Need analysis authorization help

Hello Gurus,
Could someone please help me out with my Analysis Authorization issue?
We have a BW query and workbook outputting "Tcode usage" like the following:
UserGroup| Username| Tcodename| Frequency
This one has been running long time without any problems in reporting authorization, but now We want to get it restricted and only allow data associated group HR to display using new Analysis authorization. The scenario for this report is as follows:
1. Rsecadmin >Maintenance> Create New authorization "Group" which consists of 4 characteristics: 0TCAACTVT, 0TCAIPROV, 0TCAVALID and 0TCTUSRGRP(which is the characteristic about group name and already authorizatio relevant). Set 0TCTUSRGRP "EQ HR".
2.Assigned this authorization to a role using PFCG through the S_RS_AUTH. Other authorization objects in this role are: S_BDS_D, S_BDS_DS, S_RS_MPRO, S_RSEC, S_RS_COMP, S_RS_COMP1, S_RS_HIER, S_RS_ICUBE, S_RS_ODSO.
3.In BEx analyzer, set type: Characteristic Values and Variable filled from authorization and value "Selection Option". Unselected "ready for input". Put the characteristic associated with group name to filter windown on the top righ hand side of the Query Designer. Also compare users in PFCG.
The question is the I still get all data about all groups. Looks like the authorization group doesn't work. I used the "execute as " and get no errors back.
Note: I didn't use "generation" to create the new authorization in Rsecadmin
Thank you very much for any answers!
Haifeng

I guess i have found the reason why my authorization dosen't work. I don't activate infoObjects 0TCA* and 0TCT* and infoCubes 0TCA* as well. But another thing I am confused about is :
Should I activate HR and CO businees content for authorizations 0TCA_DS02OTCA_DS05 and 0CCA_O010CCA_O03 before i get started? or should i run generation everytime i create a new authorization using Maintenance in Rsecadmin?
Haifeng

Similar Messages

Analysis Authorization with SEM-BPS

Hi,
We have performed technical upgrade from BW 3.5 to BI 7.0. We want to migrate to BI 7.0 functionality phase wise.
We have SEM-BPS and now we want to migrate to Analysis Authorization of BI 7.0.
Once we have igrated to Analysis Authorization, will there be any impact on SEM-BPS? Can we still use SEM-BPS with New Analysis Authorizations? We do not want to move to BI-IP in near future?.
Please advise.
Best Regards,
UR

Dear UR,
Iu2019m going to try helping you,
In difference of reporting functionality, in planning, the data of an InfoCube is not just read; it is also changed or created.
There are two planning tools in BI: BW-BPS (Business Planning and Simulation), and BI Integrated Planning.
There are two main tcode: BPS0 and RSPLAN
There are three authorization objects to manage Integrated Planning:
S_RS_PL_ADMIN - Planning Administrator
S_RS_PL_PLANNER u2013 Planner
S_RS_PL_PLANMOD_D u2013 Planning Modeler (Development System)
The main object in the planning scenario is InfoCube real-time, where can available writing in small package that arrive in parallel. In some cases the security requirements for reporting and planning can be merging. In this case you need authorization object for checking planning, as authorization object above, and you need authorization object for using a query for planning requires as S_RS_COMP.
In addition to authorization for displaying data, the authorizations for changing data you need analysis authorization (the analysis authorization focus in the InfoProvider, no in Aggregation Level).
In your analysis authorization design for reporting stuff, you should use in 0TCAACTVT characteristic 03 value. In the planning stuff, you should use in 0TCAACTVT characteristic 03 and 02 values. As explain following:
Using the characteristics 0TCAACTVT (activity), you can restrict the authorization to different activities. Read (03) is set as the default activity; you must also assign the activity Change (02) for integrated planning.
http://help.sap.com/saphelp_nw70ehp1/helpdata/en/b1/0c9441b8972e7be10000000a1550b0/frameset.htm
I hope this suggestion can help you answer question,
Luis

BW Analysis authorization issue... need help urgently....

We have one BW query which is pulling data from Contract Division info-object. Now this report does not variable selection object so it is pulling data from all values of Contract Division. Values of Contract Division are CNC, CNS, CNE and CNL.
Now we have created an analysis auth. object called z_es_3 and added Contract division info-object. Now we have added that z_es_3 into role and given value to CNS. now when we are running report, we are getting No Authorization error. When we are giving * value in z_es_3, it is running fine.
Now we have to restrict report to contract division. please help.
Thanks in advance

Are you running unrestricted search on Contract division in your queries? You should restrict it to value which is maintained in the authorization for the InfoObject.
Also please run the analysis authorization trace from RSECADMIN. That will give you a clearer picture of what is wrong.

Problem with analysis authorization- 0BI_ALL always needed

Dear all:
we have a serious issue on so-called "analysis authorization" now. We have auth-restricted user who only have authorization to access data on one company code. We also create a BI-authorization in analysis authorization and assign the following auth-relevant object to this authorization-
0TCAACTVT = 01-03
0TCAIPROV = ALL
0TCAVALID = ALL
0TCAKYFNM = ALL
0COMP_CODE = A001
And we create one query with only company code and number of employee in the row and column. But everytime we execute this query, there s always message" No Authorization". We used ST01 to trace and the result shows we need to have "0BI_ALL" in auth object S_RS_AUTH. If we added 0BI_ALL, all company code data will display, which definitely no auth restriction at all. Is there any specific authorization setting we need to do?
We are stuck here pretty bad. Thank you all in advance if any input.
BR
SF

Hi,
I guess the Authorization profile is active , and in the Tcode PFCG -> Role name -> User tab page ( user comparision is done ).
Check if any of the tab page shows red light .
And assignment of 0BI_ALL is not a solution , as any user can do anything in the system.
Also do not forget to log - off and log-in into system after changing into any of the authorization profile to see changes that had happened.
Hope that helps.
Regards
Mr Kapadia
Assigning points is the way to say thanks in SDN.

Do we need to include 0TCTAUTHH in Analysis Authorizations in BI 7.0

Hello Friends,
Upgrading from 3.5 to 7.0.
Can any one tell me abt hierarchies.like
Do we need to include the characterstic 0TCTAUTHH in analysis authorizations along with 0TCAIPROVIDER,0TCAKYFNM,0TCAVALID,0TCAACTVT.
and asign hierarchy ID to it as we did in 3.5 with reporting authorizations.
Thanks,
RAM

Hello Barth
Thanks for the reply.Does it work even in BI 7.0 when upgraded from 3.5.
I am upgrading from 3.5 to 7.0.So i am using the same hierarchies created in 3.5.
Can we use them or we need to create new hierarchies in BI 7.0.
I mean just populating the BI 7.0 fields with hierarchies name and nodes created in 3.5.
Appreciate help.
thanks
Ram

Good day, i need to authoriz adobe with my tablet please help

good day,
i need to authoriz adobe with my tablet to read e-book (rdm) file format

This is a user supported frum, so making threats really doesn't help, besides which it's not like any of us can really make a dent in Toshiba's bottom line despite how many people we think we can influence. Unless those people were standing in line to buy a Toshiba product cash in hand, and you pulled them out, it really doesn't add up for them.
At this point it would probably be better for you to use the 800 number. Have all your e-mails ready to forward, if needed, to whoever you end up talking to. Don;t let them off the hook. An hour on the phone is much better than weeks passing e-mails through a support site. Also contest the charge with your bank or credit card.

Hello guys! Please help me to deauthorize all my computers. It is necessary because I need to authorize other computer, and four of five computers don't exist anymore. It's totally unacceptable for me to wait a year. Thanks for understanding and support!

Hello guys! Please help me to deauthorize all my computers. It is necessary because I need to authorize other computer, and four of five computers don't exist anymore. It's totally unacceptable for me to wait a year. Thanks for understanding and support!

Contact iTunes support.
Contact iTunes support.

Analysis Authorization in BO 4.0 Webi report

Hi All,
I am using BO 4.0 and creating connection from Information Design tool to a BW query using BICS client. This connection is then published to CMC.
We are using SAP authentication and importing the roles from BW system. We have added profiles to this role and these profiles have Analysis Authorization set on Company Code. So one user can access data to one company code and vice versa. Now this works well in Bex Analyzer, but if I try to create a report in Webi, the analysis authorization fails. I went through the forum before posting this question and I found that is in 3.1 version and in most cases using SSO in universe connection solved the problem.
However in 4.0 I am using BICS client and followed the same processes to create a connection but for some reason it doesn't work ? Is this suppose to work differently in 4.0 ?
I have tried:
1. To create connection in Information Design tool using SSO, selecting user ID and password. It doesn't work.
2. Checked the Bex query and it already has Company code as a Characteristic restrictions (I have made it a mandatory variable).
3. Publish the connection to CMC with my Enterprise and SAP ID and in both cases it doesn't work.
Please let me know if anyone encountered a similar issue and what is the best method to resolve this.
(BO 4.0 no service pack or fix pack installed on the system yet)
Thanks - Appreciate your help !
Prasad Rasam

Ingo,
1. To create connection in Information Design tool using SSO, selecting user ID and password. It doesn't work.
>> Correct you need to setup you OLAP Connection with SSO.
>>> What I meant was I created the connections using both the methods, Using SSO it allows me to create a connection. The ID which I am using to create a connection has Admin access to BOBJ system. When I login as a regular user to create a Webi report and select this new connection, it throws an error message 'The DSL Service returned an error: com.businessobjects.dsl.services.workspace.impl.QueryViewAnalyzer$CannotGetCubeFromConnectionException: Cannot get the cube from the connection'
Using the other method to create a connection with User ID and password, I can create a connection and with the normal user login I can connect to the BW query but Analysis Authorization doesn't work.
Ingo : Could you be more specific what you mean here with the different users ? When you say "regular" user are you referring to an SAP credentials or SAP BusinessObjects Enteprrise credentials ?
2. Checked the Bex query and it already has Company code as a Characteristic restrictions (I have made it a mandatory variable).
>> The variable in the BEx query needs to be an authorization variable.
>>> This has already been set as Authorization variable. There is still a question here. If I select the variable as Authorization variable, I cannot set the other parameters in the query properties such as Mandatory variable (as this is greyed out).
Ingo : What other parameters would you like to configure ? Could you perhaps describe the scenario with more details ?
regards
Ingo Hilgefort

Analysis Authorization Issue

Hi:
I created an analysis authorization ZCO_CODE to trstrict it by a company code.
I added following objects in authorization with values.
0COMP_CODE = 1000
0TCAACTVT = 03
0TCAIFAREA = *
0TCAIPROV = *
0TCAVALID = *
Then I created a role Z:00:BW_REPORT, where I added following authorization objects S_RS_AUTH and restricted it by value ZCO_CODE. Then I assigned this role to a user test01.
When I execute a program RSEC_MIGRATION for this specific user, I do not see authorization object ZCO_CODE on 2nd step of this program. Any Idea Why? I think this object should show up as I want to migrate this specific object.
Help will be appreciated.

Hi Sachin:
Okay here is my issue.
I have a Reporting authorization Object created earlier which is ZCOCODE. I though I'll have to create a new Analysis authorization object e.g. ZCO_CODE and then restrict it with other chars. as mentioned in Marc Bernards presentation and then you have to migrate it.
In selection list I can see old Reporting authorization object. If I select it and use option "Enhance existing profile" then It will update profile and not role? right....
How can I see whether it has updated existing profile?????
Do I need to create new Analysis Auth. for Company code or I can use old Reporting authorization for company code?
For testing purpose, I created a test user and assigned all reporting roles but It will not show up in RSEC_MIGRATION step???

Analysis Authorization based on Hier node with multiple display hierarchies

Hi guys - I've got a problem where s.o. might have an idea of how to switch on the light at the end of the tunnel, I am currently standing in:
Requirement:
Cost Center Authorization should be given through RSECADMIN, reporting should be possible for any hierarchy that exists for the authorization relevant info object.
Preferred solution:
The Cost Center Analysis Authorization should be given through RSECADMIN - Hierarchy node assignment.
u2022     A dedicated Authorization Cost Center Hierarchy will be maintained in ECC6 as an alternative cost center hierarchy and extracted into BW.
u2022     The RSECADMIN Hierarchy node assignment should be based on a particular node (Type 2).
u2022     The display level will be specified as required (here: Level 7)
u2022     The Authorization granted should be independent of hierarchy name and version (validity 3).
Reporting Scenario and technical impact:
As mentioned above, when designing and running a query the user should be able to freely select other (i.e. than the authorization) display hierarchies for the authorization relevant reporting object 'Cost Center' as well. The technical names of the semantically relevant hierarchy nodes could therefore vary. E.g. cost centers 1, 2 and 3, being assigned under hierarchy node u2018Au2019 of the RSECADMIN relevant authorization hierarchy, could be subsumed by hierarchy node u2018Bu2019 in another display hierarchy, which the user may want to display in accordance to his reporting needs. Ideally, the alternative display hierarchy should therefore display node u2018Bu2019.
My findings so far (based on prototyping) turn out that this is not possible as long u2018Bu2019 (and its hierarchy) is not authorized in RSECADMIN. Can these findings be confirmed? And if not, would anyone have an idea of how to facilitate the reporting scenario?
Would there be any other way to grant access, possibly based on RSECADMIN single values, and also enable the user to flexibly display hierarchies with only those hierarchy nodes whose single cost center values the user has been given access to?
Thanks everyone for your input...
Claus
Edited by: Claus64 on Jul 13, 2009 4:10 AM

HI CLause,
On Jul 14 2009, you wrote in SDN and said:
FYI: Found a solution...
The hierarchy analysis authorization will be based on a navigational attribute of cost center.
With analysis authorizations it is possible to declare the Auth object (e.g. 0COSTCENTER__RACCAUT0) as authorization relevant and leave the superior object 0COSTCENTER auth irrelevant.
The auth will be given for 0COSTCENTER__RACCAUT0. This object will be placed as a filter of the query, being restricted by an Authorization variable for hierarchy nodes.
Due to the concept of Analysis Authorizations, this variable will automatically pick up the nodes granted as part of RSECADMIN Hierarchy based Authorization.
As mentioned above, 0COSTCENTER as the regular reporting characteristic remains auth irrelevant and can therefore take any hierarchy thatu2019s available. Reporting on single values will be possible, too. Only those nodes show up that hold the authorized cost centers in accordance to the authorization.
If the auth relevant 0COSTCENTER__RACCAUT0 is not used in the query definition by either not taking it in as a filter or skipping the Auth variable, the query will launch the message that the authorization is missing. No data show up at all.
Claus
See this thread:
Analysis Authorization based on Hier node with multiple display hierarchies
I am also in the same situation as you and need to understadn your solution. I understand that you created a Nav Attr on 0COSTCENTER and made this auth relevant whilst ensuring that 0COSTCENTER is NOT auth relevant. This is all fine. The issue was you have multiple hierachies for 0COSTCENTER, how did the new Nav Attr help you solve your issue. When loading 0COSTCENTER what values did you load ino the new Nav Attribute and how did that link to the hierachies? Also, in RSECADMIN you created hiearchy nodes based on the Nav Attribute but I am confused as to what values you have in the Nav Attr.
I appreciate if you can share your solution from the past in more details.
many thanks

Hierarchy Analysis Authorization in BW and BOBJ Webi Report

Hello,
We have a scenario wherein we have implemented Analysis Authorizations (Hierarchy) on Organizational Unit info object (0ORGUNIT) and need to report on BOBJ WEBI. Our scenario is as following
ORGUNIT    - L0 (Overall Enterprise Level)
-     L1 (Enterprise - Continent Wise Split)
-     L2 (Enterprise u2013 Country Wise Split)
-     L3(Enterprise u2013 City Wise Split)
E.G-
      LO (Company ABC) MANAGER 0 will have access to the entire organization
           -L1 (ASIA) MANAGER1 will have access to ASIAN Subcontinent
                  -L2 (India) MANAGER 2 will have Access to country India
                            -L3 (New Delhi) MANAGER 2.1 will have access to city Delhi
                            -L3 (Mumbai) MANAGER 2.2 will have access to city Mumbai
                   -L2 (Malaysia) MANAGER 3 will have access to Country Malaysia
                              -L3 (Kuala Lampur)
                              -L3 (pahang)
             - L1 (Europe)
                                        u2026..
The requirement is that the CEO of the company should be able to see the entire set of data ( L0-L4).We have continent managers who can see that data specific to their continent, similarly at L3 Level the city manageru2019s should see the data only for their specific city.
In BI we have used analysis authorization based on hierarchies. We have created an authorization object say ZAUTH1 and have assigned the hierarchy L0 from RSECADMIN. Now, in Webi when we create a report a sample row comes as :
L0 Org Unit     L1 Org Unit     L2 Org Unit     L3 Org Unit     SALES Key Figure
Company ABC     Asia          India          Mumbai          1000
Now, we have MANAGER 2.2 who has only access to the data specific to his city (Mumbai). There is an Analysis Authorization object created for him ZAUTH2, by ONLY assigning the org unit hierarchy L3 (for Mumbai). When we run the bex report with the user MANAGER 2.2 u2013 it correctly displays the result and the user is only able to see the data for L3 Org Unit (Mumbai). However when you bring this data to Webi u2013 the report comes in the below format:
L0 Org Unit     L1 Org Unit     L2 Org Unit     L3 Org Unit     SALES Key Figure
Mumbai                                           1000
The L3 org unit has now got assigned to L0 Org unit , as this is the only org unit assigned to the MANAGER 2.2 user .
In such a case we are not able to write any generic formulae for the report. Is there a way to correct this issue? u2018Mumbaiu2019 should either get assigned to the L3 OrgUnit column is webi report , or is there a workaround that is possible ?
Thanks and Best Regards,
Vj

Hi Vijay,
The problem you speak of is known and comes from the fact that the hierachy is flattened in the process of delivering it to WebI. Therefore there is no real 'solution' to the problem, just some work-arounds you can think of...
1)
Create a report variable that starts looking at the lowest level, if it is empty check one up, and so on until you found what you were looking for (the lowest leaf available), which by definition must be there (even if it is top level).
Using similar logic you can also get a 'number of levels avaible' and so fill in the complete tree (duplicating the highest level).
This is difficult to explain when end users create their own reports, though you could provide a template report with these variables in there already.
2)
Extend the hierarchy with duplicates below the lowest level.
So i.e. L0 Company - L1 Continent - L2 Country - L3 City- L4 City - L5 City- L6 City.
This will give back on the four levels for top authorization
L0 Company - L1 Continent - L2 Country - L3 City
For authorization on Continent:
L0 Continent - L1 Country - L2 City- L3 City
For autorization City
L0 City- L1 City - L2 City- L3 City
So in all situations the fourth level, the L3 Object will hold the City level.
This you can then use in your report.
Hope this helps,
Marianne

How to get Query Results based on Analysis Authorization Ranges????

Hi Experts,
I have gone through the lot of SDN Links, however not able to find the answer to my question.
I have an Authorization Issue, NO Authorization
Error : EYE 007 ( Insufficient Authorizations )
Here is the issue:
Need to see the complete query result when I gave the range in Analysis Authorization for Controlling Area 001-005. Controlling Area is auth relevant and right now a variable is inserted in the query for it. If I select Controlling Area 001, the result for Controlling Area 001 is displayed in query. If 002 then also displayed. If I do not enter anything, then I get the Eye 007 error message.
I am not sure how do I display/authorize the entire result in the query for all the Controlling Areas, I have authorized user to see??
Its really urgent, please help..!
Here are the logs:
Authorization Check Log
Date and Execution Time (Local Server)
Execution Date: 06.09.2007
Execution Time: 14:48:41
Executed Query: 0CCA_C11/GBCCA_MP01_Q0002_AP
Executed by User ZBI_TEST_001
Executed with Analysis Authorizations of Another User ZBI_TEST_001
InfoProvider Check
Building the Buffer...
...Buffer Built
Are there authorizations for accessing InfoProvider 0CCA_C11 with activity 03?
Authorization exists for general access to InfoProvider 0CCA_C11 with activity 03
InfoProvider Check
Authorization exists for general access to InfoProvider 0CCA_C11 with activity 03
Relevant Characteristics for Detailed Authorization Check
(Characteristics with Full Authorization Are Not Listed!)
List of Effective Authorization-Relevant Characteristics for InfoProvider 0CCA_C11:
0CO_AREA
0TCAACTVT
Relevant Characteristics for Detailed Authorization Check
(Characteristics with Full Authorization Are Not Listed!)
List of Effective Authorization-Relevant Characteristics for InfoProvider :
List Is Empty:
There Are No Characteristics That Have to Be Checked in Detail
Authorization Check
Detail Check for InfoProvider 0CCA_C11
Preprocessing:
Selection Checked for Consistency, Preprocessed and Supplemented As Needed
Subselection (Technical SUBNR) 1
Check Node Definitions and Value Authorizations...
Node- and Value Authorizations Are OK
End of Preprocessing
Filling the Buffer...
...Buffer Filled
Main Check:
Subselection (Technical SUBNR) 1
Supplementation of Selection for Aggregated Characteristics
No Check for Aggregation Authorization Required
Following Set Is Checked Comparison with Following Authorized Set Result Remaining Set
Characteristic Contents
0CO_AREA
0TCAACTVT
SQL Format:
CO_AREA = '0003'
AND TCAACTVT = '03'
Characteristic Contents
0CO_AREA I BT 0001 0005
0TCAACTVT I EQ 03
I EQ 16
Authorized
Subselection (SUBNR) Is Authorized
Authorization Check Complete
Authorization Check
Detail Check for InfoProvider 0CCA_C11
Preprocessing:
Selection Checked for Consistency, Preprocessed and Supplemented As Needed
Subselection (Technical SUBNR) 1
Check Node Definitions and Value Authorizations...
Node- and Value Authorizations Are OK
End of Preprocessing
Filling the Buffer...
...Buffer Filled
Main Check:
Subselection (Technical SUBNR) 1
Supplementation of Selection for Aggregated Characteristics
No Check for Aggregation Authorization Required
Following Set Is Checked Comparison with Following Authorized Set Result Remaining Set
Characteristic Contents
0CO_AREA
0TCAACTVT
SQL Format:
TCAACTVT = '03'
Characteristic Contents
0CO_AREA I BT 0001 0005
0TCAACTVT I EQ 03
I EQ 16
Partially or Fully Authorized (Intersection) Characteristic Contents
0CO_AREA
0TCAACTVT
SQL Format:
( CO_AREA < '0001'
OR CO_AREA > '0005' )
AND TCAACTVT = '03'
Value selection partially authorized. Check of remainder at end
Following Set Is Checked Comparison with Following Authorized Set Result Remaining Set
Characteristic Contents
0CO_AREA
0TCAACTVT
SQL Format:
( CO_AREA < '0001'
OR CO_AREA > '0005' )
AND TCAACTVT = '03'
Characteristic Contents
0CO_AREA I BT 0001 0005
0TCAACTVT I EQ 03
I EQ 16
Not Authorized
All Authorizations Tested
Message EYE007: You do not have sufficient authorization
No Sufficient Authorization for This Subselection (SUBNR)
Following CHANMIDs Are Affected:
184 ( 0CO_AREA )
Authorization Check Complete

Hi,
 Have you defined the vaule for 0CO_AREA as BT 001-005 in you Authorization for 0CO_AREA.Also how have you defined your Authorization Variable on the query? Have you define as select options or interval? I thing you need to define it as interval or select options.
Hope it helps,
Cheers,
Balaji

Analysis Authorization

We have a need to restrict the majority of our users from seeing transactions of few business accounts. The restricted accounts can be based on a specific gl account, fund range, or they can be a combination of a fund and cost center (or fund and fund center). Until we become more familiar with this process, we are only concerned with 0FUND and it's restricted ranges, so below my question is just about 0FUND..
We need to explore and understand what abilities analysis authorizations give us. I have done a lot of reading, but so far all of the pieces are not falling into place. I am on the BW team and working with the security team to get this accomplished. At this time whereever 0FUND is located in an existing authorization, it has a "*" to indicate the user gets all values. We have already gone live; will every authorization currently in use with 0FUND have to be changed? Is there a detailed How-To located somewhere?
thank you in advance for your help.
LLK

Hi Linda,
SUIM - User Information System is a TRANSACTION CODE. (Its not SUM)
Execute SUIM and follow the path mentioned below:
SUIM -> User -> Users by complex selection criteria -> Users by complex selection criteria. In the Authorization object field mention S_RS_AUTH and in the field mention the name of the analysis authorization which you want to search for.
The output would be users who have access to the analysis authorization that you gave in the search criteria.
Since in your case there would be a lot of analysis authorizations with * in 0FUND, it would be better to identify the roles first and then the users assigned to these roles.
You can identify the roles by browsing the table SE16. Just give the object name and all the analysis authorizations in the multiple selection on appropriate fields. Then use SUIM to identify the users who have access to these roles.
SUIM -> User -> Users by complex selection criteria -> By Roles.
You can also display the roles in this report by pressing the Roles button at the top. Apply filter to restrict the roles to your identified roles.
Thats it !
Regards
Sachin

Analysis Authorization and relates issue

Hello all,
I am in the midst of designing authorizations using RSECADMIN transaction.
We have a set of 50 different queries.
In our cube, there are 5 different characteristics, which are authorization relevent.
So, in RSECADMIN, i have created one analysis auth role, included all special and authorization relevent characteristics and maintained the appropriate values.
But when i execute the queries,the desired output is not coming.
- Do i need to create authorization varaibles and included in all my queries ?
- Without including the auth.variabes in queries, is there any other way to restrict the users ?
I though, by assigning the parameters in RSECADMIN, the query will automatically filter the data.
Can you pls help ?
We are on SP19.

Hi,
First of all, The query is always based on a InfoCube. Now, you have 50 different Queries which is based on this InfoCube if I am not wrong as you are not getting any authorization error.
For a query to run, the user should have access to 1. Query, 2. Infocube and 3. Data(All Auth Relevant + 4 Special Objects)
Authorization relevant objects are for an InfoCube which means that these objects are important or key fields for the infocube.
You say that in your case, you have 5 Auth relevant objects which means they are important. But please note that there are more infoObjects in that InfoCube.
Now, when you go to the query design, you can restrict on any object in the InfoCube but it makes more sense that you do it on one of those authorization relevant objects as you have to specify that in the Analysis Authorization where the system can pick up the data easily and give the output.
Again, on the query design, if you have designed the query with processing type "Authorization", then it would automatically pick up (What you mentioned as automatic filtering) the value from the Analysis Authorization which is contained in the user's role for that query which otherwise gives a wide variety of options to chose from where the user has to choose the correct one.
To get the desired output, all the correct variables should be included in the query and user should have access to all the three mentioned above.
May be this gives a clear picture.
Regards,
Prasanna
Edited by: Prasanna Nagaraja on Sep 11, 2009 11:40 PM

Analysis Authorization not working - Empty demarcation

Can someone help me on this Analysis Authorization? I read many threads in SDN, it seems that I followed the correct steps. The restriction on S_RS_COMP is working well but the restriction on the Analysis Authorization is not working. Surely I'm making some mistake, but can't find what's wrong.
I'm a User (say USER_00) in a test system, assigned to a Role (say Z:BI_USER). This is a broad role:
- S_RS_COMP and S_RS_COMP1 have full authorization (*) to all the fields,
- S_RS_AUTH has the BIAUTH field with Name of Authorization = *.
Also I have an InfoArea (ZIA_TEST) and an InfoCube (ZIC_TEST). The IC has some characteristics and key figures. The only authorization relevant characteristic is ZCA_CLI (client). The IC has only 5 lines, one for each client ("CLI_01" to "CLI_05").
Also there's a query (ZQR_TEST) on this IC, with an Authorization Variable (VAR_AUTH_CLI) restricting the characteristic ZCA_CLI.
I'm trying to create a new User and restrict him to this IC and only to the data of client "CLI_01". If it works I'll apply to a production system.
What I did:
1) With tcode SU01 created a new User (USER_01) with no Role neither Analysis Authorization.
2) With tcode PFCG copied the Role Z:BI_USER as Z:ROLE_TEST then made some changes:
a) S_RS_COMP
- Activity = 03 and 16
- InfoArea = ZIA_TEST
- InfoCube = ZIC_TEST
- Type of report component = *
- Name of report component = *.
b) S_RS_COMP1
- Kept * to all fields.
c) S_RS_AUTH
- I inactivated and deleted this Authorization Object.
(I don't want to keep characteristic values restriction inside the role. The idea is to associate different users to the same role, allowing them to see the same ICs and execute the same queries. And differentiate wich characteristic values each one can see by manually associating different analysis authorization to each one.).
3) With tcode RSECAUTH I created an Analysis Authorization (Z_AA_CLI_01) to restrict access only to client "CLI_01":
- ZCA_CLI = "CLI_01"
- 0TCAACTVT = "03"
- 0TCAIPROV = "ZIC_TEST"
- 0TCAVALID = "*".
4) With tcode PFCG I assigned User "USER_01" to the Role " Z:ROLE_TEST" and made Complete Comparison.
5) With tcode RSU01 I manually assigned Analysis Authorization " Z_AA_CLI_01" to User "USER_01".
It seems to me that these steps are enough. But:
a) When I log as USER_00 and go to tcode RSRT2, searching by InfoAreas I can see all the InfoAreas and all the InfoCubes, select and execute the query. That's OK.
b) When I log as USER_01 and go to RSRT2, searching by InfoAreas I can see only ZIA_TEST and under it I can see only ZIC_TEST. That's OK. Then I select and execute the query.
Wich means that S_RS_COMP is OK and each user is assigned to the correct Role.
c) The problem is that in both cases the query brings data from all Clients.
Under Information and Variable Values (when I run with HTML display) the message is "Empty demarcation".
I changed the variable to be Ready for Input, just to see wich values it brings. In both cases (as USER_00 and as USER_01) in the Variable Screen it brings all the 5 Clients from the IC and I can select and execute any value.
So the problem is with the Analysis Authorization or with the Variable, but I can't find what's wrong.
Any help will be very appreciated.
César

OK Marc, it worked.
Sorry for not answering earlier, but I could get back to this front only some days ago, then began testing your suggestions.
1) Security Concept
Authorization Mode was set to "Obsolete Concept with RSR Authorization Objects" (it would never work with this setting).
I changed to "Current Procedure with Analysis Authorizations".
Anyway, what's the function of this setting? Do old Reporting Authorizations work with "Current Procedure with Analysis Authorizations" setting?
2) Variable Representation
With "Multiple Single Values" it really led to problems.
With "Selection Option" it worked well.
3) 0TCAKYFNM
I don't understand why, but if the AA doesn't have the char/dimension 0TCAKYFNM, when the User tries to run the query (tcode RSRT2) it accuses "You do not have sufficient authorization".
Info Cube ZIC_VE95 has two KFs (ZKF_QTL95 and ZKF_VLT95). These KFs are used only on this IC (also in the KF Catalog, but it doesn't impact). This IC is used only on Query ZQR_VE95 (also in Transformation and DTP, wich doesn't impact).
Well, I inserted 0TCAKYFNM and it worked, either with CP, "*" or with EQ, the two KFs.
4) Authorization Policy Definition
The situation I'm working on is very typical. Ex.: Some users are Administrators, Managers, Operator 1, Operator 2 and so on. Each Role needs authorization to access some queries. At the same time, they can access information only of the Cost Centers to wich they are related.
There are many ways to implement it (I tested some of them and they worked well). My point is to define a most practical way, easy to understand and to maintain.
I'm now sympathetic to this way:
a) Create functional Roles (ex.: "Administrator", "Manager", "Operator 1", "Operator 2" and so on) defining only the Queries (or Info Areas, Info Providers, etc) each Role needs. No S_RS_AUTH definition.
b) Create Char Value Roles (ex.: "CC_100_to_199", "CC_200_to_299", etc), only with S_RS_AUTH definition, each one associated with a corresponding AA (ex.: AA for CC 100 to 199, AA for CC 200 to 299 and so on).
c) Create Composite Roles associating functional and char value Roles. Ex. Composite Role "Administrator for CC 100 to 199", composed of the Roles "Administrator" and "CC_100_to_199".
d) Associate Users to the Composite Roles.
Anyway, I'd appreciate if you could indicate some literature (blogs, articles, etc) on this theme.
Well, thank you very much for your answers. Now I can go on with my studies on this subject.
César Menezes

Need analysis authorization help

Similar Messages

Maybe you are looking for