Generation of Authorizations in BI 7.0

Similar Messages

• Help regarding BI Authorization

  Hi Experts,
  I am working for first time on BI analysis authorization and I am having below queries to be clarified. Can you all please clarify my queries and help me.
  1. In the project, we will not use HR and will therefore have to do local maintenance of authorizations in each system (for data access, we will also use a central identity management system). This will for sure affect the possibility of the automatic generation of authorizations. My first question is: can it still be used at all (can we load some data via flat-file or maintain some master data in BI)?
  2. Is the concept of having queries linked to PFCG roles to be used at all in BI 7 (according to SAP standard), or is the thought that InfoProvider authorization should be used instead via 0TCAIPROV?
  3. Is the following a correct way to do authorizations in BI 7, or if there is something that should be changed to comply with standard?
  - Make the following characteristics authorization relevant: 0COMP_CODE, 0SALESORG, 0PLANT
  - Activate the technical content for analysis authorizations: 0TCA*
  - Create authorizations in RSECADMIN, where we link a authorization object to a characteristic value (for instance, assign object: "XY" to characteristic=0comp_code with value=1010)
  - Link the authorizations just created to PFCG roles (for instance create a PFCG role "XY access" which gives access to company code 1010).
  - Create PFCG roles for "Report User" and "BW Developer" which have access to read respective create/change/delete rights of queries.
  - Create PFCG roles with certain queries linked to them.
  - Assign the PFCG roles to BW Users.
  4. Does the BI 7 authorization concept enable the use of user groups, or should authorizations be assigned on a user to user basis?
  5. What happens if I make a characteristic authorization relevant and then include this characteristic in a query and do not do any restriction on this characteristic (i.e. I do not provide any auth values to the system), will I then get an authorization error?
  6. If automatic generation of user authorizations is used together with for instance SAP HR and loaded daily, does this mean that any other manual authorization assignments will be deleted/reset upon the next automatic generation?
  7. Is the following a correct way to do authorizations in BI 7, or if there is something that should be changed to comply with standard?
  - Make the following characteristics authorization relevant: 0COMP_CODE, 0SALESORG, 0PLANT
  - Activate the technical content for analysis authorizations: 0TCA*
  - Create authorizations in RSECADMIN, basically one object that has a restriction for each of the authorization relevant characteristics and that uses different customer exit variables to determine which values to use. This customer exit then reads some table (which we maintain manually in BI) to find the values for each user based on user name.
  - Link the authorization just created to a PFCG role.
  - Give all reporting users this PFCG role.
  - Create PFCG roles with certain queries linked to them.
  - Assign the PFCG query roles to users.
  Thank you very much in advance for helping.
  Thanks & Regards,
  Sharath

  Sharath,
  Here are some insights/replies to the list of questions you supplied. BW Security can be complicated but the trick is NOT to allow the requirements to allow it to be complicated.
  1) Are you sure you dont mean the IdM system will assist with role-based access assignments? If that is the question then, yes. For the data access (linked to roles via S_RS_AUTH : Analysis Authorizations) you could employee a flat-file load to DSOs and variable security on the authorizaiton relevant charactistics.
  2) Yes, you will need to have authorizations to queries/reports via S_RS_COMP/S_RS_COMP1 still maintained in the roles. The InfoProvider (data access) will be maintained in the Analysis Authorization (S_RS_AUTH). You need to have both in order to successfully pass the auth checks from query/report to data.
  3) Fundimentally (BW Security 101) sounds correct but again it typcially depends on the implementation and requirements on how you setup the anaylsis authoriations along with the roles.
  4) No sure what you mean about "user groups" Analysis Authorizations can be assigned to "Users" or "Roles".  You could always assign roles to user groups via SU10 or via IdM solution.
  5) Depends on how its used in the query. If the query is dependant on a value to render the report (included in intial SQL stmt) then you will get "No Authoriation". If its setup as a free characteristic or drill-down, then you wont get authorization error until a statment checks values for authorization.
  6) Depends on how it was implemented. refer to #3
  Hope that helps a little.
  Thanks,
  Matt

• Generating Authorization for non HR/CO requirement

  Hi Experts,
  I am planning to use the generation of authorizations concept for my security requirement. The business users have to view data in the reports based on specific InfoObject values they are authorized to. We are getting this information viz. user and the values they have access to from the source system. I am planning to create a custom version of the standard DSO 0TCA_DS01 and load the data from the source system via a generic datasource. I will be using the standard program RSSB_GENERATE_AUTHORIZATIONS to generate the authorization for each user.
  My questions are:
  1. Is 0TCA_DS01 the right choice of DSO?
  2. If the answer to 1 is yes, then there is a field called 0TCTAUTH in the key fields of the DSO. I am not sure what information has to be brought in from the source system for this field
  3. Is there a way we can change the naming convention of the authorizations generated? If yes, how?
  I did go through this forum and most of the articles on BI Security. I understood the procedure, but the above questions are grey area that were not covered.
  Thanks in Advance!
  A

  I believe that you van use Structural Authorizations to fulfill this business requirement because these authorizations, although maintained based on Org structure, can be and are used across the variuos modules.
  Regards
  Lincoln

• Generated authorizations on 0ORGUNIT - Time-dep.hier.struct&Temp.hier. join

  Hello gurus,
  We use generated hierarchy authorization for 0ORGUNIT with Time dependent heirarchy structure & Temporal hierarchy join.
  Authorization objects (RSR_*) seems to generate well, however they don't work - query ends with EYE 007 message.
  If I make a copy of generated authorization object and split it into two objects - one with very the same 0ORGUNIT limitation and the rest of original auth. object, it suddenly works!
  So I don't know what's wrong whether the generation of authorization or evaluation process.
  We use EHP1 with 05 support package.
  BR
  Ondrej

  Ondrej,
  Please refer to the below post, it is helpful.
  Re: BI HR Structural Authorizations
  Also, refer to the below document. It is old but provides very useful steps to be followed.
  [http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/business-intelligence/a-c/bw_hr%20authorization%20-%20asap%20for%20bw%20accelerator]
  Update your findings.
  -Mann

• Authorization  step by step document on BI 7.0

  Dear Friends,
  Please  send me step by step document on BI 7.0 authorization ,
  Thanks in Advances
  RA

  You can find information from Help.sap.com, related link and initial information listed below.
  http://help.sap.com/saphelp_nw2004s/helpdata/en/59/fd8b41b5b3b45fe10000000a1550b0/frameset.htm
  Generation of Analysis Authorizations
  Use
  With the generation of analysis authorizations, you can load authorized values from other systems into DataStore objects and generate authorizations from them.
  In this way, necessary authorizations from the data for an application (for example, HR) can be generated so that users are able to see or not see the same data in the BI system as in the transactions of the application, even when the authorization concepts are different.
  You can use the generation of authorizations to generate either single authorizations or mass authorizations. It is suitable for scenarios that generate new authorizations periodically, that is, that are constantly changing. It does not necessarily make sense to assign these authorizations to the users in roles and profiles. This is not even possible for automatically generated names that keep changing. Therefore the generated authorizations are assigned directly in the BI system. This is considerably faster than generating them from profiles. If a fixed name is assigned, however, this can be done manually from role maintenance. Keep in mind, however, that there is the danger that you can overwrite constant names.
  The generation of authorizations is a dynamic authorization assignment that is an alternative concept to the role concept.
  Prerequisites
  An extractor must be available for authorizations (up to now, for HR and Controlling).
  For HR:
  You have to transfer the DataStore objects 0TCA_DS01 and 0TCA_DS02 (optional 03 to 05) from BI Content. These DataStore objects should be copied for each application for which you want a complete data load. For more information about the content objects at BI Content ® Human Resources ® Organizational Management ® DataStore Objects ® Structural Authorizations – Hierarchy and Structural Authorizations – Values
  For controlling:
  A complete scenario is available. Transfer the content objects: 0CO_OM_CCA_USER1 (DataSource and InfoSource), as well as the DataStore objects including update rules 0CCA_001, 0CCA_002, and 0CCA_003.
  For all other applications:
  Copy the templates 0TCA_DS01 and 0TCA_DS02 (optional 03 to 05) in DataStore objects for your application area (department, and so on). Note the naming convention with the digits 1 to 5 at the end.
  You need sufficient authorization for generation activities such as deleting, changing and generating analysis authorizations, changing user assignments (authorization object R_SEC), along with any other activities for creating or changing system users using NetWeaver authorization objects for user maintenance. The authorizations required in detail depend on the generation scenario.
  Features
  You get to this function through management of analysis authorizations (transaction RSECADMIN) at Authorizations ® Generation of Authorizations.
  The DataStore objects for generating authorizations have an analogous structure to the authorizations and contain the following authorization values:
  ●      Authorization data (values) (0TCA_DS01)
  ●      Authorization data (hierarchy) (0TCA_DS02)
  ●      Description texts for authorizations (0TCA_DS03)
  ●      Assignment of authorization users (0TCA_DS04)
  ●      Generation of users for authorizations (0TCA_DS05)
  The actual data to be used in the generated authorizations can be found in the two template DataStore objects 0TCA_DS01 and 0TCA_DS02.
  More information:
  ●      Template for DataStore Objects with Authorization Data (Values)
  ●      Template for DataStore Objects with Authorization Data (Hierarchy)
  You define which authorizations are to be generated from which DataStore objects. You then load your authorization data for them. This can be done for example with CSV files or with extractors. Automatic generation assumes correctly filled DataStore objects. However, the system tries to detect incorrect intervals and some other errors, and to correct them if possible. This is recorded in the log.
  For CSV files, the fields User and Authorization need not necessarily be filled with values. In general, however, these fields can be filled with names and numbers. There can be different results when you assign authorizations. You can find more detailed information in the detailed descriptions of the two template DataStore objects above.
  You can generate the authorizations on the Authorizations tab page under Generation in the transaction RSECADMIN. As an alternative, the report RSEC_GENERATE_AUTHORIZATIONS starts or schedules generation.
  Generating Single Authorizations:
  Maintain the user in the DataStore object 0TCA_DS01. It is assigned to the user when the authorization is generated. It can be used for assigning authorizations that are very user specific.
  Generating Mass Authorizations:
  Leave the User key field empty in the DataStore object 0TCA_DS01 and generate the authorizations. A profile appears that can be assigned to any number of users. The profile gets its texts from the DataStore object 0TCA_DS03. There can be language-dependent short, medium and long texts. You maintain the user in the DataStore object 0TCA_DS04. This generates your mass authorizations.
  Generation of Users
  You can also generate users with 0TCA_DS05. To do this, specify an existing reference user from which to copy. The newly created users are assigned randomly generated initial passwords that are not transparent. Users can only log on after manually changing the assigned password.       
  Generating Authorization Names:
  Generate explicit (meaningful) authorization names by filling the field for 0TCTAUTH with your desired name. As an alternative, you can also specify numbers to mark characteristic dimensions that belong to the same authorization. If field 0TCTAUTH is empty, technical names are generated according to the pattern RSR_00000012. All entries with the same name (or an empty field) are assigned the same authorization.
  If a technical name with eight digits (RSR_nnnnnnnn) was created for an authorization and then generated again, the existing names are deleted and new technical names are generated. As a result, the previous authorization is deleted and replaced with the new authorization. This new authorization might not be identical to the old one. You can prevent unintended overwriting by using a number range. There is an overflow after 100,000,000 generated authorizations and numbering starts with 1 again.
  Deletion of Authorizations and Regeneration
  For users for which data exists in the DataStore object that has to be regenerated, first the existing, generated authorizations are deleted. Afterwards, authorizations are generated using the data in the DataStore objects in the usual way.
  If a data record with the user name 'D_E_L_E_T_E' is loaded into the DataStore object 0TCA_DS01, first the generated authorizations for all users in the BI system for the DataStore object record are deleted (separated by the first part of the name before the digits) and then generated for the rest of the data.
  Log for Generation
  A detailed log is created during generation that documents the generation steps and that is displayed automatically. Old logs can be viewed from the transaction RSECADMIN under the Analysis tab page ®   Generation Logs or at the start of the report RSEC_GENERATE_AUTHORIZATIONS by clicking on the log symbol.

• CRM 7.0 How to create Business role & generate

  Hi Team,
  Can you please let me know some breif idea about CRM 7.0 security guide.
  How to created Business role is this part of functional activity?
  Whats the role of Technical colleagues BASIS guys in CRM 7.0 security .
  Please help me to get some document regarding business role creation , generation , assignment & authorization checks in CRM 7.0.
  Thanks & Regards,
  Vyash Mishra

  Hello Viyash
  I will add the most important information for generation of business roles and assignment of authorizations to users.
  You must first create the PFCG roles. PFCG role is built based on the Business Role.
  Please see documentation in : SPRO
  SAP Implementation Guide =>  Customer Relationship Management
  UI Framework  > Business roles > Define Authorization Role
  Then the PFCG role can be assigned to the business role in 
  SAP Implementation Guide =>  Customer Relationship Management
  UI Framework  > Business roles > Define Business role
  Finally you must assign business roles to Organizations or positions in organizations in
  SAP Implementation Guide =>  Customer Relationship Management
  UI Framework  > Business roles > Define Organizational Assignment
  The users that are assigned to such organizations / positions will be therefore linked to the business role.
  With the previous steps the users will have the authorizations that are assigned to the PFCG profile that is linked to their business role.
  Business roles are the main way to configure authorizations for users in CRM but you have more options that give you flexibility.Each business role has assigned one PFCG role, but the relationship between business role and PFCG role is not strict. You can even assign a dummy PFCG role to a certain business role in business role customizing and then go to transaction PFCG and assign other PFCG role(s) to the users that are assigned to that business role.
  I would say that the previous tasks must be performed by the basis team but in cooperation with the functional team
  Best Regards
  Luis Rivera

• Flat File Profiles vs Auth.Analysis : limited flexibility

  Hi,
  How can I combine values of different characteristics - that belong together from a auhtorization point of view - into one profile?
  The subject of this post may not be very clear, but let me explain what I need ...
  Suppose I have a user that may only display data in MultiProvider 'MP1', for country 'BE' and company code '1000'.
  That same user may also plan for country 'BE', but only for company code '2000' in MultiProvider 'MP2'.
  You could maintain this manually by having 2 analysis authorizations:
  analysis 1:
  0TCAACTVT EQ '03'
  0TCAIPROV EQ 'MP1'
  0COUNTRY EQ 'BE'
  0COMP_CODE EQ '1000'
  analysis 2:
  0TCAACTVT EQ '03' '02'
  0TCAIPROV EQ 'MP2'
  0COUNTRY EQ 'BE'
  0COMP_CODE EQ '2000'
  This is possible to achieve when you use t-code rsecadmin, maintain the values and assignments to users manually.
  But we have about 100 users, all with different values they are authorized to (partially display, partially changeable). It goes without saying that this is not possible to maintain manually. Therefore we would like to continue the old way: loading authorizations to DSO's and generate the profiles afterwards.
  How can I load files in the proper way that the right values are validated by the system together? This means that the system will allow the user to change/write data for country 'BE' and company code '2000', while the user will only be able to display data for 'BE' for other company codes (let's assume that the multiprovider does not matter in this case).
  I hope someone can help here, it's been a brainteaser for a while now.
  Please recall that it should be able to achieve this via flat file uploads!
  Thanks in advance!
  Kind regards,
  Bart

  Hi Andreas,
  Thanks for this information.
  The generation of authorizations itself is not the issue.
  We want to combine values of different InfoObjects in the same 'generated profile'.
  The combination of other values for the same selected InfoObjects should be generated in another 'generated profile', as described in the initial post?
  Any idea how this can be managed?
  Thanks in advance!
  Kind regards,
  Bart

• Integrated windows authentication with Oracle access manager 10g

  Hi SSo guys,
  Our project requirement is as follows:
  We have two applications Ebiz 11.5.10.2 and OBIEE10g and we are supposed to integrate IWA for both the applications
  so as per the below note OAM integration with IWA only works for the applications using IIS.
  So can we protect both the applications in OAM 10g and point those applications to two html pages say http://IIS hostname/ebiz and http://IIS hostname/OBIEE and protect those two resorces in OAM suing IIS webserver?
  As per the note :
  Doc ID 1072204.1 specify
  Excerpt from this doc:
  #-begin-
  OAM accomplishes IWA by using an OAM Webgate on the IIS Web Server that uses a hidden feature of external authentication to get the REMOTE_USER header variable value and map it to a DN for the ObSSOCookie generation and authorization. Behind the scenes, the IIS WebGate utilizes the UseIISBuiltinAuthentication parameter, by default, this value is false. IWA can only be achieved when this attribute is set to true on an IIS WebGate. This is not a valid parameter for any other OAM WebGate.
  #-end-

  It should be this way:
  Ebiz:
  1. Integrate OAM with OASSO
  2. Register OASSO and OID with Ebiz11.5.10.2
  3. Protect the resource in OAM
  4. Verify if authentication is successful for this resource.
  Obiee:
  1. Integrate OBIEE with OAM
  2. Verify if authentication is successful for this resource.
  IWA:
  1. Install IIS webser and webgate
  2. Create authentication scheme which protects / of IIS web server.
  Create a Form Authentication Scheme(this scheme should protect OBIEE and EBiz resource) which will have challenge redirect to IIS web server where IWA is configured and / is protected.
  Login Flow:
  1. User tries to access ebiz or obiee resource.
  2. Form Authentication Scheme will challenge redirect to IIS web server where IWA is configured.
  3. As IWA is configured. User will be automatically get ObSSOCookie.
  4. User gets redirected back to the requested resource.
  There is a My oracle support doc which talks in details about this setup.

• Error while generation of the Authorization object (

  Hi Gurus,
  I have created a Authorization object Z_CCTR3 for 0costcenter authorization.
  but getting following error while generation of the Authorization object (type is Flat authorization)
  "Error occurred when reading the data from DataStore object Z_CCTR3"
  Any inputs will helpful...
  Sonal.....

  Hello everybody,
                           my problem is solved.For the UDConnect, whatever DATA SOURCES you create gets registered in a FUNCTION MODULE which has a capacity of only 99 enties, so to increase it implement the SAP NOTE 876340 - UDC Error available on SERVICE MARKET PLACE.
  This problem occurs with BW version 3.5 level 17 or below.
  Regards,
  Priyanka
  Edited by: Priyanka Joshi on Jun 10, 2008 11:03 AM

• Authorization generation error

  Hi Gurus,
  I have created a Authorization object Z_CCTR3 for 0costcenter authorization.
  but getting following error while generation of the Authorization object (type is Flat authorization)
  "Error occurred when reading the data from DataStore object Z_CCTR3"
  Any inputs will helpful...
  Sonal.....

  Hi Kalyan,
  Hope the below documents will help for further analysis,
  http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/101fb4f5-eb7c-2c10-5daa-b479c47f0a14?QuickLink=index&overridelayout=true
  http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/659fa0a2-0a01-0010-b39c-8f92b19fbfea?QuickLink=elearn&overridelayout=true
  Thanks,
  Vinod

• To generate DELTA changes via Analysis Authorization Generation

  How to generate Analysis Authorization for DELTA changes?
  I have reviewd the document
  http://help.sap.com/saphelp_nw2004s/helpdata/en/59/fd8b41b5b3b45fe10000000a1550b0/frameset.htm
  Can someone give me a step by step for Delta changes auth generation.

  SAP Note Number: 1052242  - BI Analysis authorization: Generation
  Refer to this SAP notes.
  Hope this would help you.

• I have an old generation Apple TV 160GB when trying to rent I get a message that I have to authorize my account information on my computer via iTunes...There is no problem with my account info how is this done?

  I have an old generation Apple TV 160GB when trying to rent I get a message that I have to authorize my account information on my computer via iTunes...There is no problem with my account info how is this done?

  stf10 wrote:
  ... trying to move my I tunes to my ny PC. ...
  From where are you trying to move your iTunes...

• "Authorize this computer" not working. How to update 2nd generation IOS(2.2.1) to 4.2

  Hi
  I am trying to sync my 2nd generation ipod touch (2.2.1) after almost 3 years in Windows 7 machine. I installed itunes, but when I try to (Store-> Authorize this Computer), it asks for my apple id credentials. After entering details when i click "Authorize" it takes hours, displaying message-"Accessing itunes store". I had forgotten my password and i am using the new password i reset using "forgot password" link in apple website. Please advise how to authorize and upgrade my ios
  I am able to access the music, pictures and video files but not able to add new files or update the apps
  Thansk in advvance
  Satya

  To authorize you have to log into the account.
  Try rebooting the computer
  Powering off and then back on your router.

• Reg: Mass generation of roles with open authorization

  Hi,
           Is there an option to mass generate roles with open authorizations ?
           It would be helpful if it there exists some transactions or reports that would help in doing so unlike CATT scripts or batch sessions.
  Regards,

  Hi Arravind,
  Why cant you correct the roles by filling up those open fields?? I guess you can create a CATT script to acheive your objective but I suggest better to check why there are open fields in the role then generating them blindly.
  Do let us know if you need any more information from our side. If you want to know how to create a CATt script then search for it in SDN/Google you will surely get your answer.

• BW Authorization and setting issue to set up a BICS connection for Xcelsius

  We are trying to create a BICS connection with Xcelsius on our BW production system and would like to know what the minimal settings should be to be able to publish and run an Xcelsius dashboard. We have been able to make a BICS connection with Xcelsius and publish and run/launch the dashboard on BW development. BW Development is completely open; there are no restrictions on the settings. But of course we cannot open our production like this. We have tried to open our BW test according to the SAP NetWeaver How to Guide: How to... Create Authorization Objects Required to Work with Xcelsius Dashboards in SAP BW. We have done the following:
  First of all we get the following message when saving a Xcelsius file to BW, when all the settings are equal to the production settings (not modifiable):
  ! The specified technical name is not valid for the permitted namespace
  !     R7     063     Namespace u2018/BICS/u2019 must be set to u2018changeableu2019 (transaction SE06)
  After that we changed the settings on our BW test environment to modifiable by doing the following steps:
  1.     SCC4 (System temporarely open; after changing the system change options by SE06; the system will be closed again)
  2.     SE06 (Namespace /BIC/ to modifiable)
  After that when trying to do the same thing as before, saving the Xcelsius file to BW, we get the following error message:
  ! The specified technical name is not valid for the permitted namespace
  !     R7     017     Namespace u2018u2019 is not a valid BI namespace
  And also this message:
  Diagnosis
  Namespace u2018u2019 must be entered in both the BI table RSNSPACE and the basis table TRSNSPACE or the view V_TRNSPACE. You also have to enter the relevant generation namespace u2018&V2u2019 in table TRNSPACE. This value is taken from RSNSPACE.
  Both namespaces must be set to u2018Changeableu2019 u2013 providing they are not empty.
  System Response
  You cannot edit or create an object in this namespace.
  Procedure
  Use a different name.
  Or contact your system administrator. He/she can switch the namespace to u2018Changeableu2019  using transaction SE06, or -  if they do not already exist - enter them in the table named above using transaction SM30.
  If the namespace u2018&V1u2019 is empty, then the problem is with the generation namespace u2018/BIC/u2019.
  Procedure for the System Administrator
  Following this error message:
  X    System is not set to changeable u2013 objects are not changeable
  When everything is set to modifiable and the BW test environment is fully open, we are able to publish the Xcelsius file to BW and the dashboard can be run on the BW data.
  What we would like to know what the minimal settings should be to be able to publish and run/launch the Xcelsius dashboard without completely setting the production setting open. And what are the other consequences of adjusting the BW production settings; any drawbacks?

  Hello,
  goto transaction RSA1 – transport Connection – button « Object Changeability » - in the list please switch ligne XCLS as « Changeable ».
  Hope that works
  Best regards
  Arno