Analysis Authorization - Strange behaviour clarification

Similar Messages

• Analysis Authorization for nav Attr Issue

  Hello:
  I have a 0COMP_CODE as an attribute of 0SALSORG and it is marked as authorization relevant. i.e 0SALESORG_0COMP_CODE is authorization relevant.
  I created an analysis authorization Object ZCOMPCODE_1000 by adding following in it.
  InfoObject           Value
  0COMP_CODE  = 1000
  0SALESORG = *
  0SALESORG_0COMP_CODE = 1000
  0TCAACTVT = *
  0TCAIPROV - *
  0TCAKYFNM = *
  0TCAVALID = *
  Now I have a report on a cube which has 0SALESORG as char and also 0SALESORG as a variable on selection.
  When I run a query for sales org = 1000, I can see rsults as sales org 1000 is assigned to company code 1000.
  If I run report for sales org 2000, I should get not authorized message as 2000 is not assigned to company code 1000 and I only have a role assigned to me which has analysis authorization object ZCOMPCODE_1000. But Still I am getting report results.
  Please explain Why and How can I overcome this issue.
  Thanks

  First of all it is strange that we see two appearances of sales org.
  0SALESORG = *
  0SALESORG_0COMP_CODE = 1000
  Probably the star value overrides the setting in the second one.
  Besides did you create the variable in the query as authorization relevant or you will have problems there.

• Strange behaviour of Adobe Forms

  Hi Experts,
  I am using webdynpro Java with AIF on  NW2004s SP9, Adobe Reader 7.0.9 with NWDS 7.0.09.
  AIF is working fine when I access using Local area network and I am facing strange behaviour of AIF using dial-up access. I am not able to retrieve the parameters of Adobe forms when I access using dial-up connecting through VPN to portal server. whatever values I entered in Adobe UI fields where not showing up in webdynpro application. Same application is working fine with LAN and able to retrieve all parameter values of Adobe UI elements.
  Dial-up is connecting at 50kbps speed and Adobe forms size is around 300kb.
  Grab your points with correct answers.
  Regards,
  Madhan

  hi,
  you should have administration authorization on local PC ( IE activeX should be enabled.)
  check below sap note
  834573  -
  766191
  Regards
  Shridhar Gowda

• Analysis Authorization questions

  How does Analysis Authorizations work in below cases
  1)Infoobject "A" set as Authorization relevant (In Bex explorer tab)
  2)Infoobject "B" which is ATTRIBUTE of infooobject "A" set as Authorization relevant
  3)Infoobject "A" and "B" both set as Authorization relevant
  How to design query in each of the cases above with or without authorization variables and what parameters to be set in the RSECADMIN for infoobject "A" and "B" in each case like ":", "*" and what would be the behaviour after setting the above behaviour .
  can any one give example above with demonstration please

  Hi John,
  please search first the forum and read the online documentation before posting these kind of questions. You should find more than enough information via the above mentioned channels. You save time and effort of your peers.
  To answer your questions briefly:
  1. 0COUNTRY is in the free characteristics (not in the drilldown) without any selections
  ==> You need the ':' value, since whenever you ommit a characteristic you basically see want to see the summary value (you summarize / accumulate over the specific characteristics). Nevertheless, as soon as you drilldown on the characteristic you need the specfic values of the drilldown.
  - or-
  2. 0COUNTRY is not used in the query.
  ==> You need ':', too.
    Cheers
      SAP NetWeaver BI Organisation

• Strange behaviour with HTTP RFC Connection

  Hi Experts,
  today I investigated a strange behaviour in our SAP environment. I tried to create a HTTP RFC connection (SM59) from our integration server to a locale integration engine in our test environment.
  http:<server>:<port>/sap/xi/engine?type=entry
  A few days ago I do the same for the development environment and all works fine.
  For test purposes I used my user for the connection but when I tried to test the connection (test button) the authentification fails. After a few attempts my user was locked on the target server. (I called a admin to unlock my user).
  My first idea was that there is problem with the URL or something in this way. So I do a test within the browser and type in my user again. The result was - as aspect - a soap message that an empty message can not be processed.
  My second idea was that there are troubles with the authorization so I used a system user for the connection. I test the connection and received a message that the user has not enough rights to send messages to the locale integration server.
  So I came to the result that I mistyped my password due the first attempt. I try again and I was really very carefully by typing my password. I press the test button and it fails with the message that I could not logged on to the system. I try it many times and it always fails.
  Finally I use the system user and attach the required roles to the user.
  But has anybody an idea why it was not possible to use my user? I really don't understand it since it works fine in the development environment.
  Björn

  what is the version of SAP system in dev and test environments.......
  Some older version SAP systems(4.6 version) require passwords in CAPITALs....
  Edited by: Praveen Gujjeti on Mar 17, 2009 5:05 PM

• Analysis Authorization in BO 4.0 Webi report

  Hi All,
  I am using BO 4.0 and creating connection from Information Design tool to a BW query using BICS client. This connection is then published to CMC.
  We are using SAP authentication and importing the roles from BW system. We have added profiles to this role and these profiles have Analysis Authorization set on Company Code. So one user can access data to one company code and vice versa. Now this works well in Bex Analyzer, but if I try to create a report in Webi, the analysis authorization fails. I went through the forum before posting this question and I found that is in 3.1 version and in most cases using SSO in universe connection solved the problem.
  However in 4.0 I am using BICS client and followed the same processes to create a connection but for some reason it doesn't work ? Is this suppose to work differently in 4.0 ?
  I have tried:
  1. To create connection in Information Design tool using SSO, selecting user ID and password. It doesn't work.
  2. Checked the Bex query and it already has Company code as a Characteristic restrictions (I have made it a mandatory variable).
  3. Publish the connection to CMC with my Enterprise and SAP ID and in both cases it doesn't work.
  Please let me know if anyone encountered a similar issue and what is the best method to resolve this.
  (BO 4.0 no service pack or fix pack installed on the system yet)
  Thanks - Appreciate your help !
  Prasad Rasam

  Ingo,
  1. To create connection in Information Design tool using SSO, selecting user ID and password. It doesn't work.
  >> Correct you need to setup you OLAP Connection with SSO.
  >>> What I meant was I created the connections using both the methods, Using SSO it allows me to create a connection. The ID which I am using to create a connection has Admin access to BOBJ system. When I login as a regular user to create a Webi report and select this new connection, it throws an error message 'The DSL Service returned an error: com.businessobjects.dsl.services.workspace.impl.QueryViewAnalyzer$CannotGetCubeFromConnectionException: Cannot get the cube from the connection'
  Using the other method to create a connection with User ID and password, I can create a connection and with the normal user login I can connect to the BW query but Analysis Authorization doesn't work.
  Ingo : Could you be more specific what you mean here with the different users ? When you say "regular" user are you referring to an SAP credentials or SAP BusinessObjects Enteprrise credentials ?
  2. Checked the Bex query and it already has Company code as a Characteristic restrictions (I have made it a mandatory variable).
  >> The variable in the BEx query needs to be an authorization variable.
  >>> This has already been set as Authorization variable. There is still a question here. If I select the variable as Authorization variable, I cannot set the other parameters in the query properties such as Mandatory variable (as this is greyed out).
  Ingo : What other parameters would you like to configure ? Could you perhaps describe the scenario with more details ?
  regards
  Ingo Hilgefort

• Analysis Authorization Issue 7.3

  Hello Friends,
  System BW 7.3, Currently there are 80 odd analysis authorization objects
  We want to introduce a new info object (GL Account) to be authorization relevant, ( there are few objects in the system which are already authorization relevant in the system with proper analysis authorization objects and they are working fine)
  Things done, made the GL Account object authorization relevant in RSA1, Created 2 analysis authorization objects with GL Account and TCT objects and one with hierarchy restrictions and one open access.
  Added this object to the user in addition to its already existing authorization objects. Created authorization variable in BEx.
  Some how the authorization is not picked up and it gives us all the values in the report. But if I add the GL Account info object to the existing analysis authorization objects then it works fine.
  I do not want to change all the existing analysis authorization objects to add GL Account.
  Your inputs are most welcome.
  Thanks
  Ed.

  Gajesh- I have added the new analysis authorization object to the user in RSECadmin.
  Subhendu- Problem statement: What are the steps involved in making a new info object(GL Account) authorization relevant. Authorizations are given at hierarchy level. Can we create a new analysis authorization with  GL Account only or do we have to add it to every existing analysis authorization
  I have done the following steps
  1. Made the GL Account object authorization relevant in RSA1,
  2. Created 2 new analysis authorization objects with GL Account ( with hierarchy restrictions) and TCT objects and one with GL Account open access.
  3. Added this object ( which has restrictions) to the user in RSECADMIN, in addition to its already existing authorization objects.
  4. Created authorization variable in BEx.
  5. No existing analysis authorization objects have been changed.
  When I test the report, It does not restrict based on the hierarchy that I have given, it gives open access.
  But If I add GL Account with restrictions to the existing analysis authorization object, it works good.
  Guess I am missing some thing here.
  Do you need any other screen shots.
  Thanks
  Ed.

• Analysis Authorization Issue

  Hi:
  I created an analysis authorization ZCO_CODE to trstrict it by a company code.
  I added following objects in authorization with values.
  0COMP_CODE = 1000
  0TCAACTVT = 03
  0TCAIFAREA = *
  0TCAIPROV = *
  0TCAVALID = *
  Then I created a role Z:00:BW_REPORT, where I added following authorization objects S_RS_AUTH and restricted it by value ZCO_CODE. Then I assigned this role to a user test01.
  When I execute a program RSEC_MIGRATION for this specific user, I do not see authorization object ZCO_CODE on 2nd step of this program. Any Idea Why? I think this object should show up as I want to migrate this specific object.
  Help will be appreciated.

  Hi Sachin:
  Okay here is my issue.
  I have a Reporting authorization Object created earlier which is ZCOCODE. I though I'll have to create a new Analysis authorization object e.g. ZCO_CODE and then restrict it with other chars. as mentioned in Marc Bernards presentation and then you have to migrate it.
  In selection list I can see old Reporting authorization object. If I select it and use option "Enhance existing profile" then It will update profile and not role? right....
  How can I see whether it has updated existing profile?????
  Do I need to create new Analysis Auth. for Company code or I can use old Reporting authorization for company code?
  For testing purpose, I created a test user and assigned all reporting roles but It will not show up in RSEC_MIGRATION step???

• BW Analysis authorization issue on cost center range

  Hello BIW security experts
  I have a problem where I created an analysis authorization on a cost center range and it looks like the interval is not working. The report is just a list of cost centers (demo to users to prove that analysis authorizations work in order to skip 2 managerial cost centers.
  . Cost centers are numeric. Example:  2000100. In the drop down list they appear as such.
  . I want to have the following cost center range: 1000000 to 1000771, 1000773 to 2000771, 2000773 to 9999999.
  Thereofore 1000772  and 2000772 should not appear in the list.
  . In the analysis authorization I have put the 3 ranges above on 3 separate lines. 'BT' is the operator. The cost centers have been selected from the drop down list.
  Results:  I get only 1 record from the report....  2000772. (which is one I want to exclude..
  Steps tried to debug:
  . When I put a list of cost centers in the analysis authorization on separate line with the 'EQ' operator, then the report works.
  . I tried putting ' ' delimiters since cost center is a char field but it fails.
  . I tried adding leading and trailing zeros to fill up the char(10) but no luck.
  . I tried creating a hierarchy with the interval and put it in the hierachy auth. tab and it does not work either. It gives the same number of records than the first step.
  . A hierarchy with single values work.
  I do not know what else to try..
  Thanks.
  YB.

  Good morning
  Here it is from RSECVAL
  ZCC_TEST     0COSTCENTER                    I       BT        1000000                                                      1000771
  ZCC_TEST     0COSTCENTER                    I       BT        1000773                                                      2000771
  ZCC_TEST     0COSTCENTER                    I       BT        2000773                                                      9999999
  ZCC_TEST     0COSTCENTER                    I       EQ        #
  ZCC_TEST     0COSTCENTER                    I       EQ        :
  ZCC_TEST     0INFOPROV                         I       CP        *
  ZCC_TEST     0TCAACTVT                        I       EQ        03
  ZCC_TEST     0TCAIPROV                         I       CP        *
  ZCC_TEST     0TCAKYFNM                       I       CP        *
  Thank you for your help.

• BW Analysis authorization issue... need help urgently....

  We have one BW query which is pulling data from Contract Division info-object. Now this report does not variable selection object so it is pulling data from all values of Contract Division. Values of  Contract Division are CNC, CNS, CNE and CNL.
  Now we have created an analysis auth. object called z_es_3 and added Contract division info-object. Now we have added that z_es_3 into role and given value to CNS. now when we are running report, we are getting No Authorization error. When we are giving * value in z_es_3, it is running fine.
  Now we have to restrict report to contract division. please help.
  Thanks in advance

  Are you running unrestricted search on Contract division in your queries? You should restrict it to value which is maintained in the authorization for the InfoObject.
  Also please run the analysis authorization trace from RSECADMIN. That will give you a clearer picture of what is wrong.

• Analysis Authorization based on Hier node with multiple display hierarchies

  Hi guys - I've got a problem where s.o. might have an idea of how to switch on the light at the end of the tunnel, I am currently standing in:
  Requirement:
  Cost Center Authorization should be given through RSECADMIN, reporting should be possible for any hierarchy that exists for the authorization relevant info object.
  Preferred solution:
  The Cost Center Analysis Authorization should be given through RSECADMIN - Hierarchy node assignment.
  u2022     A dedicated Authorization Cost Center Hierarchy will be maintained in ECC6 as an alternative cost center hierarchy and extracted into BW.
  u2022     The RSECADMIN Hierarchy node assignment should be based on a particular node (Type 2).
  u2022     The display level will be specified as required (here: Level 7)
  u2022     The Authorization granted should be independent of hierarchy name and version (validity 3).
  Reporting Scenario and technical impact:
  As mentioned above, when designing and running a query the user should be able to freely select other (i.e. than the authorization) display hierarchies for the authorization relevant reporting object 'Cost Center' as well. The technical names of the semantically relevant hierarchy nodes could therefore vary. E.g. cost centers 1, 2 and 3, being assigned under hierarchy node u2018Au2019 of the RSECADMIN relevant authorization hierarchy, could be subsumed by hierarchy node u2018Bu2019 in another display hierarchy, which the user may want to display in accordance to his reporting needs. Ideally, the alternative display hierarchy should therefore display node u2018Bu2019.
  My findings so far (based on prototyping) turn out that this is not possible as long u2018Bu2019 (and its hierarchy) is not authorized in RSECADMIN. Can these findings be confirmed? And if not, would anyone have an idea of how to facilitate the reporting scenario?
  Would there be any other way to grant access, possibly based on RSECADMIN single values, and also enable the user to flexibly display hierarchies with only those hierarchy nodes whose single cost center values the user has been given access to?
  Thanks everyone for your input...
  Claus
  Edited by: Claus64 on Jul 13, 2009 4:10 AM

  HI CLause,
  On Jul 14 2009, you wrote in SDN and said:
  FYI: Found a solution...
  The hierarchy analysis authorization will be based on a navigational attribute of cost center.
  With analysis authorizations it is possible to declare the Auth object (e.g. 0COSTCENTER__RACCAUT0) as authorization relevant and leave the superior object 0COSTCENTER auth irrelevant.
  The auth will be given for 0COSTCENTER__RACCAUT0. This object will be placed as a filter of the query, being restricted by an Authorization variable for hierarchy nodes.
  Due to the concept of Analysis Authorizations, this variable will automatically pick up the nodes granted as part of RSECADMIN Hierarchy based Authorization.
  As mentioned above, 0COSTCENTER as the regular reporting characteristic remains auth irrelevant and can therefore take any hierarchy thatu2019s available. Reporting on single values will be possible, too. Only those nodes show up that hold the authorized cost centers in accordance to the authorization.
  If the auth relevant 0COSTCENTER__RACCAUT0 is not used in the query definition by either not taking it in as a filter or skipping the Auth variable, the query will launch the message that the authorization is missing. No data show up at all.
  Claus
  See this thread:
  Analysis Authorization based on Hier node with multiple display hierarchies
  I am also in the same situation as you and need to understadn your solution. I understand that you created a Nav Attr on 0COSTCENTER and made this auth relevant whilst ensuring that 0COSTCENTER is NOT auth relevant. This is all fine. The issue was you have multiple hierachies for 0COSTCENTER, how did the new Nav Attr help you solve your issue. When loading 0COSTCENTER what values did you load ino the new Nav Attribute and how did that link to the hierachies? Also, in RSECADMIN you created hiearchy nodes based on the Nav Attribute but I am confused as to what values you have in the Nav Attr.
  I appreciate if you can share your solution from the past in more details.
  many thanks

• APEX Listener and EPG - strange behaviour

  Hi
  For some years, I've used EPG for APEX but have struggled with performance particularly as I can have up to 150 student developers using at any one time.
  I do a fair amount of work using ORDImage and have successfully developed APEX applications to upload image files and display full-size and thumbnail images.
  After upgrading to APEX 4.1 (from 4.0), I decided to install APEX Listener standalone.
  Before I did so I checked that my applications still worked in 4.1 and they did.
  However, just installing APEX Listener but not configuring it (yet) has meant that my image display in a report using a procedure based on wpg_docload.download_file( l_ordimage_image.source.localData ) no longer works in EPG - the images are not displayed.
  Configuring APEX Listener and running the same application through that DOES display the images.
  So this part of the application works under APEX Listener but not under EPG.
  My application also allows users to upload images from APEX_APPLICATION_FILES using standard code. Under APEX Listener after uploading, I'm left with a blank page with a wwv_flow.accept URL although the image does indeed upload. Under EPG it works as expected and I get a success confirmation.
  So this part of the application works under EPG but not under APEX Listener.
  Has anyone else come across different behaviour depending on the mode of connection?
  Thanks
  Brian
  [Oracle EE 11gR2, Windows Server 2008R2, APEX 4.1, APEX Listener 1.1.3]

  Hi Brian,
  it sounds like you have both EPG and APEX Listener running on the same machine, so your problem might result from a port conflict. Note that both services use TCP port 8080 as default.
  At least a port conflict would explain the strange behaviour in your case, some things working on one web server and some on the other.
  Some parts of your initial post hint to that direction, e.g.
  However, just installing APEX Listener but not configuring it (yet) has meant that my image display in a report using a procedure based on >wpg_docload.download_file( l_ordimage_image.source.localData ) no longer works in EPG - the images are not displayed.... because the APEX Listener only interfere with the EPG if it is at least running on the same machine as your database and furthermore, if it is unconfigured in terms of ist database connection, a port conflict might be the only way it could cause anything like that.
  However, if you are sure that's not the issue, please check if you see any error in the APEX Listener's log for the following action you performed:
  My application also allows users to upload images from APEX_APPLICATION_FILES using standard code. Under APEX Listener after uploading, I'm left with a blank >page with a wwv_flow.accept URL although the image does indeed uploadIf you actually see just a blank screen, something very bad must have happened and you should see some kind of stack trace there.
  For further investigations, if necessary, it would be helpful to know how you deployed or started your APEX Listener and which JDK version you use.
  For the moment, I still think the port conflict is my best guess.
  You could avoid it by either changing the port for EPG (I'd not recommend that if you have other users still using it) or by changing the port for your APEX Listener.
  -Udo

• Strange behaviour of Runtime.getRuntime().exec(command)

  hello guys,
  i wrote a program which executes some commands in commandline (actually tried multiple stuff.)
  what did i try?
  open "cmd.exe" manually (administrator)
  type "echo %PROCESSOR_ARCHITECTURE%" and hit enter, which returns me
  "AMD64"
  type "java -version" and hit enter, which returns me:
  "java version "1.6.0_10-beta"
  Java(TM) SE Runtime Environment (build 1.6.0_10-beta-b25)
  Java HotSpot(TM) 64-Bit Server VM (build 11.0-b12, mixed mode)"
  type "reg query "HKLM\SOFTWARE\7-zip"" returns me:
  HKEY_LOCAL_MACHINE\SOFTWARE\7-zip
  Path REG_SZ C:\Program Files\7-Zip\
  i wrote two functions to execute an command
  1) simply calls exec and reads errin and stdout from the process started:
  public static String execute(String command) {
            String result = "";
            try {
                 // Execute a command
                 Process child = Runtime.getRuntime().exec(command);
                 // Read from an input stream
                 InputStream in = child.getInputStream();
                 int c;
                 while ((c = in.read()) != -1) {
                      result += ((char) c);
                 in.close();
                 in = child.getErrorStream();
                 while ((c = in.read()) != -1) {
                      result += ((char) c);
                 in.close();
            } catch (IOException e) {
            return result;
       }the second function allows me to send multiple commands to the cmd
  public static String exec(String[] commands) {
            String line;
            String result = "";
            OutputStream stdin = null;
            InputStream stderr = null;
            InputStream stdout = null;
            // launch EXE and grab stdin/stdout and stderr
            try {
                 Process process;
                 process = Runtime.getRuntime().exec("cmd.exe");
                 stdin = process.getOutputStream();
                 stderr = process.getErrorStream();
                 stdout = process.getInputStream();
                 // "write" the parms into stdin
                 for (int i = 0; i < commands.length; i++) {
                      line = commands[i] + "\n";
                      stdin.write(line.getBytes());
                      stdin.flush();
                 stdin.close();
                 // clean up if any output in stdout
                 BufferedReader brCleanUp = new BufferedReader(
                           new InputStreamReader(stdout));
                 while ((line = brCleanUp.readLine()) != null) {
                      result += line + "\n";
                 brCleanUp.close();
                 // clean up if any output in stderr
                 brCleanUp = new BufferedReader(new InputStreamReader(stderr));
                 while ((line = brCleanUp.readLine()) != null) {
                      result += "ERR: " + line + "\n";
                 brCleanUp.close();
            } catch (IOException e) {
                 // TODO Auto-generated catch block
                 e.printStackTrace();
            return result;
       }so i try to execute the commands from above (yes, i am using \\ and \" in java)
  (1) "echo %PROCESSOR_ARCHITECTURE%"
  (2) "java -version"
  (3) "reg query "HKLM\SOFTWARE\7-zip""
  the first function returns me (note that ALL results are different from the stuff above!):
  (1) "" <-- empty ?!
  (2) java version "1.6.0_11"
  Java(TM) SE Runtime Environment (build 1.6.0_11-b03)
  Java HotSpot(TM) Client VM (build 11.0-b16, mixed mode, sharing)
  (3) ERROR: The system was unable to find the specified registry key or value.
  the second function returns me:
  (1) x86 <-- huh? i have AMD64
  (2) java version "1.6.0_11"
  Java(TM) SE Runtime Environment (build 1.6.0_11-b03)
  Java HotSpot(TM) Client VM (build 11.0-b16, mixed mode, sharing)
  (3) ERROR: The system was unable to find the specified registry key or value.
  horray! in this version the java version is correct! processor architecture is not empty but totally incorrect and the reg query is still err.
  any help is wellcome
  note: i only put stuff here, which returns me strange behaviour, most things are working correct with my functions (using the Runtime.getRuntime().exec(command); code)
  note2: "reg query "HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0" /t REG_SZ" IS working, so why are "some" queries result in ERR, while they are working if typed by hand in cmd.exe?

  ok, i exported a jar file and execute it from cmd:
  java -jar myjar.jar
  now the output is:
  (1) "" if called by version 1, possible to retrieve by version 2 (no clue why!)
  (2) "java version "1.6.0_10-beta"
  Java(TM) SE Runtime Environment (build 1.6.0_10-beta-b25)
  Java HotSpot(TM) 64-Bit Server VM (build 11.0-b12, mixed mode)"
  (3) C:\Program Files\7-Zip\
  so all three problems are gone! (but its a hard way, as i need both functions and parse a lot of text... :/ )
  thanks for the tip, that eclipse changes variables (i really did not knew this one...)

• Web Intelligence Report + BI 7.0 Analysis Authorizations

  Hello Experts,
  I have created a report on a universe based in a SAP BW InfoCube that contains an authorization relevant InfoObject (Company Code).
  BW Analysis authorization have been set up for this cube in such way that the user should have access only to data containing one of the two values of Company Code (lets say for example that the user can access value "A").
  It seems to be working fine when testing them via a BEx Query or via rsecadmin (rsrt with detailed analysis authorization logs). When the test user tries to view the full contents of the specific cube gets an "access denied" message (this is normal), whereas if the user runs a report with a filter "A" on Company Code the report returns the results as it should have. So far so good.
  For testing use within Web Intelligence, I have created the following Single Sign On (SSO) universes: a)directly on the cube, b)via a "select all" query and finally c)via a filtered query (filtering the exact allowed values of analysis authorization of the test user). All of the above have unfortunately the exact same issues:
  When a test user with limited analysis authorization (i.e. a user that can only access value "A" of Company Code) tries to view a report on either of these universes, then the result is the following message when trying to execute the query "A database error occured. The database error text is: Error loading cube MyCube/MyQuery (catalog MyCube): Unknown error. (WIS 10901)"
  I have tried several settings on the universe (like filter working on LoV as well) but none helped.
  If we replace the user's analysis authorizations with full access on company code (values "A" and "B") the query runs as it should have.
  Any ideas?
  Best regards
  Giorgos

  Hi,
  has the Universe been created on the cube level or on the query level ?
  In case it is on the cube level it will fail because :
  Analysis authorizations are not based on authorization objects. Instead, you create authorizations that include a group of characteristics. You restrict the values for these characteristics.
  The authorizations can include any authorization-relevant characteristics, and treat single values, intervals, and hierarchy authorizations in the same way. Navigation attributes can also be flagged as authorization-relevant in the attribute maintenance for characteristics and can be added to authorizations as separate characteristics.
  You can then assign this authorization to one or more users.
  All characteristics flagged as authorization-relevant are checked when a query is executed.
  *A query always selects a set of data from the database. If authorization-relevant characteristics are part of this data, you have to make sure that the user who is executing the query has sufficient authorization for the complete selection. Otherwise, an error message is displayed indicating that the authorization is not sufficient. In principle, the authorizations do not work as filters. Very restricted exceptions to this rule are hierarchies in the drilldown and variables that are filled depending on authorizations. Hierarchies are mostly restricted to the authorized nodes, and variables that are filled depending on authorizations act like filters for the authorized values for the particular characteristic*
  Ingo

• [BO over SAP BW] Web Intelligence Report + BI 7.0 Analysis Authorizations

  Hello Experts,
  I have created a report on a universe based in a SAP BW InfoCube that contains an authorization relevant InfoObject (Company Code).
  BW Analysis authorization have been set up for this cube in such way that the user should have access only to data containing one of the two values of Company Code (lets say for example that the user can access value "A").
  It seems to be working fine when testing them via a BEx Query or via rsecadmin (rsrt with detailed analysis authorization logs). When the test user tries to view the full contents of the specific cube gets an "access denied" message (this is normal), whereas if the user runs a report with a filter "A" on Company Code the report returns the results as it should have. So far so good.
  For testing use within Web Intelligence, I have created the following Single Sign On (SSO) universes: a)directly on the cube, b)via a "select all" query and finally c)via a filtered query (filtering the exact allowed values of analysis authorization of the test user). All of the above have unfortunately the exact same issues:
  When a test user with limited analysis authorization (i.e. a user that can only access value "A" of Company Code) tries to view a report on either of these universes, then the result is the following message when trying to execute the query "A database error occured. The database error text is: Error loading cube MyCube/MyQuery (catalog MyCube): Unknown error. (WIS 10901)"
  I have tried several settings on the universe (like filter working on LoV as well) but none helped.
  If we replace the user's analysis authorizations with full access on company code (values "A" and "B") the query runs as it should have.
  Any ideas?
  Best regards
  Giorgos

  Hi,
  has the Universe been created on the cube level or on the query level ?
  In case it is on the cube level it will fail because :
  Analysis authorizations are not based on authorization objects. Instead, you create authorizations that include a group of characteristics. You restrict the values for these characteristics.
  The authorizations can include any authorization-relevant characteristics, and treat single values, intervals, and hierarchy authorizations in the same way. Navigation attributes can also be flagged as authorization-relevant in the attribute maintenance for characteristics and can be added to authorizations as separate characteristics.
  You can then assign this authorization to one or more users.
  All characteristics flagged as authorization-relevant are checked when a query is executed.
  *A query always selects a set of data from the database. If authorization-relevant characteristics are part of this data, you have to make sure that the user who is executing the query has sufficient authorization for the complete selection. Otherwise, an error message is displayed indicating that the authorization is not sufficient. In principle, the authorizations do not work as filters. Very restricted exceptions to this rule are hierarchies in the drilldown and variables that are filled depending on authorizations. Hierarchies are mostly restricted to the authorized nodes, and variables that are filled depending on authorizations act like filters for the authorized values for the particular characteristic*
  Ingo