Comparison of analysis authorization roles ?

Similar Messages

• Analysis Authorization (Role, Profile and Direct Assignments)

  <b>Analysis Authorization Question:</b>
  1)     In BW 3.x environment, customers have used Role Maintenance Process to assign proper object level security and then assign to the users.
  2)     Most of the places R/3 security team takes over support/administration function of BI Security and they continue to use Role method to assign “Reporting Authorizations” as per the process defined in BW 3.x system.
  3)     Customer sometime have 100 + Roles to have 3.X “Reporting Authorizations”. This is Managed, assigned, approved using role concept.
  <b>
  Migration Options:</b>
  1)     New Analysis Authorization makes process of Role Maintenance like "hierarchy authorizations" of BW 3.x. You have to create Value in other transactions and assign them in Role as a pointer or link object. With Analysis Authorization concept, Actual value of the Object Assigned “Like Company code 1100” not visible in Role Maintenance PFCG transactions. It is only visible in Transaction code RSECADMIN.
  2)     Analysis Migration Tool - RSEC_MIGRATION does not update “ROLES”. It creates or changes “PROFILES”.
  3)     Profiles are assigned to the users and Roles does not reflect any Impact by Analysis Authorization migration.
  <b>Questions</b>
  a)     This means customer need to update all the roles by hand. If they want to use Roles to manage the assignment of the Security to users. Migration Tool does not update Roles, it only updates PROFILES.
  b)     Does any one use direct assignment to Users? It is good business practice?
  c) Is <b>Profiles</b> recommended method of Authorization Maintenance?
  d) Can we run migration tool to create Analysis Authorizations, but not assign to the users as a Profile. But stop at creating Analysis Authorizations. If Customer wants to use Roles maintenance process then, they can do not have delete profile assignments from all users before updating Roles using Analysis Authorizations.
  Just want to check how other folks have done migration that can be supported going forward.
  Pankaj Gupta

  Hey Pankaj,
  In general, assigning the analysis authorization directly to user makes a lot of sense for granular levels of authorization. For example, if you had 3,000 users, 3,000 specific authorization combinations, and 3,000 roles, using roles is a lot of additional overhead. If you had 12 roles and 3,000 users, your role concept makes a lot of sense.
  Therefore, the recommendation is that it varies on what makes the most sense logically. Authorization groups can be created to group analysis authorizations and combine them. Also, you have the ability to generate analysis authorizations using the Content Datastores for this. That is an option as well.
  RSEC_MIGRATION does use profiles as you've stated. If you want, there would be manual work to convert to roles afterwards. In case you haven't seen Marc's presentation on security, it's pretty good and covers how to generate authorizations from the datastore.
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/media/uuid/ac7d7c27-0a01-0010-d5a9-9cb9ddcb6bce

• Comparing analysis authorization

  Hello BI fans,
  is there any tool or transaction to compare 2 analysis authorizations?
  Maybe similar to transaction S_BCE_68001777 (comparisons of roles).
  I have to compare many analysis authorization. And it takes a long time to double click on every characteristic of the analysis authorization to check the values.
  Thanks in advance!

  Hello,
  There is no special transaction/report to compare authorisations. The best option available is described in the last 2 posts of this thread:
  Comparison of analysis authorization roles ?
  Regards,
  Michael

• Analysis Authorization In Dev and impact of reports and roles in prod trans

  Hello,
  We are planning to switch to analysis authorization. We plan to make that change first in Dev and we were wondering what would be the impact on roles and reports we transport from dev (which is switched to Analysis Authorization) to production( on Old authirization) ? We wont transport new things to production till we switch to new auth in Prd.
  Thanks a lot,
  BP.

  Hello
  Even if you are transporting the roles from dev to quality and production, the analysis authorization objects will not be checked until you set "current procedure..." in RSCUSTV23.
  So there is no harm in transporting the roles and auhotrization until you change the concept to analysis.
  regards,
  Payal

• Transport roles and analysis authorization with user assigned

  Hi expert,
  I face with this problem transport roles and analysis authorization with user assigned. When I have created a transport request to move the roles and analysis authorization from development system to test system. I couldnu2019t maintain the user assigned, after transport I have to assigned manually all of user or create a program to fill AGR_USER table or there are other way.
  Thanks for your time,
  Luis

  Hi,
  In role administration, you have the following options for transporting roles:
  You can download the roles from one system and upload them into another  
  You can import the role from a remote system using RFC  
  You can transport the roles with the transport function.
  Role upload loads all role data, including authorization data from a file into the SAP system. The user assignments for the role and the generated profiles for the role are exceptions in this case.
  Transporting Roles with the Role Transport Function
         1.      Start the role administration function by choosing Tools ® Administration ® User Maintenance ® Role Administration ® Roles (transaction PFCG).
         2.      Enter the role to be transported and choose Transport Role.
  The Mass Transport of Roles screen appears. You can control the default settings for the options Also transport single roles for composite roles and Also transport generated profiles for roles using Customizing switches (see Role Administration Functions in the section Functions of the Utilities Menu).
  You should not change the authorizations profiles of the role after you have included the role in a transport request. If you need to change the profiles or generate them for the first time, transport the entire role again afterwards.
  For more information go thrpugh the below link
  http://help.sap.com/saphelp_nw70/helpdata/EN/6d/7c8cfd410ea040aadf92e1f78107a4/content.htm
  Regards,
  Marasa.

• Role and Analysis Authorizations in BI

  Hello allo,
  Since analysis authorizations contains carateritics like infocube, queries, activities., is using role and the PFCG transaction (authorizations object)in BI obsolete ? i.e is Analysis authorizations completely replacing Authorization objects (and PFCG) in BI ?
  thanks !!

  Hatem,
  You have an option to use the old method however it's recommend to use analysis authorizations going forward.
  Take a look at the sap wiki for analysis auth for more info or search the site for other good info.
  https://www.sdn.sap.com/irj/sdn/wiki?path=/display/bi/authorizationinSAPNWBI&
  Cheers,
  Ben

• Role and Analysis Authorization Transport

  Dear Experts,
  I'm working with migration authorization project from 3.5 to 7.0. My doubt is when migrate in development enviroment enhancement each whith join S_RS_AUTH with Analysis Authorization which the role doesn't have any users assigning and transport to test enviroment where have a same role with user assigning. Do lose the user assign?
  Thank for all,
  Luis

  Hi,
  I think it will orverwrite the Role. If you want to lock the target system against import of user assignments, you can goto sm30 (Table - PRGN_CUST). Make an entry - USER_REL_IMPORT (value - NO).
  Thanks

• Authorizations analysis versus Authorizations roles

  Hello All,
  I try to understand how to manage BW authorizations in the best way. I'm confused with authorizations analysis we set up in transaction RSECADMIN and authorizations object available in authorizations roles.
  I have got some questions :
  1-Do we have to use both ? My tests shows that I have to declare a cube within analysis authorization using object 0TCAIPROV and I have also to update role with object S_RS_COMP for RSINFOCUBE.
  2-What are the list of all existing analysis authorisation object ?
  Thanks for your help
  Regards
  Catherine

  Hi Catherine,
  1)
  S_RS_COMP gives you the option to only change the object and has nothing to do with the reading the data from the infoprovider.This is maintained by the Basis team for the users to create and do the developments in business exploere.
  So if you want that a user should work upon a particulat infocube only like using that infocube to create query etc in business explorer.  then you should you give the give the cube name here.
  Generally it is kept as *.
  You have to maintain the user profile to read the data from the respective cubes.
  This has to be done by creating an authorization object/ ex .ZAUTH1) and providing the values for  0TCAIPROV  there.
  No need to add 0TCAIPROVto the cubes.
  Once the authorization object is created you need to assing it to a role and then this role should be assigned to the user.
  2)
  Some are here
  Authorization for Analysis Process                           RSANPR    
  Data Warehousing Workbench - Objects                         S_RS_ADMWB
  BI Analysis Authorizations in Role                           S_RS_AUTH 
  Business Explorer - BEx Reusable web items (NW 7.0+)         S_RS_BITM 
  Business Explorer - BEx Web Templates (NW 7.0+)              S_RS_BTMP 
  Business Explorer - Components                               S_RS_COMP 
  Business Explorer - Components: Enhancements to the Owner    S_RS_COMP1
  Data Warehousing Workbench - DataSource (Release > BW 3.x)   S_RS_DS   
  Data Warehousing Workbench - Data Transfer Process           S_RS_DTP  
  Data Warehousing Workbench - Hierarchy                       S_RS_HIER 
  Data Warehousing Workbench - InfoCube                        S_RS_ICUBE
  Data Warehousing Workbench - InfoObject Catalog              S_RS_IOBC 
  Data Warehousing Workbench - InfoObject                      S_RS_IOBJ 
  Data Warehousing Workbench  - Maintain Master Data           S_RS_IOMAD
  Data Warehousing Workbench - InfoSet                         S_RS_ISET 
  Data Warehousing Workbench - InfoSource (Release > BW 3.x)   S_RS_ISNEW
  Data Warehousing Workbench - InfoSource (Flexible Update)    S_RS_ISOUR
  Data Warehousing Workbench - InfoSource (Direct Update)      S_RS_ISRCM
  Data Warehousing Workbench - DataStore Object                S_RS_ODSO 
  Data Warehousing Workbench - Open Hub Destination            S_RS_OHDST
  Data Warehousing Workbench - Process Chains                  S_RS_PC   
  Data Warehousing Workbench - Transformation                  S_RS_TR   
  you can find this values in the table
  RSECVAL.
  Thanks
  Ajeet

• Regarding Analysis Authorizations in role.

  Dear all,
  I am working in Analysis authorization. we need to restrict the user from whole dimension.(for ex: access should be restrcited to whole Material Dimension)
  Senario 2: how to restrict the access to one of the object in whole dimension (for ex: we need to restrict the access to material object in material dimension, but user can have authorization for other objects like division)
  How to do this. any pointers would be appreciated.
  thanks in advance.
  Regards,
  Mohankumar.g

  Good morning,
  I would start with your scenario 2 query.
  Build your analysis authorisation including the standard 3  info objects (Activity, Validity Date, Info Areas) and any other info object required.  Specifically, for your material object to be checked (including any of the others), it has to be made Authorization Relevant in the info object itself (usually done by your BW consultant).
  Once this has been done, you'll be able to add the info object to your authorisation.
  So the authorisation here, would be restricted to the various info sources and your material object could be specified here.
  In order for this to work, your BW consultant would also need to add an Authorisation variable to the report - although I'm sure your consultant would know about this requirement.
  For your first scenario you would have to build the authorisation in exactly the same was as in your 2nd scenario, however the material object info object would be wild-carded.
  Hope this answers your questions?
  Regards
  Lucille

• Double Role for Analysis Authorization using Variable via Customer Exit

  Hi Guys I have been implementing AA using variable via customer exit and I have run into this problem, I wonder anyone have encountered this.
  Example I have a User having 2 sets of authorization Roles
  Role 1
  Personnel Area = A, B
  Personnel Sub Area = 1,
  Role 2
  Personnel Area = A
  Personnel Sub Area = 1, 2
  And what we can derive this that is the user is able to see A-1 B-1 and A-2 BUT NOT B-2 when we run all.
  But instate when we run the report it is drawing B-2 as well as because we are entering
  Personnel Area = A,B
  Personnel Sub area = 1,2
  Any idea how to solve this?
  <removed by moderator>
  Edited by: Siegfried Szameitat on Dec 3, 2008 2:41 PM

  Hello Chee Jason,
  Are you working with version 3.5 or 7.0
  How do you specify Hierarchy variable?
  Any advise you can share is very much appreciated.
  Thanks,
  Patrick

• Analysis Authorization not working - Empty demarcation

  Can someone help me on this Analysis Authorization? I read many threads in SDN, it seems that I followed the correct steps. The restriction on S_RS_COMP is working well but the restriction on the Analysis Authorization is not working. Surely I'm making some mistake, but can't find what's wrong.
  I'm a User (say USER_00) in a test system, assigned to a Role (say Z:BI_USER). This is a broad role:
  - S_RS_COMP and S_RS_COMP1 have full authorization (*) to all the fields,
  - S_RS_AUTH has the BIAUTH field with Name of Authorization = *.
  Also I have an InfoArea (ZIA_TEST) and an InfoCube (ZIC_TEST). The IC has some characteristics and key figures. The only authorization relevant characteristic is ZCA_CLI (client). The IC has only 5 lines, one for each client ("CLI_01" to "CLI_05").
  Also there's a query (ZQR_TEST) on this IC, with an Authorization Variable (VAR_AUTH_CLI) restricting the characteristic ZCA_CLI.
  I'm trying to create a new User and restrict him to this IC and only to the data of client "CLI_01". If it works I'll apply to a production system.
  What I did:
  1) With tcode SU01 created a new User (USER_01) with no Role neither Analysis Authorization.
  2) With tcode PFCG copied the Role Z:BI_USER as Z:ROLE_TEST then made some changes:
  a) S_RS_COMP
  - Activity = 03 and 16
  - InfoArea = ZIA_TEST
  - InfoCube = ZIC_TEST
  - Type of report component = *
  - Name of report component = *.
  b) S_RS_COMP1
  - Kept * to all fields.
  c) S_RS_AUTH
  - I inactivated and deleted this Authorization Object.
  (I don't want to keep characteristic values restriction inside the role. The idea is to associate different users to the same role, allowing them to see the same ICs and execute the same queries. And differentiate wich characteristic values each one can see by manually associating different analysis authorization to each one.).
  3) With tcode RSECAUTH I created an Analysis Authorization (Z_AA_CLI_01) to restrict access only to client "CLI_01":
  - ZCA_CLI = "CLI_01"
  - 0TCAACTVT = "03"
  - 0TCAIPROV = "ZIC_TEST"
  - 0TCAVALID = "*".
  4) With tcode PFCG I assigned User "USER_01" to the Role " Z:ROLE_TEST" and made Complete Comparison.
  5) With tcode RSU01 I manually assigned Analysis Authorization " Z_AA_CLI_01" to User "USER_01".
  It seems to me that these steps are enough. But:
  a) When I log as USER_00 and go to tcode RSRT2, searching by InfoAreas I can see all the InfoAreas and all the InfoCubes, select and execute the query. That's OK.
  b) When I log as USER_01 and go to RSRT2, searching by InfoAreas I can see only ZIA_TEST and under it I can see only ZIC_TEST. That's OK. Then I select and execute the query.
  Wich means that S_RS_COMP is OK and each user is assigned to the correct Role.
  c) The problem is that in both cases the query brings data from all Clients.
  Under Information and Variable Values (when I run with HTML display) the message is "Empty demarcation".
  I changed the variable to be Ready for Input, just to see wich values it brings. In both cases (as USER_00 and as USER_01) in the Variable Screen it brings all the 5 Clients from the IC and I can select and execute any value.
  So the problem is with the Analysis Authorization or with the Variable, but I can't find what's wrong.
  Any help will be very appreciated.
  César

  OK Marc, it worked.
  Sorry for not answering earlier, but I could get back to this front only some days ago, then began testing your suggestions.
  1) Security Concept
  Authorization Mode was set to "Obsolete Concept with RSR Authorization Objects" (it would never work with this setting).
  I changed to "Current Procedure with Analysis Authorizations".
  Anyway, what's the function of this setting? Do old Reporting Authorizations work with "Current Procedure with Analysis Authorizations" setting?
  2) Variable Representation
  With "Multiple Single Values" it really led to problems.
  With "Selection Option" it worked well.
  3) 0TCAKYFNM
  I don't understand why, but if the AA doesn't have the char/dimension 0TCAKYFNM, when the User tries to run the query (tcode RSRT2) it accuses "You do not have sufficient authorization".
  Info Cube ZIC_VE95 has two KFs (ZKF_QTL95 and ZKF_VLT95). These KFs are used only on this IC (also in the KF Catalog, but it doesn't impact). This IC is used only on Query ZQR_VE95 (also in Transformation and DTP, wich doesn't impact).
  Well, I inserted 0TCAKYFNM and it worked, either with CP, "*" or with EQ, the two KFs.
  4) Authorization Policy Definition
  The situation I'm working on is very typical. Ex.: Some users are Administrators, Managers, Operator 1, Operator 2 and so on. Each Role needs authorization to access some queries. At the same time, they can access information only of the Cost Centers to wich they are related.
  There are many ways to implement it (I tested some of them and they worked well). My point is to define a most practical way, easy to understand and to maintain.
  I'm now sympathetic to this way:
  a) Create functional Roles (ex.: "Administrator", "Manager", "Operator 1", "Operator 2" and so on) defining only the Queries (or Info Areas, Info Providers, etc) each Role needs. No S_RS_AUTH definition.
  b) Create Char Value Roles (ex.: "CC_100_to_199", "CC_200_to_299", etc), only with S_RS_AUTH definition, each one associated with a corresponding AA (ex.: AA for CC 100 to 199, AA for CC 200 to 299 and so on).
  c) Create Composite Roles associating functional and char value Roles. Ex. Composite Role "Administrator for CC 100 to 199", composed of the Roles "Administrator" and "CC_100_to_199".
  d) Associate Users to the Composite Roles.
  Anyway, I'd appreciate if you could indicate some literature (blogs, articles, etc) on this theme.
  Well, thank you very much for your answers. Now I can go on with my studies on this subject.
  César Menezes

• Aggregation authorization within analysis authorizations

  Hello,
  The BW developers have created several queries that use aggregated data. When testing the queries with the end user ID (assigned to an end user role and analysis authorization), it is failing due to missing authorizations, particularly b/c of the following:
  Supplementation of Selection for Aggregated
  Characteristics
    Check Added for Aggregation Authorization:     0COMP_CODE  
    Check Added for Aggregation Authorization:     0PLANT  
  All Authorizations Tested
    Message EYE007: You Do Not Have Sufficient Authorization  
    No Sufficient Authorization for This Subselection (SUBNR)  
  Following CHANMIDs Are Affected:
  142 ( 0COMP_CODE )
  189 ( 0PLANT )
  192 ( 0SALESORG )
  In the BI documentation, it specifies that : (colon): allows only aggregated access to data (e.g. allows information on all sales areas only on aggregated level –not on particular countries). Is this ( specified as a value within the particular characteristics? I also tried to select the "aggregation authorization" icon within txn code RSECADMIN and this did not help.
  Any help would be GREATLY appreciated.

  Updated: For the analysis authorization, for these characteristics, in addition to the specific values, there is an entry for ":" and this did not resolve the issue.
  Authorization Check  
    Detail Check for InfoProvider ZBL_13IT  
    Preprocessing:  
  Selection Checked for Consistency, Preprocessed and Supplemented As Needed
  Subselection (Technical SUBNR) 1
  Check Node Definitions and Value Authorizations...
  Node- and Value Authorizations Are OK
  End of Preprocessing
    Main Check:  
    Subselection (Technical SUBNR) 1  
  Supplementation of Selection for Aggregated Characteristics
    Check Added for Aggregation Authorization:     0COMP_CODE  
    Check Added for Aggregation Authorization:     0PLANT  
  Following Set Is Checked  Comparison with Following Authorized Set  Result  Restmenge 
  Characteristic  Contents 
  0PLANT
  0SALESORG
  0TCAACTVT
  0COMP_CODE
  SQL Format:
  COMP_CODE = ':'
  AND PLANT = ':'
  AND SALES
  ORG = '0403'
  AND TCAACTVT = '03'
  Characteristic  Contents 
  0PLANT  I EQ IC01
  I EQ IC02
  I EQ IC03
  I EQ IE02
  I EQ IE04
  I EQ IZ01
  I EQ MC01
  I EQ ME01
  I EQ :
  0SALESORG  I EQ 0301
  I EQ 0341
  I EQ :
  0TCAACTVT  I EQ 03
  I EQ :
  0COMP_CODE  I EQ 0327
  I EQ 0341
  I EQ :
  Not Authorized   
  All Authorizations Tested
    Message EYE007: You Do Not Have Sufficient Authorization  
    No Sufficient Authorization for This Subselection (SUBNR)  
  Following CHANMIDs Are Affected:
  142 ( 0COMP_CODE )
  189 ( 0PLANT )
  192 ( 0SALESORG )
    Authorization Check Complete

• Analysis Authorization in BO 4.0 Webi report

  Hi All,
  I am using BO 4.0 and creating connection from Information Design tool to a BW query using BICS client. This connection is then published to CMC.
  We are using SAP authentication and importing the roles from BW system. We have added profiles to this role and these profiles have Analysis Authorization set on Company Code. So one user can access data to one company code and vice versa. Now this works well in Bex Analyzer, but if I try to create a report in Webi, the analysis authorization fails. I went through the forum before posting this question and I found that is in 3.1 version and in most cases using SSO in universe connection solved the problem.
  However in 4.0 I am using BICS client and followed the same processes to create a connection but for some reason it doesn't work ? Is this suppose to work differently in 4.0 ?
  I have tried:
  1. To create connection in Information Design tool using SSO, selecting user ID and password. It doesn't work.
  2. Checked the Bex query and it already has Company code as a Characteristic restrictions (I have made it a mandatory variable).
  3. Publish the connection to CMC with my Enterprise and SAP ID and in both cases it doesn't work.
  Please let me know if anyone encountered a similar issue and what is the best method to resolve this.
  (BO 4.0 no service pack or fix pack installed on the system yet)
  Thanks - Appreciate your help !
  Prasad Rasam

  Ingo,
  1. To create connection in Information Design tool using SSO, selecting user ID and password. It doesn't work.
  >> Correct you need to setup you OLAP Connection with SSO.
  >>> What I meant was I created the connections using both the methods, Using SSO it allows me to create a connection. The ID which I am using to create a connection has Admin access to BOBJ system. When I login as a regular user to create a Webi report and select this new connection, it throws an error message 'The DSL Service returned an error: com.businessobjects.dsl.services.workspace.impl.QueryViewAnalyzer$CannotGetCubeFromConnectionException: Cannot get the cube from the connection'
  Using the other method to create a connection with User ID and password, I can create a connection and with the normal user login I can connect to the BW query but Analysis Authorization doesn't work.
  Ingo : Could you be more specific what you mean here with the different users ? When you say "regular" user are you referring to an SAP credentials or SAP BusinessObjects Enteprrise credentials ?
  2. Checked the Bex query and it already has Company code as a Characteristic restrictions (I have made it a mandatory variable).
  >> The variable in the BEx query needs to be an authorization variable.
  >>> This has already been set as Authorization variable. There is still a question here. If I select the variable as Authorization variable, I cannot set the other parameters in the query properties such as Mandatory variable (as this is greyed out).
  Ingo : What other parameters would you like to configure ? Could you perhaps describe the scenario with more details ?
  regards
  Ingo Hilgefort

• Analysis Authorization Issue

  Hi:
  I created an analysis authorization ZCO_CODE to trstrict it by a company code.
  I added following objects in authorization with values.
  0COMP_CODE = 1000
  0TCAACTVT = 03
  0TCAIFAREA = *
  0TCAIPROV = *
  0TCAVALID = *
  Then I created a role Z:00:BW_REPORT, where I added following authorization objects S_RS_AUTH and restricted it by value ZCO_CODE. Then I assigned this role to a user test01.
  When I execute a program RSEC_MIGRATION for this specific user, I do not see authorization object ZCO_CODE on 2nd step of this program. Any Idea Why? I think this object should show up as I want to migrate this specific object.
  Help will be appreciated.

  Hi Sachin:
  Okay here is my issue.
  I have a Reporting authorization Object created earlier which is ZCOCODE. I though I'll have to create a new Analysis authorization object e.g. ZCO_CODE and then restrict it with other chars. as mentioned in Marc Bernards presentation and then you have to migrate it.
  In selection list I can see old Reporting authorization object. If I select it and use option "Enhance existing profile" then It will update profile and not role? right....
  How can I see whether it has updated existing profile?????
  Do I need to create new Analysis Auth. for Company code or I can use old Reporting authorization for company code?
  For testing purpose, I created a test user and assigned all reporting roles but It will not show up in RSEC_MIGRATION step???

• BW Analysis authorization issue... need help urgently....

  We have one BW query which is pulling data from Contract Division info-object. Now this report does not variable selection object so it is pulling data from all values of Contract Division. Values of  Contract Division are CNC, CNS, CNE and CNL.
  Now we have created an analysis auth. object called z_es_3 and added Contract division info-object. Now we have added that z_es_3 into role and given value to CNS. now when we are running report, we are getting No Authorization error. When we are giving * value in z_es_3, it is running fine.
  Now we have to restrict report to contract division. please help.
  Thanks in advance

  Are you running unrestricted search on Contract division in your queries? You should restrict it to value which is maintained in the authorization for the InfoObject.
  Also please run the analysis authorization trace from RSECADMIN. That will give you a clearer picture of what is wrong.