Analysis Authorization (Role, Profile and Direct Assignments)

<b>Analysis Authorization Question:</b>
1)     In BW 3.x environment, customers have used Role Maintenance Process to assign proper object level security and then assign to the users.
2)     Most of the places R/3 security team takes over support/administration function of BI Security and they continue to use Role method to assign “Reporting Authorizations” as per the process defined in BW 3.x system.
3)     Customer sometime have 100 + Roles to have 3.X “Reporting Authorizations”. This is Managed, assigned, approved using role concept.
<b>
Migration Options:</b>
1)     New Analysis Authorization makes process of Role Maintenance like "hierarchy authorizations" of BW 3.x. You have to create Value in other transactions and assign them in Role as a pointer or link object. With Analysis Authorization concept, Actual value of the Object Assigned “Like Company code 1100” not visible in Role Maintenance PFCG transactions. It is only visible in Transaction code RSECADMIN.
2)     Analysis Migration Tool - RSEC_MIGRATION does not update “ROLES”. It creates or changes “PROFILES”.
3)     Profiles are assigned to the users and Roles does not reflect any Impact by Analysis Authorization migration.
<b>Questions</b>
a)     This means customer need to update all the roles by hand. If they want to use Roles to manage the assignment of the Security to users. Migration Tool does not update Roles, it only updates PROFILES.
b)     Does any one use direct assignment to Users? It is good business practice?
c) Is <b>Profiles</b> recommended method of Authorization Maintenance?
d) Can we run migration tool to create Analysis Authorizations, but not assign to the users as a Profile. But stop at creating Analysis Authorizations. If Customer wants to use Roles maintenance process then, they can do not have delete profile assignments from all users before updating Roles using Analysis Authorizations.
Just want to check how other folks have done migration that can be supported going forward.
Pankaj Gupta

Hey Pankaj,
In general, assigning the analysis authorization directly to user makes a lot of sense for granular levels of authorization. For example, if you had 3,000 users, 3,000 specific authorization combinations, and 3,000 roles, using roles is a lot of additional overhead. If you had 12 roles and 3,000 users, your role concept makes a lot of sense.
Therefore, the recommendation is that it varies on what makes the most sense logically. Authorization groups can be created to group analysis authorizations and combine them. Also, you have the ability to generate analysis authorizations using the Content Datastores for this. That is an option as well.
RSEC_MIGRATION does use profiles as you've stated. If you want, there would be manual work to convert to roles afterwards. In case you haven't seen Marc's presentation on security, it's pretty good and covers how to generate authorizations from the datastore.
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/media/uuid/ac7d7c27-0a01-0010-d5a9-9cb9ddcb6bce

Similar Messages

  • Comparison of analysis authorization roles ?

    Hello Experts,
    I am using BI7.0 new analysis authorization concept.
    I know how to compare pfcg role across systems but does anybody know how we can compare analysis authorization roles across systems?
    Thanks and Regards
    Imran

    Hi,
    Easy comparison of roles (PFUD):
    Many times the Role Comparison (Profile match up) is required after the transport of roles. One usually does it from PFCG for each role individually. For a quick solution to this problem, use transaction code PFUD.
    Please check the below link :
    http://help.sap.com/saphelp_bw21c/helpdata/en/5c/deaa7dd3d411d3970a0000e82de14a/content.htm
    http://help.sap.com/saphelp_nw04/Helpdata/EN/5c/deaa7dd3d411d3970a0000e82de14a/content.htm
    http://help.sap.com/saphelp_nw70/helpdata/EN/c1/db3fc2fd3111d5997a00508b6b8b11/content.htm
    http://help.sap.com/saphelp_mic10/helpdata/en/69/1810a4c51144dc833353183155ec88/content.htm
    Regards
    Sreedhar Reddy

  • Authorization,roles,profiles

    i want to know how authorization and roles and profiles will be created...
    and the hirearchy of above 3 (authorization,roles,profiles)
    can anyone help me in getting the documens

    Hi,
    The common used t-code for the above is
    PFCG to create the Role.Here we can assign the role to user also.
    You can see the same in SU01 t-code.
    IN PFCG we create the role and it will ask for profile name.
    Basically it contain the  authorization object.
    In BW we hade rssm t-code,now we have RSECADMIN in BI.
    RSECADMIN is basically used to create the auth object.
    For Example: If you want to restrict the user to see their
    company code data then you need to crete auth object for company code
    and give access to user according to therir requirement ie
    you need to add this auth object to their respetive role.
    Thanks,
    Saveen Kumar
    Edited by: saveen kumar on Jan 10, 2011 7:47 AM

  • How to upload authorization role & profile to PFCG

    I have downlaod the authorization role & profile from PFCG at client 100.
    How to upload the authorization role & profile to SAP client 200?

    check with ur basis guys once
    generally it will be dont by them check with them once

  • Analysis Authorization In Dev and impact of reports and roles in prod trans

    Hello,
    We are planning to switch to analysis authorization. We plan to make that change first in Dev and we were wondering what would be the impact on roles and reports we transport from dev (which is switched to Analysis Authorization) to production( on Old authirization) ? We wont transport new things to production till we switch to new auth in Prd.
    Thanks a lot,
    BP.

    Hello
    Even if you are transporting the roles from dev to quality and production, the analysis authorization objects will not be checked until you set "current procedure..." in RSCUSTV23.
    So there is no harm in transporting the roles and auhotrization until you change the concept to analysis.
    regards,
    Payal

  • Structural authorization : role, profile, user group

    Dear All,
    I am working in OM in Structural authorization, can anyone tell me difference among Roles, profile, user group.
    I am mainly concerned with roles and profiles, What exactly is role and what is profile.
    Pl give me practical example....
    Regards,
    Kumar

    Hi kumar,
    Roles: It is divided in to single role and Composite Role. It is used to maintain your list of allowed transactions and reports as a menu. Once you assigned this role to the user, he / she can access only those transactions, what you maintained in the menu.
    Profile: It is based on the authorization object. Unless untill, you generate the profile, the system will not consider the authorization for the assigned menu. You can provide the authorization based on various objects like infotype, transaction code, master record, org key,..
    User Group: Used to set the unique set of rules for the specific user. How system should react in case of specific user group.
    Good Luck
    Om
    Reward it, if u feel helpful.

  • Hierarchy Analysis Authorization in BW and BOBJ Webi Report

    Hello,
    We have a scenario wherein we have implemented Analysis Authorizations (Hierarchy) on Organizational Unit info object (0ORGUNIT) and need to report on BOBJ WEBI. Our scenario is as following
    ORGUNIT    - L0 (Overall Enterprise Level)     
    -     L1 (Enterprise - Continent Wise Split)
    -     L2 (Enterprise u2013 Country Wise Split)
    -     L3(Enterprise u2013 City Wise Split)
    E.G- 
          LO (Company ABC) MANAGER 0 will have access to the entire organization
               -L1 (ASIA) MANAGER1 will have access to ASIAN Subcontinent
                      -L2 (India) MANAGER 2 will have Access to country India
                                -L3 (New Delhi) MANAGER 2.1 will have access to city Delhi
                                -L3 (Mumbai) MANAGER 2.2 will have access to city Mumbai
                       -L2 (Malaysia) MANAGER 3 will have access to Country Malaysia
                                  -L3 (Kuala Lampur)
                                  -L3 (pahang)
                 - L1 (Europe)
                                            u2026..
    The requirement is that the CEO of the company should be able to see the entire set of data ( L0-L4).We have continent managers who can see that data specific to their continent, similarly at L3 Level the city manageru2019s should see the data only for their specific city.
    In BI we have used analysis authorization based on hierarchies. We have created an authorization object say ZAUTH1 and have assigned the hierarchy L0 from RSECADMIN. Now, in Webi when we create a report a sample row comes as :
    L0 Org Unit     L1 Org Unit     L2 Org Unit     L3 Org Unit     SALES Key Figure
    Company ABC     Asia          India          Mumbai          1000
    Now, we have MANAGER 2.2 who has only access to the data specific to his city (Mumbai). There is an Analysis Authorization object created for him ZAUTH2, by ONLY assigning the org unit hierarchy L3 (for Mumbai). When we run the bex report with the user MANAGER 2.2 u2013 it correctly displays the result and the user is only able to see the data for L3 Org Unit (Mumbai). However when you bring this data to Webi u2013 the report comes in the below format:
    L0 Org Unit     L1 Org Unit     L2 Org Unit     L3 Org Unit     SALES Key Figure
    Mumbai                                           1000
    The L3 org unit has now got assigned to L0 Org unit , as this is the only org unit assigned to the MANAGER 2.2 user .
    In such a case we are not able to write any generic formulae for the report. Is there a way to correct this issue? u2018Mumbaiu2019 should either get assigned to the L3 OrgUnit column is webi report , or is there a workaround that is possible ?
    Thanks and Best Regards,
    Vj

    Hi Vijay,
    The problem you speak of is known and comes from the fact that the hierachy is flattened in the process of delivering it to WebI. Therefore there is no real 'solution' to the problem, just some work-arounds you can think of...
    1)
    Create a report variable that starts looking at the lowest level, if it is empty check one up, and so on until you found what you were looking for (the lowest leaf available), which by definition must be there (even if it is top level).
    Using similar logic you can also get a 'number of levels avaible' and so fill in the complete tree (duplicating the highest level).
    This is difficult to explain when end users create their own reports, though you could provide a template report with these variables in there already.
    2)
    Extend the hierarchy with duplicates below the lowest level.
    So i.e. L0 Company - L1 Continent - L2 Country - L3 City- L4 City - L5 City- L6 City.
    This will give back on the four levels for top authorization
    L0 Company - L1 Continent - L2 Country - L3 City
    For authorization on Continent:
    L0 Continent - L1 Country - L2 City- L3 City
    For autorization City
    L0 City- L1 City - L2 City- L3 City
    So in all situations the fourth level, the L3 Object will hold the City level.
    This you can then use in your report.
    Hope this helps,
    Marianne

  • Differences between authorization role display and display change document?

    Dear All,
    I want to know what are the differences between activity authorization between display and display document change?
    Regards
    Aishah

    Dear Mr Robert,
    thanks for replying me. actually, it is to prevent user from other dept to change the PO even print/message. when i check inside authorization the configuration is only for their own dept by putting dept code at pur org field of change. but still can change. it is because of the me22 layout screen?

  • BW BEX Queries and Analysis Authorizations

    Hello....
    Have an opportunity with BW BEX queries and Analysis Authorization...would like to see if anyone has had the same experience and if so is there a answer....
    1) given a query....
    2) given a analysis authorization with a info-object that has intervals defined to be both single values and ranged values
    the following happens...
    after the query is fired the starter screen appears...the info-object in question appears with the defined single values only....if....the window is opened....again only the single values appear...the range values do not appear...once the query is executed the only results given are those for the single values...
    also if you re-fire the query and manually enter a valid value for the info-object that falls with-in any of the range values no result is given...even if there is data for it....the reponse given is no data found....
    NOW...if the single values, for the given info-object, are removed from the Analysis Authoriization then the range values appear and work....
    Is this a problem within in the query...or...is this a "feature" of the query...and thus must be "lived" with...
    Terry
    PS...this problem currently only happens if the window for the info-object allows for multi-selection....this problem does not occurr when the window only allows for one selection...

    Hi,
    This is a known problem with analysis authorization and multi selection IO selection criteria.
    When you define the analysis authorization with ranges and when you try to enter single values on the selection critera of the query, then the system shows zero data.
    You can run the query without entering any selection values for the IO in question only.
    I have tried several combinations and still encountering the same issue.
    Ravi

  • Comparing analysis authorization

    Hello BI fans,
    is there any tool or transaction to compare 2 analysis authorizations?
    Maybe similar to transaction S_BCE_68001777 (comparisons of roles).
    I have to compare many analysis authorization. And it takes a long time to double click on every characteristic of the analysis authorization to check the values.
    Thanks in advance!

    Hello,
    There is no special transaction/report to compare authorisations. The best option available is described in the last 2 posts of this thread:
    Comparison of analysis authorization roles ?
    Regards,
    Michael

  • BI analysis authorization - Same info provider- diffrent access ?

    Hi Gurus,
    Designation of roles:
    1. User is having two PFCG roles (A1 & B1) assigned.
    2. Role A1 contains query name ZQRYA1 & Role B1 contains query name ZQRYB1
    3. Role A1 is linked to analysis authrozation role AR1 and Role B1 is linked to analysis auth. role BR1 (thorugh S_RS_AUTH)
    4. AR1 is having access to Company code 1000 & info proivder is ZIC_COPA
    5. BR1 is having access to Company code 2000 & info provider is same ZIC_COPA.
    Requirement :
    When user is executing ZQRYA1, he should see only 1000 company code.
    Result:
    With above design user is able to see 1000 & 2000 company code data for ZQRYA1.
    My analysis:
    1. We should use Customer exit in the Query. (SAP note referred  668520).
      2. As per SAP note 1000004 (Merging and optimizing analysis authorizations), I understand that if same info provider is there then BI analysis auth. will merge the values.
    Please correct me if I understand something wrong. Also suggest how can implement role so that values will not merge.

    Hi experts,
    I am getting confused now.
    As pe rmy practical experience for same info-proivder BI AA will merge the values. Even i got same response in SDN forums.
    But when I raised this issue to SAP (OSS message), SAP says this issue should resolve by applying SAP notes through SNOTE..
    1138708     Unauthorized data is displayed: "Not assigned" (#)     
    1158432     Too many values authorized for hierarchy with intervals     
    1234334     Authorization error for query on InfoSet     
    1229602     Error when using hierarchies: Authorization error     
    1226163     Authorization variables in workbook     
    1000004      Merging and optimizing analysis authorizations
    1150754     Authorizations for InfoSet chars. ignored in input help     
    1235049     F4 help: Unauthorized data for referencing characteristic     
    I have gone through notes but did not find relevant, but still SAP replied it should resolve the issues.
    Please suggest.

  • Analysis Authorization mass maintenance

    Hi All,
    During the migration, due to Complexity of our complex BW 3.5 authorization setup we are end up in BI 7 New Design where we have to maintain new Cube to more than 150 Analysis Authorizations each time when we have new Cubes comes.
    Do you guys know any method where you can update the new cube to large no of Analysis Authorization (for ex 150) instead of doing manually? Due to complexity of the old design itu2019s very difficult for us to change the new design.
    Looking forward for expert opinion.
    BR,
    Deepak

    Hi,
    As per my knowledge, it is always recommended to maintain the Analysis authorizations individually. However, you may refer the below thread:
    Analysis Authorization Mass Maintenance
    and also the below link:
    http://help.sap.com/saphelp_nw73/helpdata/en/c4/057a2de519451faf1819dba4092887/content.htm
    Hope this helps!!
    Rgds,
    Raghu

  • Run a workflow with a low security role profile

    Hello,
    I created a workflow that is sending an email to the administrator when a certain action has to be done. To make sure this workflow has actually been running, I ended it with a step that update a two option field as 'Email sent'. 
    I would like to lock this field for users because I only want them to read it but not change its data. So I enabled security role. 
    The problem is that since I made that, the workflow cannot be run because users don't have the security role to change this field. 
    I found out while browsing thrgough the internet that I had to check 'Execute as the owner of the workflow', but this didn't help. 
    So does anyone has a response to my problem or another way to manage it? A solution that does not involve any code because I'm not working in IT at all, we're a small company and so I'm a salesman. 
    Thanks for your help.
    Sylvain

    Hi,
         Create these 2 fields as non-searchable fields so users cannot search them.  If the user does not need to change these fields, make the fields read-only on the form. There is no need to use security role profile and play with
    security roles for this.
    Hope this helps.
    Minal Dahiya
    blog : http://minaldahiya.blogspot.com.au/
    If this post answers your question, please click "Mark As Answer" on the post and "Vote as Helpful"

  • Transport roles and analysis authorization with user assigned

    Hi expert,
    I face with this problem transport roles and analysis authorization with user assigned. When I have created a transport request to move the roles and analysis authorization from development system to test system. I couldnu2019t maintain the user assigned, after transport I have to assigned manually all of user or create a program to fill AGR_USER table or there are other way.
    Thanks for your time,
    Luis

    Hi,
    In role administration, you have the following options for transporting roles:
    You can download the roles from one system and upload them into another  
    You can import the role from a remote system using RFC  
    You can transport the roles with the transport function.
    Role upload loads all role data, including authorization data from a file into the SAP system. The user assignments for the role and the generated profiles for the role are exceptions in this case.
    Transporting Roles with the Role Transport Function
           1.      Start the role administration function by choosing Tools ® Administration ® User Maintenance ® Role Administration ® Roles (transaction PFCG).
           2.      Enter the role to be transported and choose Transport Role.
    The Mass Transport of Roles screen appears. You can control the default settings for the options Also transport single roles for composite roles and Also transport generated profiles for roles using Customizing switches (see Role Administration Functions in the section Functions of the Utilities Menu).
    You should not change the authorizations profiles of the role after you have included the role in a transport request. If you need to change the profiles or generate them for the first time, transport the entire role again afterwards.
    For more information go thrpugh the below link
    http://help.sap.com/saphelp_nw70/helpdata/EN/6d/7c8cfd410ea040aadf92e1f78107a4/content.htm
    Regards,
    Marasa.

  • Role and Analysis Authorization Transport

    Dear Experts,
    I'm working with migration authorization project from 3.5 to 7.0. My doubt is when migrate in development enviroment enhancement each whith join S_RS_AUTH with Analysis Authorization which the role doesn't have any users assigning and transport to test enviroment where have a same role with user assigning. Do lose the user assign?
    Thank for all,
    Luis

    Hi,
    I think it will orverwrite the Role. If you want to lock the target system against import of user assignments, you can goto sm30 (Table - PRGN_CUST). Make an entry - USER_REL_IMPORT (value - NO).
    Thanks

Maybe you are looking for

  • Skype is not working on my phone

    My skype to go number is not working on my cell phone. I call it and it doesn't ring, the skype menu options do not show up. Its completely without sound, but I can see that the call is going on because its connecting. I try to call other phones ever

  • There's an error on the website

    http://www.apple.com/kr/macosx/whats-new/ Really? When you scroll down untill Air-Drop section, It says Wii - Fi And when i checked American site, it says Wi - Fi Lol Apple Korea needs to fix this

  • Problem in tranfering simulation project to operative project-CJV4

    hi all, I am able to transfer operative project to simulation project but after making changes in the simulation project, I am not able to transfer the simulation project back to the operative project. on clicking the transfer icon ,it gives a messag

  • Is it necessary to disable the internal DVD drive to connect an external DVD drive?

    Isit necssary to disable an internal DVDdriver to use an external DVD driver?  I have permanently jammed a CD into an iMac (mid 2007) DVD / CD drive and purchased an external LG Mac compatable (at the apple reps advice), but the external is not recog

  • Question on LaCie 1TB drive selection

    I thought I was being smart by buying a USB 2.0 version of the 1 TB drive.  $70 off the shelf instead or more expensive ones that also support Friewire or USB 3.0 (Macs do not do 3.0, as I understand). But the drive comes with only an "Install LaCie"