Different Analysis Authorization on same infoprovider

Similar Messages

• Filter the content on different queries for the same infoprovider and user

  Hello,
  We are trying to make the following security scenario in BI, and have
  problem with the analysis object concept to filter at query level.
  The idea is to permit to :
  - user A
    - to execute query Q1 and view information about sites 1,2,3
    - to execute query Q2 and view information about sites 4,5,6
  but for example for another user :
  - user B
    - to execute query Q1 and view information about site 1,3
    - to execute query Q2 and view information about site 5,6,7
  Q1 and Q2 are queries from the same infoprovider.
  The idea is to make an automatic generation of analysis objects based
  on the standard program : RSEC_GENERATE_AUTHORIZATIONS.
  During tests, we have faced a problem with the object 0TCTQUERY that we
  thought will permit us to filter at the query level, but unless we add
  the name on the query on a role in the S_RS_COMP authorization object,
  field RSZCOMPID, the query is not granted to the user.
  The fact that we use both authorization objects : one for the query
  definition, and another for the analysis authorization concept
  (S_RS_AUTH, field BIAUTH), has disastrous effect : all values given in
  the analysis objects are for all queries of an indicated infoprovider.
  With that system, it's then not possible to propose dynamically different
  views of the same data (ie from same infoprovider) based on the
  authorization concept unless using the technic of customer-exit variable,
  but with variable you will have a problem with old queries that doesn't
  have a variable and that will permit to see all data given in the new
  authorization objects.
  Is there exists another object to filter at the query level in the
  analysis objects ? If it's not the case, what is possible to do to reach
  our goal with the new authorization concept ?
  Thank you in advance for your help.
  Best regards,
  Gaël.

  The data is protected on infoprovider level and not on the query level,  so when two querys are build from the same Infoprovider then the authorizations are the same,
  To achieve what you want to do,  the querys must be built off different providers.   This can be achieved by placing the infoprovider in 2 differnt multiproviders and building the querys and authorizations seperatly on these.

• Analysis Authorization not working - Empty demarcation

  Can someone help me on this Analysis Authorization? I read many threads in SDN, it seems that I followed the correct steps. The restriction on S_RS_COMP is working well but the restriction on the Analysis Authorization is not working. Surely I'm making some mistake, but can't find what's wrong.
  I'm a User (say USER_00) in a test system, assigned to a Role (say Z:BI_USER). This is a broad role:
  - S_RS_COMP and S_RS_COMP1 have full authorization (*) to all the fields,
  - S_RS_AUTH has the BIAUTH field with Name of Authorization = *.
  Also I have an InfoArea (ZIA_TEST) and an InfoCube (ZIC_TEST). The IC has some characteristics and key figures. The only authorization relevant characteristic is ZCA_CLI (client). The IC has only 5 lines, one for each client ("CLI_01" to "CLI_05").
  Also there's a query (ZQR_TEST) on this IC, with an Authorization Variable (VAR_AUTH_CLI) restricting the characteristic ZCA_CLI.
  I'm trying to create a new User and restrict him to this IC and only to the data of client "CLI_01". If it works I'll apply to a production system.
  What I did:
  1) With tcode SU01 created a new User (USER_01) with no Role neither Analysis Authorization.
  2) With tcode PFCG copied the Role Z:BI_USER as Z:ROLE_TEST then made some changes:
  a) S_RS_COMP
  - Activity = 03 and 16
  - InfoArea = ZIA_TEST
  - InfoCube = ZIC_TEST
  - Type of report component = *
  - Name of report component = *.
  b) S_RS_COMP1
  - Kept * to all fields.
  c) S_RS_AUTH
  - I inactivated and deleted this Authorization Object.
  (I don't want to keep characteristic values restriction inside the role. The idea is to associate different users to the same role, allowing them to see the same ICs and execute the same queries. And differentiate wich characteristic values each one can see by manually associating different analysis authorization to each one.).
  3) With tcode RSECAUTH I created an Analysis Authorization (Z_AA_CLI_01) to restrict access only to client "CLI_01":
  - ZCA_CLI = "CLI_01"
  - 0TCAACTVT = "03"
  - 0TCAIPROV = "ZIC_TEST"
  - 0TCAVALID = "*".
  4) With tcode PFCG I assigned User "USER_01" to the Role " Z:ROLE_TEST" and made Complete Comparison.
  5) With tcode RSU01 I manually assigned Analysis Authorization " Z_AA_CLI_01" to User "USER_01".
  It seems to me that these steps are enough. But:
  a) When I log as USER_00 and go to tcode RSRT2, searching by InfoAreas I can see all the InfoAreas and all the InfoCubes, select and execute the query. That's OK.
  b) When I log as USER_01 and go to RSRT2, searching by InfoAreas I can see only ZIA_TEST and under it I can see only ZIC_TEST. That's OK. Then I select and execute the query.
  Wich means that S_RS_COMP is OK and each user is assigned to the correct Role.
  c) The problem is that in both cases the query brings data from all Clients.
  Under Information and Variable Values (when I run with HTML display) the message is "Empty demarcation".
  I changed the variable to be Ready for Input, just to see wich values it brings. In both cases (as USER_00 and as USER_01) in the Variable Screen it brings all the 5 Clients from the IC and I can select and execute any value.
  So the problem is with the Analysis Authorization or with the Variable, but I can't find what's wrong.
  Any help will be very appreciated.
  César

  OK Marc, it worked.
  Sorry for not answering earlier, but I could get back to this front only some days ago, then began testing your suggestions.
  1) Security Concept
  Authorization Mode was set to "Obsolete Concept with RSR Authorization Objects" (it would never work with this setting).
  I changed to "Current Procedure with Analysis Authorizations".
  Anyway, what's the function of this setting? Do old Reporting Authorizations work with "Current Procedure with Analysis Authorizations" setting?
  2) Variable Representation
  With "Multiple Single Values" it really led to problems.
  With "Selection Option" it worked well.
  3) 0TCAKYFNM
  I don't understand why, but if the AA doesn't have the char/dimension 0TCAKYFNM, when the User tries to run the query (tcode RSRT2) it accuses "You do not have sufficient authorization".
  Info Cube ZIC_VE95 has two KFs (ZKF_QTL95 and ZKF_VLT95). These KFs are used only on this IC (also in the KF Catalog, but it doesn't impact). This IC is used only on Query ZQR_VE95 (also in Transformation and DTP, wich doesn't impact).
  Well, I inserted 0TCAKYFNM and it worked, either with CP, "*" or with EQ, the two KFs.
  4) Authorization Policy Definition
  The situation I'm working on is very typical. Ex.: Some users are Administrators, Managers, Operator 1, Operator 2 and so on. Each Role needs authorization to access some queries. At the same time, they can access information only of the Cost Centers to wich they are related.
  There are many ways to implement it (I tested some of them and they worked well). My point is to define a most practical way, easy to understand and to maintain.
  I'm now sympathetic to this way:
  a) Create functional Roles (ex.: "Administrator", "Manager", "Operator 1", "Operator 2" and so on) defining only the Queries (or Info Areas, Info Providers, etc) each Role needs. No S_RS_AUTH definition.
  b) Create Char Value Roles (ex.: "CC_100_to_199", "CC_200_to_299", etc), only with S_RS_AUTH definition, each one associated with a corresponding AA (ex.: AA for CC 100 to 199, AA for CC 200 to 299 and so on).
  c) Create Composite Roles associating functional and char value Roles. Ex. Composite Role "Administrator for CC 100 to 199", composed of the Roles "Administrator" and "CC_100_to_199".
  d) Associate Users to the Composite Roles.
  Anyway, I'd appreciate if you could indicate some literature (blogs, articles, etc) on this theme.
  Well, thank you very much for your answers. Now I can go on with my studies on this subject.
  César Menezes

• Problem wih analysis authorization for two scenarios on same data provider

  Dear all,
  I am looking for a solution on the following authorization scenario (using the new analysis authorization). Unfortunately everything that I tried did not work out as expected:
  User A is allowed to manually access query 1 (based on cube A) with authorization on all sites A-Z
  The same user A shall get an email distribution automatically (derivation of the filter in the query out of the authorization) for query 2, which is as well based on cube A, but this time the authorization shall be limited only to site A.
  As both queries are based on the same infoobject (0PLANT) and the same infoprovider (0TCAIPROV) I always get the result for all sites A-Z. The 0TCAACTVT is in both cases 03 (display), so I have no chance to distinguish between reporting and email distribution.
  Probably the only chance would be to derive the values for the email distribution scenario not from the authorization directly, but using a customer exit to fill the filter - but I would prefer a "standard" solution...
  Any ideas??
  Thanks,
  Andreas

  Dear Andreas,
  Before give you an alternative for you problem, Iu2019d like to comment the combining authorization concept:
  http://help.sap.com/saphelp_nw70/helpdata/EN/46/98cd87f37d19ace10000000a11466f/frameset.htm
  For this reason I suggest you which combing restriction through authorization and query filter. For query 2 try to use in 0PLANT characteristic the single value u201Csite Au201D, this restriction give you only authorization for see this value.
  Otherwise, you have to use customer exit.
  I hope that alternative help you to find a solution,
  Luis

• Different authorizations on different cubes for the same characteristic

  Hello,
  Is it possible to implement different authorizations on different groups for the cubes characteristic?
  For example a user should be authorized to see just the data of company code 101 on Cube A but he should see the data of all company codes on Cube B (Cube B also contains the company code. ":"-Authorization is not an option)?
  In transaction RSECADMIN it is possible to insert the "special characteristics" Acitivty, InfoProvider and Validity into an authorization. But standard setting for InfoProvider is * and I get an error message if I want to modify for just 1 Cube because the characteristic "InfoProvider" (SAP Content) isn't marked as authorization relevant.
  Can you please answer:
  1) If it is possible to implement different authorizations on different cubes for the same characteristic?
  2) What is the function of the special charactristics if I can't maintain the values?
  Thank you
  Johannes

  Hi there,
  Yes it is possible.
  The new authorization concept created union also based on InfoProvider Characteristic.
  You have to change in rsd1 transaction the characteristics 0TCAACTVT, 0TCAKYFNM, 0TCAIPROV and 0TCAVALID to be authorization relevant.
  So you can do this:
  Create two authorizations in rsecadmin like this:
  Aut_1:
  0comp_code: 101
  0TCAACTVT: 03 (activity of display)
  0TCAKYFNM: * (all key figures)
  0TCAIPROV: Cube A
  0TCAVALID: * (authorization valid for ever)
  Aut_2:
  0comp_code: *
  0TCAACTVT: 03 (activity of display)
  0TCAKYFNM: * (all key figures)
  0TCAIPROV: Cube B
  0TCAVALID: * (authorization valid for ever)
  Now in rsecadmin give both authorizations aut_1 and aut_2 for the user.
  If the user opens a query built on cube a he will be having authorizations only for company code 101. If the user opens a query for cube B he will be having authorizations for all the company codes.
  Diogo.

• Assigning different authorization to same user based on Query

  Hi experts,
  I am redefining my issue,
  Is there any way i can assign different authorizations to the same user but based on either Query/Workbook.
  lets say i have two Analysis authorizations A & B and two Queries X and Y.
  If the Query/Workbook is X then Add Authorization A to user ABC.
  else if the Query/Workbook is Y then Add authorization B to user ABC.
  this is because i have two set of workbooks the same user can access and authorization for these two set is different based on the workbook.
  I tried using the auth objects 0TCTWORKBK,0TCTQUERID OR 0TCTQUERY but no success so far.
  thank in advance.
  Edited by: youmenbi on Feb 12, 2008 1:20 AM
  Edited by: youmenbi on Feb 12, 2008 1:31 AM

  Hi
  We have set same kind of authorizations based on the users. The Cost Center Manager is assigned a role and the authorizations for each of the Report/Layout/Workbook is based on his/her profile...some are Read only, some or Read & Write...etc.
  If you go through that route......and assign each of the Reports/Layouts/Workbooks to Users....you may succeed.
  I know it is a bit time consuming but that is one alternative we could think of as it addressed seamlessly any changes in CC Managers.
  Regards
  Srinivas

• Same infoprovider, different results

  Hello together,
  here it is my problem: I have one infoprovider and two queries based on it. In both queries I have one identical formula, but the result is different ..
  Could you please help me? Where could be the problem?
  Thank you,
  Iuliana

  Please chacek all the InfoObjects in rows and columns in both Queries and Formulas/CKFs/RKFs/ and variavles too....Definetly there will be a difference..so you are getting different results...all calculated kfs in both Queries using same formulas?
  There is no rule that both Queries should display same result if both are on Same infoProvider unless and until both are similar(one Query is copy of another one)...
  i don't think in u r case it is same..
  Please don't forget to assign points if it is helpfulu.its the way of saying thnaks here in SDN.

• BI analysis authorization - Same info provider- diffrent access ?

  Hi Gurus,
  Designation of roles:
  1. User is having two PFCG roles (A1 & B1) assigned.
  2. Role A1 contains query name ZQRYA1 & Role B1 contains query name ZQRYB1
  3. Role A1 is linked to analysis authrozation role AR1 and Role B1 is linked to analysis auth. role BR1 (thorugh S_RS_AUTH)
  4. AR1 is having access to Company code 1000 & info proivder is ZIC_COPA
  5. BR1 is having access to Company code 2000 & info provider is same ZIC_COPA.
  Requirement :
  When user is executing ZQRYA1, he should see only 1000 company code.
  Result:
  With above design user is able to see 1000 & 2000 company code data for ZQRYA1.
  My analysis:
  1. We should use Customer exit in the Query. (SAP note referred  668520).
    2. As per SAP note 1000004 (Merging and optimizing analysis authorizations), I understand that if same info provider is there then BI analysis auth. will merge the values.
  Please correct me if I understand something wrong. Also suggest how can implement role so that values will not merge.

  Hi experts,
  I am getting confused now.
  As pe rmy practical experience for same info-proivder BI AA will merge the values. Even i got same response in SDN forums.
  But when I raised this issue to SAP (OSS message), SAP says this issue should resolve by applying SAP notes through SNOTE..
  1138708     Unauthorized data is displayed: "Not assigned" (#)     
  1158432     Too many values authorized for hierarchy with intervals     
  1234334     Authorization error for query on InfoSet     
  1229602     Error when using hierarchies: Authorization error     
  1226163     Authorization variables in workbook     
  1000004      Merging and optimizing analysis authorizations
  1150754     Authorizations for InfoSet chars. ignored in input help     
  1235049     F4 help: Unauthorized data for referencing characteristic     
  I have gone through notes but did not find relevant, but still SAP replied it should resolve the issues.
  Please suggest.

• Analysis Authorization in BO 4.0 Webi report

  Hi All,
  I am using BO 4.0 and creating connection from Information Design tool to a BW query using BICS client. This connection is then published to CMC.
  We are using SAP authentication and importing the roles from BW system. We have added profiles to this role and these profiles have Analysis Authorization set on Company Code. So one user can access data to one company code and vice versa. Now this works well in Bex Analyzer, but if I try to create a report in Webi, the analysis authorization fails. I went through the forum before posting this question and I found that is in 3.1 version and in most cases using SSO in universe connection solved the problem.
  However in 4.0 I am using BICS client and followed the same processes to create a connection but for some reason it doesn't work ? Is this suppose to work differently in 4.0 ?
  I have tried:
  1. To create connection in Information Design tool using SSO, selecting user ID and password. It doesn't work.
  2. Checked the Bex query and it already has Company code as a Characteristic restrictions (I have made it a mandatory variable).
  3. Publish the connection to CMC with my Enterprise and SAP ID and in both cases it doesn't work.
  Please let me know if anyone encountered a similar issue and what is the best method to resolve this.
  (BO 4.0 no service pack or fix pack installed on the system yet)
  Thanks - Appreciate your help !
  Prasad Rasam

  Ingo,
  1. To create connection in Information Design tool using SSO, selecting user ID and password. It doesn't work.
  >> Correct you need to setup you OLAP Connection with SSO.
  >>> What I meant was I created the connections using both the methods, Using SSO it allows me to create a connection. The ID which I am using to create a connection has Admin access to BOBJ system. When I login as a regular user to create a Webi report and select this new connection, it throws an error message 'The DSL Service returned an error: com.businessobjects.dsl.services.workspace.impl.QueryViewAnalyzer$CannotGetCubeFromConnectionException: Cannot get the cube from the connection'
  Using the other method to create a connection with User ID and password, I can create a connection and with the normal user login I can connect to the BW query but Analysis Authorization doesn't work.
  Ingo : Could you be more specific what you mean here with the different users ? When you say "regular" user are you referring to an SAP credentials or SAP BusinessObjects Enteprrise credentials ?
  2. Checked the Bex query and it already has Company code as a Characteristic restrictions (I have made it a mandatory variable).
  >> The variable in the BEx query needs to be an authorization variable.
  >>> This has already been set as Authorization variable. There is still a question here. If I select the variable as Authorization variable, I cannot set the other parameters in the query properties such as Mandatory variable (as this is greyed out).
  Ingo : What other parameters would you like to configure ? Could you perhaps describe the scenario with more details ?
  regards
  Ingo Hilgefort

• BW Analysis Authorization on two charcteristics issue

  I am familiar with analysis authorizations in BW 7.0 and worked on it.
  Today we have blanket authorization (RSECADMIN) for 0TAX_NUMB = *. Meaning user who has this auth/role can see values (from where ever 0TAX_NUMB is used, all company codes etc). And as you might know 0TAX_NUMB is used in 0VENDOR & 0CUSTOMER master data (as an attribute). This works well, because its easy
  Now, new requirement is to create more strict analysis authorizations for 0TAX_NUMB based on other characteristic values.
  Auth1 (should apply to 0TAX_NUMB used in 0VENDOR):
  0TAX_NUMB = all values and only for vendor account group = XXX
  Auth2 (should apply to 0TAX_NUMB used in 0VENDOR):
  0TAX_NUMB = all values and only for vendor account group = yyy
  Auth3 (should apply to 0TAX_NUMB used in 0VENDOR):
  0TAX_NUMB = all values and only for vendor account group = zzz
  Auth4 (should apply to 0TAX_NUMB used anywhere other than 0VENDOR, for example, as I said above its also used in 0CUSTOMER and may be used elsewhere in future):
  0TAX_NUMB = all values
  Do I also need to add 0CUSTOMER here? unable to visualize!!!
  Also, 0TAX_NUMB and Vendor account group will have colon authorization.
  So, at this time I am not sure how this will impact other queries with following scenario(s):
  User1 has auth1:
  Here, User1 can see tax_numb values for vendor act grp XXX, thats good, so far.
  But can user see query results where tax_numb is not used but would like to see all vendor account group related data (or other than value XXX)?
  User2 has auth4:
  Since this auth has blanket tax_numb, can user2 see all values for tax_numb used in 0CUSTOMER (which he/she should) and also in 0VENDOR (he/she should not)...
  And what about queries that do not have 0TAX_NUMB (but infoprovider has)? Colon auth on TAX_NUMB & Vendor act grp would resolve this?
  I appreciate your thoughts on this. We are BW 7.01 (Ehp1), SPS10.
  Regards
  -Bala
  Edited by: Bala Shetty on Dec 15, 2011 12:02 AM
  Edited by: Bala Shetty on Dec 15, 2011 12:04 AM
  Edited by: Bala Shetty on Dec 15, 2011 12:05 AM
  Edited by: Bala Shetty on Dec 15, 2011 12:09 AM

  Thank you Sushant.
  I am aware of these notes and provide basic information and also usage of value restrictions. I am looking for usage of different combinations for multiple characteristics (especially the attributes of master data)....
  Regards
  -Bala

• Analysis Authorization Migration Question

  Analysis Authorization Migration Question
  This is detail Question
  1)     I am testing Analysis Authorization Migration in NW2004s SP9 and have applied all OSS notes that are relevant to SP09 and are coming in SP10.
  2)     We have 2 Info object flagged as Authorization relevant 0COMP_CODE and 0COSTCENTER
  3)     We have Object level security set-up in BW 3.x system and for a role we have specified values like 0COMP_CODE has value 1000, 1800. “:”. In the same role we have specified 0COSTCENTER value 130001 to 180001, “:”  and hierarchy node.
  4)     When we migrate to Analysis Authorizations, using RSEC_MIGRATION, this program creates 2 Authorizations ZCOCODE00 & ZCOSTCTRH00. Both of them have 0COMP_CODE and 0COST_CENTER Objects.
  5)     ZCOCODE00 authorization gets value 0COMP_CODE values 1000, 1800. “:” and 0COSTCENTER Value “:”.
  6)     On the same line ZCOSTCTRH00 gets value 130001 to 180001, “:”  and 0COMP_CODE “:”.
  1st Question:
  1)     Why does it create 2 Authorizations?
  2)     During Checking it does not pass the authorizations, because it seems to me that it fails in Optimization process.
  3)     I manually merge the authorizations in “ONE” object then authorization check passes.  In other word if I combine ZCOSTCTRH00 & ZCOCODE00 then Query authorization check passes.
  Any one is struggling on this.
  Please note, I am doing Migration so that it updates existing Profiles (Roles now from SP9).
  Any comments will be very help full.
  Pankaj Gupta

  Hello Pankaj
  There are some basic misunderstandings on your side.
  Let me try to clarify:
  First we should distinguish between migration of authorizations and of what a query does with them.
  You had 2 auth objects before migration (in 3.x).
  Of course, they must be migrated to 2 new analysis auths.
  There is no general possibility to combine authorizations to a single one as the may appear in different roles and users. Moreover this would kill performance and finally, nobody would recognize the origin.
  Only in very restricted cases one could think of a combination of auths which come out of migration. But, then people loose overview about what goes on.
  Before the corrections in note "Migration IV" the : had not been inserted but now it is for good reasons.
  Now, accept for the moment that you receive 2 auths.
  Then, you cannnot (must not) combine the 2 resulting authorizations!
  <b>Authorization 1</b>
  COMP_CODE : 1000, 1300, “:”
  Cost Center : “:”
  <b>Authorizations 2</b>
  Comp_Code “:”
  Cost Center : 3100001-31999999; “:” plus a Hierarchy Node.
  This means that e.g. combination
  COMP_CODE 1000
  COST_CENTER 3100001-31999999
  <u>is not allowed!!!</u> Therefore, they must not be combined!
  Also, the query and its optimization is comepletely independent of the migration. And here, during query run time the auths cannot be combined. It is no failure!
  Moreover, the merging optimization is just a performance optimizaiton and has nothing to do with whether the query result is authorized or not.
  If you combine them manually you have authorized different combinations.
  Well, now you may wonder why you get 2 auths at all which leads to a "no auth" result in the query execution.
  The reason is, that in 3.x where you got a result with your 2 auth objects the modeling was wrong.
  If you want to authorize any combination of characteristic values, you should combine these characteritics together in one auth object, not in 2!
  (In BI7.0 it works like that but not in 3.x)
  But you defined 2 which may be valid even in several other InfoProviders independently and not even at the same time. Moreover, the auth objects may come from different roles and may be assigend to different users which then have completely different auth content. In general it is not possible to combine different auth objects or to find out those special situations which nevertheless allow for such optimizations. If you re-do a migration with more objects and users you could even receive different results which is also not satisfying.
  Therefore, instead, the mechanism was introduced to insert a : auth to those characteristics that are auth relevant (and checked now with 7.0) but not in the currently processed auth object.
  In you special case it may have made sense to combine them but not in general. And a migration can only try to work as general as possible.
  For your application you may combine the 2 auths manually if you want to allow also the crossover combinations
  COMP_CODE 1000
  COST_CENTER 3100001-31999999
  Best regards
  Peter John
  BI Development

• BI 7.0 Analysis authorization creation issue

  Hi,
  We are prototyping the new analysis authorization concept have a question regarding the build.
  We've had the BI execute the pre-implementation tasks (activate the business related content and OTCT* and OTCTA* infocbues and and OCTA* infoCubes).
  There aren't any custom reporting objects to carry over since the queries were previously just secured by the S_RS_ICUBE Administrator Workbench - InfoCube with specific values for the Infocube. Since this object is no longer checked in query processing, is it a correct statement that the characteristic 0TCAIPROV (InfoProvider) should be populated with whatever values were listed in the S_RS_ICUBE object for the InfoCube field?
  We built an anslysis authorization via RSECADMIN per the requirements below and executed it with a test user ID assigned the regular reporting roles (with access to the queries).
  0TCAIPROV     InfoProvider     EQ          "Value 1"     
  0TCAACTVT     Activity                     EQ     03
  0TCAVALID     Validty Date          
  0TCAIFAREA     InfoArea          *
  However, when executing the query as this test user, we received a "you are not authorized messsage".  The trace didn't show detailed information, so we executed the same query with another user ID that was assigned 0b1_all and obviously could execute successfully.
  Is it correct assume that all the characteristics that were checked in the trace are authorization relevant for the query? we added the characteristics with full authorization and still couldn't execute. In addition, when checking these characteristics via RSD1, they weren't makred as authorization relevant, yet they still appeared in the trace.
  Is there something else that is misisng in the analysis authorization? I checked the characterics for variables and none were defined.
  Any troubleshooting tips would be appreciated.
  Thanks in advance

  Hi Julie,
  0TCAIPROV should have values of infoprovidors ( infocubes) that you want the user to have access. If you dont want to restrict it by infoprovidors then you can give a  ' * ' for 0TCAIPROV  CP value ' * '.
  Also make sure when you run the query it is not looking for any other infoobjects which have been made Auth relevant.
  You can actually see the error log for queries
  Go to RSECADMIN --> Analysis tab  --> click error logs --> click configure log recording --> enter the test id and save. Now you do the test using the test id for query. Then come back and see the log for the test user and it will tell you what went wrong. Please let me know if you have any questions.
  Thanks,
  Karthik Kiran

• Analysis Authorization with SEM-BPS

  Hi,
  We have performed technical upgrade from BW 3.5 to BI 7.0. We want to migrate to BI 7.0 functionality phase wise.
  We have SEM-BPS and now we want to migrate to Analysis Authorization of BI 7.0.
  Once we have igrated to Analysis Authorization, will there be any impact on SEM-BPS? Can we still use SEM-BPS with New Analysis Authorizations? We do not want to move to BI-IP in near future?.
  Please advise.
  Best Regards,
  UR

  Dear UR,
  Iu2019m going to try helping you,
  In difference of reporting functionality, in planning, the data of an InfoCube is not just read; it is also changed or created.
  There are two planning tools in BI: BW-BPS (Business Planning and Simulation), and BI Integrated Planning.
  There are two main tcode: BPS0 and RSPLAN
  There are three authorization objects to manage Integrated Planning:
  S_RS_PL_ADMIN - Planning Administrator
  S_RS_PL_PLANNER u2013 Planner
  S_RS_PL_PLANMOD_D u2013 Planning Modeler (Development System)
  The main object in the planning scenario is InfoCube real-time, where can available writing in small package that arrive in parallel. In some cases the security requirements for reporting and planning can be merging. In this case you need authorization object for checking planning, as authorization object above, and you need authorization object for using a query for planning requires as S_RS_COMP.
  In addition to authorization for displaying data, the authorizations for changing data you need analysis authorization (the analysis authorization focus in the InfoProvider, no in Aggregation Level).
  In your analysis authorization design for reporting stuff, you should use in 0TCAACTVT characteristic 03 value. In the planning stuff, you should use in 0TCAACTVT characteristic 03 and 02 values. As explain following:
  Using the characteristics 0TCAACTVT (activity), you can restrict the authorization to different activities. Read (03) is set as the default activity; you must also assign the activity Change (02) for integrated planning.
  http://help.sap.com/saphelp_nw70ehp1/helpdata/en/b1/0c9441b8972e7be10000000a1550b0/frameset.htm
  I hope this suggestion can help you answer question,
  Luis

• Analysis Authorizations - What exactly does 0TCAIPROV  do?

  Hi,
  I am implementing security for BI 7.0 and I got these questions. Based on what I understood about the new concept I am framing the questions below.
  1. Is specifying values (Infoprovider names) in 0TCAIPROV equivalent to putting the 'check for info providers' in the old security concept?
  2. What is the difference between 0TCAIPROV and 0INFOPROV?
  When I executed a query I gave the infoprovider name that the query is accessing in the auths, in 0TCAIPROV field and gave the same name in 0INFOPROV. It failed. So, I ran a trace and found that the system is checking for aggreagated auths i.e, it is looking for : to be filled in 0INFOPROV. I am a little bit confused here. Why exactly do I need to include 0INFOPROV in the authorizations in the first place when I already have 0TCAIPROV included. And why did it fail when I entered the name of infoprovider in 0INFOPROV, and why is it looking for a "non-inforprovider name" (which is ':' ), and why is it asking for : to be filled in.
  Any help on this is greatly appreciated.
  thanks,
  Sashank

  1. Is specifying values (Infoprovider names) in 0TCAIPROV equivalent to putting the 'check for info providers' in the old security concept?
  Yes. You can also specify the infoarea instead of infoprovider by choosing the hierarchy option on 0TCAIPROV!
  2. What is the difference between 0TCAIPROV and 0INFOPROV?
  When I executed a query I gave the infoprovider name that the query is accessing in the auths, in 0TCAIPROV field and gave the same name in 0INFOPROV. It failed. So, I ran a trace and found that the system is checking for aggreagated auths i.e, it is looking for : to be filled in 0INFOPROV. I am a little bit confused here. Why exactly do I need to include 0INFOPROV in the authorizations in the first place when I already have 0TCAIPROV included. And why did it fail when I entered the name of infoprovider in 0INFOPROV, and why is it looking for a "non-inforprovider name" (which is ':' ), and why is it asking for : to be filled in.
  When you specify 0INFOPROV as auth relevant, this characteristic is in a multiprovider. When you build queries on a multiprovider, you can specify which base cubes under that multiprovider a user can access by using characteristic 0INFOPROV. 0TCAIPROV is a special auth characteristic that allows you to flag which infoproviders that this analysis authorization is relevant for.

• BW Analysis authorization issue on cost center range

  Hello BIW security experts
  I have a problem where I created an analysis authorization on a cost center range and it looks like the interval is not working. The report is just a list of cost centers (demo to users to prove that analysis authorizations work in order to skip 2 managerial cost centers.
  . Cost centers are numeric. Example:  2000100. In the drop down list they appear as such.
  . I want to have the following cost center range: 1000000 to 1000771, 1000773 to 2000771, 2000773 to 9999999.
  Thereofore 1000772  and 2000772 should not appear in the list.
  . In the analysis authorization I have put the 3 ranges above on 3 separate lines. 'BT' is the operator. The cost centers have been selected from the drop down list.
  Results:  I get only 1 record from the report....  2000772. (which is one I want to exclude..
  Steps tried to debug:
  . When I put a list of cost centers in the analysis authorization on separate line with the 'EQ' operator, then the report works.
  . I tried putting ' ' delimiters since cost center is a char field but it fails.
  . I tried adding leading and trailing zeros to fill up the char(10) but no luck.
  . I tried creating a hierarchy with the interval and put it in the hierachy auth. tab and it does not work either. It gives the same number of records than the first step.
  . A hierarchy with single values work.
  I do not know what else to try..
  Thanks.
  YB.

  Good morning
  Here it is from RSECVAL
  ZCC_TEST     0COSTCENTER                    I       BT        1000000                                                      1000771
  ZCC_TEST     0COSTCENTER                    I       BT        1000773                                                      2000771
  ZCC_TEST     0COSTCENTER                    I       BT        2000773                                                      9999999
  ZCC_TEST     0COSTCENTER                    I       EQ        #
  ZCC_TEST     0COSTCENTER                    I       EQ        :
  ZCC_TEST     0INFOPROV                         I       CP        *
  ZCC_TEST     0TCAACTVT                        I       EQ        03
  ZCC_TEST     0TCAIPROV                         I       CP        *
  ZCC_TEST     0TCAKYFNM                       I       CP        *
  Thank you for your help.