New Authorization concept
Hi experts,
what is new Authorization concept in NW2004s.
All of our queries are created in Query Designer 3.x and our generic Authorization objects are created in RSSM.
Is it necessary to use new Auth.concept ?
What are the advantages or disadvantages of new concept?
Thanks
Hi there again,
If you have that entry in RSCUSTV23 it means you're using the old concept of RSSM authorization not mantained anymore by SAP:
I recommend (as well as SAP) to use the new concept. For that, since you've already the old authorizations, you can do a migration of authorizations with a standard report (transaction se38) called RSEC_MIGRATION.
This report is of ease to use and does the migration of the old concept to the new one, therefore you can after running the migration use the new concept.
The worst part, is that is recommended (and you should) do an exaustive battery test, to ensure, no errors are encountered with the new authorization concept after migration.
You can also read about the migration of authorizations (and the detal of how to use the standard migration report) in here:
[http://www.sdn.sap.com/irj/scn/events?rid=/library/uuid/659fa0a2-0a01-0010-b39c-8f92b19fbfea&overridelayout=true]
Diogo.
Similar Messages
-
New authorization concept - Access to data
Hello, i'm new in SAP BW and i'm in migration process to the new authorization concept.
Here is what happening:
I have a role with all access to a company (*) of a provider X.
I have another role with restricted access to a company (ex: COMPANY1, COMPANY2 and COMPANY3) of a provider Y.
When i attribute those 2 roles to a user and access a query of the provider Y, i can see all the companies when it was supposed to only see the 1, 2 and 3.
What am i doing wrong?
Thank you in advance.
João GonçalvesHi friend,
The Authorization concept works on sets concept of mathematics.
Explanation to your scenario:
For user A you apply company (*) on provider X and company 1, 2, 3 on provider Y. i.e. u are collectively applying All company codes for provider X and Y. as Company (*) set is a bigger set and the providers set is extended to 2 elements X and Y to get her and not separately.
Way to check the actual set by which authorization is getting applied:
RSECADMIN -> Analysis tab -> Execute as user (check with load check box, and RSRT radio button) -> Execute -> Put a query on which you need to check authorizations (the query must have authorization variable if relevant) -> execute the query -> return back after execution -> on the Execute as user screen hit on Display log option.
You will get a detailed log for your query execution. Here you will also get a log where what set is applied for the query execution is displayed. You will get an understanding of your issue there.
Regards,
Sourabh Deo -
New Authorization Concept for BI
HI All
I need to devlope a genral model for a company in which for some projects info objects are not authorization relevent but same info objetcs are need to be authorization relevent in other projects if you make that infoobjects as authorization relevent in new projects then that creates issues in other project which are already running such as output of the query. what should be verious ways to implement such model.
With Regards,
Deepakjust try not having authorization variable for that info object at query level.so that it wont check for authorisations.
-
BW-BPS and new analysis authorization concept
We are using BW-BPS on Netweaver 2004s SP8 and the new autorization concept is switched on.
Where do we need to pay attention?
Which authorization objects stay the same and which are now to be maintained in analysis authorizations?
Thanks for your suggestions.
AnjaIn NW04S, BPS and BI IP share the same new authorization concept so you tend to have to rebuild specific profiles used for BPS. The old BW-BPS tend to have authorization for R_* and they need to be redone using the new authorization concept and it can take some time if you have a lot of profiles.
-
Bw upgrade - Authorization concept
Hi,
We have just completed the BW3.5 upgrade to BI7.3.
I'm trying to work out the authorization concept in our system again.
I've created one simple query on a multiprovider with only 1 characteristic and 1 KF.
-Authorization object S_RS_MPRO for this multiprovider given.
-User has one role which has the basic 0TCAACTVT , 0TCAIPROV,0TCAVALID
-Basic BW end user authorization for RS Class is available.(S_RS_COMP,S_RS_COMP1,S_RS_FOLD,S_RS_HIER,S_RS_ICUBE
S_RS_IOBJ,S_RS_ISET,S_RS_ODSO)
Now when i run the query, i have 'No authorization'.
Display authorization check shows authorization check failed for S_RS_AUTH with object 0BI_ALL.
From my understanding 0BI_ALL should be given to user who is allowed to access all queries.
Appreciate advice from anyone whos familiar on this. Is it safe to give 0BI_ALL or there is some other object which i am not assigning?
Thank you.
Regards
MailiHi,
With NW2004s, a new concept was introduced to check analysis authorizations. You can activate this using Transaction RSCUSTV23 or the IMG entry "Analysis authorizations: Select concept".
To do this, select the "Current procedure with analysis authorizations"
option. For detailed information, refer to the following link:
http://help.sap.com/saphelp_nw04s/helpdata/de/80/d71042f664e22ce10000000
a1550b0/frameset.htm
Using the new analysis authorizations, the check of the MultiProvider authorization is not carried out any longer.
If you cannot use the new analysis authorizations, assign corresponding
authorizations for the "Data Warehousing Workbench - MultiProvider"
authorization object (S_RS_MPRO).
The settings of Transaction RSCUSTV16 listed above are obsolete as of
Release NW2004s and are not analyzed any longer. Instead, the
MultiProvider authorization is always checked when you execute queries
using the usual authorization concept.
Please refer notes
820183 New authorization concept in BI
727354 Colon authorization during query execution
1122407 dealing with prerequisits for message processing in OLAP!!
Thanks,
Venkat -
When to create new authorization objects
Hi Experts,
I am learning SAP Security.
I have one question , what is the necessity of creating new authroization field and object , when SAP gives a huge list of objects /fields.
Is there any reason behind like, whenever a customised transaction is created, a new authorization object or filed has to be created?
Regards,
RekharajTrick is to find not only a standard authorization object with the same field you are looking for, but an object already assigned to the users with those roles with the same semantic for all it's fields - so that you can simply reuse the existing concept which is also assigned to the sets of users.
Often you will find "base" function modules and classes you can use to do all that work for you. Just call them at the correct location in the code and dont forget to check the return code and react to it.
If you use BAPI APIs to access or process data, then many of them make these same semantically correct checks "out of the box".
Cheers,
Julius -
Switching BW authorization concept back and forth on the fly
After upgrading to BW 7.0, we are currently developing the BW authorizations from scratch with the new analytical authorizations. The system is currently set to the legacy RSR authorization objects. The idea is now to define two timeframes on our development system, one for the users working with old authorizations, and a second timeframe for testing the new analytical authorizations.
Can we switch the authorization concept back and forth on the fly, or are there any obstacles?
Thanks in advance!Andreas,
The latest version of BW is 7.3 which is also Analysis authorization concept like 7.0. So please clarify from the system status what level are you upgrading to.
Under 7.0, the RSR objects were still available i.e. you can switch the concept back and forth on the fly, it will trigger a transport. AFAIK - In 7.3 however there is no support for RSR anymore in fact even the object class is not visible and so does the switch for the concept and even RSR objects (Z-objects) do not show up in PFCG either.
So if you are moving to 7.0 switch is possible, 7.3 it is not. But in either case, you should be upgrading using a dual landscape with upgrade work being done & tested in separate boxes than daily production support landscape. It will come in handy at the time of testing also.
Regards,
Shivraj Singh -
Not clear with the Authorization concept for Marketing Plan
Hi All,
I am new to CRM and was going through some of the prescribed document for CRM marketing
when i encounter with the authorization concept in marketing plan,for example how
can i restrict a user with a campaign manager role from changing marketing plan.please
provide the step by step procedure.
Regards,
SanjuHi Sanju
User with a campaign manager role can be restricted for changing marketing plan using authorization group.
We define authorization groups for use in the Marketing Planner. Authorization groups can be maintained at both marketing plan level and campaign or trade promotion level. Authorization groups enable us to control which users are authorized to change which of these two types of marketing project. We could, for example, define one authorization group to be assigned to a marketing plan, then define further authorization groups to be assigned to the different campaigns within the marketing plan. In the Marketing Planne.
Follow below steps
1. Define authorization group using following IMG Path
Customer Relationship Management / Marketing / General Settings / Define Authorization Group.
2. In authorization object CRM_CPGAGR of the role Campaign manager maiantian activity 01, 02, 03 ,06 (this will allow user to create, change, display and delete)
3. IMG defined authorization group ex: ABC can be seen under the tabstrip Basic Data of marketing plan.
4. Now user have to choose the Authorization group ABC from the drop down in Basic tab to create a marketing plan. User will get the change access for all the marketing plan which have the authorization object ABC.
Hope this will help...
Rgds
Mallikarjun -
NW2004s Authorizations concept
Gurus,
Can the old and new authorizations work together in same roles.
lets say i add new auth object S_RS_AUTH to the existing roles can both work together or just one .please explain in brief
thanksFirstly I would say..SAP is always correct..I don't stand a chance against the creator..but I think..
SAP says
"You can have both in one role; and only one set will be relevant depending on the chosen concept."
I think you have misinterpreted the word coexistence....why is migration needed when ....when you can still use 3.x....??
But pleases read second paragraph of my answer..there I have written about use of S_RS_AUTH for adding new authorization object..that's probably..you are referring.to ....way of adding new authorization object..to old role....
I think ...if you are using bi 7 then you should go for the new way of authorization which is far simpler..and easy to use and you can have more flexiblility..and complexity will also be reduced..and again...
I reiterate..SAP is always correct.. -
Creation of a new Authorization object
Hi ,
I need to create a new Authorization group and add three existing tables to it.
Kindly suggest a way.
Regards.Authorization Field
Smallest unit in an authorization object. An authorization field either represents data, such as a key field in a database table, or activities, such as Read or Create. Activities are specified as identifiers, which are stored in the database table TACT and the customer-specific table TACTZ.
Maintenance using transaction SU20.
Authorization Object
Repository object that forms the basis for authorizations. An authorization object comprises up to 10 authorization fields. The combination of authorization fields, which represent data and activities, is used for authorization assignment and to check authorizations. Authorization objects are grouped together in authorization classes.
Maintenance using transaction SU21.
Authorization
Enter in the user master record or part of an authorization profile. An authorization comprises complete or generic values for the authorization fields in an authorization object. The combination determines the activities with which a user can access certain data.
Maintenance in transaction SU03 or generation from transaction PFCG (profile generator for role maintenance).
Authorization Profile
Grouping of several individual authorizations or further authorization profiles. Can be entered in the user master record instead of individual authorizations. An authorization can be assigned to authorization profiles as often as you wish.
Maintenance in transaction SU02 or generation from transaction PFCG (profile generator for role maintenance). -
Adding new authorization objects to transactions
Hi experts,
i would like to add new authorization objects to specific transactions, for example the object K_CCA for checking the cost element in the transaction KB15N.
What do we have to maintain, except the transaction code with (SU22). What do we have to do with the program behind the transaction?
Is it "just" adding two line of code into the auth object check in the program, similar or like described for client specific ABAP-programs???
Any experiences on that?
Regards
FlorianHi,
First add the objects in DSO then in Info Cube.
Map the same with transformation.
Move the objects to production then DSO.
Load the DSO first. then delete the data from cube in production.
Now move the modified cube and transformation to production.
Now load the Cube from DSO.
No need to change any thing in existing query.
I hope this will help.
Thanks,
S -
I need help getting new authorization codes for digital copies
I need help getting new authorization codes for digital copies of movies. Can someone help me out?
There's a lot of results in Google when you search for this but unfortunately refreshing the page doesn't seem to generate a different code anymore. Mine also says already redeemed
-
New OO concepts introduced in ECC 6.0
Hi All,
I want to know what all new object oriented concepts introduced into ECC 6.0 when compared to 4.7C version. Please provide the useful information.
ThanksRe: New OO concepts introduced in ECC 6.0
Regards
Anbu B -
Hi Gurus,
What is the Difference Between Leading Ledger and Non-Leading Ledger conecpt in New Gl concept.
regards
JKHi
Leading Ledger & Non Leading Ledger the difference can be summarized as
1. Different Fiscal year can be mapped ( Suppose you need a reporting in two Fiscal year like Jan-Dec & Apr-Mar, we can have on leading ledger (Jan-Dec) & on NonLeading ledger (Apr-Mar). It means when I am posting in Dec-07 on Leading ledger the period will be 12 (Jan-Dec) & in Nonleading ledger the period would be 9 (Apr-Mar). So that We can take Balance sheet for two seperate fiscal year Jan-Dec & APr-Mar.
2. Apart from above we can have different currency also.
In short prallel ledger (non leading ledger) had replace Special Purpose Ledger.
Thanks
Colin Thomas -
Query on new Authorization Objects after Upgrade&SAP_NEW profile
Dear Experts,
We have upgraded our system from 4.5 to 7.0 version, i was checking what are the new authorization Objects introduced after upgrade comparing older system ojects. I got few objects which are new in upgraded system,
But when i check SAP_NEW profile, and in the latest profile SAP_NEW_7000 profile i can not see all those new Ojects which are new.
generally SAP_NEW should contain all new objects which come after upgrade? i can see those in SAP_ALL but not in SAP_NEW
is there any issue in system? how should I know and where should i check what are the new Objects come in upgrade,
Please advise.
Thanks#Regards,
VijayHi Jurjen Heeck ,
see my previous post
I did 'nt get this.
SAP_NEW is your friend here
does the SAP_NEW profile contains all the new authorization Objects.
Regards,
Anthony
Maybe you are looking for
-
I can't import pictures into iPhoto. (f I can right click and there is a choice to put in iPhoto that works fine) . No matter what happens, even when I download them first, all that imports is a mass of pictures of flags and masks, and they are the
-
I am getting the following error message while activating ODS data <b>ODS object ZXXX was built incorrectly. Cannot update request REQU_9IVH8MQSZIUQEZSNSY8A0YCHG (180,120) Activation of data records from ODS object ZXXX terminated.</b> There is no er
-
Safari wont open after 8.0.2 update
This is what I get when I try to launch Safari after the 8.0.2 update - has anyone else experienced this? Process: Safari [901] Path: /Applications/Safari.app/Contents/MacOS/Safari Identifier: com.apple.Safari Version:
-
Adobe ANE stageAd is not working in App Store
I am using com.adobe.ane.stageAd package with starling game I made (GravityEscape - it is an iPad game approved and released in store). Here is my problem, I am trying to show banner ads but they will not work. a) In development test ads DID show. I
-
Fluid grid template - editable region - resize not possible
Hi, After quitting DW the first resizing problem was gone. Now I saved the page as a template and inserted an editable region. Then it wasn't possible anymore to recize the divs. The lines are know yellow dotted. Do I have to make editable regions in