Authorization 0BI_ALL
Hi experts.
I have a problem with the authorization object 0BI_ALL. I have one authorization object, ZRLF, with the characteristic 0country ("CL"). In the role for the "X" user I assign the corresponding ZRLF, but only if I add the authorization object 0BI_ALL to the role does the function module show me country values; when I remove 0BI_ALL from the role, no values appear when I execute the function module.
I need one authorization object that replaces 0bi_all.
R.A.
BI.
Hi R.A,
And I have an object of authorization created with the values granted for that country and this object is in the role of the user but the restriction is not working.
I suggest:
- First check whether there is any 0BI_ALL in your particular user/authorization, since it will give full authorization. If yes, please omit it.
- Create all authorization objects in RSECADMIN for all your InfoObject authorizations within your InfoProvider.
- Create an authorization profile whose purpose is to join the S_RS_AUTH and RSECADMIN authorization objects.
- Apply that authorization profile to the user profile in t-code SU01.
Hopefully it can help you a lot.
Regards,
Niel.
thanks for any points you choose to assign.
Similar Messages
-
Problem with analysis authorization- 0BI_ALL always needed
Dear all:
We have a serious issue with so-called "analysis authorization" now. We have an auth-restricted user who only has authorization to access data for one company code. We also created a BI authorization in analysis authorization and assigned the following auth-relevant objects to this authorization:
0TCAACTVT = 01-03
0TCAIPROV = ALL
0TCAVALID = ALL
0TCAKYFNM = ALL
0COMP_CODE = A001
And we create one query with only company code and number of employees in the row and column. But every time we execute this query, there is always the message "No Authorization". We used ST01 to trace and the result shows we need to have "0BI_ALL" in auth object S_RS_AUTH. If we add 0BI_ALL, all company code data will display, which is definitely no auth restriction at all. Is there any specific authorization setting we need to do?
We are stuck here pretty bad. Thank you all in advance for any input.
BR
SF
Hi,
I guess the authorization profile is active, and in the Tcode PFCG -> Role name -> User tab page (user comparison is done).
Check if any of the tab pages shows a red light.
And assignment of 0BI_ALL is not a solution, as any user can do anything in the system.
Also do not forget to log off and log in to the system after changing any of the authorization profiles to see the changes that have happened.
Hope that helps.
Regards
Mr Kapadia
Assigning points is the way to say thanks in SDN. -
Roles and authorization - 0BI_ALL
Hi all,
I have a problem creating a proper role for our users in SEM-BCS. The problem is in the transaction ucmon. They can't see the list of journals unless I give them authorization object S_RS_AUTH with 0BI_ALL. But I don't want to use 0BI_ALL because they see all data and they shouldn't.
I created two authorizations in rsecadmin and put them into the role in S_RS_AUTH: one with InfoObject ZIOCELOK and one with ZIOICOUJ, and gave them values so that the user sees only his data. I also added But he still can't see it. I ran the rsecadmin analysis and found this in the error logs, but I don't have a clue what this means.
Following Set Is Checked Comparison with Following Authorized Set Result
Characteristic Content(in SQL Format) Characteristic Content(in SQL Format) Not Authorized
0TCAACTVT NOT ZIOCELOK = 'KAP10' ZIOICOUJ I EQ 00699021
ZIOCELOK AND ZIOICOUJ = '00699021' I EQ 30806101 Not Authorized
ZIOICOUJ AND 0TCAACTVT = '03' I EQ 31819559
I EQ 35822163
0TCAACTVT I EQ 03
ZIOCELOK I EQ KAP10
All Authorizations Tested
Message EYE007: You do not have sufficient authorization
No Sufficient Authorization for This Subselection (SUBNR)
Following CHANMIDs Are Affected:
477 ( ZIOCELOK )
478 ( ZIOICOUJ )
Authorization Check Complete
PLS help
Edited by: Martin Zluky on Jul 30, 2010 10:12 AM
Hi,
here is the full error log. Please take a look. ZIOCELOK is a variable in ISJUS_BCS, which is our infocube from where ucmon
is getting data.
Authorization Check Log
For a general description see the Note 1234567
Date and Execution Time (Local Server)
Execution Date: 05.08.2010
Execution Time: 08:11:24
TransactionUCWB_INT ( List of Totals Records )
Executed by User TE001019
Executed with Analysis Authorizations of Another UserTE001019
Software Component Release Level Support Package
SAP_ABA 700 0019 SAPKA70019
SAP_BASIS 700 0019 SAPKB70019
SAP_BW 700 0021 SAPKW70021
InfoProvider Check
Building the Buffer...
...Buffer Built
Are there authorizations for accessing InfoProvider ISJUS_BCS with activity 03?
Authorization exists for general access to InfoProvider ISJUS_BCS with activity 03
Relevant Characteristics for Detailed Authorization Check
(Characteristics with Full Authorization Are Not Listed!)
List of Effective Authorization-Relevant Characteristics for InfoProvider ISJUS_BCS:
ZIOCELOK
ZIOICOUJ
0TCAACTVT
Authorization Check
Detail Check for InfoProvider ISJUS_BCS
Preprocessing:
Selection Checked for Consistency, Preprocessed and Supplemented As Needed
Subselection (Technical SUBNR) 1
Check Node Definitions and Value Authorizations...
Node- and Value Authorizations Are OK
End of Preprocessing
Filling the Buffer...
...Buffer Filled
Main Check:
Subselection (Technical SUBNR) 1
Supplementation of Selection for Aggregated Characteristics
No Check for Aggregation Authorization Required
Following Set Is Checked Comparison with Following Authorized Set Result Remaining Set
Characteristic Content(in SQL Format)
0TCAACTVT
ZIOCELOK
ZIOICOUJ
ZIOICOUJ IN ('00699021','30806101','31819559','35822163')
AND 0TCAACTVT = '03'
AND ZIOCELOK LIKE *
Characteristic Content(in SQL Format)
0TCAACTVT I EQ 03
ZIOCELOK I EQ KAP10
ZIOICOUJ I EQ 00699021
I EQ 30806101
I EQ 31819559
I EQ 35822163
Partially or Fully Authorized (Intersection) Partially or Fully Authorized (Intersection)
Characteristic Content(in SQL Format)
0TCAACTVT
ZIOCELOK
ZIOICOUJ
NOT ZIOCELOK = 'KAP10'
AND ZIOICOUJ IN ('00699021','30806101','31819559','35822163')
AND 0TCAACTVT = '03'
Value selection partially authorized. Check of remainder at end
Following Set Is Checked Comparison with Following Authorized Set Result Remaining Set
Characteristic Content(in SQL Format)
0TCAACTVT
ZIOCELOK
ZIOICOUJ
NOT ZIOCELOK = 'KAP10'
AND ZIOICOUJ IN ('00699021','30806101','31819559','35822163')
AND 0TCAACTVT = '03'
Characteristic Content(in SQL Format)
0TCAACTVT I EQ 03
ZIOCELOK I EQ KAP10
ZIOICOUJ I EQ 00699021
I EQ 30806101
I EQ 31819559
I EQ 35822163
Not Authorized Selection is not authorized
All Authorizations Tested
Message EYE007: You do not have sufficient authorization
No Sufficient Authorization for This Subselection (SUBNR)
Following CHANMIDs Are Affected:
477 ( ZIOCELOK )
478 ( ZIOICOUJ )
Authorization Check Complete -
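The set comparison this log walks through, modelled as an added example (not SAP code and not part of the original post): the requested selection is compared with the authorized set, and any remainder fails the whole check. The function names, the `*` marker and the single combined authorization are assumptions of this sketch; the characteristic values are copied from the log, and the narrowed selection is constructed for contrast.

```python
"""Simplified model of the 'checked set vs. authorized set' comparison.

Assumptions: one combined authorization (as the log displays it), and each
characteristic is either an explicit set of values or unrestricted ("*").
Intervals, patterns and hierarchy nodes are not modelled.
"""

ALL = "*"  # assumed marker: no restriction on this characteristic


def remainder(selection, authorized):
    """Return the part of the selection the authorization does not cover.

    Both arguments map characteristic -> set of values, or ALL.
    The result maps each uncovered characteristic to ("IN", values) or,
    when the selection was unrestricted, ("NOT IN", authorized values).
    """
    left = {}
    for char, wanted in selection.items():
        granted = authorized.get(char, set())
        if granted == ALL:
            continue  # full authorization on this characteristic
        if wanted == ALL:
            # Unrestricted selection against a restricted authorization:
            # everything outside the granted values is left over.
            left[char] = ("NOT IN", frozenset(granted))
            continue
        missing = set(wanted) - set(granted)
        if missing:
            left[char] = ("IN", frozenset(missing))
    return left


def check(selection, authorized):
    """All-or-nothing verdict: any remainder means the selection fails."""
    rest = remainder(selection, authorized)
    return ("Authorized" if not rest else "Not Authorized", rest)


# Values copied from the log above.
ICOUJ = {"00699021", "30806101", "31819559", "35822163"}
AUTHORIZED = {"0TCAACTVT": {"03"}, "ZIOCELOK": {"KAP10"}, "ZIOICOUJ": ICOUJ}
LOGGED_SELECTION = {"0TCAACTVT": {"03"}, "ZIOCELOK": ALL, "ZIOICOUJ": ICOUJ}

# Constructed for contrast: the same selection restricted to the granted value.
NARROWED_SELECTION = dict(LOGGED_SELECTION, ZIOCELOK={"KAP10"})

# What a universal authorization amounts to in this model.
UNIVERSAL = {char: ALL for char in AUTHORIZED}

if __name__ == "__main__":
    for name, sel, auth in [
        ("logged selection", LOGGED_SELECTION, AUTHORIZED),
        ("narrowed selection", NARROWED_SELECTION, AUTHORIZED),
        ("logged selection, universal auth", LOGGED_SELECTION, UNIVERSAL),
    ]:
        verdict, rest = check(sel, auth)
        print(f"{name}: {verdict} remainder={rest}")
```

The first case reproduces the log's remaining set, `NOT ZIOCELOK = 'KAP10'`, which is why the check ends in "Not Authorized" even though every granted value is present.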
Report authorization problem 0BI_ALL
Hi Experts,
I have had an issue pending for a few days (trying to solve it on my own, but all the time some other error is popping up).
There are 2 reports which need to be assigned to 2 users. I can log in and see the report in Analyzer (on the user's desktop) and in SAP directly, but the user is facing a problem when logging in:
First, Analyzer was giving the error "an error occurred while communicating with BI serv". I figured out that the value RFCH was missing; that was added. After that, in su53 the system asked for authorization RSRT, which was added (but I am not sure if it is OK). Now it says authorization 0BI_ALL is missing.
So for sure I cannot give 0BI_ALL, but how to fix the problem?
Hi
Your issue was not clear as per my understanding. If the user is getting the issue when opening BEx, then that is a different issue because of the GUI.
Now, if the user is able to log in to the system and is getting issues when executing the report, then the issue is with missing authorizations.
You have not mentioned your authorization model. If you are using RSECADMIN, then log in with a developer ID, go to RSECADMIN and under Analysis select Execute As, provide the user ID name, tick the check box With Log and start the transaction. Provide your report; once it gives the error, come back to the same screen and check the log. It will give you a clear picture of the missing authorizations.
Regards
Jagadeesh -
SAP BO WebI Report on top of BI Bex Query with Authorization Variable
Hi,
We are trying to restrict row level data using BI 7.0 analysis authorization concept. We have an authorization variable in the Bex query and is working perfect in Bex Analyzer as well as in RSRT.
Now we are trying to achieve the same thing in BO WebI. We created a Universe using Authentication Mode SSO. We are on BOXI 3.1 and implemented SSO. When we try to run the query in WebI we get the error
"A database error occured. The database error text is: Error in MDDataSetBW.GetCellData..(WS 10901)"
Just for testing purpose, when we use query filter in WebI and use Values from List, it is showing only the authorized value it supposed to show and runs well with that value selected. But we have to achieve this without the query filter in WebI.
So are we missing some thing here or any patch issue? Please share if you have done this type of reports in BO.
Thanks in advance for your help.
Moorthy.
Yes I did run MDXTEST and it gives the error 'you do not have sufficient authorization'. The reason it is giving, I guess and we are debugging that to confirm, is that first it looks for 0BI_ALL and throws an error, which is not the case in BEx. See the following trace in RSRT trace.
InfoObject Properties Defined
Reading of Directly Assigned Authorizations
Direct Assignment Does Not Include Universal Authorization 0BI_ALL
Reading the Indirect Assignments with Authorization Object S_RS_AUTH
Does user have OBI_ALL?
No, the User Does Not Have Universal Authorizion 0BI_ALL
Negative Entry in SU53 Result of Failed Check for 0BI_ALL
Indirect assignments found; no universal authorization
Reduction of Authorization Dimensions on Characteristics in InfoProvider
Reduction Successful
Thanks!
Moorthy -
Hierarchy Node Authorization Issue
Hello Experts,
I am trying to restrict a user from seeing the complete hierarchy. The user should only be able to see the text node "text1" and below.
I did the following:
1) Using Tcode RSECADMIN I created an Authorization Object ZTEST2 for 0COMP_CODE hierarchy at node level "text1".
2) I have assigned user "User1" to the Authorization object ZTEST2.
Now, when I click on the "Analysis" tab and click on "Execute As" as user "User1" and then I check the "RSRT" to execute a query that has Company Code hierarchy as a variable. When I click on the prompt for variable input for hierarchy I see the hierarchy name, and then when I execute the query I get to see the complete hierarchy.
I would really appreciate if somebody could point me where I am wrong.
I see the following in the error log:
Buffering the Authorization Data
Buffering for InfoProvider 0FIGL_C10 and Users ABARAPATRE
InfoObject Properties Defined
Reading of Directly Assigned Authorizations
Direct Assignment Does Not Include Universal Authorization 0BI_ALL
Reading the Indirect Assignments with Authorization Object S_RS_AUTH
Does user have OBI_ALL?
Yes, the User Has Universal Authorization 0BI_ALL
Indirect Assignment Includes Universal Authorization 0BI_ALL
All Other Assignments Will Be Ignored
The Following Value Authorizations Were Found
TCTAUTH TCTIOBJNM TCTSIGN TCTOPTION TCTLOW TCTHIGH
0BI_ALL 0COMP_CODE I CP *
Thanks.
Regards,
bw_newbie
Hi,
0BI_ALL will include all the analysis authorizations created on the InfoObject level. So if a user has 0BI_ALL, by default he is authorized for all the analysis authorizations that you create, even if you do not assign these explicitly to the user. For your scenario, you need to remove the 0BI_ALL auth.
Rgds,
Hari -
Authorization issue "No authorization"
Dear gurus,
I created an analysis authorization using tx. RSECADMIN; this contains the IO 0COSTCENTER restricted with some value, and also contains the IOs 0TCAACTVT, 0TCAIPROV, 0TCAVALID. Then I assigned it to a role using tx. PFCG. But when the query is executed, the following message appears: "No authorization". Using a trace tool, it appears to require the analysis authorization 0BI_ALL, but if I give this authorization, it doesn't restrict the IO 0COSTCENTER as wanted.
Please let me know what is missing.
Best regards,
Pilar Infantas.
Remove the 0BI_ALL object from the user's profile and try executing as below; it should give you the missing authorization object values.
Go to RSECADMIN > Analysis > Execution as User --> enter the user name you are executing the query with
Check box --> With Log option
Select the RSRT option
Hit the Start Transaction button; it should show you the authorization errors with the authorization objects missed.
If not,
again RSECADMIN > Analysis > Error Logs --> check the latest time stamp for that particular user and analyse the authorization issues
Hope it Helps
Chetan
@CP -
0Orgunit(hierarchy) and authorization object display getcell error in Webi
Hello,
We are facing a GetCellData error in WebI to SAP BEx Query.
This works perfectly fine in BEx for a particular test user who has access to a particular org unit value.
But in WebI we are getting this GetCellData error.
Tried all the options and messages as recommended in the SDN group.
mdxtest returns no value.
Looked at all the messages below but no luck.
GetCellData error in WebI to SAP BEx Query
Re: SAP BO WebI Report on top of BI Bex Query with Authorization Variable
In RSECADMIN, we get the same error as mentioned in the message below:
Hierarchy Authorization doesn't work for MDX but works for BEx Query.
Is any authorization required for this user to execute and view the authorized values in WebI?
Or do we have to assign any authorization? (0BI_ALL is not assigned.)
Please find below screenshots of the BEx query auth log or WebI auth log (differences).
Bex auth log:
The Following Attributes Are Authorized and Thus Are Visible
0BBPPURGRPX
0BBPPURORGX
0BBP_BUYID
0BBP_ISCOMP
0BUS_AREA
0COMP_CODE
0CO_MST_AR
0CRMSALGRPX
0CRMSALOFFX
0CRMSALORGX
0CRMSRVTGRP
0CRM_SALGRP
0CRM_SALOFF
0CRM_SALORG
0CRM_SRVORG
0LEAVERS
0LOGSYS
0MAST_CCTR
0PERS_AREA
0PERS_SAREA
0PLANT
0PURCH_ORG
0PUR_GROUP
0SALESORG
0SALES_GRP
0SALES_OFF
The above log is missing from the mdxtest auth log.
Is this the issue?
Any quick response or help is really appreciated.
Regards,
Ravi
Edited by: Ravi Gadicherla on Feb 28, 2010 5:36 PM
Hi,
Here is the log of MDXtest:
Buffering the Authorization Data
Buffering for InfoProvider 0PA_C01 and Users HRTEST93
InfoObject Properties Defined
Reading of Directly Assigned Authorizations
Direct Assignment Does Not Include Universal Authorization 0BI_ALL
Reading the Indirect Assignments with Authorization Object S_RS_AUTH
Does user have OBI_ALL?
No, the User Does Not Have Universal Authorizion 0BI_ALL
Negative Entry in SU53 Result of Failed Check for 0BI_ALL
Indirect assignments found; no universal authorization
Regards,
Ravikanth -
Dear All,
A user UABC has been assigned a role RXYZ to execute the certain queries.
The role assigned has the following auth object..
S_RFC -> To access BEx Analyzer
S_RS_COMP, S_RS_COMP1 -> To restrict to queries of a particular InfoArea.
Currently, S_RS_AUTH -> 0BI_ALL
With the above authorization, all works fine.
But when I perform the following change, S_RS_AUTH -> A_TEST, where A_TEST is an analysis authorization, the user gets the error "Not Authorized for Infoprovider IDEC".
A_TEST has the following characteristics:
0PLANT ---> 001
0TCAACTVT --> 03
0TCAIPROV --> IDEC
0TCAVALID --> 31.12.2010.
Please let me know if anything is missing.
Regards
Ajit
Dear all,
My Error Log of RSECADMIN says
Buffering the Authorization Data
Buffering for InfoProvider ZMMIMMP01 and Users TEST_BWADMIN
InfoObject Properties Defined
Reading of Directly Assigned Authorizations
Direct Assignment Does Not Include Universal Authorization 0BI_ALL
Reading the Indirect Assignments with Authorization Object S_RS_AUTH
Does user have OBI_ALL?
No, the User Does Not Have Universal Authorizion 0BI_ALL
Negative Entry in SU53 Result of Failed Check for 0BI_ALL
Indirect assignments found; no universal authorization
Reduction of Authorization Dimensions on Characteristics in InfoProvider
Reduction Successful
Transformation of DB Data in Authorizations for the InfoCube
Check of Authorizations for Validity (Characteristic 0TCAVALID)
Alpha Exit and Interval Checks
...Interval Definitions OK
Authorization-Releveant Characteristics for Which There Is No Complete Authorization CHANM CHANMID
0PLANT 0
Buffering of Authorization Data Complete -
WAD - Navigation Attribute authorization
Hello Expert,
I have created a WAD report containing an analysis and two dropdown items.
One filters a characteristic (profit centrum) and the other one filters a navigation attribute of the same characteristic (resp. person of PC). Both the characteristic and the attribute are marked as authorization relevant.
If I run the report under my account having profile SAP_ALL and analytical authorization 0BI_ALL, the report works as it should. But if I run it under a test account that has a role ZBI_BEX_ENDUSER that should contain all sufficient authorizations to run any report and analytical authorization 0BI_ALL, then the report also runs OK, just the dropdown with the navigation attribute (responsible person) is disabled (greyed out) with a text "no data". The other dropdown (PC) works fine.
The navigation attribute is even included in the analysis and all the values are displayed there and I can even filter on it, and then the filtered value is populated into the previously disabled dropdown list.
Since I do not see any difference between the two users besides the authorisation, I reckon that the issue must be somehow authorization related but I cannot find how.
Can anyone help?
Regards
Jiri
Hi Haran,
You have to consider this in the ABAP code of the user exit variable:
In a DSO you already have the user name and values which he is allowed to see. Just go into this DSO and read the entries from the DSO with user ID as selection criteria. Example:
USERID PLANT
XY 1000
XY 2000
YZ 3000
DSO name: ZOPLANT
Key fields in DSO: UserID & Plant
ABAP code would look like: select plant from /bic/azoplant00 where userID = sy-uname.
I hope this helps.
Aban -
Error While Executing Report - "Field symbol has not yet been assigned."
Dear All,
I am using Cube 0PP_C01, which is filled with DataSource 2LIS_04_P_MATNR.
Based on this Cube I developed a report.
The 0MRP_CONTRL characteristic is filled using 0MATERIAL master data.
Authorization in this report is based on Characteristic 0MRP_CONTRL & 0PLANT.
While running the report the user gets the error "Field symbol has not yet been assigned" and Analyzer just quits.
Also getting a dump in tcode ST22.
This problem occurs when limited authorization for 0MRP_CONTRL & 0PLANT is assigned to the user; if I provide full authorization 0BI_ALL, then the report runs fine.
When I remove the 0MATERIAL characteristic from the report, the report runs fine, and when I put 0MATERIAL in the report it gives the error.
Please suggest what to do, as I cannot give the user the 0BI_ALL right in RSECADMIN.
Please help.
Regards,
Divyesh Khambhati.
Hello Shashank,
Thanks for your reply.
No, material is not checked as authorization relevant.
Is it required to make 0MATERIAL authorization relevant?
I made 0MATERIAL authorization relevant and assigned all-material authorization to the user, but the error is still coming.
I do not have any idea regarding this colon authorization; if possible, can you explain how I can use this colon authorization?
Divyesh Khambhati
Edited by: Divyesh M Khambhati on Oct 2, 2010 10:29 AM -
Hello
We have installed BI 7.0. When I try to view a query in BEx, I get the message "No authorizations".... On the BI side I have assigned the SAP_ALL and SAP_NEW profiles.
Could anybody give me advice?
Thanks in advance
Best Regards,
Arunas Stonys
Hi:
There is an option in the IMG (tx SPRO), under reporting relevant settings, where you can set the analysis authorization concept back to the 3.x type reporting authorizations. You can run in SAP NetWeaver BI 2004s using 3.x reporting authorizations.
When you are ready to go ahead with the new analysis authorizations, keep in mind that the special authorization 0BI_ALL is the one you need to give you access to all authorization-relevant infoproviders.
It would make sense to look into concepts like report RSEC_MIGRATION, and transaction RSECADMIN, but make sure you have an understanding of the authorization concept before moving ahead with it in your project plan.
Thanks for any points you choose to assign.
Best Regards -
Ron Silberstein
SAP -
Problem with 0BI_ALL Authorizations
Hi,
I created a new authorization using TCODE: RSECADMIN to validate the 0PLANT characteristic; the user is only authorized to see Plant C101.
When I execute the BEx report, it needs the 0BI_ALL authorization to work correctly, but the 0BI_ALL authorization allows access to all plants.
How do I deactivate 0BI_ALL for the 0PLANT characteristic?
Regards,
Mariangel Barroso
Hi,
Authorization checks are enforced via authorization object S_RS_AUTH and the only valid value to get past the check is 0BI_ALL, which is the equivalent of saying "all of your authorization relevant objects". Not good if you have any, because users that were restricted will not be after giving this access. Hence kindly restrict plants via the TCTAUTH field and check with BI consultants regarding the nodes for the hierarchy structure. Run the analysis authorization trace in Quality by giving the necessary plant values in the TCTAUTH field. Please let me know if it helps.
Regards
Aveek. -
0BI_ALL and additional analysis authorizations
Hi there
A user has two authorization objects assigned via RSECADMIN:
0BI_ALL
CO_001: limits the user to a special infoprovider 0TCAIPROV, activity 0TCAACTVT and validity 0TCAVALID.
Does 0BI_ALL overwrite the limitation of CO_001 in such a way that this user will be able to access all data? Does 0BI_ALL work similarly to SAP_ALL?
thanks
BEO
Hi Beo,
Kindly have a look at below note and link,
820183 - New authorization concept in BI
http://help.sap.com/saphelp_nw70/helpdata/en/e3/fc8b41b5b3b45fe10000000a1550b0/content.htm
Special Authorization for Everything: 0BI_ALL
An authorization for all values of all authorization-relevant characteristics is created automatically in the system. It has the name 0BI_ALL. It can be viewed, but not changed. Every user that receives this authorization can access all the data at any time. Each time an InfoObject is activated and the property authorization relevant is changed for the characteristic or a navigation attribute, 0BI_ALL is changed. A user that has a profile with the authorization object S_RS_AUTH and has entered 0BI_ALL there (or has included it, for example with the pattern *) has complete access to all data.
Hope this helps.
Regards,
Mani -
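One way to audit for the condition the quoted help text describes, a role whose S_RS_AUTH value is 0BI_ALL or includes it through a pattern such as `*` (an added example, not SAP code and not part of the original answer). The CSV layout, the role names and the sample rows are constructed; BIAUTH is the S_RS_AUTH field that carries the analysis authorization name, and the from-to range check uses plain string ordering as a simplifying assumption.

```python
import csv
import io

TARGET = "0BI_ALL"  # the universal analysis authorization named on this page


def covers_target(low, high=""):
    """True if a single authorization value (or from-to range) includes TARGET."""
    low, high = (low or "").strip(), (high or "").strip()
    if high:
        # Assumption: ranges are compared as plain strings.
        return low <= TARGET <= high
    if low.endswith("*"):
        # "*" alone matches everything; "0BI*" matches by prefix.
        return TARGET.startswith(low[:-1])
    return low == TARGET


def roles_granting_all(rows):
    """Return (role, low, high) for every S_RS_AUTH value that covers 0BI_ALL."""
    hits = []
    for row in rows:
        if row["OBJECT"] != "S_RS_AUTH" or row["FIELD"] != "BIAUTH":
            continue  # other authorization objects are out of scope here
        if covers_target(row["LOW"], row.get("HIGH")):
            hits.append((row["ROLE"], row["LOW"], row.get("HIGH") or ""))
    return hits


def load(text):
    """Parse a role/authorization-value export in the assumed CSV layout."""
    return list(csv.DictReader(io.StringIO(text)))


# Constructed sample export: role names and values are illustrative only.
SAMPLE = """ROLE,OBJECT,FIELD,LOW,HIGH
ZROLE_FULL,S_RS_AUTH,BIAUTH,0BI_ALL,
ZROLE_PLANT,S_RS_AUTH,BIAUTH,ZPLANT_C101,
ZROLE_STAR,S_RS_AUTH,BIAUTH,*,
ZROLE_PREFIX,S_RS_AUTH,BIAUTH,0*,
ZROLE_RANGE,S_RS_AUTH,BIAUTH,0A,0Z
ZROLE_QUERY,S_RS_COMP,ACTVT,*,
"""

if __name__ == "__main__":
    for role, low, high in roles_granting_all(load(SAMPLE)):
        value = f"{low} - {high}" if high else low
        print(f"{role}: S_RS_AUTH/BIAUTH = {value} includes {TARGET}")
```

Only the role restricted to its own named authorization passes; the explicit entry, both patterns and the range all resolve to unrestricted access.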
Error in BO Webi using Authorization analysis in Bex with hierarchy display
Hi Experts ,
When we run the WebI report created on a BEx query which has 0comp_code restricted with a characteristic variable of processing type Authorization and Not ready for input.
The hierarchy display is active in BEx (as we want to see L01, L02.... in WebI)
The authorization analysis is working perfectly when I test in BEx Analyzer (at any drill-down level).
But in BO WebI, I get the error below:
The database error text is: The supplied XML is not valid. [char name & Level].
I don't get this error when I deactivate hierarchy display in BEx.
Also, I don't get this error for user IDs having 0BI_ALL.
Please help me to resolve this.
Thanks
Savio
Hi Atul,
You can achieve this by dragging these two fields into the filter bar section of the WebI, then applying variables on these fields.
hope it helps
Regards,
Rathy