) Add 0DIVISION in Auth structure , and in details 
  I     EQ     32
  I     EQ     33
  3) Add 0TCAIPROV with I     EQ     0SD_C03
  4) Add 0TCAACTVT, 0TCAKYFNM, 0TCAVALID,  this having details as
  I     CP     *
  5) Then in User tab -> Assignment -> User -> Change-> Inserted ZZ_DIV-> Save
  6) In Query created a Authorization variable(with no input prompt) and restricted 0DIVISION.
  Following are the authorization object in that user's Role (Reporting Only)
  S_RFC 
  S_TCODE
  S_GUI
  S_BDS_D  
  S_BDS_DS 
  S_OC_SEND
  S_RS_AUTH - only having zz_div
  S_RS_COMP
  S_RS_COMP1
  S_RS_ICUBE
  S_RS_RSTT
  S_RS_TOOLS
  S_RS_PARAM
  I have surfed lots of thread for this issue but not getting a solution
  Tell me what i m missing in above or any additional setting need before creating analysis authorization
  Edited by: Sonal Patel on Apr 18, 2009 8:10 AM

  Hi
  Thanks a Ton for ur reply
  I have checked in SPRO : Analysis Authorization
  where the authorization mode is " OLD obsolete Concept With RSR  Authorization Objects "
  We have to do the same in Production system .Can u please how its going to effect to others authorizations if change it to New Concept
  Thanks
  Sonal....

• Analysis Authorization not working - Empty demarcation

  Can someone help me on this Analysis Authorization? I read many threads in SDN, it seems that I followed the correct steps. The restriction on S_RS_COMP is working well but the restriction on the Analysis Authorization is not working. Surely I'm making some mistake, but can't find what's wrong.
  I'm a User (say USER_00) in a test system, assigned to a Role (say Z:BI_USER). This is a broad role:
  - S_RS_COMP and S_RS_COMP1 have full authorization (*) to all the fields,
  - S_RS_AUTH has the BIAUTH field with Name of Authorization = *.
  Also I have an InfoArea (ZIA_TEST) and an InfoCube (ZIC_TEST). The IC has some characteristics and key figures. The only authorization relevant characteristic is ZCA_CLI (client). The IC has only 5 lines, one for each client ("CLI_01" to "CLI_05").
  Also there's a query (ZQR_TEST) on this IC, with an Authorization Variable (VAR_AUTH_CLI) restricting the characteristic ZCA_CLI.
  I'm trying to create a new User and restrict him to this IC and only to the data of client "CLI_01". If it works I'll apply to a production system.
  What I did:
  1) With tcode SU01 created a new User (USER_01) with no Role neither Analysis Authorization.
  2) With tcode PFCG copied the Role Z:BI_USER as Z:ROLE_TEST then made some changes:
  a) S_RS_COMP
  - Activity = 03 and 16
  - InfoArea = ZIA_TEST
  - InfoCube = ZIC_TEST
  - Type of report component = *
  - Name of report component = *.
  b) S_RS_COMP1
  - Kept * to all fields.
  c) S_RS_AUTH
  - I inactivated and deleted this Authorization Object.
  (I don't want to keep characteristic values restriction inside the role. The idea is to associate different users to the same role, allowing them to see the same ICs and execute the same queries. And differentiate wich characteristic values each one can see by manually associating different analysis authorization to each one.).
  3) With tcode RSECAUTH I created an Analysis Authorization (Z_AA_CLI_01) to restrict access only to client "CLI_01":
  - ZCA_CLI = "CLI_01"
  - 0TCAACTVT = "03"
  - 0TCAIPROV = "ZIC_TEST"
  - 0TCAVALID = "*".
  4) With tcode PFCG I assigned User "USER_01" to the Role " Z:ROLE_TEST" and made Complete Comparison.
  5) With tcode RSU01 I manually assigned Analysis Authorization " Z_AA_CLI_01" to User "USER_01".
  It seems to me that these steps are enough. But:
  a) When I log as USER_00 and go to tcode RSRT2, searching by InfoAreas I can see all the InfoAreas and all the InfoCubes, select and execute the query. That's OK.
  b) When I log as USER_01 and go to RSRT2, searching by InfoAreas I can see only ZIA_TEST and under it I can see only ZIC_TEST. That's OK. Then I select and execute the query.
  Wich means that S_RS_COMP is OK and each user is assigned to the correct Role.
  c) The problem is that in both cases the query brings data from all Clients.
  Under Information and Variable Values (when I run with HTML display) the message is "Empty demarcation".
  I changed the variable to be Ready for Input, just to see wich values it brings. In both cases (as USER_00 and as USER_01) in the Variable Screen it brings all the 5 Clients from the IC and I can select and execute any value.
  So the problem is with the Analysis Authorization or with the Variable, but I can't find what's wrong.
  Any help will be very appreciated.
  César

  OK Marc, it worked.
  Sorry for not answering earlier, but I could get back to this front only some days ago, then began testing your suggestions.
  1) Security Concept
  Authorization Mode was set to "Obsolete Concept with RSR Authorization Objects" (it would never work with this setting).
  I changed to "Current Procedure with Analysis Authorizations".
  Anyway, what's the function of this setting? Do old Reporting Authorizations work with "Current Procedure with Analysis Authorizations" setting?
  2) Variable Representation
  With "Multiple Single Values" it really led to problems.
  With "Selection Option" it worked well.
  3) 0TCAKYFNM
  I don't understand why, but if the AA doesn't have the char/dimension 0TCAKYFNM, when the User tries to run the query (tcode RSRT2) it accuses "You do not have sufficient authorization".
  Info Cube ZIC_VE95 has two KFs (ZKF_QTL95 and ZKF_VLT95). These KFs are used only on this IC (also in the KF Catalog, but it doesn't impact). This IC is used only on Query ZQR_VE95 (also in Transformation and DTP, wich doesn't impact).
  Well, I inserted 0TCAKYFNM and it worked, either with CP, "*" or with EQ, the two KFs.
  4) Authorization Policy Definition
  The situation I'm working on is very typical. Ex.: Some users are Administrators, Managers, Operator 1, Operator 2 and so on. Each Role needs authorization to access some queries. At the same time, they can access information only of the Cost Centers to wich they are related.
  There are many ways to implement it (I tested some of them and they worked well). My point is to define a most practical way, easy to understand and to maintain.
  I'm now sympathetic to this way:
  a) Create functional Roles (ex.: "Administrator", "Manager", "Operator 1", "Operator 2" and so on) defining only the Queries (or Info Areas, Info Providers, etc) each Role needs. No S_RS_AUTH definition.
  b) Create Char Value Roles (ex.: "CC_100_to_199", "CC_200_to_299", etc), only with S_RS_AUTH definition, each one associated with a corresponding AA (ex.: AA for CC 100 to 199, AA for CC 200 to 299 and so on).
  c) Create Composite Roles associating functional and char value Roles. Ex. Composite Role "Administrator for CC 100 to 199", composed of the Roles "Administrator" and "CC_100_to_199".
  d) Associate Users to the Composite Roles.
  Anyway, I'd appreciate if you could indicate some literature (blogs, articles, etc) on this theme.
  Well, thank you very much for your answers. Now I can go on with my studies on this subject.
  César Menezes