Generated analysis authorization cannot be changed

Similar Messages

• Dynamic Analysis authorization to handle changing row level security in BW

  Hi experts,
      Is it possible to implement SAP BW 7.x ANALYSIS AUTHORIZATION in a dynamic manner. One example of this will be to replicate the CRM Organization model in SAP BW and display data as per organization Model.
     One example would be a Manager or a Org unit able to display all Sales Orders where all employee belonging to that Org unit are maintained in those Sales Order as employee responsible. If this Org structure is static it can be easily done in BW BY Analysis authorization. But not sure about the approach when the Org structure changes in a regular interval in CRM,
  Thanks for help

  If you maintain the "Org structure" as a BW hierarchy, and if it always changes in CRM,
  then you just need to load the hierarchy again to BW after the change in CRM.
  In the analysis authorization, e.g. if you assign a user to be authorized for all nodes and leaves under a certain node A,
  then it would still work even if what's below node A changes.
  Hope this answers your question.
  Regards,
  Patricia

• To generate DELTA changes via Analysis Authorization Generation

  How to generate Analysis Authorization for DELTA changes?
  I have reviewd the document
  http://help.sap.com/saphelp_nw2004s/helpdata/en/59/fd8b41b5b3b45fe10000000a1550b0/frameset.htm
  Can someone give me a step by step for Delta changes auth generation.

  SAP Note Number: 1052242  - BI Analysis authorization: Generation
  Refer to this SAP notes.
  Hope this would help you.

• Analysis Authorization (Role, Profile and Direct Assignments)

  <b>Analysis Authorization Question:</b>
  1)     In BW 3.x environment, customers have used Role Maintenance Process to assign proper object level security and then assign to the users.
  2)     Most of the places R/3 security team takes over support/administration function of BI Security and they continue to use Role method to assign “Reporting Authorizations” as per the process defined in BW 3.x system.
  3)     Customer sometime have 100 + Roles to have 3.X “Reporting Authorizations”. This is Managed, assigned, approved using role concept.
  <b>
  Migration Options:</b>
  1)     New Analysis Authorization makes process of Role Maintenance like "hierarchy authorizations" of BW 3.x. You have to create Value in other transactions and assign them in Role as a pointer or link object. With Analysis Authorization concept, Actual value of the Object Assigned “Like Company code 1100” not visible in Role Maintenance PFCG transactions. It is only visible in Transaction code RSECADMIN.
  2)     Analysis Migration Tool - RSEC_MIGRATION does not update “ROLES”. It creates or changes “PROFILES”.
  3)     Profiles are assigned to the users and Roles does not reflect any Impact by Analysis Authorization migration.
  <b>Questions</b>
  a)     This means customer need to update all the roles by hand. If they want to use Roles to manage the assignment of the Security to users. Migration Tool does not update Roles, it only updates PROFILES.
  b)     Does any one use direct assignment to Users? It is good business practice?
  c) Is <b>Profiles</b> recommended method of Authorization Maintenance?
  d) Can we run migration tool to create Analysis Authorizations, but not assign to the users as a Profile. But stop at creating Analysis Authorizations. If Customer wants to use Roles maintenance process then, they can do not have delete profile assignments from all users before updating Roles using Analysis Authorizations.
  Just want to check how other folks have done migration that can be supported going forward.
  Pankaj Gupta

  Hey Pankaj,
  In general, assigning the analysis authorization directly to user makes a lot of sense for granular levels of authorization. For example, if you had 3,000 users, 3,000 specific authorization combinations, and 3,000 roles, using roles is a lot of additional overhead. If you had 12 roles and 3,000 users, your role concept makes a lot of sense.
  Therefore, the recommendation is that it varies on what makes the most sense logically. Authorization groups can be created to group analysis authorizations and combine them. Also, you have the ability to generate analysis authorizations using the Content Datastores for this. That is an option as well.
  RSEC_MIGRATION does use profiles as you've stated. If you want, there would be manual work to convert to roles afterwards. In case you haven't seen Marc's presentation on security, it's pretty good and covers how to generate authorizations from the datastore.
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/media/uuid/ac7d7c27-0a01-0010-d5a9-9cb9ddcb6bce

• Table that stores Analysis authorization values

  Hi all,
         We generated analysis authorizations for users on Profit centers. In RSECADMIN for each user we see an automatic authorization object being assigned with a name like RSR_000234  so on. We can see the values (profit centers) for this object when we double click on it. I would like to create a list of all users and the assigned profit centers. Can you please tell me if a table is available to get this list.
  Thanks,
  Ram.

  Chetan,
           We are loading authorizations values to 0PROFIT_CTR from ECC and flatfile into the Authorization DSO's and generating authorizations to assing the profit centers to users. I would like to see the profit centers assigned to a user. For example suppose if a user is assigned a particular region. I would like to see all the values of the profit centers assigned to the user from a table rather than going to the hierarchy and getting the list for each region.
          The tables that you specified give the userid and the technical name of the authorization(RSR_000234..) but I would like to see the actual values in the authorization.
        Hope I am clear. Thank you for your assistance.
  Ram.

• I am trying to authorize my computer and I get an error message: The required directory was not found or has a permissions error. Correct this permissions problem and try again, or deauthorize this computer if the permissions cannot be changed. Help?

  I am trying to authorize my computer and I get an error message: The required directory was not found or has a permissions error. Correct this permissions problem and try again, or deauthorize this computer if the permissions cannot be changed. Help?

  I used Terminal to change the permissions on the folder in question.  I followed the instructions in this article:
  iTunes: Missing folder or incorrect permissions may prevent authorization
  In my case, the folder was there, so I needed the command to change permissions on the folder, not to create one.   I was hesitant to use Terminal b/c I know that if I made an error I could wipe out my hard drive or render my computer unusable.  So to be SURE I didn't make an error, I carefully copied the command from that page and *pasted* it into Terminal.  Also, before I could do anything in Terminal, I had to go change my admin password (it had been a blank password before and that's not acceptable for making changes in Terminal).  I was just super careful when entering my password or doing anything else while Terminal was open (making sure I didn't accidently hit the spacebar or another key, etc.)  And it fixed the problem right away.
  What was confusing for me was that the iTunes error message said to change permissions in the FINDER, which is what I was trying to do.  It didn't mention Terminal.  What would really be helpful is if Apple included a link to a page like this in their error message.

• Getting authorization error message: Required file was not found or has a permissions error. Correct this permissions problem and try again, or deauthorize this computer if the permissions cannot be changed.

  I have recently purchased this MacBook used and am trying to authorize it on the iTunes Store but even after uninstalling iTunes and re-installing it with a fresh copy I'm getting this error message: "The required file was not found or has a permissions error. Correct this permissions problem and try again, or deauthorize this computer if the permissions cannot be changed."  And I have no idea of where or how to fix this issue.  Any help or suggestions will be greatly appreciated.  I even tried to deauthorize this computer and got the same error message.  HELP!

  I used Terminal to change the permissions on the folder in question.  I followed the instructions in this article:
  iTunes: Missing folder or incorrect permissions may prevent authorization
  In my case, the folder was there, so I needed the command to change permissions on the folder, not to create one.   I was hesitant to use Terminal b/c I know that if I made an error I could wipe out my hard drive or render my computer unusable.  So to be SURE I didn't make an error, I carefully copied the command from that page and *pasted* it into Terminal.  Also, before I could do anything in Terminal, I had to go change my admin password (it had been a blank password before and that's not acceptable for making changes in Terminal).  I was just super careful when entering my password or doing anything else while Terminal was open (making sure I didn't accidently hit the spacebar or another key, etc.)  And it fixed the problem right away.
  What was confusing for me was that the iTunes error message said to change permissions in the FINDER, which is what I was trying to do.  It didn't mention Terminal.  What would really be helpful is if Apple included a link to a page like this in their error message.

• HT1848 I cannot authorize my computer, I'm having this error message The required file was not found or has a permissions error. Correct this permissions problem and try again, or deauthorize this computer if the permissions cannot be changed." please hel

  cannot authorize my computer, I'm having this error message The required file was not found or has a permissions error. Correct this permissions problem and try again, or deauthorize this computer if the permissions cannot be changed." please help me

  Doublechecking. In the course of your troubleshooting to date, have you worked through the instructions from the following document?
  iTunes: Missing folder or incorrect permissions may prevent authorization

• Workbench Request for changing the Analysis Authorizations Switch in SPRO

  Hi Gurus,
  While changing the Analysis Authorizations Switch in DEV(SPRO), its asking to create a work bench request.
  so it means after creating a work bench request should we transport that particular work bench request to QA.
  Please help with some suggestion.
  Regards
  Padmaja.

  Just to add to this... the same way you need to transport a role up the stack, you have to transport AA object up the stack.
  Check out this Wiki
  https://wiki.sdn.sap.com/wiki/display/BI/HowtotranportroleandAAtogetherinBI
  Regards,
  Zaheer

• Transport roles and analysis authorization with user assigned

  Hi expert,
  I face with this problem transport roles and analysis authorization with user assigned. When I have created a transport request to move the roles and analysis authorization from development system to test system. I couldnu2019t maintain the user assigned, after transport I have to assigned manually all of user or create a program to fill AGR_USER table or there are other way.
  Thanks for your time,
  Luis

  Hi,
  In role administration, you have the following options for transporting roles:
  You can download the roles from one system and upload them into another  
  You can import the role from a remote system using RFC  
  You can transport the roles with the transport function.
  Role upload loads all role data, including authorization data from a file into the SAP system. The user assignments for the role and the generated profiles for the role are exceptions in this case.
  Transporting Roles with the Role Transport Function
         1.      Start the role administration function by choosing Tools ® Administration ® User Maintenance ® Role Administration ® Roles (transaction PFCG).
         2.      Enter the role to be transported and choose Transport Role.
  The Mass Transport of Roles screen appears. You can control the default settings for the options Also transport single roles for composite roles and Also transport generated profiles for roles using Customizing switches (see Role Administration Functions in the section Functions of the Utilities Menu).
  You should not change the authorizations profiles of the role after you have included the role in a transport request. If you need to change the profiles or generate them for the first time, transport the entire role again afterwards.
  For more information go thrpugh the below link
  http://help.sap.com/saphelp_nw70/helpdata/EN/6d/7c8cfd410ea040aadf92e1f78107a4/content.htm
  Regards,
  Marasa.

• Analysis Authorization in BO 4.0 Webi report

  Hi All,
  I am using BO 4.0 and creating connection from Information Design tool to a BW query using BICS client. This connection is then published to CMC.
  We are using SAP authentication and importing the roles from BW system. We have added profiles to this role and these profiles have Analysis Authorization set on Company Code. So one user can access data to one company code and vice versa. Now this works well in Bex Analyzer, but if I try to create a report in Webi, the analysis authorization fails. I went through the forum before posting this question and I found that is in 3.1 version and in most cases using SSO in universe connection solved the problem.
  However in 4.0 I am using BICS client and followed the same processes to create a connection but for some reason it doesn't work ? Is this suppose to work differently in 4.0 ?
  I have tried:
  1. To create connection in Information Design tool using SSO, selecting user ID and password. It doesn't work.
  2. Checked the Bex query and it already has Company code as a Characteristic restrictions (I have made it a mandatory variable).
  3. Publish the connection to CMC with my Enterprise and SAP ID and in both cases it doesn't work.
  Please let me know if anyone encountered a similar issue and what is the best method to resolve this.
  (BO 4.0 no service pack or fix pack installed on the system yet)
  Thanks - Appreciate your help !
  Prasad Rasam

  Ingo,
  1. To create connection in Information Design tool using SSO, selecting user ID and password. It doesn't work.
  >> Correct you need to setup you OLAP Connection with SSO.
  >>> What I meant was I created the connections using both the methods, Using SSO it allows me to create a connection. The ID which I am using to create a connection has Admin access to BOBJ system. When I login as a regular user to create a Webi report and select this new connection, it throws an error message 'The DSL Service returned an error: com.businessobjects.dsl.services.workspace.impl.QueryViewAnalyzer$CannotGetCubeFromConnectionException: Cannot get the cube from the connection'
  Using the other method to create a connection with User ID and password, I can create a connection and with the normal user login I can connect to the BW query but Analysis Authorization doesn't work.
  Ingo : Could you be more specific what you mean here with the different users ? When you say "regular" user are you referring to an SAP credentials or SAP BusinessObjects Enteprrise credentials ?
  2. Checked the Bex query and it already has Company code as a Characteristic restrictions (I have made it a mandatory variable).
  >> The variable in the BEx query needs to be an authorization variable.
  >>> This has already been set as Authorization variable. There is still a question here. If I select the variable as Authorization variable, I cannot set the other parameters in the query properties such as Mandatory variable (as this is greyed out).
  Ingo : What other parameters would you like to configure ? Could you perhaps describe the scenario with more details ?
  regards
  Ingo Hilgefort

• Analysis Authorization Issue 7.3

  Hello Friends,
  System BW 7.3, Currently there are 80 odd analysis authorization objects
  We want to introduce a new info object (GL Account) to be authorization relevant, ( there are few objects in the system which are already authorization relevant in the system with proper analysis authorization objects and they are working fine)
  Things done, made the GL Account object authorization relevant in RSA1, Created 2 analysis authorization objects with GL Account and TCT objects and one with hierarchy restrictions and one open access.
  Added this object to the user in addition to its already existing authorization objects. Created authorization variable in BEx.
  Some how the authorization is not picked up and it gives us all the values in the report. But if I add the GL Account info object to the existing analysis authorization objects then it works fine.
  I do not want to change all the existing analysis authorization objects to add GL Account.
  Your inputs are most welcome.
  Thanks
  Ed.

  Gajesh- I have added the new analysis authorization object to the user in RSECadmin.
  Subhendu- Problem statement: What are the steps involved in making a new info object(GL Account) authorization relevant. Authorizations are given at hierarchy level. Can we create a new analysis authorization with  GL Account only or do we have to add it to every existing analysis authorization
  I have done the following steps
  1. Made the GL Account object authorization relevant in RSA1,
  2. Created 2 new analysis authorization objects with GL Account ( with hierarchy restrictions) and TCT objects and one with GL Account open access.
  3. Added this object ( which has restrictions) to the user in RSECADMIN, in addition to its already existing authorization objects.
  4. Created authorization variable in BEx.
  5. No existing analysis authorization objects have been changed.
  When I test the report, It does not restrict based on the hierarchy that I have given, it gives open access.
  But If I add GL Account with restrictions to the existing analysis authorization object, it works good.
  Guess I am missing some thing here.
  Do you need any other screen shots.
  Thanks
  Ed.

• Impact of Analysis Authorization on Users using old Authorization

  Hi All,
  I have question regarding Analysis Authorization. Our system has old authorization concept and as part of our project we decided to go for Analysis authorization for Cost Center object. We activated analysis authorization for cost center, assigned it to test user id and found that its working fine in Dev. But it has impacted other users in the system. They are not able to access any other reports and data providers which were not even referring cost center. What is the proper way to activate analysis authorization without impacting access to existing users.
  - Som

  Hello Andreas,
  Sorry to ask you directly here, I didn't get answer from this forum. We will migrate to the new analysis authorization from old reporting concept. I have read the book "An Expert guide to new SAP BI security features" by SAP Lavs, but still confused with some parts. My questions is:
  Are there two ways to create authorizations as follows?
  1. we can type tcode rsecadmin>Maintence button>create a new authorization.
  2. the following part taken from the book:
  Steps for Generating Authorizations
  1. Activate Business content
  2. Load Datastore objects
  3. Generate Authorizations
  4. View Generation Log.
  In the first step, OTCA_DS01 to OTCA_DS05 and OCCA_O01 to OCCA_O03 are Datastore objects required to be activated.
  In the second step, tcode rsecadmin-->generation button --> type OTCA_SDS01 to OTCA_DS05 into respective filed. Should we always type these 5 objects everytime when we create authorization?
  When we should use the second way to create authorizations? and what is the diffrence between them?
  Any answers will be appreciated. Thank you very much in advance!
  Haifeng

• Analysis Authorization

  We have a need to restrict the majority of our users from seeing transactions of few business accounts.  The restricted accounts can be based on a specific gl account, fund range, or they can be a combination of a fund and cost center (or fund and fund center).  Until we become more familiar with this process, we are only concerned with 0FUND and it's restricted ranges, so below my question is just about 0FUND.. 
  We need to explore and understand what abilities analysis authorizations give us. I have done a lot of reading, but so far all of the pieces are not falling into place.  I am on the BW team and working with the security team to get this accomplished.  At this time whereever 0FUND is located in an existing authorization, it has a "*" to indicate the user gets all values.  We have already gone live; will every authorization currently in use with 0FUND have to be changed?  Is there a detailed How-To located somewhere?
  thank you in advance for your help.
  LLK

  Hi Linda,
  SUIM - User Information System is a TRANSACTION CODE. (Its not SUM)
  Execute SUIM and follow the path mentioned below:
  SUIM -> User -> Users by complex selection criteria -> Users by complex selection criteria. In the Authorization object field mention S_RS_AUTH and in the field mention the name of the analysis authorization which you want to search for.
  The output would be users who have access to the analysis authorization that you gave in the search criteria.
  Since in your case there would be a lot of analysis authorizations with * in 0FUND,  it would be better to identify the roles first and then the users assigned to these roles.
  You can identify the roles by browsing the table SE16. Just give the object name and all the analysis authorizations in the multiple selection on appropriate fields. Then use SUIM to identify the users who have access to these roles.
  SUIM -> User -> Users by complex selection criteria -> By Roles.
  You can also display the roles in this report by pressing the Roles button at the top. Apply filter to restrict the roles to your identified roles.
  Thats it !
  Regards
  Sachin

• Analysis Authorization Migration Question

  Analysis Authorization Migration Question
  This is detail Question
  1)     I am testing Analysis Authorization Migration in NW2004s SP9 and have applied all OSS notes that are relevant to SP09 and are coming in SP10.
  2)     We have 2 Info object flagged as Authorization relevant 0COMP_CODE and 0COSTCENTER
  3)     We have Object level security set-up in BW 3.x system and for a role we have specified values like 0COMP_CODE has value 1000, 1800. “:”. In the same role we have specified 0COSTCENTER value 130001 to 180001, “:”  and hierarchy node.
  4)     When we migrate to Analysis Authorizations, using RSEC_MIGRATION, this program creates 2 Authorizations ZCOCODE00 & ZCOSTCTRH00. Both of them have 0COMP_CODE and 0COST_CENTER Objects.
  5)     ZCOCODE00 authorization gets value 0COMP_CODE values 1000, 1800. “:” and 0COSTCENTER Value “:”.
  6)     On the same line ZCOSTCTRH00 gets value 130001 to 180001, “:”  and 0COMP_CODE “:”.
  1st Question:
  1)     Why does it create 2 Authorizations?
  2)     During Checking it does not pass the authorizations, because it seems to me that it fails in Optimization process.
  3)     I manually merge the authorizations in “ONE” object then authorization check passes.  In other word if I combine ZCOSTCTRH00 & ZCOCODE00 then Query authorization check passes.
  Any one is struggling on this.
  Please note, I am doing Migration so that it updates existing Profiles (Roles now from SP9).
  Any comments will be very help full.
  Pankaj Gupta

  Hello Pankaj
  There are some basic misunderstandings on your side.
  Let me try to clarify:
  First we should distinguish between migration of authorizations and of what a query does with them.
  You had 2 auth objects before migration (in 3.x).
  Of course, they must be migrated to 2 new analysis auths.
  There is no general possibility to combine authorizations to a single one as the may appear in different roles and users. Moreover this would kill performance and finally, nobody would recognize the origin.
  Only in very restricted cases one could think of a combination of auths which come out of migration. But, then people loose overview about what goes on.
  Before the corrections in note "Migration IV" the : had not been inserted but now it is for good reasons.
  Now, accept for the moment that you receive 2 auths.
  Then, you cannnot (must not) combine the 2 resulting authorizations!
  <b>Authorization 1</b>
  COMP_CODE : 1000, 1300, “:”
  Cost Center : “:”
  <b>Authorizations 2</b>
  Comp_Code “:”
  Cost Center : 3100001-31999999; “:” plus a Hierarchy Node.
  This means that e.g. combination
  COMP_CODE 1000
  COST_CENTER 3100001-31999999
  <u>is not allowed!!!</u> Therefore, they must not be combined!
  Also, the query and its optimization is comepletely independent of the migration. And here, during query run time the auths cannot be combined. It is no failure!
  Moreover, the merging optimization is just a performance optimizaiton and has nothing to do with whether the query result is authorized or not.
  If you combine them manually you have authorized different combinations.
  Well, now you may wonder why you get 2 auths at all which leads to a "no auth" result in the query execution.
  The reason is, that in 3.x where you got a result with your 2 auth objects the modeling was wrong.
  If you want to authorize any combination of characteristic values, you should combine these characteritics together in one auth object, not in 2!
  (In BI7.0 it works like that but not in 3.x)
  But you defined 2 which may be valid even in several other InfoProviders independently and not even at the same time. Moreover, the auth objects may come from different roles and may be assigend to different users which then have completely different auth content. In general it is not possible to combine different auth objects or to find out those special situations which nevertheless allow for such optimizations. If you re-do a migration with more objects and users you could even receive different results which is also not satisfying.
  Therefore, instead, the mechanism was introduced to insert a : auth to those characteristics that are auth relevant (and checked now with 7.0) but not in the currently processed auth object.
  In you special case it may have made sense to combine them but not in general. And a migration can only try to work as general as possible.
  For your application you may combine the 2 auths manually if you want to allow also the crossover combinations
  COMP_CODE 1000
  COST_CENTER 3100001-31999999
  Best regards
  Peter John
  BI Development