Authorization 0BI_ALL

Hi expert.
I have a problem with the object of authorizatión 0BI_ALL, i have one object of authorization ZRLF with the characteristic 0country ("CL") in the rol for the "X" user i assign the corresponding ZRLF but only if aggregate the object of authorization 0BI_ALL in the rol the function module it shows to me values of country, when i suppress 0BI_ALL from the rol don`t appears values in the exectue function module.
i need one object authorization that it replaces 0bi_all
R.A.
BI.

Hi R.A,
And I have an object of authorization created with the values granted for that country and this object is in the roll of the user but the restriction is not working.
I suggest to :
- Check out first whether any 0BI_ALL in ur particular user/authorization since it will give full authorization. If yes, please omit it.
- Create all object authorization in RSECADMIN for all ur info-object authorization within ur info provider.
- Create authorization profile whose purpose to join between S_RS_AUTH and RSECADMIN authorization object.
- Apply that authorization profile into user profile in t-code SU01.
Hopefully it can help you a lot.
Regards,
Niel.
thanks for any points you choose to assign.

Similar Messages

Problem with analysis authorization- 0BI_ALL always needed

Dear all:
we have a serious issue on so-called "analysis authorization" now. We have auth-restricted user who only have authorization to access data on one company code. We also create a BI-authorization in analysis authorization and assign the following auth-relevant object to this authorization-
0TCAACTVT = 01-03
0TCAIPROV = ALL
0TCAVALID = ALL
0TCAKYFNM = ALL
0COMP_CODE = A001
And we create one query with only company code and number of employee in the row and column. But everytime we execute this query, there s always message" No Authorization". We used ST01 to trace and the result shows we need to have "0BI_ALL" in auth object S_RS_AUTH. If we added 0BI_ALL, all company code data will display, which definitely no auth restriction at all. Is there any specific authorization setting we need to do?
We are stuck here pretty bad. Thank you all in advance if any input.
BR
SF

Hi,
I guess the Authorization profile is active , and in the Tcode PFCG -> Role name -> User tab page ( user comparision is done ).
Check if any of the tab page shows red light .
And assignment of 0BI_ALL is not a solution , as any user can do anything in the system.
Also do not forget to log - off and log-in into system after changing into any of the authorization profile to see changes that had happened.
Hope that helps.
Regards
Mr Kapadia
Assigning points is the way to say thanks in SDN.

Roles and authorization - 0BI_ALL

hi all,
i have problem creating a proper role for our users in sem-bcs. The problem is in the transaction ucmon. They cant see the list of journals unless i give them authorization object S_RS_AUTH with 0BI_ALL. But i dont want to use 0BI_ALL because they see all data and they shouldnt.
I created two authorizations in rsecadmin and had put them into the role in S_RS_AUTH:: one with infoobject ZIOCELOK and one with ZIOICOUJ and gave them values that the user needs to see only his data. I also added But he still cant see it. I run rsecadmin analysis and found this in error logs, but i dont have a clue what does this mean.
Following Set Is Checked          Comparison with Following Authorized Set          Result
Characteristic     Content(in SQL Format)     Characteristic     Content(in SQL Format)     Not Authorized
0TCAACTVT     NOT ZIOCELOK = 'KAP10'     ZIOICOUJ     I EQ 00699021
ZIOCELOK     AND ZIOICOUJ = '00699021'          I EQ 30806101      Not Authorized
ZIOICOUJ     AND 0TCAACTVT = '03'             I EQ 31819559
                                                 I EQ 35822163
                                               0TCAACTVT       I EQ 03
                                                 ZIOCELOK I EQ KAP10
All Authorizations Tested
Message EYE007: You do not have sufficient authorization
No Sufficient Authorization for This Subselection (SUBNR)
Following CHANMIDs Are Affected:
477 ( ZIOCELOK )
478 ( ZIOICOUJ )
Authorization Check Complete
PLS help
Edited by: Martin Zluky on Jul 30, 2010 10:12 AM
Edited by: Martin Zluky on Jul 30, 2010 10:12 AM

Hi,
here is the full error log. Please take a look. ZIOCELOK is a variable in ISJUS_BCS, which is our infocube from where ucmon
is getting data.
Authorization Check Log
For a general description see the Note 1234567
Date and Execution Time (Local Server)
Execution Date: 05.08.2010
Execution Time: 08:11:24
TransactionUCWB_INT ( List of Totals Records )
Executed by User TE001019
Executed with Analysis Authorizations of Another UserTE001019
Software Component     Release     Level     Support Package
SAP_ABA     700     0019     SAPKA70019
SAP_BASIS     700     0019     SAPKB70019
SAP_BW     700     0021     SAPKW70021
InfoProvider Check
Building the Buffer...
...Buffer Built
Are there authorizations for accessing InfoProvider ISJUS_BCS with activity 03?
Authorization exists for general access to InfoProvider ISJUS_BCS with activity 03
Relevant Characteristics for Detailed Authorization Check
(Characteristics with Full Authorization Are Not Listed!)
List of Effective Authorization-Relevant Characteristics for InfoProvider ISJUS_BCS:
ZIOCELOK
ZIOICOUJ
0TCAACTVT
Authorization Check
Detail Check for InfoProvider ISJUS_BCS
Preprocessing:
Selection Checked for Consistency, Preprocessed and Supplemented As Needed
Subselection (Technical SUBNR) 1
Check Node Definitions and Value Authorizations...
Node- and Value Authorizations Are OK
End of Preprocessing
Filling the Buffer...
...Buffer Filled
Main Check:
Subselection (Technical SUBNR) 1
Supplementation of Selection for Aggregated Characteristics
No Check for Aggregation Authorization Required
Following Set Is Checked     Comparison with Following Authorized Set     Result     Remaining Set
Characteristic     Content(in SQL Format)
0TCAACTVT
ZIOCELOK
ZIOICOUJ
     ZIOICOUJ IN ('00699021','30806101','31819559','35822163')
AND 0TCAACTVT = '03'
AND ZIOCELOK LIKE *
Characteristic     Content(in SQL Format)
0TCAACTVT     I EQ 03
ZIOCELOK     I EQ KAP10
ZIOICOUJ     I EQ 00699021
I EQ 30806101
I EQ 31819559
I EQ 35822163
     Partially or Fully Authorized (Intersection) Partially or Fully Authorized (Intersection)
Characteristic     Content(in SQL Format)
0TCAACTVT
ZIOCELOK
ZIOICOUJ
     NOT ZIOCELOK = 'KAP10'
AND ZIOICOUJ IN ('00699021','30806101','31819559','35822163')
AND 0TCAACTVT = '03'
Value selection partially authorized. Check of remainder at end
Following Set Is Checked     Comparison with Following Authorized Set     Result     Remaining Set
Characteristic     Content(in SQL Format)
0TCAACTVT
ZIOCELOK
ZIOICOUJ
     NOT ZIOCELOK = 'KAP10'
AND ZIOICOUJ IN ('00699021','30806101','31819559','35822163')
AND 0TCAACTVT = '03'
Characteristic     Content(in SQL Format)
0TCAACTVT     I EQ 03
ZIOCELOK     I EQ KAP10
ZIOICOUJ     I EQ 00699021
I EQ 30806101
I EQ 31819559
I EQ 35822163
     Not Authorized Selection is not authorized
All Authorizations Tested
Message EYE007: You do not have sufficient authorization
No Sufficient Authorization for This Subselection (SUBNR)
Following CHANMIDs Are Affected:
477 ( ZIOCELOK )
478 ( ZIOICOUJ )
Authorization Check Complete

Report authorization problem 0BI_ALL

Hi Experts,
I have few days pending issue (trying to solve on my own but all the time some other error is popping out)
There are 2 reports which need to be assign to 2 users. I can log in and see the report in Analyzer (on user desktop) and in SAP directly but user while login is facing problem:
1st Analyzer was giving error "an error occurred while communicating with BI serv" I figure it out that there s value RFCH missing.. that was added... after in su53 system asked for authorization RSRT- added (but not sure if it s ok ) now it says authorization 0BI_ALL missing
So for sure I cannot give 0BI_ALL but how to fix the problem??

Hi
Your Issue was not clear as per my understanding if user getting issue when opening Bex then that is different issue because GUI.
Now user can able to login to system and when executing report if he is getting issues then issue with missing authorizations.
You have not mention abt your Authorization model if you are using RSECADMIN then login with developer id and go to RSECADMIN and under Analysis select execute as provide user id name and tick check box With log and start the trasaction provide your report once it gives error then come back to same screen chek the log it will give you clear picture abt the missing authorizations.
Regards
Jagadeesh

SAP BO WebI Report on top of BI Bex Query with Authorization Variable

Hi,
We are trying to restrict row level data using BI 7.0 analysis authorization concept. We have an authorization variable in the Bex query and is working perfect in Bex Analyzer as well as in RSRT.
Now we are trying to achieve the same thing in BO webI. We created an Universe using Authentication Mode SSO. We are on BOXI 3.1 and implemented SSO. When we try to run the query in WebI we get the error
"A database error occured. The database error text is: Error in MDDataSetBW.GetCellData..(WS 10901)"
Just for testing purpose, when we use query filter in WebI and use Values from List, it is showing only the authorized value it supposed to show and runs well with that value selected. But we have to achieve this without the query filter in WebI.
So are we missing some thing here or any patch issue? Please share if you have done this type of reports in BO.
Thanks in advance for your help.
Moorthy.

Yes I did run MDXTEST and it gives error as 'you do not have sufficient authorization'. The reason it is giving, I guess and we are debugging that to confirm, is first it looks for 0BI_ALL and throws error which is not the case in Bex. See the following trace in RSRT trace.
InfoObject Properties Defined
Reading of Directly Assigned Authorizations
Direct Assignment Does Not Include Universal Authorization 0BI_ALL
Reading the Indirect Assignments with Authorization Object S_RS_AUTH
Does user have OBI_ALL?
No, the User Does Not Have Universal Authorizion 0BI_ALL
Negative Entry in SU53 Result of Failed Check for 0BI_ALL
Indirect assignments found; no universal authorization
Reduction of Authorization Dimensions on Characteristics in InfoProvider
Reduction Successful
Thanks!
Moorthy

Hierarchy Node Authorization Issue

Hello Experts,
I am trying to restrict a user from seeing the complete hierarchy. The user should only be able to see the text node "text1" and below.
I did the following:
1) Using Tcode RSECADMIN I created an Authorization Object ZTEST2 for 0COMP_CODE hierarchy at node level "text1".
2) I have assigned user "User1" to the Authorization object ZTEST2.
Now, when I click on the "Analysis" tab and click on "Execute As" as user "User1" and then I check the "RSRT" to execute a query that has Company Code hierarchy as a variable. When I click on the prompt for variable input for hierarchy i see the hierarchy name and then when i execute the query i get to see the complete hierarchy.
I would really appreciate if somebody could point me where I am wrong.
I see the following in the error log:
Buffering the Authorization Data
Buffering for InfoProvider 0FIGL_C10 and Users ABARAPATRE
InfoObject Properties Defined
Reading of Directly Assigned Authorizations
Direct Assignment Does Not Include Universal Authorization 0BI_ALL
Reading the Indirect Assignments with Authorization Object S_RS_AUTH
Does user have OBI_ALL?
Yes, the User Has Universal Authorization 0BI_ALL
Indirect Assignment Includes Universal Authorization 0BI_ALL
All Other Assignments Will Be Ignored
The Following Value Authorizations Were Found
TCTAUTH TCTIOBJNM      TCTSIGN TCTOPTION TCTLOW TCTHIGH
0BI_ALL    0COMP_CODE I              CP                *
Thanks.
Regards,
bw_newbie

Hi,
0BI_ALL will include all the analysis authorization created on the infoobject level. So if a user have 0BI_ALL, by default he is authorized for all the analysis auth that you create, even if you donot asisgn these explicitly to the user. For your scenario, you need to remove 0BI_ALL auth.
Rgds,
Hari

Authorization issue "No authorization"

Dears gurus,
I created an analysis authorization using tx. RSECADMIN, this contains the IO 0COSTCENTER restricted with some value, and also contains the IO: 0TCAACTVT, 0TCAIPROV, 0TCAVALID. When I assigned it to a role using tx. PFCG. But when the query is executed it appears the following message: "No authorization". Using a trace tool, it appears to requiere the analysis authorization 0BI_ALL, but if I give this authorization, it doesn't restrict the IO 0COSTCENTER as wanted.
Please let me know what is missing.
Best regards,
Pilar Infantas.

Remove 0BI_ALL object fro users profile and try executing as below it should give you the authorization objects values missing ..
goto RSECADMIN >Analysis>Execution as User -->enter the user name you are executing the query
Check box -->with Log option
select RSRT option
hit start transaction button ,it should show you the authoriztion errors with authorization objects missed.
if not
again RSECADMIN>Analysis>Error Logs-->check with the latest time stamp for that particular user and analyse the authorization issues
Hope it Helps
Chetan
@CP

0Orgunit(hierarchy) and authorization object display getcell error in Webi

Hello,
         We are facing with GetCellData error in WebI to SAP BEx Query.
         This works perfectly fine in Bex for a particular test user who has access to particular org unit value.
         But in Webi we are getting this Getcelldata error.
        Tried all the options and message as recommended in sdn group.
        mdxtest returns no value.
        looked at all below messages but no luck.
GetCellData error in WebI to SAP BEx Query
Re: SAP BO WebI Report on top of BI Bex Query with Authorization Variable
in the rsecadmin, we get the same error like mentioned in below message
Hierarchy Authorization doesn't work for MDX but works for BEx Query.
Is any authorization required for this user to execute and view the authorized values in Webi?
or we have to assign any authorization ?(0BI_ALL is not assigned).
Please find below screenshots of BEx query auth log or Webi auth log (differences)
Bex auth log:
The Following Attributes Are Authorized and Thus Are Visible
0BBPPURGRPX
0BBPPURORGX
0BBP_BUYID
0BBP_ISCOMP
0BUS_AREA
0COMP_CODE
0CO_MST_AR
0CRMSALGRPX
0CRMSALOFFX
0CRMSALORGX
0CRMSRVTGRP
0CRM_SALGRP
0CRM_SALOFF
0CRM_SALORG
0CRM_SRVORG
0LEAVERS
0LOGSYS
0MAST_CCTR
0PERS_AREA
0PERS_SAREA
0PLANT
0PURCH_ORG
0PUR_GROUP
0SALESORG
0SALES_GRP
0SALES_OFF
This above log is missing for mdxtest auth log.
Is this the issue?
Any quick reponse or help really appreciated.
Regards,
Ravi
Edited by: Ravi Gadicherla on Feb 28, 2010 5:36 PM

Hi,
    Here is the log of MDXtest:
Buffering the Authorization Data
Buffering for InfoProvider 0PA_C01 and Users HRTEST93
InfoObject Properties Defined
Reading of Directly Assigned Authorizations
Direct Assignment Does Not Include Universal Authorization 0BI_ALL
Reading the Indirect Assignments with Authorization Object S_RS_AUTH
Does user have OBI_ALL?
No, the User Does Not Have Universal Authorizion 0BI_ALL
Negative Entry in SU53 Result of Failed Check for 0BI_ALL
Indirect assignments found; no universal authorization
Regards,
Ravikanth

Authorization Error BI

Dear All,
A user UABC has been assigned a role RXYZ to execute the certain queries.
The role assigned has the following auth object..
S_RFC ->To access Bex Anakyzer
S_RS_COMP ,S_RS_COMP1 -> To restrict to queries of particular Infoarea.
Currently,S_RS_AUTH -> 0BI_ALL
With the above authorization ,all works fine.
But when perform the following change S_RS_AUTH -> A_TEST ; where A_TEST is analysis Authorization ;user gets error the "Not Authorized for Infoprovider IDEC"
A_TEST has following charateristics
0PLANT --->001
0TCAACTVT--> 03
0TCAIPROV--> IDEC
0TCAVALID-->31.12.2010.
PLease let me know if anything missing in the same.
Regrads
Ajit

Dear ALL
My Error Log of RSECADMIN says
Buffering the Authorization Data
Buffering for InfoProvider ZMMIMMP01 and Users TEST_BWADMIN
InfoObject Properties Defined
Reading of Directly Assigned Authorizations
Direct Assignment Does Not Include Universal Authorization 0BI_ALL
Reading the Indirect Assignments with Authorization Object S_RS_AUTH
Does user have OBI_ALL?
No, the User Does Not Have Universal Authorizion 0BI_ALL
Negative Entry in SU53 Result of Failed Check for 0BI_ALL
Indirect assignments found; no universal authorization
Reduction of Authorization Dimensions on Characteristics in InfoProvider
Reduction Successful
Transformation of DB Data in Authorizations for the InfoCube
Check of Authorizations for Validity (Characteristic 0TCAVALID)
Alpha Exit and Interval Checks
...Interval Definitions OK
Authorization-Releveant Characteristics for Which There Is No Complete Authorization CHANM CHANMID
0PLANT 0
Buffering of Authorization Data Complete

WAD - Navigation Attribute authorization

Hello Expert,
I have created a WAD report containing analysis and two dropdown items.
One filters a characteristics (profit centrum) and the other one filters navigation attribute of the same characteristics (resp. person of PC). Both the caracteristics and the attiribute are marked as authorization relevant.
If I run the report under my account having profile SAP_ALL and analytical authorizaction 0VI_ALL the reports works as it should. But if I run it under a test account that has a role ZBI_BEX_ENDUSER that should contain all sufficient authorizations to run any report and analytical authorization 0BI_ALL then the report runs also OK, just the dropdown with the navigation attribute (responsible person) is disabled (greyed out) with a text "no data". The other dropdown (PC) works fine.
The navigation attribute is even included in the analysis and all the values are displayed there and I can even filter on it and then the filtered value is populated into the previously disabled dropdown list.
Since I do not see any difference between the two users beside the authorisation I reckon that the issue must be somehow authorization related but I cannot find how.
Can anyone help?
Regards
Jiri

Hi Haran,
You have to consider in ABAP code of user exit variable this:
In a DSO you alreay have the user name and vaules, which he is allowed to see. Just go into this DSO and read the entries from DSO with user ID as selection criteria. Example:
USERID     PLANT
XY     1000
XY     2000
YZ     3000
DSO name: ZOPLANT
iKey fields in DSO: UserID & Plant
Abap code would look like: select plant from /bic/azoplant00 where userID = sy-uname.
I hope this helps.
Aban

Error While Executing Report - "Field symbol has not yet been assigned."

Dear All,
I am using Cube 0PP_C01 which filled with data Source 2LIS_04_P_MATNR.
Based on this Cube I had developed a report.
0MRP_CONTRL characteristic filled using 0MATERIAL master data.
Authorization in this report is based on Characteristic 0MRP_CONTRL & 0PLANT.
While running report User gets error u201CField symbol has not yet been assignedu201D & Analyzer just quit.
Also getting dump in tcode ST22.
This problem occurs when limited authorization of 0MRP_CONTRL & 0PLANT assigned to user & if I provide full authorization 0BI_ALL then report runs fine.
When I will remove 0MATERIAL characteristic from report then Report runs fine & at a time when I put 0MATERIAL in the report its gives error.
Please suggest me what to do as I can not give user 0BI_ALL right in RSECADMIN.
Please help.
Regards,
Divyesh Khambhati.

Hello Shashank,
Thanks for your reply.
No material is not checked for authorization relevant.
Is it required to make 0MATERIAL to be checked as Authorization relevant ??
I had make 0MATERIAL authorization relevant & assign all material Authorization to User but still error coming..
I do not have any idea regarding this colon authorization, if possible can you explaine me how I can use this colon authorization ?
Divyesh Khambhati
Edited by: Divyesh M Khambhati on Oct 2, 2010 10:29 AM

BEx queries in BI 7.0

Hello
We have installed BI 7.0. When i try to view query in BEx, i get a message No authorizations.... In BI side i have assigned SAP_ALL and SAP_NEW profiles.
Could anybody give me advice?
Thanks in advance
Best Regards,
Arunas Stonys

Hi:
There is an option in the IMG (tx SPRO), under reporting relevant settings, where you can set the analysis authorization concept back to the 3.x type reporting authorizations. You can run in SAP NetWeaver BI 2004s using 3.x reporting authorizations.
When you are ready to go ahead with the new analysis authorizations, keep in mind that the the special authorization 0BI_ALL is the one you need to give you access to all authorization-relevant infoproviders.
It would make sense to look into concepts like report RSEC_MIGRATION, and transaction RESADMIN, but make sure you have an understanding of the authorization concept before moving ahead with it in your project plan.
Thanks for any points you choose to assign.
Best Regards -
Ron Silberstein
SAP

Problem with 0BI_ALL Authorizations

Hi,
I created a new authorization using TCODE: RSECADMIN to validates the 0PLANT characteristic, the user is only authourized to see Plant C101.
When I execute the BEX report, it needs the 0BI_ALL authorization to work correctly but the 0BI_ALL authorization allow acces to all plants.
How do I do to deactivate the 0BI_ALL of the 0PLANT characteristic?
Regards,
Mariangel Barroso

Hi,
Authorization checks enforced via authorization object S_RS_AUTH and the only valid value to get past the check is 0BI_ALL which is the equivalent to saying
"all of your authorization relevant objects" Not good if you have any, because users that were restricted will not be after giving this access. Hence kindly restrict
plants via TCTAUTH field and check with BI consultants regarding the Nodes for Hierarchy structure. Run the analysis authorization trace in Quality by giving
the necessary palnt values in TCTAUTH field. Please let me know if it helps.
Regards
Aveek.

0BI_ALL and additional analysis authorizations

Hi there
A user has two authorization objects assigned via RSECADMIN:
0BI_ALL
CO_001: limits the user to a special infoprovider 0TCAIPROV, activity 0TCAACTVT and validity 0TCAVALID.
Does 0BI_ALL overwrite the limitation of CO_001 in that way, that this user will be able to access all data? Does 0BI_ALL works similar to SAP_ALL?
thanks
BEO

Hi Beo,
Kindly have a look at below note and link,
820183 - New authorization concept in BI
http://help.sap.com/saphelp_nw70/helpdata/en/e3/fc8b41b5b3b45fe10000000a1550b0/content.htm
Special Authorization for Everything: 0BI_ALL
An authorization for all values of all authorization-relevant characteristics is created automatically in the system. It has the name 0BI_ALL. It can be viewed, but not changed. Every user that receives this authorization can access all the data at any time. Each time an InfoObject is activated and the property authorization relevant is changed for the characteristic or a navigation attribute, 0BI_ALL is changed. A user that has a profile with the authorization object S_RS_AUTH and has entered 0BI_ALL there (or has included it, for example with the pattern *) has complete access to all data.
Hope this helps.
Regards,
Mani

Error in BO Webi using Authorization analysis in Bex with hierarchy display

Hi Experts ,
When we run the WEBI report created on bex query which has 0comp_code restricted with characteristic variable of processing type Authorization and Not ready for input.
The hierarchy display is active in Bex (as we want to see L01, L02.... in webi)
The authorization analysis is working perfectly when I test in Bex analyser (at any drill down level).
But in BO webi, I get below error
The database error text is: The supplied XML is not valid. [char name & Level].
I dont get this error when I deactivate hierarchy display in Bex.
Also I dont get this error for user ids having 0BI_ALL
Please help me to resolve this.
Thanks
Savio

Hi Atul,
You can achieve this by dragging these two fields in the filter bar section of the webi. then apply variables on these fields.
hope it helps
Regards,
Rathy

Authorization 0BI_ALL

Similar Messages

Maybe you are looking for