BI Analysis Auth

Hello all,
I want to know when creating ROLES for BI reporting uses, must we ALWAYS have to have S_RS_COMP object and S_RS_AUTH object too?

Hi there,
S_RS_COMP and S_RS_COMP1 are a must so a user can indeed execute any report, so those two objects are mandatory in the roles for accessing reporting functionalities.
For the object S_RS_AUTH, you have to have it for granting access to key figures, activity (read/write of the InfoProvider) and if you have objects marked as authorization relevant in the tab Business Explorer of transaction RSD1 that exist in the InfoProvider where the query is built, you also have to grant access to those objects in the S_RS_AUTH authorization object of RSECADMIN.
Diogo.

Similar Messages

  • Analysis auth issue

    Hi,
    We have a scenario where we have 2 user IDs:
    X
    Y
    We have a report R1 which has values for an infoobject IO as 1,2,3,4,5
    Now User X is restricted to see only data for values 1,2,3 and Y is restricted for 4,5
    We have created Analysis auth object and assigned it to users. Then we added an auth variable in the report which will restrict data as per user authorization.
    Now the issue is that when we execute the report for User X, only the value 1 is displayed and data for 2 and 3 is not showing up in spite of data being available in the underlying InfoProvider.
    Same is the case with User Y, where the data is only visible for 4.
    What can be the issue?

    Hi Debanshu,
    Though I could not understand the exact issue, I would rather suggest you check the authorizations checked while executing the report in transaction RSECADMIN. In the transaction, go to Analysis tab -> Log Administration. There, in Configure Log Recording, provide the user ID for which you want to test the authorizations and save it.
    When that particular user runs the report, you will be able to see the logs for it using the "Authorization Logs" screen. This log will have detailed information regarding the entire authorization trace for that user for that report.
    Regards,
    Pratap Sone

  • Creation of Analysis Auth from SU21

    Hi All,
    I gave a try to one auth. Just wanted anyone of you to clarify this.
    I created one customised object from SU21, and created the fields which we have used in the Analysis Auth (rsecadmin), like Compcode, salesorg, co area, etc.
    I have entered the field values and generated. Now I included this in a role for a reporting user which contains the objects s_rs_comp and s_rs_comp1, for which Comp1 is given full *.
    Now the test user is able to create the queries based on the restrictions assigned, like company code. But he is not able to execute his own query, where he was given full access. SU53 shows that he doesn't have the access to Execute in S_rs_comp1, where I have maintained * for that.
    Does this mean that the Characteristics for Analysis Auth will not work if assigned through the objects created from SU21, or do I need to do something more?
    Can anybody help please.
    Thanks for the help.
    Regards,
    Venkat

    Hi JC,
    The idea given by you is good. I tried it. But it's not working securely.
    I created one analysis auth for all common characteristics, and various for different company codes and controlling areas,
    like grouped the following as one:
    Company Code, Controlling Area, Key figures.
    I assigned a user a role like this. Take for example ODS A and B, Comp Codes CC1 and CC2, Controlling areas CA1 and CA2.
    Assigned the Reporting roles like this, where
    1) ODS A > CC1 (CA ) (KF)
    2) ODS B > CA2 (CC) (KF)
    When checked, the user is able to see all the controlling areas on ODS B, where I gave him only CA2.
    That is the problem.

  • ':' in SQL Format causes analysis auth failure

    Hi,
    When running a SEM-BPS planning folder it fails due to analysis authorisation errors. On doing a trace it fails as the SQL Format has PLANT = ':' and SALESORG = ':'. These values are not within the analysis auths set-up.
    Talking to the SEM-BPS person here they don't know how those got into the query.
    Any ideas how we can get round this?
    Thanks,
    Nick.

    hello,
    Is Oracle showing any errors in user_scheduler_job_run_details for this job? I would advise inserting some debug statements to identify where exactly it's stuck. Also please check sample configuration syntax for user_scheduler_jobs.
    Cheers
    Sush

  • Analysis auth obj assigment

    Hi
    I have created one auth obj in rsecadmin. How can I assign the auth obj to a user? My answer is 1) direct assignment 2) through roles.
    For example, the created analysis auth obj is: ztest_1
    It has the info obj 0customer, and I entered two values (values: A & B) in the detail tab.
    In the role tab, where do I have to find the created analysis auth obj to assign values, like below?
    Now I would like to assign this auth obj to user1 through a role only for the customer value A.
    For user2 I have to restrict to value B.
    In direct assignment the path will be: user > assign > specify the user name (user A) > give the created analysis auth obj (ztest_1) > select insert.
    This is the process... right?
    Now I would like to assign only one value (value A for the user A). How is it possible in direct assignment?
    Otherwise, do I have to create different analysis auth objs (ztest_1... etc.) for different values (A & B) for a particular info obj (customer)?
    Thanks
    B.K
    Edited by: B.K on Jul 15, 2008 12:44 PM

    Hello B.K.,
    When you create an authorization ztest_1 with 0customer with values A & B, this will always have the two values for the customer just like it was before with the old authorization method.
    So no matter what way you assign this authorization to the user it will always have the two values!
    To separate (filter) only one value (A or B) you have to create two different authorizations, one for customer A and one for customer B.
    To assign, the direct assignment is just like you referred.
    To assign with the roles, go to the desired role in PFCG, enter change mode, go to the Authorizations tab and click on change authorization data (pencil button).
    Inside there, click on manual insert objects (something like this) and insert the object name S_RS_AUTH.
    You'll have a yellow sign.
    Expand that tree where the yellow sign is and click on the pencil button in front of the last yellow sign of the tree.
    In "Value from" in that next window insert the name of the authorization (in your example ztest_1).
    Generate your role.
    Now if you assign that role to the user "user1" in transaction su01.
    If ztest_1 has the values A & B for customer then user1 will have both values. If you separate the two authorizations let's say ztest_1A and ztest_1B with respectively the values A and B separate for the 0customer object.
    You could assign in the role the value ztest_1A in S_RS_AUTH values, and assign that role to the user "user1" in su01, and you could direct assign (just like you referred before) to the user2 the authorization object ztest_1B.
    Therefore you'll have user1 with the value A and user2 with the value B.
    Please assign points,
    Diogo.

  • BI Role with Analysis Auth Object

    Hi
    How can I use an Authorisation Object created in RSECADMIN with the whole list of InfoProviders in S_RS_COMP and S_RS_COMP1,
    so that the user can perform the mentioned actions on the data providers mentioned in the analysis authorization object?
    I need one place to list all the data targets the user can access instead of maintaining them in S_RS_COMP and S_RS_COMP1 and in the Analysis Authorization object.
    Thanks in advance

    Thanks everybody for giving suggestions; I really appreciate all your efforts.
    I followed the step-by-step book of kamaljeet and found out that I was missing the related info objects of the InfoProvider. I added those info objects to the auth analysis object.
    Now the query is working fine without errors;
    the problem is I am not able to restrict the query since it is showing all the data; I am trying to put only a few values in "0wbs_elemt".
    I added 0wbs_elemt in my analysis auth object;
    clicked on 0wbs_elemt and kept values in value authorizations and also kept wbsh in hierarchy name, selected type 1, HI 0.
    Still I am unable to restrict the data;
    Functional consultants built the WBSE setup on a hierarchy, like
    18ICT-07/2011
          18ICT-07/2011-1
                18ICT-07/2011-1-AUDTM
                      18ICT-07/2011-1-AUDTM-01
                18ICT-07/2011-1-CETX_
                      18ICT-07/2011-1-CETX_-01
    They want to restrict like this: if we are giving 181ct-07 then they want to access everything under it;
    same way for 181ct-08 etc.
    Looks like they want to restrict the date at a very granular level, like a restriction on "Attribute Navigation".
    Can anybody please let me know how we can achieve Navigation Restriction?
    Thanks.

  • BI Analysis Auth Error

    Hi, I have two analysis auths
    1)
    0TCAACTVT        02 03
    0TCAIPROV          X
    0TCAKYFNM       *
    0TCAVALID          *
    ZOBJ1                    A
    ZOBJ2                     B
    ZOBJ3                 1
    2)
    0TCAACTVT        02 03
    0TCAIPROV          X
    0TCAKYFNM       *
    0TCAVALID          *
    ZOBJ1                    *
    ZOBJ2                     *
    ZOBJ3                 2
    Both Auths will go together to same user.
    I want to restrict access to A and B for  ZOBJ1 & ZOBJ2 for value 1 (ZOBJ3)
    but I want to give * access for ZOBJ1 & ZOBJ2 for value 2.
    When I assign both auths, the user gets * access for ZOBJ1 & ZOBJ2 for 1 also.
    Is there any way I can limit this access.

    Closing so that I can post a new question

  • Analysis Auth issue - multiple objects

    Currently we have different roles defined for each separate section of our business with Comp code and Profit center (along with Hierarchy on PC).
    For e.g.
    Section 1
              Company Code – 1010,1050,1500,1520,1700,1800
              Profit Center – 150000 – 159999 and Profit Center hierarchy – ZPROFIT_CTR_GROUP/99991231/G_15
    Section 2
              Company Code – 1110,1150,1500,1520,1700,1800,1980,2050
              Profit Center – 190000 – 199999 and Profit Center hierarchy – ZPROFIT_CTR_GROUP/99991231/G_19
    Currently there are 30 such roles defined; we have quite a segregation within the business. So each BW user generally has one of the 30 roles assigned to them. This is working perfectly fine.
    Now because of the consolidations, there are some users who would manage information from different sections. So now a user can have access to Section 1 as well as Section 2. Whenever we tried giving access to 2 roles directly to any user, the results of the query come back as "No Authorization".
    If you notice in the difference between section 1 and 2 is additional company code and some matching company codes along with that is complete different Profit center range and profit center hierarchy node. I am not sure where exactly it is failing.
    Now one more thing for your information is that we have defined Auth variables on Company code (input/Auth/multiple Values) and Profit Center (Input/Authorization/Selection) and Profit Center hierarchy (hierarchy node variable / Authorization)
    I am just trying to understand where the No Auth error msg is coming. Is there some intersection which is killing the query result itself?
    Please let me know if any of you have any suggestion.

    A common problem when authorizing using two different Characteristics is how the authorization variables are filled.
    If a user has access to both section 1 and section 2, an authorization variable for Company Code will contain the values
    1010,1050,1500,1520,1700,1800, 1110,1150,1980,2050
    and the authorization variable for Profit Centre will contain
    150000 – 159999 and 190000 – 199999
    If the user doesn't restrict the query further, the system will issue a correct authorization error since the user is not authorized for the selection CC=2050 PC=150000 and all the other "cross-combinations".
    Try creating variants of the selection screen for section 1 and section 2 respectively and force the user to select one of these when executing the query.
    Regards,
    Lars

  • BI analysis auths and traces don't work after client copy

    Hello,
    We recently moved our BI Development to a new server.  Now, the analysis authorizations I created and assigned to the S_RS_AUTH object are no longer working.  And, the 'Execute as User' feature in rsecadmin transaction to trace a user is no longer working.
    Do I need to regenerate something or reconfigure something?
    I inherited this system and was not the original person to set up BI authorizations and traces so I do not know what steps may need to be repeated after a client copy.
    Thanks, in advance, for any advice.

    Thank you Juilius.
    It was actually our Developer who made changes to the reports I was testing and really didn't have anything to do with the client copy.
    However, the trace functionality was weird.  I had to change a parameter on my user id to get it to work.  So, actually, the client copy did change that setting.
    Thanks much.
    Penny

  • Crystal Report Enterprise 4.0 reports on SAP BW 7.1 Qry with Analysis Auth.

    hello everyone,
    We have created a Crystal report using CR Enterprise 4.0 using a connection published (SSO enabled) in the BOE repository on a SAP BW 7.0 EHP1 SP6 query. The underlying query has Analysis Authorization in place and variables are processed by authorization. We have also enabled SSO between BOE and BW server.
    But when we execute the report in BI Launch Pad, we get the following error:
    The viewer could not process the event.Failed to execute the query: '<java.lang.UnsupportedOperationException: NO SelectionStateSupport! V8>' .Redesign your query or contact your data source maintainer to solve the problem [JRC00005372]
    Error Code: 0 [CRWEB00000119]
    'V8' is the technical name of the variable on the characteristic with authorization processing.
    *We have given the rights of the connection to the users.
    *We get the same error whether we log in using BOE Authentication or SAP Authentication.
    *Web Intelligence reports on a similar query are working properly in the above mentioned scenario.
    thanks and regards
    Sushant Jain

    Hi Don,
    Thanks for your reply.
    This is regarding CR Enterprise 4.0.
    We have not re-imported the BI 4.0 transport files in our BW server, instead the older ones (of XI 3.1) are residing on BW server. But if I'm right then I think transports are relevant only while working with CR Designer 2008/2011 and not with CR Enterprise.
    Hi Ingo,
    Thanks for your reply.
    -Yes, query is working perfectly fine in RSRT showing the data as per the respective User Authorizations on respective InfoObjects' values.
    -Yes, the InfoObjects are restricted by means of a Variable (with 'Authorization' Processing type, 'Variable ready for input' unchecked, 'Optional' Variable) and are put in the Characteristic Restriction area.
    Regards,
    Sushant

  • BW Analysis Auth change history

    Hello all,
    Is there a table or report that shows the change history on a BW Analysis Authorization?
    Thanks,
    Tom

    Hi,
    You may need to create a table join by using transaction SQVI. The tables need to be joined are RSECVAL_CL, RSECAUTHTRUSER and RSECLOG_CL. Foreign Key should be like below:
    Field BNAME for RSECAUTHTRUSER and RSECLOG_CL.
    Field SESSIONID for RSECLOG_CL and RSECVAL_CL.
    regards,
    Dipanjan

  • Analysis Authorization Issue

    Hi:
    I created an analysis authorization ZCO_CODE to restrict it by a company code.
    I added following objects in authorization with values.
    0COMP_CODE = 1000
    0TCAACTVT = 03
    0TCAIFAREA = *
    0TCAIPROV = *
    0TCAVALID = *
    Then I created a role Z:00:BW_REPORT, where I added following authorization objects S_RS_AUTH and restricted it by value ZCO_CODE. Then I assigned this role to a user test01.
    When I execute a program RSEC_MIGRATION for this specific user, I do not see authorization object ZCO_CODE on 2nd step of this program. Any Idea Why? I think this object should show up as I want to migrate this specific object.
    Help will be appreciated.

    Hi Sachin:
    Okay here is my issue.
    I have a Reporting authorization Object created earlier which is ZCOCODE. I thought I'd have to create a new Analysis authorization object, e.g. ZCO_CODE, and then restrict it with other chars. as mentioned in Marc Bernard's presentation, and then you have to migrate it.
    In selection list I can see old Reporting authorization object. If I select it and use option "Enhance existing profile" then It will update profile and not role? right....
    How can I see whether it has updated existing profile?????
    Do I need to create new Analysis Auth. for Company code or I can use old Reporting authorization for company code?
    For testing purpose, I created a test user and assigned all reporting roles but It will not show up in RSEC_MIGRATION step???

  • BW Analysis authorization issue... need help urgently....

    We have one BW query which is pulling data from the Contract Division info-object. Now this report does not have a variable selection object, so it is pulling data from all values of Contract Division. Values of Contract Division are CNC, CNS, CNE and CNL.
    Now we have created an analysis auth. object called z_es_3 and added the Contract Division info-object. Now we have added that z_es_3 into a role and given the value CNS. Now when we are running the report, we are getting a No Authorization error. When we are giving the * value in z_es_3, it is running fine.
    Now we have to restrict report to contract division. please help.
    Thanks in advance

    Are you running unrestricted search on Contract division in your queries? You should restrict it to value which is maintained in the authorization for the InfoObject.
    Also please run the analysis authorization trace from RSECADMIN. That will give you a clearer picture of what is wrong.

  • Analysis Authorization Migration Question

    This is detail Question
    1)     I am testing Analysis Authorization Migration in NW2004s SP9 and have applied all OSS notes that are relevant to SP09 and are coming in SP10.
    2)     We have 2 Info object flagged as Authorization relevant 0COMP_CODE and 0COSTCENTER
    3)     We have Object level security set-up in BW 3.x system and for a role we have specified values like 0COMP_CODE has value 1000, 1800. “:”. In the same role we have specified 0COSTCENTER value 130001 to 180001, “:”  and hierarchy node.
    4)     When we migrate to Analysis Authorizations, using RSEC_MIGRATION, this program creates 2 Authorizations ZCOCODE00 & ZCOSTCTRH00. Both of them have 0COMP_CODE and 0COST_CENTER Objects.
    5)     ZCOCODE00 authorization gets value 0COMP_CODE values 1000, 1800. “:” and 0COSTCENTER Value “:”.
    6)     On the same line ZCOSTCTRH00 gets value 130001 to 180001, “:”  and 0COMP_CODE “:”.
    1st Question:
    1)     Why does it create 2 Authorizations?
    2)     During Checking it does not pass the authorizations, because it seems to me that it fails in Optimization process.
    3)     I manually merge the authorizations in “ONE” object then authorization check passes.  In other word if I combine ZCOSTCTRH00 & ZCOCODE00 then Query authorization check passes.
    Any one is struggling on this.
    Please note, I am doing Migration so that it updates existing Profiles (Roles now from SP9).
    Any comments will be very helpful.
    Pankaj Gupta

    Hello Pankaj
    There are some basic misunderstandings on your side.
    Let me try to clarify:
    First we should distinguish between migration of authorizations and of what a query does with them.
    You had 2 auth objects before migration (in 3.x).
    Of course, they must be migrated to 2 new analysis auths.
    There is no general possibility to combine authorizations to a single one as they may appear in different roles and users. Moreover this would kill performance and finally, nobody would recognize the origin.
    Only in very restricted cases one could think of a combination of auths which come out of migration. But then people lose overview about what goes on.
    Before the corrections in note "Migration IV" the : had not been inserted but now it is for good reasons.
    Now, accept for the moment that you receive 2 auths.
    Then, you cannot (must not) combine the 2 resulting authorizations!
    Authorization 1
    COMP_CODE : 1000, 1300, “:”
    Cost Center : “:”
    Authorization 2
    Comp_Code “:”
    Cost Center : 3100001-31999999; “:” plus a Hierarchy Node.
    This means that e.g. combination
    COMP_CODE 1000
    COST_CENTER 3100001-31999999
    is not allowed!!! Therefore, they must not be combined!
    Also, the query and its optimization is completely independent of the migration. And here, during query run time the auths cannot be combined. It is no failure!
    Moreover, the merging optimization is just a performance optimization and has nothing to do with whether the query result is authorized or not.
    If you combine them manually you have authorized different combinations.
    Well, now you may wonder why you get 2 auths at all which leads to a "no auth" result in the query execution.
    The reason is, that in 3.x where you got a result with your 2 auth objects the modeling was wrong.
    If you want to authorize any combination of characteristic values, you should combine these characteristics together in one auth object, not in 2!
    (In BI7.0 it works like that but not in 3.x)
    But you defined 2 which may be valid even in several other InfoProviders independently and not even at the same time. Moreover, the auth objects may come from different roles and may be assigned to different users which then have completely different auth content. In general it is not possible to combine different auth objects or to find out those special situations which nevertheless allow for such optimizations. If you re-do a migration with more objects and users you could even receive different results which is also not satisfying.
    Therefore, instead, the mechanism was introduced to insert a : auth to those characteristics that are auth relevant (and checked now with 7.0) but not in the currently processed auth object.
    In your special case it may have made sense to combine them but not in general. And a migration can only try to work as general as possible.
    For your application you may combine the 2 auths manually if you want to allow also the crossover combinations
    COMP_CODE 1000
    COST_CENTER 3100001-31999999
    Best regards
    Peter John
    BI Development
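
The cross-combination effect described in Peter John's reply above and in Lars's reply in the "multiple objects" thread, as an added example that is not part of the original posts and is not SAP code: a simplified Python model in which each authorization is a product of per-characteristic value lists and a selection passes only if every combination is covered by a single authorization. The function names and the rule that a selected range must fit inside one allowed range are assumptions; hierarchy nodes are left out.

```python
from itertools import product

COLON = ":"   # aggregation authorization (characteristic not selected or drilled down)
STAR = "*"    # full authorization

def entry_within(entry, allowed):
    """True if one selected entry is admitted by one characteristic's allowed list.

    Entries are single values, inclusive (low, high) ranges, ":" or "*".
    Simplification: a selected range must fit inside one allowed range.
    """
    for a in allowed:
        if a == STAR:
            return True
        if a == COLON or entry == COLON:
            if a == entry:
                return True
            continue
        lo, hi = entry if isinstance(entry, tuple) else (entry, entry)
        alo, ahi = a if isinstance(a, tuple) else (a, a)
        if alo <= lo and hi <= ahi:
            return True
    return False

def unauthorized_cells(selection, auths):
    """Return every combination in the selection that no single authorization covers.

    All-or-nothing: a non-empty result stands for a "No Authorization" query result.
    """
    chars = list(selection)
    missing = []
    for cell in product(*(selection[c] for c in chars)):
        if not any(all(entry_within(v, auth.get(c, [])) for c, v in zip(chars, cell))
                   for auth in auths):
            missing.append(cell)
    return missing

def variable_selection(auths):
    """Selection produced by authorization variables: per characteristic, the
    union of everything the user holds across all assigned authorizations."""
    sel = {}
    for auth in auths:
        for char, entries in auth.items():
            bucket = sel.setdefault(char, [])
            for e in entries:
                if e not in bucket:
                    bucket.append(e)
    return sel

# Values from the "multiple objects" thread (hierarchy nodes left out).
SECTION_1 = {"COMP_CODE": [1010, 1050, 1500, 1520, 1700, 1800],
             "PROFIT_CTR": [(150000, 159999)]}
SECTION_2 = {"COMP_CODE": [1110, 1150, 1500, 1520, 1700, 1800, 1980, 2050],
             "PROFIT_CTR": [(190000, 199999)]}

# Values from Peter John's reply (hierarchy node left out).
AUTH_1 = {"COMP_CODE": [1000, 1300, COLON], "COSTCENTER": [COLON]}
AUTH_2 = {"COMP_CODE": [COLON], "COSTCENTER": [(3100001, 31999999), COLON]}
MERGED = {"COMP_CODE": [1000, 1300, COLON],
          "COSTCENTER": [(3100001, 31999999), COLON]}
CROSSOVER = {"COMP_CODE": [1000], "COSTCENTER": [(3100001, 31999999)]}

if __name__ == "__main__":
    both = [SECTION_1, SECTION_2]
    print(unauthorized_cells(variable_selection(both), both))  # cross-combinations
    print(unauthorized_cells(SECTION_1, both))                 # Section 1 variant
    print(unauthorized_cells(CROSSOVER, [AUTH_1, AUTH_2]))     # two separate auths
    print(unauthorized_cells(CROSSOVER, [MERGED]))             # after manual merge
```

Merging widens access: MERGED authorizes the crossover combination that AUTH_1 and AUTH_2 together do not, which is why the migration keeps them separate.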

  • Analysis Authorization and relates issue

    Hello all,
    I am in the midst of designing authorizations using RSECADMIN transaction.
    We have a set of 50 different queries.
    In our cube, there are 5 different characteristics which are authorization relevant.
    So, in RSECADMIN, I have created one analysis auth role, included all special and authorization relevant characteristics and maintained the appropriate values.
    But when I execute the queries, the desired output is not coming.
    - Do I need to create authorization variables and include them in all my queries?
    - Without including the auth. variables in queries, is there any other way to restrict the users?
    I thought, by assigning the parameters in RSECADMIN, the query would automatically filter the data.
    Can you pls help ?
    We are on SP19.

    Hi,
    First of all, The query is always based on a InfoCube. Now, you have 50 different Queries which is based on this InfoCube if I am not wrong as you are not getting any authorization error.
    For a query to run, the user should have access to 1. Query, 2. Infocube and 3. Data(All Auth Relevant + 4 Special Objects)
    Authorization relevant objects are for an InfoCube which means that these objects are important or key fields for the infocube.
    You say that in your case, you have 5 Auth relevant objects which means they are important. But please note that there are more infoObjects in that InfoCube.
    Now, when you go to the query design, you can restrict on any object in the InfoCube but it makes more sense that you do it on one of those authorization relevant objects as you have to specify that in the Analysis Authorization where the system can pick up the data easily and give the output.
    Again, on the query design, if you have designed the query with processing type "Authorization", then it would automatically pick up (What you mentioned as automatic filtering) the value from the Analysis Authorization which is contained in the user's role for that query which otherwise gives a wide variety of options to chose from where the user has to choose the correct one.
    To get the desired output, all the correct variables should be included in the query and user should have access to all the three mentioned above.
    Maybe this gives a clear picture.
    Regards,
    Prasanna
    Edited by: Prasanna Nagaraja on Sep 11, 2009 11:40 PM
