Queries on Rule Authorizations

Similar Messages

• BW BEX Queries and Analysis Authorizations

  Hello....
  Have an opportunity with BW BEX queries and Analysis Authorization...would like to see if anyone has had the same experience and if so is there a answer....
  1) given a query....
  2) given a analysis authorization with a info-object that has intervals defined to be both single values and ranged values
  the following happens...
  after the query is fired the starter screen appears...the info-object in question appears with the defined single values only....if....the window is opened....again only the single values appear...the range values do not appear...once the query is executed the only results given are those for the single values...
  also if you re-fire the query and manually enter a valid value for the info-object that falls with-in any of the range values no result is given...even if there is data for it....the reponse given is no data found....
  NOW...if the single values, for the given info-object, are removed from the Analysis Authoriization then the range values appear and work....
  Is this a problem within in the query...or...is this a "feature" of the query...and thus must be "lived" with...
  Terry
  PS...this problem currently only happens if the window for the info-object allows for multi-selection....this problem does not occurr when the window only allows for one selection...

  Hi,
  This is a known problem with analysis authorization and multi selection IO selection criteria.
  When you define the analysis authorization with ranges and when you try to enter single values on the selection critera of the query, then the system shows zero data.
  You can run the query without entering any selection values for the IO in question only.
  I have tried several combinations and still encountering the same issue.
  Ravi

• List Queries/Infosets by authorization group.

  I have a number of Queries/Infosets that have authorization group assignments in SQ02.  Is there a way to produce a list of all Queries/Infosets that belong to a specific authorization group?
  Regards,
  David

  Authorization Group as setup in the Infoset Global Properties.
  Thanks,
  David

• Mass change rule authorization

  Dear experts,
  I want to allow for several users to allow to create and release substitutions on asset master data. But when user release a worklist, warning message appears:
  <i><b>"No administrator found for the task"
  "Message no. 5W141"</b></i>
  What should I do, what parameter is missing on user profile? We definitely want to grant to some users rights to create and release substitutions, so do we need to grant System Administrator rights?

  Hi Marius,
  I would suggest that once you get the below error execute transaction SU53. You will find which authorization object are missing and forward the same to your Basis Team to create/ assign role appropriately.
  Hope this helps.
  Pls assign points as way to say thanks

• SQ01 Queries; Any rules / Coding posssible?

  Hi,
  I must make a query and want to use TX SQ01.
  When I join the 2 tables I have the issue that the link field has a leading zero in one table and without leading zero in the other table.
  So the join will not work.
  I am wondering if there is any option to implement a short coding (contatenate '0' with number on one table in the query, I did not find any option in SQ01 however perhaps someone knows....
  Thanks in advance,
  Thomas

  Hi,
  1) I suggest better dont select Table join better select direct read from table. Give the Standard Table here.
  because if you select the table join the join condition is automatically assigned.
  2) The pop up appears "Field Groups" I would suggest using the third option (create empty field groups)
  because you donu2019t need all the fields (nobody does), so itu2019s better to choose whatever you really need
  from scratch (empty) to improve the query performance. In next screen, choose which fields you want to include
  into the infoset, itu2019s fairly simple actually because all you need to do is click and drag the fields
  from the left pane into the right pane.
  3) Click u2018Codeu2019. in that code selection having so many event and data declaration also. Please write the code over here.
  4) In the declaration better declare one internal table.
  5) in the start-of-selection write the code as below:
  loop at standard table to wa.
  "call CONVERSION_EXIT_ALPHA_OUTPUT get the field values as leading zero's
  "pass into the newly created itab
  append wa to it.
  endloop.
  "and write the select query with for all entries.
  Please see the below link its sample of SQ02.
  www dot saptechnical dot com/Tutorials/SAPQuery/ABAPCode/Page1 dot htm
  Regards,
  Dhina..
  Edited by: Dhina DMD on Jun 3, 2011 11:03 AM

• Assign queries to authorization role via PFCG maintenace

  Hi,
  I would like to assign several queries to existing authorization roles.
  Therefore I am using the transaction PFCG > maintain the menu > add "other" SAP BW Query URL and fill in the name as well as object description.
  However, the new query will not be shown in the BEx Analyzer in the role folder.
  What do I have to administrate that the query will be shown in the role menu (BEx Analyzer)?
  Thanks!

  Dear Arvind,
  thanks for your reply.
  As an authorization administrator for SAP BI I do have the authorization for S_USER_AGR already.
  I am just testing in our development system.
  However, the query will not appear in the BEx Analyzer while selecting "Open Query" and search in "Roles".
  As far as I know queries could provided to authorization roles via BEx Analyzer.
  But does no possibility exists to maintain the authorization role via PFCG?
  Regards, Christian

• BI7.3 -- BO4.0 - Authorization issue in Webi

  Hello,
  Our Queries with authorization variables work fine in BW (RSRT/BEX), and work with Analysis.
  But when we use Webi, our authorization restrictions doesn't work.
  (FYI In Bex Queries we use authorization variables on every infoObjetcs authorization relevant)
  Thanks for your help.
  Jean Lallart

  Hello Ingo,
  so you are using BI 4 Web Intelligence with the direct BICS connectivity ?
  --> YES
  you are using the access to the BEx query ? and the BEx query has all the authorization variables included ?
  --> YES
  Thanks and Regards,
  Jean Lallart

• BW authorization issue.

  Hi Guru's,
  I have an issue with BW authorizations and I can't find an acceptable solution for it. Can you advise?
  We run BW 7.0.
  I have created analysis profiles with RSECADMIN and I have inderted them in object SRS_AUTH.
  0CO_AREA and 0COMP_CODE are set to be authorisation relevant.
  Query is set to retreive allowed values from authorizations.
  0COMP_CODE is based on hierarchy.
  All roles work just as designed: they restrict users to their own Business unit.
  But!! Now I have some users who need to be assigned authorisations to 2 business units.
  And they are the only two in their Business unit who needs this, so I just assigned them the relevant role for both Business units.
  Thus, they have role A (0CO_AREA 2100, 0COMP_CODE 2138) and role B ((0CO_AREA 5400, 0COMP_CODE 5478)
  Everything else in the role is the same for both.
  No, when these users select e.g. CompCode 2138, they get a message : No authorisation. Same for 5478.
  When I assign just one of these roles, they work just fine. When conbined, all ends in error.
  Does anybode know how to solve this, other than create new analysis profile?
  Many thanks in advance!
  Regards, Luisella.

  Hi,
  First of all I should tell you that BI reports and analysis authorization doesn't work on similar lines as ECC Authorization Objects.
  The basic reason being in BI, there is nothing called reports but they are queries and therefore authorization check happens through AND logic both intrinsic and extrinsic. However in ECC, check happens through OR logic between two nodes of same auth object and through AND logic within set of fields in the same node of auth object.
  Therefore for BI queries, we will have to be very particular about the set of values we pass and dealing with multiple AA at the same time. So it is always advisable to keep AA as singular as possible from user assignment perspective.
  To resolve this issue, I need to understand what values are being passed while executing reports?
  1. Is there any input selection field for 0CO_AREA in the report? If yes, while passing Company Code - 2138 or 5478, what is the 0CO_AREA value passed? Ensure that it is not kept blank.
  Can you check by passing the following set of values  in the report :
  (0CO_AREA 2100, 0COMP_CODE 2138) OR (0CO_AREA 5400, 0COMP_CODE 5478)
  2. Also trace out AA while executing the report through RSECADMIN and check the authorization log for errors.
  Let me know how it comes up.
  Thanks,
  Deb

• Hierarchy authorization pbm in BI7.0 with Front end of BW3.5

  Hello All,
  We have a problem regarding authorizations for the hierarchies in BW7.0
  We have migrated from BW3.1 to BW7.0. Authorization are OK in our BW3.1 server, the authorization on hierrachy work well.
  Current Issue (in BI7.0) :
  An authorization object for XCOMPROD for a hierarchy 'ZMAT_HIER'.
  There are 2 queries which have variables of XCOMPROD & ZCOMPROD in selection criteria, ZCOMPROD has variable of type 'Hierarchy node'
  I've a test_user which has authorization on Product Group 5 (one of the nodes in the hierarchy-ZMAT_HIER).
  When i run the queries independently with this test_user, the user has access to Group 5 only, which is correct. 
  When i run a web template report with any one query (from the 2 queries), the user has access to Group 5 (as in first case) - correct.
  However when i run a web template report having above 2 queries together, the authorization fails, as user gets access to root node (instead of only Group 5).
  FYI, we're using BW3.5 front end (no PORTALS)  with the OLD authorization concept (of BW3.1).  Not 'Analysis Authorization' as in BI7.0.
  Looking forward to an explanation/solution to the above.
  Regards,
  Nagendra.

  Hi,
  Check out the customization of SPRO to select the authorization concept. I suspect that it's set on the new authorization concept.
  Tomer.

• E-Recruiting : Role Authorization in e-recruiting standalone scenario

  Hello Friends,
  We have EREC on a standalone system (ERD 100). HR ECC is another system (ECD 300), Enterprise portal in another system (EPD 100).
  we are on EHP 5, EREC 605, Support Pack 7.
  We have activated the single sign on mechanism.
  I have following queries regarding role authorizations on EREC in  standalone model.
  1) We have standard reference users  such as recruiter, manager, decision-maker, data entry clerk, rec.admic etc;  the" RCF_RECRUIT, RCF_MANAGER, RCF_CAND_INT, RCF_DATA_TYP" etc, Should this reference users be created both in EREC & HR system or only in EREC system ?
  2) If the "RCF_XXXX" reference users roles are supposed to be created only in EREC system, how to assign reference user roles to employees whose master data is in HR System. ?
  3) Can support teams concept help for mass authorizations? Can someone elaborate on the support team, support group concepts ?
  Kindly provide inputs.
  Regards,
  ER.

  Thanks Nicole for the inputs.
  Just  expanding my query on the 2nd point regarding assigning Reference users like manager, recruiter to certain employees :
  Example: Say I have Emp. No 20003000. He is an hiring manager, In HR System,  IT105, subtype user id is "20003000".
  To assign RCF_MANAGER reference user role to user id 20003000, should i have to recreate the userid in EREC system as well and assign it in SU01 for this user id.
  Would like to take your comments.
  Thanks,
  Regards,
  ER.

• Publishing Queries to Roles

  Hello Gurus,
  I would like your take on the practice of publishing BW queries to roles? For an example there are 10 sets of queries and these 10 are published into a role for each company that exists. So in essence if there were 20 company codes we will have 20 roles containing 10 queries hardcoded with a company code. I spoke to our BW developer to get an idea as to why this is being done instead of restricting access through S_RS_COMP. Response was that this was done due to performance reasons (something to do with the queries linking directly to the infoprovider containing the information rather than going through all of the infoproviders). So,  Rather than leaving the query open and the user entering the parameter themselves it was decided that the queries were to be hardcoded to cut down the time it takes for systems to display the results.
  Anyone experience this issue before? My goal is to setup a derived role where the child roles are restricted by S_RS_AUTH for the company codes and query access through S_RS_COMP instead of being published to a single role. Before I do this I would like to figure out a way to move away from this practice without affect performance for end users.
  By the way our users access these queries through the Bex Analyzer. 
  Thanks,
  Wes

  Wes,
          Using derived roles in BW or S_RS_AUTH may not be the best design as field for S_RS_AUTH does not appear as org level. So you are not really going to have any advantage by going with derived role concept in terms of maintainence effort.
          With 10 queries  - 20 Company Codes - you will not need 20 roles  because of Company Code, just update the queries with appropriate authorization variable for company code and restrict users on company code. Just 20 company codes should not cause any performance issues
          Also with hardcoding the queries for each single company code - how are you resolving the scenario when user has access to more than one company code/ or global access. 
  Regards

• BI Query Authorization issue

  Hi,
  When a test user execute a query he is getting Insuffucient athorization
  In  RSECADMIN i executed as a test user and got the log
  Please update me how to resolve the issue
  No Sufficient Authorization for This Subselection (SUBNR)  
  Following CHANMIDs Are Affected:
  17 ( 0TCAKYFNM )
  Thanks

  Hi there,
  Regarding the 0TCAKYFNM "containing" information of all key figures, that's why I put the "", because this object doesn't contain anything, it is simply an InfoObject standard that SAP has with the flag marked in authorization relevant in transaction RSD1. This object exists for assigning key figures authorization used through the transaction RSECADMIN.
  Even without the user notice, this object is checked against all the queries over all the InfoProviders.
  If you go to transaction RSD1 for the InfoObject 0TCAKYFNM click on display on the Business Explorer tab you'll see the option AuthorizationRelevant marked. This will force the check for key figures assignment for all the queries against the authorization grnated through this object assigned to the user.
  So if in this transaction RSD1 you change on the tab Business Explorer for this object 0TCAKYFNM and uncheck the AuthorizationRelevant, none of the key figures will be checked against the authorizations the users have to the InfoObject 0TCAKYFNM (since this InfoObject will no longer be authorization relevant).
  If you leave the flag AuthorizationRelevant for the InfoObject 0TCAKYFNM as it is (marked), then in RSECADMIN as you did before, instead of granting * values (all values, all key figures) for the 0TCAKYFNM, you granted for instance the value 0QUANTITY and assign this authorization to the users, if this user executed a query with only the 0AMOUNT key figure he/she would receive lack of authorization, since he/she was only authorized to see values for 0QUANTITY key figure. So resuming, the values you assign for the InfoObject 0TCAKYFNM will be the key figures the user is authorized to see the query, and if you assing * it will be all the key figures (all values)
  Hope this helps,
  Regards,
  Diogo.

• Oracle ODBC Driver 10.02.00.04 sqora32.dll with /*+ RULE */ base hints

  Hi Everybody,
  I have a problem with SQL queries with /*+ RULE */ base hints being posted to an Oracle database. I have reason to believe that these queries are generated by the Oracle ODBC Driver itself. Although I don't have a performance problem per se, I need to reduce these hints to a minimum so we can fine-tune the database as a whole.
  * The views that are hit are always the same: All_Objects, All_Arguments, All_Synonyms,
  * We are using Oracle ODBC driver 10.02.00.04 for Windows, the database server is a RS6000 with AIX and Oracle 10g,
  * Aside Oracle Development tools, there are no applications, reports or similar gadgets that query the tables described above.
  I would really appreciate any help about this issue.
  Here is an example of the type of queries that I'm writing about:
  SELECT /*+ RULE */ '', b.owner, decode (b.object_type, 'PACKAGE', CONCAT( CONCAT (b.object_name, '.'), a.object_name), b.object_name), NULL, NULL, NULL, NULL, decode (b.object_type, 'PACKAGE', decode(a.position, 0, 2, 1, 1, 0), decode(b.object_type, 'PROCEDURE', 1, 'FUNCTION', 2, 0))
  FROM ALL_ARGUMENTS a, ALL_OBJECTS b
  WHERE ( b.object_type = 'PROCEDURE' OR b.object_type = 'FUNCTION' ) AND b.object_id = a.object_id AND (a.sequence=1 OR a.sequence=0) AND b.OBJECT_NAME = 'MYTABLE' AND b.OWNER = 'MYSCHEMA' UNION
  SELECT /*+ RULE */ '', b.owner,b.object_name,NULL, NULL, NULL, NULL,decode(b.object_type, 'PROCEDURE', 1, 'FUNCTION', 2, 0)
  FROM ALL_OBJECTS b
  WHERE (b.object_type = 'PROCEDURE' OR b.object_type = 'FUNCTION') AND b.OBJECT_NAME = 'MYTABLE' AND b.OWNER = 'MYSCHEMA' UNION
  SELECT /*+ RULE */ distinct '', a.owner,CONCAT(CONCAT (a.package_name, '.'), a.object_name),NULL, NULL, NULL, NULL,decode(a.position, 0, 2, 1, 1, 0)
  FROM ALL_ARGUMENTS a
  WHERE (a.sequence=1 OR a.sequence=0) AND a.OBJECT_NAME = 'MYTABLE' AND a.OWNER = 'MYSCHEMA' ORDER BY 2,3
  Best Regards,
  Manuel
  Edited by: user10165637 on Jul 28, 2009 1:29 PM

  Hi Greg,
  Thank you for your answer. One of the things that we did when we migrated to Oracle 10g was to ensure that the "Disable Rule Base Hints" flag, located in the "Work-arounds" tab in the ODBC DSN window is checked. We previously refreshed all Microsoft's Access databases to use this new DSN connection. Still, the hints are there.
  However... we may have been able to link these calls to these Oracle System Catalog views, with a custom application that launces Crystal Reports.
  Although we all know that Crystal Reports also caches ODBC DSN configuration settings, I must say that these same Crystal Reports do not generate hints when called from their InfoView server.
  We will proceed to modify the custom application, overridding the dissable rule-base hint work-around with the string "DRH=T" on the connection string. Next week we will know if this works.
  Best Regards,
  Manuel

• SQ01 authorization

  Hi Expert,
  I created SAP query for users, and assigned users with their respective infoset and user group.
  The problem is that when users access SQ01 to execute the queries, users have authorization to change / maintain the queries, which I want to disable this functionalities.
  I would like the users have authorization to execute the queries only and they are not allowed to change  / maintain the queries.
  Question:
  What kind of authorization object / way that I can achieve the above objective?
  I read this post, Restricting  Access for SQ01 User Group but it is not working to me.  I am from SAP FICO side (not much knowledge on basis).
  Thanks in advance.
  sbmel

  Hi Both,
  Thanks for your reply.
  Activity under object: S_QUERY, only has 02, 23, 67 (they are not working to prevent user from changing the queries)
  I have several queries; therefore the level of maintainability is not advisable if each queries create a Tcode for it.
  Do you have any other suggestion?
  If there is really no way to prevent user from changing the queries from SQ01, one way that I can think of is to build a customized tcode for SQ01, for example: ZSQ01, and from this tocde, disable some of the buttons (like change button).
  Kindly help on this.
  Thanks in advance.
  Sbmel

• BW  Authorization

  Hello All,
  I am using BW3.0.
  In our system there are many Cubes  and ODS already exist.
  Now I have added  one ODS ABC and created queries on this ODS ABC .
  This ODS ABC  will be accessed  by new users .
  So for this new users  I will have to create authorization in such a way that  they  must have acces to those queries which are based on this new ODS ABc only  .
  No  authorization to other  cubes and   queries
  So what   authorization Objects  should  I  consider  to create a role for this new users.
  Thanks  for your reply.

  Hello Ganesh,
                          Got to transaction suim and select the option Roles by complex selection criteria. In the users give the username of new user and below authorization object box give this authorization object S_RS_ODSO and see if any roles are available , if yes then go the tole and in the auth tab got the auth object and in the field RSODSOBJ give only your ods object.
  similarly in suim search your user with the auth object name as S_RS_ICUBE and if the user is assigned to any roles , request the basis team to remove the user from that role.
  regards,
  Karthik