Authorizations migrations....

Hi all,
  Now our project in the upgrade position.i have to taken care about the migration work for authorization..please respond any one for my questions...
1) Total we have 28 authorization objects.In these 5 authorization obj are based on the hierarchy obj's.how can i migrate the these obj's.
2) At the time of migration i have to instal any sap defiend roles or obj's.?
3)IN the migration   i want to elemenate the some roles and users.how can i elemenate.For example...we have two users with haveing two aauth obj's a1 & a2.user one haveing both obj's and the second user haveing only a2 auth obj. i dont want to incude the second user in migration(i want to delete) ,how can i do this one...?
4) If any one have a step by step approach to do the migration manually... please forward it to me.
<removed-by_moderator>
Thanks
Bharath

Cross-posting is not allowed, as in [this thread|Authorizations; where you wrote:
> after your response i will assign the points and close the thread.
Thread locked => and read the rules of engagement of this site.

Similar Messages

  • Analysis Authorization Migration Question

    Analysis Authorization Migration Question
    This is detail Question
    1)     I am testing Analysis Authorization Migration in NW2004s SP9 and have applied all OSS notes that are relevant to SP09 and are coming in SP10.
    2)     We have 2 Info object flagged as Authorization relevant 0COMP_CODE and 0COSTCENTER
    3)     We have Object level security set-up in BW 3.x system and for a role we have specified values like 0COMP_CODE has value 1000, 1800. “:”. In the same role we have specified 0COSTCENTER value 130001 to 180001, “:”  and hierarchy node.
    4)     When we migrate to Analysis Authorizations, using RSEC_MIGRATION, this program creates 2 Authorizations ZCOCODE00 & ZCOSTCTRH00. Both of them have 0COMP_CODE and 0COST_CENTER Objects.
    5)     ZCOCODE00 authorization gets value 0COMP_CODE values 1000, 1800. “:” and 0COSTCENTER Value “:”.
    6)     On the same line ZCOSTCTRH00 gets value 130001 to 180001, “:”  and 0COMP_CODE “:”.
    1st Question:
    1)     Why does it create 2 Authorizations?
    2)     During Checking it does not pass the authorizations, because it seems to me that it fails in Optimization process.
    3)     I manually merge the authorizations in “ONE” object then authorization check passes.  In other word if I combine ZCOSTCTRH00 & ZCOCODE00 then Query authorization check passes.
    Any one is struggling on this.
    Please note, I am doing Migration so that it updates existing Profiles (Roles now from SP9).
    Any comments will be very help full.
    Pankaj Gupta

    Hello Pankaj
    There are some basic misunderstandings on your side.
    Let me try to clarify:
    First we should distinguish between migration of authorizations and of what a query does with them.
    You had 2 auth objects before migration (in 3.x).
    Of course, they must be migrated to 2 new analysis auths.
    There is no general possibility to combine authorizations to a single one as the may appear in different roles and users. Moreover this would kill performance and finally, nobody would recognize the origin.
    Only in very restricted cases one could think of a combination of auths which come out of migration. But, then people loose overview about what goes on.
    Before the corrections in note "Migration IV" the : had not been inserted but now it is for good reasons.
    Now, accept for the moment that you receive 2 auths.
    Then, you cannnot (must not) combine the 2 resulting authorizations!
    <b>Authorization 1</b>
    COMP_CODE : 1000, 1300, “:”
    Cost Center : “:”
    <b>Authorizations 2</b>
    Comp_Code “:”
    Cost Center : 3100001-31999999; “:” plus a Hierarchy Node.
    This means that e.g. combination
    COMP_CODE 1000
    COST_CENTER 3100001-31999999
    <u>is not allowed!!!</u> Therefore, they must not be combined!
    Also, the query and its optimization is comepletely independent of the migration. And here, during query run time the auths cannot be combined. It is no failure!
    Moreover, the merging optimization is just a performance optimizaiton and has nothing to do with whether the query result is authorized or not.
    If you combine them manually you have authorized different combinations.
    Well, now you may wonder why you get 2 auths at all which leads to a "no auth" result in the query execution.
    The reason is, that in 3.x where you got a result with your 2 auth objects the modeling was wrong.
    If you want to authorize any combination of characteristic values, you should combine these characteritics together in one auth object, not in 2!
    (In BI7.0 it works like that but not in 3.x)
    But you defined 2 which may be valid even in several other InfoProviders independently and not even at the same time. Moreover, the auth objects may come from different roles and may be assigend to different users which then have completely different auth content. In general it is not possible to combine different auth objects or to find out those special situations which nevertheless allow for such optimizations. If you re-do a migration with more objects and users you could even receive different results which is also not satisfying.
    Therefore, instead, the mechanism was introduced to insert a : auth to those characteristics that are auth relevant (and checked now with 7.0) but not in the currently processed auth object.
    In you special case it may have made sense to combine them but not in general. And a migration can only try to work as general as possible.
    For your application you may combine the 2 auths manually if you want to allow also the crossover combinations
    COMP_CODE 1000
    COST_CENTER 3100001-31999999
    Best regards
    Peter John
    BI Development

  • Report Authorization issues after Authorization Migration in BI 7.0

    Hi SAPians,
    we are facing report access for the customers after migration of authorizations (3.x to 7.0). All these are Customer reports and need to restrict their customer codes only. In two ways, i have tried to resolved this.
    1. Roles - Maintained Customer Number in the authorized object CUSTOMER - Not working.
    2. Created new authorization object through RSECADMIN and maintained the Customer Number with proper activity, validity etc.. - Not Working
    (For Ex. Customer Number is "11500" and length of Char is 10)
    While executing the report, i am getting below error:
    Value "0000011500" for variable "Customer Authorization(Multiple Optional)" is invalid
    Message no. BRAIN643
    Diagnosis
    Characteristic value "0000011500" is not valid for variable Customer Authorization(Multiple Optional).
    Thanks and Regards,
    Venkat

    Hi,
    It depends of the way your authorizations has been setup. If you did it role based or profiles direct to the customer. You should also look into the fact that the migration tool can create direct a profile (not a role with a profile). My way of working in a role based application was that I looked for the roles with objects s_rs_mpro, s_rs_icub, s_rs_odso, s_rs_iset(these are the objects that needs to be replaced with RSECADMIN) and the own build objects with rssm. I added the authorization object s_rs_auth to the role and the new objects made with RSECADMIN. If you transport then the roles and objects made in RSECADMIN it works good. Bottom line beaware of profiles that are not created by the profile generator.
    Have fun
    Jan van Roest

  • Running Service pack and Authorization migration at the same time

    Hi BI Experts,
    We are in a situation where planned to run new Enhance pack 3 (from EHP1) in BI 7 system and also in same system migration of Bw 3.5 Authorization concept to BI 7 analysis Authorization. Both the activities are planned at the same time in same system.
    Do you guys see any risk running two activities at the same time in same BI 7 system?
    Would you please highlight your thought or opinion on this?
    My System is on BI 7.0 with EHP1, Authorization still using 3.5 concepts
    Br
    Deepak

    I got the way , no need to reply to this query.
    Br
    Deepak

  • Authorization Migration BW 3.5 BI 7.0

    HI all,
    I notice, there are a lot of documents about the authorization's migration;
    In spite of this fact some aspect  for me  is not still  too clear.
    I have BW 7.01 with a very simple authorization scenario.
    In fact all the roles are used just to allow the users to access to informations of a specified Cube (Ex. ZUSER1 can access just  all the cubes which the technical name start by ZPC*).
    I tried to migrate this scenario with the program  RSEC_MIGRATION .
    Now, the authorizations that before the migration were in the authorization object S_RS_CUBE seem to be in the object 0TCAIPROV (I understood well?), but when I try to open that interval with RSECADMIN  transaction, the system warning me that "0TCAIPROV is not a relevant auth object."
    I have to change the configuration of the infoobject in business Explorer and  to flag auth Relevant?.
    If anyone have an "how to" that can help me I'll be grateful to him if he'll send it to me.
    Best regards.
    Rino

    Check the link below.
    http://wiki.scn.sap.com/wiki/display/BI/Authorization+in+SAP+NW+BI
    Check the differences and it gives the whole insight.
    Cheers!
    Suyash

  • Authorization migration in BI 7.0 from BW 3.5

    Hi Guys,
    Can anyone shed some light on whether RSEC_MIGRATION needs to run in every single BI 7.0 system or if changes can be transported from DEV to QA to PROD.
    Thanks
    Krish

    Hi,
    It depends of the way your authorizations has been setup. If you did it role based or profiles direct to the customer. You should also look into the fact that the migration tool can create direct a profile (not a role with a profile). My way of working in a role based application was that I looked for the roles with objects s_rs_mpro, s_rs_icub, s_rs_odso, s_rs_iset(these are the objects that needs to be replaced with RSECADMIN) and the own build objects with rssm. I added the authorization object s_rs_auth to the role and the new objects made with RSECADMIN. If you transport then the roles and objects made in RSECADMIN it works good. Bottom line beaware of profiles that are not created by the profile generator.
    Have fun
    Jan van Roest

  • Authorization Migration Effort

    Hi Experts,
    We are planning to upgrade BW3.0 to NW2004S BI. Understand that migrating from report authorization to analysis authorization is strongly recommended, we are planning to take that approach.
    Can you advise me what are the factors we should use to consider on estimation of the effort for such a migration? And how much effort is usually required from other projects?
    Thanks.
    Peter

    Hi,
    It depends of the way your authorizations has been setup. If you did it role based or profiles direct to the customer. You should also look into the fact that the migration tool can create direct a profile (not a role with a profile). My way of working in a role based application was that I looked for the roles with objects s_rs_mpro, s_rs_icub, s_rs_odso, s_rs_iset(these are the objects that needs to be replaced with RSECADMIN) and the own build objects with rssm. I added the authorization object s_rs_auth to the role and the new objects made with RSECADMIN. If you transport then the roles and objects made in RSECADMIN it works good. Bottom line beaware of profiles that are not created by the profile generator.
    Also pls chk this links:
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/ded59342-0a01-0010-da92-f6b72d98f144
    SAP BI Security Features
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/659fa0a2-0a01-0010-b39c-8f92b19fbfea
    BI Authorizations for Reporting
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/a6c54319-0e01-0010-20a4-fb81ad32f330
    Hope this helps,
    regards
    CSM Reddy

  • Authorization migration – from BW2004 to BI2004s

    Dear Experts,
    I’m working in a project migration from BW production (Ver 3.5) to BI development (Ver 7). My questions are the follow:
    Before migration the reporting user role and administration user role through report RSEC_MIGRATION, I need transport all of role from BW2004 to BI2004s and after that migration in BI2004s environment. What would I do before use to report RSEC_MIGRATION? I have to transport by transaction RSA1 in BW2004 or transaction PFCG and creating customizing package.
    Thank for all,
    Luis

    Dear Chetan,
    I try to explain with more detail:
    I need to understand all process…
    Before upgrade(from 3.5 to 7.0) I have some role in 3.5 Prod. After that I transport the role in 3.5 Prod to 7.0 Dev. Them I migrate trough transaction SE38 with RSEC_MIGRATION all of roles transported from 3.5 Prod.
    Thank for all,
    Luis

  • Analysis Authorization (Role, Profile and Direct Assignments)

    <b>Analysis Authorization Question:</b>
    1)     In BW 3.x environment, customers have used Role Maintenance Process to assign proper object level security and then assign to the users.
    2)     Most of the places R/3 security team takes over support/administration function of BI Security and they continue to use Role method to assign “Reporting Authorizations” as per the process defined in BW 3.x system.
    3)     Customer sometime have 100 + Roles to have 3.X “Reporting Authorizations”. This is Managed, assigned, approved using role concept.
    <b>
    Migration Options:</b>
    1)     New Analysis Authorization makes process of Role Maintenance like "hierarchy authorizations" of BW 3.x. You have to create Value in other transactions and assign them in Role as a pointer or link object. With Analysis Authorization concept, Actual value of the Object Assigned “Like Company code 1100” not visible in Role Maintenance PFCG transactions. It is only visible in Transaction code RSECADMIN.
    2)     Analysis Migration Tool - RSEC_MIGRATION does not update “ROLES”. It creates or changes “PROFILES”.
    3)     Profiles are assigned to the users and Roles does not reflect any Impact by Analysis Authorization migration.
    <b>Questions</b>
    a)     This means customer need to update all the roles by hand. If they want to use Roles to manage the assignment of the Security to users. Migration Tool does not update Roles, it only updates PROFILES.
    b)     Does any one use direct assignment to Users? It is good business practice?
    c) Is <b>Profiles</b> recommended method of Authorization Maintenance?
    d) Can we run migration tool to create Analysis Authorizations, but not assign to the users as a Profile. But stop at creating Analysis Authorizations. If Customer wants to use Roles maintenance process then, they can do not have delete profile assignments from all users before updating Roles using Analysis Authorizations.
    Just want to check how other folks have done migration that can be supported going forward.
    Pankaj Gupta

    Hey Pankaj,
    In general, assigning the analysis authorization directly to user makes a lot of sense for granular levels of authorization. For example, if you had 3,000 users, 3,000 specific authorization combinations, and 3,000 roles, using roles is a lot of additional overhead. If you had 12 roles and 3,000 users, your role concept makes a lot of sense.
    Therefore, the recommendation is that it varies on what makes the most sense logically. Authorization groups can be created to group analysis authorizations and combine them. Also, you have the ability to generate analysis authorizations using the Content Datastores for this. That is an option as well.
    RSEC_MIGRATION does use profiles as you've stated. If you want, there would be manual work to convert to roles afterwards. In case you haven't seen Marc's presentation on security, it's pretty good and covers how to generate authorizations from the datastore.
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/media/uuid/ac7d7c27-0a01-0010-d5a9-9cb9ddcb6bce

  • What is Analysis Authorizations in BI 7.0?

    Hello BW Gurus,
    Greetings!!!!
    Please forward the relevant documents (<b>Analysis Authorizations and also about data migration from 3.0 to 7.0</b> ) to the ID- <b>[email protected]</b>
    Points will be rewarded..
    Best Regards,
    Priya

    Hi Priya,
    These would be great help to you,
    Upgrading to SAP NetWeaver 7.0 BI - The Details doc.
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/10564d5c-cf00-2a10-7b87-c94e38267742
    Please check these blogs for full details:
    /people/prakash.darji/blog/2006/09/22/rolling-out-the-new-sap-netweaver-2004s-bi-frontend-tools?page=last&x-showcontent=off&x-order=date [original link is broken]
    https://weblogs.sdn.sap.com/pub/wlg/4668?page=last&x-order=date [original link is broken] [original link is broken] [original link is broken]
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/6a19f233-0e01-0010-6593-c47af5a8df3b
    Some Insights..
    NW2004s Upgrade - Front-End Migration Strategy
    https://forums.sdn.sap.com/click.jspa?searchID=3914335&messageID=2331907
    Migration of Data Sources
    https://forums.sdn.sap.com/click.jspa?searchID=3914335&messageID=3369391
    Migration - Web Templates from 3.x to NW2004s
    https://forums.sdn.sap.com/click.jspa?searchID=3914335&messageID=2052465
    Migration question
    https://forums.sdn.sap.com/click.jspa?searchID=3914335&messageID=2935414
    Migration Transformation NW2004s Datasource
    https://forums.sdn.sap.com/click.jspa?searchID=3914335&messageID=3034054
    Analysis Authorization Migration Question
    https://forums.sdn.sap.com/click.jspa?searchID=3914335&messageID=2537477
    NW2004s Data flow
    https://forums.sdn.sap.com/click.jspa?searchID=3914335&messageID=3447826
    Visual composer migration
    https://forums.sdn.sap.com/click.jspa?searchID=3914335&messageID=3775098
    Rfer thez threads.. u will get good idea..
    /thread/439486 [original link is broken]
    /thread/377643 [original link is broken]
    Migrate Transformations
    /message/3034624#3034624 [original link is broken]
    /thread/178564 [original link is broken]
    For Data Flow:
    http://help.sap.com/saphelp_nw2004s/helpdata/en/43/f00e2696d24c5fe10000000a155369/content.htm
    /people/prakash.darji/blog/2006/09/22/rolling-out-the-new-sap-netweaver-2004s-bi-frontend-tools
    Assign points if it helps,
    Regards,
    Mani

  • Dynamic Authorization in Analysis Authorization

    Hi All,
    We are planning to migrate 3.x Authorization Migration to Analsysis Authorization. We have implemeneted Dynamic Authorization
    concept which is using Customer Exit Variable. Now Kindly Guide me how I can retain the the same Dynamic Authorization Concept in New Analysis Authorization.
    Regards,
    Amit

    Hi Amit,
    Below article will helpful:
    http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/f0f9f33c-0f17-2d10-d3a2-ae52ccd00780?QuickLink=index&overridelayout=true
    http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/90f762d1-538b-2d10-1695-899a8bb165df?QuickLink=index&overridelayout=true
    Hope this helps!
    Amandeep Sharma

  • Scenario in Analysis Authorization to check

    Hi Gurus,
    I am doing a POC for Migration of Analysis Authorization Migration. In which there isone scenario that we want to check.
    The Scenario is for Single user.
    User having access to 2 different Cubes:-
    Cube 1                                                   Cube 2
    Company Code:- XYZ                           Company Code :- *
    Now How can we acheive this scenario in Analysis Authorization.Please guide.
    Regards,
    Amit

    Try this
    AA #1
    0TCAACTVT                                               03
    0TCAIPROV                                                 Cube1
    0TCAVALID                                                 *
    0COMP_CODE                                             XYZ
    All other objects auth-relevant for Cube1   :
    AA #1
    0TCAACTVT                                               03
    0TCAIPROV                                                 Cube2
    0TCAVALID                                                 *
    0COMP_CODE                                             *
    All other objects auth-relevant for Cube2   :

  • Authorization infoobject provided by SAP

    Hi All,
    I want to know which are authorization relevant infoobject provided by sap?
    I know there name is starting witha 0TCA
    I know few of them 0tcakyfnm, 0tctaiprov, 0tcavalid, 0tcaactvt, 0tcaifarea, 0tcarecmod,0tcatxtlg,0tcatxtmd,0tcatxtsh,0tcalang and the key figure is 0tcacount.
    are these are all or there are some more?
    if anyone is having some information regarding authorization  infoobject
    0tcaifarea,  0tcarecmod, 0tcatxtlg, 0tcatxtmd, 0tcatxtsh, 0tcalang and the key figure is 0tcacount
    please forward it to me.
    Regards,
    Deepak

    Hi,
    please introduce "rsecadmin 0TCAIFAREA" in the search box on the right top of the page, you will find 3 items that will explain you the usage of all these objects.
    1) Analysis Authorization Migration Question.
    2) Authorization in SAP NW BI - Business Intelligence - Wiki.
    3) An Expert Guide to new SAP BI Security Features.
    Hope this help.
    Riccardo.

  • Authorization in BI7.0 - Estimation

    Hello Experts,
    We need to provide Estimation for Authorization Migration in BI7.0.
    Client is getting migrated from 3.x to Bi7.0 now and we need to provide this estimation.
    Can any one help me with the number of Man days for this aspect and the different topics which we need to take care of BI7.0 Authorization changes with respect to 3.x?
    Thanks in advance for your help.
    Raman

    HI Raman,
    We have recently migrated from 3.5 to BI7. It took 4 months to ramp up the project.
    Stages:
    Project preperation:
    Auth requirement collection.
    identification and assigment of data ownership(identify auth objects, roles and profiles).
    freezing requirements
    Installing BCT for new auth
    System Bulid activities:
    review migration of auth objects.
    perform manual adjustments to bjects or queries..
    User system/acceptance testing.....
    Testing by users....
    Go live........
    Regards,
    Raj

  • Visual Studio Online- Features and pricing.

    I am TFS Admin in my organization and we(approx 100 users) have Visual Studio Professional
    with MSDN subscription and i want to know about following things:
    1. Is Visual Studio Online free for me(as we have MSDN Professional license)?
    2. How much storage(on cloud) we can get with this subscription ,as we have thousands
    of applications to store?
    3. What are the features available for me with my current(Visual
    Studio Professional with MSDN) subscription.
    4. is there any other cost or pricing which i will have to pay in order to use Visual
    Studio Online?
    5. Authorization
    migration from existing project : If we migrating from an On-Premises Team Foundation Server to Team Foundation Service:
    1. IS source code history preserved
            2. Are we able to migrate WorkItems with history.
    6. SharePoint Integration with Team Foundation Service: Does
    hosted team foundation service support integrate with SharePoint.

    I have Visual Studio Professional with MSDN subscription and i want to know about following
    things:
    1. Is Visual Studio Online free for me?
    2. How much storage we get with this subscription?
    3. What are the features available for me with my current(Visual
    Studio Professional with MSDN) subscription.
    4. is there any other cost or pricing which i will have to pay in order to use Visual
    Studio Online?

Maybe you are looking for