Authorization in BI7.0 - Estimation
Hello Experts,
We need to provide Estimation for Authorization Migration in BI7.0.
Client is getting migrated from 3.x to Bi7.0 now and we need to provide this estimation.
Can any one help me with the number of Man days for this aspect and the different topics which we need to take care of BI7.0 Authorization changes with respect to 3.x?
Thanks in advance for your help.
Raman
HI Raman,
We have recently migrated from 3.5 to BI7. It took 4 months to ramp up the project.
Stages:
Project preperation:
Auth requirement collection.
identification and assigment of data ownership(identify auth objects, roles and profiles).
freezing requirements
Installing BCT for new auth
System Bulid activities:
review migration of auth objects.
perform manual adjustments to bjects or queries..
User system/acceptance testing.....
Testing by users....
Go live........
Regards,
Raj
Similar Messages
-
Hi ,
I'm working on authorization concept for BI7 which seems to be having a conflicting statement.
User : Mary
InfoObject : ZORDER
Set 1 : Queries built on multiproviders within infoArea ZSALES should display ONLY order number 123.
Set 2 : Queries built on multiproviders within infoArea ZPROJECT should display ALL order numbers.
Its a conflicting scenario.
Its giving an output for ALL orders for both set 1 and set 2 queries.
Appreciate if anyone could provide some ideas if this is feasible to achieve within RSECADMIN.
Thank you.
Regards
Maili
Edited by: Maili06 on Jan 12, 2012 1:19 PMhi,
plz try creating the analysis auth objects for the mentioned scenarios can be:
1)1st auth object can have infoarea=ZSALES and order number=123
2)2nd auth object can have infoarea=ZPROJECT and order number=*
Both these analysis authorization objects can be assigned to the user via RSECADMIN.
In the auth profile, S_RS_AUTH = Inactive, read analysis auth from RSECADMIN and manual assignement.
regards
laksh -
User Authorization in BI7 Problem ListCube
Hi there,
In NW2004s BI7, under Win-server 2003, Oracle 10g
I created one custom role for User, to display DSO data only
Data displayed perfect through Transcation code: LISTCUBE but user can't export data into excel,
option is disabled or grayed out...
Here is Screenshot:
1. Goto ListCube
http://www.flickr.com/photos/25470985@N07/4171781095/sizes/o/
2. Display data any DSO and export to excel
http://www.flickr.com/photos/25470985@N07/4172536260/sizes/o/
3. User Custom's Authorization
http://www.flickr.com/photos/25470985@N07/4171781047/sizes/o/in/photostream/
Where I am getting wrong?
please advised me
Thank in Advance
AngelineHi,
This article shows to create authorization and making it not visible or Grey (reade this and reverse to unblock the authorization)
http://ecohub.sdn.sap.com/irj/scn/index?rid=/library/uuid/101fb4f5-eb7c-2c10-5daa-b479c47f0a14&overridelayout=true
follow the notes procedure it will solve your problem
Check this note 1145885
Check note 1222905. You have some settings to be able to export excel file. http://doa.louisiana.gov/ois/Service/Bulletin_Boards/HR/How%20to%20export%20data%20from%20SAP%20to%20Excel.pdf
hope this will help you
Thanks & Regards,
Ravi. -
Hierarhy Authorizations in BI7
Hi there experts. Am pretty new with the analysis authorization consept and I seem to have problems with it.
Am trying to create a costcenter hierarchy authorization for users and the result I get is either all or nothing, depending on what is maintained for S_RS_AUTH object. If it is * (biall) all hierarchies are displayed and if an authorization is added what I have made -> You don't have sufficient authorization.
For the role I have used the S_RS_RREPU template and added S_RSEC. For the Z -authorization I have used 0COSTCENTER (node 10000000107810 and type 0 tried 1 as well)
0TCAACTVT (01-03), 0TCAIPROV (), 0TCAKYFNM (), 0TCAVALID (*). The authorization is then assigned to user.
Now what could be wrong in here?
Thank you in advance!
MikkoHi,
Settings for Hierarchy Authorizations
Type of Authorization
You can define the authorization starting from a node of the hierarchy in different ways:
● 0 for the node
● 1 for a subtree below the node
● 2 for a subtree below the node up to and including a level (absolute)
You must define a level for this type. A typical example of an absolute level is data protection with regard to the degree of detail of the data (works council ruling: no reports at employee level only at more summarized levels).
● 3 for the entire hierarchy
● 4 for a subtree below the node up to and including a level (relative)
You must specify a level that is defined relative to the node for this type. It makes sense to specify a relative distance if an employee may only expand the hierarchy to a certain depth below his or her initial node, but this node moves to another level when the hierarchy is restructured.
Hierarchy Levels
For types 2 and 4 you can specify, in Hierarchy Level, the level to which the user can expand the hierarchy.
● With authorization type 2 (up to and including a level, absolute), the level refers to the absolute number of the level in the hierarchy where the top-most node of the hierarchy is level 1.
● With authorization type 4 (up to and including a level, relative) the level number refers to the number of levels starting from the selected node itself which is level 1.
Validity Area
In the Validity Area you specify in exactly which ways a hierarchy authorization has to match a selected display hierarchy for it to be included in the authorization check.
● Type 0 (very strict check): Name and version of the hierarchy upon which the hierarchy authorization is based have to agree with the selected display hierarchy. Your key date (the upper validity limit) has to be greater than or equal to the key date (the upper validity limit) of the selected display hierarchy.
● Type 1: The name and version of the hierarchy upon which the hierarchy authorization is based have to agree with the selected display hierarchy.
● Type 2: The name of the hierarchy on which the hierarchy authorization is based has to agree with the display hierarchy.
● Type 3 (least strict check): None of the three properties have to match.
Note that in some circumstances, setting a check level that is too low may lead to more nodes being selected using hierarchy node variables that are filled from authorizations, than actually exist in the display hierarchy for the query. This can cause an error message.
Note that hierarchy authorizations can calculate single values that are the end nodes (leaves) of non-displayed hierarchy, but that in this case, the strictest check type, which is 0, is valid.
As a general rule, make the check as strict as possible. The default is type 0.
GTR -
Hello,
how can I restrict the users to execute querries in just one single Infoarea in BI 7.0 (on all infocubes independet of any infoobject) by using the new Analysis Authorizations in transaction: RSECADMIN
or do I still need to maintain Standard Authorizations rs_comp ->rsinfoarea
thanx.Hi,
Pls chk this links;
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/ded59342-0a01-0010-da92-f6b72d98f144
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/fda2a990-0201-0010-5497-b81b1556df24
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/adeac294-0501-0010-5a97-9ac5d562b1be
Hope this helps,
regards
CSM Reddy -
Hi,
How to create authorization,so that each user is restricted to see only particular reports..
For example if there is three users, User1,User2 and User3..User1 is able to see three reports..like this for user2 and user3.
Also if two users having authorization to see same report, in report dropdown box should display values based on user..Dropdown box should not dispaly all values to two users..How to create authorization for above scenario.
Can anybody give step by step procedure..
I also studied in help link but cant understand,so if possible send documents with screen shots to [email protected]
Regards
PrakashYou should try by first creating an authorization object in RSECADMIN .
In this authorization object try to assingn your restriction for values of characteristics and hierarchy nodes etc.
Then assign it to a reporting user..directly or through a role
Now..In the query create a variable with processing type as authorization .
I think this much won't take much of your time..If you find difficulty in any step ..put it as ur query..
<b>This very very useful documentvery</b> this is very detailed and illustrative...
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/ded59342-0a01-0010-da92-f6b72d98f144
Go through these links
http://help.sap.com/saphelp_nw04s/helpdata/en/26/fd8b41b5b3b45fe10000000a1550b0/content.htm
http://help.sap.com/saphelp_bw33/helpdata/en/80/1a6859e07211d2acb80000e829fbfe/content.htm
Authorization Error
Message was edited by:
rocks
Message was edited by:
rocks -
Authorization Check in BI7 using ABAP
Dear Experts,
i've got a question regarding how to check authorizations in BI7 using ABAP.
How do i check authorizations?
In Detail: I want to check, whether a user has the appropriate authorization to access an company code. For that i created an authorization in resecadmin restricted to one single company code. My user has this single authirization assigned.
In my coding i tried using 'RSEC_GET_AUTH_FOR_USER_MDATA' but it returns an empty table.
Any ideas how to check the authorizations?
Thanks & best regards,
DanielHi,
I am using RSEC_GET_AUTH_FOR_USER and it works fine as long as I test with rsudo testuser.
E_T_RANGESID gives back the authorized characteristic values.
But I have a problem with users with *-authorization. ET_RAGESID is empty and an exception is thrown "not authorized".
So, the coding doesn't work properly if I test with my own user, but yes, works in case that user has explicitly limited values. (btw, fetch the user via FM RSEC_GET_USERNAME beforehand).
I think I'll overcome this problem (maybe in connection with param I_NO_WARNINGS).
I'll keep you informed, though it's pretty late for Daniel or even you I guess...
(But maybe somebody else is interested...) -
Hi,
how can I control which variable is displayed for a characteristic in the BEx Query designer. I tried to use S_RS_COMP for this purpose and exspected that variables that are not in the name range of the authorization would not be diplayed in the BEx InfoCube Area.
I traced the access in ST01 and it looks like there is not authorization checked for the display of variables in BEx. Is there a different solution anybody knows?
We are using 3.0B with SP 22.
Regards,
MichaelHi Nuno,
you might want to use the Analysis tool to assist you in finding the issue. Please search the forum or refer to thread [Hierarhy Authorizations in BI7|Hierarhy Authorizations in BI7]
Cheers
SAP NetWeaver BI Organisation -
BI 7 authorization - Colon Sign
Hi ,
We are working on redesigning our BW3.5 authorization into BI7 authorization concept.
Previously , in BW3.5 via PFCG & RSSM we had controlled 0COSTCENTER by Hierarchy Level definition.
In PFCG , cost center had been assigned as ' ' blank sign.
But in BW7.3 , in RSECADMIN the authorization works only if i change the ' ' blank sign to : colon sign.
I have read up note 1140831 abt colon authorization.
Would like to know from the experienced ones if i could just replace ' ' with : sign instead.
I dont see any implication but just would like to know from anyone familiar with this incase i have missed out an important implication.
1. BW3.5
ZFW_GLOBAL Single Role Global
Manually SAP Business Information Warehouse - Reporting RSR
Manually Cost Center v. Hierarchy ZFWCOST
Manually Cost Center v. Hierarchy ZWFCOST_S00
Cost Center '' COSTCENTER
Unique ID for Authorization De ZFW_0COST_NGLOBAL TCTAUTHH
Regards
Mailihi,
well as far as i know authorization relevant for say queries on one multiprovider will be impacted and in case you do not want to add costcenter in all the queries, then you might have to create a role with : (colon) access and assign it to the users and in case of different multiproviders : (colon) can be used for data access role.
so you can say that : is used where minimal access is required and "" for full access(which is not used generally)
SAP note 1337102 might be helpful in this
Also refer the below thread it explain it litlle better with example and sceanrio
regards
laksh -
S_TABU_LIN from multiple roles to single user
Hi everybody
There is such situation:
We are restricting the values of infoobject using S_TABU_LIN
Everything is working fine if the user has authorization assigned only
by one role.
If the user has more then one role assigned then user has only values
authorized that are included in the first role. All authorizations from
other roles are not available
For example:
We have authorizations in 3 roles
Role1
Activity 03 ACTVT
Organization criterion for key /BIC/ZMINISTRY ORG_CRIT
Org. crit. attribute 1 * ORG_FIELD1
Org. crit. attribute 2 04 ORG_FIELD2
Org. crit. attribute 3 * ORG_FIELD3
Org. crit. attribute 4 * ORG_FIELD4
Org. crit. attribute 5 * ORG_FIELD5
Org. crit. attribute 6 * ORG_FIELD6
Org. crit. attribute 7 * ORG_FIELD7
Org. crit. attribute 8 * ORG_FIELD8
Role2
Activity 03 ACTVT
Organization criterion for key /BIC/ZMINISTRY ORG_CRIT
Org. crit. attribute 1 * ORG_FIELD1
Org. crit. attribute 2 06 ORG_FIELD2
Org. crit. attribute 3 * ORG_FIELD3
Org. crit. attribute 4 * ORG_FIELD4
Org. crit. attribute 5 * ORG_FIELD5
Org. crit. attribute 6 * ORG_FIELD6
Org. crit. attribute 7 * ORG_FIELD7
Org. crit. attribute 8 * ORG_FIELD8
Role3
Activity 03 ACTVT
Organization criterion for key /BIC/ZMINISTRY ORG_CRIT
Org. crit. attribute 1 * ORG_FIELD1
Org. crit. attribute 2 08 ORG_FIELD2
Org. crit. attribute 3 * ORG_FIELD3
Org. crit. attribute 4 * ORG_FIELD4
Org. crit. attribute 5 * ORG_FIELD5
Org. crit. attribute 6 * ORG_FIELD6
Org. crit. attribute 7 * ORG_FIELD7
Org. crit. attribute 8 * ORG_FIELD8
All of the roles are assigned to single user
The problem is that user can get only that values from /BIC/ZMINISTRY
that are authorized in role1
Values authorized in role2 and role3 are not available.
What could be a problem???Are you using BI7 as authorization?
please check the link below regarding combining authorizations for BI7
http://help.sap.com/saphelp_nw04s/helpdata/en/46/98cd87f37d19ace10000000a11466f/content.htm -
Migration steps needed from Security side for BW3.5 to BI 7.0
Hi All,
In our company they have installed BI 7.0 and now we need to do migration from BW 3.5.
So from the Security side what all the steps we have to perform for migrating the users and authorizations to BI7.0.
Please help me out with some solutions <removed_by_moderator>
Thanks in advance
Padmaja.
Edited by: Julius Bussche on Jul 25, 2008 8:05 AMSome one please tell me where we need to run the program " RSEC_MIGRATION" whether in BW system or in the BI system.
Also before that do we need make a client copy of the BW production system.
After the users and the respective authorizations are migrated does they get migrated into new authorizations or we need modify any.
Some one Please give me some inputs.
Thanks
Padmaja. -
Hierarchy authorization pbm in BI7.0 with Front end of BW3.5
Hello All,
We have a problem regarding authorizations for the hierarchies in BW7.0
We have migrated from BW3.1 to BW7.0. Authorization are OK in our BW3.1 server, the authorization on hierrachy work well.
Current Issue (in BI7.0) :
An authorization object for XCOMPROD for a hierarchy 'ZMAT_HIER'.
There are 2 queries which have variables of XCOMPROD & ZCOMPROD in selection criteria, ZCOMPROD has variable of type 'Hierarchy node'
I've a test_user which has authorization on Product Group 5 (one of the nodes in the hierarchy-ZMAT_HIER).
When i run the queries independently with this test_user, the user has access to Group 5 only, which is correct.
When i run a web template report with any one query (from the 2 queries), the user has access to Group 5 (as in first case) - correct.
However when i run a web template report having above 2 queries together, the authorization fails, as user gets access to root node (instead of only Group 5).
FYI, we're using BW3.5 front end (no PORTALS) with the OLD authorization concept (of BW3.1). Not 'Analysis Authorization' as in BI7.0.
Looking forward to an explanation/solution to the above.
Regards,
Nagendra.Hi,
Check out the customization of SPRO to select the authorization concept. I suspect that it's set on the new authorization concept.
Tomer. -
Hi
Recently we had migrated to the new authorization concept in BI7 after that, when the business users open an query or workbook they get the selection screen and when they press F4 on company code info object (Authorization relevant object) to select values they get an message" you dont have sufficient authorization" and the out put does not get displayed. but as an BW developer i am able to open the same report without any error
I checked in for authorizations in Su01 and su53 every thing looks fine for the business user.
Note: This error occurs only to queries having infoobject company code
Can someone help me out in this issue?
Thanks a lot
SheetalHi sheetal,
I am facing the same problem what you have faced regarding authorization error in BI queries.
when users try to open the workbook, select their options in selection screen and run it, they get warning 'you do not have sufficient authorizations'. when i try to run the same, i am able to open it. this is happening in prod.
how are you able to solve this problem. -
Authorizations for Work books in BI7
Hi BW Experts,
I have created a work book by using BI7,and the requirement is to give authorizations to diffrent users to access that work book.I have tried a lot by using diffrent methods.
Could any body can suggest me how to proceed.
Thanks & Regards
DebasishHi,
Assigning workbook to the user role:
Goto User Role > select Menu tab(Change mode)>Seelct +Report icon -->Select Radio button BW Report --> Enter your workbook technical name here(Ex:4E9QCMIXFMRS71K9Z0TP7F4T7). Finally check it in user role.
Or else check this thread
Save Workbook in end User Favorites
Regards
Pcrao. -
Dear Gurus,
I am having an issue with regard to Authorizations. In BW3.x with respect to query designer an end user can just change the local view of a query. How about the same thing in BI7? What are the procedures i need to follow to give an user authorizations to only the edit query local view. Is there any BC role or Profile that i can just add to get the desired result. Kindly give the inputs in a detailed manner as I am new to BASIS part.
Your Kind Inputs will be definitely rewarded with a great honour.
Regards
Mohan Kumar
Message was edited by:
mohan kumarDid you tried defining authorization objects using transaction code RSECADMIN, as this is working of me for Profit Centers.
Thanks.
Sachin
Maybe you are looking for
-
How can I disable the Camera Feature on iOS 5.0.1 or 5.1
I personally DO NOT want this feature accessible for anyone without my pass code seeing how I have had a iPhone stolen b4 I DO NOT want any features like iPod or Camera to be usable to anyone so I for one would like it removed or made an option to di
-
Download restrictions in Mountain Lion?
Looks like ML has new security restrictions. I used to be able to download builds from a trusted site with no problems in OS X 10.6. With ML, I am now getting an error message 'Problem connecting to the server: URLs with the type "file:' are not supp
-
Mac Pro Boot Problems. Kona 3?
I'm having booting problems with a Mac Pro. It's got a kona 3 card in one of the PCI slots, and we've been tinkering with it to try to get the audio to work right. However, I've been having huge problems whenever I try to restart the computer. After
-
Empathy Video Call Doesn't Maintain Aspect Ratio
I'm using empathy 3.6.3-1 with gtalk, and I noticed that video calls don't seem to preserve aspect ratios. Does anyone else have this problem?
-
Hi, We want to do Label printing through Smartforms. Our labels are getting printed but often the barcodes are not getting read as they are exceeding the Label Page Width. We want to use the Interleaved Barcodes in ECC 5.0. Can anybody inform which I