Authorization variable URGENT

Similar Messages

• SAP BO WebI Report on top of BI Bex Query with Authorization Variable

  Hi,
       We are trying to restrict row level data using BI 7.0 analysis authorization concept. We have an authorization variable in the Bex query and is working perfect in Bex Analyzer as well as in RSRT.
  Now we are trying to achieve the same thing in BO webI. We created an Universe using Authentication Mode SSO. We are on BOXI 3.1 and implemented SSO. When we try to run the query in WebI we get the error
     "A database error occured. The database error text is: Error in MDDataSetBW.GetCellData..(WS 10901)"
  Just for testing purpose, when we use query filter in WebI and use Values from List, it is showing only the authorized value it supposed to show and runs well with that value selected. But we have to achieve this without the query filter in WebI.
  So are we missing some thing here or any patch issue? Please share if you have done this type of reports in BO.
  Thanks in advance for your help.
  Moorthy.

  Yes I did run MDXTEST and it gives error as 'you do not have sufficient authorization'. The reason it is giving, I guess and we are debugging that to confirm, is first it looks for 0BI_ALL and throws error which is not the case in Bex. See the following trace in RSRT trace.
  InfoObject Properties Defined
  Reading of Directly Assigned Authorizations
  Direct Assignment Does Not Include Universal Authorization 0BI_ALL
  Reading the Indirect Assignments with Authorization Object S_RS_AUTH
  Does user have OBI_ALL?
  No, the User Does Not Have Universal Authorizion 0BI_ALL
  Negative Entry in SU53 Result of Failed Check for 0BI_ALL
  Indirect assignments found; no universal authorization
  Reduction of Authorization Dimensions on Characteristics in InfoProvider
  Reduction Successful
  Thanks!
  Moorthy

• Authorization Variable doesn't work in Workbook

  Hi all,
  I have defined authorization variable for a characteristics in Query. When I run the query, the variable's value can be derived from user's authorization. But when running in workbook, it doesn't work. The value is empty and workbook shows "No Authorization". Does anyone have the same problem?

  Dear Eric,
  Are you sure that you have enabled the authorization object for your InfoProvider? This is something that has to be done in transaction RSSM after an authorization object as been created.
  Greetings,
  Stefan

• Authorization issue : Urgent

  Hello BW folks ,
  I have created an authorization for 0COMPANY but not working .
  I followed below steps ,
  1. Checked the check mark for  infoobject 0COMPANY for authorization relevant and activated the object.
  2. In T code  RSSM , I created ZCOMPANY and assigned 0COMPANY to it.
     The selected the required infocube in which it is present. saved it.
  3. Then in T code  PFCG in the required role I went to Authorization tab and then
      clicked on 'manually '  , there I eneter the ZCOMPANY and from value as 1000
      and Generated the object properly.
      ( I also tried to put  : and ;  after 1000 but do not work ).
      then come back and compare user selection.
      All the users are maintained properly in the given role.
      Saved the role. The query is also maintained under this role.
  4. Then in the query drag drop the 0COMPANY in the free characteristics area.
      Created a variable on it .
    When I execute the query with the user login which is restricted for the authorization of  0COMPANY of value 1000 , I can see that the same user can get the data for other values of 0COMPANY .
  It means this procedure does not work and I am not able to restrict the user for a particular value of 0COMPANY.
  Please suggest way to correct this issue.
  Regards ,
  Amol Kulkarni.

  Did you create the restriction on 0company io by creating the authorization variable correctly?
  In your case, the variable definition should look like this.
  Type of variable - Char value
  Processing by - Authorization
  Reference char - 0company.
  you can do also try to turn on the trace to see if the auth object you have created is getting used or not.
  -Saket

• Webi  Bypassing BEx Authorization Variable with SAP Exit

  BEx query has Hierarchy Node Variable with Authorization as processing type. Its set as User Input ready
  When the Webi report is refreshed, the LoVs appear as per the Authorization. However, if user doesn't select any value (pushes from right to left in variable screen) he gets NOT_AUTHORIZED error. Which is not intended, it should check the authorization in the background via SAP exit and populate the result. This is how it runs inBEx query.
  However, in Webi it's giving NOT_AUTHORIZED error? This is how the product is designed to work or is it a bug.
  I see several forum threads and SAP KBAs/notes but they are not answering my question. Could anyone please help.
  I am ready to provide more details on this error.
  Thanks,
  Tilak

  Hi,
  this is how authorization variable would work in any of the clients and not just Web Intelligence.
  You created an authorization variable which is configured as "read for input", so the user is getting prompted.
  So In Web Intelligence the LoV shows up.
  if the user does not select a value, then you are not sending a value, so you basically asking for all data and you are not allowed to see all data and therefore you are getting the message "no authorization".
  if you are making authorization variables as ready for input then the user needs to select the proper values - regardless of the BI tool.
  if you want the authorization to be check in the background then the authorization variable should be configured to not have ready for input.
  regards
  Ingo Hilgefort

• Authorization Variable values in BEX.

  Hi all,
  I have a report with an authorization object (for example 0COUNTRY) restricted to an authorization variable.
  The object restricts the report according to the user's role. I want a user, with multiple country authorization, to be able to run the report on a few countries that he is authorized to see. For example he is authorized to see US DE FR & CH, and wants to run the report on DE & FR.
  So, I created the authorization variable "Ready for Input", but now when the user runs the report he <b>can insert</b> other values but when he click on the options he can choose from (F4),<b>he can't see the texts</b> (DE - Germany, FR - France) and he gets the message:
  <b>"BRAIN655 - No values available or not authorized to display"</b>
  Full points for the answer promised.
  Many thanks, Yaniv.

  I've done these steps when I createted this object long ago. I have no problem with the authorization itself. it works great.
  You are right, the selection option window shows the values US DE FR & CH, but I want the user to see the description also (when pressing F4) so he will be able to tell which countries to choose . that is when the message pops up.
  <b>It is like the user does not have the authorization to view the 0COUNTRY values and their texts</b>.

• Problem with Selection screen values of an authorization variable

  hi Gurus,
  I have an authorization variable for Division in my queries....Now whenever a user tries to run the query...a list of divisions is available to him....All divisions for which he/she has proper roles assigned.
  Now the problem is that these values are not restricted to the ones relevant to that query (namely the multi provider)
  Eg. for a Flowers Query (divisions relevant to Flowers only) all the divisions (including the ones for Vegetables, Crops etc.) are also visible only because these roles are also assigned to the same user. This needs to be avoided.
  In a nutshell....
  Is their any way by which i can restrict the number of values popping up for an authorization variable in the selection screen, to only those values which are relevant to the info-provider on which the queries are based ???

  hi Deepu,
  I did go through that SAP note. I just have one concern regarding that. The check at the Info provider level is clear enough and i already have that in place. Now there are 2 more checks required a) at the info object level and b) at the BEX designer level.
  Are all three checks required???
  and also how do you  place the check at the BEX level??? i could not quite figure that one out...
  Any inputs would be welcome.
  Thanks,
  Nikhil

• Authorization variables are used by each query

  Hi,
  I am working with BW 3.5. I need to check how many authorization variables are used by each query.
  Is the any table which shows this?
  I know in RSZGLOBV i can display all the Auth. Variable at the system but i don't have such relation with the queries...
  Thanks in advance,
  F

  Hi,
  Get the UID of your query from the query designer (select query in the properties window, goto Advanced tab).
  Pass it to table RSZELTXREF (pass query UID to field SELTUID and 'VAR' to field LAYTP). This gives the list of variables used in the query. Now got to table RSZGLOBV, pass all the variable IDs (field values for TELTUID from table RSZELTXREF) to the field VARUNIID and restrict VPROCTP to '6'. This gives a list of all the auth variables used in a query.
  Regards,
  Murali.

• Authorization Variables ready for input

  I have a problem whit a variable, is an authorization variable and ready for input, but when i use this variable and clean the input box this variable don't works as an authorization variable...
  I hope that this variable return all the values where the user has authorization but it return ALL values and not only where the user is authorized...
  How can I make that a blank variable gives me all the values the user is authorized to see?
  Hope someone can help me!
  Best regards
  Enrique

  Steps that you may be missing:
  1. Make the info object authorization relevent. You make this setting in info object maintenance screen -RSA1 .
  2. Create a authorization objects in RSSM for this object.
  3. Maintain values for this object in PFCG for the role that you  assign  to the users.
  After that, run the query.
  Ravi Thothadri

• Authorization Variable message

  Guru assistance requested.
  I am testing two separate "test user ID's" for authorization relevant objects.
  Objects are Division / Sales Organization / Plant.
  Test user 1 is functioning correctly.
  Test user 2 is triggering a message when I logon to BEx and choose my query.
  Message dialog box reads:
  "!" Value if variable ZPLNT_XXXX is automatically converted.
  I can not eleminate this message from occuring.
  Test User 1 has authorization restrictions on "Divisions and Plants"
  Test User 2 has authorization reswtrictions on "Sales Organizations and Plants"
  I am not receiving any message with Test User 1 and connot explain the reason behind the above
  information message.
  Any ideas.
  Authorization variables are identical for all three objects and both Test Users have authority to the
  roles with each infoprovider.
  Thanks....Dan

  Sachin,
  I went into Query Designer again and looked at my variables:
  All authority  variables are identical in character definition:
  General Tab: Type of Value = Characteristic Value
  General Tab: Processing by Authorization
  Detail Tab: Multiple Single Values
  Detail Tabl: Variable is Optional ..... ready for input field is "blank"
  This  is my query filter:
  Selection:
  Filter on Variables 0DIVISION / 0CURTYPE / 0PLANT / 0SALESORG / 0FISCPER.
  0CURTYPE is defined for B0 on the COPA InfoProvider.
  All others are Selections are user elected variable options.
  The Authorization variable is a restriction I placed on the "Default Value" of characteristic objects
  0DIVISION / 0PLANT / 0SALESORG
  (So as not to display the object).
  As the user .... I logon to BW.
  Navigate BEx Analyzer >>  Open Query: Choose Query Name then "open"
  At this point the dialog box appears  -- below I select my filter options.
  Dialog box reads:
  There are messages:
  Type" !"  ..... Description: Value if variable ZPLNT_XXXX (my variable name) is automatically converted.
  If the query is the issue .... I would think that this message would appear for both test users.
  Not just User#2.
  Also of note ... I have never seen this message below, but then, I am now just beginning to test
  user "authority variables" over  authorization relevant objects.
  Ant other thoughts.
  Thank you ..... Dan

• Authorization variable defaults to "Exclude"

  Dear Experts,
  We are encountering a user request to have the authorization variable with multiple single values default to "Exclude" instead of "Include" when showing in Portal.
  We have set the plant with Authorization variable representing Multiple Single Values, when we integrated the query to EP, the variable is default to "Include" the authorized plant.
  e.g. UserA is authorized to view the data of PlantAA, PlantBB, PlantCC
  While logon to portal,
  the Vairable is displayed as:
  Plant: PlantAA - Include
           PlantBB - Include
           PlantCC - Include
  How is possible to change the default include to "Exclude'
  like,
  Plant: PlantAA - Exclude
           PlantBB - Exclude
           PlantCC - Exclude
  Thanks for all the inputs!

  Thanks for the reply,
  you kinda misunderstand my question.
  I want to achieve a default "Exclucde" instead of "Include" when calling Authorization variable plant.
  For instance, a particular user is authorized to view 20 plants, he wants the report to display all authorized plant, yet instead of default to including all 20 plants, he wants the report default to Excluding all 20 plants, therefore, he could simply include the plants he is interested in.
  Yet, sadly, I couldn't find a place to change the authorization variable defaults to EXCLUDE.

• Authorization variable

  Hi Bw experts,
  I have implemented the authorization profiles on a hierarchy defined on 0orgunit.
  They work fine, and i have inserted in the report an authorization variable that reads automatically the authorization profile of the users defined in the role assigned (pfcg, rssm..etc).
  Also this variable works..the problem is that if in the report i insert a node selection variable in order to give to user the possibility to select the hier node, it doesn't work. If i don't use the authorization variable it works. Is there a way to utilize both theese variables?
  Thank u,
  Alex B

  Hi
  I there is a way but it may not be very elegant.
  The selected (drill down) hier can be enabled only if it does violate the security, thus if you exclude the non secure nodes on the WorkBook you can then show the rest of the hier.
  Edan

• Authorization Variables with Optional Selection Variables

  Has anyone used authorization variables in addition to optional selection variables?
  I'm getting funny results and trying to figure out why. 
  Here's the scenario:
  InfoObject zcompany has 5 values A - E
  UserX is authorized to see all 5 values in his user profile.
  In the query zcompany has two variables assigned to it. 1 is an optional multiple selection variable, and 2) is an authorization variable
  Here's the funny result:
  User X runs the query and selects company A from the optional selection criteria, he clicks execute and but the results returned are companies A - E.  ?????
  Is there a processing order here?  Are the authorizations being processed last and overwriting the selection criteria?  My users are annoyed with me because they feel like they have to pick everything twice.
  Any help anyone could provide would be much appreciated.
  thanks
  Smitty

  Hey Bhanu,
  thanks for the reply.
  I kinda tried that in the past and found out that it really annoyed my user community.
  I guess im looking for the best of both worlds here, because I like the fact that the authorization variable limits the optional selection values for the users that are only allowed to see one or two things, but for the super users this creates the issue described above because they're allowed to see everything.  But sometimes, the power users only want to see one or two values... and thus the problem above.
  I noticed in the query information the value for zcompany was "Complex Selection" is that the system's way of saying that it's confused?

• Authorization variable - from start to finish? BI7

  Hi all!
  Been spending the bigger part of my working day trying to find out how authorization variables work.
  We are using 0Costcenter to limit what our users can plan on in an input-ready query.
  Right now we have "hardcoded" 12 different reports for 12 different Cost Center managers.
  I want to use only one report instead of 12, so I was thinking about using an authorization variable instead.
  Here's the question -
  How do I go about for using this? What are the different steps needed to make this work?
  I have selected an authorization variable in the query. Next step should be to set authorizations somewhere. So where and how should those settings be made?
  Should this later be saved down to a role - which then is given to a user? It's a jungle out there and I can't seem to find my way...
  Please help!
  Thanks in advance!
  //Anders Jedheim

  I did all that after your advice. Unfortunately - the query is still listing all cost centers. So when I removed the hardcoded costcenter values in the query it lists all of them instead. I have put in an authorization variable but nothing seems to happen. I have created and authorization object in RSECADMIN - selected my aggregation level as infoprovider - selected all the characteristics - * on all excep costcenter - narrowed costcenter down to just one (10146). It seems that RSECADMIN crashes when I want to see what technical character. (from) i can select from. So I just wrote 10146 in that field manually. Don't know if this is correct though.
  I then selected "insert special Characteristics". 3 extra characteristics showed up. All of them needed to be set to "Authorization Relevant" in the Business Eplorer tab in RSA1 for each Characteristics. The system cried a little about this being technical content which will be overwritten in next upgrade or something - but I feel that's a later problem.
  Anyway. I put the auth. object inside a previously created role for a specific report using S_RS_AUTH .
  But as I said earlier - nothing much happened. Any clues to where I need to look deeper? Could the role somehow be granting full access even though we are narrowing it with the auth. object?
  //Anders

• Authorization Variable not prefilling on RRI jump

  Hi,
  I have an Authorization Variable which prefills according to the users authorized values - this works fine in all instance EXCEPT when I jump from another query.
  Has anyone seen this before?
  Anybody know why?
  What is the function which prefills the variable?
  The jump goes to a web analyzer session. The session works fine if I just execute the jump query - but as soon as the url contains passed variables the authorization variable does not prefill.
  eg. http://sldn1450dap:6777/sap/bw/BEx?SAP-LANGUAGE=EN&CMD=LDOC&INFOCUBE=H3FST_M_M&QUERY=QFCMM_AD0060_V2_JMP - works fine, variable prefills
  http://sldn1450dap:6777/sap/bw/BEx?SAP-LANGUAGE=EN&CMD=LDOC&INFOCUBE=H3FST_M_M&QUERY=QFCMM_AD0060_V2_JMP&VAR_NAME=8BBS_ID&VAR_VALUE=43RUCKR22P5SIA2LJXEE2XJBN - variable does not prefill
  Desperate to sort this one out. 2 days to release deadline and spending days on this.
  Regards
  Neville

  Hi Neville,
  First query also has the same authorization variable?
  if yes it should work.
  Otherwise add the same object and variable in the first query also.
  Regards,
  Vijay.