BW Analysis Authorization Problem when no selection is done
Hi Everybody,
I am facing the following problem with the implemented authorization concept.
We have marked 2 IOs as Authorization relevant: company and costcenter. We have defined an authorization object where the values are assigned through two variables $ZCompany and $ZCostcenter. The values are picked up from 2 Ztables where the User/Usergroup/Values assignement is done. Eveything seems to work fine.
We have a problem when using an optional variable built on Company or Costcenter in our queries and no selection is done.
If no selection is done, the variables ZCompay and ZCostcenter both are given values equals *. It si the same as every value. Since the user ZTESTUSER is authorized only for some comapnies and some costcenters, the match between the * selection and the authorization set is not sucessful and the user doesn´t get any authorization. this is what we can when executing the display error log:
Following Set Is Checked Comparison with Following Authorized Set Result Remaining Set
Characteristic Content in SQL Format
0TCAACTVT
ZIFCM004
ZIFCM014
0TCAACTVT = '03'
AND ZIFCM004 LIKE *
AND ZIFCM014 LIKE *
Characteristic Content in SQL Format
0TCAACTVT I EQ 03
ZIFCM004 I EQ $Z1PME009
ZIFCM014 I EQ $Z1PME004
Partially or Fully Authorized (Intersection) Characteristic Content in SQL Format
0TCAACTVT
ZIFCM004
ZIFCM014
NOT ZIFCM004 IN ('0012','0015')
AND 0TCAACTVT = '03'
OR ZIFCM004 IN ('0012','0015')
AND NOT ZIFCM014 IN ('00000000000000012100','00000000000000012300')
AND 0TCAACTVT = '03'
Value selection partially authorized. Check of remainder at end
Following Set Is Checked Comparison with Following Authorized Set Result Remaining Set
Characteristic Content in SQL Format
0TCAACTVT
ZIFCM004
ZIFCM014
NOT ZIFCM004 IN ('0012','0015')
AND 0TCAACTVT = '03'
OR ZIFCM004 IN ('0012','0015')
AND NOT ZIFCM014 IN ('00000000000000012100','00000000000000012300')
AND 0TCAACTVT = '03'
Characteristic Content in SQL Format
0TCAACTVT I EQ 03
ZIFCM004 I EQ $Z1PME009
ZIFCM014 I EQ $Z1PME004
Not Authorized
What i don´t really understand is why the user doesn´t get any authorization only for the values subset for which he is authorized for. Is that normal according to your experience?
How can we get rid of it obtaining that for such selection the user gets authorizations for the subset?
Thanks in advance
Best regards
Enrico
Edited by: Dottblabla on May 3, 2010 12:13 PM
Hi,
thank you both for the answers.
Since the user is authorized for some certain values rappresenting a subset of * (all values) I dont really understand why he receives an error message as if he hasn´t any authorization at all. According to my logic, a partial dispaly of the data should be possible.. according to my logic, I repeat
Using a mandatory variable would force the user to give a value. The problem is that we have users who are authorized for a large number of costcenters. In this case the best solution would be to define the mandatory variable as a selection option, allowing the user to define intervals of values as well. BUT in this case we would have the same problem described above as soon as the user pick up an interval of values containing also single costcenters for which he has no authorization. I hope, it is clear what i mean.
Using an Authorization variable has the only charme that we get a kind of preselection of values. If the user wants to modify the selection and to define an interval, then we face the same issue again.
It seems to me that BW Authorization concept doesn´t work with "subset" of values. Am i right? Any suggestion?
Best regards
Enrico
Similar Messages
-
Authorization problem when using the Transaction Launcher
Hi All,
We have an authorization problem when we call a transaction (EL37) in ECC from the IC Web Client.
We believe that we have done all the necessary customizing in CRM and when we press the link in the Navigation Bar we are asked to logon to our ECC system. After logging on, we get an error message saying that "You do not have authorization for transaction EL37". If I then enter the transaction directly in the white command field in top of the ECC screen, then I have no problem calling the transaction.
My user has SAP_ALL, so it shouldn't be a problem with the authorizations. Maybe it has something to do with the transaction IC_LTXE? I have also tried to add this transaction to my user profile, but that didn't help.
Does anyone have a suggestion for how to fix this problem?
Kind Regards,
Gitte.Hi,
I have found the solution for the problem myself. The transation code in the Transation Launcher Wizard must be written in capitals! We had entered 'el37' and have now changed it to 'EL37'.
Best Regards,
Gitte. -
Analysis Authorization problem (new BI auth concept)
Hi,
I am trying to implement a analysis authorization for controlling the sales organization characteristic.
I am working in a APO system.... when I set a * in the value list for the sales organization ..... I can select characteristic in demanding Planing without problem....
but when I create a whole list of all possible values (selecting from a pop up list) in the analysis authorization like this
I EQ 2000
I EQ 2001
I get a message :
You do not have authorization for all the
characteristic values selected
I will appreciate any idea
Thanks
FedeXHi,
I was able to trace the problem...and now I do not understand why I get as Result : "Not Authorized"
here the last part of that trace log:
Value selection partially authorized. Check of remainder at end
Following Set Is Checked
Contents
SQL Format:
NOT /BIC/YWSO_S
ORG IN ('#','0605','0624','0625','0707','0807','2000','2001','707','807',':')
AND TCAACTVT = '03'
Comparison with Following Authorized Set
Characteristic Contents
0TCAACTVT I CP *
I EQ #
I EQ 0605
I EQ 0624
I EQ 0625
I EQ 0707
I EQ 0807
I EQ 2000
I EQ 2001
I EQ 707
I EQ 807
I EQ :
Result
Not Authorized
All Authorizations Tested
Message EYE007: You do not have sufficient authorization
No Sufficient Authorization for This Subselection (SUBNR)
Following CHANMIDs Are Affected:
103 ( <charac name> )
Remaining Set
<no info in this column>
I really not identify any difference between the data in Following Set Is Checked and Comparison with Following Authorized Set
well if someone has some idea... I will appreciate it.
Thanks
FedeX
Edited by: FedeX on Apr 1, 2009 4:33 PM -
Analysis Authorization Problem
Hy, i have create a Analysis Authorization object ZCOMPCODE with 0COMPCODE as characteristic.
So i assign this object to a users and i create a variable to filter 0COMPCODE with processing type "authorization".
The problem is that when execute the BEx query i receive the message : No authorization.
When assign 0BI_ALL to user the ZCOMPCODE has not effect but the query run correctly.
How can i resolve this serious problem?
Regards,
Andrea MaravigliaDear Andrea,
When you have a problem with authorization data access, may be you need check the following stuff:
1 All InfoObjects are relevant authorization (see Business Explorer the check box authorization relevant for each InfoObject Tcode RSD1) which these are part of InfoProvider where query request data. It is very important, because you have to include all of this InfoObject (Characteristic) in your analysis authorization.
2. Remember add the standard characteristic. 0TCAACTVT (3 value), 0TCAIPROV (InfoProvider Tech Name), 0TCAVALID (* value).
3. In each characteristic relevant authorization, I suggest that add the colon : value to avoid problem with variable authorization in the query.
4. Furthermore, the user need one role for standard object authorization:
. S_RS_COMP (Activities 03, 16)
. S_RS_COMP1 (Query owner)
. S_RFC (BEx Analyzer or BEx Browser only)
. S_TCODE (RRMX for BEx Analyzer)
I hope that can help you!
Luis -
Authorization problem when displaying icons in BW Report
Hi All
I have the following problem when display BW Report as iView: The report data itself is displayed perfectly but to display the icons (like DrillDown arrows, Hierarhy level open arrows) the Windows login message "Connect to <my BW server.com>:8000" appears and I have to enter BW user name and password explicitly. The system for BW is defined, the user is mapped, UIDPW method is used. Again, the report data itself is displayed, the problem is only with icons. I can see that the path to icons is like:
http://<my BW server>.com:8000/sap/bw/Mime/BEx/Icons/s_b_up.gif
How could I rid of this authorization request?Thanks! I already did this and it helped for most of icons. But for five remaining icons i still get authorization request althoug these icons are in the same path. The icons are:
http://<server>.com/sap/bw/Mime/BEx/Icons/cascading.gif
http://<server>.com/sap/bw/Mime/BEx/Icons/checked.gif
http://<server>.com/sap/bw/Mime/BEx/Icons/separator.gif
http://<server>.com/sap/bw/Mime/BEx/Icons/marked_right_35.gif
http://<server>.com/sap/bw/Mime/BEx/Icons/loading.gif -
App Store screen seems to be locked. Screen shows 5 updates but there is no response to "update all" or anything on that page.
sign in and out of app store
shut down iphone
reset iphone
reset network setting -
How can I contact apple to find out what I have to do for them to allow me to downgrade as when I go into iCloud click storage then click 5Gb the done tab will not highlight allowing me to downgrade. Very frustrated!
You can downgrade before the renewal date and it will become effective when your current plan year ends. Make sure you are doing it this way: http://support.apple.com/kb/ht4874. If you are and it isn't working, try contacting the Apple online store for your country for assistance. If worse comes to worse, you can always call the online store withing 15 days after the renewal and request a refund.
-
Generated analysis authorization cannot be changed
Hello all,
did someone manage to edit/delete generated (from DSO) analysis authorizations? When I want to correct a typo in one of the generated analysis authorizations it is not possible although the system is telling that it should be possible to do so. I did not find any note or thread yet.
Message number RSEC292:
Diagnosis text
A generated authorization can be changed (this message is only a warning ), but one should be sure that this authorization is not generated again. Then it will be removed from the user, created again (perhaps with different content), and if there no fixed name was generated, it is renamed.
Thanks in advance for your inputsHello Lana,
this is how SAP solved the problem
Bye Petra
Spezifikation: Message RSEC292: Generierte Analyseberechtigungen können nic
Short text:
Message RSEC292: Generierte Analyseberechtigungen können nic Langtext
It is not possible to change from DSOs generated analysis
authorizations although the system is telling that it should be
possible to do so. Authorizations are sufficient (SU53; SAP_ALL)
Message number RSEC292:
Diagnosis text
A generated authorization can be changed (this message is only a
warning ), but one should be sure that this authorization is not
generated again. Then it will be removed from the user, created again
(perhaps with different content), and if there no fixed name was
generated, it is renamed.
Here is the communication path (please read from below):
09.07.2007 - 09:03:36 CET Petra King Info für SAP
Hello Ms. ,
I always was telling about one issue:
Change of generated analysis authorization is not possible.
Since BI 7.0 we are talking about analysis authorizations so the
transaction code used is obvious.
There is no need for furhter information because it is only this single
issue: I guess that it should be an error message and not a warning
message and SAP made a mistake here by using the wron message category.
I was never talking about users and xxxxxx is not an user but an
analysis authorization.
Please consider the call a solved - in the meantime I got
professional support from the SDN platform.
Regards,
Petra King
05.07.2007 - 09:14:22 CET SAP Antwort
Hello Ms King,
I must say that I find this message quite incomprehensible. First you
write that you are irritated because my colleague asked you which
transaction is being used to generate authorizations. This information
is necessary so that the message can be assigned to the appropriate
area. Indeed, the message was incorrectly sent to BC-SEC. Next you
write that you are angry when I give you a consulting note regarding
generation of analysis authorizations. I am mystified as to how such
information from customers should help us in solving a technical or
procedural probem. I have read the message from the beginning and
there is very little technical and procedural information. Moreover, itis not clear what the "error" is here. The message RSEC292 is a warning(as clearly stated in the long text of the message) and this should not
hinder the process. Lastly, in your last info you refer to a specific
user, xxxxxxxx, as an example of a generated authorization. This is
separate issue than the original:
It is not possible to change from DSOs generated analysis
authorizations although the system is telling that it should be
possible to do so. Authorizations are sufficient (SU53; SAP_ALL)
So in response to the original inquiry regarding RSEC292. The answer,
as I have already mentioned and as stated in the text, is that this
is just for information purposes. Please continue with the process.
If you have a separate inquiry regarding the authorizations of
particular users, please open a second message. We request that
customer log one issue per message. Please read note 375196:
Separate message for new problem/subsequent problem
Regards,
Senior Support Consultant
SAP Active Global Support
Netweaver Business Intelligence
03.07.2007 - 15:14:39 CET Petra King Info für SAP
Hello ,
can you please contact the Basis Administrator xxx via phone
(+xxxxx) so he can open the line and provide you with the
user and password for system xxxxx.
Please note that the error occurs on xxxx and you can have a look at the
analysis auth. xxxxxxxx as representive for one of the generated
authorizations.
03.07.2007 - 15:08:43 CET Petra King Info für SAP
Hello ,
I am getting angry because note 1052242 is a documentation and I
executed everything besides the fact that the analysis auths cannot be
changed. Please read the error message from the beginning.
Regards,
Petra King
28.06.2007 - 14:52:09 CET SAP Antwort
Hello Ms King,
Please excuse the delay in the processing of your message.
Please read note 1052242 if you have not already done so. If this note
does not help you to solve the problem, I would like to have a look at
the situation on your system. Please open the R/3 Support connection
provide me with a user and password. This information can be stored
in the log on information of this message.
Regards,
Senior Support Consultant
SAP Active Global Support
Netweaver Business Intelligence
25.06.2007 - 08:48:03 CET Petra King Info für SAP
Hello ,
if this is in the wrong queue, yes please forward it to the appropriate
queue and please let the question be answered asap.
Thanks,
Petra King
21.06.2007 - 07:47:29 CET SAP Info für Kunde
Hello Petra,
it is possible to generate authorizations in PFCG too. As RSECADMIN
belongs to BW-BEX-OT-OLAP-AUT, I forward your message accordingly.
Best regards
Support Consultant
Global Support Center Austria
Netweaver Web Application Server ABAP
20.06.2007 - 09:54:47 CET Petra King Info für SAP
Hello ,
sorry to let you know so late but there was a typo in my email address
xxxxxinstead of xxxxxxxxx
Your question is a little bit irritating. Generation of analysis
authorizations in 7.0 is usually done only with transaction code
RSECADMIN - correct me if there is another possibility. Generation
works fine but the authorizations cannot be edited after then.
Bye,
Petra
23.05.2007 - 11:53:16 CET SAP Antwort
Dear Ms. King,
please let me know which transaction code do you use or in which
transaction do you get this message.
Best Regards
Support Consultant
SAP Active Global Support - Netweaver Web Application Server -
We have a need to restrict the majority of our users from seeing transactions of few business accounts. The restricted accounts can be based on a specific gl account, fund range, or they can be a combination of a fund and cost center (or fund and fund center). Until we become more familiar with this process, we are only concerned with 0FUND and it's restricted ranges, so below my question is just about 0FUND..
We need to explore and understand what abilities analysis authorizations give us. I have done a lot of reading, but so far all of the pieces are not falling into place. I am on the BW team and working with the security team to get this accomplished. At this time whereever 0FUND is located in an existing authorization, it has a "*" to indicate the user gets all values. We have already gone live; will every authorization currently in use with 0FUND have to be changed? Is there a detailed How-To located somewhere?
thank you in advance for your help.
LLKHi Linda,
SUIM - User Information System is a TRANSACTION CODE. (Its not SUM)
Execute SUIM and follow the path mentioned below:
SUIM -> User -> Users by complex selection criteria -> Users by complex selection criteria. In the Authorization object field mention S_RS_AUTH and in the field mention the name of the analysis authorization which you want to search for.
The output would be users who have access to the analysis authorization that you gave in the search criteria.
Since in your case there would be a lot of analysis authorizations with * in 0FUND, it would be better to identify the roles first and then the users assigned to these roles.
You can identify the roles by browsing the table SE16. Just give the object name and all the analysis authorizations in the multiple selection on appropriate fields. Then use SUIM to identify the users who have access to these roles.
SUIM -> User -> Users by complex selection criteria -> By Roles.
You can also display the roles in this report by pressing the Roles button at the top. Apply filter to restrict the roles to your identified roles.
Thats it !
Regards
Sachin -
Authorization check when creating shipment document
Dear Experts,
I have a shipment document type that is shared for all shipping point. I found that there are no shipping point checking when we select outbound deliveries. Can we add shipping point authorization check when we select delivery document?
Please advice.
Thanks.If you want to use frameworks, I think the right model would be to place the methods in EJBs and then use security constraints and user roles and the like.
OTOH, Spring probably has something very similar without requiring EJBs. It will require the beans come from the Spring container however and not the JSF managed bean container. -
Analysis Authorization : Selection screen not appearing for query
Hi,
I am facing an issue with analysis authorization. I have created the new roles and assigned to the users. For one user when I am executing the query, the selection screen is not coming up and it shows error message to specify the variables. Whereas its running for all other users.
In S_RS_COMP I have selected Type of a reporting component as Query View, Query & Template structure. I also tried adding Variable in this field but that also did not help.
Please let me know if you have faced similar issue.
Regards,
ManishHi,
Go to your query desinger opend your query and select your variable in that you have see first "Ready Input Query" Check box is selected or not. It's not selected you can select that check box.
Your problem will be sloved.
Thanks & Regards,
venkat. -
Started a similar string before. When I select a recipient in Messages on my Macbook Pro the name shows up in red and says the recipient is no longer registered on iMessage. I know that they are registered. Is there a problem with Contacts possibly. The previous help has been appreciated but the problem persists.
Hi,
Try iMessaging your own iPhone and see if your account is actually logged in.
It can appear "enabled" and On line but sometimes it is not.
Also try sending from your iPhone (number) to your Apple ID and see if it gets to the Mac.
If it does not use the Sign Out button.
Then shut down the Mac
On restart add back the Apple ID to the iMessages account settings.
I also just checked My wife's iPhone as she popped up red.
It turned out her iPhone did not have Messages On.
10:00 pm Tuesday; January 28, 2014
iMac 2.5Ghz 5i 2011 (Mavericks 10.9)
G4/1GhzDual MDD (Leopard 10.5.8)
MacBookPro 2Gb (Snow Leopard 10.6.8)
Mac OS X (10.6.8),
Couple of iPhones and an iPad -
Hi, I am having a little trouble with exporting images to another drive and Catalogue and need some help if anyone can give me some advice
I am currently using Lightroom 5.6 and operating on a Mac with OSX Ver 10.9.5.
I am receiving an error problem when doing the following -
I am exporting selected photos from a particular Catalogue saved on Drive 1 to a folder created on another Drive where a Lightroom Catalogue has been created. In this Catalogue I have arranged for the images once exported to be moved to a different folder - I used the Auto Import process under the File dialogue box.
When processing the Export I receive an error message for each of the images being exported indicating the following -
Heading Import Results
Some import operations were not performed
Could not move a file to requested location. (1)
then a description of the image with file name
Box Save As Box OK
If I click the OK button to each image I can then go to the other Catalogue and all images are then transferred to the file as required.
To click the OK button each time is time consuming, possibly I have missed an action or maybe you can advise an alternative method to save the time in actioning this process.
Thanks if you can can help out.Thank You, but this is a gong show. Why is something that is so important to us all so very, very difficult to do?
-
Problem wih analysis authorization for two scenarios on same data provider
Dear all,
I am looking for a solution on the following authorization scenario (using the new analysis authorization). Unfortunately everything that I tried did not work out as expected:
User A is allowed to manually access query 1 (based on cube A) with authorization on all sites A-Z
The same user A shall get an email distribution automatically (derivation of the filter in the query out of the authorization) for query 2, which is as well based on cube A, but this time the authorization shall be limited only to site A.
As both queries are based on the same infoobject (0PLANT) and the same infoprovider (0TCAIPROV) I always get the result for all sites A-Z. The 0TCAACTVT is in both cases 03 (display), so I have no chance to distinguish between reporting and email distribution.
Probably the only chance would be to derive the values for the email distribution scenario not from the authorization directly, but using a customer exit to fill the filter - but I would prefer a "standard" solution...
Any ideas??
Thanks,
AndreasDear Andreas,
Before give you an alternative for you problem, Iu2019d like to comment the combining authorization concept:
http://help.sap.com/saphelp_nw70/helpdata/EN/46/98cd87f37d19ace10000000a11466f/frameset.htm
For this reason I suggest you which combing restriction through authorization and query filter. For query 2 try to use in 0PLANT characteristic the single value u201Csite Au201D, this restriction give you only authorization for see this value.
Otherwise, you have to use customer exit.
I hope that alternative help you to find a solution,
Luis -
I am having a problem when I try to select a photo or itunes song in Imovie or other programs. I get a window with grey lettering that says: "Open Itunes to populate this list" or "Open iphoto to see photos from your iPhoto library in this list. I have tried relaunching programs and nothing appears. Seemed to start happening a while back after one of my system upgrades.
After a a lengthy conversation with Apple Tech. ($20), my problem seems to be solves. The Iphoto problem solved by trashing the plist file. The Itunes was more involved. We had to create a new Itunes folder and import the files into the new folder; and then import the playlists.
Maybe you are looking for
-
Why can i not open "show stationery" in mail
Hello, in my mail i cannot use „show stationery" anymore. If i click on ''show stationery'' in a new massage, the connection with my mail will be broken. Recently i tried to save a photo in: ''save as stationery''and than i have had this problem .
-
I am attempting to use my Apple TV and Ipad for a public presentation and want to show business pictures on the screen saver, but I don't want personal family pictures shown. Is there a way to limit these photos or set up an album for the screen save
-
HDCP error with new HDCP compliant monitor
I just bought a new Asus VE228H monitor. I have a ATI Radeon HD 4200, HDCP compliant video card and I am running Windows 7 and iTunes 12.1.1.4. Even though the new monitor is HDCP compliant, I still get an HDCP error in iTunes. I replaced the cabl
-
Data base tables for delivery & post goods issue
Hi, can u plz tell me which database tables are going to update after the delivery is completed? which database tables are going to update after post goods issue. Thanks for ur help. Regards pabitra
-
Automatically Exporting to XML when open a file
Hello, I'm trying to set up my new machine to export the XML of a file when I open it by dragging the files onto the Ps icon (Mac). It used to automoatically happen on my old work machine, and it's super helpful. I'm pulling my hair out trying to fin