BW authorization S_RS_ICUBE

Similar Messages

• Reporting authorization issue after BI 701 05 EHP1 upgrade

  Hello,
  We have recently upgraded our BI 7.0 to BI 701 EHP1 with 05 patch level. After this we had a problem with reporting authorizations for a report (query), which has created under Virtual Infoprovider.
  Earlier the report use to be execute perfectly with authorizations S_RS_ICUBE object with Act 03, Subobject DATA, but after upgrade to EHP1, while executing report its throwing a error pasted below.
  =============================================================================================
  "Diagnosis
  Errors occured while reading a VirtualProvider outside the BI system. Check whether the previous error messages contains any information about the possible cause of this error.
  It is possible that the error message can not be displayed because the error message class does not exist in the BI system. If this is the case, only the name of the error class and the message number are displayed. View the error class in the source system of the VirtualProvider.
  System Response
  Procedure
  Since the error is not necessarily in the BI system, there is no specific procedure for resolving it. With VirtualProviders, problems often occure with the connection to the system; these can lead to system termination. If the code for the VirtualProvider is not from the SAP, contact the relevant person to help resolve the issue.
  If an SQL error is listed in the previous message, see the procedure for SQL errors."
  ===============================================================================================
  After running st01 trace we identified the missing authorization is S_RS_ICUBE with Act 03, subobject DEFINATION.
  Here please tell why is the subobject check is performed to execute a report (query), as this is happening after EHP1 upgrade, so let me know if anyone had any clue on this ...
  Thanks

  Hi Martin,
  Thanks for reply.
  The assumption what you made are correct, but these are the possible reasons only. Is there any specific note or any info from sap that these changes came due to the new release change, so that i can tell my manager clearly.
  And I am not sure whether this is impacting the reports which using the VirtualProviders (Virtual CUBE) in place. If you could get bit more information that will be helpful...Thanks in advance.
  Sridhar

• Query Level Analysis Authorization

  Experts,
  I have a requirement to provide Analysis Authorizations at a QUERY level.  For example, I have two analysis authorizations: (1) Org Unit and (2) Material Number.  I populate each of these Analysis Authorizations using a BEx Variable (through RSECAUTH) and customer exit "EXIT_SAPLRRS0_001".  In the user exit I look up what authorizations the user has for each field in a custom table.  For example, User A has access to Org Unit ORG1 and Materials M1, M2, M3.  User B has access to Org Unit ORG2 and Materials M4, M6, M8.  The Analysis Authorizations are assigned to the users via S_RS_AUTH object and it works perfectly.
  However,  we now have a new report, where we would like continue restricting the user to ORG1 but allow them to see ALL Materials.  But this requirement is only for a couple of reports. All other reports should continue to enforce BOTH restrictions.
  I don't see a way to determine which query the user is running.  In the user exit for normal variable exits, I can reference the field i_s_rkb1d-compid which has the query technical name.  But when filling the authorization variable in I_STEP = 0, that field is not populated.
  Has anyone experienced a way to create authorizations at a query level?  Is there an SAP InfoObject like 0TCAACTVT where I can specify a query name?  Your help is greatly appreciated.  Thanks!
  J

  Hi,
  SAP BW Authorization is definitely different from R/3 authorization. Why? Well, first, R/3 authorization usually involves up to the transaction code level. But for SAP BW, the mostly used transaction is "RSA1" and "RRMX". Therefore, authorization based on transaction code alone, is definitely not sufficient.
  So how do we design authorization in SAP BW? There's a few authorization objects that relates to SAP BW.
  For reporting, you will most probably use the following SAP BW authorization object:
  S_RS_COMP - Reporting Component, here is where you control the query authorization blah blah.
  S_RS_COMP1 - Reporting Component Owner, you can control users to only be able to access report created by Power Users, here.
  S_RS_FOLD - Disable/Enable the 'InfoAreas' button.
  Besides that, you will also need to configure the following authorizations:
  S_RS_ICUBE - Infocube authorization
  S_RS_ODSO - ODS Objects
  S_RS_HIER - Hierarchy Authorization
  For SAP BW administration purposes, aside from the above, you also need to configure the following authorization objects:
  S_RS_ADMWB - Administrator Workbench
  S_RS_IOBJ - Info Objects authorization
  S_RS_ISOURCE - Transaction Infosource
  S_RS_ISRCM - Master Data Infosource
  There that's what you need for authorization. Anyway, to achieve "field level" authorization like those in R/3, you can create a customize object, select the infoobject that has been set "authorization relevant", and add it in the authorization matrix, and walla, you got "field level" authorization.
  and refer the below link,
  Re: BI 7.0 Analysis authorization- How to control
  Hope it helps you,
  Regards,
  Ravindra.

• Migration S_RS_ICUBE

  Hi developers,
  I have migrated the object S_RS_ICUBE and the system have created corrispondent authorizations contained in the roles.
  For example I have an Authorization S_RS_ICUBE on the cube ZFI1and a authorization on the cube CO ZCO1. After migration the users are Ok, if I create an user for copy by another is OK, while if I create a new user inserting the same roles where I have insert the authorization BI migrate and equal to others users,  I do not succeed to execute the query for an error of authorizations on InfoCube:ZCO_1       
  Type of a component: REP             
  Component: ZCCO_MIGR       
  Activity: 16   
  Have you an idea of the problem for resolve the problem!!!
  Thanks in advance
  Domenico

  You should look in to the profiles. It is possible that the migration created a profile and added this to the user. When you copy an user the profile is copied as well, but when you create the user and add the roles you will miss the profile that could be added during the migration. Kind regards Jan

• Need help in IP : no authorization issue

  Hi,
  subject: getting authorization error for multiprovider name in RSPLAN, but my role has that name in it.
     i have created a planning sequence . the aggregation level is built on a mulitprovider which is built upon a realtime infocube.
  i am able to execute the planning sequence from RSPLAN in development system and test system without any issues.
  But in production system, getting "no authorization for multiprovider xxxx" error  for RSPLAN  -> infoprovider = xxxxx.
  i have got one role created for this which has this xxxx mentioned in it and i have got that role also assigned .
  even rssm checks for the multiprovider fine and i have necessary roles for it.
  can anyone help?

  Hi,
  Please check the below link for authorization in BI-IP
  [http://help.sap.com/saphelp_nw70/helpdata/en/43/fd53821d702ae4e10000000a422035/frameset.htm]
  As you are getting error  related to MP/Infocube, check if you have relevant Auth objects with your role:
  1.S_RS_MPRO
  2.S_RS_ICUBE
  Just to be on safer side check other auth objects relevant to planning:
  S_RS_ALVL
  S_RS_PLSE
  S_RS_PLSQ
  S_RS_PLST
  S_RS_PLENQ
  Thanks
  Pratyush

• Need analysis authorization help

  Hello Gurus,
  Could someone please help me out with my Analysis Authorization issue?
  We have a BW query and workbook outputting "Tcode usage" like the following:
  UserGroup| Username| Tcodename| Frequency
  This one has been running long time without any problems in reporting authorization, but now We want to get it restricted and only allow data associated group HR to display using new Analysis authorization. The scenario for this report is as follows:
  1. Rsecadmin >Maintenance> Create New authorization "Group" which consists of 4 characteristics: 0TCAACTVT, 0TCAIPROV, 0TCAVALID and 0TCTUSRGRP(which is the characteristic about group name and already authorizatio relevant). Set 0TCTUSRGRP "EQ HR".
  2.Assigned this authorization to a role using PFCG through the S_RS_AUTH. Other authorization objects in this role are:   S_BDS_D, S_BDS_DS, S_RS_MPRO, S_RSEC, S_RS_COMP, S_RS_COMP1, S_RS_HIER, S_RS_ICUBE, S_RS_ODSO.
  3.In BEx analyzer, set type: Characteristic Values and Variable filled from authorization and value "Selection Option". Unselected "ready for input". Put the characteristic associated with group name to filter windown on the top righ hand side of the Query Designer. Also compare users in PFCG.
  The question is the I still get all data about all groups. Looks like the authorization group doesn't work. I  used the "execute as " and get no errors back.
  Note: I didn't use "generation" to create the new authorization in Rsecadmin
  Thank you very much for any answers!
  Haifeng

  I guess i have found the reason why my authorization dosen't work. I don't activate infoObjects 0TCA* and 0TCT* and infoCubes 0TCA* as well. But another thing I am confused about is :
  Should I activate HR and CO businees content for authorizations 0TCA_DS02OTCA_DS05 and 0CCA_O010CCA_O03 before i get started? or should i run generation everytime i create a new authorization using Maintenance in Rsecadmin?
  Haifeng

• Analysis Authorization Object not working

  Hi Gurus,
  I m working on BI 7.0, I have created an analysis authorization object zz_div for 0DIVISION characteristic.
  For a given report i want a given user to view only data for '32' and '33' 0DIVISION.
  I have followed the below steps but still the report shows all data instead of restricted one.
  1)RSECADMIN -> Maintenance ->zz_div ->Create
  2) Add 0DIVISION in Auth structure , and in details 
  I     EQ     32
  I     EQ     33
  3) Add 0TCAIPROV with I     EQ     0SD_C03
  4) Add 0TCAACTVT, 0TCAKYFNM, 0TCAVALID,  this having details as
  I     CP     *
  5) Then in User tab -> Assignment -> User -> Change-> Inserted ZZ_DIV-> Save
  6) In Query created a Authorization variable(with no input prompt) and restricted 0DIVISION.
  Following are the authorization object in that user's Role (Reporting Only)
  S_RFC 
  S_TCODE
  S_GUI
  S_BDS_D  
  S_BDS_DS 
  S_OC_SEND
  S_RS_AUTH - only having zz_div
  S_RS_COMP
  S_RS_COMP1
  S_RS_ICUBE
  S_RS_RSTT
  S_RS_TOOLS
  S_RS_PARAM
  I have surfed lots of thread for this issue but not getting a solution
  Tell me what i m missing in above or any additional setting need before creating analysis authorization
  Edited by: Sonal Patel on Apr 18, 2009 8:10 AM

  Hi
  Thanks a Ton for ur reply
  I have checked in SPRO : Analysis Authorization
  where the authorization mode is " OLD obsolete Concept With RSR  Authorization Objects "
  We have to do the same in Production system .Can u please how its going to effect to others authorizations if change it to New Concept
  Thanks
  Sonal....

• BI 7.0 Analysis authorization creation issue

  Hi,
  We are prototyping the new analysis authorization concept have a question regarding the build.
  We've had the BI execute the pre-implementation tasks (activate the business related content and OTCT* and OTCTA* infocbues and and OCTA* infoCubes).
  There aren't any custom reporting objects to carry over since the queries were previously just secured by the S_RS_ICUBE Administrator Workbench - InfoCube with specific values for the Infocube. Since this object is no longer checked in query processing, is it a correct statement that the characteristic 0TCAIPROV (InfoProvider) should be populated with whatever values were listed in the S_RS_ICUBE object for the InfoCube field?
  We built an anslysis authorization via RSECADMIN per the requirements below and executed it with a test user ID assigned the regular reporting roles (with access to the queries).
  0TCAIPROV     InfoProvider     EQ          "Value 1"     
  0TCAACTVT     Activity                     EQ     03
  0TCAVALID     Validty Date          
  0TCAIFAREA     InfoArea          *
  However, when executing the query as this test user, we received a "you are not authorized messsage".  The trace didn't show detailed information, so we executed the same query with another user ID that was assigned 0b1_all and obviously could execute successfully.
  Is it correct assume that all the characteristics that were checked in the trace are authorization relevant for the query? we added the characteristics with full authorization and still couldn't execute. In addition, when checking these characteristics via RSD1, they weren't makred as authorization relevant, yet they still appeared in the trace.
  Is there something else that is misisng in the analysis authorization? I checked the characterics for variables and none were defined.
  Any troubleshooting tips would be appreciated.
  Thanks in advance

  Hi Julie,
  0TCAIPROV should have values of infoprovidors ( infocubes) that you want the user to have access. If you dont want to restrict it by infoprovidors then you can give a  ' * ' for 0TCAIPROV  CP value ' * '.
  Also make sure when you run the query it is not looking for any other infoobjects which have been made Auth relevant.
  You can actually see the error log for queries
  Go to RSECADMIN --> Analysis tab  --> click error logs --> click configure log recording --> enter the test id and save. Now you do the test using the test id for query. Then come back and see the log for the test user and it will tell you what went wrong. Please let me know if you have any questions.
  Thanks,
  Karthik Kiran

• How to Create authorization WAD template for BW3.5?

  Hi All
  How To create Authorization for a Web template in Bw 3.5 ?
  I have a requirement to restrict a particular Web templated in bw 3.5 So that all the end users should not be able to access that template only a particular user should be allowed to view the template?
  I cant find any authorization object for the WAD template in bw 3.5 ?
  Can anyone tell me the procedure to include the WAD template authorization?
  Should i include the authorization template in the Menu - in pfcg??? . i have added the template in the Menu in the PFCG but still it didnt work.
  Thanks

  As you said, the authorizations for the WAD templates should be given in PFCG roles.
  But you have to include the access/authorization details in the authorization objects. WAD templates have been created with including info/multiprovider, info cubes right.. first you have to include these objects inside the Role in PFCG.
  S_RS_COMP,S_RS_COMP1,S_RS_MPRO,S_RS_ICUBE.
  just assigning WAD template in the menu of the roles is to display when you login with the userid.
  Please request your BASIS folks to do the same.
  Hope this would help you.

• Regarding BI Authorization Issue

  Dear Friends,
  can anyone help me to solve this issue..
  I have a Authorization Issue, u201CNO Authorization u201C
  Error : EYE 007 ( Insufficient Authorizations )
  I have follow this stepsu2026
  Steps 1 :-
  Define Authorization-Relevant Characteristics ( ZCUSTOMER )
  Note : I have 0Division values C100 and C200, I want to restrict the user on ZCUSTOMER = 100.
  Steps 2 :-InfoObjects as u201Cauthorization-relevantu201D
  Eg: 0TCAACTVT
  0TCAIPROV
  0TCAVALID
  0TCAKYFNM
  ZCUSTOMER
  Steps 3 :-Using T-code : (RSECADMIN) created the Analysis Object
  For example : ZAUTH In That I have taken
  ZCUSTOMERrestricted with value C100.
  0TCAACTVT with 3 ( Display )
  0TCAIPROV with * ( Astric )
  0TCAVALID with *
  0TCAKYFNM with *
  Steps 4 :-
  Assign Authorizations to Roles
  Use authorization object S_RS_AUTH for the assignment of
  authorizations to roles.
  Maintain the authorizations as values for field BIAUTH
  Ex: ZTESTA1
  S_RS_AUTH
  Here I have given my Authorization Analysis Object ( ZTESTA1) which I have created in RSECADMIN.
  S_RS_COMP
  Activity Create or generate, Change, Display, Delete, Execute <...>
  InfoArea : ZDEMO_ MIHI
  InfoCube : ZCUBET
  Name (ID) of a reporting compo : ZTEST_Q0001
  Type of a reporting component Calculated key figure, Query View, Query, Restricted key figure <...>
  S_RS_COMP
  Activity Create or generate
  InfoArea :ZDEMO_ MIHI
  InfoCube : ZCUBET
  Name (ID) of a reporting compo :ZTEST_Q0001
  Type of a reporting component :Query
  S_RS_COMP1
  Activity Display, Execute
  Name (ID) of a reporting compo : ZTEST_Q0001
  Type of a reporting component :All values
  Owner (Person Responsible) for *
  S_RS_COMP1
  Activity Change, Display, Delete, Execute, Enter, Include, Assign
  Name (ID) of a reporting compo ZTEST_Q0001
  Type of a reporting component All values
  Owner (Person Responsible) for :*
  S_RS_ICUBE
  Activity Create or generate
  Infocube Sub Objects: DATA, Update rules, Data Definition, Aggregats
  InfoArea :ZDEMO_ MIHI
  InfoCube : ZCUBET
  S_RS_IOBC
  Activity Create or generate
  InfoArea :ZDEMO_ MIHI
  Infoarea Catalog : zioc_test, Zkf_test
  S_RS_IOBJ
  Activity Create or generate
  InfoArea :ZDEMO_ MIHI
  InfoObjets: ZCUSTOMER, ZDOCNO,ZMATERIAL
  Steps 5 :-
  AND Assign this Role to User.
  Steps 6 :- ERROR
  When I execute the Report it is showing u201CNO Authorization u201C
  u201C Insufficient Authorization u201C
  EYE 007.
  Regards
  Siva

  Hi,
  In RSECADMIN try to put on the trace with your user id & execute the query . System will give you list of authorization object with red color which needs to be reconsidered in order to execute report without error.
  Hope that helps.
  Regards
  Mr Kapadia

• Chain authorization

  hi all,
  i have a problem with authorization. I have to create an authorization for one specific chain and I cant find the authorization object for chains (like S_RS_ICUBE for infocubes)
  thanks for reply 
  pacho

  thanks,
  I know it, but I need authorization object for chains, when I grant transaction rspc (chains) to the user, the user can run all chains in rscp. I want to restrict this access only for one chain. And I cant find authorization object for restriction of chains
  thanks
  pacho

• Authorizations

  Hi Experts
  In BEx Analyzer there are huge reports (for e.g. 225 reports) but i want to create authorizations for only dealer statement report, daily invoice control report and i want to create authorizations for individual InfoObjectsis it possible in the same report or else is there any solution for that.( in BI.7.0) Could you pls explain to me.
  Thanks and Regards,
    Vikas Raj.

  Hello Vikas,
  As you said, you want to give access to   dealer statement report, daily invoice control report  is it?
  Then collect the info areas, info cubes and the owners of it.
  Do like this. create one role in common and add these authorization objects.
  S_RS_COMP, S_RS_COMP1, S_RS_MPRO and S_RS_ICUBE. These authorization objects are related to authorization of reports, queries and BEx.
  in S_RS_COMP1, maintain the specific authorization by mentioning the owner and the users.
  add S_RS_COMP1 twice. First time mention the owner and give full access to the owners. And second time those who are end users they can execute and display queries.
  Remember that in all the authorization objects, you have maintain the info areas, info/multi providers.
  You dont have to create authorization for each and every info objects inside your info cubes.
  Hope this would help you more.

• Authorization issue with report on "Char data target"

  Hi,
  we've a characteristic ZCHAR inserted as data target.
  user is not able to execute a report created on this "Characteristic data target".
  error is as follows : "Error : You are not authorized to use ZCHAR".
  Could some one advise how to resolve this issue & what authorizations need to be assigned to this user.
  <b>PS: same user has no problems running other reports created on infocube & ODS.
  also, this characteristic data target is not "authorization relevant" in the info object definition.</b>
  appreciate your help.
  I've following profile assigned to user.
  S_RS_ICUBE - Administrator Workbench - InfoCube
  Activity   :                     All activities
  InfoCube Subobject :             All values
  InfoArea           :             *
  InfoCube           :             *
  Hari Immadi
  http://immadi.com
  SEM BW Analyst

  Gova,
  thanks for your reply.
  profile doesn't have any authorization object S_RS_IOBJ.
  looks like this is the problem.
  I quickly tested with this object on a dummy profile & it worked with following settings. Is this correct just for reporting?
  Object S_RS_IOBJ
  Activity                       Display 
  InfoObject                     ZCHAR
  InfoObject catalog             *       
  Subobject of InfoObject        Data    
  Hari Immadi
  http://immadi.com
  SEM BW Analyst

• Inserting authorizations from template

  Hi all,
  Does anyone know what are the basic authorizations needed for reporting and planning activities. I do not mean the basic analysis authorizations - I mean the basis authorizations - those you usually insert from a template such as S_RS_TREPU.

  Hi,
  you don't have to use:
  S_RS_ICUBE
  S_RS_ICUBE
  S_RS_ISET
  S_RS_MPRO
  S_RS_ODSO
  Because you have to set at less one authorization with the following authorization IO:
  0TCAACTVT
  0TCAIPROV
  0TCAVALID
  Don't forget:
  S_DEVELOP
  S_RO_BCTRA in ECC side for activate (remote) Datasource
  S_RS_BITM NEW
  S_RS_BTMP NEW
  S_USER_AGR
  S_RS_BC
  S_RS_BCS
  S_RS_AUTH (Data)
  S_RS_IOBJ
  S_GUI
  S_RS_DS: Authorizations for working with the DataSource or its sub-objects (as
  of SAP NetWeaver 2004s)
  &#56256;&#56452; S_RS_ISNEW: Authorizations for working with new InfoSources or their subobjects
  (as of SAP NetWeaver 2004s)
  &#56256;&#56452; S_RS_DTP: Authorizations for working with the data transfer process and its subobjects
  &#56256;&#56452; S_RS_TR: Authorizations for working with transformation rules and their subobjects
  &#56256;&#56452; S_RS_CTT: Authorizations for working with currency translation types
  &#56256;&#56452; S_RS_UOM: Authorizations for working with quantity conversion types
  &#56256;&#56452; S_RS_THJT: Authorizations for working with key date derivation types
  &#56256;&#56452; S_RS_PLENQ: Authorizations for maintaining or displaying the lock settings.
  &#56256;&#56452; S_RS_RST: Authorization object for the RS trace tool
  &#56256;&#56452; S_RS_PC: Authorizations for working with process chains
  &#56256;&#56452; S_RS_OHDEST: Open Hub Destination
  &#56256;&#56452; S_RS_DAS: Authorizations for working with Data Access Services
  &#56256;&#56452; S_RS_BTMP: Authorizations for working with BEx Web templates
  &#56256;&#56452; S_RS_BEXTX: Authorizations for the maintenance of BEx texts
  &#56256;&#56452; Authorization objects for the administration of analysis authorizations:
  &#56256;&#56452; S_RSEC: Authorization for assignment and administration of analysis
  authorizations
  &#56256;&#56452; S_RS_AUTH: Authorization object to include analysis authorizations in
  roles
  &#56256;&#56452; Changed Authorization Objects:
  &#56256;&#56452; S_RS_ADMWB (Data Warehousing Workbench: Objects)
  hope it helps

• Query: no authorization for multicube

  Hello,
  my issue: a user wants to start a query via RRMX and gets the error message: u201CYou donu2019t have the authorization for multicube xyu201D.
  I have checked the roles for the user and found the authorization object S_RS_COMP (field RSINFOCUBE, value *). That is, the authorization was defined. When the user starts another query (based on another infocube u2013 no multicube) there is no problem.
  In the SAP help documentation I have found how to get a protocol from the authorization check (SAP easy access -> BIW -> authorization -> reporting authorization). But I donu2019t have the menu SAP easy access -> BIW -> authorization.
  We have BI 7.0 (SAPKW70017), but we still use the u201Coldu201D authorizations.
  Can anybody help? Which authorization object is missed?
  Thanks in advance!

  Hi Anton,
  I had checked the ST01 before. There where no results. A colleague mentioned that ST01 is not working correctly sometimes if you donu2019t restrict the user. That was the problem. Now I have the missed authorization object, it is S_RS_MPRO.
  But I think the explanation in SAP-help is not correctly. It is an authorization object for the administration workbench, but in reality it is used in BEx. Furthermore it is mentioned that you CAN use this authorization object additional to S_RS_ICUBE. But in reality it is not a CAN it is a MUST obviously.
  Thanks!