BW authorizations for universe connections

Hello experts,
Is it possible to use a universe without giving the user 0BI_ALL authorization? We want the same user to connect via BICS and universe and if we use 0BI_ALL for universe connections, the analysis authorizations for BICS doesn't work.
Any idea on how to have row security levels on both connections at same time?
We are using BW 7.0 and BO 4.0 SP5.
Many thanks in advance.

Hello David,
using BI Authorizations in BW and then adding data level security in the Universe on top of that will only lead to situations like you have now.
Data Level security goes into BW alone or into the Universe alone, mixing both will lead to issues and remember that the Universe has far less capabilities in this area.
0BI_ALL is only related to data level security, so the fact that you see the request for 0BI_ALL in the trace clearly shows that your defined data level security entries contradict each other somehow and that BW then requires 0BI_ALL for the user to give the data that was requested.
like I said above, not a good idea to mix those data level security concepts. all data level security should be in BW already.
Also - why even use the Universe inbetween ?
regards
Ingo Hilgefort, SAP

Similar Messages

  • Authorizations for RFC connections

    Hi everyone....
    what are the Authorizations required for the user when creating RFC connections in XI.
    Rewards,
    Varun Reddy.K

    Hi,
    Authorization for using RFC destinations
    http://help.sap.com/saphelp_nw04/helpdata/en/6b/af429b12e9214d9a2d6cba921b162f/frameset.htm
    Regards,
    Shabari

  • Crystal Reports for Enterprise and universe connections

    Hi, I have noticed an issue with Crystal Reports for Enterprise that may give many administrators a headache.
    If a BOBJ user has access to a sensitive universe (eg HR or Finance data) to run pre-built WebI reports from  (but not create new ones or edit the universe) then they must have been give data-access to that universe's connection object. Security on the universe and folder could prevent them from accessing information from the universe they shouldn't see or editing the reports and creating new ones.
    However if the same user is given access to Crystal Reports for Enterprise in order to access other data sources, then the fact that they have data-access to the above universe connection object now creates a security problem.
    Crystal for Enterprise allows a user to open a universe connection object as a data-source. If the user opened the connection for the above 'sensitive' universe they could see all the data in the database - avoiding any universe level restrictions in the process.
    What is the suggested way around this? There doesn't appear to be granular enough security to prevent users with data access on a connection object also using that object to create new reports in Crystal for Enterprise.
    The only way around it I can see is to deny the user access to the sensitive universe output altogether, but this changes the whole business process for the team involved.
    thanks
    Keith

    I have a couple of thoughts:
    1.  Create a special reporting user in the database that only has access to a set of views that don't include the sensitive information.  Then create a universe based on those views which uses a connecting that logs in as that special user.  Give the folks who don't have access to the sensitive data access to this connection and universe instead of the universe and connection that include the sensitive data.
    2.  Since you have BO, you should have a support contract.  I would report this as a bug.  However, SAP may tell you that it is "working as designed", in which case you could go to IdeaPlace (https://ideas.sap.com/) and add this as a requested enhancement.
    -Dell

  • Universe Connection in Business Objects for SAP BW as Source.

    Hi All,
    I am trying to create a new Universe connection where i took SAP  as a source , I filled all the details that is required for connection like Application server and system number.
    when i click on next it showing a error like this--
    businessobjects115.olapi.browseobject.1
    could not load provider for transport"sap"
    Could anyone please help me.

    Hi
    I have also same issue , if some one soluaiotn for it.
    Regards,
    Piyush

  • Universe Connection - options for specifying database authentication

    Are there any options for specifying the id and password for a database connection from the Universe Designer other than entering them directly into the tool?  Our information security group prefers to administer security accounts (i.e. user id's and passwords) in standard security products as compared to having to know development tools (e.g. Business Objects).
    Thank you.

    to create a connection you have to enter a user name or password for this connection.
    in your case, your Administrator can create those connections in the designer before they create any universe and then give an access to which developers access which connections to create specific universes.
    to create a connection there is no other way more than entering the user name and password.
    in the XI 3.0 there is some new and very good option "User BusinessObjects Credentials Mapping"
    which i think send the current connected business objects user name and password to the connection user name and password.
    its just map the user name of the BO system to the user name of the connection, and same thing for the password, and for this you have to have a DB user name for every BusinessObjects user name,
    this is wide use with oracle databases.
    good luck

  • No Authorization to OLAP Cubes during the creation of universe connection

    Hello friends we are not able to see the OLAP Cubes during the creation of universe connection using the Quality system and Application server "sapbmw01" client 100, system # 00. But we are able to set up the connection in our development system.  
    I will highly appreciate if you can let me know if we need some special role to access the OLAP Cubes during the creation of universe connection using the Q system.
    Surprisingly we are using SAP_BW_ALL in Quality system still we are not able to access the infocubes. is there some thing missing in CMS IN BO to make that work.
    Thanks
    Soniya

    Hi Jyothy,
    Refer the below link on how to create universe on Analytic View/Calculation View using relation connection in IDT
    http://www.sapanalyticsguru.com/index.php/sap-bobi/31-universe-creation-on-hana-view-using-information-design-tool

  • Error when refreshing WEBI report with Universe Connection Type "SSO"

    Hi Experts:
    We are trying to refresh the Webi report in Infoview with Universe Connection set as "Use Single Sign On when refreshing the report at view time", so that we can leverage SAP OLAP authorization variable from Bex Query which the Universe is built on.
    However got the error of "incomplete logon data" after all the configurations done following below blogs:
    SNC Part 1
    /people/ingo.hilgefort/blog/2009/07/03/businessobjects-enterprise-and-client-side-snc-part-1-of-2
    SNC Part 2
    /people/ingo.hilgefort/blog/2009/07/03/businessobjects-enterprise-and-client-side-snc-part-2-of-2
    We already have Win AD SSO to SAP setup, and in BO CMC, Win AD user is mapped to SAP user ID.
    The SNC settings are:
    - AD Account: service.test.bobj (all lower-letters)
    - 32-bit gsslib on the BO server, and 64 bit on the BW server side.
    - SNC0: p:service.test.bobj at DOMAIN
    - SU01 --> BO_Service ; SNC: p:service.test.bobj at DOMAIN
    - Entitlement system tab --> username: BO_Service
    SNC Name: p:service.test.bobj at DOMAIN
    - SNC settings tab:
    SNC Lib: c:\winnt\gsskrb5.dll
    Mutual Authentication settings: p:SAPServiceBP0 at DOMAIN
    In CMC, the role can be imported if "RFC activated" option unchecked in SNC0.
    I found a few threads on the same topic, but they are all not answered:
    SNC Client side configuration error
    SNC Configuration Error: Incomplete logon Data
    Can you please provide details of the solution if you have impleted a same scenario successsfully, or any thoughts to help the investigation?
    Thanks in advance!
    Regards,
    Jonathan

    Hi Ingo,
    Sorry for taking so long to reply, we are trying to set up server side trust and enable SSO; but we still couldn't success.
    What we did is:
    1. We followed installation guide chapter 6, generate certificate and PSE, etc. All looks good.
    2. Then we still have the "incomplete logon data" error when refreshing webi report after logon using Windows AD user ID.
    3. Then we trace the PFC connection, the log is as below. We checked several BO notes, e.g. 1500150, 1461247.. The part bothers us is that we even don't have URI displayed in the log when system trying to use SNC, and we couldn't get more info on this which make us very difficult to diagnosis.
    Can you please help? Thanks a lot!
    Thu Mar 31 10:54:46.857 ThreadID<1980> SAPMODULE : SAPAuthenticationService: Authentication model for SAP connectivity is SSO
    Thu Mar 31 10:54:46.857 ThreadID<1980> SAPMODULE : SAPAuthenticationService: Determining if we can connect using SNC. Calling CanAuthenticate...
    Thu Mar 31 10:54:46.919 ThreadID<1980> SAPMODULE : SAPAuthenticationService: Unable to authenticate using SNC because the URI does not meet the minimum connection requirements.
    Thu Mar 31 10:54:46.919 ThreadID<1980> SAPMODULE : SAPAuthenticationService: Determining if we can connect using SSO. Calling CanAuthenticate...
    Thu Mar 31 10:54:46.919 ThreadID<1980> SAPMODULE : SAPAuthenticationService: Authentication model for SAP connectivity is SSO
    Thu Mar 31 10:54:47.013 ThreadID<1980> SAPMODULE : SAPAuthenticationService: The SAP SSO authentication process will fail because the SAP secondary credential are not properly updated and the password is blank.
    Thu Mar 31 10:54:47.013 ThreadID<1980> SAPMODULE : SAPAuthenticationService: Trying to connect to SAP using this URI : occa:sap://;PROVIDER=sapbw_bapi,R3NAME=PB0,GROUP=BI_Group1,MSHOST=sapaupdb04,LANG=en,CLIENT=100,CATALOG="ZSPUM602",CUBE="ZSPUM602/ZSPUM602_Q50"
    Thu Mar 31 10:54:47.013 ThreadID<1980> SAPMODULE : SAPAuthenticationService: Calling m_pRfcWrapper->RfcOpenEx() ...
    Thu Mar 31 10:54:47.154 ThreadID<1980> SAPMODULE : SAPAuthenticationService: RfcOpenEx(...) returned 0
    Thu Mar 31 10:54:47.154 ThreadID<1980> SAPMODULE : SAPAuthenticationService: Call to m_pRfcWrapper->RfcOpenEx() took 0.141 seconds
    Thu Mar 31 10:54:47.154 ThreadID<1980> SAPMODULE : SAPAuthenticationService: SAPAuthenticationService::~SAPAuthenticationService

  • UWL  : User J2EE_ADMIN has no RFC authorization for function group SYST

    Dear All,
    When I am trying to register the system in universal Worklist Administration, It gives the following error,
    System <>: Fri Jul 11 18:58:11 IST 2008
    (Connector) :com.sap.netweaver.bc.uwl.connect.ConnectorExc  eption:Fri Jul 11 18:58:11 IST 2008
    (Connector) :com.sap.mw.jco.JCO$Exception:User J2EE_ADMIN has no RFC authorization for function group SYST.
       I have tried by giving the role SAP_ALL to J2EE_ADMIN , then also i am getting the same error. Can anybody  through some light on this....
    Helpful tips will be rewarded...
    Sanoj

    Sanoj,
    check these threads
    https://forums.sdn.sap.com/click.jspa?searchID=13972376&messageID=5489621
    https://forums.sdn.sap.com/click.jspa?searchID=13972376&messageID=5267551
    https://forums.sdn.sap.com/click.jspa?searchID=13972376&messageID=5636365
    reward points if helpful

  • Security Authorizations for IDOC

    can anybody explai me following.
    Roles and responsibility wrt the Security Authorizations the user should have to process the IDOCs at the receiving end and also the monitoring the IDOCs
    Regards,
    Rahul

    Hi Shesha,
    I presume you have the SAP Integration kit intalled and configured, and imported the BW roles in the CMC... you are also login with the SAP user account (User1, User2). This would be a base requirement to make this work.
    In your OLAP universe, you need to set the connection properties of the connection to. Select Use Single Sign On when refreshing reports at view time to allow the user to benefit from SAP SSO.
    You have currently used User1 for the connection and saved the universe with this user id, thus, when the connection is made to BW, it is User1 with its role permissions accessing the data, even if you are logged on as User2, User1 is being authenticated.
    Hope this helps
    Jacques

  • Data Federator data source not available causes Universe Connection error

    I created a Data Federator project that connects to 20 servers across US and Canada.  All data sources are SQL Server 2005.  The DF project maps 40 source objects into 4 target objects.  I created a universe based on the DF project and we have been quite pleased with Webi query response.  Today one of the source servers was taken off line and this generated a connection error when trying to access the universe (not trying to access the data source that failed).  We do not want the universe connection to error when one source server is not available u2013 is that possible?
    If the answer is no then I see us abandoning what appears to be a great solution for real time distributed reporting and resorting to ETL and moving data.

    Hi Chapman,
    Can you be little elobrate on what you have done to solve the issue.
    Thanks,
    Dayanand

  • Not getting all objects with Universe connection

    I am using CR 2008 SP2 and I am trying to create my first report using a Universe as the connection.  I click on Blank Report and it opens the Database Expert.  I then open Universes under Create New Connection and the Universe that I want to connect to is there but when I double click on it to create my query I am not seeing all of my Dimensions and Measures.  This is a small Universe with three classes.  The first class has 6 dimensions in it.  The second class has two dimensions in it of which these are date dimensions and then my third dimension is my Measures dimension that has 4 measures.
    I only see 5 of my 6 dimensions from the first class.  I see both of my date dimensions from my date class but I only see one of my measures from my measure class.  When I create a new WEBI report connecting to this universe i get everything as expected.
    Any ideas?

    Hi Ron,
    Since you are using WebI Rich Client of Edge version I assume you are not using a CMS (you are not required to login when you start WRC). Is this correct ?  if so then you might need to make sure your WRC hits the appropriate folder of universes. This can be configured from menu Tools -> Options -> General tab,  where you can define a default folder for universes. Make sure you point to the folder where your latest version of universes are (locally or on a remote machine). Your WRC will always load the version of universe that is stored in that folder.
    Hope this helps
    Abdellatif Astito
    SAP Business Objects

  • Problem with Authorization for Planning folder

    Hi an having a problem with providing authorization for a planning folder
    i am getting the following error when i test it with test user
    Error while calling up RFC
    Message no. UPC202
    Diagnosis
    You have selected a function, to execute this the system must set up an RFC connection to another SAP System. However, setting up this connection was not successful. The following internal error message was generated:
    "You do not have authorization for InfoCube ZT_MR_T "
    Procedure
    Inform the system administrator.
    we are not pulling the data from any other server, all the data is on the sif any one has faced the same issue let me know.
    Regards,
    Abraham

    Calling Thru Trans code: BPS0 in ECC 6
    getting this error:
    Error while calling up RFC
    Message No. UPC202
    Diagnosis
    You have selected a function, to execute this the system must set up an RFC connection to another SAP System. However, setting up this connection was not successful. The following internal error message was generated:
    "An error occurred during the receipt of a complex parameter."
    after i check in bw trans code:st22
    Following this error message:
    Category                   Internal Kernel Error
    Runtime Errors         PARAMETER_CONVERSION_ERROR
    Application Component  BC-MID-RFC
    Short text
        An error occurred during the receipt of a complex parameter.
    What happened?
        During a remote function call, an error occurred while converting
        a complex parameter.
    What can you do?
        Note which actions and input led to the error.
        For further help in handling the problem, contact your SAP administrator
        You can use the ABAP dump analysis transaction ST22 to view and manage
        termination messages, in particular for long term reference.
    Error analysis
        An error occurred during the conversion of a complex parameter.

  • Problem with Authorization for BW BPS planning Folder

    Hi an having a problem with providing authorization for a planning folder
    i am getting the following error when i test it with test user
    Error while calling up RFC
    Message no. UPC202
    Diagnosis
    You have selected a function, to execute this the system must set up an RFC connection to another SAP System. However, setting up this connection was not successful. The following internal error message was generated:
    "You do not have authorization for InfoCube ZT_MR_T "
    Procedure
    Inform the system administrator.
    if any one has faced the same issue let me know.
    Regards,
    Abraham

    HI ,
    I Checked it out we dont have that cube in our system.
    Regards,
    Abraham

  • Unable to use SSO with universe connection on top of SAP BW query

    Hi,
    We're creating a universe on top of a SAP BW query by using universe designer.
    We logon to universe designer by using SAP credential.
    When creating the connection, we set the option "Use Single Sign On when refreshing reports at view time" in order to logon to BW server. But when clicking next, an error arises:
    "DBD: Unable to connect to SAP BW server Incomplete logon data"
    The strange thing on this is that there is one laptop which is able to set up this kind of connection, while all other workstations are not able to set it because they recieve that error (we all work against the same BO server). So this looks like an installation issue.
    We reinstalled SAP Integration Solutions on those workstations, but problem is still the same.
    I found thread: Universe Connection Authentication on SAP BW which talks about the same issue, but solution involves uninstalling Xcelsius. But we do need Xcelsius!
    Any suggestions?
    Thanks,
    David.

    >
    Ingo Hilgefort wrote:
    > Hi,
    >
    > - how did you enter the SAP credentials when logging on ?
    username/password with sap authentication
    >
    > - are you using a application server or a message server for the connection ?
    Application server
    >
    > - SAP GUI is installed ?
    SAP GUI 710 patch 11
    >
    > - SAP Integration Kit is installed ? is it a full keycode or a temp keycode ?
    SAP Integration Solutions with temp keycode
    >
    >
    > thanks
    > Ingo

  • BPS retraction (CCA) - authorizations for background user (R/3)

    Hi,
    I'm  trying to retract plandata for statistical key figures from BW to R/3. During data retraction I get an error message in BW. The message is about missing authorities on R/3 side, but without any detailed information. We use the standard backround user for BW => R/3 RFC connections. So my question is, if the background user needs additional authorizations for data retraction? Are there any notes or documentation?
    Thanks for help,
    Tanja

    Hi,
    I remember having faced this issue...
    I fixed it by creating a RFC connection for the retraction itself connecting with a service user (S_BWRETR) having profiles SAP_ALL, SAP_NEW.
    hope this helps...
    Olivier.

Maybe you are looking for