Bw upgrade - Authorization concept

Similar Messages

• Switching BW authorization concept back and forth on the fly

  After upgrading to BW 7.0, we are currently developing the BW authorizations from scratch with the new analytical authorizations. The system is currently set to the legacy RSR authorization objects. The idea is now to define two timeframes on our development system, one for the users working with old authorizations, and a second timeframe for testing the new analytical authorizations.
  Can we switch the authorization concept back and forth on the fly, or are there any obstacles?
  Thanks in advance!

  Andreas,
  The latest version of BW is 7.3 which is also Analysis authorization concept like 7.0. So please clarify from the system status what level are you upgrading to.
  Under 7.0, the RSR objects were still available i.e. you can switch the concept back and forth on the fly, it will trigger a transport. AFAIK - In 7.3 however there is no support for RSR anymore in fact even the object class is not visible and so does the switch for the concept and even RSR objects (Z-objects) do not show up in PFCG either.
  So if you are moving to 7.0 switch is possible, 7.3 it is not. But in either case, you should be upgrading using a dual landscape with upgrade work being done & tested in separate boxes than daily production support landscape. It will come in handy at the time of testing also.
  Regards,
  Shivraj Singh

• Authorization Concept - BI7

  Hi ,
  I'm working on authorization concept for BI7 which seems to be having a conflicting statement.
  User : Mary
  InfoObject : ZORDER
  Set 1 : Queries built on multiproviders within infoArea ZSALES should display ONLY order number 123.
  Set 2 : Queries built on multiproviders within infoArea ZPROJECT should display ALL order numbers.
  Its a conflicting scenario.
  Its giving an output for ALL orders for both set 1 and set 2 queries.
  Appreciate if anyone could provide some ideas if this is feasible to achieve within RSECADMIN.
  Thank you.
  Regards
  Maili
  Edited by: Maili06 on Jan 12, 2012 1:19 PM

  hi,
  plz try creating the analysis auth objects for the mentioned scenarios can be:
  1)1st auth object can have  infoarea=ZSALES and order number=123
  2)2nd auth object can have infoarea=ZPROJECT and order number=*
  Both these analysis authorization objects can be assigned to the user via RSECADMIN.
  In the auth profile, S_RS_AUTH = Inactive, read analysis auth from RSECADMIN and manual assignement.
  regards
  laksh

• Not clear with the Authorization concept for Marketing Plan

  Hi All,
  I am new to CRM and was going through some of the prescribed document for CRM marketing
  when i encounter with the authorization concept in marketing plan,for example how
  can i restrict a user with a campaign manager role from changing marketing plan.please
  provide the step by step procedure.
  Regards,
  Sanju

  Hi Sanju
  User with a campaign manager role can be restricted for changing marketing plan using authorization group.
  We define authorization groups for use in the Marketing Planner. Authorization groups can be maintained at both marketing plan level and campaign or trade promotion level. Authorization groups enable us to control which users are authorized to change which of these two types of marketing project. We could, for example, define one authorization group to be assigned to a marketing plan, then define further authorization groups to be assigned to the different campaigns within the marketing plan. In the Marketing Planne.
  Follow below steps
  1. Define authorization group using following IMG Path
  Customer Relationship Management / Marketing / General Settings / Define Authorization Group.
  2. In authorization object CRM_CPGAGR of the role Campaign manager maiantian activity 01, 02, 03 ,06 (this will allow user to create, change, display and delete)
  3. IMG defined authorization group ex: ABC can be seen under the tabstrip Basic Data of marketing plan.
  4. Now user have to choose the Authorization group ABC from the drop down in Basic tab to create a marketing plan. User will get the change access for all the marketing plan which have the authorization object ABC.
  Hope this will help...
  Rgds
  Mallikarjun

• New Authorization concept

  Hi experts,
  what is new Authorization concept in NW2004s.
  All of our queries are created in Query Designer 3.x and our generic Authorization objects are created in RSSM.
  Is it necessary to use new Auth.concept ?
  What are the advantages or disadvantages of new concept?
  Thanks

  Hi there again,
  If you have that entry in RSCUSTV23 it means you're using the old concept of RSSM authorization not mantained anymore by SAP:
  I recommend (as well as SAP) to use the new concept. For that, since you've already the old authorizations, you can do a migration of authorizations with a standard report (transaction se38) called RSEC_MIGRATION.
  This report is of ease to use and does the migration of the old concept to the new one, therefore you can after running the migration use the new concept.
  The worst part, is that is recommended (and you should) do an exaustive battery test, to ensure, no errors are encountered with the new authorization concept after migration.
  You can also read about the migration of authorizations (and the detal of how to use the standard migration report) in here:
  [http://www.sdn.sap.com/irj/scn/events?rid=/library/uuid/659fa0a2-0a01-0010-b39c-8f92b19fbfea&overridelayout=true]
  Diogo.

• Basic Authorization  concept

  Hi Friends,
  I want to be clear in basic authorization terminologies.
  Can any one give the definition for the each below mentioned basic authorization terminologies with some example?
  1.Object class
  2.Authorization
  3.Authorization Object
  4.Authorization Field
  5.Field Value
  6.Profile
  7.Role
  8.Composite role
  9.Reference role
  10.Derived role
  Thanks in advance.
  Regards,
  Venu

  Hi Venu,
  Lets come from the top to bottom ...
  at the highest level you have the Role. A role can be defined as follows.
  <b>Role</b>
  The collection of activities that a person performs to participate in one or more business scenarios in an organization.
  Access to the transactions, reports, Web-based applications, and other objects contained in roles is through user menus.
  Also in a simple manner can be defined as a set of transaction codes in one bundle.
  Note : when a Tcode is assigned to a Role hte related authorization objects get autmaticaly assigned to the role. I hope its clear until now.
  So every Tcode i sassigned to a specific set pof Authorization objects and every authorization object has a set of Auth fields assigned to it. They can be che3cked in any role in transaction PFCG.
  for better programming SAP has classified a set of authorization objects into OBJECT classess. its not much of importance to you as its a system thing.
  One more thing is every role has a profile assigned to it when its created and Generated. Usually profiles are the concept until 4.0 system of SAP...later the roles concept came into existence and hence they are defunct exept a few standard SAP profiles like SAP_ALL and stuff which can be assigned to Users directlky. Else Profiles are also automatic assignment and get linked to a uswer once a user is assigned a particular properly generated role.
  Coming to other terms, a group of single roles can be bundles into a single <b>composite role</b>. Hence its justa group of single roles.
  In authorization concept, wehave the Parent Child relations hip in roles.
  That is... when a Role is created we call it the master role and its properties can be inherited by a cild role.
  the scenario is if we r having 4 company codes in an org, and i am supposed to create roles for each comp code seperately..so i try to create a master role and create 5 child roles with inheritance properties. this way any change to master role gets drilled down to child roles without having to change all the rolese seperately.
  This is the concept of <b>derived roles</b>.
  i wish this info has helpfed you...
  Br,
  Sri
  Thanks for the points...

• New authorization concept - Access to data

  Hello, i'm new in SAP BW and i'm in migration process to the new authorization concept.
  Here is what happening:
  I have a role with all access to a company (*) of a provider X.
  I have another role with restricted access to a company (ex: COMPANY1, COMPANY2 and COMPANY3) of a provider Y.
  When i attribute those 2 roles to a user and access a query of the provider Y, i can see all the companies when it was supposed to only see the 1, 2 and 3.
  What am i doing wrong?
  Thank you in advance.
  João Gonçalves

  Hi friend,
  The Authorization concept works on sets concept of mathematics.
  Explanation to your scenario:
  For user A you apply company (*) on provider X and company 1, 2, 3 on provider Y. i.e. u are collectively applying All company codes for provider X and Y. as Company (*) set is a bigger set and the providers set is extended to 2 elements X and Y to get her and not separately.
  Way to check the actual set by which authorization is getting applied:
  RSECADMIN -> Analysis tab -> Execute as user (check with load check box, and RSRT radio button) ->  Execute -> Put a query on which you need to check authorizations (the query must have authorization variable if relevant) -> execute the query -> return back after execution -> on the Execute as user screen hit on Display log option.
  You will get a detailed log for your query execution. Here you will also get a log where what set is applied for the query execution is displayed. You will get an understanding of your issue there.
  Regards,
  Sourabh Deo

• BPS_WIF0 authorization concept

  Authorization object R_PM_NAME can be used to control the access to different planning folders within UPSPL. What is a similar object for Web folders of the kind that can be executed from BPS_WIF0 or directly from the appropriate BSP. How is this same type of authorization concept applied, or does it need to be integrated directly into portal roles?

  Blake,
  there is no special authorization object for BPS web interface. You have to restrict access to the generated BSP application by using roles. However, even if someone had access to the BSP application, the next level of authorizations should be fully sufficient (BW auth. on transaction data, RSSM, or R_AREA, R_PLEVEL, etc).
  Regards
  Marc
  SAP NetWeaver RIG

• BW-BPS and new analysis authorization concept

  We are using BW-BPS on Netweaver 2004s SP8 and the new autorization concept is switched on.
  Where do we need to pay attention?
  Which authorization objects stay the same and which are now to be maintained in analysis authorizations?
  Thanks for your suggestions.
  Anja

  In NW04S, BPS and BI IP share the same new authorization concept so you tend to have to rebuild specific profiles used for BPS.   The old BW-BPS tend to have authorization for R_* and they need to be redone using the new authorization concept and it can take some time if you have a lot of profiles.

• Authorizations concept in SAP BI

  Hi All,
  Can you please tell me about Authoriions concepts in SAP BI ?
  Regards
  Syed

  hi ,
  About Authorizations Concept in SAP BI .....
  SAP BI 7.0 Authorization concept (analysis authorization) change a lot in accessing, analyzing and displaying BI information. The approach allow to restrict data access on Key figure, Characteristic, Characteristic value, Hierarchy node, and InfoCube levels. It enables more flexible data access management.
  Check this links
  http://help.sap.com/bp_bw370/documentation/Authorization_BW_Proj.pdf
  and
  check this two links too
  http://www.bwarea.com/2009/01/sap-bi-70-authorization-part-1.html
  http://www.bwarea.com/2009/01/sap-bi-70-authorization-part-2-creating_18.html
  Regards
  ChandU
  <removed by moderator>
  Edited by: Siegfried Szameitat on Jun 1, 2011 2:26 PM

• SAP Authorizations Concept Project

  Hello,
  Before, i would like to say that this thread will stay open, with questions and answers. Thanks
  I am starting a little project on authorizations. The company has only 9 users, and all of them have the SAP_ALL, SAP_NEW profiles, wich after an audit generated the need to have them removed and the need to implement an Authorization Concept from the root.
  The first step and most important is to get the profiles fixed before the next audit, wich i think will only give me time to create generic profiles based on a List of Transactions and Reports, that each one of them, or a group, executes. I've been reading the ADM940 module, and i have some experience in SAP BI Authorizations, but no experience in Authorizations at a higher level.
  My questions are, Recomendations and attentions i must have to implement this concept i've described and
  Is the automatic profile generator, based only on transactions and reports enough to fullfil the needs i described before enough? Or after that i'll have to maintain some Authorizations objects manually?
  Thank you very much
  JO

  Closing the thread, as it has a lot of days by now

• Webi 4.0 using SAP BW old security model (old authorization concept in BW)

  Hi experts,
  we are facing a problem with a new customer, using SAP BO 4.0 - Webintellingence on top of a SAP BW 7.0 EHP1.
  The customer is still running the old security concept in BW. The hint to upgrade SAP BW to the new reporting authorization will be done, but not within the next half year.
  Could that be a major problem to run this combination (BO 4.0 (Webi) and the old security concept) particularily on hierarchie authorization.
  Thanks in advance for a quick answer.
  Thomas

  (1) BEx queries already in use by the business users are from the BWP and those same queries may or may not exist in BWD or BWT as some business users create BEx queries directly in the BWP.
  1). As I told you earlier, design is purely  based on Requirement and Process also needs to be followed.
  Bex can be created directly in the production, but if query goes wrong or fetches wrong data, don't you think business people will get frustrated. If you or team can explain the process, then Yes you can directly work on Production (just my view)
  (2) Even if those queries do exist in entire BW landscape, including BWD, BWT, and BWP, only BWP has the data that business user can count on. BWD has no data and BWT has only sample data where as BWP has actual and complete data.
  Running the query is BWD or BWT is just for testing, example incase of BOBJ upgrade, you need to do in 577 and test before prod rite.
  3). I can create reports in 577 in connection with BWD to maintain consistency in the schema for both the environments. Upon approval and migration to 578 I know that I can change the underlying connection from BWD to BWP and that would work just fine, however, according to the business users, the auditors would not like the idea in light of SOX compliance and may not approve the methodology.
  You have answer in your question (SOX) and Business also like to follow the process (atleast in the companies, I have seen)
  Just my view...

• Standard authorization concept versus analysis authorizations

  Hi
  I am bit confused about the necessity of maintaining both.
  Example:
  I have designed an analysis authorizations for CO (Controlling), named CO_001:
  InfoProvider: 0COOM_C02
  Thereafter I have put the authorization object S_RS_AUTH into a role (standard authorization object) with CO_001 as value in BIAUTH.
  Is there still a need to maintain authorization objects for Business Explorer or Business Planning, like:
  S_RS_COMP (limiting to the InfoProvider mentioned in the analysis authorization)
  S_RS_PLSE (limiting to a special aggregation level of the appropriate InfoProvider mentioned in the analysis authorization)
  What happens when there is no limitations maintained in the role for these auth objects, "*"?
  Which concepts dominates the other one?
  Thanks
  BEO

  Hi BEOplanet,
  S_RS_COMP will give you access to the Infoprovidor in BEx so this will be access level security.
  Then Analysis authorization will give you the data level security within the infoprovidor (like what data you can see within the infoprovidor)
  There fore you need to maintain both S_RS_COMP and Analysis Authorizations.
  To your question ,if you have maintained the cube 0COOM_C02 in Analysis Authorization and S_RS_COMP has only 0PA_01 then the Query will fail since you dont have access to the cube 0COOM_C02 in S_RS_COMP.
  Regards,
  Karthik.

• Does New BI 7.0 Authorization Concept work on 3.x Queries?

  Hello Experts,
  I have requirement to restrict the query based on Division.
  So I have created the Authorization object based on Division from RSECADMIN TRansaction. and then created a Role from PFCG TRansaction. I have have used this Auth. Object from S_RS_AUTH.
  but when i tested the role The query diaplaying all the division records rather than restricted division.
  My question is does New BI 7 Auth. Concept work on 3.x Queries or does 3.x Auth. Concept work in BI 7.0?
  Could you Please let me Know your Thoughts?
  Thanks in advance.
  Dara.

  Hi Ralf,
  Thanks for your prompt Reply.
  I have created Auth. Object from RSECADMIN Transaction based on Division and also created Role from PFCG TRansaction. when i test the query it's diaplying all the data rather than restricted division.
  DO you think do i made any mistake?
  After Creating Auth. Object Do i need to Generate it?
  Please let me know your thoughts.
  Thanks in advance
  Dara.

• Contract authorization concept

  Dear Experts,
  I have a question regarding the working of contract authorizations in SRM 7.0.
  When we create a central contract, we can assign specific authorizations, to specific parts of a contract to a particular user outside the  startegic purchasing.
  If I assign display authorizations to a user A who is not having the startegic purchasing role, how will this user be able to view the contract?
  The user A does not have the starategic purchaser role and hence does not have the iview access on the portal. Where will this user be able to access the contract?
  also, do we need to assign any specific authorization objects in SRM for this user to view the contract?
  the only documentation that i found for this topic was http://help.sap.com/saphelp_srm70/helpdata/EN/45/dce925088a6976e10000000a1553f6/frameset.htm and this did not answer my questions.
  Could anyone help me here?
  Thanks & Best Regards,
  Vidhya

  We too are looking at this functionality and struggling to understand the concept!
  What we think needs to happen is that all users should have contract display access in their role and this would be linked to a very basic view of the contract, a little bit like the Overview tab. You may have enhance the Overview tab so that no sensitive or confidential information is on view. Then if you want a user to be able to see a confidential contract then you can use the enhanced authorisation to grant them access, so we describe this as 'uplifting' their basic contract access allowing them to see more details.
  Please note we have not yet developed this solution and we are currently in the process of assessing whether or not it will work. Also note we are running SRM-PPS with enhancement pack 1.