[CUA] Compatibility with Analysis Authorizations (RSECADMIN)

Similar Messages

• Issues with Analysis Authorization checks in APO

  Hi Friends,
  I am facing an issue with Analysis authorization checks in APO.
  We have setup user access based on Management Entity (Analysis authorization - AGMMGTENT and 0TCAACTVT) and core APO authorizations (based on the work profile - e.g: Demand Planner).
  Scenario: Consider User A has access to India and Australia Management Entities with 0TCAACTVT - *
  This user also has display access to all management Entities (AGMMGTENT - * and 0TCAACTVT - 03). This scenario works very well in Quality where the RSECADMIN trace shows check on both Characteristics. However in Production the RSECADMIN trace shows up only against AGMMGTENT (*) and by default takes 0TCAACTVT as (*).
  In Quality the Characteristics that get checked are as below : and it works as expected. Display access for Management Entities that are supposed to be displayed only and change access to only the Management Entities that it should.
  However the Trace for Production shows the following : As a result it is allowing the user to change access to all management Entities. Which is not desirable..
  Resultant trace results are as below: This should not happen..
  I have compared all Analysis Authorizations and it is same across both Instances. The Demand planner access is consistent too..
  Will it be possible for you to advise on what could I be missing.

  Hi All,
  If it helps, in Quality: the Authorization checks are listed as: Subselection (Technical SUBNR) 1
  while in Production it checks Subselection (Technical SUBNR) 1 in one place, however where it fails - the check happens as Subselection (Technical SUBNR) 0.
  Is there a way we can change this to SUBNR 1. Is there any table entry that I can look at to check if the Authorization check is functioning incorrectly..
  Please advise.. Thanks..
  Regards,
  Prakash

• Issues with Analysis Authorization on Infoset

  Hi all
  We are facing an issue with Analysis Authorization on Infoset, it doesnt seem to throw authorization error when we access a record that is outside the authorization. We tried to use the same authorization set up from the same user we try to access the a record that is outside the authorization it behaves correctly.
  Here is my setup
  0CRM_MKTELM__0CRMCAMPTYP = ZA11
  0TCAACTVT = *
  0TCAIPROV = *
  0TCAVALID = *
  When I tried to access ZA12 it should throw an authorization error but for infoset it doesnt seem to work. Is there anything that we should take note for Infoset?

  Hi Chee,
  I am getting similar issue.
  I believe navigational attribute was already a authorization relevant in your case.
  What and where did you set it as authorization relevant to make it work on infosets.
  Regards,
  Ramz

• BI analysis authorizations/ RSECADMIN/  Tables

  Hello,
  Does anybody know which tables are used with RSECADMIN.
  In which tables are the values of the authorizations created in the RSECADMIN stored ?
  Thanks in advance.
  Kind Regards,
  Vincent

  Vincent,
  The tables are:
  RSECAUTHTRUSER - Shows the users that will be log
  RSECVAL - shows analysis authorizations values
  RSECUSERAUTH - Shows analysis authorizations added to users manually.
  You can also check the following page for more information
  https://www.sdn.sap.com/irj/sdn/wiki?path=/display/bi/authorization%2bin%2bsap%2bnw%2bbi
  Regards, Jose

• Problem with analysis authorization- 0BI_ALL always needed

  Dear all:
  we have a serious issue on so-called "analysis authorization" now. We have auth-restricted user who only have authorization to access data on one company code. We also create a BI-authorization in analysis authorization and assign the following auth-relevant object to this authorization-
  0TCAACTVT = 01-03
  0TCAIPROV = ALL
  0TCAVALID = ALL
  0TCAKYFNM = ALL
  0COMP_CODE = A001
  And we create one query with only company code and number of employee in the row and column. But everytime we execute this query, there s always message" No Authorization". We used ST01 to trace and the result shows we need to have "0BI_ALL" in auth object S_RS_AUTH. If we added 0BI_ALL, all company code data will display, which definitely no auth restriction at all. Is there any specific authorization setting we need to do?
  We are stuck here pretty bad. Thank you all in advance if any input.
  BR
  SF

  Hi,
  I guess the Authorization profile is active , and in the Tcode PFCG -> Role name -> User tab page ( user comparision is done ).
  Check if any of the tab page shows red light .
  And assignment of 0BI_ALL is not a solution , as any user can do anything in the system.
  Also do not forget to log - off and log-in into system after changing into any of the authorization profile to see changes that had happened.
  Hope that helps.
  Regards
  Mr Kapadia
  Assigning points is the way to say thanks in SDN.

• Analysis Authorization - RSECADMIN

  Hello everybody,
  I have created an auth object (in RSECADMIN) and added appropriate values to 0PROFIT_CTR and 0TCAACTVT. I have assigned this auth object to a user, everything works fine so far.
  Question: We have about 100+ profit centers and hundreds of users, I need to give access to all these users to different set of profit centers, what would be the best way to accomplish this ?
  Any help would be highly appreciated.
  Thanks,
  Anil

  You may wish to check with LSMW tcode.
  Steps -
  1)Maintain excel file with the mapping of user ID's and authorization object values in the proper format/structure you gonna upload via LSMW.
  2)LSMW
  Here you can record the script or the activity you want to do ,say for example asigning authorization object using RSECADMIN to a user  with values 0PROFIT_CTR and )TCAACTVT.
  Follow the steps of LSMW and Run the batch input session for whole file mapped earlier.
  LSMW - Step by Step
  Hope it Helps
  Chetan
  @CP..

• CUA compatibility with 620 and Netweaver

  Hi All,
  We are planning to install CUA in production
  Since we don't utilized much Solution manager 3.2. We planned to use solution Manager as CUA master / parent and NetWeaver servers 2004 as child.
  But I am not sure if we can use 620 as master and 640 as client.
  I am unable to find any notes on compatibility.
  Please help us to find any known issues and best practice guide on it.
  Thanks,
  Vinod Kaduskar

  Hello,
  I have installed CUA in the described scenario (master in SolMan 6.20, clients in 6.40) without problems.
  I prefer the SolMan as CUA master because it is the central admin system (RZ20, CCMS, ...).
  There are some restrictions in LAW (license admin workbench). You have to upload the data of other clients via file. RFC is not possible, if LAW runs in 6.20.
  Best regards
  Rainer

• Analysis Authorization based on Hier node with multiple display hierarchies

  Hi guys - I've got a problem where s.o. might have an idea of how to switch on the light at the end of the tunnel, I am currently standing in:
  Requirement:
  Cost Center Authorization should be given through RSECADMIN, reporting should be possible for any hierarchy that exists for the authorization relevant info object.
  Preferred solution:
  The Cost Center Analysis Authorization should be given through RSECADMIN - Hierarchy node assignment.
  u2022     A dedicated Authorization Cost Center Hierarchy will be maintained in ECC6 as an alternative cost center hierarchy and extracted into BW.
  u2022     The RSECADMIN Hierarchy node assignment should be based on a particular node (Type 2).
  u2022     The display level will be specified as required (here: Level 7)
  u2022     The Authorization granted should be independent of hierarchy name and version (validity 3).
  Reporting Scenario and technical impact:
  As mentioned above, when designing and running a query the user should be able to freely select other (i.e. than the authorization) display hierarchies for the authorization relevant reporting object 'Cost Center' as well. The technical names of the semantically relevant hierarchy nodes could therefore vary. E.g. cost centers 1, 2 and 3, being assigned under hierarchy node u2018Au2019 of the RSECADMIN relevant authorization hierarchy, could be subsumed by hierarchy node u2018Bu2019 in another display hierarchy, which the user may want to display in accordance to his reporting needs. Ideally, the alternative display hierarchy should therefore display node u2018Bu2019.
  My findings so far (based on prototyping) turn out that this is not possible as long u2018Bu2019 (and its hierarchy) is not authorized in RSECADMIN. Can these findings be confirmed? And if not, would anyone have an idea of how to facilitate the reporting scenario?
  Would there be any other way to grant access, possibly based on RSECADMIN single values, and also enable the user to flexibly display hierarchies with only those hierarchy nodes whose single cost center values the user has been given access to?
  Thanks everyone for your input...
  Claus
  Edited by: Claus64 on Jul 13, 2009 4:10 AM

  HI CLause,
  On Jul 14 2009, you wrote in SDN and said:
  FYI: Found a solution...
  The hierarchy analysis authorization will be based on a navigational attribute of cost center.
  With analysis authorizations it is possible to declare the Auth object (e.g. 0COSTCENTER__RACCAUT0) as authorization relevant and leave the superior object 0COSTCENTER auth irrelevant.
  The auth will be given for 0COSTCENTER__RACCAUT0. This object will be placed as a filter of the query, being restricted by an Authorization variable for hierarchy nodes.
  Due to the concept of Analysis Authorizations, this variable will automatically pick up the nodes granted as part of RSECADMIN Hierarchy based Authorization.
  As mentioned above, 0COSTCENTER as the regular reporting characteristic remains auth irrelevant and can therefore take any hierarchy thatu2019s available. Reporting on single values will be possible, too. Only those nodes show up that hold the authorized cost centers in accordance to the authorization.
  If the auth relevant 0COSTCENTER__RACCAUT0 is not used in the query definition by either not taking it in as a filter or skipping the Auth variable, the query will launch the message that the authorization is missing. No data show up at all.
  Claus
  See this thread:
  Analysis Authorization based on Hier node with multiple display hierarchies
  I am also in the same situation as you and need to understadn your solution. I understand that you created a Nav Attr on 0COSTCENTER and made this auth relevant whilst ensuring that 0COSTCENTER is NOT auth relevant. This is all fine. The issue was you have multiple hierachies for 0COSTCENTER, how did the new Nav Attr help you solve your issue. When loading 0COSTCENTER what values did you load ino the new Nav Attribute and how did that link to the hierachies? Also, in RSECADMIN you created hiearchy nodes based on the Nav Attribute but I am confused as to what values you have in the Nav Attr.
  I appreciate if you can share your solution from the past in more details.
  many thanks

• Analysis Authorization & its compaitbility with BW 3.5 Query

  Hi,
  We have technically upgrade our system from BW 3.5 to BI 7.0. Now we are planning to upgrade to Analysis Authorization.
  1. Is it necessary to Migrate BW 3.5 query to BI 7.0 so that it will work with Analysis Authorization? If not, then how Analysis auth will treat authorization variable defined in the query?
  2.What are pro & cons of two approach: Fresh Implementation of Analysis Authrization v/s Migration using tool ?
  Please advise.
  Best Regards,
  UR

  Dear UR,
  Iu2019m going to try helping you,
  In advance a give you some ideas about migration process regarding authorization system.
  Currently you can use the old concept of authorization (reporting authorization object) in the 7.0 2004s environment. You can set up in Tcode: RSCUSTV23 what authorization mode, you would like use. 
  When have you migrated whole queries but you keep the old concept, this doesnu2019t impact the authorization system functionality.
  When you change the authorization mode to current procedure with analysis authorizations, you need be careful with the attribute navigational. Because, in the old mode, the attribute navigational get setting of its characteristic. Example if you use 0COMP_CODE__0COSTCENTER, and de 0COSTCENTER is relevant authorization, all of attribute navigational com from 0COSTCENTER are relevant authorization. Otherwise, in current procedure with analysis authorizations, where each navigational attribute has the same level of a characteristic.
  When you migrate to analysis authorization, SAP best practice recommend keep in each reporting role all of reporting authorization object for a short period of the time.
  In my experience the main thing was list above.
  Try to get more information in:
  SAP BI - User Management & Authorizations
  OSS Note 923176
  I hope this suggestion can help you,
  Luis

• BW Analysis Authorization on two charcteristics issue

  I am familiar with analysis authorizations in BW 7.0 and worked on it.
  Today we have blanket authorization (RSECADMIN) for 0TAX_NUMB = *. Meaning user who has this auth/role can see values (from where ever 0TAX_NUMB is used, all company codes etc). And as you might know 0TAX_NUMB is used in 0VENDOR & 0CUSTOMER master data (as an attribute). This works well, because its easy
  Now, new requirement is to create more strict analysis authorizations for 0TAX_NUMB based on other characteristic values.
  Auth1 (should apply to 0TAX_NUMB used in 0VENDOR):
  0TAX_NUMB = all values and only for vendor account group = XXX
  Auth2 (should apply to 0TAX_NUMB used in 0VENDOR):
  0TAX_NUMB = all values and only for vendor account group = yyy
  Auth3 (should apply to 0TAX_NUMB used in 0VENDOR):
  0TAX_NUMB = all values and only for vendor account group = zzz
  Auth4 (should apply to 0TAX_NUMB used anywhere other than 0VENDOR, for example, as I said above its also used in 0CUSTOMER and may be used elsewhere in future):
  0TAX_NUMB = all values
  Do I also need to add 0CUSTOMER here? unable to visualize!!!
  Also, 0TAX_NUMB and Vendor account group will have colon authorization.
  So, at this time I am not sure how this will impact other queries with following scenario(s):
  User1 has auth1:
  Here, User1 can see tax_numb values for vendor act grp XXX, thats good, so far.
  But can user see query results where tax_numb is not used but would like to see all vendor account group related data (or other than value XXX)?
  User2 has auth4:
  Since this auth has blanket tax_numb, can user2 see all values for tax_numb used in 0CUSTOMER (which he/she should) and also in 0VENDOR (he/she should not)...
  And what about queries that do not have 0TAX_NUMB (but infoprovider has)? Colon auth on TAX_NUMB & Vendor act grp would resolve this?
  I appreciate your thoughts on this. We are BW 7.01 (Ehp1), SPS10.
  Regards
  -Bala
  Edited by: Bala Shetty on Dec 15, 2011 12:02 AM
  Edited by: Bala Shetty on Dec 15, 2011 12:04 AM
  Edited by: Bala Shetty on Dec 15, 2011 12:05 AM
  Edited by: Bala Shetty on Dec 15, 2011 12:09 AM

  Thank you Sushant.
  I am aware of these notes and provide basic information and also usage of value restrictions. I am looking for usage of different combinations for multiple characteristics (especially the attributes of master data)....
  Regards
  -Bala

• Analysis Authorization (Role, Profile and Direct Assignments)

  <b>Analysis Authorization Question:</b>
  1)     In BW 3.x environment, customers have used Role Maintenance Process to assign proper object level security and then assign to the users.
  2)     Most of the places R/3 security team takes over support/administration function of BI Security and they continue to use Role method to assign “Reporting Authorizations” as per the process defined in BW 3.x system.
  3)     Customer sometime have 100 + Roles to have 3.X “Reporting Authorizations”. This is Managed, assigned, approved using role concept.
  <b>
  Migration Options:</b>
  1)     New Analysis Authorization makes process of Role Maintenance like "hierarchy authorizations" of BW 3.x. You have to create Value in other transactions and assign them in Role as a pointer or link object. With Analysis Authorization concept, Actual value of the Object Assigned “Like Company code 1100” not visible in Role Maintenance PFCG transactions. It is only visible in Transaction code RSECADMIN.
  2)     Analysis Migration Tool - RSEC_MIGRATION does not update “ROLES”. It creates or changes “PROFILES”.
  3)     Profiles are assigned to the users and Roles does not reflect any Impact by Analysis Authorization migration.
  <b>Questions</b>
  a)     This means customer need to update all the roles by hand. If they want to use Roles to manage the assignment of the Security to users. Migration Tool does not update Roles, it only updates PROFILES.
  b)     Does any one use direct assignment to Users? It is good business practice?
  c) Is <b>Profiles</b> recommended method of Authorization Maintenance?
  d) Can we run migration tool to create Analysis Authorizations, but not assign to the users as a Profile. But stop at creating Analysis Authorizations. If Customer wants to use Roles maintenance process then, they can do not have delete profile assignments from all users before updating Roles using Analysis Authorizations.
  Just want to check how other folks have done migration that can be supported going forward.
  Pankaj Gupta

  Hey Pankaj,
  In general, assigning the analysis authorization directly to user makes a lot of sense for granular levels of authorization. For example, if you had 3,000 users, 3,000 specific authorization combinations, and 3,000 roles, using roles is a lot of additional overhead. If you had 12 roles and 3,000 users, your role concept makes a lot of sense.
  Therefore, the recommendation is that it varies on what makes the most sense logically. Authorization groups can be created to group analysis authorizations and combine them. Also, you have the ability to generate analysis authorizations using the Content Datastores for this. That is an option as well.
  RSEC_MIGRATION does use profiles as you've stated. If you want, there would be manual work to convert to roles afterwards. In case you haven't seen Marc's presentation on security, it's pretty good and covers how to generate authorizations from the datastore.
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/media/uuid/ac7d7c27-0a01-0010-d5a9-9cb9ddcb6bce

• How to get Query Results based on Analysis Authorization Ranges????

  Hi Experts,
  I have gone through the lot of SDN Links, however not able to find the answer to my question.
  I have an Authorization Issue, “NO Authorization “
  Error : EYE 007 ( Insufficient Authorizations )
  <b>Here is the issue:</b>
  Need to see the complete query result when I gave the range in Analysis Authorization for Controlling Area 001-005. Controlling Area is auth relevant and right now a variable is inserted in the query for it. If I select Controlling Area 001, the result for Controlling Area 001 is displayed in query. If 002 then also displayed. If I do not enter anything, then I get the <b>Eye 007 error message</b>.
  I am not sure how do I display/authorize the entire result in the query for all the Controlling Areas, I have authorized user to see??
  <b>Its really urgent, please help..!</b>
  Here are the logs:
  Authorization Check Log
  Date and Execution Time (Local Server)
  Execution Date: 06.09.2007
  Execution Time: 14:48:41
  Executed Query: 0CCA_C11/GBCCA_MP01_Q0002_AP
  Executed by User ZBI_TEST_001
  Executed with Analysis Authorizations of Another User ZBI_TEST_001
    InfoProvider Check  
  Building the Buffer...
  ...Buffer Built
  Are there authorizations for accessing InfoProvider 0CCA_C11 with activity 03?
  Authorization exists for general access to InfoProvider 0CCA_C11 with activity 03 
    InfoProvider Check  
  Authorization exists for general access to InfoProvider 0CCA_C11 with activity 03 
    Relevant Characteristics for Detailed Authorization Check  
  (Characteristics with Full Authorization Are Not Listed!)
    List of Effective Authorization-Relevant Characteristics for InfoProvider 0CCA_C11:  
  0CO_AREA 
  0TCAACTVT 
    Relevant Characteristics for Detailed Authorization Check  
  (Characteristics with Full Authorization Are Not Listed!)
    List of Effective Authorization-Relevant Characteristics for InfoProvider :  
  List Is Empty:
    There Are No Characteristics That Have to Be Checked in Detail  
    Authorization Check  
    Detail Check for InfoProvider 0CCA_C11  
    Preprocessing:  
  Selection Checked for Consistency, Preprocessed and Supplemented As Needed
  Subselection (Technical SUBNR) 1
  Check Node Definitions and Value Authorizations...
  Node- and Value Authorizations Are OK
  End of Preprocessing
  Filling the Buffer...
  ...Buffer Filled
    Main Check:  
    Subselection (Technical SUBNR) 1  
  Supplementation of Selection for Aggregated Characteristics
    No Check for Aggregation Authorization Required  
  Following Set Is Checked  Comparison with Following Authorized Set  Result  Remaining Set 
  Characteristic  Contents 
  0CO_AREA
  0TCAACTVT
  SQL Format:
  CO_AREA = '0003'
  AND TCAACTVT = '03'
  Characteristic  Contents 
  0CO_AREA  I BT 0001 0005
  0TCAACTVT  I EQ 03
  I EQ 16
  Authorized   
    Subselection (SUBNR) Is Authorized  
    Authorization Check Complete  
    Authorization Check  
    Detail Check for InfoProvider 0CCA_C11  
    Preprocessing:  
  Selection Checked for Consistency, Preprocessed and Supplemented As Needed
  Subselection (Technical SUBNR) 1
  Check Node Definitions and Value Authorizations...
  Node- and Value Authorizations Are OK
  End of Preprocessing
  Filling the Buffer...
  ...Buffer Filled
    Main Check:  
    Subselection (Technical SUBNR) 1  
  Supplementation of Selection for Aggregated Characteristics
    No Check for Aggregation Authorization Required  
  Following Set Is Checked  Comparison with Following Authorized Set  Result  Remaining Set 
  Characteristic  Contents 
  0CO_AREA
  0TCAACTVT
  SQL Format:
  TCAACTVT = '03'
  Characteristic  Contents 
  0CO_AREA  I BT 0001 0005
  0TCAACTVT  I EQ 03
  I EQ 16
  Partially or Fully Authorized (Intersection)   Characteristic  Contents 
  0CO_AREA
  0TCAACTVT
  SQL Format:
  ( CO_AREA < '0001'
  OR CO_AREA > '0005' )
  AND TCAACTVT = '03'
  Value selection partially authorized. Check of remainder at end
  Following Set Is Checked  Comparison with Following Authorized Set  Result  Remaining Set 
  Characteristic  Contents 
  0CO_AREA
  0TCAACTVT
  SQL Format:
  ( CO_AREA < '0001'
  OR CO_AREA > '0005' )
  AND TCAACTVT = '03'
  Characteristic  Contents 
  0CO_AREA  I BT 0001 0005
  0TCAACTVT  I EQ 03
  I EQ 16
  Not Authorized   
  All Authorizations Tested
    Message EYE007: You do not have sufficient authorization  
    No Sufficient Authorization for This Subselection (SUBNR)  
  Following CHANMIDs Are Affected:
  184 ( 0CO_AREA )
    Authorization Check Complete  

  Hi,
      Have you defined the vaule for 0CO_AREA as BT 001-005 in you Authorization for 0CO_AREA.Also how have you defined your Authorization Variable on the query? Have you define as select options or interval? I thing you need to define it as interval or select options.
  Hope it helps,
  Cheers,
  Balaji

• Analysis Authorization not working - Empty demarcation

  Can someone help me on this Analysis Authorization? I read many threads in SDN, it seems that I followed the correct steps. The restriction on S_RS_COMP is working well but the restriction on the Analysis Authorization is not working. Surely I'm making some mistake, but can't find what's wrong.
  I'm a User (say USER_00) in a test system, assigned to a Role (say Z:BI_USER). This is a broad role:
  - S_RS_COMP and S_RS_COMP1 have full authorization (*) to all the fields,
  - S_RS_AUTH has the BIAUTH field with Name of Authorization = *.
  Also I have an InfoArea (ZIA_TEST) and an InfoCube (ZIC_TEST). The IC has some characteristics and key figures. The only authorization relevant characteristic is ZCA_CLI (client). The IC has only 5 lines, one for each client ("CLI_01" to "CLI_05").
  Also there's a query (ZQR_TEST) on this IC, with an Authorization Variable (VAR_AUTH_CLI) restricting the characteristic ZCA_CLI.
  I'm trying to create a new User and restrict him to this IC and only to the data of client "CLI_01". If it works I'll apply to a production system.
  What I did:
  1) With tcode SU01 created a new User (USER_01) with no Role neither Analysis Authorization.
  2) With tcode PFCG copied the Role Z:BI_USER as Z:ROLE_TEST then made some changes:
  a) S_RS_COMP
  - Activity = 03 and 16
  - InfoArea = ZIA_TEST
  - InfoCube = ZIC_TEST
  - Type of report component = *
  - Name of report component = *.
  b) S_RS_COMP1
  - Kept * to all fields.
  c) S_RS_AUTH
  - I inactivated and deleted this Authorization Object.
  (I don't want to keep characteristic values restriction inside the role. The idea is to associate different users to the same role, allowing them to see the same ICs and execute the same queries. And differentiate wich characteristic values each one can see by manually associating different analysis authorization to each one.).
  3) With tcode RSECAUTH I created an Analysis Authorization (Z_AA_CLI_01) to restrict access only to client "CLI_01":
  - ZCA_CLI = "CLI_01"
  - 0TCAACTVT = "03"
  - 0TCAIPROV = "ZIC_TEST"
  - 0TCAVALID = "*".
  4) With tcode PFCG I assigned User "USER_01" to the Role " Z:ROLE_TEST" and made Complete Comparison.
  5) With tcode RSU01 I manually assigned Analysis Authorization " Z_AA_CLI_01" to User "USER_01".
  It seems to me that these steps are enough. But:
  a) When I log as USER_00 and go to tcode RSRT2, searching by InfoAreas I can see all the InfoAreas and all the InfoCubes, select and execute the query. That's OK.
  b) When I log as USER_01 and go to RSRT2, searching by InfoAreas I can see only ZIA_TEST and under it I can see only ZIC_TEST. That's OK. Then I select and execute the query.
  Wich means that S_RS_COMP is OK and each user is assigned to the correct Role.
  c) The problem is that in both cases the query brings data from all Clients.
  Under Information and Variable Values (when I run with HTML display) the message is "Empty demarcation".
  I changed the variable to be Ready for Input, just to see wich values it brings. In both cases (as USER_00 and as USER_01) in the Variable Screen it brings all the 5 Clients from the IC and I can select and execute any value.
  So the problem is with the Analysis Authorization or with the Variable, but I can't find what's wrong.
  Any help will be very appreciated.
  César

  OK Marc, it worked.
  Sorry for not answering earlier, but I could get back to this front only some days ago, then began testing your suggestions.
  1) Security Concept
  Authorization Mode was set to "Obsolete Concept with RSR Authorization Objects" (it would never work with this setting).
  I changed to "Current Procedure with Analysis Authorizations".
  Anyway, what's the function of this setting? Do old Reporting Authorizations work with "Current Procedure with Analysis Authorizations" setting?
  2) Variable Representation
  With "Multiple Single Values" it really led to problems.
  With "Selection Option" it worked well.
  3) 0TCAKYFNM
  I don't understand why, but if the AA doesn't have the char/dimension 0TCAKYFNM, when the User tries to run the query (tcode RSRT2) it accuses "You do not have sufficient authorization".
  Info Cube ZIC_VE95 has two KFs (ZKF_QTL95 and ZKF_VLT95). These KFs are used only on this IC (also in the KF Catalog, but it doesn't impact). This IC is used only on Query ZQR_VE95 (also in Transformation and DTP, wich doesn't impact).
  Well, I inserted 0TCAKYFNM and it worked, either with CP, "*" or with EQ, the two KFs.
  4) Authorization Policy Definition
  The situation I'm working on is very typical. Ex.: Some users are Administrators, Managers, Operator 1, Operator 2 and so on. Each Role needs authorization to access some queries. At the same time, they can access information only of the Cost Centers to wich they are related.
  There are many ways to implement it (I tested some of them and they worked well). My point is to define a most practical way, easy to understand and to maintain.
  I'm now sympathetic to this way:
  a) Create functional Roles (ex.: "Administrator", "Manager", "Operator 1", "Operator 2" and so on) defining only the Queries (or Info Areas, Info Providers, etc) each Role needs. No S_RS_AUTH definition.
  b) Create Char Value Roles (ex.: "CC_100_to_199", "CC_200_to_299", etc), only with S_RS_AUTH definition, each one associated with a corresponding AA (ex.: AA for CC 100 to 199, AA for CC 200 to 299 and so on).
  c) Create Composite Roles associating functional and char value Roles. Ex. Composite Role "Administrator for CC 100 to 199", composed of the Roles "Administrator" and "CC_100_to_199".
  d) Associate Users to the Composite Roles.
  Anyway, I'd appreciate if you could indicate some literature (blogs, articles, etc) on this theme.
  Well, thank you very much for your answers. Now I can go on with my studies on this subject.
  César Menezes

• Analysis Authorization : Selection screen not appearing for query

  Hi,
  I am facing an issue with analysis authorization. I have created the new roles and assigned to the users. For one user when I am executing the query, the selection screen is not coming up and it shows error message to specify the variables. Whereas its running for all other users.
  In S_RS_COMP I have selected Type of a reporting component as Query View, Query & Template structure. I also tried adding Variable in this field but that also did not help.
  Please let me know if you have faced similar issue.
  Regards,
  Manish

  Hi,
  Go to your query desinger opend your query and select your variable in that you have see first "Ready Input Query" Check box is selected or not. It's not selected you can select that check box.
  Your problem will be sloved.
  Thanks & Regards,
  venkat.

• Issue w RSCUSTV23 Analysis Authorization System after upg from BW3.5 to BI7

  We set it to "Obsolete Concept with RSR Authorization Objects" and we do no understand why from the suddenly changes to
  "Current Procedure with Analysis Authorization" from no where - any ideas why from the sudden this changes by itself?
  still were not not migrating our security to the new version...we will do it around april...but in the meanwhile i would like ot understand why is happening by itself.
  thanks,

  Note that the logging will probably only help you if you activate it in the transport tool profiles (STMS) as it sounds to me as if imports of the customizing are making this setting.
  Did you set the value in DEV and transport it through or did you use one of the "BW utility reports" to change it (in which case you do not always have change documents and inconsistent customizing is "by design"...).
  Cheers,
  Julius