BI7 : Transport deletion of analysis authorizations

Similar Messages

• Transport roles and analysis authorization with user assigned

  Hi expert,
  I face with this problem transport roles and analysis authorization with user assigned. When I have created a transport request to move the roles and analysis authorization from development system to test system. I couldnu2019t maintain the user assigned, after transport I have to assigned manually all of user or create a program to fill AGR_USER table or there are other way.
  Thanks for your time,
  Luis

  Hi,
  In role administration, you have the following options for transporting roles:
  You can download the roles from one system and upload them into another  
  You can import the role from a remote system using RFC  
  You can transport the roles with the transport function.
  Role upload loads all role data, including authorization data from a file into the SAP system. The user assignments for the role and the generated profiles for the role are exceptions in this case.
  Transporting Roles with the Role Transport Function
         1.      Start the role administration function by choosing Tools ® Administration ® User Maintenance ® Role Administration ® Roles (transaction PFCG).
         2.      Enter the role to be transported and choose Transport Role.
  The Mass Transport of Roles screen appears. You can control the default settings for the options Also transport single roles for composite roles and Also transport generated profiles for roles using Customizing switches (see Role Administration Functions in the section Functions of the Utilities Menu).
  You should not change the authorizations profiles of the role after you have included the role in a transport request. If you need to change the profiles or generate them for the first time, transport the entire role again afterwards.
  For more information go thrpugh the below link
  http://help.sap.com/saphelp_nw70/helpdata/EN/6d/7c8cfd410ea040aadf92e1f78107a4/content.htm
  Regards,
  Marasa.

• Transport Request for Analysis Authorization

  Hello Everyone,
  When a trasport request is created for any BI analysis authorization ( including the Z*), the type of trasport request created
  is workbench request. What is the reason behind this because when any Customised Role / Profile is included in transport request this will be customised request unlike analysis authorization.
  Thanks in advance.....

  Hi Rashmi,
  The difference is In BI, the AA authorizations are independent. Any objects that are independent of the client will be captured in the workbench type of transport request, when they are required in the other client. Hence you can see the Workbech type request for  transporting changed Repository objects and changed system settings from cross-client tables. However, customizing requests involve changes recorded to client-specific Customizing objects .
  The Analysis authorizations are always captured in a Workbench type of transport request by default due to the above design.
  You can still transport both the PFCG role, and AA in a single transport request, you can do the same by following the steps mentioned in the below Wiki:
  https://wiki.sdn.sap.com/wiki/display/BI/HowtotranportroleandAAtogetherinBI
  Regards,
  Raghu

• SAP BI 7.3 Analysis authorization transport log

  Hi,
     We have transported a Analysis authorization to production system, I would like to know the exact changes moved through this transport carrying a particular analysis authorization.
  The issue here is RSECVAL_CL has not recorded the changes done on this particular Analysis authorization in development system.
  So please suggest if there is any table where we can look to find the exact changes made by this transport request.
  Regards,
  Ananth
  Edited by: Anantharama Shivashankar on Oct 26, 2011 6:48 PM

  The issue here is RSECVAL_CL has not recorded the changes done on this particular Analysis authorization in development system
  I guess that is a problem and should be reported to SAP. However this table will give the value that has been deleted. New value to be checked in analysis authorization itself.
  EDITED : If the AA been transported before then might look their content and compare them.
  Regards,
  Arpan Paik
  Edited by: P Arpan on Oct 31, 2011 3:44 PM

• Hierarchy Analysis Authorization does not work after transport

  Hi Gurus,
  I am facing a issue in hierarchy analysis authorization in quality system but the same authorization works perfectly fine in development.
  All hierarchy authorizations works in Quality except for this one. I found one old sap note describing this as program error but this note is not applicable in BW 7.3.
  I have checked the table RSECVAL, RSECHIER and authorization is active so everything looks good. Please advise if anyone faced this issue after transporting hierarchy auths to other systems
  Regards,
  Salman

  Salman,
  What I understood from your description is that you have same role+AA in Dev and QA, which provides access in Dev for all the nodes for said hierarchy but in QA, same role+AA provides access to the same hierarchy for all the nodes but one. Try to create a ZTEST analysis authorization in QA itself with access for the problematic hierarchy node and see if it works ? This will rule out the case if there is a difference in hierarchy in DEV & QA.
  Regards,
  Shivraj Singh

• Issue w RSCUSTV23 Analysis Authorization System after upg from BW3.5 to BI7

  We set it to "Obsolete Concept with RSR Authorization Objects" and we do no understand why from the suddenly changes to
  "Current Procedure with Analysis Authorization" from no where - any ideas why from the sudden this changes by itself?
  still were not not migrating our security to the new version...we will do it around april...but in the meanwhile i would like ot understand why is happening by itself.
  thanks,

  Note that the logging will probably only help you if you activate it in the transport tool profiles (STMS) as it sounds to me as if imports of the customizing are making this setting.
  Did you set the value in DEV and transport it through or did you use one of the "BW utility reports" to change it (in which case you do not always have change documents and inconsistent customizing is "by design"...).
  Cheers,
  Julius

• Role and Analysis Authorization Transport

  Dear Experts,
  I'm working with migration authorization project from 3.5 to 7.0. My doubt is when migrate in development enviroment enhancement each whith join S_RS_AUTH with Analysis Authorization which the role doesn't have any users assigning and transport to test enviroment where have a same role with user assigning. Do lose the user assign?
  Thank for all,
  Luis

  Hi,
  I think it will orverwrite the Role. If you want to lock the target system against import of user assignments, you can goto sm30 (Table - PRGN_CUST). Make an entry - USER_REL_IMPORT (value - NO).
  Thanks

• D_E_L_E_T_E doesn't delete analysis authorizations

  Dear SAP BI colleagues,
  I use the standard DSO's for analysis authorization (0TCA_DS0*). After successful upload and generating the analysis authorizations, I tried to delete this entries again. For this I followed the SAP documentation as well as other community hints: I only have the D_E_L_E_T_E entry for infoobject 0TCTUSERNM in the value DSO 0TCA_DS01. After generating via RSECADMIN the analysis authorization still exist in the user assignment as well as the DB table RSECAUTHGENERATD.
  Does anybody know why?
  Regards,
  Joern

  You need to set the 0TCTOBJVERS to 'A' and 0TCTADTO to '99991231' as well.
  Regards,
  Lars

• Comparison of analysis authorization roles ?

  Hello Experts,
  I am using BI7.0 new analysis authorization concept.
  I know how to compare pfcg role across systems but does anybody know how we can compare analysis authorization roles across systems?
  Thanks and Regards
  Imran

  Hi,
  Easy comparison of roles (PFUD):
  Many times the Role Comparison (Profile match up) is required after the transport of roles. One usually does it from PFCG for each role individually. For a quick solution to this problem, use transaction code PFUD.
  Please check the below link :
  http://help.sap.com/saphelp_bw21c/helpdata/en/5c/deaa7dd3d411d3970a0000e82de14a/content.htm
  http://help.sap.com/saphelp_nw04/Helpdata/EN/5c/deaa7dd3d411d3970a0000e82de14a/content.htm
  http://help.sap.com/saphelp_nw70/helpdata/EN/c1/db3fc2fd3111d5997a00508b6b8b11/content.htm
  http://help.sap.com/saphelp_mic10/helpdata/en/69/1810a4c51144dc833353183155ec88/content.htm
  Regards
  Sreedhar Reddy

• Analysis Authorization Migration Question

  Analysis Authorization Migration Question
  This is detail Question
  1)     I am testing Analysis Authorization Migration in NW2004s SP9 and have applied all OSS notes that are relevant to SP09 and are coming in SP10.
  2)     We have 2 Info object flagged as Authorization relevant 0COMP_CODE and 0COSTCENTER
  3)     We have Object level security set-up in BW 3.x system and for a role we have specified values like 0COMP_CODE has value 1000, 1800. “:”. In the same role we have specified 0COSTCENTER value 130001 to 180001, “:”  and hierarchy node.
  4)     When we migrate to Analysis Authorizations, using RSEC_MIGRATION, this program creates 2 Authorizations ZCOCODE00 & ZCOSTCTRH00. Both of them have 0COMP_CODE and 0COST_CENTER Objects.
  5)     ZCOCODE00 authorization gets value 0COMP_CODE values 1000, 1800. “:” and 0COSTCENTER Value “:”.
  6)     On the same line ZCOSTCTRH00 gets value 130001 to 180001, “:”  and 0COMP_CODE “:”.
  1st Question:
  1)     Why does it create 2 Authorizations?
  2)     During Checking it does not pass the authorizations, because it seems to me that it fails in Optimization process.
  3)     I manually merge the authorizations in “ONE” object then authorization check passes.  In other word if I combine ZCOSTCTRH00 & ZCOCODE00 then Query authorization check passes.
  Any one is struggling on this.
  Please note, I am doing Migration so that it updates existing Profiles (Roles now from SP9).
  Any comments will be very help full.
  Pankaj Gupta

  Hello Pankaj
  There are some basic misunderstandings on your side.
  Let me try to clarify:
  First we should distinguish between migration of authorizations and of what a query does with them.
  You had 2 auth objects before migration (in 3.x).
  Of course, they must be migrated to 2 new analysis auths.
  There is no general possibility to combine authorizations to a single one as the may appear in different roles and users. Moreover this would kill performance and finally, nobody would recognize the origin.
  Only in very restricted cases one could think of a combination of auths which come out of migration. But, then people loose overview about what goes on.
  Before the corrections in note "Migration IV" the : had not been inserted but now it is for good reasons.
  Now, accept for the moment that you receive 2 auths.
  Then, you cannnot (must not) combine the 2 resulting authorizations!
  <b>Authorization 1</b>
  COMP_CODE : 1000, 1300, “:”
  Cost Center : “:”
  <b>Authorizations 2</b>
  Comp_Code “:”
  Cost Center : 3100001-31999999; “:” plus a Hierarchy Node.
  This means that e.g. combination
  COMP_CODE 1000
  COST_CENTER 3100001-31999999
  <u>is not allowed!!!</u> Therefore, they must not be combined!
  Also, the query and its optimization is comepletely independent of the migration. And here, during query run time the auths cannot be combined. It is no failure!
  Moreover, the merging optimization is just a performance optimizaiton and has nothing to do with whether the query result is authorized or not.
  If you combine them manually you have authorized different combinations.
  Well, now you may wonder why you get 2 auths at all which leads to a "no auth" result in the query execution.
  The reason is, that in 3.x where you got a result with your 2 auth objects the modeling was wrong.
  If you want to authorize any combination of characteristic values, you should combine these characteritics together in one auth object, not in 2!
  (In BI7.0 it works like that but not in 3.x)
  But you defined 2 which may be valid even in several other InfoProviders independently and not even at the same time. Moreover, the auth objects may come from different roles and may be assigend to different users which then have completely different auth content. In general it is not possible to combine different auth objects or to find out those special situations which nevertheless allow for such optimizations. If you re-do a migration with more objects and users you could even receive different results which is also not satisfying.
  Therefore, instead, the mechanism was introduced to insert a : auth to those characteristics that are auth relevant (and checked now with 7.0) but not in the currently processed auth object.
  In you special case it may have made sense to combine them but not in general. And a migration can only try to work as general as possible.
  For your application you may combine the 2 auths manually if you want to allow also the crossover combinations
  COMP_CODE 1000
  COST_CENTER 3100001-31999999
  Best regards
  Peter John
  BI Development

• Analysis Authorization In Dev and impact of reports and roles in prod trans

  Hello,
  We are planning to switch to analysis authorization. We plan to make that change first in Dev and we were wondering what would be the impact on roles and reports we transport from dev (which is switched to Analysis Authorization) to production( on Old authirization) ? We wont transport new things to production till we switch to new auth in Prd.
  Thanks a lot,
  BP.

  Hello
  Even if you are transporting the roles from dev to quality and production, the analysis authorization objects will not be checked until you set "current procedure..." in RSCUSTV23.
  So there is no harm in transporting the roles and auhotrization until you change the concept to analysis.
  regards,
  Payal

• Analysis Authorization not working - Empty demarcation

  Can someone help me on this Analysis Authorization? I read many threads in SDN, it seems that I followed the correct steps. The restriction on S_RS_COMP is working well but the restriction on the Analysis Authorization is not working. Surely I'm making some mistake, but can't find what's wrong.
  I'm a User (say USER_00) in a test system, assigned to a Role (say Z:BI_USER). This is a broad role:
  - S_RS_COMP and S_RS_COMP1 have full authorization (*) to all the fields,
  - S_RS_AUTH has the BIAUTH field with Name of Authorization = *.
  Also I have an InfoArea (ZIA_TEST) and an InfoCube (ZIC_TEST). The IC has some characteristics and key figures. The only authorization relevant characteristic is ZCA_CLI (client). The IC has only 5 lines, one for each client ("CLI_01" to "CLI_05").
  Also there's a query (ZQR_TEST) on this IC, with an Authorization Variable (VAR_AUTH_CLI) restricting the characteristic ZCA_CLI.
  I'm trying to create a new User and restrict him to this IC and only to the data of client "CLI_01". If it works I'll apply to a production system.
  What I did:
  1) With tcode SU01 created a new User (USER_01) with no Role neither Analysis Authorization.
  2) With tcode PFCG copied the Role Z:BI_USER as Z:ROLE_TEST then made some changes:
  a) S_RS_COMP
  - Activity = 03 and 16
  - InfoArea = ZIA_TEST
  - InfoCube = ZIC_TEST
  - Type of report component = *
  - Name of report component = *.
  b) S_RS_COMP1
  - Kept * to all fields.
  c) S_RS_AUTH
  - I inactivated and deleted this Authorization Object.
  (I don't want to keep characteristic values restriction inside the role. The idea is to associate different users to the same role, allowing them to see the same ICs and execute the same queries. And differentiate wich characteristic values each one can see by manually associating different analysis authorization to each one.).
  3) With tcode RSECAUTH I created an Analysis Authorization (Z_AA_CLI_01) to restrict access only to client "CLI_01":
  - ZCA_CLI = "CLI_01"
  - 0TCAACTVT = "03"
  - 0TCAIPROV = "ZIC_TEST"
  - 0TCAVALID = "*".
  4) With tcode PFCG I assigned User "USER_01" to the Role " Z:ROLE_TEST" and made Complete Comparison.
  5) With tcode RSU01 I manually assigned Analysis Authorization " Z_AA_CLI_01" to User "USER_01".
  It seems to me that these steps are enough. But:
  a) When I log as USER_00 and go to tcode RSRT2, searching by InfoAreas I can see all the InfoAreas and all the InfoCubes, select and execute the query. That's OK.
  b) When I log as USER_01 and go to RSRT2, searching by InfoAreas I can see only ZIA_TEST and under it I can see only ZIC_TEST. That's OK. Then I select and execute the query.
  Wich means that S_RS_COMP is OK and each user is assigned to the correct Role.
  c) The problem is that in both cases the query brings data from all Clients.
  Under Information and Variable Values (when I run with HTML display) the message is "Empty demarcation".
  I changed the variable to be Ready for Input, just to see wich values it brings. In both cases (as USER_00 and as USER_01) in the Variable Screen it brings all the 5 Clients from the IC and I can select and execute any value.
  So the problem is with the Analysis Authorization or with the Variable, but I can't find what's wrong.
  Any help will be very appreciated.
  César

  OK Marc, it worked.
  Sorry for not answering earlier, but I could get back to this front only some days ago, then began testing your suggestions.
  1) Security Concept
  Authorization Mode was set to "Obsolete Concept with RSR Authorization Objects" (it would never work with this setting).
  I changed to "Current Procedure with Analysis Authorizations".
  Anyway, what's the function of this setting? Do old Reporting Authorizations work with "Current Procedure with Analysis Authorizations" setting?
  2) Variable Representation
  With "Multiple Single Values" it really led to problems.
  With "Selection Option" it worked well.
  3) 0TCAKYFNM
  I don't understand why, but if the AA doesn't have the char/dimension 0TCAKYFNM, when the User tries to run the query (tcode RSRT2) it accuses "You do not have sufficient authorization".
  Info Cube ZIC_VE95 has two KFs (ZKF_QTL95 and ZKF_VLT95). These KFs are used only on this IC (also in the KF Catalog, but it doesn't impact). This IC is used only on Query ZQR_VE95 (also in Transformation and DTP, wich doesn't impact).
  Well, I inserted 0TCAKYFNM and it worked, either with CP, "*" or with EQ, the two KFs.
  4) Authorization Policy Definition
  The situation I'm working on is very typical. Ex.: Some users are Administrators, Managers, Operator 1, Operator 2 and so on. Each Role needs authorization to access some queries. At the same time, they can access information only of the Cost Centers to wich they are related.
  There are many ways to implement it (I tested some of them and they worked well). My point is to define a most practical way, easy to understand and to maintain.
  I'm now sympathetic to this way:
  a) Create functional Roles (ex.: "Administrator", "Manager", "Operator 1", "Operator 2" and so on) defining only the Queries (or Info Areas, Info Providers, etc) each Role needs. No S_RS_AUTH definition.
  b) Create Char Value Roles (ex.: "CC_100_to_199", "CC_200_to_299", etc), only with S_RS_AUTH definition, each one associated with a corresponding AA (ex.: AA for CC 100 to 199, AA for CC 200 to 299 and so on).
  c) Create Composite Roles associating functional and char value Roles. Ex. Composite Role "Administrator for CC 100 to 199", composed of the Roles "Administrator" and "CC_100_to_199".
  d) Associate Users to the Composite Roles.
  Anyway, I'd appreciate if you could indicate some literature (blogs, articles, etc) on this theme.
  Well, thank you very much for your answers. Now I can go on with my studies on this subject.
  César Menezes

• Analysis Authorization and Query

  Hi everybody,
  while studying the new analysis authorization concept in BI7 I tested a little bit around. I was wondering how I can realize the following scenario:
  A user should see "0VERSION" "2" and "0DIVISION" "01" as well as "0VERSION" "5" and "0DIVISION" "02" while executing the query with BEx Analyzer.
  Am I right that I have to create two analysis authorizations?  How do I have to model the query? I always get the message that my testuser does not have enough authority.
  Thanks for your suggestions.

  Hi Anja,
  Did you ever get a resolution to the question you asked.  I am facing the same scenario now where i want to restrict a user to seeing seeing the following:
  user must see:
  Division = 001 and Area = A
  Division = 002 and Area = B
  But he must not see Division 001, Area B for example
  Creating the analysis authorizations is not a problem, the problem is modelling the query to return this result.  I always get no results due to lack of authorization as the authorization variables try to return All Division "001" and "002" and All "A" and "B"
  As i see it, you cannot model the query to return the required result.  What would be ideal is if the query would only return what the user is authorized to, rather than returning nothing and giving an auth error.
  Thanks
  Gavin

• Analysis Authorization (Role, Profile and Direct Assignments)

  <b>Analysis Authorization Question:</b>
  1)     In BW 3.x environment, customers have used Role Maintenance Process to assign proper object level security and then assign to the users.
  2)     Most of the places R/3 security team takes over support/administration function of BI Security and they continue to use Role method to assign “Reporting Authorizations” as per the process defined in BW 3.x system.
  3)     Customer sometime have 100 + Roles to have 3.X “Reporting Authorizations”. This is Managed, assigned, approved using role concept.
  <b>
  Migration Options:</b>
  1)     New Analysis Authorization makes process of Role Maintenance like "hierarchy authorizations" of BW 3.x. You have to create Value in other transactions and assign them in Role as a pointer or link object. With Analysis Authorization concept, Actual value of the Object Assigned “Like Company code 1100” not visible in Role Maintenance PFCG transactions. It is only visible in Transaction code RSECADMIN.
  2)     Analysis Migration Tool - RSEC_MIGRATION does not update “ROLES”. It creates or changes “PROFILES”.
  3)     Profiles are assigned to the users and Roles does not reflect any Impact by Analysis Authorization migration.
  <b>Questions</b>
  a)     This means customer need to update all the roles by hand. If they want to use Roles to manage the assignment of the Security to users. Migration Tool does not update Roles, it only updates PROFILES.
  b)     Does any one use direct assignment to Users? It is good business practice?
  c) Is <b>Profiles</b> recommended method of Authorization Maintenance?
  d) Can we run migration tool to create Analysis Authorizations, but not assign to the users as a Profile. But stop at creating Analysis Authorizations. If Customer wants to use Roles maintenance process then, they can do not have delete profile assignments from all users before updating Roles using Analysis Authorizations.
  Just want to check how other folks have done migration that can be supported going forward.
  Pankaj Gupta

  Hey Pankaj,
  In general, assigning the analysis authorization directly to user makes a lot of sense for granular levels of authorization. For example, if you had 3,000 users, 3,000 specific authorization combinations, and 3,000 roles, using roles is a lot of additional overhead. If you had 12 roles and 3,000 users, your role concept makes a lot of sense.
  Therefore, the recommendation is that it varies on what makes the most sense logically. Authorization groups can be created to group analysis authorizations and combine them. Also, you have the ability to generate analysis authorizations using the Content Datastores for this. That is an option as well.
  RSEC_MIGRATION does use profiles as you've stated. If you want, there would be manual work to convert to roles afterwards. In case you haven't seen Marc's presentation on security, it's pretty good and covers how to generate authorizations from the datastore.
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/media/uuid/ac7d7c27-0a01-0010-d5a9-9cb9ddcb6bce

• Generated analysis authorization cannot be changed

  Hello all,
  did someone manage to edit/delete generated (from DSO) analysis authorizations? When I want to correct a typo in one of the generated analysis authorizations it is not possible although the system is telling that it should be possible to do so. I did not find any note or thread yet.
  Message number RSEC292:
  Diagnosis text
  A generated authorization can be changed (this message is only a warning ), but one should be sure that this authorization is not generated again. Then it will be removed from the user, created again (perhaps with different content), and if there no fixed name was generated, it is renamed.
  Thanks in advance for your inputs

  Hello Lana,
  this is how SAP solved the problem
  Bye Petra
  Spezifikation: Message RSEC292: Generierte Analyseberechtigungen können nic
  Short text:
  Message RSEC292: Generierte Analyseberechtigungen können nic Langtext
  It is not possible to change from DSOs generated analysis
  authorizations although the system is telling that it should be
  possible to do so. Authorizations are sufficient (SU53; SAP_ALL)
  Message number RSEC292:
  Diagnosis text
  A generated authorization can be changed (this message is only a
  warning ), but one should be sure that this authorization is not
  generated again. Then it will be removed from the user, created again
  (perhaps with different content), and if there no fixed name was
  generated, it is renamed.
  Here is the communication path (please read from below):
  09.07.2007 - 09:03:36 CET Petra King Info für SAP
  Hello Ms. ,
  I always was telling about one issue:
  Change of generated analysis authorization is not possible.
  Since BI 7.0 we are talking about analysis authorizations so the
  transaction code used is obvious.
  There is no need for furhter information because it is only this single
  issue: I guess that it should be an error message and not a warning
  message and SAP made a mistake here by using the wron message category.
  I was never talking about users and xxxxxx is not an user but an
  analysis authorization.
  Please consider the call a solved - in the meantime I got
  professional support from the SDN platform.
  Regards,
  Petra King
  05.07.2007 - 09:14:22 CET SAP Antwort
  Hello Ms King,
  I must say that I find this message quite incomprehensible. First you
  write that you are irritated because my colleague asked you which
  transaction is being used to generate authorizations. This information
  is necessary so that the message can be assigned to the appropriate
  area. Indeed, the message was incorrectly sent to BC-SEC. Next you
  write that you are angry when I give you a consulting note regarding
  generation of analysis authorizations. I am mystified as to how such
  information from customers should help us in solving a technical or
  procedural probem. I have read the message from the beginning and
  there is very little technical and procedural information. Moreover, itis not clear what the "error" is here. The message RSEC292 is a warning(as clearly stated in the long text of the message) and this should not
  hinder the process. Lastly, in your last info you refer to a specific
  user, xxxxxxxx, as an example of a generated authorization. This is
  separate issue than the original:
  It is not possible to change from DSOs generated analysis
  authorizations although the system is telling that it should be
  possible to do so. Authorizations are sufficient (SU53; SAP_ALL)
  So in response to the original inquiry regarding RSEC292. The answer,
  as I have already mentioned and as stated in the text, is that this
  is just for information purposes. Please continue with the process.
  If you have a separate inquiry regarding the authorizations of
  particular users, please open a second message. We request that
  customer log one issue per message. Please read note 375196:
  Separate message for new problem/subsequent problem
  Regards,
  Senior Support Consultant
  SAP Active Global Support
  Netweaver Business Intelligence
  03.07.2007 - 15:14:39 CET Petra King Info für SAP
  Hello ,
  can you please contact the Basis Administrator xxx via phone
  (+xxxxx) so he can open the line and provide you with the
  user and password for system xxxxx.
  Please note that the error occurs on xxxx and you can have a look at the
  analysis auth. xxxxxxxx as representive for one of the generated
  authorizations.
  03.07.2007 - 15:08:43 CET Petra King Info für SAP
  Hello ,
  I am getting angry because note 1052242 is a documentation and I
  executed everything besides the fact that the analysis auths cannot be
  changed. Please read the error message from the beginning.
  Regards,
  Petra King
  28.06.2007 - 14:52:09 CET SAP Antwort
  Hello Ms King,
  Please excuse the delay in the processing of your message.
  Please read note 1052242 if you have not already done so. If this note
  does not help you to solve the problem, I would like to have a look at
  the situation on your system. Please open the R/3 Support connection
  provide me with a user and password. This information can be stored
  in the log on information of this message.
  Regards,
  Senior Support Consultant
  SAP Active Global Support
  Netweaver Business Intelligence
  25.06.2007 - 08:48:03 CET Petra King Info für SAP
  Hello ,
  if this is in the wrong queue, yes please forward it to the appropriate
  queue and please let the question be answered asap.
  Thanks,
  Petra King
  21.06.2007 - 07:47:29 CET SAP Info für Kunde
  Hello Petra,
  it is possible to generate authorizations in PFCG too. As RSECADMIN
  belongs to BW-BEX-OT-OLAP-AUT, I forward your message accordingly.
  Best regards
  Support Consultant
  Global Support Center Austria
  Netweaver Web Application Server ABAP
  20.06.2007 - 09:54:47 CET Petra King Info für SAP
  Hello ,
  sorry to let you know so late but there was a typo in my email address
  xxxxxinstead of xxxxxxxxx
  Your question is a little bit irritating. Generation of analysis
  authorizations in 7.0 is usually done only with transaction code
  RSECADMIN - correct me if there is another possibility. Generation
  works fine but the authorizations cannot be edited after then.
  Bye,
  Petra
  23.05.2007 - 11:53:16 CET SAP Antwort
  Dear Ms. King,
  please let me know which transaction code do you use or in which
  transaction do you get this message.
  Best Regards
  Support Consultant
  SAP Active Global Support - Netweaver Web Application Server