Analysis Authorization with SEM-BPS

Similar Messages

• Transport roles and analysis authorization with user assigned

  Hi expert,
  I face with this problem transport roles and analysis authorization with user assigned. When I have created a transport request to move the roles and analysis authorization from development system to test system. I couldnu2019t maintain the user assigned, after transport I have to assigned manually all of user or create a program to fill AGR_USER table or there are other way.
  Thanks for your time,
  Luis

  Hi,
  In role administration, you have the following options for transporting roles:
  You can download the roles from one system and upload them into another  
  You can import the role from a remote system using RFC  
  You can transport the roles with the transport function.
  Role upload loads all role data, including authorization data from a file into the SAP system. The user assignments for the role and the generated profiles for the role are exceptions in this case.
  Transporting Roles with the Role Transport Function
         1.      Start the role administration function by choosing Tools ® Administration ® User Maintenance ® Role Administration ® Roles (transaction PFCG).
         2.      Enter the role to be transported and choose Transport Role.
  The Mass Transport of Roles screen appears. You can control the default settings for the options Also transport single roles for composite roles and Also transport generated profiles for roles using Customizing switches (see Role Administration Functions in the section Functions of the Utilities Menu).
  You should not change the authorizations profiles of the role after you have included the role in a transport request. If you need to change the profiles or generate them for the first time, transport the entire role again afterwards.
  For more information go thrpugh the below link
  http://help.sap.com/saphelp_nw70/helpdata/EN/6d/7c8cfd410ea040aadf92e1f78107a4/content.htm
  Regards,
  Marasa.

• Authorizations in SEM-BPS (Web Layouts)

  Hi all,
  I have a question that hopefully somebody can help me in solving it.
  We have a bps application, with authorizations maintained in the sap normal way: pfcg, rssm, etc.
  The question is that we started to build some web (alv) layouts, and need to maintain the same authorization schema.However, the authorizations are not verified in the web layouts.
  Can somebody provide some hint in solving this problem ?
  Best Regards,
  Ricardo

  Hi Raman,
  Sorry but your tip doesn't work
  That's precisely our problem: the authorization scheme we implemented in the "SAP GUI side" doesn't work in the web side". Using web layouts, I still can acess some layouts I shouldn't be allowed to (user dependent)
  Thank you anyway
  Regards,
  Ricardo

• Analysis Authorizations with two infoobjects in a infocube

  Dear Experts,
  I have a infoprovider which is
  having two infoobjects Z1 and Z2 both are auth relavant
  i have two queries Q1 and Q2, Q1 has Z1 only and Q2 has Z2 only.
  if i have two sets of users, one group have access to only query Q1 and second group
  has access to Q2.
  my doubts
  1. do i have to give both the group users authorization for two info objects Z1 and Z2 eventhough they both together
  are not in one query but only one at a time in a query.Becuase all the queries are on th same infocube.
  2 or else can i create one authorizatio and include both the info objects in it and then assign it two all the users irrespective of the group.
  Thanks and Regards
  Neel
  Edited by: Neel Kamal on Apr 12, 2009 1:34 PM

  Hi Neel,
  Answers to your questions in bold.
  1. do i have to give both the group users authorization for two info objects Z1 and Z2 eventhough they both together
  are not in one query but only one at a time in a query.Becuase all the queries are on th same infocube.
  Answer - Yes, I think you would need to give both user groups, authorization to both the infoobjects.
  You may need to check in RSSM, that both authorization objects are marked for authorization check for infoprovider. If both have been checked, then I guess you need to give authorization for both infoobjects. In RSSM, in infoprovider , give the infocube name on which the query is created and check the authorization objects checked for this infoprovider. Check the definition of the authorization objects in the same transaction.
  2 or else can i create one authorizatio and include both the info objects in it and then assign it two all the users irrespective of the group.
  Answer - Yes, you could do it this way as well. But this means that all the users in the two user groups will be authorized to see the same authorized dataset.
  Hope this helps,
  Best regards,
  Sunmit.

• Analysis Authorization Issue 7.3

  Hello Friends,
  System BW 7.3, Currently there are 80 odd analysis authorization objects
  We want to introduce a new info object (GL Account) to be authorization relevant, ( there are few objects in the system which are already authorization relevant in the system with proper analysis authorization objects and they are working fine)
  Things done, made the GL Account object authorization relevant in RSA1, Created 2 analysis authorization objects with GL Account and TCT objects and one with hierarchy restrictions and one open access.
  Added this object to the user in addition to its already existing authorization objects. Created authorization variable in BEx.
  Some how the authorization is not picked up and it gives us all the values in the report. But if I add the GL Account info object to the existing analysis authorization objects then it works fine.
  I do not want to change all the existing analysis authorization objects to add GL Account.
  Your inputs are most welcome.
  Thanks
  Ed.

  Gajesh- I have added the new analysis authorization object to the user in RSECadmin.
  Subhendu- Problem statement: What are the steps involved in making a new info object(GL Account) authorization relevant. Authorizations are given at hierarchy level. Can we create a new analysis authorization with  GL Account only or do we have to add it to every existing analysis authorization
  I have done the following steps
  1. Made the GL Account object authorization relevant in RSA1,
  2. Created 2 new analysis authorization objects with GL Account ( with hierarchy restrictions) and TCT objects and one with GL Account open access.
  3. Added this object ( which has restrictions) to the user in RSECADMIN, in addition to its already existing authorization objects.
  4. Created authorization variable in BEx.
  5. No existing analysis authorization objects have been changed.
  When I test the report, It does not restrict based on the hierarchy that I have given, it gives open access.
  But If I add GL Account with restrictions to the existing analysis authorization object, it works good.
  Guess I am missing some thing here.
  Do you need any other screen shots.
  Thanks
  Ed.

• Web Intelligence Report + BI 7.0 Analysis Authorizations

  Hello Experts,
  I have created a report on a universe based in a SAP BW InfoCube that contains an authorization relevant InfoObject (Company Code).
  BW Analysis authorization have been set up for this cube in such way that the user should have access only to data containing one of the two values of Company Code (lets say for example that the user can access value "A").
  It seems to be working fine when testing them via a BEx Query or via rsecadmin (rsrt with detailed analysis authorization logs). When the test user tries to view the full contents of the specific cube gets an "access denied" message (this is normal), whereas if the user runs a report with a filter "A" on Company Code the report returns the results as it should have. So far so good.
  For testing use within Web Intelligence, I have created the following Single Sign On (SSO) universes: a)directly on the cube, b)via a "select all" query and finally c)via a filtered query (filtering the exact allowed values of analysis authorization of the test user). All of the above have unfortunately the exact same issues:
  When a test user with limited analysis authorization (i.e. a user that can only access value "A" of Company Code) tries to view a report on either of these universes, then the result is the following message when trying to execute the query "A database error occured. The database error text is: Error loading cube MyCube/MyQuery (catalog MyCube): Unknown error. (WIS 10901)"
  I have tried several settings on the universe (like filter working on LoV as well) but none helped.
  If we replace the user's analysis authorizations with full access on company code (values "A" and "B") the query runs as it should have.
  Any ideas?
  Best regards
  Giorgos

  Hi,
  has the Universe been created on the cube level or on the query level ?
  In case it is on the cube level it will fail because :
  Analysis authorizations are not based on authorization objects. Instead, you create authorizations that include a group of characteristics. You restrict the values for these characteristics.
  The authorizations can include any authorization-relevant characteristics, and treat single values, intervals, and hierarchy authorizations in the same way. Navigation attributes can also be flagged as authorization-relevant in the attribute maintenance for characteristics and can be added to authorizations as separate characteristics.
  You can then assign this authorization to one or more users.
  All characteristics flagged as authorization-relevant are checked when a query is executed.
  *A query always selects a set of data from the database. If authorization-relevant characteristics are part of this data, you have to make sure that the user who is executing the query has sufficient authorization for the complete selection. Otherwise, an error message is displayed indicating that the authorization is not sufficient. In principle, the authorizations do not work as filters. Very restricted exceptions to this rule are hierarchies in the drilldown and variables that are filled depending on authorizations. Hierarchies are mostly restricted to the authorized nodes, and variables that are filled depending on authorizations act like filters for the authorized values for the particular characteristic*
  Ingo

• [BO over SAP BW] Web Intelligence Report + BI 7.0 Analysis Authorizations

  Hello Experts,
  I have created a report on a universe based in a SAP BW InfoCube that contains an authorization relevant InfoObject (Company Code).
  BW Analysis authorization have been set up for this cube in such way that the user should have access only to data containing one of the two values of Company Code (lets say for example that the user can access value "A").
  It seems to be working fine when testing them via a BEx Query or via rsecadmin (rsrt with detailed analysis authorization logs). When the test user tries to view the full contents of the specific cube gets an "access denied" message (this is normal), whereas if the user runs a report with a filter "A" on Company Code the report returns the results as it should have. So far so good.
  For testing use within Web Intelligence, I have created the following Single Sign On (SSO) universes: a)directly on the cube, b)via a "select all" query and finally c)via a filtered query (filtering the exact allowed values of analysis authorization of the test user). All of the above have unfortunately the exact same issues:
  When a test user with limited analysis authorization (i.e. a user that can only access value "A" of Company Code) tries to view a report on either of these universes, then the result is the following message when trying to execute the query "A database error occured. The database error text is: Error loading cube MyCube/MyQuery (catalog MyCube): Unknown error. (WIS 10901)"
  I have tried several settings on the universe (like filter working on LoV as well) but none helped.
  If we replace the user's analysis authorizations with full access on company code (values "A" and "B") the query runs as it should have.
  Any ideas?
  Best regards
  Giorgos

  Hi,
  has the Universe been created on the cube level or on the query level ?
  In case it is on the cube level it will fail because :
  Analysis authorizations are not based on authorization objects. Instead, you create authorizations that include a group of characteristics. You restrict the values for these characteristics.
  The authorizations can include any authorization-relevant characteristics, and treat single values, intervals, and hierarchy authorizations in the same way. Navigation attributes can also be flagged as authorization-relevant in the attribute maintenance for characteristics and can be added to authorizations as separate characteristics.
  You can then assign this authorization to one or more users.
  All characteristics flagged as authorization-relevant are checked when a query is executed.
  *A query always selects a set of data from the database. If authorization-relevant characteristics are part of this data, you have to make sure that the user who is executing the query has sufficient authorization for the complete selection. Otherwise, an error message is displayed indicating that the authorization is not sufficient. In principle, the authorizations do not work as filters. Very restricted exceptions to this rule are hierarchies in the drilldown and variables that are filled depending on authorizations. Hierarchies are mostly restricted to the authorized nodes, and variables that are filled depending on authorizations act like filters for the authorized values for the particular characteristic*
  Ingo

• Analysis Authorization

  We have a need to restrict the majority of our users from seeing transactions of few business accounts.  The restricted accounts can be based on a specific gl account, fund range, or they can be a combination of a fund and cost center (or fund and fund center).  Until we become more familiar with this process, we are only concerned with 0FUND and it's restricted ranges, so below my question is just about 0FUND.. 
  We need to explore and understand what abilities analysis authorizations give us. I have done a lot of reading, but so far all of the pieces are not falling into place.  I am on the BW team and working with the security team to get this accomplished.  At this time whereever 0FUND is located in an existing authorization, it has a "*" to indicate the user gets all values.  We have already gone live; will every authorization currently in use with 0FUND have to be changed?  Is there a detailed How-To located somewhere?
  thank you in advance for your help.
  LLK

  Hi Linda,
  SUIM - User Information System is a TRANSACTION CODE. (Its not SUM)
  Execute SUIM and follow the path mentioned below:
  SUIM -> User -> Users by complex selection criteria -> Users by complex selection criteria. In the Authorization object field mention S_RS_AUTH and in the field mention the name of the analysis authorization which you want to search for.
  The output would be users who have access to the analysis authorization that you gave in the search criteria.
  Since in your case there would be a lot of analysis authorizations with * in 0FUND,  it would be better to identify the roles first and then the users assigned to these roles.
  You can identify the roles by browsing the table SE16. Just give the object name and all the analysis authorizations in the multiple selection on appropriate fields. Then use SUIM to identify the users who have access to these roles.
  SUIM -> User -> Users by complex selection criteria -> By Roles.
  You can also display the roles in this report by pressing the Roles button at the top. Apply filter to restrict the roles to your identified roles.
  Thats it !
  Regards
  Sachin

• Analysis Authorizations Issue (BI 7.0)

  Dear Colleagues,
  I have a question regarding BI 7.0 Authorizations. What happens when a cube is created from an Infoprovider in which Company Code (to use an example) is marked as authorizations relevant, but that infobject is not used. That is, the cube gets data from that Infoprovider, but the data retrieved has nothing to do with Company Code. When a query is created from this cube, will the user be required to have authorizations for the company code of the information he's retrieving or will she/he be able to see all the information?
  Thanks in advance for your help.
  Best regards,
  CMPT

  Hello,
  I think I understand your question?
  If you have characteristic company code marked as authorization relevant...
  You have two basic info cubes, one with company code A and one without company code B.
  You have a multi cube combining characteristics from both basic cubes (including company code).
  If you execute a query written against the multi cube but extracts data only from basic cube B (without company code), will you need to have an analysis authorization with company code defined?
  If this is your question, then Yes, you do need to define company code in the authorization (assigning value # should be sufficient).
  KR
  Andy

• How to implement complex analysis authorizations in simple way

  Hi All,
  I need to create some analysis authorizations with long list of single values for a characteristics. For example, we have multiple set up of company codes (APAC, EAME, AMERICAS, etc) and each set contains 150 - 200 company codes in it. Now we have multiple combinations of company code set and geographies. In short, we will have multiple analysis authorizations and each will have one or two set of company codes and some geographies.
  I can create the analysis authorizations for the first time, by putting individual values in the respective characteristics. That would be a big task but can be done. But the problem is about ongoing maintenance. In future, if a new company code is added to lets say APAC companies, then we will have to update all analysis authorizations which contains APAC company code and that would be huge number of AAs due to the complexity of business architecture.
  Could anyone please suggest if it is possbile (and how) to do below or similar, or have any other better approach (using BW7.4)
  - We would create a group (or set) of company codes. Lets say would create a group APAC_Comp_Code and add all APAC related company codes in it. This would be repeated for all set of compant codes.
  - While creating analysis authorizatons, I would not assign any individual company code value in characteristic, instead put APA_Comp_Code inside the characteristic 0COMP_CODE.
  - If I need to put multiple set of company codes inside 0COMP_CODE, I will just put the corresponding group name, not the invidual values.
  The benefit would be that in future if I need to add a new company code to APAC, I would just have to update this group APAC_Comp_Code. I will not have to maintain the analysis authorizations.
  Please let me know if this is possible or if there is any other way to implement the requirement with simpler maintenance.
  Thanks
  Nitesh Gupta

  Hi Nitesh,
  From what you describe, this would be a good case to use variables in your analysis authorisations. You can specify a variable value for the BUKRS field and have a couple of options to populate the values which are picked up in the query execution.
  You will need to ensure that you activate the istep to read customer exit variables and have the query variable set as customer-exit. Once those are complete, you can create a custom table to maintain the mapping of groups to company codes, or to read the company codes directly from your ERP system (if you want to base authorisations on what the users can see in ERP) and populate the table with those values.
  However you populate the value to the variable, I think this approach will get you closer to minimal maintenance going forward. Enhancement RSR00001 should be implemented, some help documentation for this below
  http://help.sap.com/saphelp_nw70/helpdata/en/1d/ca10d858c2e949ba4a152c44f8128a/content.htm
  Hope this helps,
  Tom

• BW BEX Queries and Analysis Authorizations

  Hello....
  Have an opportunity with BW BEX queries and Analysis Authorization...would like to see if anyone has had the same experience and if so is there a answer....
  1) given a query....
  2) given a analysis authorization with a info-object that has intervals defined to be both single values and ranged values
  the following happens...
  after the query is fired the starter screen appears...the info-object in question appears with the defined single values only....if....the window is opened....again only the single values appear...the range values do not appear...once the query is executed the only results given are those for the single values...
  also if you re-fire the query and manually enter a valid value for the info-object that falls with-in any of the range values no result is given...even if there is data for it....the reponse given is no data found....
  NOW...if the single values, for the given info-object, are removed from the Analysis Authoriization then the range values appear and work....
  Is this a problem within in the query...or...is this a "feature" of the query...and thus must be "lived" with...
  Terry
  PS...this problem currently only happens if the window for the info-object allows for multi-selection....this problem does not occurr when the window only allows for one selection...

  Hi,
  This is a known problem with analysis authorization and multi selection IO selection criteria.
  When you define the analysis authorization with ranges and when you try to enter single values on the selection critera of the query, then the system shows zero data.
  You can run the query without entering any selection values for the IO in question only.
  I have tried several combinations and still encountering the same issue.
  Ravi

• Data in aggregates not updated after planning in SEM-BPS cubes

  We are running BW 3.0B SP27 with SEM-BPS. Our database is DB/2. When users modify plan data on planning layouts, the data in the cube and the aggregates can become inconsistent.
  For example, when a user runs a report that uses an aggregate, they get one number, but when they add a drilldown that causes the report to bypass the aggregate and hit the cube directly, the number will be different. The only way to fix this is to deactivate and then reactivate the aggregate that has stale data.
  We've tried opening an OSS message, but that hasn't been helpful, since we aren't able to reliably reproduce the problem. Sometimes the aggregates are fine, other times the data will be stale.
  We roll up aggregates in the SEM cubes at the end of each business day. We include a request ID filter for "most current data" (0S_RQMRC) in all our SEM queries, so the queries should be bringing in data from the latest open request in addition to the data in the relevant aggregate.
  What causes this, and how can we fix it without manually reactivating aggregates?
  Thanks,
  Jason
  Message was edited by: Jason Kraft

  is the request still open. close the request and then probably the aggregates will start..
  Regards,
  BWer
  Assign points if helpful.

• How to Move Migrated Analysis Authorization across the landscape?

  Hi,
  we have migrated existing 3.x obsolete authorization concept to 7.x Analysis Authorization with the SAP delivered program RSEC_MIGRATION. Unit test is completed in the Development. What is the process to move the changes to quality.
  Any help is greatly appreciated.
  Thanks!

  Hi Tony,
  what about the roles that are updated during the migration process. How do I identify them and Do I need to collect them and transport too? Is there a way I can use the tables you mentioned in the above discussion for this.
  First you should decide on whether you wish to use direct AA assignment or use S_RS_AUTH authorization object (This is referred as indirect AA assignment).
  If you wish to assign AA directly, you doesn't require the roles to be transported and just need to transport the AA, since the AA works independently.
  If you with to implement indirect AA assignment, you should identify the roles (from the tables I've provided in my last post) and findout the roles based on query's. Further the AA that were related to the queries should be added using S_RS_AUTH and these roles require a transport.
  Hope this helps!!
  @Arpan - Those tables are required to quickly find out the roles Vs queries Vs InfoAreas/InfoCubes information to work on the AA.
  Regards,
  Raghu

• Sizing SEM-BPS

  Hello Sirs,
  I have to make a BI sizing with SEM-BPS module. The problem I have is that in quicksizer there is no way neither no guide to size SEM-BPS module.
  Could you please help me on how to make SEM-BPS sizing? Is there any guide to make it?
  thanks.
  regards,
  Filipe Vasconcelos

  Hi Filipe,
  when you maintain your quicksizer project, there is a link called "Help" on the top right side. This will give you a more detailed explanation on how to fill out the section for Business Planning. Otherwise the sizing is the same as for BI/BW.
  Regards,
  Marc
  SAP NetWeaver RIG

• How SEM BPS works with SAP BW

  Hi,
  How SEM BPS works with SAP BW.
  how to save planned in SAP BW.
  how to work with the data in Basic cubes and Transaction cubes.
  what is the relation between these two cubes.
  Thanks,
  cheta.

  hi,
  chk the link for BPS
  https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/7c85d590-0201-0010-20b5-f9d0aa10c53f
  Can any body send the material for BPS?
  Authorization for BPS
  Ramesh