BW Analysis Authorization gut check.

Hello all,
Just a gut check about how the AA strategy works.  Take this scenario when executing a query:
The following InfoObjects are auth relevant:
0PLANT:  Aggregated Data so only : is needed.
0WHSE_NUM:  Needs specific value
0TCAACTVT:  Default 03 given.
And then the following special characteristics:
0TCAIPROV:  Infocube Z123
0TCAVALID:  Default * given.
Now..if I were to put these 5 Characteristics in 5 seperate Analysis Authorizations and assign those 5 to a role with S_RS_COMP, the query can be executed.  Not our design...testing purposes only.
I THOUGHT that some of these characteristics needed to exist together in 1 AA, like 0TCAACTVT and 0TCAIPROV in order to work properly.  But apparently when the system is checking authorizations, it only treats each characteristic seperately and on it's own when checking the values.
Thoughts or insight?
Thanks,
Tom

Hi Tom,
To be precise, you'd assign your analysis auths to a role with S_RS_AUTH. S_RS_COMP is to give access to BEx.
Check out the online documentation from SAP on analysis auths. I did a really quick look in there and found this gem that should help answer your question:
In addition to these generic dimensions, an authorization includes special dimensions. These consists of the characteristics 0TCAACTVT (activity), 0TCAIPROV (InfoProvider), and 0TCAVALID (validity). These special characteristics must be included in at least one authorization for a user; otherwise the user is not authorized to execute a query.We recommend that you include these special characteristics in every authorization. You do not have to include them in every authorization, but for reasons of clarity and analysis security, we recommend that you do this.
So it seems that you need those special dimensions in at least one analysis auth to be able to execute queries, but SAP recommends including them in all of them.
Krysta

Similar Messages

  • Scenario in Analysis Authorization to check

    Hi Gurus,
    I am doing a POC for Migration of Analysis Authorization Migration. In which there isone scenario that we want to check.
    The Scenario is for Single user.
    User having access to 2 different Cubes:-
    Cube 1                                                   Cube 2
    Company Code:- XYZ                           Company Code :- *
    Now How can we acheive this scenario in Analysis Authorization.Please guide.
    Regards,
    Amit

    Try this
    AA #1
    0TCAACTVT                                               03
    0TCAIPROV                                                 Cube1
    0TCAVALID                                                 *
    0COMP_CODE                                             XYZ
    All other objects auth-relevant for Cube1   :
    AA #1
    0TCAACTVT                                               03
    0TCAIPROV                                                 Cube2
    0TCAVALID                                                 *
    0COMP_CODE                                             *
    All other objects auth-relevant for Cube2   :

  • Comparing analysis authorization

    Hello BI fans,
    is there any tool or transaction to compare 2 analysis authorizations?
    Maybe similar to transaction S_BCE_68001777 (comparisons of roles).
    I have to compare many analysis authorization. And it takes a long time to double click on every characteristic of the analysis authorization to check the values.
    Thanks in advance!

    Hello,
    There is no special transaction/report to compare authorisations. The best option available is described in the last 2 posts of this thread:
    Comparison of analysis authorization roles ?
    Regards,
    Michael

  • Issues with Analysis Authorization checks in APO

    Hi Friends,
    I am facing an issue with Analysis authorization checks in APO.
    We have setup user access based on Management Entity (Analysis authorization - AGMMGTENT and 0TCAACTVT) and core APO authorizations (based on the work profile - e.g: Demand Planner).
    Scenario: Consider User A has access to India and Australia Management Entities with 0TCAACTVT - *
    This user also has display access to all management Entities (AGMMGTENT - * and 0TCAACTVT - 03). This scenario works very well in Quality where the RSECADMIN trace shows check on both Characteristics. However in Production the RSECADMIN trace shows up only against AGMMGTENT (*) and by default takes 0TCAACTVT as (*).
    In Quality the Characteristics that get checked are as below : and it works as expected. Display access for Management Entities that are supposed to be displayed only and change access to only the Management Entities that it should.
    However the Trace for Production shows the following : As a result it is allowing the user to change access to all management Entities. Which is not desirable..
    Resultant trace results are as below: This should not happen..
    I have compared all Analysis Authorizations and it is same across both Instances. The Demand planner access is consistent too..
    Will it be possible for you to advise on what could I be missing.

    Hi All,
    If it helps, in Quality: the Authorization checks are listed as: Subselection (Technical SUBNR) 1
    while in Production it checks Subselection (Technical SUBNR) 1 in one place, however where it fails - the check happens as Subselection (Technical SUBNR) 0.
    Is there a way we can change this to SUBNR 1. Is there any table entry that I can look at to check if the Authorization check is functioning incorrectly..
    Please advise.. Thanks..
    Regards,
    Prakash

  • Analysis Authorization in BO 4.0 Webi report

    Hi All,
    I am using BO 4.0 and creating connection from Information Design tool to a BW query using BICS client. This connection is then published to CMC.
    We are using SAP authentication and importing the roles from BW system. We have added profiles to this role and these profiles have Analysis Authorization set on Company Code. So one user can access data to one company code and vice versa. Now this works well in Bex Analyzer, but if I try to create a report in Webi, the analysis authorization fails. I went through the forum before posting this question and I found that is in 3.1 version and in most cases using SSO in universe connection solved the problem.
    However in 4.0 I am using BICS client and followed the same processes to create a connection but for some reason it doesn't work ? Is this suppose to work differently in 4.0 ?
    I have tried:
    1. To create connection in Information Design tool using SSO, selecting user ID and password. It doesn't work.
    2. Checked the Bex query and it already has Company code as a Characteristic restrictions (I have made it a mandatory variable).
    3. Publish the connection to CMC with my Enterprise and SAP ID and in both cases it doesn't work.
    Please let me know if anyone encountered a similar issue and what is the best method to resolve this.
    (BO 4.0 no service pack or fix pack installed on the system yet)
    Thanks - Appreciate your help !
    Prasad Rasam

    Ingo,
    1. To create connection in Information Design tool using SSO, selecting user ID and password. It doesn't work.
    >> Correct you need to setup you OLAP Connection with SSO.
    >>> What I meant was I created the connections using both the methods, Using SSO it allows me to create a connection. The ID which I am using to create a connection has Admin access to BOBJ system. When I login as a regular user to create a Webi report and select this new connection, it throws an error message 'The DSL Service returned an error: com.businessobjects.dsl.services.workspace.impl.QueryViewAnalyzer$CannotGetCubeFromConnectionException: Cannot get the cube from the connection'
    Using the other method to create a connection with User ID and password, I can create a connection and with the normal user login I can connect to the BW query but Analysis Authorization doesn't work.
    Ingo : Could you be more specific what you mean here with the different users ? When you say "regular" user are you referring to an SAP credentials or SAP BusinessObjects Enteprrise credentials ?
    2. Checked the Bex query and it already has Company code as a Characteristic restrictions (I have made it a mandatory variable).
    >> The variable in the BEx query needs to be an authorization variable.
    >>> This has already been set as Authorization variable. There is still a question here. If I select the variable as Authorization variable, I cannot set the other parameters in the query properties such as Mandatory variable (as this is greyed out).
    Ingo : What other parameters would you like to configure ? Could you perhaps describe the scenario with more details ?
    regards
    Ingo Hilgefort

  • Web Intelligence Report + BI 7.0 Analysis Authorizations

    Hello Experts,
    I have created a report on a universe based in a SAP BW InfoCube that contains an authorization relevant InfoObject (Company Code).
    BW Analysis authorization have been set up for this cube in such way that the user should have access only to data containing one of the two values of Company Code (lets say for example that the user can access value "A").
    It seems to be working fine when testing them via a BEx Query or via rsecadmin (rsrt with detailed analysis authorization logs). When the test user tries to view the full contents of the specific cube gets an "access denied" message (this is normal), whereas if the user runs a report with a filter "A" on Company Code the report returns the results as it should have. So far so good.
    For testing use within Web Intelligence, I have created the following Single Sign On (SSO) universes: a)directly on the cube, b)via a "select all" query and finally c)via a filtered query (filtering the exact allowed values of analysis authorization of the test user). All of the above have unfortunately the exact same issues:
    When a test user with limited analysis authorization (i.e. a user that can only access value "A" of Company Code) tries to view a report on either of these universes, then the result is the following message when trying to execute the query "A database error occured. The database error text is: Error loading cube MyCube/MyQuery (catalog MyCube): Unknown error. (WIS 10901)"
    I have tried several settings on the universe (like filter working on LoV as well) but none helped.
    If we replace the user's analysis authorizations with full access on company code (values "A" and "B") the query runs as it should have.
    Any ideas?
    Best regards
    Giorgos

    Hi,
    has the Universe been created on the cube level or on the query level ?
    In case it is on the cube level it will fail because :
    Analysis authorizations are not based on authorization objects. Instead, you create authorizations that include a group of characteristics. You restrict the values for these characteristics.
    The authorizations can include any authorization-relevant characteristics, and treat single values, intervals, and hierarchy authorizations in the same way. Navigation attributes can also be flagged as authorization-relevant in the attribute maintenance for characteristics and can be added to authorizations as separate characteristics.
    You can then assign this authorization to one or more users.
    All characteristics flagged as authorization-relevant are checked when a query is executed.
    *A query always selects a set of data from the database. If authorization-relevant characteristics are part of this data, you have to make sure that the user who is executing the query has sufficient authorization for the complete selection. Otherwise, an error message is displayed indicating that the authorization is not sufficient. In principle, the authorizations do not work as filters. Very restricted exceptions to this rule are hierarchies in the drilldown and variables that are filled depending on authorizations. Hierarchies are mostly restricted to the authorized nodes, and variables that are filled depending on authorizations act like filters for the authorized values for the particular characteristic*
    Ingo

  • [BO over SAP BW] Web Intelligence Report + BI 7.0 Analysis Authorizations

    Hello Experts,
    I have created a report on a universe based in a SAP BW InfoCube that contains an authorization relevant InfoObject (Company Code).
    BW Analysis authorization have been set up for this cube in such way that the user should have access only to data containing one of the two values of Company Code (lets say for example that the user can access value "A").
    It seems to be working fine when testing them via a BEx Query or via rsecadmin (rsrt with detailed analysis authorization logs). When the test user tries to view the full contents of the specific cube gets an "access denied" message (this is normal), whereas if the user runs a report with a filter "A" on Company Code the report returns the results as it should have. So far so good.
    For testing use within Web Intelligence, I have created the following Single Sign On (SSO) universes: a)directly on the cube, b)via a "select all" query and finally c)via a filtered query (filtering the exact allowed values of analysis authorization of the test user). All of the above have unfortunately the exact same issues:
    When a test user with limited analysis authorization (i.e. a user that can only access value "A" of Company Code) tries to view a report on either of these universes, then the result is the following message when trying to execute the query "A database error occured. The database error text is: Error loading cube MyCube/MyQuery (catalog MyCube): Unknown error. (WIS 10901)"
    I have tried several settings on the universe (like filter working on LoV as well) but none helped.
    If we replace the user's analysis authorizations with full access on company code (values "A" and "B") the query runs as it should have.
    Any ideas?
    Best regards
    Giorgos

    Hi,
    has the Universe been created on the cube level or on the query level ?
    In case it is on the cube level it will fail because :
    Analysis authorizations are not based on authorization objects. Instead, you create authorizations that include a group of characteristics. You restrict the values for these characteristics.
    The authorizations can include any authorization-relevant characteristics, and treat single values, intervals, and hierarchy authorizations in the same way. Navigation attributes can also be flagged as authorization-relevant in the attribute maintenance for characteristics and can be added to authorizations as separate characteristics.
    You can then assign this authorization to one or more users.
    All characteristics flagged as authorization-relevant are checked when a query is executed.
    *A query always selects a set of data from the database. If authorization-relevant characteristics are part of this data, you have to make sure that the user who is executing the query has sufficient authorization for the complete selection. Otherwise, an error message is displayed indicating that the authorization is not sufficient. In principle, the authorizations do not work as filters. Very restricted exceptions to this rule are hierarchies in the drilldown and variables that are filled depending on authorizations. Hierarchies are mostly restricted to the authorized nodes, and variables that are filled depending on authorizations act like filters for the authorized values for the particular characteristic*
    Ingo

  • BI 7.0 Analysis Authorization issue: some reports displaying a blank page.

    Hi All,
    This is regarding BI 7.0 Analysis Authorization issue.
    Overview:
    we have restricted some queries at infoobject level.
    Issue:
    a. For some of the queries, we can see the selection screen but when we try to execute the query by clicking on the execute button (Queries WAD) we get a blank page, meaning nothing is displayed on the output (white/Blank screen).
    b. When we execute the same query through RSRT, we get a message which says "Disconnecting from BW server..".
    c. Let me explain further on this. Basically we are doing this in order to have limited access to Auditors at the client side. At the same time normal users should not get impacted due to this, hence we created two roles. One for normal users and other for Auditors.
    d.  Now the thing is that we execute the same report with normal user ID's the report executes properly and displays the output. it does not show the blank page.
    e. But when we execute the same report with Auditors ID then we get a blank page.
    Any idea why this is so?

    Hi Neha,
    I tried the below also,
    GL Acnt
    I EQ 0000134010
    I EQ :
    but still it didn't work.
    No Infoobject is missing in Authorization Object.
    For your point, "rsecadmin - > analysis -> execute as -> check for the desired user & analyze the log" it didnu2019t allow me to analyze, since as soon as click on execute button a pop-up comes up saying "Disconnecting from the BW server..."
    As mentioned earlier also it is giving me the below message,
    ""I>> Row: 103 Inc: AUTHORITY_02 Prog: CL_RSR_RRK0_AUTHORIZATION                                                                       RS_EXCEPTION        301CL_RSR_RRK0_AUTHORIZATION                         AUTHORITY_02"
    Kindly suggest, since this is a show-stopper for us!
    Thanks,
    Ishdeep Kohli.

  • Hierarchy Analysis Authorization in BW and BOBJ Webi Report

    Hello,
    We have a scenario wherein we have implemented Analysis Authorizations (Hierarchy) on Organizational Unit info object (0ORGUNIT) and need to report on BOBJ WEBI. Our scenario is as following
    ORGUNIT    - L0 (Overall Enterprise Level)     
    -     L1 (Enterprise - Continent Wise Split)
    -     L2 (Enterprise u2013 Country Wise Split)
    -     L3(Enterprise u2013 City Wise Split)
    E.G- 
          LO (Company ABC) MANAGER 0 will have access to the entire organization
               -L1 (ASIA) MANAGER1 will have access to ASIAN Subcontinent
                      -L2 (India) MANAGER 2 will have Access to country India
                                -L3 (New Delhi) MANAGER 2.1 will have access to city Delhi
                                -L3 (Mumbai) MANAGER 2.2 will have access to city Mumbai
                       -L2 (Malaysia) MANAGER 3 will have access to Country Malaysia
                                  -L3 (Kuala Lampur)
                                  -L3 (pahang)
                 - L1 (Europe)
                                            u2026..
    The requirement is that the CEO of the company should be able to see the entire set of data ( L0-L4).We have continent managers who can see that data specific to their continent, similarly at L3 Level the city manageru2019s should see the data only for their specific city.
    In BI we have used analysis authorization based on hierarchies. We have created an authorization object say ZAUTH1 and have assigned the hierarchy L0 from RSECADMIN. Now, in Webi when we create a report a sample row comes as :
    L0 Org Unit     L1 Org Unit     L2 Org Unit     L3 Org Unit     SALES Key Figure
    Company ABC     Asia          India          Mumbai          1000
    Now, we have MANAGER 2.2 who has only access to the data specific to his city (Mumbai). There is an Analysis Authorization object created for him ZAUTH2, by ONLY assigning the org unit hierarchy L3 (for Mumbai). When we run the bex report with the user MANAGER 2.2 u2013 it correctly displays the result and the user is only able to see the data for L3 Org Unit (Mumbai). However when you bring this data to Webi u2013 the report comes in the below format:
    L0 Org Unit     L1 Org Unit     L2 Org Unit     L3 Org Unit     SALES Key Figure
    Mumbai                                           1000
    The L3 org unit has now got assigned to L0 Org unit , as this is the only org unit assigned to the MANAGER 2.2 user .
    In such a case we are not able to write any generic formulae for the report. Is there a way to correct this issue? u2018Mumbaiu2019 should either get assigned to the L3 OrgUnit column is webi report , or is there a workaround that is possible ?
    Thanks and Best Regards,
    Vj

    Hi Vijay,
    The problem you speak of is known and comes from the fact that the hierachy is flattened in the process of delivering it to WebI. Therefore there is no real 'solution' to the problem, just some work-arounds you can think of...
    1)
    Create a report variable that starts looking at the lowest level, if it is empty check one up, and so on until you found what you were looking for (the lowest leaf available), which by definition must be there (even if it is top level).
    Using similar logic you can also get a 'number of levels avaible' and so fill in the complete tree (duplicating the highest level).
    This is difficult to explain when end users create their own reports, though you could provide a template report with these variables in there already.
    2)
    Extend the hierarchy with duplicates below the lowest level.
    So i.e. L0 Company - L1 Continent - L2 Country - L3 City- L4 City - L5 City- L6 City.
    This will give back on the four levels for top authorization
    L0 Company - L1 Continent - L2 Country - L3 City
    For authorization on Continent:
    L0 Continent - L1 Country - L2 City- L3 City
    For autorization City
    L0 City- L1 City - L2 City- L3 City
    So in all situations the fourth level, the L3 Object will hold the City level.
    This you can then use in your report.
    Hope this helps,
    Marianne

  • How to get Query Results based on Analysis Authorization Ranges????

    Hi Experts,
    I have gone through the lot of SDN Links, however not able to find the answer to my question.
    I have an Authorization Issue, “NO Authorization “
    Error : EYE 007 ( Insufficient Authorizations )
    <b>Here is the issue:</b>
    Need to see the complete query result when I gave the range in Analysis Authorization for Controlling Area 001-005. Controlling Area is auth relevant and right now a variable is inserted in the query for it. If I select Controlling Area 001, the result for Controlling Area 001 is displayed in query. If 002 then also displayed. If I do not enter anything, then I get the <b>Eye 007 error message</b>.
    I am not sure how do I display/authorize the entire result in the query for all the Controlling Areas, I have authorized user to see??
    <b>Its really urgent, please help..!</b>
    Here are the logs:
    Authorization Check Log
    Date and Execution Time (Local Server)
    Execution Date: 06.09.2007
    Execution Time: 14:48:41
    Executed Query: 0CCA_C11/GBCCA_MP01_Q0002_AP
    Executed by User ZBI_TEST_001
    Executed with Analysis Authorizations of Another User ZBI_TEST_001
      InfoProvider Check  
    Building the Buffer...
    ...Buffer Built
    Are there authorizations for accessing InfoProvider 0CCA_C11 with activity 03?
    Authorization exists for general access to InfoProvider 0CCA_C11 with activity 03 
      InfoProvider Check  
    Authorization exists for general access to InfoProvider 0CCA_C11 with activity 03 
      Relevant Characteristics for Detailed Authorization Check  
    (Characteristics with Full Authorization Are Not Listed!)
      List of Effective Authorization-Relevant Characteristics for InfoProvider 0CCA_C11:  
    0CO_AREA 
    0TCAACTVT 
      Relevant Characteristics for Detailed Authorization Check  
    (Characteristics with Full Authorization Are Not Listed!)
      List of Effective Authorization-Relevant Characteristics for InfoProvider :  
    List Is Empty:
      There Are No Characteristics That Have to Be Checked in Detail  
      Authorization Check  
      Detail Check for InfoProvider 0CCA_C11  
      Preprocessing:  
    Selection Checked for Consistency, Preprocessed and Supplemented As Needed
    Subselection (Technical SUBNR) 1
    Check Node Definitions and Value Authorizations...
    Node- and Value Authorizations Are OK
    End of Preprocessing
    Filling the Buffer...
    ...Buffer Filled
      Main Check:  
      Subselection (Technical SUBNR) 1  
    Supplementation of Selection for Aggregated Characteristics
      No Check for Aggregation Authorization Required  
    Following Set Is Checked  Comparison with Following Authorized Set  Result  Remaining Set 
    Characteristic  Contents 
    0CO_AREA
    0TCAACTVT
    SQL Format:
    CO_AREA = '0003'
    AND TCAACTVT = '03'
    Characteristic  Contents 
    0CO_AREA  I BT 0001 0005
    0TCAACTVT  I EQ 03
    I EQ 16
    Authorized   
      Subselection (SUBNR) Is Authorized  
      Authorization Check Complete  
      Authorization Check  
      Detail Check for InfoProvider 0CCA_C11  
      Preprocessing:  
    Selection Checked for Consistency, Preprocessed and Supplemented As Needed
    Subselection (Technical SUBNR) 1
    Check Node Definitions and Value Authorizations...
    Node- and Value Authorizations Are OK
    End of Preprocessing
    Filling the Buffer...
    ...Buffer Filled
      Main Check:  
      Subselection (Technical SUBNR) 1  
    Supplementation of Selection for Aggregated Characteristics
      No Check for Aggregation Authorization Required  
    Following Set Is Checked  Comparison with Following Authorized Set  Result  Remaining Set 
    Characteristic  Contents 
    0CO_AREA
    0TCAACTVT
    SQL Format:
    TCAACTVT = '03'
    Characteristic  Contents 
    0CO_AREA  I BT 0001 0005
    0TCAACTVT  I EQ 03
    I EQ 16
    Partially or Fully Authorized (Intersection)   Characteristic  Contents 
    0CO_AREA
    0TCAACTVT
    SQL Format:
    ( CO_AREA < '0001'
    OR CO_AREA > '0005' )
    AND TCAACTVT = '03'
    Value selection partially authorized. Check of remainder at end
    Following Set Is Checked  Comparison with Following Authorized Set  Result  Remaining Set 
    Characteristic  Contents 
    0CO_AREA
    0TCAACTVT
    SQL Format:
    ( CO_AREA < '0001'
    OR CO_AREA > '0005' )
    AND TCAACTVT = '03'
    Characteristic  Contents 
    0CO_AREA  I BT 0001 0005
    0TCAACTVT  I EQ 03
    I EQ 16
    Not Authorized   
    All Authorizations Tested
      Message EYE007: You do not have sufficient authorization  
      No Sufficient Authorization for This Subselection (SUBNR)  
    Following CHANMIDs Are Affected:
    184 ( 0CO_AREA )
      Authorization Check Complete  

    Hi,
        Have you defined the vaule for 0CO_AREA as BT 001-005 in you Authorization for 0CO_AREA.Also how have you defined your Authorization Variable on the query? Have you define as select options or interval? I thing you need to define it as interval or select options.
    Hope it helps,
    Cheers,
    Balaji

  • Analysis Authorization Migration Question

    Analysis Authorization Migration Question
    This is detail Question
    1)     I am testing Analysis Authorization Migration in NW2004s SP9 and have applied all OSS notes that are relevant to SP09 and are coming in SP10.
    2)     We have 2 Info object flagged as Authorization relevant 0COMP_CODE and 0COSTCENTER
    3)     We have Object level security set-up in BW 3.x system and for a role we have specified values like 0COMP_CODE has value 1000, 1800. “:”. In the same role we have specified 0COSTCENTER value 130001 to 180001, “:”  and hierarchy node.
    4)     When we migrate to Analysis Authorizations, using RSEC_MIGRATION, this program creates 2 Authorizations ZCOCODE00 & ZCOSTCTRH00. Both of them have 0COMP_CODE and 0COST_CENTER Objects.
    5)     ZCOCODE00 authorization gets value 0COMP_CODE values 1000, 1800. “:” and 0COSTCENTER Value “:”.
    6)     On the same line ZCOSTCTRH00 gets value 130001 to 180001, “:”  and 0COMP_CODE “:”.
    1st Question:
    1)     Why does it create 2 Authorizations?
    2)     During Checking it does not pass the authorizations, because it seems to me that it fails in Optimization process.
    3)     I manually merge the authorizations in “ONE” object then authorization check passes.  In other word if I combine ZCOSTCTRH00 & ZCOCODE00 then Query authorization check passes.
    Any one is struggling on this.
    Please note, I am doing Migration so that it updates existing Profiles (Roles now from SP9).
    Any comments will be very help full.
    Pankaj Gupta

    Hello Pankaj
    There are some basic misunderstandings on your side.
    Let me try to clarify:
    First we should distinguish between migration of authorizations and of what a query does with them.
    You had 2 auth objects before migration (in 3.x).
    Of course, they must be migrated to 2 new analysis auths.
    There is no general possibility to combine authorizations to a single one as the may appear in different roles and users. Moreover this would kill performance and finally, nobody would recognize the origin.
    Only in very restricted cases one could think of a combination of auths which come out of migration. But, then people loose overview about what goes on.
    Before the corrections in note "Migration IV" the : had not been inserted but now it is for good reasons.
    Now, accept for the moment that you receive 2 auths.
    Then, you cannnot (must not) combine the 2 resulting authorizations!
    <b>Authorization 1</b>
    COMP_CODE : 1000, 1300, “:”
    Cost Center : “:”
    <b>Authorizations 2</b>
    Comp_Code “:”
    Cost Center : 3100001-31999999; “:” plus a Hierarchy Node.
    This means that e.g. combination
    COMP_CODE 1000
    COST_CENTER 3100001-31999999
    <u>is not allowed!!!</u> Therefore, they must not be combined!
    Also, the query and its optimization is comepletely independent of the migration. And here, during query run time the auths cannot be combined. It is no failure!
    Moreover, the merging optimization is just a performance optimizaiton and has nothing to do with whether the query result is authorized or not.
    If you combine them manually you have authorized different combinations.
    Well, now you may wonder why you get 2 auths at all which leads to a "no auth" result in the query execution.
    The reason is, that in 3.x where you got a result with your 2 auth objects the modeling was wrong.
    If you want to authorize any combination of characteristic values, you should combine these characteritics together in one auth object, not in 2!
    (In BI7.0 it works like that but not in 3.x)
    But you defined 2 which may be valid even in several other InfoProviders independently and not even at the same time. Moreover, the auth objects may come from different roles and may be assigend to different users which then have completely different auth content. In general it is not possible to combine different auth objects or to find out those special situations which nevertheless allow for such optimizations. If you re-do a migration with more objects and users you could even receive different results which is also not satisfying.
    Therefore, instead, the mechanism was introduced to insert a : auth to those characteristics that are auth relevant (and checked now with 7.0) but not in the currently processed auth object.
    In you special case it may have made sense to combine them but not in general. And a migration can only try to work as general as possible.
    For your application you may combine the 2 auths manually if you want to allow also the crossover combinations
    COMP_CODE 1000
    COST_CENTER 3100001-31999999
    Best regards
    Peter John
    BI Development

  • Analysis Authorization problem (new BI auth concept)

    Hi,
    I am trying to implement a analysis authorization for controlling the sales organization characteristic.
    I am working in a APO system.... when I set a * in the value list for the sales organization ..... I can select characteristic in demanding Planing   without problem....
    but when I create a whole list of all possible values (selecting from a pop up list) in the analysis authorization like this
    I EQ 2000
    I EQ 2001
    I get a message :
    You do not have authorization for all the
    characteristic values selected
    I will appreciate any idea
    Thanks
    FedeX

    Hi,
    I was able to trace the problem...and now I do not understand why I get as Result : "Not Authorized"
    here the last part of that trace log:
    Value selection partially authorized. Check of remainder at end
    Following Set Is Checked
    Contents
    SQL Format:
    NOT /BIC/YWSO_S
    ORG IN ('#','0605','0624','0625','0707','0807','2000','2001','707','807',':')
    AND TCAACTVT = '03'
    Comparison with Following Authorized Set
    Characteristic Contents
    0TCAACTVT I CP *
    I EQ #
    I EQ 0605
    I EQ 0624
    I EQ 0625
    I EQ 0707
    I EQ 0807
    I EQ 2000
    I EQ 2001
    I EQ 707
    I EQ 807
    I EQ :
    Result
    Not Authorized
    All Authorizations Tested
    Message EYE007: You do not have sufficient authorization
    No Sufficient Authorization for This Subselection (SUBNR)
    Following CHANMIDs Are Affected:
    103 ( <charac name> )
    Remaining Set
    <no info in this column>
    I really not identify any difference between the data in Following Set Is Checked and Comparison with Following Authorized Set
    well if someone has some idea... I will appreciate it.
    Thanks
    FedeX
    Edited by: FedeX on Apr 1, 2009 4:33 PM

  • Analysis Authorization In Dev and impact of reports and roles in prod trans

    Hello,
    We are planning to switch to analysis authorization. We plan to make that change first in Dev and we were wondering what would be the impact on roles and reports we transport from dev (which is switched to Analysis Authorization) to production( on Old authirization) ? We wont transport new things to production till we switch to new auth in Prd.
    Thanks a lot,
    BP.

    Hello
    Even if you are transporting the roles from dev to quality and production, the analysis authorization objects will not be checked until you set "current procedure..." in RSCUSTV23.
    So there is no harm in transporting the roles and auhotrization until you change the concept to analysis.
    regards,
    Payal

  • Analysis Authorization Object not working

    Hi Gurus,
    I m working on BI 7.0, I have created an analysis authorization object zz_div for 0DIVISION characteristic.
    For a given report i want a given user to view only data for '32' and '33' 0DIVISION.
    I have followed the below steps but still the report shows all data instead of restricted one.
    1)RSECADMIN -> Maintenance ->zz_div ->Create
    2) Add 0DIVISION in Auth structure , and in details 
    I     EQ     32
    I     EQ     33
    3) Add 0TCAIPROV with I     EQ     0SD_C03
    4) Add 0TCAACTVT, 0TCAKYFNM, 0TCAVALID,  this having details as
    I     CP     *
    5) Then in User tab -> Assignment -> User -> Change-> Inserted ZZ_DIV-> Save
    6) In Query created a Authorization variable(with no input prompt) and restricted 0DIVISION.
    Following are the authorization object in that user's Role (Reporting Only)
    S_RFC 
    S_TCODE
    S_GUI
    S_BDS_D  
    S_BDS_DS 
    S_OC_SEND
    S_RS_AUTH - only having zz_div
    S_RS_COMP
    S_RS_COMP1
    S_RS_ICUBE
    S_RS_RSTT
    S_RS_TOOLS
    S_RS_PARAM
    I have surfed lots of thread for this issue but not getting a solution
    Tell me what i m missing in above or any additional setting need before creating analysis authorization
    Edited by: Sonal Patel on Apr 18, 2009 8:10 AM

    Hi
    Thanks a Ton for ur reply
    I have checked in SPRO : Analysis Authorization
    where the authorization mode is " OLD obsolete Concept With RSR  Authorization Objects "
    We have to do the same in Production system .Can u please how its going to effect to others authorizations if change it to New Concept
    Thanks
    Sonal....

  • Analysis Authorization Problem

    Hy, i have create a Analysis Authorization object ZCOMPCODE with 0COMPCODE as characteristic.
    So i assign this object to a users and i create a variable to filter 0COMPCODE with processing type "authorization".
    The problem is that when execute the BEx query i receive the message : No authorization.
    When assign 0BI_ALL to user the ZCOMPCODE has not effect but the query run correctly.
    How can i resolve this serious problem?
    Regards,
    Andrea Maraviglia

    Dear Andrea,
    When you have a problem with authorization data access, may be you need check the following stuff:
    1 All InfoObjects are relevant authorization (see Business Explorer the check box authorization relevant for each InfoObject Tcode RSD1) which these are part of InfoProvider where query request data. It is very important, because you have to include all of this InfoObject (Characteristic) in your analysis authorization.
    2. Remember add the standard characteristic. 0TCAACTVT (3 value), 0TCAIPROV (InfoProvider Tech Name), 0TCAVALID (* value).
    3. In each characteristic relevant authorization, I suggest that add the colon “:” value to avoid problem with variable authorization in the query.
    4. Furthermore, the user need one role for standard object authorization: 
    . S_RS_COMP (Activities 03, 16)
    . S_RS_COMP1 (Query owner)
    . S_RFC (BEx Analyzer or BEx Browser only)
    . S_TCODE (RRMX for BEx Analyzer)
    I hope that can help you!
    Luis

Maybe you are looking for