BEx Query Authorization

Similar Messages

• BEx query Authorization works in BW but fails in WebI

  Have a BEx query which has 5 fields marked as authorization relevent.  Some of the fields use BW Auth variable in the BEx query, although not all fields do.  The BEx query runs fine and does not throw any authorization failures.  One of the fields is Org Unit, which uses hierarchy node variable.  This field and its user variable exist in two different queries, using different multiprovider. 
  One BEx query and its corresponding universe and WebI report fails when user tries to refresh Org Unit prompt values in WebI, however a secondar query with identical field and variable does not fail.  A trace on BW side does not reveal any authorization failures.  We tried refreshing the universe and even creating a whole new universe, refreshing it, etc.. however the issue is not resolved. 
  Has anyone seen this problem before?  If so, how did you resolve it.

  Hi,
  You need Single sign-on (SSO).
  Regards

• SAP BO WebI Report on top of BI Bex Query with Authorization Variable

  Hi,
       We are trying to restrict row level data using BI 7.0 analysis authorization concept. We have an authorization variable in the Bex query and is working perfect in Bex Analyzer as well as in RSRT.
  Now we are trying to achieve the same thing in BO webI. We created an Universe using Authentication Mode SSO. We are on BOXI 3.1 and implemented SSO. When we try to run the query in WebI we get the error
     "A database error occured. The database error text is: Error in MDDataSetBW.GetCellData..(WS 10901)"
  Just for testing purpose, when we use query filter in WebI and use Values from List, it is showing only the authorized value it supposed to show and runs well with that value selected. But we have to achieve this without the query filter in WebI.
  So are we missing some thing here or any patch issue? Please share if you have done this type of reports in BO.
  Thanks in advance for your help.
  Moorthy.

  Yes I did run MDXTEST and it gives error as 'you do not have sufficient authorization'. The reason it is giving, I guess and we are debugging that to confirm, is first it looks for 0BI_ALL and throws error which is not the case in Bex. See the following trace in RSRT trace.
  InfoObject Properties Defined
  Reading of Directly Assigned Authorizations
  Direct Assignment Does Not Include Universal Authorization 0BI_ALL
  Reading the Indirect Assignments with Authorization Object S_RS_AUTH
  Does user have OBI_ALL?
  No, the User Does Not Have Universal Authorizion 0BI_ALL
  Negative Entry in SU53 Result of Failed Check for 0BI_ALL
  Indirect assignments found; no universal authorization
  Reduction of Authorization Dimensions on Characteristics in InfoProvider
  Reduction Successful
  Thanks!
  Moorthy

• Need your help !!! -- Authorization error for Real-Time Bex query

  Dear experts:
  I have a Bex query built on a multiprovider, this multiprovider is consist of one standard cube and one real-time cube(virtual provider). When I run this query, I can retrive the data and no error occured, but when others execute this query, they will get the error message below:
  Operation Generate a Request could not be carried out for DTP DTP_D7JVT8DGBQWPWL13VIUITNODG
  You do not have authorization for the data transfer process
  Errors occurred during parallel processing of query 2, RC: 3
  Error while reading data; navigation is possible
  Row: 54 Inc: WRITE_MESSAGES Prog: CL_RSDR_AT_QUERY
  I used tcode rsecadmin to track the authorization, when I execute as user XXX, I can get the same error above, but when I go to "Display Log", no error showed there.
  Did anybody meet the same error before? How to resolve that?
  Any post would be appreciated and thank you all in advance!
  Tim

  I think there is some missing authorization,here
  the user has no access to execute the DTP.
  You can analyse it in rsecadmin or also see
  which object you are getting in su53.
  Thanks,
  Saveen

• BI Bex Query prompt based on User's Authorization....

  Hi
  In BI, I created 1 BEx Query based on Authorization. If a user runs the query, it prompts for 'Customer Name' to get data of particular customer. And Customer values are populated in the prompt based on User's Authorization.
  For example:
  User1 is authorized to see data of Customer1 & Customer2. So, Query prompt will show 2 values: 'Customer1' & 'Customer2'.
  But User2 is authorized to see data of Customer1, so Query prompt will show 'Customer1' only.
  I created 2 variables on Customer field:
  1) Authorization Variable in Filter Section
  2) Manual, Single Entry, Mandatory on Default Value section.
  My Requirement:
  If user is authorized to link with only 1 Customer, he should not get prompt & on the background prompt value should be populated from his authorization value. But if user is authorized to see multi-customers, then prompt should appear.
  If possible pls. provide some suggestions....
  Thanks...

  Yes, this can be done.
  but there is little work around.. Using guided navigations
  1. Create a report with column fx as case when 1=0 then markets.region else user() end
  2. apply filter on this column is equal to User_1
  3. Create another report with column fx as case when 1=0 then markets.region else user() end
  4. apply filter on this column is equal to User_2
  5. Now add all your prompts to dashboard, but each prompt should in each section object of dashboard.
  6. For first section click on section properties, go to Guided Navigation...
  7. Browse Source Request as first report.. and keep If request returns rows selected.
  8. Repeat above step for another section.. but this time browse 2nd report.
  9. Just save dashboard.
  Check now..
  Hope you understood..
  Regards
  Kishore Guggilla
  Edited by: Kishore Guggilla on Feb 18, 2009 12:57 PM

• Authorization issue regarding Bex Query

  Hi All,
  User Requirement: When ever the user is executing the report in Design Studio, user can able to see all the company codes (summary data) in the main page of the dashboard. If user wants to drill down to a particular Comp code, then user should access only which are authorized. Ex: If the user Test4444 is executing the report, then he/she can able to see all the comp codes data in the main page of the dashboard. If the user wants to drill down further to see the comp code wise data, then he/she should not allowed to see except comp code-4444 or what and all authorized .
  Back ground work:
  I have a Bex query, which is using the Design Studio. In this query, "0COMP_CODE" is a char InfoObj and I have created a Auth variable on this InfoObj. There are 4 autho objects created based on this "0COMP_CODE". And also 4 Roles and 4 users have created.
  Each autho_Objet has assigned to that corresponding Role and that Role is assigned to that correspond User. Details are as follows.
  Autho_Objet
  Role
  UserID
  ZTEST_MAIN (which includes all - 23 compny codes)
  ZMain_Role
  All users have to access this role
  ZTEST_1111 (which includes only CC- 1111
  Z1111_Role
  Test1111
  ZTEST_2222 (Which Includes only CC - 2222)
  Z2222_Role
  Test2222
  ZTEST_3333 (Which Includes only CC - 3333)
  Z3333_Role
  Test3333
  ZTEST_4444 (Which Includes only CC - 4444)
  Z4444_Role
  Test4444
  To achieve this requirement, I have created 1 auth.object for all Comp.Codes and assigned to one main role and this role is assigned to all users. This looks fine and hopefully it will work.
      The problem is the next step of drill down to comp.code. Here I have created individual autho.object per Role per User and mapped accordingly. Unfortunately, user can able to access all the comp.codes data because of the main role assigned. I got stuck here in this second level restriction. Could some one can through a light how we can achieve this in authorization. It would be a great assistance if some one help here. I would be much appreciated and grateful to your assistance and inputs. Thank you in advance!
  BR
  Venkat...

  In the role ZTEST_MAIN,
  You need to remove all company codes as this is overriding the rest
  Then add aggregate authorization, ie "0COMP_CODE" = ":"
  This is a special authorization which grants authorization to see the summation of all the 0COMP_CODE without giving detailed authorization to any.
  The rest of your design is fine.
  You should then use RSECADMIN to check any authorization issue you have.

• Bex query structure authorization error when copying to Y name

  Hi Gurus,
  We are having a issue in BEX query. As per design, our IT team can copy Z queries to Y queries and modify/create Y queries in production but they cannot update/change Z queries.
  One of the Z query is having structure and BW IT team is trying to copy that query to Y namespace but they can't edit the structure/key figures within that new Y query. . We created a ‘Y Structure’ within a ‘Y Query’ but still cannot edit/modify that Y-Structure. S_RS_COMP and S_RS_COMP1 has full access restricted by Y* in reporting component field.
  Can anyone please help how should we proceed ?
  PS: We don't have problem with other queries which don't have structures.
  Regards,
  Salman

  HI Salman,
  Looks like the structure is globally defined and thats the reason why the team is not able to edit it
  Thanks
  Abhishek Shanbhogue

• Error  in opening  Query  in Bex Query Designer

  Hi all,
  I am getting an error while opening the InfoProvider for a new Query in the Bex Query Designer.
  program error in class SAPMSSY1 method : Uncaught_exception.
  ASystem error in program CL_RSR and form GET_COB_PRO-02
  In RSRT:
  00000003      I>> Row: 78 Inc: LRRMSU13 Prog: SAPLRRMS
  00000003      ASystem error in program CL_RSR and form GET_COB_PRO-02- (see long text).
  With Regards

  Hi Raju,
  Check for the authorization
  Auth object : S_RS_ICUBE , S_RS_MPRO,S_RS_ISET
  Infocube subobject -> aggregate ,data ,definition.
  Auth object S_RS_COMP
  Activity                       01, 03, 16, 22  
  And let us know ...
  Hope that helps.
  Regards
  Mr Kapadia

• Can not create Webi report on a Universe based on Bex Query

  Hi,
  We are using BO XI 3.1 (FP 3.4) with SAP integration Kit (same Patch Level) with SAP Authentication. We have a Universe based on a bex query and its connection is set to use SSO.
  We have say two SAP users U1 & U2. Now "U1" is able to create webi reports but when we Logged in as "U2" and try to create Webi reports or try to refresh reports created by U1 it through an error ...
  The database error text is: (CS) "Error on NumResultCols" . (WIS 10901).....
  As per the "Authorization" section in BusinessObjects XI Integration for SAP Solution Installation Guide we have provided this users with all the mention autherizations.
  Any words over this will be highly appreciated.
  Regards,

  It is highly probable that this is due to missing authorizations on the SAP BW side (not talking about the authroizations which are directly related to the BO/BW integration). I would recommend to ask your SAP Basis team to do a security trace while you are accessing the reports with the user, who gets the error. THey should look for failing authorization checks.
  Regards,
  Stratos

• Steps to create a Universe based on Bex query

  HI Gurus,
  I am (first time ofcourse) creating a Universe based on a Bex Query. I searched on SDN to find steps to craete a universe on top of Bex query and found a document written by tej Trivedi and found other threads also which explains all the steps.
  I understood from his document that in case of OLAP Universes the Structure pan would be empty. And I will not see joins etc..Is that true?
  How can I make sure that I will see data?
  Regards

  Hi,
  I believe this is a cross post from here Re: BEX Query Objects dont show in Universe  ?
  So i will put my answer again:
  Hi,
  If you can select your BEx query,  but the 'universe outline' in the webi query panel stays blank (i.e no available objects in the webi query panel)  then you don't have enough rights (authorizations) on the BW -side.
  to prove it, try using a sap_all profile in the universe connection .
  regards,
  H
  p.s. there is a large section on the required authorizations in the Admin guide.  Also a note covers it :  Note      1585948 - No objects are visible in the query panel when creating a report using Interactive Analysis or BI Launchpad

• Authorisation in Business Objects Explorer Infospaces created on BEx query

  Hello,
  We have installed Business Objects Explorer, created Universe on BEx query and created a Explorer Infospace on that universe. everything works fine but the authorisations created for the user in BEx query are not taken into consideration when I login using SAP username "leveraging" SSO.
  Is Explorer not designed to consider authorisations in BEX query?
  Whats happening during Indexing of an Infospace? Will the system save the data in Business Objects repository from the source of the data?
  Thanks in advance.
  /Suman

  Hi Suman,
  You are right , Explorer is not designed to leverage Authorisations in SAP BW.
  Polestar is indexing data and keeping it out side of BW.  Although you can log in with SSO , it doesn't check the authorization according to BW, it shows everything indexed.
  You can have a workaround if the case is simple such as;
  Suppose you have 3 region , you can create 3 infospaces and give these authorizations to users from CMC.
  But if you really want to use all features of authorization in BW , it is impossible for now.
  Regards,
  Ozan Eroglu

• Query authorizations

  Hi Experts/Fellow SDNers,
  I am currently restricting a BW system and have a few questions/would like some confirmation on a few points to make sure I am understanding things correctly.  My understanding of BW is limited so kindly bare with me:
  1.  Basically, it would appear that query access is restricted by the object S_RS_COMP.  In S_RS_COMP, the field RSZCOMPID (Name) allows me to restrict access to queries by name (i.e. Z* will provide access to all queries with name starting with 'Z').  One thing that is confusing me is the 2 additional fields:  RSINFOAREA (InfoArea) and RSINFOCUBE (InfoCube).  My colleague advised, a BW query basically pulls information from an InfoProvider (such as an InfoCube/ODS Object).  So, does this mean that even if I allow access to a query by name through RSZCOMPID, if the InfoCube it requires is not included in the RSINFOCUBE field, then the query will fail?
  2.  I need help in understanding the differences between S_RS_COMP and S_RS_COMP1.  From what I can see, they are very similar.  Documentation I have read advises that S_RS_COMP1 allows users to administer certain queries but besides the RSZOWNER (Owner - Person Responsible) field, I don't see what else it offers over S_RS_COMP.  If I don't need to restrict by Owner, then I have no need for S_RS_COMP1?  Would it make sense for the fields in S_RS_COMP and S_RS_COMP1 to always match (i.e. same values in ACTV, RSZCOMPID, and RSZCOMPTP)?
  3.  Before, it was my (mistaken) understanding that a query that is published to a role (i.e. exists in a role's role menu) automatically granted the user who was assigned to this role access to that query.  I performed a quick test and this seemed not to be the case.  I gave the user roles that granted access to queries Z*, but non of the roles had any queries published.  I logged in through BEx and sure enough, I could manually type/find the query name and execute the query even though it was not under the Roles list.  Therefore, other than making the name of the query appear when you click on the Roles button in BEx, are there any other uses to publishing a query to a certain role?
  As always, any help is greatly appreciated!

  Are you on BI or old BW, because in BI you also have Analysis Authorization objects which also play a vital role in deciding what can be accesses and what can't be
  >
  Benjamin Seto wrote:
  >
  > 1.  Basically, it would appear that query access is restricted by the object S_RS_COMP.  In S_RS_COMP, the field RSZCOMPID (Name) allows me to restrict access to queries by name (i.e. Z* will provide access to all queries with name starting with 'Z').  One thing that is confusing me is the 2 additional fields:  RSINFOAREA (InfoArea) and RSINFOCUBE (InfoCube).  My colleague advised, a BW query basically pulls information from an InfoProvider (such as an InfoCube/ODS Object).  So, does this mean that even if I allow access to a query by name through RSZCOMPID, if the InfoCube it requires is not included in the RSINFOCUBE field, then the query will fail?
  >
  Yes, you are right with that. You need to have access to data ( infoproviders) even though you have the queries access. Just like if you have access in SAP to do things and don't have access to the computer itself
  >
  > 2.  I need help in understanding the differences between S_RS_COMP and S_RS_COMP1.  From what I can see, they are very similar.  Documentation I have read advises that S_RS_COMP1 allows users to administer certain queries but besides the RSZOWNER (Owner - Person Responsible) field, I don't see what else it offers over S_RS_COMP.  If I don't need to restrict by Owner, then I have no need for S_RS_COMP1?  Would it make sense for the fields in S_RS_COMP and S_RS_COMP1 to always match (i.e. same values in ACTV, RSZCOMPID, and RSZCOMPTP)?
  >
  If you are not going to restrict by owner then it makes sense to exclude this Authorization Object in the roles.
  > 3.  Before, it was my (mistaken) understanding that a query that is published to a role (i.e. exists in a role's role menu) automatically granted the user who was assigned to this role access to that query.  I performed a quick test and this seemed not to be the case.  I gave the user roles that granted access to queries Z*, but non of the roles had any queries published.  I logged in through BEx and sure enough, I could manually type/find the query name and execute the query even though it was not under the Roles list.  Therefore, other than making the name of the query appear when you click on the Roles button in BEx, are there any other uses to publishing a query to a certain role?
  >
  You need to save queries on the role, then only they will appear to the user. You can use BEx Query designer to create and save queries on the role. They will appear in the role menu in PFCG also.
  We have created a separate reporting role which only has the link to queries.
  HAPPY NEW YEAR
  Cheers !!
  Zaheer

• Crystal reports 2013 , SAP MDX Driver not able to connect with BW BEX Query

  Hi All,
  We just installed Crystal 2013, and want to create crystal report on SAP BW CUBE/BEX Query through SAP MDX Driver.
  1.When start connecting through SAP MDX Query option from new connection , SAP Systems which are in SAPLOGON are not appearing in initial screen. where as from OLAP Connection we are able to connect to SAP BEX Query.
  2.Even from SAP Tool kit we are not able to connect to BEX query, we are getting ERROR MESSAGE.
  and we are using SAP BI BO PLATFORM 4.1 sp01 .
  Please suggest me , if I am missing any configuration settings.
  Regards,
  Joseph

  Hi Joseph,
  Before you start building the report, make sure the right transports have been loaded on the SAP System. The right Transport files are the ones found inside the installation zip you download from SAP's server. They're under the "Collaterals\Add-Ons\SAP\Transports" folder.
  For more info on Transports, authorizations etc, please have your BASIS admin go through this wiki:
  Crystal Reports 2008 and BW - Installation and Configuration - Business Intelligence (BusinessObjects) - SCN Wiki
  To resolve your first issue, please follow the steps from this thread:
  Problems with SAPLogon.ini for SAP GUI and Crystal 2011
  P.S: Crystal Reports for Enterprise 4.1 does a better job at handling BEx queries that the CR 2013 designer. It directly connects to BEx queries via the BICS connectivity driver and doesn't need the Transports to be there on the SAP System. You might want to give this flavour of CR a try too.
  -Abhilash

• Optional BEx query variables not working in WebI

  Hi,
  I have an Webi report based on Bex Query using BICS connection.
  One characteristic is restricted with two variables. First an authorization variable and additional with an input ready variable.
  This input ready variable is optional. When it comes up in webi and you choose a value it doesn't filter on it.
  We are on BO 4.1. SP3 and BW 7.31.
  With SAP_ALL the optional prompt is working, but for a user with limited access, the optional variable doesn't work.
  I have already made a RSRT trace with a test user. But I'm not sure what's the problem.
  Trace returned:
  S_RS_AUTH  RC=4 -->  BIAUTH=0BI_ALL; type=RF;name=BICS_PROV_OPEN;
  But I don't want to give the user 0BI_ALL, otherwise my analysis authorizations for this info object would be obsolete.
  Any ideas?
  Thx and Regards,
  Katharina

  Hi Neetika,
  thank you for your advice!
  I tried the filter without authorziation variable and it was working.
  I in addition I tried another option: I defined auth variable as input ready and deleted filter variable and that would work working.
  With this setting I recognized that for the authorization variable all allowed values are set as default values! If you execute query with SAP_ALL no default is set, but with limited access the allowed values are set as default.
  This may be the problem here. I don't know if this behaviour is by design or if there is a problem with rights?
  But now I know where the problem comes from.
  Regards,
  Katharina

• BI 7 Bex Query - User exit variables after variable screen re-processed

  User exit variables are not re-calculated after the variable screen is called up to re-run report with a new selection.  Is there some way to force the user exit variables to change?   I am aware of note 1064273 but this doesn't seem to help in these circumstances.
  Example:
  My Bex Query uses OI_FYPER for a static characteristic selection and  I have defined a customer exit formula variable which uses the values in OI_FYPER.
  All works fine when the query is run first time but if the user calls up the variable screen to change the selection and re-run the query, the customer exit formula variable is not re-calculated (customer exit is called but only with ISTEP = 3).
  Software version is NS2004S (BI 7.0)  SPS10, BI ABAP SP11, BI JAVA SP10, BI Front End Package 1401 rel 354.

  hi.. i just came to know about this in another thread..
  I_STEP 3 does not have I_VNAM stored. So, to access values at I_STEP3 :
  data: l_range TYPE RRS0_S_VAR_RANGE.
  if I_STEP = '3'.
  read table I_T_VAR_RANGE into L_RANGE with key VNAM = 'OI_FYPER'
  if SY-SUBRC = 0.
  ...code as required...
  endif.
  endif.
  Customer-Exit for analysis Authorizations: i_step = 3, i_vnam is empty