Rational approach for Analysis Authorization:

Similar Messages

• Table for Analysis authorization along with values for authorization fields

  Hi,
  I am looking for table that contains the Analysis Authorization name along with values for all the authorization fields within this Analysis Authorization. Individually i can go to PFCG or Rsecadmin but since i need all the Analysis auth objects, i need to get this info into excel, so need a table.

  Hi Prashanth
    You can check RSECVAL that is appropriate for your requirement please let us know if any further help is needed.
  Thanks & Regards
  Santosh Varada

• Transport Request for Analysis Authorization

  Hello Everyone,
  When a trasport request is created for any BI analysis authorization ( including the Z*), the type of trasport request created
  is workbench request. What is the reason behind this because when any Customised Role / Profile is included in transport request this will be customised request unlike analysis authorization.
  Thanks in advance.....

  Hi Rashmi,
  The difference is In BI, the AA authorizations are independent. Any objects that are independent of the client will be captured in the workbench type of transport request, when they are required in the other client. Hence you can see the Workbech type request for  transporting changed Repository objects and changed system settings from cross-client tables. However, customizing requests involve changes recorded to client-specific Customizing objects .
  The Analysis authorizations are always captured in a Workbench type of transport request by default due to the above design.
  You can still transport both the PFCG role, and AA in a single transport request, you can do the same by following the steps mentioned in the below Wiki:
  https://wiki.sdn.sap.com/wiki/display/BI/HowtotranportroleandAAtogetherinBI
  Regards,
  Raghu

• Customer-Exit for analysis Authorizations: i_step = 3, i_vnam is empty

  Hello all,
  I have checked multiple scenarios and I cannot figure out the mistake I've done:
  Current situation/setup:
  1. Creation of several variables and adding each of them to different queries :
  Variable Type Processing Infoobject Selection ready for input
  COB 1 6 ZCCOSTCTR__ZCCOB S
  CB2 1 6 ZCCOB S
  CBV 1 3 ZCCOB S
  2. Adding values in a role (currently 3.0 is used and we want to check the exit and if it works before upgrading to 7.0) and assign it to the user:
  Old active Object:ZCKS_COB:
  1KYFNM *
  9ZCCOB $C-B2, $C-OB , $C-BV
  added new object without 1KYFNM:
  ZCCOB $C-B2, $C-OB, , $C-BV
  3. Marked the used object auth. relevant for the cube of the query
  4. Enhanced ZXRSRU01 via CMOD with coding and activated also the project:
  WHEN 'COB' or 'RESPNO'.
  IF I_STEP = 0.
  IF I_STEP = 1.
  IF I_STEP = 3.
  CALL FUNCTION 'Z_VARIABLE_BY_AUTH'
  EXPORTING
  I_VNAM = I_VNAM
  TABLES
  E_T_RANGE = E_T_RANGE
  EXCEPTIONS
  NO_AUTH = 1
  NOT_VALID = 2
  MISSING_OPERATOR = 3
  OTHERS = 4.
  ENDIF.
  The function 'Z_VARIABLE_BY_AUTH' was tested separately and fills in E_T_RANGE as expected.
  I also changed the variable names each time to all the other existing variables while debugging.
  If I use a variable of type customer-exit and process it with i_step =1 the value selection and query result is OK.
  But this scenario works without roles and authorization values triggered by a variable $<VARIABLE> and is not the intended and documented way proposed by SAP. The documentation says to create a variable of type authorizations and to process it in I_Step = 3. But in this step I_VNAM is empty and so there is no processing ot the function module.
  Has anyone a solution? I could not find the issue during several debugging sessions. One strange thing is the protocol of rssm: the authorization buffer is not reflecting the enhanced role but only the value $C-B2 for object ZCKS_COB.
  Thanks in advance to have a look on this tricky issue.
  Bye,
  Petra

  Hi Petra,
  You are correct.  I_VANM is not stored at I_STEP 3.  However, to access that value at I_STEP3, use the following code.
  IF I_STEP = '3'.
       READ TABLE I_T_VAR_RANGE INTO L_RANGE WITH KEY VNAM = '...variable name.....'
       IF SY-SUBRC = 0.
         ...code here to alter values...
        .....for example:  L_RANGE-LOW = 'S'
       ENDIF.
  ENDIF.
  Kind Regards,
  Larry

• Double Role for Analysis Authorization using Variable via Customer Exit

  Hi Guys I have been implementing AA using variable via customer exit and I have run into this problem, I wonder anyone have encountered this.
  Example I have a User having 2 sets of authorization Roles
  Role 1
  Personnel Area = A, B
  Personnel Sub Area = 1,
  Role 2
  Personnel Area = A
  Personnel Sub Area = 1, 2
  And what we can derive this that is the user is able to see A-1 B-1 and A-2 BUT NOT B-2 when we run all.
  But instate when we run the report it is drawing B-2 as well as because we are entering
  Personnel Area = A,B
  Personnel Sub area = 1,2
  Any idea how to solve this?
  <removed by moderator>
  Edited by: Siegfried Szameitat on Dec 3, 2008 2:41 PM

  Hello Chee Jason,
  Are you working with version 3.5 or 7.0
  How do you specify Hierarchy variable?
  Any advise you can share is very much appreciated.
  Thanks,
  Patrick

• Impact of Analysis Authorization on Users using old Authorization

  Hi All,
  I have question regarding Analysis Authorization. Our system has old authorization concept and as part of our project we decided to go for Analysis authorization for Cost Center object. We activated analysis authorization for cost center, assigned it to test user id and found that its working fine in Dev. But it has impacted other users in the system. They are not able to access any other reports and data providers which were not even referring cost center. What is the proper way to activate analysis authorization without impacting access to existing users.
  - Som

  Hello Andreas,
  Sorry to ask you directly here, I didn't get answer from this forum. We will migrate to the new analysis authorization from old reporting concept. I have read the book "An Expert guide to new SAP BI security features" by SAP Lavs, but still confused with some parts. My questions is:
  Are there two ways to create authorizations as follows?
  1. we can type tcode rsecadmin>Maintence button>create a new authorization.
  2. the following part taken from the book:
  Steps for Generating Authorizations
  1. Activate Business content
  2. Load Datastore objects
  3. Generate Authorizations
  4. View Generation Log.
  In the first step, OTCA_DS01 to OTCA_DS05 and OCCA_O01 to OCCA_O03 are Datastore objects required to be activated.
  In the second step, tcode rsecadmin-->generation button --> type OTCA_SDS01 to OTCA_DS05 into respective filed. Should we always type these 5 objects everytime when we create authorization?
  When we should use the second way to create authorizations? and what is the diffrence between them?
  Any answers will be appreciated. Thank you very much in advance!
  Haifeng

• Analysis Authorization Pre Filtered Values

  Hi all Gurus,
  I am currently using Analysis Authorization setup and when I run report with no values input in the variable input screen it seems to display ALL the records in the info provider BUT not by what I am able to see based on my authorization defined.
  Example:
  I am authorized to see Personnel Area = A but when i run the report it hits authorization error and I understand that it is displaying ALL the records.
  So my question is is it possible that this filter is automatically for Analysis Authorization handled by the system like how the OLD Authorization handle this?
  Thanks

  Hello Julie,
  It is not necessary to use Hierarchy or customer exit inorder to restrict the access based on company code.
  1. First of all make, Company code as authorization relevent in IO settings
  2. In RSECADMIN, create one authorization object. It is a good practice to include all SAP Technical objects also. Just click on Inster special characts.
  3. For the company code assign required value.
  4. Assign this authorization to user in USER tab
  5. In the report, If you want to defualt the value of company code, create one authorization relevent variable for company code. You can make this variable as ready for input/Not ready for input.
  6. Execute the report.
  The user will only get data related to authorized company code.
  Regards,
  Ravindra

• Analysis authorization not working on WAS server

  Does BI Java  required for Analysis authorization to work ?
  Can we manage with WAS server to show analyis authorization ?
  Actually we don't have BI java configured in our system...so we are executing the query on WAS server ( BI ABAP).....but on this we are not able to see analysis authorization working....system is showing all the possible values and not the authorized value in AA.....
  Regards
  Tripple k

  Jason
  1. 0BI_ALL is not assigned to the user.
  2. I have already set the Authorization scheme as "New analysis authorization" in SPRO.
  3. i am executing the report from T-Code RSRT
      A> Select the report and click on ABAP Web ( Choose query display as List or Analyzer or HTML) - System is showing entire orgunit while it should show only 3 org unit   assigned to user in RSECADMIN.
     B> Select the query and execute on Java Web - Error in connectin as BI java is not there on portal side
     C> Select the query and choose Query Display as "HTML" click on Execute button - Only 3 values restricted in RSECADMIN are appearing.
  Hope somebody can throw some light on this.
  Regards
  Tripple k

• Analysis authorization - which objects are relevant

  Hi
  We use Analysis Authorization.
  Multicube XXX contains authorization relevant objects A B C.
  Is it possible that some of these objects arent used for analysis authorization. Where can I check it?
  Thanks

  Hi there,
  I don't quite get your question...
  If you go to transaction RSECADMIN and create a new authorization object give it a name and a description, if you click on the Infocube button and select the MultiProvider XXX, the system will open a window with all the InfoObjects that exist on that MultiProvider XXX and are marked as authorizationRelevant on the transaction RSD1, tab Business Explorer.
  If you don't want some of those objects to be checked with the authorizations, you have two ways:
  1. Either you uncheck the option of authorizationRelevant for those InfoObjects in transaction RSD1 tab Business Explorer, but this will afect not only the MultiProvider XXX, but all the InfoProviders were that particular InfoObject is used, will never be checked for authorization purposes.
  2. Create a new authorization object in RSECADMIN and click on the InfoCube button, select the MultiProvider XXX and choose only the InfoObjects you want to bypass the authorization for that MultiProvider. Grant * values for all those InfoObjects and click on the butto of special characteristics (button at the left of the button Infocube) and for the entry 0TCAIPROV restrict it to I EQ XXX (so that only the MultiProvider XXX will be afected by that authorization object). This will grant * all authorization values for those InfoObjects only for the MultiProvider XXX, so these InfoObjects will never need authorization values whenever you're using a query(ies) over that MultiProvider.
  Hope this helps,
  Regards,
  Diogo.

• Analysis Authorizations.

  Hello All,
  We have a scenario where the value will be ex: ABC*D for analysis authorization.
  This value will be populated to a variable through costomer exit.
  But when the value is populated as A* or AB* or ABC* or ABCD* it is working fine.
  If I use multiple * in a single value like ex: ABC* it is not working and giving the below error.
  When the query is executed it is displaying No Authorization.
  Please provide your inputs if somebody had already faced this issue.
  Thanks for inputs.

  Hi,
  This is the design of the system.
  It is described in OSS note :
  1053989 Intervals and Patterns [(*),(+)] in Analysis Authorizations
  The required format for normal characteristics is the following:
    - Single value: I EQ A (characteristic value =A),
    - Interval  : I BT A B (A <= characteristic value<= B)
    - Pattern   : I CP A* and I CP A+ (pattern with exactly one
      wildcard (*) or exactly one plus character after A).
    - Aggregation authorization :
      Colon character (:). Permits an aggregation on the  characteristic.
      Written as single value I EQ :
         Patterns
  Only patterns with exactly one ending + (wild card for a single
  character) or * (pattern for arbitrarily many charactersy) are allowed.
  For example : entering A*A is not possible.
  Regards,
  Patricia

• D_E_L_E_T_E doesn't delete analysis authorizations

  Dear SAP BI colleagues,
  I use the standard DSO's for analysis authorization (0TCA_DS0*). After successful upload and generating the analysis authorizations, I tried to delete this entries again. For this I followed the SAP documentation as well as other community hints: I only have the D_E_L_E_T_E entry for infoobject 0TCTUSERNM in the value DSO 0TCA_DS01. After generating via RSECADMIN the analysis authorization still exist in the user assignment as well as the DB table RSECAUTHGENERATD.
  Does anybody know why?
  Regards,
  Joern

  You need to set the 0TCTOBJVERS to 'A' and 0TCTADTO to '99991231' as well.
  Regards,
  Lars

• Analysis Authorization failed for Multiprovider

  Hi all,
  We are facing an issue pertaining to the Analysis Authorization for a multiprovider. When we attempt to access a query base on a multiprovider, the program complains that it has insufficient authorization. So we did debugging in the customer exit and we realise it fails to populate the rest of the authorization variables in I_step = 0. Base on our initial investigation this only happens on queries on multiprovider, so is there anything I need to set or do to curb this error?
  Many thanks!

  Best solution is to trace the authorization for your issue in ST01.
  Switch on the trace in ST01 and start your work. if you face authoirzation check failed. look into the trace there you will find the logs and authorization failed for your userid.
  And one more thing, have you got anything in SU53 as authorization check failed?
  Hope this would help you.

• Analysis Authorization : Selection screen not appearing for query

  Hi,
  I am facing an issue with analysis authorization. I have created the new roles and assigned to the users. For one user when I am executing the query, the selection screen is not coming up and it shows error message to specify the variables. Whereas its running for all other users.
  In S_RS_COMP I have selected Type of a reporting component as Query View, Query & Template structure. I also tried adding Variable in this field but that also did not help.
  Please let me know if you have faced similar issue.
  Regards,
  Manish

  Hi,
  Go to your query desinger opend your query and select your variable in that you have see first "Ready Input Query" Check box is selected or not. It's not selected you can select that check box.
  Your problem will be sloved.
  Thanks & Regards,
  venkat.

• Analysis Authorization for nav Attr Issue

  Hello:
  I have a 0COMP_CODE as an attribute of 0SALSORG and it is marked as authorization relevant. i.e 0SALESORG_0COMP_CODE is authorization relevant.
  I created an analysis authorization Object ZCOMPCODE_1000 by adding following in it.
  InfoObject           Value
  0COMP_CODE  = 1000
  0SALESORG = *
  0SALESORG_0COMP_CODE = 1000
  0TCAACTVT = *
  0TCAIPROV - *
  0TCAKYFNM = *
  0TCAVALID = *
  Now I have a report on a cube which has 0SALESORG as char and also 0SALESORG as a variable on selection.
  When I run a query for sales org = 1000, I can see rsults as sales org 1000 is assigned to company code 1000.
  If I run report for sales org 2000, I should get not authorized message as 2000 is not assigned to company code 1000 and I only have a role assigned to me which has analysis authorization object ZCOMPCODE_1000. But Still I am getting report results.
  Please explain Why and How can I overcome this issue.
  Thanks

  First of all it is strange that we see two appearances of sales org.
  0SALESORG = *
  0SALESORG_0COMP_CODE = 1000
  Probably the star value overrides the setting in the second one.
  Besides did you create the variable in the query as authorization relevant or you will have problems there.

• Problem wih analysis authorization for two scenarios on same data provider

  Dear all,
  I am looking for a solution on the following authorization scenario (using the new analysis authorization). Unfortunately everything that I tried did not work out as expected:
  User A is allowed to manually access query 1 (based on cube A) with authorization on all sites A-Z
  The same user A shall get an email distribution automatically (derivation of the filter in the query out of the authorization) for query 2, which is as well based on cube A, but this time the authorization shall be limited only to site A.
  As both queries are based on the same infoobject (0PLANT) and the same infoprovider (0TCAIPROV) I always get the result for all sites A-Z. The 0TCAACTVT is in both cases 03 (display), so I have no chance to distinguish between reporting and email distribution.
  Probably the only chance would be to derive the values for the email distribution scenario not from the authorization directly, but using a customer exit to fill the filter - but I would prefer a "standard" solution...
  Any ideas??
  Thanks,
  Andreas

  Dear Andreas,
  Before give you an alternative for you problem, Iu2019d like to comment the combining authorization concept:
  http://help.sap.com/saphelp_nw70/helpdata/EN/46/98cd87f37d19ace10000000a11466f/frameset.htm
  For this reason I suggest you which combing restriction through authorization and query filter. For query 2 try to use in 0PLANT characteristic the single value u201Csite Au201D, this restriction give you only authorization for see this value.
  Otherwise, you have to use customer exit.
  I hope that alternative help you to find a solution,
  Luis