Reporting authorization issue

Hi all,
After transporting roles, users, authorizations, queries and workbooks from Dev into Prod we have an authorization problem. There is a message during the opening of workbook or a web-query that says: "Your user master record is not sufficiently maintained for object XXX". After that the connection with the server is broken.
TX SU53 shows the message: "The user has no authorization on this authorization object".
Checking everyting in RSSM and PFCG didn't solve the problem. Comparing all relevant items in Dev with Prod showed no differencies. What may cause a problem and where to look to figure it out? In Dev everything works fine.
Thanks in advance.
Eugene

Did you check the authorization objects for the InfoProvider? In TC RSSM you can check, if an authorization object is switched on for an InfoProvider.
There could be a difference between D and P, depending on the order of your transports. An authorization objects gets activated automatically for an InfoCube, if it already exists, when the cube is created. If you create an authorization object but the cube already exists, you have to manualy switch it on, if it should be active.
That means: if you first transported the authorization objects and then transported the InfoCubes, all authorization objects would be active in the cubes.
Did you do an authorizatio trace (TC ST01)? That could give you additional information as well.
hth
Stefanie Schaaf

Similar Messages

Reporting authorization issue after BI 701 05 EHP1 upgrade

Hello,
We have recently upgraded our BI 7.0 to BI 701 EHP1 with 05 patch level. After this we had a problem with reporting authorizations for a report (query), which has created under Virtual Infoprovider.
Earlier the report use to be execute perfectly with authorizations S_RS_ICUBE object with Act 03, Subobject DATA, but after upgrade to EHP1, while executing report its throwing a error pasted below.
=============================================================================================
"Diagnosis
Errors occured while reading a VirtualProvider outside the BI system. Check whether the previous error messages contains any information about the possible cause of this error.
It is possible that the error message can not be displayed because the error message class does not exist in the BI system. If this is the case, only the name of the error class and the message number are displayed. View the error class in the source system of the VirtualProvider.
System Response
Procedure
Since the error is not necessarily in the BI system, there is no specific procedure for resolving it. With VirtualProviders, problems often occure with the connection to the system; these can lead to system termination. If the code for the VirtualProvider is not from the SAP, contact the relevant person to help resolve the issue.
If an SQL error is listed in the previous message, see the procedure for SQL errors."
===============================================================================================
After running st01 trace we identified the missing authorization is S_RS_ICUBE with Act 03, subobject DEFINATION.
Here please tell why is the subobject check is performed to execute a report (query), as this is happening after EHP1 upgrade, so let me know if anyone had any clue on this ...
Thanks

Hi Martin,
Thanks for reply.
The assumption what you made are correct, but these are the possible reasons only. Is there any specific note or any info from sap that these changes came due to the new release change, so that i can tell my manager clearly.
And I am not sure whether this is impacting the reports which using the VirtualProviders (Virtual CUBE) in place. If you could get bit more information that will be helpful...Thanks in advance.
Sridhar

Interactive reports authorization issue ?

Hi All
I am working on CRM 7.0 , interactive reporting
As per SAP CRM interactive reports standards, employees can only see their opportunities and managers can see only the opportunities created by his team.
I need that all employees can see all the opportunities created by them or others and the managers also
What are the settings t be changed to enable this functionality
Regards
Fahim

Hi!
This is not possible with CRM interactive reporting unless you assign every employee to a manager role in the CRM Org Model (which would contradict it's purpose). Unfortunately, your request would contradict the central authorization principle behind interactive reporting.
Due to this fact and because the expected data volume would also probably be too large to be handled by interactive reporting, I recommend to use BW reporting instead. BW is much better designed for large data volumes, and you do not have the Org Model restrictions as in interactive reporting.

Report Authorization issues after Authorization Migration in BI 7.0

Hi SAPians,
we are facing report access for the customers after migration of authorizations (3.x to 7.0). All these are Customer reports and need to restrict their customer codes only. In two ways, i have tried to resolved this.
1. Roles - Maintained Customer Number in the authorized object CUSTOMER - Not working.
2. Created new authorization object through RSECADMIN and maintained the Customer Number with proper activity, validity etc.. - Not Working
(For Ex. Customer Number is "11500" and length of Char is 10)
While executing the report, i am getting below error:
Value "0000011500" for variable "Customer Authorization(Multiple Optional)" is invalid
Message no. BRAIN643
Diagnosis
Characteristic value "0000011500" is not valid for variable Customer Authorization(Multiple Optional).
Thanks and Regards,
Venkat

Hi,
It depends of the way your authorizations has been setup. If you did it role based or profiles direct to the customer. You should also look into the fact that the migration tool can create direct a profile (not a role with a profile). My way of working in a role based application was that I looked for the roles with objects s_rs_mpro, s_rs_icub, s_rs_odso, s_rs_iset(these are the objects that needs to be replaced with RSECADMIN) and the own build objects with rssm. I added the authorization object s_rs_auth to the role and the new objects made with RSECADMIN. If you transport then the roles and objects made in RSECADMIN it works good. Bottom line beaware of profiles that are not created by the profile generator.
Have fun
Jan van Roest

BI 7.0 Analysis Authorization issue: some reports displaying a blank page.

Hi All,
This is regarding BI 7.0 Analysis Authorization issue.
Overview:
we have restricted some queries at infoobject level.
Issue:
a. For some of the queries, we can see the selection screen but when we try to execute the query by clicking on the execute button (Queries WAD) we get a blank page, meaning nothing is displayed on the output (white/Blank screen).
b. When we execute the same query through RSRT, we get a message which says "Disconnecting from BW server..".
c. Let me explain further on this. Basically we are doing this in order to have limited access to Auditors at the client side. At the same time normal users should not get impacted due to this, hence we created two roles. One for normal users and other for Auditors.
d. Now the thing is that we execute the same report with normal user ID's the report executes properly and displays the output. it does not show the blank page.
e. But when we execute the same report with Auditors ID then we get a blank page.
Any idea why this is so?

Hi Neha,
I tried the below also,
GL Acnt
I EQ 0000134010
I EQ :
but still it didn't work.
No Infoobject is missing in Authorization Object.
For your point, "rsecadmin - > analysis -> execute as -> check for the desired user & analyze the log" it didnu2019t allow me to analyze, since as soon as click on execute button a pop-up comes up saying "Disconnecting from the BW server..."
As mentioned earlier also it is giving me the below message,
""I>> Row: 103 Inc: AUTHORITY_02 Prog: CL_RSR_RRK0_AUTHORIZATION RS_EXCEPTION 301CL_RSR_RRK0_AUTHORIZATION AUTHORITY_02"
Kindly suggest, since this is a show-stopper for us!
Thanks,
Ishdeep Kohli.

Analysis Authorization Issue

Hi:
I created an analysis authorization ZCO_CODE to trstrict it by a company code.
I added following objects in authorization with values.
0COMP_CODE = 1000
0TCAACTVT = 03
0TCAIFAREA = *
0TCAIPROV = *
0TCAVALID = *
Then I created a role Z:00:BW_REPORT, where I added following authorization objects S_RS_AUTH and restricted it by value ZCO_CODE. Then I assigned this role to a user test01.
When I execute a program RSEC_MIGRATION for this specific user, I do not see authorization object ZCO_CODE on 2nd step of this program. Any Idea Why? I think this object should show up as I want to migrate this specific object.
Help will be appreciated.

Hi Sachin:
Okay here is my issue.
I have a Reporting authorization Object created earlier which is ZCOCODE. I though I'll have to create a new Analysis authorization object e.g. ZCO_CODE and then restrict it with other chars. as mentioned in Marc Bernards presentation and then you have to migrate it.
In selection list I can see old Reporting authorization object. If I select it and use option "Enhance existing profile" then It will update profile and not role? right....
How can I see whether it has updated existing profile?????
Do I need to create new Analysis Auth. for Company code or I can use old Reporting authorization for company code?
For testing purpose, I created a test user and assigned all reporting roles but It will not show up in RSEC_MIGRATION step???

Variable screen/variant screen authorization issue

HI All,
We have implemented standard Cost Center Overview Report(0SR_C02_Q0002) in BI 7.
We have three selection fields:
1.Company Code which is mandatory
2.My controlling Area which is also mandatory
3.Costcenter which is not mandatory
The requirement we are facing over here is that in the Variable screen/variant screen when I enter a company code, then I need to display dynamically only those "My Controlling Area" values which are assigned to that particular company code and not all. In the same way after selecting the appropriate "My controlling area" value, I need to display only those cost centers in the cost center selection field which are assigned to the selected company code and My controlling area combination and not all.
can anyone guide me on how to go about on this authorization issue at the variable screen itself.
Please treat this issue/requirement on high priority.
Appreciated in advance.
Regards,
raps.

Hi,
I think that an alternative to solve your concern could be using Web Application Designer (WAD). In this respect, there are several design options, with different levels of complexity.
As the simplest alternative, you could create a WAD including your query and three Dropdown Boxes: one for Company, a second for Controlling area and another for Cost center. The four mentioned elements should be linked to the same dataprovider so, when you select a company, the options in the other two Dropdown boxes and the information in the query are updated.
In order to enforce mandatory filter selection at Company and Controlling area level, you should set NO_REMOVE_FILTER='X' in both two Dropdown boxes, so that "All values" option -which would mean no filtering- is not offered.
I hope this helps you.
Regards,
Maximiliano

Authorization issue - help request

Hi guys,
One of the consultants is having an authorization issue ( He is not abele to run a t-code)
I ask him to run a su53 report and i am not sure how to proceed with this.
Please help.
Here are the details from the SU53 report.
DISPLAY AUTHORIZATION DATA FOR USER VYXXXX
User : VYXXX                       profile parameter authorization buffering    4
Authorization Object: F_KNA1_GRP
Description
Authorization check failed:
      + Authorization object F_KNA1_GRP Customer Account Group Authorization
            Activity                                08
            Customer Account Group     ZM01
Users Authorization Data :
      + Authorization object F_KNA1_GRP Customer Account Group Authorization
               Authorization T-PD19002300
              Authorization T-UG39000900
              Authorization T-UG39001000
Please help me guys what need to be performed.
Regards,
Vamsi.

Hi Vamsi,
SU53 shows us the last failed authorization for a user. However, it might not only be the failed authorization object failed.
Hence, "just to learn" , you can use transaction ST01 to enable and run a trace for particular users. Be sure to use in a test environment first, and with proper filters. (for a particular user only).
Then check-> which auth object is failing.
RC=4 means a object value is failing.
RC=12 means an object is missing!
Check, which tcode is calling that object and this tcode is present in which role. Then.........proceed.
You can check the SAP documentation on running traces on the help portal of SAP. I think you will find the answer yourself by troubleshooting more and may be massaging some test roles here and there!
Likewise, if you are new to security, I would encourage you to start by reading some books on SAP security. Authorizations made easy is a good book to start with.
Let me know if you have any questions
EOD for me :P . take care
Abhishek

Authorization issue during Jump

Hi all,
I am faced with an authorization issue when I am jumping from a BW report into an ABAP report in R/3. The particular BW report is built on a Multiprovider and when I jump to the R/3 report it displays a message saying that I have no authorization to display the R/3 report. Now the issue is that when I run the same report on the base infocube and perform the jump there is no problem. It works just fine.
Both the multiprovider and the base infocube have the same authorization objects checked.
Can someone please help?
Regards,
Ashmith Roy

Pls have a look on the below thread:
Authorization by InfoArea
Regards
Ganesh
*Assign points if this helpful

Authorization Issue with ODS

Dear all,
I have an authorization issue with two ODS.
One I activated for BEx reporting --> Is working fine in Dev, but I get error with
missing authorization in QUA, althought some authorizations.
Same issue with a newly created ODS, which works in Dev, but gives an error
with missing authorization in QUA.
What can be the reason for this? Any input is highly appreciated!
Cheers,
Claudia

Hi,
check that the role(s) are transported from your DEV and your QA, and that the user has the correct role(s)
Check as well in your QA transaction RSSM for your ODSs objects; it might be that by transporting the ODS, some authorizations have been applied by default.
hope this helps...
Olivier.

Authorization issue in BPS

Hi guys,
I've the authorization issue in a BPS application, where a user can upload a flatfile into a BPS-cube, but only when I select in the authorization object S_RS_AUTH 0BI_ALL.
Without selecting 0BI_ALL (another analysis authorization) yields to the message, that the user has not enough authorization...
Now the user gets access to data in the BW reporting to all the organizational marks like the organization unit (0ORGUNIT).
How is it possible to design the authorizations / analysis authorization, that the same user can upload data via flatfile, but gets only access to transaction data for organizational data which he should see???
How should the analysis authorization should be designed? Has it something to do with the techn. char. like 0TCAACTVT?
THX in advance!
Clemens

Hi,
Have you tried creating Authorization Variable for organizational Unit ?
This will give restricted access to data based on the authorization assigned .
Thanks
Pratyush

Regarding BI Authorization Issue

Dear Friends,
can anyone help me to solve this issue..
I have a Authorization Issue, u201CNO Authorization u201C
Error : EYE 007 ( Insufficient Authorizations )
I have follow this stepsu2026
Steps 1 :-
Define Authorization-Relevant Characteristics ( ZCUSTOMER )
Note : I have 0Division values C100 and C200, I want to restrict the user on ZCUSTOMER = 100.
Steps 2 :-InfoObjects as u201Cauthorization-relevantu201D
Eg: 0TCAACTVT
0TCAIPROV
0TCAVALID
0TCAKYFNM
ZCUSTOMER
Steps 3 :-Using T-code : (RSECADMIN) created the Analysis Object
For example : ZAUTH In That I have taken
ZCUSTOMERrestricted with value C100.
0TCAACTVT with 3 ( Display )
0TCAIPROV with * ( Astric )
0TCAVALID with *
0TCAKYFNM with *
Steps 4 :-
Assign Authorizations to Roles
Use authorization object S_RS_AUTH for the assignment of
authorizations to roles.
Maintain the authorizations as values for field BIAUTH
Ex: ZTESTA1
S_RS_AUTH
Here I have given my Authorization Analysis Object ( ZTESTA1) which I have created in RSECADMIN.
S_RS_COMP
Activity Create or generate, Change, Display, Delete, Execute <...>
InfoArea : ZDEMO_ MIHI
InfoCube : ZCUBET
Name (ID) of a reporting compo : ZTEST_Q0001
Type of a reporting component Calculated key figure, Query View, Query, Restricted key figure <...>
S_RS_COMP
Activity Create or generate
InfoArea :ZDEMO_ MIHI
InfoCube : ZCUBET
Name (ID) of a reporting compo :ZTEST_Q0001
Type of a reporting component :Query
S_RS_COMP1
Activity Display, Execute
Name (ID) of a reporting compo : ZTEST_Q0001
Type of a reporting component :All values
Owner (Person Responsible) for *
S_RS_COMP1
Activity Change, Display, Delete, Execute, Enter, Include, Assign
Name (ID) of a reporting compo ZTEST_Q0001
Type of a reporting component All values
Owner (Person Responsible) for :*
S_RS_ICUBE
Activity Create or generate
Infocube Sub Objects: DATA, Update rules, Data Definition, Aggregats
InfoArea :ZDEMO_ MIHI
InfoCube : ZCUBET
S_RS_IOBC
Activity Create or generate
InfoArea :ZDEMO_ MIHI
Infoarea Catalog : zioc_test, Zkf_test
S_RS_IOBJ
Activity Create or generate
InfoArea :ZDEMO_ MIHI
InfoObjets: ZCUSTOMER, ZDOCNO,ZMATERIAL
Steps 5 :-
AND Assign this Role to User.
Steps 6 :- ERROR
When I execute the Report it is showing u201CNO Authorization u201C
u201C Insufficient Authorization u201C
EYE 007.
Regards
Siva

Hi,
In RSECADMIN try to put on the trace with your user id & execute the query . System will give you list of authorization object with red color which needs to be reconsidered in order to execute report without error.
Hope that helps.
Regards
Mr Kapadia

BI Reporting Authorization Based on Characteristic Value Level Error

Dear ALL,
i had create one authorization on sap bi and given to one user on plant level , it will work on fine RSRT,
But when i am used it on webi report through this user then i am getting below error
Database Error : Error in MDDataSetBW.GetCellData. You do not have Sufficient Authorization (IES 10901).
But in repor if other than user is login and report will work fine.
If in this report i removed key figure and only show plant then it will work with authorization.
Please help me out from here....
Thank You,
Haresh

Hi,
"If in this report i removed key figure and only show plant then it will work with authorization."
even afterremoving keyfigures you should not get the records, if it is the issue with Authorization object that you have created. Check for some other authorization issues also.
I dont know SU53 marks Authorization error, if you run from WEBI, but try that also once.
Hope you have seen this thread,
https://scn.sap.com/thread/1136359
so, there is no single reason for this error
try posting this thread in BOBJ Integration kit forum also, there some experts can help you quickly
-Sriram
Message was edited by: Sriramvijay R

Authorization issues MM/PP STATUS   Changes

Hello,
I'm getting the following error even with SAP_ALL SAP_NEW
BDC Transaction Report for ZM02. Report: ZUCC0026
Run by:      KHALIFAO                            page:     1
On:          11/11/2009                          at : 09:06:12
In System:   Q47
Authorization issues MM/PP STATUS               Changes
M365SC1110020      ZFIN M680 MM/PP STATUS 00 Not authorized to change MM/PP status
One of my user is having the following error when she excuted the following steps :
Steps:
SE38/ ZUCC0026   - Material Mass update program for Costing View
Enter the following fields before executions
Material : M365SC1110020
Plant: M680
Check off update material
Field to update: select MM/PP status
New Value: 00
Execute transaction
Thanks
Osama
Expected results: output document should states that update of MM/PP status was changed from XX to 00.
This message

Hello Julius,
SY-UNAME
ZUCC0026                           550   WRITE: / 'BDC Transaction Report for ZM02. Report:'(b01),
                                                 / 'Run by:     '(b02) ,sy-uname COLOR 5,
                                  1167 * IF sy-uname <> 'BATCH'.
                                  1183   READ TABLE itab_zusrgroup WITH KEY group_id = group_id
                                                                            user_name = sy-uname.
                                  1212     SELECT SINGLE update_ind scop_ind
                                               FROM zusrgroup INTO (itab-update_field,l_scop_ind)
                                                      WHERE user_name = sy-uname
                                                      AND   group_id = itab_fields-group_id.
                                  1219 *               WHERE user_name = sy-uname
                                  1223     READ TABLE i_zplant WITH KEY
                                                                  user_name = sy-uname
                                                                  werks = itab-werks.
                                  1422   SELECT werks FROM zusrplant
                                                      INTO zusrplant-werks
                                                      WHERE user_name = sy-uname.
                                  1453     MOVE: sy-uname TO i_zplant-user_name,
Parameter :
188 *PARAMETERS: p_mode TYPE c DEFAULT 'N' NO-DISPLAY.    JHSIR35508-
189 PARAMETERS:      p_field LIKE itab_fields-descriptio.
190 PARAMETERS:      p_name LIKE itab_fields NO-DISPLAY.
191 PARAMETERS:      p_newval(14) TYPE c.
193 PARAMETERS:      p_file(100) TYPE c LOWER CASE.
194 PARAMETERS:      p_filval AS CHECKBOX.                      "0001+
195 PARAMETERS:      p_unix   AS CHECKBOX.                      "0004+
33 PARAMETERS:          P_UPD AS CHECKBOX.
Thanks
Osama

Authorization issues in Bex Analyzer

Hello,
Can somebody help me with an authorization challenge Im working on? For certain reports a user should me authorized to see key figures for a certain area and this area is divided into several units. This is the high level report authorization. But when they want to see more detail in the report (the can drill down the person responsible or the customer for example) the user is only allowed to see the key figures of his own unit. To make this possible we have created two authorization roles:
Role 1
Area                          *
Unit                          11
Person Responsible          *
Customer               *
Role 2
Area                    *
Unit                    *
Person Responsible          :
Customer               :
When executing the query with the characteristics area and unit in the rows and person responsible and Customer in the free characteristics there are no authorization issues. But when in the query result the user wants to drill down person responsible the error message You do not have authorization to read object XXX. I expected that the details would only be shown for unit 11. To be able to show the details the user must now first remove the drill down, filter the unit they have authorization for and then drill down the person responsible again. This is considered a workaround but not desirable. Is there a different way to solve this issue?
Kind Regards,
Petra van Noort

Hi,
Have you tried to include a authorization variable on your report that filters 'Unit'?
I'm not sure of what will happen if you use it (maybe you'll always filter your report on '11' unit, or maybe you get different filter values depending on your drill down status, which is what you want).
It's just a thought...
Regards,
David.

Reporting authorization issue

Similar Messages

Maybe you are looking for