New Authorization Concept for BI

Similar Messages

• New Authorization concept

  Hi experts,
  what is new Authorization concept in NW2004s.
  All of our queries are created in Query Designer 3.x and our generic Authorization objects are created in RSSM.
  Is it necessary to use new Auth.concept ?
  What are the advantages or disadvantages of new concept?
  Thanks

  Hi there again,
  If you have that entry in RSCUSTV23 it means you're using the old concept of RSSM authorization not mantained anymore by SAP:
  I recommend (as well as SAP) to use the new concept. For that, since you've already the old authorizations, you can do a migration of authorizations with a standard report (transaction se38) called RSEC_MIGRATION.
  This report is of ease to use and does the migration of the old concept to the new one, therefore you can after running the migration use the new concept.
  The worst part, is that is recommended (and you should) do an exaustive battery test, to ensure, no errors are encountered with the new authorization concept after migration.
  You can also read about the migration of authorizations (and the detal of how to use the standard migration report) in here:
  [http://www.sdn.sap.com/irj/scn/events?rid=/library/uuid/659fa0a2-0a01-0010-b39c-8f92b19fbfea&overridelayout=true]
  Diogo.

• New authorization concept - Access to data

  Hello, i'm new in SAP BW and i'm in migration process to the new authorization concept.
  Here is what happening:
  I have a role with all access to a company (*) of a provider X.
  I have another role with restricted access to a company (ex: COMPANY1, COMPANY2 and COMPANY3) of a provider Y.
  When i attribute those 2 roles to a user and access a query of the provider Y, i can see all the companies when it was supposed to only see the 1, 2 and 3.
  What am i doing wrong?
  Thank you in advance.
  João Gonçalves

  Hi friend,
  The Authorization concept works on sets concept of mathematics.
  Explanation to your scenario:
  For user A you apply company (*) on provider X and company 1, 2, 3 on provider Y. i.e. u are collectively applying All company codes for provider X and Y. as Company (*) set is a bigger set and the providers set is extended to 2 elements X and Y to get her and not separately.
  Way to check the actual set by which authorization is getting applied:
  RSECADMIN -> Analysis tab -> Execute as user (check with load check box, and RSRT radio button) ->  Execute -> Put a query on which you need to check authorizations (the query must have authorization variable if relevant) -> execute the query -> return back after execution -> on the Execute as user screen hit on Display log option.
  You will get a detailed log for your query execution. Here you will also get a log where what set is applied for the query execution is displayed. You will get an understanding of your issue there.
  Regards,
  Sourabh Deo

• I need help getting new authorization codes for digital copies

  I need help getting new authorization codes for digital copies of movies. Can someone help me out?

  There's a lot of results in Google when you search for this but unfortunately refreshing the page doesn't seem to generate a different code anymore. Mine also says already redeemed

• Add new authorization object for production order creation/change/display

  As mentioned. I definded new authorization object using "Production scheduler" (Field Name : FEVOR) by SU20. then use SU21/SU24 to add authorization object for some transaction code such as COOIS. use PFCG maintain new role and assign a  fixed production scheduler value and assgin transaction code COOIS to this role. create new user ID and assign to that role.
  logon system with new ID, run COOIS. but system don't check new authorization object(production scheduler). who can tell me why it is and how i can add new new authorization object for standard transaction code?
  Thanks.
  Kevin.WU

  Hi,
  there is an icon of generation.  just click there in PFCG and also in su21.
  then add this object in new role.
  Assign this role to user id
  while assigning the role also there is a generation.
  Please take a help of BASIS consultant also as this is entire a BASIS process.
  Regards
  Amit parkhi

• Not clear with the Authorization concept for Marketing Plan

  Hi All,
  I am new to CRM and was going through some of the prescribed document for CRM marketing
  when i encounter with the authorization concept in marketing plan,for example how
  can i restrict a user with a campaign manager role from changing marketing plan.please
  provide the step by step procedure.
  Regards,
  Sanju

  Hi Sanju
  User with a campaign manager role can be restricted for changing marketing plan using authorization group.
  We define authorization groups for use in the Marketing Planner. Authorization groups can be maintained at both marketing plan level and campaign or trade promotion level. Authorization groups enable us to control which users are authorized to change which of these two types of marketing project. We could, for example, define one authorization group to be assigned to a marketing plan, then define further authorization groups to be assigned to the different campaigns within the marketing plan. In the Marketing Planne.
  Follow below steps
  1. Define authorization group using following IMG Path
  Customer Relationship Management / Marketing / General Settings / Define Authorization Group.
  2. In authorization object CRM_CPGAGR of the role Campaign manager maiantian activity 01, 02, 03 ,06 (this will allow user to create, change, display and delete)
  3. IMG defined authorization group ex: ABC can be seen under the tabstrip Basic Data of marketing plan.
  4. Now user have to choose the Authorization group ABC from the drop down in Basic tab to create a marketing plan. User will get the change access for all the marketing plan which have the authorization object ABC.
  Hope this will help...
  Rgds
  Mallikarjun

• New Authorization Objects for latest releases

  Dear Colleagues,
  Do you happen to know how to find out the objects that should be added when using a role from a previous SAP version in a new one. That is, we have imported a role from a previous SAP version into our system and would like to update it with the latest objects. How should I find out which are the new objects?.
  Thanks in advance for your help.
  Best regards,
  CMPT

  Charles,
  If you role has transactions in the menu the new authorization objects will be pulled in when you go to change the authorizations (select read old and merge with new under expert mode).
  If the transactions are not in the menu you will need to do a compare of the usobt_c and usobx_c between the old and the new system.
  During new auth objects analysis is performed via transaction SU25.
  Cheers,
  Ben

• Authorization Concept for WAD developers

  Hello all,
  We want to divide up the development and maintenance of Web templates. To that end, we want to restrict who can maintain which objects. For example, you can maintain the HR web templates HR* and I can maintain the FI templates FI*, etc. BW query development has something similar in which you can be restricted to some InfoCubes and me to others. Has anyone done this or know how to go about it? Any documentation or helpful papers?
  Thanks in advance
  Doug Childs

  hi,
  not sure if access-control by web templates (no authorization object for bw webtemplate? oss note 840068, 845673)
  try to check thread 
  BW 3.1: Authorizations on Web Templates
  and take a look doc 'how to grant authorization for query component by creator'
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/fda2a990-0201-0010-5497-b81b1556df24

• Authorization concept for the operating SAP staff after Go-live

  Dear all,
  we are implementing SAP FI and CO. We will have three systems (development, Quality, Production).
  1)Customizing is supposed to be done in development only. However, we will need to be able to view the customizing in the production client as well. What is best practice to achieve this? Is there a role /authorization object which only can configure "IMG-allowed to read"?
  in the development client, we will need to distiguish the following roles: developer including transports, customizer, and authorization administrator.
  2) Are there any SAP standard roles with which you can distinguish these roles?
  thank you very much for your support.
  best regards Timo

  There is no standard IMG display only role.
  Even with all of the SOX  requirements out there so I guess you will need to build this from scratch.
  You also need to make sure you look at all of the information and not just at a t code level as you need to make sure the authorization levels are display rather than maintain.

• BW-BPS and new analysis authorization concept

  We are using BW-BPS on Netweaver 2004s SP8 and the new autorization concept is switched on.
  Where do we need to pay attention?
  Which authorization objects stay the same and which are now to be maintained in analysis authorizations?
  Thanks for your suggestions.
  Anja

  In NW04S, BPS and BI IP share the same new authorization concept so you tend to have to rebuild specific profiles used for BPS.   The old BW-BPS tend to have authorization for R_* and they need to be redone using the new authorization concept and it can take some time if you have a lot of profiles.

• Bw upgrade - Authorization concept

  Hi,
  We have just completed the BW3.5 upgrade to BI7.3.
  I'm trying to work out the authorization concept in our system again.
  I've created one simple query on a multiprovider with only 1 characteristic and 1 KF.
  -Authorization object S_RS_MPRO for this multiprovider given.
  -User has one role which has the basic  0TCAACTVT , 0TCAIPROV,0TCAVALID
  -Basic BW end user authorization for RS Class is available.(S_RS_COMP,S_RS_COMP1,S_RS_FOLD,S_RS_HIER,S_RS_ICUBE
  S_RS_IOBJ,S_RS_ISET,S_RS_ODSO)
  Now when i run the query, i have 'No authorization'.
  Display authorization check shows authorization check failed for S_RS_AUTH with object 0BI_ALL.
  From my understanding 0BI_ALL should be given to user who is allowed to access all queries.
  Appreciate advice from anyone whos familiar on this. Is it safe to give 0BI_ALL or there is some other object which i am not assigning?
  Thank you.
  Regards
  Maili

  Hi,
  With NW2004s, a new concept was introduced to check analysis authorizations. You can activate this using Transaction RSCUSTV23 or the IMG entry "Analysis authorizations: Select concept".
  To do this, select the "Current procedure with analysis authorizations"
  option. For detailed information, refer to the following link:
  http://help.sap.com/saphelp_nw04s/helpdata/de/80/d71042f664e22ce10000000
  a1550b0/frameset.htm
  Using the new analysis authorizations, the check of the MultiProvider authorization is not carried out any longer.
  If you cannot use the new analysis authorizations, assign corresponding
  authorizations for the "Data Warehousing Workbench - MultiProvider"
  authorization object (S_RS_MPRO).
  The settings of Transaction RSCUSTV16 listed above are obsolete as of
  Release NW2004s and are not analyzed any longer. Instead, the
  MultiProvider authorization is always checked when you execute queries
  using the usual authorization concept.
  Please refer notes
  820183     New authorization concept in BI
  727354    Colon authorization during query execution
  1122407   dealing with prerequisits for message processing in OLAP!!
  Thanks,
  Venkat

• Authorization Concept - BI7

  Hi ,
  I'm working on authorization concept for BI7 which seems to be having a conflicting statement.
  User : Mary
  InfoObject : ZORDER
  Set 1 : Queries built on multiproviders within infoArea ZSALES should display ONLY order number 123.
  Set 2 : Queries built on multiproviders within infoArea ZPROJECT should display ALL order numbers.
  Its a conflicting scenario.
  Its giving an output for ALL orders for both set 1 and set 2 queries.
  Appreciate if anyone could provide some ideas if this is feasible to achieve within RSECADMIN.
  Thank you.
  Regards
  Maili
  Edited by: Maili06 on Jan 12, 2012 1:19 PM

  hi,
  plz try creating the analysis auth objects for the mentioned scenarios can be:
  1)1st auth object can have  infoarea=ZSALES and order number=123
  2)2nd auth object can have infoarea=ZPROJECT and order number=*
  Both these analysis authorization objects can be assigned to the user via RSECADMIN.
  In the auth profile, S_RS_AUTH = Inactive, read analysis auth from RSECADMIN and manual assignement.
  regards
  laksh

• Creating Authorization groups for material types

  Hi All,
  I have a requirement to create Authorization groups for different material types we have in our company. Basically these are intended to restric the users from accessing the material master. Different material types needs to be assigned to differnt group of users.
  So if we can create couple of Authorization groups, then I am thinking of assigning the material types to these groups.
  I went to SPRO---Logistics general ---Material master -
  Tools --- Maintain authorization and authorization profiles.                 TCODE : PFCG
  Is this the right path?
  Please advise
  Shane

  Hi All,
  I don't think SPRO---Logistics general -Material master- Tools --- Maintain authorization and authorization profiles is the right path to create new authorization groups.
  Can anyone explain how to create new authorization groups for different material types. The purpose is to create a role and assign this auth. group to this role and provide that security role to specific users.
  Regards
  Shane

• New Authorization Object within Role

  hi everybody,
  does anyone know how can i get New Authorization Objects for any Role for the new release that did not exist in the same Role from former release?
  tables AGR_1250 and AGR_1251 do not show if object is new for this role. they only show if object is new itself.
  thanks a lot,
  javier rubio

  pandu,
  se54 is not related with this topic.
  thank you very much for your answer, very hepful

• Authorize track for new account

  iTUnes asks me to authorize some of the tracks on my machine before I am allowed to play them. So it asks me for password for my OLD iTUnes account that does not exist any more. So I fill inn user name and password for my NEW and active account. Then iTunes says "This machine is already authorized", but when I then try to play the track the first demand for Authorization comes back (with the non existing account). I fill inn my new account, only for a new round in the carousel....HELP!

  kvitberg wrote:
  thanks. its understandable in a way, but i have lost 6 albums i love. such arrangements are very good arguments for file-sharing.
  Which is why I don't purchase anything from iTunes. I buy CDs or use other online services which do not have that silly authorization and protection built into the files or require me to update my iTunes just to download the "plus" tracks.
  Unfortunately I don't know what people usually do in situations like yours since I don't use the iTunes store other than to look things up. I don't buy from them.
  Patrick