Authorization in Infoobjects

Similar Messages

• Authorization Relevant Infoobject restriction for particular value

  Hi All,
  We have infoobject - 0COMPCODE which is authorization relevant. In query designer authorization variable - ZAUTH1 has been created.
  Now users want to restrict one particular Company Code (Ex- RU10) globally, so that none of the users will view this particular company code.
  We can't restrict this in query designer. Users can select among the company codes in the input selection of the report.
  Authorisations have been mantained in BW3.5 version
  Need help on this urgently.

  Hi Asish,
  Two ways.
  1. You can exclude the company code in the default values section, so that they would be able to view it in the list they see.
  2. You can exclude it in the authorizations assigned to the roles of the users. Give all the company code values in the authorization, except this company code, so that since the auth variable is createed in the query, you woulld view only the company codes that are authorized.
  Hope this helps.
  Regards
  Snehith.

• Table name for authorization relevant InfoObjects

  Hi Gurus,
  In which table I could see all Authorization relevant InfoObjetcs ?
  Thanks
  Liza

  Hi,
  Table RSDCHA, field AUTHRELFL.
  or
  1. Go to RSSM t-code
  2.click the radio button Authorizations for several users there u have to enter ur login  Id name
  3.right hand side 1 spects symbol is there for disply-- click on it.
  It will show u all authorisation Infoobjects for u.
  Try this link. this might be helpful.
  Program to find the list of Authorization relevent info objects for given
  Regards,
  Haritha.
  Edited by: Haritha Molaka on Dec 7, 2009 5:47 AM

• Authorization question: infoObject combined with auth var and input va

  In a sales forecast report an authorization variable 0version is used. 5 different versions are available (1 to 5). When running the query the user has to fill in what version he wants to update by filling in the correct 0version variable. The query itself has also an authorization variable which authorize on the version (users are allowed to see/correct version 1 to 4 and special users only 5).
  Is it possible to have two variables(1. auth var    2. sel var) on 0version in one query?

  Looks all perfect.. Can you recheck while creating the Authorisation variable did u selected 'Value Range' or the 'Single Values' While restricting the variable (or) defining the variable.
  Can you create the variable with Value range option while restricting screen with variables and see?
  regards,
  hari

• List Database Table – Infoprovider, InfoObject, Flag Authorization Relevant

  Dear Expert,
  I’m working with SAP BI 2004s user management & authorization. I have several objects that I’ll have check. I don’t like check one by one, I like to check for the SE16 transaction, for this reason, I need to know what is the database table have content Infoprovider by InfoObject (Characteristics) which each have the flag authorization relevant.
  Moreover, in the same idea, which database has content Queries by Infoprovider which authorization variable?
  Thank for all,
  Luis

  For your first question:
  In addition to be above mentioned table, RSDCUBEIOBJ will give the information about Infoprovider and all the Infoobjects within this infoprovider.
  1. Find all the authorization relevant Infoobjects from RSDCHA table and copy them.
  2. In the table RSDCUBEIOBJ, paste all the Infoobjects obtained from 1 in the field "Infoobject". The result will be list of Infocubes and their corresponding authorization relevant Infoobjects.

• Authorization infoobject provided by SAP

  Hi All,
  I want to know which are authorization relevant infoobject provided by sap?
  I know there name is starting witha 0TCA
  I know few of them 0tcakyfnm, 0tctaiprov, 0tcavalid, 0tcaactvt, 0tcaifarea, 0tcarecmod,0tcatxtlg,0tcatxtmd,0tcatxtsh,0tcalang and the key figure is 0tcacount.
  are these are all or there are some more?
  if anyone is having some information regarding authorization  infoobject
  0tcaifarea,  0tcarecmod, 0tcatxtlg, 0tcatxtmd, 0tcatxtsh, 0tcalang and the key figure is 0tcacount
  please forward it to me.
  Regards,
  Deepak

  Hi,
  please introduce "rsecadmin 0TCAIFAREA" in the search box on the right top of the page, you will find 3 items that will explain you the usage of all these objects.
  1) Analysis Authorization Migration Question.
  2) Authorization in SAP NW BI - Business Intelligence - Wiki.
  3) An Expert Guide to new SAP BI Security Features.
  Hope this help.
  Riccardo.

• Web Intelligence Report + BI 7.0 Analysis Authorizations

  Hello Experts,
  I have created a report on a universe based in a SAP BW InfoCube that contains an authorization relevant InfoObject (Company Code).
  BW Analysis authorization have been set up for this cube in such way that the user should have access only to data containing one of the two values of Company Code (lets say for example that the user can access value "A").
  It seems to be working fine when testing them via a BEx Query or via rsecadmin (rsrt with detailed analysis authorization logs). When the test user tries to view the full contents of the specific cube gets an "access denied" message (this is normal), whereas if the user runs a report with a filter "A" on Company Code the report returns the results as it should have. So far so good.
  For testing use within Web Intelligence, I have created the following Single Sign On (SSO) universes: a)directly on the cube, b)via a "select all" query and finally c)via a filtered query (filtering the exact allowed values of analysis authorization of the test user). All of the above have unfortunately the exact same issues:
  When a test user with limited analysis authorization (i.e. a user that can only access value "A" of Company Code) tries to view a report on either of these universes, then the result is the following message when trying to execute the query "A database error occured. The database error text is: Error loading cube MyCube/MyQuery (catalog MyCube): Unknown error. (WIS 10901)"
  I have tried several settings on the universe (like filter working on LoV as well) but none helped.
  If we replace the user's analysis authorizations with full access on company code (values "A" and "B") the query runs as it should have.
  Any ideas?
  Best regards
  Giorgos

  Hi,
  has the Universe been created on the cube level or on the query level ?
  In case it is on the cube level it will fail because :
  Analysis authorizations are not based on authorization objects. Instead, you create authorizations that include a group of characteristics. You restrict the values for these characteristics.
  The authorizations can include any authorization-relevant characteristics, and treat single values, intervals, and hierarchy authorizations in the same way. Navigation attributes can also be flagged as authorization-relevant in the attribute maintenance for characteristics and can be added to authorizations as separate characteristics.
  You can then assign this authorization to one or more users.
  All characteristics flagged as authorization-relevant are checked when a query is executed.
  *A query always selects a set of data from the database. If authorization-relevant characteristics are part of this data, you have to make sure that the user who is executing the query has sufficient authorization for the complete selection. Otherwise, an error message is displayed indicating that the authorization is not sufficient. In principle, the authorizations do not work as filters. Very restricted exceptions to this rule are hierarchies in the drilldown and variables that are filled depending on authorizations. Hierarchies are mostly restricted to the authorized nodes, and variables that are filled depending on authorizations act like filters for the authorized values for the particular characteristic*
  Ingo

• [BO over SAP BW] Web Intelligence Report + BI 7.0 Analysis Authorizations

  Hello Experts,
  I have created a report on a universe based in a SAP BW InfoCube that contains an authorization relevant InfoObject (Company Code).
  BW Analysis authorization have been set up for this cube in such way that the user should have access only to data containing one of the two values of Company Code (lets say for example that the user can access value "A").
  It seems to be working fine when testing them via a BEx Query or via rsecadmin (rsrt with detailed analysis authorization logs). When the test user tries to view the full contents of the specific cube gets an "access denied" message (this is normal), whereas if the user runs a report with a filter "A" on Company Code the report returns the results as it should have. So far so good.
  For testing use within Web Intelligence, I have created the following Single Sign On (SSO) universes: a)directly on the cube, b)via a "select all" query and finally c)via a filtered query (filtering the exact allowed values of analysis authorization of the test user). All of the above have unfortunately the exact same issues:
  When a test user with limited analysis authorization (i.e. a user that can only access value "A" of Company Code) tries to view a report on either of these universes, then the result is the following message when trying to execute the query "A database error occured. The database error text is: Error loading cube MyCube/MyQuery (catalog MyCube): Unknown error. (WIS 10901)"
  I have tried several settings on the universe (like filter working on LoV as well) but none helped.
  If we replace the user's analysis authorizations with full access on company code (values "A" and "B") the query runs as it should have.
  Any ideas?
  Best regards
  Giorgos

  Hi,
  has the Universe been created on the cube level or on the query level ?
  In case it is on the cube level it will fail because :
  Analysis authorizations are not based on authorization objects. Instead, you create authorizations that include a group of characteristics. You restrict the values for these characteristics.
  The authorizations can include any authorization-relevant characteristics, and treat single values, intervals, and hierarchy authorizations in the same way. Navigation attributes can also be flagged as authorization-relevant in the attribute maintenance for characteristics and can be added to authorizations as separate characteristics.
  You can then assign this authorization to one or more users.
  All characteristics flagged as authorization-relevant are checked when a query is executed.
  *A query always selects a set of data from the database. If authorization-relevant characteristics are part of this data, you have to make sure that the user who is executing the query has sufficient authorization for the complete selection. Otherwise, an error message is displayed indicating that the authorization is not sufficient. In principle, the authorizations do not work as filters. Very restricted exceptions to this rule are hierarchies in the drilldown and variables that are filled depending on authorizations. Hierarchies are mostly restricted to the authorized nodes, and variables that are filled depending on authorizations act like filters for the authorized values for the particular characteristic*
  Ingo

• Authorization issue within a table in BI

  Hello All,
  Here is my authorization issue :
  We have set up an authorization on infoobject Zapplication. End user is allowed to choose "HR" only.
  In Rsecadmin, infoObject Zapplication is restricted to "HR"
  Then, this authorization object has been assigned to end user.
  This user go to a specific table to select an application and a date.
  When user display the possible value he only see "HR". Which means our authorization is correct.
  However, this user can enter another value such as "SD". This value does exist in infoObject Zapplication. So, it means that there is an issue with our authorizations settings.
  We have added a control table, it's even worse in this case, authorization are not checked at all and all available values are displayed.
  Any idea to prevent the user to entered a value within this table ?
  Why our authorization does not check the value entered directly in the table ?
  Thanks &
  Regards
  Cath

  Hello
  For info we manged to restrict acces on this table by using event table from table maintenance and we have combined it with a specific authorisation object.
  Regs
  C.

• Authorization problem in executing a Planning Function

  Hi All,
  We are facing an authorization issue  while executing a planning function in a WAD template.
  The error message is :
  The planning function ended with errors.
  The user does not have authorization on infoprovider YF2IGM37.
  But the relevant authorizations have already been provided to the said user for:
  S_RS_ALVL,S_RS_PLENQ ,S_RS_PLSE ,S_RS_RLSQ, S_RS_PLST        along with authorization for
  Cube, multiprovider, query as well as aggregation layer.
  Could anyone pls help us resolving the issue.
  rgds,
  Nandini.

  Check any authorization relevant infoobject user is not authorized for.
  For example, if company code is authorization relevant,and in your query any default company code is provided, user may not have the relevant access.

• Manual migration to analysis authorization-4

  hello BI experts,
  When authorizing InfoProvider via analysis authorization by using 0TCAIPROV with *. Is it still possible to authorize correctly and sharp data via authorization relevant InfoObjects?
  regards
  Imberaureus

  Its possible considering the user will be able to look in to the data of all data targets.

• Authorization to inhibit  the drilldown of a Free Characteristic in a Query

  Hi all
  I have a problem: I want to implement authorizations profiles for two different roles linked to two users, in order to allow the execution of a query from Bex Analyzer. The Query contains the free characteristic "A", which is an authorization relevant object
  - On the first role I want to allow the user to display only values "x" and "y" for the characteristic A: I used analysis authorizations and it works properly
  - On the second one role I need to inhibit the possibility to drilldown characteristic "A", but the user should execute the same query without restrictions. Is it possible without creating a new Query that doesn't contain "A" as a free characteristic?
  Thanks in advance
  Ugo

  Hi,
  Have you tried authorization value ':'?  Basically, value ':' has 2 purposes.
  1. Enable execution of query that do not contain authorization-relevant InfoObjects that are checked in the cube.
  2. Enable summary data to be reported for characteristic levels where users does not have authorization to access details data.
  So, perhaps you can give the user authorization value ':' and build your second query without the authorization object in the free chars.
  Regards
  Kate

• Analyzing existing Authorization - InfoProvider relation in 3.5

  Hi Guys!
  I am still working on a concept to migrate report athorization in 3.5 to analysis authorization in 7.0.
  At the moment, I am struggling to find a way to analyze existing authorizations, in terms of access on InfoProviders.
  In the new analysis authorization, we plan to use the special dimension 0TCAIPROV to restrict access of an authorization object.
  However, to migrate our existing authorizations, we therefore need to know on which InfoProvider an authorization has access to.
  Do you know any "easy" way to identify the InfoProvider, an authorization has access on?
  Thanks in advance,
  Tobias
  Edited by: t.braml on Sep 9, 2009 12:21 PM

  Hi Gaurav!
  Thanks for your reply. I appreciate your effort. The provided information helped me to access the table RSSTOBJDIR and to display the list of InfoProviders for which the Authorization Object is active.
  However, this list does not provide the information I am looking for. I want to know the specific InfoProvider, the authorization relevant InfoObjects of an Authorization are using/accessing.
  Because this way, I can easily migrate the existing authorizations to the new concept and restrict access by assigning InfoProvider to the dimension "0TCAIPROV".
  Maybe it helps to use an example.
  I do have an authorization X that uses the authorization object Y to restrict access on the authorization relevant object Z.
  The authorization relevant object Z is sitting in an InfoProvider.
  And I want to know, how to get the name of the InfoProvider, in which the autorization relevant object Z that is used in the specific authorization X is sitting in.
  Does anyone know how to get the information?
  Cheers,
  Tobias
  Edited by: t.braml on Sep 11, 2009 12:32 PM

• You have no authorization for the requested data. Message no. UPC217

  Hi All,
  When i execute a BPS planning function i am getting the following error.
  'You have no authorization for the requested data. Message no. UPC217'
  Plz let me know how to rectify the problem asap.
  Thank you all in advance
  Kiran

  Hello,
  Your Function/level makes use of an authorization relevant InfoObject without restriction (or at least no restrictions enough).
  Check that the Level is restricted correctly regarding the authorizations.
  regards,

• Delimit authorizations in BW

  Hi,
  I have a problem, how can i delimit the InfoObject in a Cube for security in BW, the user can see the reports of the cube, but there are some fields that they shouldn't have permission.
  Thanks.

  Hi,
  The question is not clear, but if you are speaking about Infoobject level security it can be done using Custom Report Auth object in Transaction RSSM.
  The steps to implement Custom Auth Object is as follows:
  1) Make the InfoObject authorization-relevant.
  The Authorization Relevant setting for an InfoObject made in the InfoObject definition on the Business Explorer tab. The business needs will drive which InfoObjects should be relevant for security. Keep in mind that the people using SAP BWare running queries to help make strategic decisions on how to better run the business. The decision makers typically need to see more data on SAP BW than they would need to see in SAP R/3.
  2) Create a custom reporting authorization object.
  Since there are no reporting authorization objects provided for InfoObjects, you will have to create your own reporting authorization object for any InfoObject you decide to secure. This is done in transaction code RSSM. When creating your reporting authorization object, you select which fields to put in the authorization object from a list of authorization-relevant InfoObjects. Only InfoObjects that have been marked Authorization Relevant are eligible to be put in a reporting authorization object.
  3) Add your new authorization object to a role.
  Once you have created an new reporting authorization object and linked it to the appropriate InfoCube(s), users will need access to your reporting authorization object. You will need to manually insert your object into a role.
  4) Add a variable to the query.
  The reason the variable is required is sometimes unclear at first. If we want a  query to only provide results based on the division, for example, then the query itself needs the ability to filter specific division values. Before we can secure on division, the query must be  able to restrict data by division. The only way the query can restrict data dynamically is through a variable.
  5) Link the reporting authorization object to an InfoProvider.
  Linking your reporting authorization object to an InfoProvider is a very critical step. In this step, you will impact people currently executing queries for the InfoProvider that is now related to your reporting authorization object. This linkage forces your reporting authorization object to be checked when ANY query tied to the InfoProvider is executed.
  Hope i have answere your question.
  Please reward points if it does satisfy your requirement.
  Regards
  Santosh