D_E_L_E_T_E doesn't delete analysis authorizations

Similar Messages

• BI7 : Transport deletion of analysis authorizations

  Hi,
  I was just wondering if it is possible to transport the deletion of analysis authorizations exactly as we do for roles.
  Do we have to first create a transport request with the analysis authorization before deleting them and then transport the request or do we have to delete them manually on each system?
  I checked in the documentation but I didn't find anything similar.
  Thank you in advance for your help.
  Regards,
  Vince

  Hi Gowrinadh,
  Thank you for your answer. I already worked on the analysis authorization concept and I have seen this blog while I was searching for an answer regarding deletion but unfortunately there is no explanation about it.
  I was just wondering if it is exactly like in PFCG because there is no pop-up message in RSECADMIN explaining that it must be added first to a transport request.
  According to Zaheer it works exactly the same so I will test.
  Thx for your help .
  Edited by: Vince Bl. on Mar 18, 2009 6:04 PM

• Analysis Authorization not working - Empty demarcation

  Can someone help me on this Analysis Authorization? I read many threads in SDN, it seems that I followed the correct steps. The restriction on S_RS_COMP is working well but the restriction on the Analysis Authorization is not working. Surely I'm making some mistake, but can't find what's wrong.
  I'm a User (say USER_00) in a test system, assigned to a Role (say Z:BI_USER). This is a broad role:
  - S_RS_COMP and S_RS_COMP1 have full authorization (*) to all the fields,
  - S_RS_AUTH has the BIAUTH field with Name of Authorization = *.
  Also I have an InfoArea (ZIA_TEST) and an InfoCube (ZIC_TEST). The IC has some characteristics and key figures. The only authorization relevant characteristic is ZCA_CLI (client). The IC has only 5 lines, one for each client ("CLI_01" to "CLI_05").
  Also there's a query (ZQR_TEST) on this IC, with an Authorization Variable (VAR_AUTH_CLI) restricting the characteristic ZCA_CLI.
  I'm trying to create a new User and restrict him to this IC and only to the data of client "CLI_01". If it works I'll apply to a production system.
  What I did:
  1) With tcode SU01 created a new User (USER_01) with no Role neither Analysis Authorization.
  2) With tcode PFCG copied the Role Z:BI_USER as Z:ROLE_TEST then made some changes:
  a) S_RS_COMP
  - Activity = 03 and 16
  - InfoArea = ZIA_TEST
  - InfoCube = ZIC_TEST
  - Type of report component = *
  - Name of report component = *.
  b) S_RS_COMP1
  - Kept * to all fields.
  c) S_RS_AUTH
  - I inactivated and deleted this Authorization Object.
  (I don't want to keep characteristic values restriction inside the role. The idea is to associate different users to the same role, allowing them to see the same ICs and execute the same queries. And differentiate wich characteristic values each one can see by manually associating different analysis authorization to each one.).
  3) With tcode RSECAUTH I created an Analysis Authorization (Z_AA_CLI_01) to restrict access only to client "CLI_01":
  - ZCA_CLI = "CLI_01"
  - 0TCAACTVT = "03"
  - 0TCAIPROV = "ZIC_TEST"
  - 0TCAVALID = "*".
  4) With tcode PFCG I assigned User "USER_01" to the Role " Z:ROLE_TEST" and made Complete Comparison.
  5) With tcode RSU01 I manually assigned Analysis Authorization " Z_AA_CLI_01" to User "USER_01".
  It seems to me that these steps are enough. But:
  a) When I log as USER_00 and go to tcode RSRT2, searching by InfoAreas I can see all the InfoAreas and all the InfoCubes, select and execute the query. That's OK.
  b) When I log as USER_01 and go to RSRT2, searching by InfoAreas I can see only ZIA_TEST and under it I can see only ZIC_TEST. That's OK. Then I select and execute the query.
  Wich means that S_RS_COMP is OK and each user is assigned to the correct Role.
  c) The problem is that in both cases the query brings data from all Clients.
  Under Information and Variable Values (when I run with HTML display) the message is "Empty demarcation".
  I changed the variable to be Ready for Input, just to see wich values it brings. In both cases (as USER_00 and as USER_01) in the Variable Screen it brings all the 5 Clients from the IC and I can select and execute any value.
  So the problem is with the Analysis Authorization or with the Variable, but I can't find what's wrong.
  Any help will be very appreciated.
  César

  OK Marc, it worked.
  Sorry for not answering earlier, but I could get back to this front only some days ago, then began testing your suggestions.
  1) Security Concept
  Authorization Mode was set to "Obsolete Concept with RSR Authorization Objects" (it would never work with this setting).
  I changed to "Current Procedure with Analysis Authorizations".
  Anyway, what's the function of this setting? Do old Reporting Authorizations work with "Current Procedure with Analysis Authorizations" setting?
  2) Variable Representation
  With "Multiple Single Values" it really led to problems.
  With "Selection Option" it worked well.
  3) 0TCAKYFNM
  I don't understand why, but if the AA doesn't have the char/dimension 0TCAKYFNM, when the User tries to run the query (tcode RSRT2) it accuses "You do not have sufficient authorization".
  Info Cube ZIC_VE95 has two KFs (ZKF_QTL95 and ZKF_VLT95). These KFs are used only on this IC (also in the KF Catalog, but it doesn't impact). This IC is used only on Query ZQR_VE95 (also in Transformation and DTP, wich doesn't impact).
  Well, I inserted 0TCAKYFNM and it worked, either with CP, "*" or with EQ, the two KFs.
  4) Authorization Policy Definition
  The situation I'm working on is very typical. Ex.: Some users are Administrators, Managers, Operator 1, Operator 2 and so on. Each Role needs authorization to access some queries. At the same time, they can access information only of the Cost Centers to wich they are related.
  There are many ways to implement it (I tested some of them and they worked well). My point is to define a most practical way, easy to understand and to maintain.
  I'm now sympathetic to this way:
  a) Create functional Roles (ex.: "Administrator", "Manager", "Operator 1", "Operator 2" and so on) defining only the Queries (or Info Areas, Info Providers, etc) each Role needs. No S_RS_AUTH definition.
  b) Create Char Value Roles (ex.: "CC_100_to_199", "CC_200_to_299", etc), only with S_RS_AUTH definition, each one associated with a corresponding AA (ex.: AA for CC 100 to 199, AA for CC 200 to 299 and so on).
  c) Create Composite Roles associating functional and char value Roles. Ex. Composite Role "Administrator for CC 100 to 199", composed of the Roles "Administrator" and "CC_100_to_199".
  d) Associate Users to the Composite Roles.
  Anyway, I'd appreciate if you could indicate some literature (blogs, articles, etc) on this theme.
  Well, thank you very much for your answers. Now I can go on with my studies on this subject.
  César Menezes

• Analysis Authorization in BO 4.0 Webi report

  Hi All,
  I am using BO 4.0 and creating connection from Information Design tool to a BW query using BICS client. This connection is then published to CMC.
  We are using SAP authentication and importing the roles from BW system. We have added profiles to this role and these profiles have Analysis Authorization set on Company Code. So one user can access data to one company code and vice versa. Now this works well in Bex Analyzer, but if I try to create a report in Webi, the analysis authorization fails. I went through the forum before posting this question and I found that is in 3.1 version and in most cases using SSO in universe connection solved the problem.
  However in 4.0 I am using BICS client and followed the same processes to create a connection but for some reason it doesn't work ? Is this suppose to work differently in 4.0 ?
  I have tried:
  1. To create connection in Information Design tool using SSO, selecting user ID and password. It doesn't work.
  2. Checked the Bex query and it already has Company code as a Characteristic restrictions (I have made it a mandatory variable).
  3. Publish the connection to CMC with my Enterprise and SAP ID and in both cases it doesn't work.
  Please let me know if anyone encountered a similar issue and what is the best method to resolve this.
  (BO 4.0 no service pack or fix pack installed on the system yet)
  Thanks - Appreciate your help !
  Prasad Rasam

  Ingo,
  1. To create connection in Information Design tool using SSO, selecting user ID and password. It doesn't work.
  >> Correct you need to setup you OLAP Connection with SSO.
  >>> What I meant was I created the connections using both the methods, Using SSO it allows me to create a connection. The ID which I am using to create a connection has Admin access to BOBJ system. When I login as a regular user to create a Webi report and select this new connection, it throws an error message 'The DSL Service returned an error: com.businessobjects.dsl.services.workspace.impl.QueryViewAnalyzer$CannotGetCubeFromConnectionException: Cannot get the cube from the connection'
  Using the other method to create a connection with User ID and password, I can create a connection and with the normal user login I can connect to the BW query but Analysis Authorization doesn't work.
  Ingo : Could you be more specific what you mean here with the different users ? When you say "regular" user are you referring to an SAP credentials or SAP BusinessObjects Enteprrise credentials ?
  2. Checked the Bex query and it already has Company code as a Characteristic restrictions (I have made it a mandatory variable).
  >> The variable in the BEx query needs to be an authorization variable.
  >>> This has already been set as Authorization variable. There is still a question here. If I select the variable as Authorization variable, I cannot set the other parameters in the query properties such as Mandatory variable (as this is greyed out).
  Ingo : What other parameters would you like to configure ? Could you perhaps describe the scenario with more details ?
  regards
  Ingo Hilgefort

• Need analysis authorization help

  Hello Gurus,
  Could someone please help me out with my Analysis Authorization issue?
  We have a BW query and workbook outputting "Tcode usage" like the following:
  UserGroup| Username| Tcodename| Frequency
  This one has been running long time without any problems in reporting authorization, but now We want to get it restricted and only allow data associated group HR to display using new Analysis authorization. The scenario for this report is as follows:
  1. Rsecadmin >Maintenance> Create New authorization "Group" which consists of 4 characteristics: 0TCAACTVT, 0TCAIPROV, 0TCAVALID and 0TCTUSRGRP(which is the characteristic about group name and already authorizatio relevant). Set 0TCTUSRGRP "EQ HR".
  2.Assigned this authorization to a role using PFCG through the S_RS_AUTH. Other authorization objects in this role are:   S_BDS_D, S_BDS_DS, S_RS_MPRO, S_RSEC, S_RS_COMP, S_RS_COMP1, S_RS_HIER, S_RS_ICUBE, S_RS_ODSO.
  3.In BEx analyzer, set type: Characteristic Values and Variable filled from authorization and value "Selection Option". Unselected "ready for input". Put the characteristic associated with group name to filter windown on the top righ hand side of the Query Designer. Also compare users in PFCG.
  The question is the I still get all data about all groups. Looks like the authorization group doesn't work. I  used the "execute as " and get no errors back.
  Note: I didn't use "generation" to create the new authorization in Rsecadmin
  Thank you very much for any answers!
  Haifeng

  I guess i have found the reason why my authorization dosen't work. I don't activate infoObjects 0TCA* and 0TCT* and infoCubes 0TCA* as well. But another thing I am confused about is :
  Should I activate HR and CO businees content for authorizations 0TCA_DS02OTCA_DS05 and 0CCA_O010CCA_O03 before i get started? or should i run generation everytime i create a new authorization using Maintenance in Rsecadmin?
  Haifeng

• Analysis Authorization (Role, Profile and Direct Assignments)

  <b>Analysis Authorization Question:</b>
  1)     In BW 3.x environment, customers have used Role Maintenance Process to assign proper object level security and then assign to the users.
  2)     Most of the places R/3 security team takes over support/administration function of BI Security and they continue to use Role method to assign “Reporting Authorizations” as per the process defined in BW 3.x system.
  3)     Customer sometime have 100 + Roles to have 3.X “Reporting Authorizations”. This is Managed, assigned, approved using role concept.
  <b>
  Migration Options:</b>
  1)     New Analysis Authorization makes process of Role Maintenance like "hierarchy authorizations" of BW 3.x. You have to create Value in other transactions and assign them in Role as a pointer or link object. With Analysis Authorization concept, Actual value of the Object Assigned “Like Company code 1100” not visible in Role Maintenance PFCG transactions. It is only visible in Transaction code RSECADMIN.
  2)     Analysis Migration Tool - RSEC_MIGRATION does not update “ROLES”. It creates or changes “PROFILES”.
  3)     Profiles are assigned to the users and Roles does not reflect any Impact by Analysis Authorization migration.
  <b>Questions</b>
  a)     This means customer need to update all the roles by hand. If they want to use Roles to manage the assignment of the Security to users. Migration Tool does not update Roles, it only updates PROFILES.
  b)     Does any one use direct assignment to Users? It is good business practice?
  c) Is <b>Profiles</b> recommended method of Authorization Maintenance?
  d) Can we run migration tool to create Analysis Authorizations, but not assign to the users as a Profile. But stop at creating Analysis Authorizations. If Customer wants to use Roles maintenance process then, they can do not have delete profile assignments from all users before updating Roles using Analysis Authorizations.
  Just want to check how other folks have done migration that can be supported going forward.
  Pankaj Gupta

  Hey Pankaj,
  In general, assigning the analysis authorization directly to user makes a lot of sense for granular levels of authorization. For example, if you had 3,000 users, 3,000 specific authorization combinations, and 3,000 roles, using roles is a lot of additional overhead. If you had 12 roles and 3,000 users, your role concept makes a lot of sense.
  Therefore, the recommendation is that it varies on what makes the most sense logically. Authorization groups can be created to group analysis authorizations and combine them. Also, you have the ability to generate analysis authorizations using the Content Datastores for this. That is an option as well.
  RSEC_MIGRATION does use profiles as you've stated. If you want, there would be manual work to convert to roles afterwards. In case you haven't seen Marc's presentation on security, it's pretty good and covers how to generate authorizations from the datastore.
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/media/uuid/ac7d7c27-0a01-0010-d5a9-9cb9ddcb6bce

• SAP BI 7.3 Analysis authorization transport log

  Hi,
     We have transported a Analysis authorization to production system, I would like to know the exact changes moved through this transport carrying a particular analysis authorization.
  The issue here is RSECVAL_CL has not recorded the changes done on this particular Analysis authorization in development system.
  So please suggest if there is any table where we can look to find the exact changes made by this transport request.
  Regards,
  Ananth
  Edited by: Anantharama Shivashankar on Oct 26, 2011 6:48 PM

  The issue here is RSECVAL_CL has not recorded the changes done on this particular Analysis authorization in development system
  I guess that is a problem and should be reported to SAP. However this table will give the value that has been deleted. New value to be checked in analysis authorization itself.
  EDITED : If the AA been transported before then might look their content and compare them.
  Regards,
  Arpan Paik
  Edited by: P Arpan on Oct 31, 2011 3:44 PM

• Role and Analysis Authorization Transport

  Dear Experts,
  I'm working with migration authorization project from 3.5 to 7.0. My doubt is when migrate in development enviroment enhancement each whith join S_RS_AUTH with Analysis Authorization which the role doesn't have any users assigning and transport to test enviroment where have a same role with user assigning. Do lose the user assign?
  Thank for all,
  Luis

  Hi,
  I think it will orverwrite the Role. If you want to lock the target system against import of user assignments, you can goto sm30 (Table - PRGN_CUST). Make an entry - USER_REL_IMPORT (value - NO).
  Thanks

• Generated analysis authorization cannot be changed

  Hello all,
  did someone manage to edit/delete generated (from DSO) analysis authorizations? When I want to correct a typo in one of the generated analysis authorizations it is not possible although the system is telling that it should be possible to do so. I did not find any note or thread yet.
  Message number RSEC292:
  Diagnosis text
  A generated authorization can be changed (this message is only a warning ), but one should be sure that this authorization is not generated again. Then it will be removed from the user, created again (perhaps with different content), and if there no fixed name was generated, it is renamed.
  Thanks in advance for your inputs

  Hello Lana,
  this is how SAP solved the problem
  Bye Petra
  Spezifikation: Message RSEC292: Generierte Analyseberechtigungen können nic
  Short text:
  Message RSEC292: Generierte Analyseberechtigungen können nic Langtext
  It is not possible to change from DSOs generated analysis
  authorizations although the system is telling that it should be
  possible to do so. Authorizations are sufficient (SU53; SAP_ALL)
  Message number RSEC292:
  Diagnosis text
  A generated authorization can be changed (this message is only a
  warning ), but one should be sure that this authorization is not
  generated again. Then it will be removed from the user, created again
  (perhaps with different content), and if there no fixed name was
  generated, it is renamed.
  Here is the communication path (please read from below):
  09.07.2007 - 09:03:36 CET Petra King Info für SAP
  Hello Ms. ,
  I always was telling about one issue:
  Change of generated analysis authorization is not possible.
  Since BI 7.0 we are talking about analysis authorizations so the
  transaction code used is obvious.
  There is no need for furhter information because it is only this single
  issue: I guess that it should be an error message and not a warning
  message and SAP made a mistake here by using the wron message category.
  I was never talking about users and xxxxxx is not an user but an
  analysis authorization.
  Please consider the call a solved - in the meantime I got
  professional support from the SDN platform.
  Regards,
  Petra King
  05.07.2007 - 09:14:22 CET SAP Antwort
  Hello Ms King,
  I must say that I find this message quite incomprehensible. First you
  write that you are irritated because my colleague asked you which
  transaction is being used to generate authorizations. This information
  is necessary so that the message can be assigned to the appropriate
  area. Indeed, the message was incorrectly sent to BC-SEC. Next you
  write that you are angry when I give you a consulting note regarding
  generation of analysis authorizations. I am mystified as to how such
  information from customers should help us in solving a technical or
  procedural probem. I have read the message from the beginning and
  there is very little technical and procedural information. Moreover, itis not clear what the "error" is here. The message RSEC292 is a warning(as clearly stated in the long text of the message) and this should not
  hinder the process. Lastly, in your last info you refer to a specific
  user, xxxxxxxx, as an example of a generated authorization. This is
  separate issue than the original:
  It is not possible to change from DSOs generated analysis
  authorizations although the system is telling that it should be
  possible to do so. Authorizations are sufficient (SU53; SAP_ALL)
  So in response to the original inquiry regarding RSEC292. The answer,
  as I have already mentioned and as stated in the text, is that this
  is just for information purposes. Please continue with the process.
  If you have a separate inquiry regarding the authorizations of
  particular users, please open a second message. We request that
  customer log one issue per message. Please read note 375196:
  Separate message for new problem/subsequent problem
  Regards,
  Senior Support Consultant
  SAP Active Global Support
  Netweaver Business Intelligence
  03.07.2007 - 15:14:39 CET Petra King Info für SAP
  Hello ,
  can you please contact the Basis Administrator xxx via phone
  (+xxxxx) so he can open the line and provide you with the
  user and password for system xxxxx.
  Please note that the error occurs on xxxx and you can have a look at the
  analysis auth. xxxxxxxx as representive for one of the generated
  authorizations.
  03.07.2007 - 15:08:43 CET Petra King Info für SAP
  Hello ,
  I am getting angry because note 1052242 is a documentation and I
  executed everything besides the fact that the analysis auths cannot be
  changed. Please read the error message from the beginning.
  Regards,
  Petra King
  28.06.2007 - 14:52:09 CET SAP Antwort
  Hello Ms King,
  Please excuse the delay in the processing of your message.
  Please read note 1052242 if you have not already done so. If this note
  does not help you to solve the problem, I would like to have a look at
  the situation on your system. Please open the R/3 Support connection
  provide me with a user and password. This information can be stored
  in the log on information of this message.
  Regards,
  Senior Support Consultant
  SAP Active Global Support
  Netweaver Business Intelligence
  25.06.2007 - 08:48:03 CET Petra King Info für SAP
  Hello ,
  if this is in the wrong queue, yes please forward it to the appropriate
  queue and please let the question be answered asap.
  Thanks,
  Petra King
  21.06.2007 - 07:47:29 CET SAP Info für Kunde
  Hello Petra,
  it is possible to generate authorizations in PFCG too. As RSECADMIN
  belongs to BW-BEX-OT-OLAP-AUT, I forward your message accordingly.
  Best regards
  Support Consultant
  Global Support Center Austria
  Netweaver Web Application Server ABAP
  20.06.2007 - 09:54:47 CET Petra King Info für SAP
  Hello ,
  sorry to let you know so late but there was a typo in my email address
  xxxxxinstead of xxxxxxxxx
  Your question is a little bit irritating. Generation of analysis
  authorizations in 7.0 is usually done only with transaction code
  RSECADMIN - correct me if there is another possibility. Generation
  works fine but the authorizations cannot be edited after then.
  Bye,
  Petra
  23.05.2007 - 11:53:16 CET SAP Antwort
  Dear Ms. King,
  please let me know which transaction code do you use or in which
  transaction do you get this message.
  Best Regards
  Support Consultant
  SAP Active Global Support - Netweaver Web Application Server

• How to Move Migrated Analysis Authorization across the landscape?

  Hi,
  we have migrated existing 3.x obsolete authorization concept to 7.x Analysis Authorization with the SAP delivered program RSEC_MIGRATION. Unit test is completed in the Development. What is the process to move the changes to quality.
  Any help is greatly appreciated.
  Thanks!

  Hi Tony,
  what about the roles that are updated during the migration process. How do I identify them and Do I need to collect them and transport too? Is there a way I can use the tables you mentioned in the above discussion for this.
  First you should decide on whether you wish to use direct AA assignment or use S_RS_AUTH authorization object (This is referred as indirect AA assignment).
  If you wish to assign AA directly, you doesn't require the roles to be transported and just need to transport the AA, since the AA works independently.
  If you with to implement indirect AA assignment, you should identify the roles (from the tables I've provided in my last post) and findout the roles based on query's. Further the AA that were related to the queries should be added using S_RS_AUTH and these roles require a transport.
  Hope this helps!!
  @Arpan - Those tables are required to quickly find out the roles Vs queries Vs InfoAreas/InfoCubes information to work on the AA.
  Regards,
  Raghu

• Analysis Authorization Mass Load got wrong

  Hi,
  First:
  I accidently made a rubbish CSV massupload via a 0TCA_DS04 formatted DSO and than a
  RSEC_GENERATE_AUTHORIZATIONS for Assignment of authorization to users.
  Second:
  I want to clear up this rubbish completely out  again.
  Third:
  Loading a one line one field CSV File like this:
  0TCTUSERNAME -     D_E_L_E_T_E
  ;0TCTAUTH -               <BLANK>
  ;0TCTADTO -              <BLANK>
  ;0TCTOBJNM -           <BLANK>
  ;0TCTSIGN -                <BLANK>
  ;0TCTOPTION -           <BLANK>
  ;0TCTLOW -                <BLANK> 
  ;0TCTHIGH -                <BLANK>
  ;0TCTOBJVERS -          <BLANK>
  ;0TCTADFROM -           <BLANK>
  via a 0TCA_DS01  formatted DSO
  and RSEC_GENERATE_AUTHORIZATIONS
  does not seem to work.
  Fourth;
  The rubbish Assignment of authorization to users still exist.
  Fivth:
  Something else to do ? The doc ,Generation of Analysis Authorizations - Business Intelligence - SAP Library,
  isn't to clear to this.
  Something more to do ?
  CSV wrongly formatted ?
  Assitant is appreciated.
  Thanks
  Martin

  Hi Petra,
  the message is only thrown when one of the named DataStore Objects is really empty.
  Could it be:
  1.) That you have a typo in your DataStore Object name
  2.) The message should also name a DataStore Object. Which one is it (for which authorisation generation)
  3.) Are you on a Support Package Stack level lower than 14, and try to generate hierarchy authorisation. If so, please check OSS note # 1041515.
  If none of the above is solving your issue, you might have to open a customer message.
    Cheers
       SAP NetWeaver BI Organisation

• Analysis Authorization Issue 7.3

  Hello Friends,
  System BW 7.3, Currently there are 80 odd analysis authorization objects
  We want to introduce a new info object (GL Account) to be authorization relevant, ( there are few objects in the system which are already authorization relevant in the system with proper analysis authorization objects and they are working fine)
  Things done, made the GL Account object authorization relevant in RSA1, Created 2 analysis authorization objects with GL Account and TCT objects and one with hierarchy restrictions and one open access.
  Added this object to the user in addition to its already existing authorization objects. Created authorization variable in BEx.
  Some how the authorization is not picked up and it gives us all the values in the report. But if I add the GL Account info object to the existing analysis authorization objects then it works fine.
  I do not want to change all the existing analysis authorization objects to add GL Account.
  Your inputs are most welcome.
  Thanks
  Ed.

  Gajesh- I have added the new analysis authorization object to the user in RSECadmin.
  Subhendu- Problem statement: What are the steps involved in making a new info object(GL Account) authorization relevant. Authorizations are given at hierarchy level. Can we create a new analysis authorization with  GL Account only or do we have to add it to every existing analysis authorization
  I have done the following steps
  1. Made the GL Account object authorization relevant in RSA1,
  2. Created 2 new analysis authorization objects with GL Account ( with hierarchy restrictions) and TCT objects and one with GL Account open access.
  3. Added this object ( which has restrictions) to the user in RSECADMIN, in addition to its already existing authorization objects.
  4. Created authorization variable in BEx.
  5. No existing analysis authorization objects have been changed.
  When I test the report, It does not restrict based on the hierarchy that I have given, it gives open access.
  But If I add GL Account with restrictions to the existing analysis authorization object, it works good.
  Guess I am missing some thing here.
  Do you need any other screen shots.
  Thanks
  Ed.

• Analysis Authorization Issue

  Hi:
  I created an analysis authorization ZCO_CODE to trstrict it by a company code.
  I added following objects in authorization with values.
  0COMP_CODE = 1000
  0TCAACTVT = 03
  0TCAIFAREA = *
  0TCAIPROV = *
  0TCAVALID = *
  Then I created a role Z:00:BW_REPORT, where I added following authorization objects S_RS_AUTH and restricted it by value ZCO_CODE. Then I assigned this role to a user test01.
  When I execute a program RSEC_MIGRATION for this specific user, I do not see authorization object ZCO_CODE on 2nd step of this program. Any Idea Why? I think this object should show up as I want to migrate this specific object.
  Help will be appreciated.

  Hi Sachin:
  Okay here is my issue.
  I have a Reporting authorization Object created earlier which is ZCOCODE. I though I'll have to create a new Analysis authorization object e.g. ZCO_CODE and then restrict it with other chars. as mentioned in Marc Bernards presentation and then you have to migrate it.
  In selection list I can see old Reporting authorization object. If I select it and use option "Enhance existing profile" then It will update profile and not role? right....
  How can I see whether it has updated existing profile?????
  Do I need to create new Analysis Auth. for Company code or I can use old Reporting authorization for company code?
  For testing purpose, I created a test user and assigned all reporting roles but It will not show up in RSEC_MIGRATION step???

• BW Analysis authorization issue on cost center range

  Hello BIW security experts
  I have a problem where I created an analysis authorization on a cost center range and it looks like the interval is not working. The report is just a list of cost centers (demo to users to prove that analysis authorizations work in order to skip 2 managerial cost centers.
  . Cost centers are numeric. Example:  2000100. In the drop down list they appear as such.
  . I want to have the following cost center range: 1000000 to 1000771, 1000773 to 2000771, 2000773 to 9999999.
  Thereofore 1000772  and 2000772 should not appear in the list.
  . In the analysis authorization I have put the 3 ranges above on 3 separate lines. 'BT' is the operator. The cost centers have been selected from the drop down list.
  Results:  I get only 1 record from the report....  2000772. (which is one I want to exclude..
  Steps tried to debug:
  . When I put a list of cost centers in the analysis authorization on separate line with the 'EQ' operator, then the report works.
  . I tried putting ' ' delimiters since cost center is a char field but it fails.
  . I tried adding leading and trailing zeros to fill up the char(10) but no luck.
  . I tried creating a hierarchy with the interval and put it in the hierachy auth. tab and it does not work either. It gives the same number of records than the first step.
  . A hierarchy with single values work.
  I do not know what else to try..
  Thanks.
  YB.

  Good morning
  Here it is from RSECVAL
  ZCC_TEST     0COSTCENTER                    I       BT        1000000                                                      1000771
  ZCC_TEST     0COSTCENTER                    I       BT        1000773                                                      2000771
  ZCC_TEST     0COSTCENTER                    I       BT        2000773                                                      9999999
  ZCC_TEST     0COSTCENTER                    I       EQ        #
  ZCC_TEST     0COSTCENTER                    I       EQ        :
  ZCC_TEST     0INFOPROV                         I       CP        *
  ZCC_TEST     0TCAACTVT                        I       EQ        03
  ZCC_TEST     0TCAIPROV                         I       CP        *
  ZCC_TEST     0TCAKYFNM                       I       CP        *
  Thank you for your help.

• BW Analysis authorization issue... need help urgently....

  We have one BW query which is pulling data from Contract Division info-object. Now this report does not variable selection object so it is pulling data from all values of Contract Division. Values of  Contract Division are CNC, CNS, CNE and CNL.
  Now we have created an analysis auth. object called z_es_3 and added Contract division info-object. Now we have added that z_es_3 into role and given value to CNS. now when we are running report, we are getting No Authorization error. When we are giving * value in z_es_3, it is running fine.
  Now we have to restrict report to contract division. please help.
  Thanks in advance

  Are you running unrestricted search on Contract division in your queries? You should restrict it to value which is maintained in the authorization for the InfoObject.
  Also please run the analysis authorization trace from RSECADMIN. That will give you a clearer picture of what is wrong.