OPSS authorization Logs

Similar Messages

• Authorization log / Hierarchy node in SQL format

  Hi!
  I execute rsudo on a restricted user and the authorization log tells me that this fails because the user is not authorized for "Content(in SQL format): Node 5 8 0 31 E"
  Now how do I translate this sql format into something I can read? I've looked through the hierachy tables for the relevant characteristic but I can only identify 31 as the hierarchy sid and E as the version.

  Vice -
  We had to do basically the same thing for 0CRM_TR hierarchy, but our steps were a little different since we are on BI 7.0 - 2004S.
  We also had to limit the users visibility to data from certain nodes and below on the hierarchy. 
  1st, we made the 0CRM_TR object auth releveant. 
  2nd, we created an analysis authorization for the object via transaction code RSECADMIN.  In the transaction we had to specify the Hierarchy variable name that would be used in Queries.  We then selected the node (GUID) where we wanted the authorizaion to take place.  We set the Type Auth to 1(subtree and below) and Hierarchy Validity Area as 2(Name Identical).  We set it to 2 since the Hierarchy would always be loaded in the same name.

• Identifying hierarchy node in authorization log

  Hi,
  I created a error log (RSECADMIN) for an authorization problem.
  The log displays - among other things - :
  Main Check:
  Following Set Is Checked
  Characteristic  Contents 
  0COMPANY    Node 0 1 0 824 1
  What do these 5 numbers after the word Node mean?
  The number 824 seems to be the SID for the hierarchy ID. I assume that the other numbers are somehow used to identify the exact node. But I don't really know.
  Can anybody help me here?

  Hi,
  Please explain, what is your authorization issue.?
  in the previous post, authorization issue was not explained exactly.
  please do the needful.

• Web Intelligence Report + BI 7.0 Analysis Authorizations

  Hello Experts,
  I have created a report on a universe based in a SAP BW InfoCube that contains an authorization relevant InfoObject (Company Code).
  BW Analysis authorization have been set up for this cube in such way that the user should have access only to data containing one of the two values of Company Code (lets say for example that the user can access value "A").
  It seems to be working fine when testing them via a BEx Query or via rsecadmin (rsrt with detailed analysis authorization logs). When the test user tries to view the full contents of the specific cube gets an "access denied" message (this is normal), whereas if the user runs a report with a filter "A" on Company Code the report returns the results as it should have. So far so good.
  For testing use within Web Intelligence, I have created the following Single Sign On (SSO) universes: a)directly on the cube, b)via a "select all" query and finally c)via a filtered query (filtering the exact allowed values of analysis authorization of the test user). All of the above have unfortunately the exact same issues:
  When a test user with limited analysis authorization (i.e. a user that can only access value "A" of Company Code) tries to view a report on either of these universes, then the result is the following message when trying to execute the query "A database error occured. The database error text is: Error loading cube MyCube/MyQuery (catalog MyCube): Unknown error. (WIS 10901)"
  I have tried several settings on the universe (like filter working on LoV as well) but none helped.
  If we replace the user's analysis authorizations with full access on company code (values "A" and "B") the query runs as it should have.
  Any ideas?
  Best regards
  Giorgos

  Hi,
  has the Universe been created on the cube level or on the query level ?
  In case it is on the cube level it will fail because :
  Analysis authorizations are not based on authorization objects. Instead, you create authorizations that include a group of characteristics. You restrict the values for these characteristics.
  The authorizations can include any authorization-relevant characteristics, and treat single values, intervals, and hierarchy authorizations in the same way. Navigation attributes can also be flagged as authorization-relevant in the attribute maintenance for characteristics and can be added to authorizations as separate characteristics.
  You can then assign this authorization to one or more users.
  All characteristics flagged as authorization-relevant are checked when a query is executed.
  *A query always selects a set of data from the database. If authorization-relevant characteristics are part of this data, you have to make sure that the user who is executing the query has sufficient authorization for the complete selection. Otherwise, an error message is displayed indicating that the authorization is not sufficient. In principle, the authorizations do not work as filters. Very restricted exceptions to this rule are hierarchies in the drilldown and variables that are filled depending on authorizations. Hierarchies are mostly restricted to the authorized nodes, and variables that are filled depending on authorizations act like filters for the authorized values for the particular characteristic*
  Ingo

• [BO over SAP BW] Web Intelligence Report + BI 7.0 Analysis Authorizations

  Hello Experts,
  I have created a report on a universe based in a SAP BW InfoCube that contains an authorization relevant InfoObject (Company Code).
  BW Analysis authorization have been set up for this cube in such way that the user should have access only to data containing one of the two values of Company Code (lets say for example that the user can access value "A").
  It seems to be working fine when testing them via a BEx Query or via rsecadmin (rsrt with detailed analysis authorization logs). When the test user tries to view the full contents of the specific cube gets an "access denied" message (this is normal), whereas if the user runs a report with a filter "A" on Company Code the report returns the results as it should have. So far so good.
  For testing use within Web Intelligence, I have created the following Single Sign On (SSO) universes: a)directly on the cube, b)via a "select all" query and finally c)via a filtered query (filtering the exact allowed values of analysis authorization of the test user). All of the above have unfortunately the exact same issues:
  When a test user with limited analysis authorization (i.e. a user that can only access value "A" of Company Code) tries to view a report on either of these universes, then the result is the following message when trying to execute the query "A database error occured. The database error text is: Error loading cube MyCube/MyQuery (catalog MyCube): Unknown error. (WIS 10901)"
  I have tried several settings on the universe (like filter working on LoV as well) but none helped.
  If we replace the user's analysis authorizations with full access on company code (values "A" and "B") the query runs as it should have.
  Any ideas?
  Best regards
  Giorgos

  Hi,
  has the Universe been created on the cube level or on the query level ?
  In case it is on the cube level it will fail because :
  Analysis authorizations are not based on authorization objects. Instead, you create authorizations that include a group of characteristics. You restrict the values for these characteristics.
  The authorizations can include any authorization-relevant characteristics, and treat single values, intervals, and hierarchy authorizations in the same way. Navigation attributes can also be flagged as authorization-relevant in the attribute maintenance for characteristics and can be added to authorizations as separate characteristics.
  You can then assign this authorization to one or more users.
  All characteristics flagged as authorization-relevant are checked when a query is executed.
  *A query always selects a set of data from the database. If authorization-relevant characteristics are part of this data, you have to make sure that the user who is executing the query has sufficient authorization for the complete selection. Otherwise, an error message is displayed indicating that the authorization is not sufficient. In principle, the authorizations do not work as filters. Very restricted exceptions to this rule are hierarchies in the drilldown and variables that are filled depending on authorizations. Hierarchies are mostly restricted to the authorized nodes, and variables that are filled depending on authorizations act like filters for the authorized values for the particular characteristic*
  Ingo

• BW authorization issue.

  Hi Guru's,
  I have an issue with BW authorizations and I can't find an acceptable solution for it. Can you advise?
  We run BW 7.0.
  I have created analysis profiles with RSECADMIN and I have inderted them in object SRS_AUTH.
  0CO_AREA and 0COMP_CODE are set to be authorisation relevant.
  Query is set to retreive allowed values from authorizations.
  0COMP_CODE is based on hierarchy.
  All roles work just as designed: they restrict users to their own Business unit.
  But!! Now I have some users who need to be assigned authorisations to 2 business units.
  And they are the only two in their Business unit who needs this, so I just assigned them the relevant role for both Business units.
  Thus, they have role A (0CO_AREA 2100, 0COMP_CODE 2138) and role B ((0CO_AREA 5400, 0COMP_CODE 5478)
  Everything else in the role is the same for both.
  No, when these users select e.g. CompCode 2138, they get a message : No authorisation. Same for 5478.
  When I assign just one of these roles, they work just fine. When conbined, all ends in error.
  Does anybode know how to solve this, other than create new analysis profile?
  Many thanks in advance!
  Regards, Luisella.

  Hi,
  First of all I should tell you that BI reports and analysis authorization doesn't work on similar lines as ECC Authorization Objects.
  The basic reason being in BI, there is nothing called reports but they are queries and therefore authorization check happens through AND logic both intrinsic and extrinsic. However in ECC, check happens through OR logic between two nodes of same auth object and through AND logic within set of fields in the same node of auth object.
  Therefore for BI queries, we will have to be very particular about the set of values we pass and dealing with multiple AA at the same time. So it is always advisable to keep AA as singular as possible from user assignment perspective.
  To resolve this issue, I need to understand what values are being passed while executing reports?
  1. Is there any input selection field for 0CO_AREA in the report? If yes, while passing Company Code - 2138 or 5478, what is the 0CO_AREA value passed? Ensure that it is not kept blank.
  Can you check by passing the following set of values  in the report :
  (0CO_AREA 2100, 0COMP_CODE 2138) OR (0CO_AREA 5400, 0COMP_CODE 5478)
  2. Also trace out AA while executing the report through RSECADMIN and check the authorization log for errors.
  Let me know how it comes up.
  Thanks,
  Deb

• Authorization Error  while executing Workbooks,

  Dear ALL
  We have authorization in place where users are restricted to execute Workbooks PLANT wise.
  For this 0PLANT is kept authorization relevant.
  0PLANT__0COMP_CODE  is Navigational Attribute of 0PLANT also marked as authorization relevant.
  Till now all user were assigned the Analysis authorization A_PLNT_XX as  0PLANT = XX
  But suddenly now the users are getting authorization error of NOT BEING AUTHORIZED .,
  The error log is as shown below.
  Relevant Characteristics for Detailed Authorization Check  
  (Characteristics with Full Authorization Are Not Listed!)
    List of Effective Authorization-Relevant Characteristics for InfoProvider ZMMIMMP05:  
  0PLANT 
  0PLANT__0COMP_CODE 
  0TCAACTVT 
  Subselection (Technical SUBNR) 1  
  Supplementation of Selection for Aggregated Characteristics
    Check Added for Aggregation Authorization:     0PLANT__0COMP_CODE  
    Authorizations missing for aggregation (":")  
  Characteristic  1 
  0PLANT__0COMP_CODE    Empty   
  Entries marked with red do not have aggregation authorization
  You can find more information about this here 1140831
    The authorization check stops here as this selection is no longer needed  
    Message EYE007: You do not have sufficient authorization  
    No Sufficient Authorization for This Subselection (SUBNR)  
  Following CHANMIDs Are Affected:
  51 ( 0PLANT )
    Authorization Check Complete  
  Please let me know the reason for the same.
  Also How can  i track these  changes to avoid such errors
  Regards,
  Ajit

  Hi Ajit,
  The authorization log has been improved constantly and try to make it easy to understand.
  It says:
  Authorizations missing for aggregation (":")
  Characteristic 1
  0PLANT__0COMP_CODE Empty
  Entries marked with red do not have aggregation authorization
  You can find more information about this here 1140831
  So please click the "1140831" which is a hyperlink bringing you to OSS note 1140831.
  The note says:
  1140831  Colon authorization during query execution
  Part 1:  Description of the authorization check
  You require aggregation authorization ("colon authorization") to view
  the values of an authorization-relevant characteristic in aggregated
  form. What does this mean exactly?
  Example:
  The calendar year (0CALYEAR) characteristic is authorization-relevant
  and is contained in the InfoProvider that is in use. You defined a query
  as follows:
  1.  0CALYEAR is in the free characteristics (not in the drilldown)
      without any selections
  - or -
  2.  0CALYEAR does not exist in the query at all.
  In both cases, no 0CALYEAR values are displayed in the query. Also, the
  query is not restricted to any 0CALYEAR values. A colon is required for
  the authorization check in this situation.
  The note contains some more detailed explanation. You could read through it to understand the concept.
  Regards,
  Patricia

• Authorization issue in ICH

  Hello Gurus,
  I am very new to ICH and doing some R&D on the same for some scenarios.
  When I am clicking on the replenishment overview I am getting the below error.Can anyone throw some light on this?
  "No authorizations on location 'ISMP' product 'IS_MATERIAL' for VMI planner ''
  Thanks and regards,
  Murali/Rajesh.

  Can you please check the Authorisation Check log and find out the authorization Object.
  As per the details received in the Authorization log,
  Basis Team will provide the authorization to the user

• You do not have the sufficient authorization

  Hi Experts,
  I am trying to setup Structural Authorization from HCm in BW. I am using 0HR_PA_2 and 0HR_PA_3 extractors to pull the data from HCM in 0TCA_DS01 and 0TCA_DS02. I am able to load the data for both DSO's and Authorizations are generated also via RSECADMIN. 
  The auth relevant info objects are
  0ORGUNIT
  0HRPOSITION
  0EMPLOYEE
  But when i run the query for test user it is giving the error "You do not have the sufficient authorization". Our security guy setup everything for the test user at the back end. Can anyone help me out to fix this problem?

  Hi Shehzad
  Kindly check the below details and confirm.
  1. Check auth objects S_RS_COMP, S_RS_COMP1, S_RS_AUTH and S_RS_DSO as you mentioned data is coming from DSO.
  2. Now check the value maintained in S_RS_AUTH and copy that value and go to RSECADMIN and in maintenance screen put that value click on display and check whether these relevant auth is maintained (this you can also check in rsecval table).
  3. If every thing is fine then go to tcode - rsecadmin-> Analysis-> Check "Authorization Log" ID and put test user Id there and click on run RSRT this will take you to RSRT scrren and there you can Simple RUN or run with debug also.
  Now If error came of No authorization go back and check log in that you will get to know the auth obj which is missing in analysis object.
  Suggestion: Simultaneously run ST01, so that you will also get auth obj if any is missing as there may be possibilty of multi-cube so for that there is requirement of some other object.
  Hope this will help.. Else please share trace results and role objects which is maintained.
  One more IMP point if new query or report is created. it will take some time to synch for other users even 0BI_ALL will not work for that user, need to pass that particular values in analysis object which is required.
  Thanks
  Bhupinder Singh Arora

• [CUA] Compatibility with Analysis Authorizations (RSECADMIN)

  Hello,
  I have two questions for you, BI experts :
  1) Could someone please confirm that it is not possible to centrally maintain Analysis Authorizations (trx RSECADMIN) from the CUA ?
  2) Does it make sense to start a CUA project now with the Identity Management solution coming soon ? What are the pros & cons of each ?
  Thanks in advance.
  Best regards,
  Guillaume

  Hi,
  I had a look at the Roles and Profiles tables used by CUA.
  I found that it uses special tables such as :
  USRSYSACT     CUA: Roles in Distributed Systems
  USRSYSACTT     CUA: Roles in Distributed Systems
  USRSYSPRF     CUA: Profiles in Distributed Systems
  USRSYSPRFT     CUA: Profile Text in Distributed Systems
  USLA04          CUA: Assignment of Users to Local  Roles
  USL04          CUA: Assignment of Users to Local Profiles
  There is no analogous table for RSECADMIN tables such as :
  RSECAUTHGENERATD     BI AS Authorization Reporting: Generated Authorizations
  RSECLOG               Storage for Authorizations Logs xml
  RSECTXT               Authorization Texts
  RSECUSERAUTH          BI AS Authorizations: Assignment of User Auth
  RSECVAL               Authorization Value Status
  This, I conclude that it is not possible to maintain BI analysis authorizations from the CUA central system.
  This kind of authorizations has to be performed in the child system directly.
  Unless, SAP has something to draw out of its pocket soon... 
  I indeed read that some development was done on the CUA, parallel to the SAP NW Identity Management solution.
  Best regards,
  Guillaume

• Analysis Authorizations on Infosets

  Hi,
  I just wonder if analaysis authorizations work on infosets in SAP BW(701) SP8.
  I have got Infoobject A, which is authorization relevant. When I use this object in DSO/Cubes/Multiproviders then data level authorizations(analysis) are work fine.
  But when I use this infoobject into an infoset then it has become F35_XXX. When I create authorization variable on F35 and restrict value of A to certain values in RSECADMIN(analysis Auth). then it is simply allowing user to all values of A instead of restricting access to values specific in RSECADMIN.
  At the moment my analysis auth is restricted as follow:
  0TCAACTVT = 03
  0TCAIPROV = Infoset name
  0TCAVALID = *
  A = 100
  Am I missing anything?
  Regards,
  Ramesh

  Hi Ramesh,
  Infoset authorization should also work for authorization relevant navigational attributes.
  Navigation attribute has it's own setting for authorization relevant. It is set in RSD1 attribute tab.
  Can you check whether it's set to authorization relevant there?
  In addition, if a use has full authorization(*) for a certain characteristic (or navigation attribute), it might not be listed in the authorization log as detailed check does not need to be done for it.
  Best regards,
  Patricia

• BEx Exclusion from Selection Authorization Error

  All,
  Has anyone encountered the following situation and, if so, how have you handled it?
  I have a query based on an InfoProvider which includes Company Code.  We restrict data which users can view by Company Code.  When my user executes the query they see data for all of the companies for which they are authorized.  If they filter by company code and "include" companies which they are authorized to see the query works without any issues.  BUT, if they filter by company code and "EXCLUDE" a company they get a "You do not have sufficient authorization" message and the query fails.
  It seems as though the query is trying to get ALL company codes.
  Any thoughts?

  Hi,
  If you exclude a company, then when you execute a query , system will search for the companies you are authorized for
  but since you have already Excluded it , you get "no authorization".
  This is correct.
  Unless you execute the combination which you have authorization , you will get the 'no authorization'
  You can even check in transaction RSECADMIN, by executing the query using RSECADMIN -> RSRT transaction -> query
  It will collect the authorization logs.
  This will provide you complete details which authorization is failing and then you can correct them based on analysis.
  Regards,
  Amit

• Query display incorrect data by authorize object

  I have 2 location (1001, 1002).
  And I set 0plant for authorization. I set 'AA' user for display 1002 location.
  I create stock query, that it can input location by 0plant infoobject.
  (New variable -> processing by: Authorize -> selection and optional and ready for input)
  Result:
  Input 1001 -> I receive "No Authorize" -> OK
  Input 1002 -> I receive 1002 data -> OK
  Input 1001,1002 -> I receive "No Authorize" -> Not OK -> I want to display only 1002 data
  No input -> I receive all data both 1001 and 1002 -> Not OK -> I want to display only 1002 data
  please help me
  critical solution is no input case

  Hello A J,
  are you using the (new) concept of analysis authorizations?
  If yes, then think about this important rule: authorizations do not work as a filter. Authorizations define the area that the user is allowed to see, but you still need to define the filters in the query in order to make sure that the query does not select more than the user is authorized to. The variable that you created should help the user filter the data, so it should show you only 1002 in the F4 help, but not 1001. If, however, the user manually enters something out of the authorized area, he should get a "not authorized" error.
  So, in your cases:
  - Input 1001,1002 -> I receive "No Authorize" -> Not OK -> I want to display only 1002 data
  Query tries to select both plants, but the user is only authorized to 1002, so "no authorization" message is expected
  - No input -> I receive all data both 1001 and 1002 -> Not OK -> I want to display only 1002 data
  This should not happen. Are you sure that data for 1001 is also displayed? If yes, check the authorization log via RSECADMIN to see which authorization allows the user to see plant 1001.
  I hope this helps.
  Regards,
  Maxim

• Interpretation of values in log generated for auth checks(using RSECADMIN)

  Hi experts
  Could you please help me in reading the error log which is created using transaction RSECADMIN.My question is in particular about the interpretation of the values which occurs in front of the authorization relevant characteristics in the section "main checks" of the error log.
  For example if I run a query , assumption(user is configured for auth. logs using rsecadmin and then finally when the query gets completed we see the authorization logs using rsecadmin only). Then in the log it shows what values were checked for the authorizations against authorized values/sets. Lets say there are 2 characteristics char1 and char2 which have hierarchies below them and I run a query with some values(any random nodes from hierarchy below char 1) for Char 1 and some values(any random nodes from hierarchy below char 2) for char2 in the query selection screen and after I run the query and see the log then below values are shown for log:
  Authorization Check  
  Detail Check for InfoProvider <INFOPROV > 
  and then comes the section related to value checks ( MAIN CHECK)
  Main Check
  Subselection (Technical SUBNR) 1  
  Following Set Is Checked                           Comparison with Following Authorized Set 
  Characteristic | Contents                           Characteristics |  Contents                                                                               result
  Char 1           | Node 0 4 0                           Char 1           | All values of nodes for Char1 for which user is authorized.          Ok/NOK
                       | 121339 1
  Char 2          | Node 3 1 98
                     | 121333 1                             Char 2                | All values of nodes for char 2 which user is authorized             Ok/NOK
  Could you please help in getting how shall I interperate the values which are being checked.I mean how exactly should i get the characteristic values from the below shown values
  Char 1           | Node 0 4 0      
                       | 121339 1
  Char 2          | Node 3 1 98
                     | 121333 1   
  I know that this might have some sids related to those values which are passed as nodes in the query selections but I am not sure how shall I get the values which are being passed for checks to the authorized set of values using above notification from sap.
  Could you please help me so that I can find out what values are passed for checks .
  I actually want to know how shall I use the values 0 4 0 121339 1 after the node for char 1 and 3 1 98 121333 after the node for char2.
  The values for the authorized set can be knows as they are shown at the end of the log but nothing is said about the node values which are passed for being checked.
  Please give me light on above so that i can use above informtion to find out what actually the user is not authorized for.
  I hope I explained the requirement to best of levels but still if this is not clear , please let me know.It might be possible that while posting the question some lines get merged (apology for the same but i could not fine the best way to put the same here).
  Thanks
  Vishal

  Hi Chandu
  Thanks for reply. But using the transaction RSECPROT and seeing the log from the rsecadmin both are same as the main program related to both of them is RSEC_PROTOCOL_MAIN.
  My question was related to this generated log only. I know that is in readable format but in log when you see what values are being checked against the authorized set then the part which is not clear to me is that what does the values in front of characteristic (for the node is selected as input value ( selection filter ) to see the data ) signifies.
  Please see example above (as given by me) and please help in interpreation of those generated values in front of charactertistics char1 and char2 (if possible) .
  Regards
  Vishal

• SAP BW query authorization

  Dear all,
  I have a user id in BW and when this person runs a BW report she will get a No authorization error. I tried using SU53 but it doesnu2019t tell me anything useful. Can someone please help me out here? thanks

  Hi,
  You can use transaction RSUDO where you can execute a report using another user and also check the flag to record the log. As soon as you received the no authorization error message you can simply return using the back (green) button and click in the display logs button.
  You are going to see a detailed authorization log where you are going to see why the checks failed.
  Regards,
  Rafael