Authorization Relevant BI Navigational Attribute

Hello All,
   I have one quick question on auth relevant navigational attributes.
Say I have characteristics A and B.  B is a nav attribute of A i.e. A__B and is marked auth relevant. 
Does this mean that A will also have to be marked as auth relevant and be placed in the RSECADMIN profile along with A__B?
Thanks

>    I have one quick question
I have one quick answer...
> Total Questions:  6 (6 unresolved) 
Read the forum rules!
Thread locked and duplicate deleted.

Similar Messages

  • Authorization check on navigation attribute

    Is there anything special I need to do to make a navigational attribute authorization relevant for a cube?
    On 0sales_off I have checked it as authorization relevant, and this is assigned to 0cust_sales as a nav attribute.  I created an authorization object on 0sales_off.  I have turned on the nav attribute in the cube.  But when I go to turn on the check for the InfoProvider (RSSM), the authorization object is not displayed.

    Michael, Troy:
    Hi, I've already verified that the characteristic and the infocube have the navi attr marked, but now when I try to include it in an Authorization Object on RSSM transaction, the list of "Authorization relevant IObjects" doesn't show the nav attr that I'm trying to restrict (in this case the 0COSTCENTER__0BUS_AREA), seems that I can only authorize the 0COSTCENTER or 0BUS_AREA separately.
    What actions should I take in order to make this nav attr relevant for authorization so I could create different roles using the 0COSTCENTER__0BUS_AREA restricted by business areas..?
    Thanks in advance for your help.
    Miguel Campos

  • Authorization on Navigation Attribute

    Hi experts,
    I'm faced with a problem. I have a navigation attribute in my data model which is authorization relevant. The problem is that the basic characteristic is not authorization relevant. I am not able to make my setting in the analysis authorization as the basic characteristic is not authorization relevant. The basic characteristic is used in some other projects so that I am not allowed to make this characteristic an authorization relevant one.
    Has anyone an idea how to solve this problem?
    Thanks all in advance.
    Best Regards,
    Ali

    You did not mention what BW version you are on.  This scenario is allowed in 7.0 Analysis Authorizations, but is not allowed in 3.x.
    In 7.x you can make any navigational attribute authorization relevant on the Attributes tab in RSD1, and the base characteristic does not have to be authorization relevant.
    What problems are you having?

  • Navigational Attribute Authorization

    Hello,
    We have a requirement to turn on the authorization relevant flag for a number of navigational attributes in a master data.
    After turning on the flags we have created an analysis authorization object and included the navigational attributes with :.
    We were expecting the report to return with no data.
    Security tracing did not show any authority check against the navigation attributes which were turned on as authorization relevant on the master data.
    The Master data is authorization relevant however the individual navigation attributes are not authorization relevant objects.
    Do I need to turn the authorization relevant flag for individual nav attributes on their own maintenance screen?

    Hi,
    Check whether this doc helps
    http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/7052dee3-bce5-2d10-5299-cd5d00ebeb72?QuickLink=index&overridelayout=true
    The Authorization at the Navigational attribute will restrict the data for that attribute at the report level.
    You can restrict that Nav Attr specific to  InfoProvider, Roles etc.
    Thanks & Regards,
    Vishnu

  • Authorization for navigational attribute

    Hi Gurus,
    I am facing an authorization issue with respect to infoobject hierarchy. I have created authorizations as below.
    There is one infoobject 'A' and a navigational attribute 'B' in infoobject 'A'. This navigational attribute A_B is used in an infocube.  And hierarchy is uploaded to Infoobject 'B'. Now I want to give authorization for this hierarchy in infoobject 'B'.
    Now coming to authorization.
    1. I have made Infoobject 'B' as authorization relevant in Business explorer tab.
    2. Created authorization object say ABC in RSSM and included infoobject 'B' & 0TCTAUTHH (since I want to authorize the hierarchy and we are using 3.5 authorization concepts in BI 7.0).
    3. Activate this authorization object for the infocube.
    4. Included this authorization object in the role included for my user. In the field 'B' of authorization object I have given ' ' (space) and in the field 0TCTAUTHH I have given the technical name of the hierarchy.
    4. In 3.5 query designer I have put this navigational attribute A_B in the filter area and activated the hierarchy in the properties tab for the same hierarchy that I included in previous step.
    5. Created a variable with processing type authorization.
    Now when I run this report I get an error as no authorization for object ABC.
    Can someone help me if I have done anything wrong.
    Thanks,
    Sandeep

    Hi,
    In the infoobject A maintenance screen check the check box for field "AuthorizRelevant" for B to make it authorization relevant navigational attribute.
    Then go to RSECADMIN and open your relevant authorization.
    In the menu bar just above the "Authorization Structure" you will find the button with icon of infoobject.
    Click on this icon this will give you a screen to enter characteristic name of which attributes are to be added to authorization.
    Enter the infoobject A name here and click on continue.
    This will give you list of all authorization relevant navigational attributes present for A.
    Add B from this list to the authorization.
    Hope this helps.
    - Geetanjali

  • Analysis Authorization on Navigational attribute

    Hi All,
    We are using RSECADMIN (BW 7.0), I want to know whether it's possible to make a navigational attribute - ZPAYE_SA__0SALES_OFF - authorization relevant. The object (ZPAYE_SA) with which this is associated is not authorization relevant.
    Even if I am able to make it authorization relevant, are there any other setting changes to be done for it to work properly?
    Regards
    Deepesh

    Hi Deepesh
    First you need to check the Authorization relevant check box for navigational info object "ZPAYE_SA__0SALES_OFF"
    Tcode RSA1 --> Info Object --> Find "ZPAYE_SA" ---> Attributes tab ---> Detail/Navigation Attribute --> Authorization Check box in front of "0SALES_OFF".
    Go to RSECADMIN
    Create an Authorization object and maintain this navigation attribute "ZPAYE_SA__0SALES_OFF"
    Pls let me know in case of further details
    Best Regards
    Rohit

  • Reporting Authorization - InfoObject/Navigational Attributes

    We have a custom infoobject for Vendor to which access needs to be controlled. Certain users are not supposed to have access to a number of the navigational attributes on the object however we want these users to have access to all other navigational attributes (meaning we don't want these 'fields' to be visible but everything else). We have other reporting authorization objects that prevent access to the entire 'record' if the user is not authorized for a certain value (cost center, etc.).
    Thanks.

    Hi Joerg,
    navigational attributes are treated like characteristics. You can make them authorization relevant and restrict access, e.g. by granting ":", which allows to see overall results without details on this attribute.
    Regards, Klaus

  • WAD - Navigation Attribute authorization

    Hello Expert,
    I have created a WAD report containing analysis and two dropdown items.
    One filters a characteristic (profit centrum) and the other one filters navigation attribute of the same characteristic (resp. person of PC). Both the characteristic and the attribute are marked as authorization relevant.
    If I run the report under my account having profile SAP_ALL and analytical authorization 0VI_ALL the report works as it should. But if I run it under a test account that has a role ZBI_BEX_ENDUSER that should contain all sufficient authorizations to run any report and analytical authorization 0BI_ALL then the report runs also OK,  just the dropdown with the navigation attribute (responsible person) is disabled (greyed out) with a text "no data". The other dropdown (PC) works fine.
    The navigation attribute is even included in the analysis and all the values are displayed there and I can even filter on it and then the filtered value is populated into the previously disabled dropdown list.
    Since I do not see any difference between the two users beside the authorisation I reckon that the issue must be somehow authorization related but I cannot find how.
    Can anyone help?
    Regards
    Jiri

    Hi Haran,
    You have to consider in ABAP code of user exit variable this:
    In a DSO you already have the user name and values, which he is allowed to see. Just go into this DSO and read the entries from DSO with user ID as selection criteria. Example:
    USERID     PLANT
    XY     1000
    XY     2000
    YZ     3000
    DSO name: ZOPLANT
    Key fields in DSO: UserID & Plant
    ABAP code would look like: select plant from /bic/azoplant00 where userID = sy-uname.
    I hope this helps.
    Aban

  • Need help on Authorization on Navigational Attribute.

    Hi All,
    I am working on Authorizations.
    I am using the info Object "Material group" which is the Navigational Attribute of 0MATERIAL.
    In Reporting, I have created the Authorization Variable for Material group.
    And after this, I have created the Authorization Object in RSECADMIN and added the info Object "Material group" and hard-coded the value as "1000". After this, I have created the Authorization Role in PFCG and added this authorization Object over there. And this role is assigned to a specific User.
    While Running the report on specific User, for Material group, filtering is not happening over there (Material group = 1000). It is showing all values for this user.
    Can you please help on this issue.
    Thanks,
    Shahina A

    Thanks for your reply. I was on leave for the past 2 days. I have checked as you suggested.
    In 0MATERIAL, 0MATL_GROUP is the attribute and I have made Authorization Relevant for this Attribute.
    And I activated the Info object 0MATERIAL.
    Then I have run the query in RSRT and found an error while running the Report.
    Can u pls help on this issue.
    Diagnosis
    The system determined the authorized characteristic values for the characteristic 0MATERIAL__0MATL_GROUP. It determined that you do not have the (analysis) authorization to view transaction data for any characteristic values or range.
    System Response
    If this situation occurs when a variable is being filled, the query cannot be executed.
    Procedure
    You must have authorization for at least one characteristic value for the characteristic 0MATERIAL__0MATL_GROUP.
    Create the appropriate analysis authorizations for the user.
    If you are only authorized for evaluations that aggregate using the characteristic 0MATERIAL__0MATL_GROUP (for ":" authorizations), use a query without this characteristic. If the characteristic is not used as a filter or in the drilldown, variables should not be used.
    Procedure for System Administration
    Notification Number EYE 018 
    Thanks,
    Shahina A

  • Navigation attributes authorization

    Hi, all
    In NW2004s new auth concept allows to create auth for nav attributes as for chars. But! We have situation when one char is used as nav attribute in several chars. I.e. Char A, used in B__A, C__A and D__A. Is it necessary to create auth for every nav attr use, or maybe there is a setting not to use nav attrs separately.
    I'm afraid, it can be difficult to administer such situations.

    Hi Emerald,
    maybe an approach to resolve some irritations.
    Let's consider your scenario, one char is used as nav attribute in several chars. i.e. Char A, used in B__A, C__A and D__A.
    If you want to protect the usage of the characteristic A as navigational attribute in the characteristics B, C or D, you have to set the flag 'Authorisation relevant' in the attribute section of the respective characteristics B, C or D (which means up to 3 flags and corresponding 3 authorisations).
    If you want to use the characteristic A in its own right in an InfoProvider, you have to set the flag 'Authorisation relevant' in the InfoObject maintenance of characteristic A.
    If I have stated something different in my previous replies, please neglect them.
      Cheers
        SAP NetWeaver BI Organisation

  • Issue when using Navigation attributes for filtering in BEX

    Hello,
    We are encountering an issue when applying filter on Navigation attributes in BEx query built on top of a BW HANA Virtual Provider.
    The interface is as below :
    HANA Calculation View -> SAP BW 7.4 Virtual InfoCube -> Multiprovider -> BEx Query.
    We have directly mapped the base Infoobject from HANA View to BW Virtual Provider and using this in BEx query free characteristics. We also have used the navigational attribute of this Infoobject in our Report variable screen as well as an Auth relevant object.
    Eg if ZMATERIAL is the base infoobject and ZMATERIAL__ZXYZ navigational attribute is used in the report variable screen and as Authorization variable.
    This is causing the query to fail.
    The query also fails if I apply any filter values on any Navigational attribute with error message  :
    "Termination message sent ERROR DBMAN (305): Error reading the data of InfoProvider"
    Using the navigational attribute with authorization variable fails with below :
    "Termination message sent ERROR DBMAN (099): Invalid query;Failed to find attribute ZMATERIAL__ZXYZ [...]"
    Appreciate any inputs on this issue and how this can be fixed.
    Thanks,
    Tintu

    Hi Andrey,
    Thank you for your input.
    Based on the OSS note, it says to import BW7.4 SP7. We are already on BW7.4 SP7
    We get error "Termination message sent ERROR DBMAN (099): Invalid query;Failed to find attribute
    ZMATERIAL__ZXYZ"  whenever we try to apply filters on any of the navigational attribute.
    Thanks,
    Tintu

  • Authorization Relevant Scenarios

    Hi All,
    I need the help of your suggestions to get a proper way to write my thesis over New BI Authorization topic.
    I want to ask you what are the possible authorization scenarios you can think according to your experience.
    for example
    I have few of them
    1.Restriction to the one value of an InfoObjects.
    2.User has access to two projects in one project he has access to few material plant while in other project he has access to all material plant.
    3.You have for an InfoObject the checkbox authorization relevant has activated. What are the effects of this on other projects.
    4.How Authorization to the hierarchy nodes are defined.
    5.How combination of value authorization restriction and hierarchy authorization is working.
    can you think more of such scenarios.
    Please forward me as many possible authorization scenarios as you can think of, so that I can implement these scenarios as a prototype and it will be helpful to me to write my master thesis.
    Hope for the positive and quick answer from your side.
    With Best Regards And Thanks,
    Deepak

    Well,
    User has access to one key-figure for one project and all key-figures for another project;
    User has automatic filled authorization while executing a query;
    User has his/her authorization automatically filled in a user exit while executing any query;
    User has access to company code has a navigational attribute authorization with for example 0PLANT__0COMP_CODE instead of 0COMP_CODE and even for example 0PLANT is not marked as authorization relevant;
    User has access in one project to view the data (executing queries) and in another project he/her has access to plan the data (write data);
    Diogo.

  • Enabling infoobject authorization relevant

    Hi,
    We are planning to make infoobject  'A' auth relevant in BI system. In process of identifying the risk we have listed out the infoproviders and the security roles which are providing access to these infoprovider. But one doubt is - If that object is used as navigational attribute in other infoproviders will those also be affected by making infoobject  'A' auth-relevant?
    Is it necessary to make the navigational attr auth relevant if the concerned infoobject is made auth relevant?
    Your response is highly appreciated.

    Hi Ravi,
    You will need to make authorization changes for your navigational attribute as well in all roles, if you have identified it in your multiprovider or infocube. If it is not identified in multiprovider, there is no need.
    Regards,
    Harpal

  • BW Navigation Attributes

    Hey, all,
    I'm just checking myself here -
    We have a BW 3.5 system. We have 0GL_ACCOUNT set as authorizationally relevant. We have an object (Z_GLACCT) created and set with various value ranges for the different GL account sets.
    The user reported an issue where she was able to run queries and workbooks without putting any GL account values in and it returned only the data for the GL accounts that she had authorization for. Now, if she runs them without inputting GL account values that she is authorized for, she gets an authorization error on Z_GLACCT. However, if she runs the queries with specific values for GL account that she is authorized for, the query/workbook runs fine.
    We have made no changes to the security roles or the roles assigned to the user.
    The only change that I can find is that one of our developers turned on the navigation attribute for 0GL_ACCOUNT. In the new 7x systems, there is a checkbox for making navigation attributes auth relevant but we do not have that in our BW 3.5 system.
    Am I off base here in thinking that the change to the navigation attribute is probably causing our issue?
    Thanks!

    Is GL Account marked necessary input in the variable screen ? That will cause the user to get error if you try to run query without input
    My thought is "no". A user who has Z_GLACCT with a value of * can run the query with no input with no issues. It is only the user with specified values in Z_GLACCT who cannot run the query without inputting specific GL accounts that she has access to.
    Please use authorization variable in the query for GL_ACCOUNT
    We don't want this function working any differently than it was working previously so we don't want to add any levels of security. GL account is relevant but it should not require them to input on queries, it should pull data and then display only that which they have authority for.
    As a precaution please mention : in the field values for Z_GLACCT along with the value range you have assigned to the user
    I'm not sure what you are asking for here? We have told the user that if she enters the gl accounts she has access to, the query will run, however, we are in investigative mode. Obviously, a change was made that impacted the security functions. We need to know what it was.
    Cheers

  • Authorization for multiple nav attributes

    Hi Experts,
    I have 2 doubts that I need to confirm with you:
    Scenario :
    an aggregation level has nav attributes  A__C  and B__C.
    A__C is restricted by authorization variable in the filter section of the query.
    A__C is shown in the rows as well.
    B__C is not defined anywhere in the aggregation level and the query.
    Authorization is created for the user on  A__C   and  B__C   and assigned to user via the BI7 auth admin tcode(s).
    The requirement is to control such that user cannot  access certain values of  Both  A__C  values and  B__C values found in records. In this case,  user is set to access  only  :
    A__C  :   1111
    B__C  :   2222
    A record exist like this :
    A__C     ****     B__C   ****  KF
    1111      ****     3333    ****  $1000
    Question:
    1.  when the query is executed, authorization check is ok for  A__C  and the query should execute.
    But given that this user is not authorized to B__C  = 3333,   will the KF value of $1000  be displayed by the query at runtime assuming the query only is selecting A__C and the KF?
    If it does not show results or shows 'not authorized' , can I say it's due to B__C = 2222 is granted and not B__C = 3333 was granted?
    Else if it does show the $1000, can I say that even if B__C  is set = 2222 in the user profile / authorization object assigned,  there is no effect of authorization in this case and the record having B__C = 3333 will be displayed with the KF value (B__C value still will not be shown as its not in the query definition).
    2.   Assuming char C is defined in the query and aggregation level,  must this be individually restricted (i.e set auth of  C = value1, value2 .....)  in authorization object or roles in order that the effect of A__C is achieved where authorization values for A__C is defined by  setting auth of A__C = value 1, value2 ...?
    Scenario A:  char C is in the aggregation level but not used in the query definition in the rows and filter.
    Scenario B :  char C is in the aggregation level and used in the query definition in the rows.
    What would the result be in the above 2 scenarios ?
    Hope to get enlightened about this aspects.
    Thanks in advance.
    Best regards
    PRex
    Edited by: pointes rexiproca on Apr 3, 2008 6:21 PM
    Edited by: pointes rexiproca on Apr 3, 2008 6:22 PM

    Dear Pointes,
    For management authorization by navigational attribute, I suggest the following steps:
    1.     Should check the attribute setup of “A” and “B” InfoObject in Tcode RSD1, and be sure if they are relevant of authorization. Remember, in BI2004s the attribute navigational are different component authorization.
    2.     Then, you should check your analysis authorization in Tcode RSECADMIN Authorization and verify which these attributes navigational A__C and B__C are included in analysis authorization, and what value do they have? Be careful which logical sign “<, >, =…”. Also, remember include colon “:” value in each attribute navigational to avoid problems.
    3.     Before that, you should check the queries structure and be sure if these attributes are like an entry variable authorization.
    I hope that can help you,
    Luis
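
The scenario in this last thread (A__C filtered to 1111, B__C flagged but absent from the query) can be worked through with a small model of the check. This is an added example, not SAP code and not from any poster: `check_query`, `Query` and the scenario functions are hypothetical names, and the model is a simplification that assumes each authorization-relevant navigational attribute is checked as its own characteristic, with ":" covering aggregated use and "*" covering everything; hierarchy authorizations and the special 0TCA* characteristics are left out.

```python
# Simplified model (an assumption, not SAP code) of the BW 7.x analysis
# authorization check for authorization-relevant characteristics.
from dataclasses import dataclass, field

AGGREGATED = ":"   # colon authorization: characteristic only used aggregated
ALL_VALUES = "*"   # full authorization


@dataclass
class Query:
    # characteristic -> set of filtered values;
    # an empty set means "in the drilldown without any filter"
    selections: dict = field(default_factory=dict)


def check_query(auth_relevant, user_auth, query):
    """Return a list of (characteristic, reason) denials; empty = authorized.

    auth_relevant: characteristics flagged authorization relevant in the
                   InfoProvider. A navigational attribute such as 'A__C' is
                   its own entry, independent of 'A' and of 'C'.
    user_auth:     characteristic -> set of granted values (may hold ':' or '*').
    """
    denials = []
    for char in sorted(auth_relevant):
        granted = user_auth.get(char, set())
        if ALL_VALUES in granted:
            continue
        if char not in query.selections:
            # Not in filter or drilldown: data is aggregated over this
            # characteristic, which is what the ':' value authorizes.
            if AGGREGATED not in granted:
                denials.append((char, "needs ':' (aggregated) or '*'"))
            continue
        selected = query.selections[char]
        if not selected:
            denials.append((char, "unrestricted drilldown needs '*'"))
        elif not selected <= granted - {AGGREGATED}:
            missing = sorted(selected - granted)
            denials.append((char, f"values not granted: {missing}"))
    return denials


# Constructed scenario from the thread: both navigational attributes are
# flagged; the query filters A__C = 1111 and does not use B__C at all.
RELEVANT = {"A__C", "B__C"}
QUERY = Query(selections={"A__C": {"1111"}})


def scenario_values_only():
    # User holds A__C = 1111 and B__C = 2222, but no ':' for B__C.
    return check_query(RELEVANT, {"A__C": {"1111"}, "B__C": {"2222"}}, QUERY)


def scenario_with_colon():
    # Same user with ':' added for B__C: the query runs and the key figure
    # is aggregated over every B__C value, including 3333.
    return check_query(RELEVANT, {"A__C": {"1111"}, "B__C": {"2222", ":"}}, QUERY)


if __name__ == "__main__":
    print("values only:", scenario_values_only())
    print("with colon :", scenario_with_colon())
```

The check is all-or-nothing per query: a denial rejects the whole selection rather than silently filtering rows, which is why a ":" grant on B__C exposes totals that include B__C = 3333.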
