BI Role with Analysis Auth Object

Similar Messages

• SoD Analysis , tables to relate roles, transactions and auth objects

  Hi everyone,
  I am analyzing my company SAP roles in terms of segregation of duties, however I having a problem.
  I need a table/report to give me for each role, every transactions and for each transaction in the role every authorization objects.
  For example I want to know for Role B that have transaction C which have the follow authorization object D with values X and Y.
  Therefore I want to know for each role and respective transactions which are only display or/and execute or/and editable. How can I do that?
  Thanks!

  Hi,
  There is no default report/table which gives you the required information. However, you can achieve this by using SQVI. Join the tables, and create a tcode for the same. Refer the below link:
  Re: SAP Query in SQVI transaction
  Alternatively, you can download all the data into spreadsheet and create Pivots to plot the information.
  The other alternative is to have a custom program built which takes the information from AGR_DEFINE, AGR_AGRS, AGR_1251, AGR_1252, AGR_TCODE tables.
  Hope this helps!!
  Regards,
  Raghu

• Crystal Report Enterprise 4.0 reports on SAP BW 7.1 Qry with Analysis Auth.

  hello everyone,
  We have created a crystal report using CR Enterprise 4.0 using a connection published (SSO enabled) in BOE repoitory on a SAP BW 7.0 EHP1 SP6 query. The underlying query has Analysis Authorization at place and variables are processed by authorization. We have also enabled SSO between BOE and BW server.
  But when execute the report in BI Launch Pad, we get the following error
  {bold} The viewer could not process the event.Failed to execute the query: '<java.lang.UnsupportedOperationException: NO SelectionStateSupport! V8>' .Redesign your query or contact your data source maintainer to solve the problem [JRC00005372]
  Error Code: 0 [CRWEB00000119] {bold} 
  'V8' is technical name of variable on characterstic with authorization processing.
  *We have given the rights of the connection to the users.
  *We get the same error either we login using BOE Authentication or SAP Authentication.
  *Web Intelligence reports on simillar query are working properly in the above mentioned scenario.
  thanks and regards
  Sushant Jain

  Hi Don,
  Thanks for your reply.
  This is regarding CR Enterprise 4.0.
  We have not re-imported the BI 4.0 transport files in our BW server, instead the older ones (of XI 3.1) are residing on BW server. But if I'm right then I think transports are relevant only while working with CR Designer 2008/2011 and not with CR Enterprise.
  Hi Ingo,
  Thanks for your reply.
  -Yes, query is working perfectly fine in RSRT showing the data as per the respective User Authorizations on respective InfoObjects' values.
  -Yes, the InfoObjects are restrcied by the means of Variabvle (with 'Authorization' Processing type, 'Varaible ready for input' unchecked, 'Optional' Variable) and are put in Characteristic Restriction area.
  Regards,
  Sushant

• PFCG, two roles with the same object but different values

  Hi, Can you help me?
  I need to know if it's possible have two roles like this:
  role A - Object werks = L001 and LIKP-LFART = LF
  role B - Object werks = L005 and LIKP-LFART = ZLF
  If the some user have role A and role B it's possible that he doesn't have authorization for werks = L005 and LIKP-LFART LF?
  Thanks
  Dora

  I guess you made fat figure on the words: "it's possible that he doesn't have authorization for werks = L005 and LIKP-LFART ZLF", right?
  If so, it is impossible.
  When SAP doing the authorization check, it call the function "authority_check", input the Object, the filed and the value to check.
  if some one have role A and B, SAP will check authority both in Role A and Role B.
  What you need to do should be separating the Object into a subrole and assign it separately.
  >
  Jorge Sousa wrote:
  > Hi, Can you help me?
  > I need to know if it's possible have two roles like this:
  > role A - Object werks = L001 and LIKP-LFART = LF
  > role B - Object werks = L005 and LIKP-LFART = ZLF
  > If the some user have role A and role B it's possible that he doesn't have authorization for werks = L005 and LIKP-LFART LF?
  >
  > Thanks
  >
  > Dora

• Role without Tcode but with customized "Z" Object only

  Hi all,
  Please help my querry is that with a Single Role as while seeing that role in PFCG in Menu Tab no Tcode is assigned and in the Authoriztion Tab -> change authorization tab just a single(one) Z auth object is maintained with Display actvt and i am not able to understand how this is going how the user are able to access the the Role without TCODE assigned but with just a Z authobject. please tell How this is going and working .
  Your help will be greatly appreciated and pleas tell how this Z auth object are created.
  Thanks,
  Chandresh.

  >
  > You need to provide more infos (from the system) and just asking on site is a good idea (as mentioned by Alex).
  >
  > Cheers,
  > Julius
  I agree that asking onsite could give more insight into the Z-Object usage. I can explain the probable reason of having the Z-Object as a stand alone authorization
  In a role inheritance scenario, when you have roles with 100+ transactions (role A, B,C, .......) which act as the master roles and the derived roles being A1,A2,A3...... depending on the number of inherited roles you have in the set-up, authorization objects like customer authorization group or vendor authorization group can be a tough task (as these are not called in the organization level values) - in this situation as the authorization groups would have to maintained individually in the inherited roles and can be a time consuming task with the additional risk of passing down the values of the master role every time it is generated and inherited - a better option could be to maintain a non-existent value in the master role , inherit it so the non-existent value is passed down to the inherited roles. To give access on the specific authorization groups , create a role with only the object F_KNA1_BED or F_BKPF_BED as might be the case and maintain organization specific values in these object and assign it to the users who need it
  My guess would be that the Z-object the operator mentions is something that is developed to address such an issue

• Analysis auth issue

  Hi,
  We have a scenario where we have 2 user IDs:
  X
  Y
  We have a report R1 which has values for an infoobject IO as 1,2,3,4,5
  Now User X is restricted to see only data for values 1,2,3 and Y is restricted for 4,5
  We have created Analysis auth object and assigned it to users. Then we added an auth variable in the report which will restrict data as per user authorization.
  Now the issue is that when we execute the report for User X, only values for 1 is displaying and data for 2 and 3 are not showing up inspite of data being avalable in the underlying Infoprovider.
  Same is the case with User Y where the data is only visible or 4.
  What can be the issue?

  Hi Debanshu,
  Though I could not understand the exact issue, I would rather suggest you to check the authorizations checked while executing the report in Transaction RSECADMIN. In the Transaction goto Analysis tab ->Log Administration. there in the Configure Log recording provide the userid for which you want to test the authorizations And save it.
  When that perticular user runs the report will will be able to see the logs for it using the option "Authorization Logs" screen. And this log will have a detailed information regarding the entire authorization trace for that user for that report.
  Regards,
  Pratap Sone

• How can I limit/control the addition of auth. objects to security roles?

  Checking the authorization object S_USER_VAL it seemed that it grants the ability to limit the addition of authorization objects, but I tried using a test ID in sandbox along with a test role, removing the object, creating ranges in order to limit to a certaing type of auth. objects and didn't work. S_USER_AGR will give me access to limit which type of roles I can modify, but I'm looking to restrict the addition of specific security objects to security roles. If anyone knows the answer to this please share! Thanks in advance for your help!!!!
  Edited by: Armando Salas on Nov 29, 2011 7:41 PM

  Hi Armando,
  Try with auth.obj. S_USER_AUT. A suggestion. Search this objects with tcode SU24, for instance, for tcode PFCG and it gives a list with objects.
  I hope this helps you
  Regards
  Eduardo

• APO roles and auth objects

  Hello all,
  Can someone tell me the most common used Tcodes, roles and auth objects in SAP APO - DP and APO-SNP security
  thanks

  I was going to type them out but luckily for me found this link to the DP & SNP auth objects - the info there is as detailed as anything else I have seen
  http://help.sap.com/saphelp_scm50/helpdata/en/21/f6253b90e48743e10000000a11402f/content.htm
  There is a list of useful APO transactions here
  http://help.sap.com/bp_scmv241/documentation/SCM_AIO_BP_Function_List.xls
  I can't help with the standard roles as I build my own.

• Changing Role created with Customizing Auth. Utility

  I created a role in PFCG using the Customizing Auth. option under Utilities by referencing a project view that I created in the IMG.  My intent was to create a security role with access to all of the SPRO tcodes and related security objects.  I then modified that role so that it only granted display access to these transactions.
  Later, I discovered that this role also granted access to SE38, SE37, SA38 and other critical transactions.  I know this will raise concerns with my auditors so I attempted to delete these transactions from my role.  I was unable to do this because my role was created with the Customizing Auth. option.
  Does anyone know of a way that I can remove these tcodes from the S_TCODE object?
  Thanks,
  Dennis Beausoleil   
  <telephone_number_removed_by_moderator>
  Edited by: Julius Bussche on Feb 23, 2010 12:04 PM
  Please use your business card options for such details.

  >
  Dennis Beausoleil wrote:
  > I created a role in PFCG using the Customizing Auth. option under Utilities by referencing a project view that I created in the IMG.  My intent was to create a security role with access to all of the SPRO tcodes and related security objects.  I then modified that role so that it only granted display access to these transactions.
  >
  > Later, I discovered that this role also granted access to SE38, SE37, SA38 and other critical transactions.  I know this will raise concerns with my auditors so I attempted to delete these transactions from my role.  I was unable to do this because my role was created with the Customizing Auth. option.
  >
  > Does anyone know of a way that I can remove these tcodes from the S_TCODE object?
  >
  > Thanks,
  >
  > Dennis Beausoleil   
  > <telephone_number_removed_by_moderator>
  >
  > Edited by: Julius Bussche on Feb 23, 2010 12:04 PM
  > Please use your business card options for such details.
  Dennis,
  In PFCG authorization change, inactivate the S_TCODE auth object then manually add S_TCODE and enter/paste the desired transactions with the exception of SE38, SE37, SA38 and other critical transactions.
  Good Luck!

• Job role design - transaction role and auth object role

  Hi all, please kindly comment following job role design:
  (1) transaction role:
  Keep transactions in single job role to represent business processes in different application areas, e.g.MM: maintain PR, PO, OA.   CO: maintain cost center, internal order   HR: maintain org structure, personnel management.
  The single job role will only keep role menu, object S_TCODE and inactivated all other application related authorization objects.
  (2) authorization role
  Keep application component related authorzation objects except S_TCODE in single job role by different application area, e.g. Objects of MM_B, MM_E, MM_G in MM role. Objects of K_CCA, K_CSKS_SET in CO role.  Objects of HR in HR role.
  Then maintain org level of MM, CO, HR roles for different companies, e.g. Company A MM role, company A CO role, company A HR role, company B MM role.;....
  User will be assigned transaction role + auth object role.   For example, user of company A to perform MM and CO functions will be assigned
  with MM transaction role + company A MM role + company A CO role.
  Please let me know the pros and cons of above design.  Thanks.
  Regards,
  Donald
  * I can see the disadvantage of this design is during SAP upgrade (SU25), revised of authorization object will not reflect in authorization role

  Brent Van Dyck wrote:
  Keep in mind the project was for an HCM implementation where there's already hardly any connection between tcodes and authorization values so it may have made more sense in that context than it would in a classic SD/MM.
  That is correct - but it still exceeds "horrible" beyond imaginable boundaries if you try to split the fields of the objects into different roles and expect it to work or that there will be less roles.
  In the case of HCM and also BW the auths admin needs to know more about the data and organization than what classic ERP auths admins can get away with. That is why they take longer to migrate away from manual profiles and have a greater tendency to have manual authorizations inserted into roles - which could however also be achieved by maintaining fields proposed without values and at least proposing those (such as activity type fields) which are known.
  But splitting cube / characteristics / key figures  or infotype / personel group / auth code into different roles can only go wrong.
  Another mistake some "value role experts" sometimes make is that they don't want Su24 proposals in PFCG because they don't understand them. So what they do is that they clean out the SU24 tables completely... Well... the side affect of that is that all SU24 check indicators flagged as "no check" suddenly become alive in their system although there are mostly good reasons not to have the checks active.
  Cheers,
  Julius

• Single character wildcards ? PFCG, role, auth object

  Hi community,
  we want to implement a naming convention to control access to queries by query names, auth object S_RS_COMP,  RSZCOMPID. The naming convention is e.g.: Z_xx_ST_yyy.
  means:
  digits 1-2: Z:_
  digits 3-4: custom 2-digit identifier
  digits 5-8: "_ ST _" stands for standard query
  digits 9-30: custom name
  we need to distinguish the users by the 2-digit identifier. but some power users are authorized for all standard queries, so we want to use a single character wildcard for digits 3-4. we tried with +, $, %, &, # and <blank>, but nothing worked.
  also asterisk Z_ * STyyy does not work, it works like Z_ * then.
  any idea? many thanks and
  cheers,
  Phil
  Edited by: Phillip Lee on Jun 17, 2008 3:16 PM

  Hi,
  You are in BI 7.0? We also experienced smilar problem when we tried using wild character in 'Analysis authorization'. That wild character did not work. Finally we had to hard code without wild character.
  Regards
  S Meyyappan

• Transport roles and analysis authorization with user assigned

  Hi expert,
  I face with this problem transport roles and analysis authorization with user assigned. When I have created a transport request to move the roles and analysis authorization from development system to test system. I couldnu2019t maintain the user assigned, after transport I have to assigned manually all of user or create a program to fill AGR_USER table or there are other way.
  Thanks for your time,
  Luis

  Hi,
  In role administration, you have the following options for transporting roles:
  You can download the roles from one system and upload them into another  
  You can import the role from a remote system using RFC  
  You can transport the roles with the transport function.
  Role upload loads all role data, including authorization data from a file into the SAP system. The user assignments for the role and the generated profiles for the role are exceptions in this case.
  Transporting Roles with the Role Transport Function
         1.      Start the role administration function by choosing Tools ® Administration ® User Maintenance ® Role Administration ® Roles (transaction PFCG).
         2.      Enter the role to be transported and choose Transport Role.
  The Mass Transport of Roles screen appears. You can control the default settings for the options Also transport single roles for composite roles and Also transport generated profiles for roles using Customizing switches (see Role Administration Functions in the section Functions of the Utilities Menu).
  You should not change the authorizations profiles of the role after you have included the role in a transport request. If you need to change the profiles or generate them for the first time, transport the entire role again afterwards.
  For more information go thrpugh the below link
  http://help.sap.com/saphelp_nw70/helpdata/EN/6d/7c8cfd410ea040aadf92e1f78107a4/content.htm
  Regards,
  Marasa.

• Auth objects required for creating super,power,end user roles

  Hi ,
  I need to create 3 roles according to the below requirement. can you tell me what auth objects req inorder to fulfill customer requirement.
  1.     Super User: 
       Have the access to Create/Modify/Delete own queries
       Can create Variables, CKF, Structures, Formulas & RKF at the cube level (global)
  2.     Power User :
       Have the access to Create/Modify/Delete own queries
       Can create Structures, Formulas at the query level
  3.     End User
       Have the access to run and navigate reports at the local level
  Hope I will get reply soon
  Thanks

  Karunakar -
  Few things you have to keep in mind when you are giving access to the reports and queries.
  S_RS_COMP only will not do.
  have you assigned S_RS_COMP1 and S_RS_MPRO for info areas and multi/info providers.
  and one more auth object S_RS_ICUBE for info cubes. you have to assign what ever the info cubes that you need to give access to the users.
  Then only user will get full access.
  precisely in order you can say,
  S_RS_COMP
  S_RS_COMP1
  S_RS_ICUBE
  and S_RS_MPRO.
  These are main auth objects which are related to info cube, info area access and BEx access.
  Hope this would give you clear pic.

• Need to build the security roles (actual technical roles) with HRCON object

  I need to build the security roles (actual technical roles) with HRCON objectfor date driven security.
  Please help me that how could i learn and what should be the approach.
  i.e. What is the requirement for learing to build the security roles (actual technical roles) with HRCON object for date driven security.

  Hi marco,
  It is related to Context solution and I need to implement HR Security in terms of context solution.
  So Could you please describe Following points:
  1. What is context solution
  2. How can i implement this context solution and HR Basic security as well
  3 What is the prerequiest to learn about HR security
  4. I am new for HR Security, SO what would be the approach to implement HR Security.
  Thanks

• Manually added auth objects and Derived roles

  If there are manually added auth objects in the parent role do they come across to the derived roles?
  Also if you manually added auth objects into a derived role will they be overwritten by the parent role if you auto derive from the parent role?

  yes, any auth objects will come across to derived roles when you click 'generate derived roles'  from your parent role. basically its copying your parent role authorizations to derived roles  except org. level data( if you had maintained them thru 'org. maintainence' button and not adding in individual objects).
  yes. manually added auth objects in your derived roles will be overwritten by the parent role authorizations when you click 'generate derived roles'  from your parent role.
  if you just derived the role menu and din't copy the authorizations(generate derived roles) then there will not be any interlink between the parent and derived roles for authorizations.
  http://help.sap.com/erp2005_ehp_02/helpdata/en/1c/c38028816c11d396bc0000e82de14a/content.htm