Role and Analysis Authorization Transport

Similar Messages

• Transport roles and analysis authorization with user assigned

  Hi expert,
  I face with this problem transport roles and analysis authorization with user assigned. When I have created a transport request to move the roles and analysis authorization from development system to test system. I couldnu2019t maintain the user assigned, after transport I have to assigned manually all of user or create a program to fill AGR_USER table or there are other way.
  Thanks for your time,
  Luis

  Hi,
  In role administration, you have the following options for transporting roles:
  You can download the roles from one system and upload them into another  
  You can import the role from a remote system using RFC  
  You can transport the roles with the transport function.
  Role upload loads all role data, including authorization data from a file into the SAP system. The user assignments for the role and the generated profiles for the role are exceptions in this case.
  Transporting Roles with the Role Transport Function
         1.      Start the role administration function by choosing Tools ® Administration ® User Maintenance ® Role Administration ® Roles (transaction PFCG).
         2.      Enter the role to be transported and choose Transport Role.
  The Mass Transport of Roles screen appears. You can control the default settings for the options Also transport single roles for composite roles and Also transport generated profiles for roles using Customizing switches (see Role Administration Functions in the section Functions of the Utilities Menu).
  You should not change the authorizations profiles of the role after you have included the role in a transport request. If you need to change the profiles or generate them for the first time, transport the entire role again afterwards.
  For more information go thrpugh the below link
  http://help.sap.com/saphelp_nw70/helpdata/EN/6d/7c8cfd410ea040aadf92e1f78107a4/content.htm
  Regards,
  Marasa.

• Role and Analysis Authorizations in BI

  Hello allo,
  Since analysis authorizations contains carateritics like infocube, queries, activities., is using role and the PFCG transaction (authorizations object)in BI obsolete ? i.e is Analysis authorizations completely replacing Authorization objects (and PFCG) in BI ?
  thanks !!

  Hatem,
  You have an option to use the old method however it's recommend to use analysis authorizations going forward.
  Take a look at the sap wiki for analysis auth for more info or search the site for other good info.
  https://www.sdn.sap.com/irj/sdn/wiki?path=/display/bi/authorizationinSAPNWBI&
  Cheers,
  Ben

• BW BEX Queries and Analysis Authorizations

  Hello....
  Have an opportunity with BW BEX queries and Analysis Authorization...would like to see if anyone has had the same experience and if so is there a answer....
  1) given a query....
  2) given a analysis authorization with a info-object that has intervals defined to be both single values and ranged values
  the following happens...
  after the query is fired the starter screen appears...the info-object in question appears with the defined single values only....if....the window is opened....again only the single values appear...the range values do not appear...once the query is executed the only results given are those for the single values...
  also if you re-fire the query and manually enter a valid value for the info-object that falls with-in any of the range values no result is given...even if there is data for it....the reponse given is no data found....
  NOW...if the single values, for the given info-object, are removed from the Analysis Authoriization then the range values appear and work....
  Is this a problem within in the query...or...is this a "feature" of the query...and thus must be "lived" with...
  Terry
  PS...this problem currently only happens if the window for the info-object allows for multi-selection....this problem does not occurr when the window only allows for one selection...

  Hi,
  This is a known problem with analysis authorization and multi selection IO selection criteria.
  When you define the analysis authorization with ranges and when you try to enter single values on the selection critera of the query, then the system shows zero data.
  You can run the query without entering any selection values for the IO in question only.
  I have tried several combinations and still encountering the same issue.
  Ravi

• Roles and their authorization profiles time period

  Can roles and their authorization profiles be assigned to a user for a limited time period?
  please reply
  Thanks
  Edited by: tracey_hrecc6.0 on Nov 1, 2010 5:24 PM

  Hi,
  It is possible.
  Read below links for more details
  http://help.sap.com/saphelp_mic10/helpdata/en/69/1810a4c51144dc833353183155ec88/content.htm
  http://www.sap-img.com/basis/frequently-asked-questions-on-authorization.htm
  http://help.sap.com/saphelp_wp/helpdata/en/cd/cc5664d22a11d296110000e82de14a/content.htm
  Regards
  S.Ravi
  Edited by: S.Ravi-at-SAP on Nov 25, 2010 5:36 AM

• SAP BI 7.3 Analysis authorization transport log

  Hi,
     We have transported a Analysis authorization to production system, I would like to know the exact changes moved through this transport carrying a particular analysis authorization.
  The issue here is RSECVAL_CL has not recorded the changes done on this particular Analysis authorization in development system.
  So please suggest if there is any table where we can look to find the exact changes made by this transport request.
  Regards,
  Ananth
  Edited by: Anantharama Shivashankar on Oct 26, 2011 6:48 PM

  The issue here is RSECVAL_CL has not recorded the changes done on this particular Analysis authorization in development system
  I guess that is a problem and should be reported to SAP. However this table will give the value that has been deleted. New value to be checked in analysis authorization itself.
  EDITED : If the AA been transported before then might look their content and compare them.
  Regards,
  Arpan Paik
  Edited by: P Arpan on Oct 31, 2011 3:44 PM

• Double Role for Analysis Authorization using Variable via Customer Exit

  Hi Guys I have been implementing AA using variable via customer exit and I have run into this problem, I wonder anyone have encountered this.
  Example I have a User having 2 sets of authorization Roles
  Role 1
  Personnel Area = A, B
  Personnel Sub Area = 1,
  Role 2
  Personnel Area = A
  Personnel Sub Area = 1, 2
  And what we can derive this that is the user is able to see A-1 B-1 and A-2 BUT NOT B-2 when we run all.
  But instate when we run the report it is drawing B-2 as well as because we are entering
  Personnel Area = A,B
  Personnel Sub area = 1,2
  Any idea how to solve this?
  <removed by moderator>
  Edited by: Siegfried Szameitat on Dec 3, 2008 2:41 PM

  Hello Chee Jason,
  Are you working with version 3.5 or 7.0
  How do you specify Hierarchy variable?
  Any advise you can share is very much appreciated.
  Thanks,
  Patrick

• Roles and transaction authorizations for XI developer

  Hi All,
  Can anyone validates my requirements to Basis gui in SAP-XI installation.
  Transactions authorizations needed are:
  SXMB_IFR
  SXMB_MONI
  SXMB_MONI_BPE
  SXI_Monitor
  SXI_Cache
  IDX1
  IDX2
  ALERTCATDEF
  SM59
  WE21
  WE20
  Do we require any other transactions as a developer.
  2) During File-XI-Idoc scenario, we need to place Idocs in one SAP directory with read/write and delete permisions
  Can any one suggests howmuch size should be allocated for this directory.
  Regards,
  venu

  HI Venu
     As a developer you need to have also the authorization of SE80..SE38..etc which are there in ABAP
  There is predifined Authorization Group for Developer ..Just ask him to add you into that group...You will automatically gain those authorization...
  Regarding
  File-XI-Idoc Scenario...
  You need not to place any IDOC in any of You directory..
  You just place a text file which contains all the required information in such a format that can be easily converted into XML using File Adapter...Once You will convert that text file into XML format after that you need to MAP this XML Formated Data to Your IDOC Message Type.
  Also Check out these links
  it could be helpful for your scenario...
  /people/anish.abraham2/blog/2005/12/22/file-to-multiple-idocs-xslt-mapping
  /people/prateek.shah/blog/2005/06/08/introduction-to-idoc-xi-file-scenario-and-complete-walk-through-for-starters
  http://help.sap.com/saphelp_nw04/helpdata/en/b9/c5b13bbeb0cb37e10000000a11402f/content.htm
  Cheers:-)
  Mithlesh

• Rational approach for Analysis Authorization:

  This post is regarding the implementation of Analysis Authorization.  Considering the role based approach; please let me know the optimized way to implement the analysis authorization such that there will be very low maintenance.
  For e.g. I have queries which need to be restricted at data level PLANT wise. So I mark the characteristic 0PLANT as authorization relevant. There are 150 plants so I create the 150 Analysis Authorizations and put each one of them in roles (1:1) resulting in 150 roles. In addition; 151th Role and Analysis Authorization for ALL plant access.
  Now to restrict the queries themselves, I create a Role with object S_RS_COMP , S_RS_COMP1 (For queries) ; S_USER_AGR  and S_USER_TCD( for  workbooks).
  Then I create a composite role  with above 2 single roles (one containing AA and other role for Query restriction)and assign it to user.
  Now suppose when I need to restrict data at some other level say DIVISION wise. Then I would be again creating analysis authorization for all the divisions and putting them in roles.
  Using this approach ; there would be many roles and analysis authorizations. Also during production support it may be cumbersome to debug the errors.
  Please comment if any other approach for implementing the above scenarios.
  Regards,
  Ajit
  Edited by: Ajit Nadkarni on Apr 4, 2010 5:47 PM

  Hi,
  I had a similar requirement where in we had 178 plants and each plant manager has to see their own site by default in the selection screen when they run the query.
  By defalut it should display there own site but its not restricted to only that site. Managers can also look into other sites but by default they wanted their own site to be displayed.
  So I have created DSO and did mapping with username and store. And in query I created a variable in plant of type customerexit and written exit in CMOd using I_STEP 1. This solved our requirement. But to restrict to particular site i guess we can extend the routine in cmod.
  Thanks
  Srikanth

• Aggregation authorization within analysis authorizations

  Hello,
  The BW developers have created several queries that use aggregated data. When testing the queries with the end user ID (assigned to an end user role and analysis authorization), it is failing due to missing authorizations, particularly b/c of the following:
  Supplementation of Selection for Aggregated
  Characteristics
    Check Added for Aggregation Authorization:     0COMP_CODE  
    Check Added for Aggregation Authorization:     0PLANT  
  All Authorizations Tested
    Message EYE007: You Do Not Have Sufficient Authorization  
    No Sufficient Authorization for This Subselection (SUBNR)  
  Following CHANMIDs Are Affected:
  142 ( 0COMP_CODE )
  189 ( 0PLANT )
  192 ( 0SALESORG )
  In the BI documentation, it specifies that : (colon): allows only aggregated access to data (e.g. allows information on all sales areas only on aggregated level –not on particular countries). Is this ( specified as a value within the particular characteristics? I also tried to select the "aggregation authorization" icon within txn code RSECADMIN and this did not help.
  Any help would be GREATLY appreciated.

  Updated: For the analysis authorization, for these characteristics, in addition to the specific values, there is an entry for ":" and this did not resolve the issue.
  Authorization Check  
    Detail Check for InfoProvider ZBL_13IT  
    Preprocessing:  
  Selection Checked for Consistency, Preprocessed and Supplemented As Needed
  Subselection (Technical SUBNR) 1
  Check Node Definitions and Value Authorizations...
  Node- and Value Authorizations Are OK
  End of Preprocessing
    Main Check:  
    Subselection (Technical SUBNR) 1  
  Supplementation of Selection for Aggregated Characteristics
    Check Added for Aggregation Authorization:     0COMP_CODE  
    Check Added for Aggregation Authorization:     0PLANT  
  Following Set Is Checked  Comparison with Following Authorized Set  Result  Restmenge 
  Characteristic  Contents 
  0PLANT
  0SALESORG
  0TCAACTVT
  0COMP_CODE
  SQL Format:
  COMP_CODE = ':'
  AND PLANT = ':'
  AND SALES
  ORG = '0403'
  AND TCAACTVT = '03'
  Characteristic  Contents 
  0PLANT  I EQ IC01
  I EQ IC02
  I EQ IC03
  I EQ IE02
  I EQ IE04
  I EQ IZ01
  I EQ MC01
  I EQ ME01
  I EQ :
  0SALESORG  I EQ 0301
  I EQ 0341
  I EQ :
  0TCAACTVT  I EQ 03
  I EQ :
  0COMP_CODE  I EQ 0327
  I EQ 0341
  I EQ :
  Not Authorized   
  All Authorizations Tested
    Message EYE007: You Do Not Have Sufficient Authorization  
    No Sufficient Authorization for This Subselection (SUBNR)  
  Following CHANMIDs Are Affected:
  142 ( 0COMP_CODE )
  189 ( 0PLANT )
  192 ( 0SALESORG )
    Authorization Check Complete

• Analysis Authorization In Dev and impact of reports and roles in prod trans

  Hello,
  We are planning to switch to analysis authorization. We plan to make that change first in Dev and we were wondering what would be the impact on roles and reports we transport from dev (which is switched to Analysis Authorization) to production( on Old authirization) ? We wont transport new things to production till we switch to new auth in Prd.
  Thanks a lot,
  BP.

  Hello
  Even if you are transporting the roles from dev to quality and production, the analysis authorization objects will not be checked until you set "current procedure..." in RSCUSTV23.
  So there is no harm in transporting the roles and auhotrization until you change the concept to analysis.
  regards,
  Payal

• Analysis Authorization (Role, Profile and Direct Assignments)

  <b>Analysis Authorization Question:</b>
  1)     In BW 3.x environment, customers have used Role Maintenance Process to assign proper object level security and then assign to the users.
  2)     Most of the places R/3 security team takes over support/administration function of BI Security and they continue to use Role method to assign “Reporting Authorizations” as per the process defined in BW 3.x system.
  3)     Customer sometime have 100 + Roles to have 3.X “Reporting Authorizations”. This is Managed, assigned, approved using role concept.
  <b>
  Migration Options:</b>
  1)     New Analysis Authorization makes process of Role Maintenance like "hierarchy authorizations" of BW 3.x. You have to create Value in other transactions and assign them in Role as a pointer or link object. With Analysis Authorization concept, Actual value of the Object Assigned “Like Company code 1100” not visible in Role Maintenance PFCG transactions. It is only visible in Transaction code RSECADMIN.
  2)     Analysis Migration Tool - RSEC_MIGRATION does not update “ROLES”. It creates or changes “PROFILES”.
  3)     Profiles are assigned to the users and Roles does not reflect any Impact by Analysis Authorization migration.
  <b>Questions</b>
  a)     This means customer need to update all the roles by hand. If they want to use Roles to manage the assignment of the Security to users. Migration Tool does not update Roles, it only updates PROFILES.
  b)     Does any one use direct assignment to Users? It is good business practice?
  c) Is <b>Profiles</b> recommended method of Authorization Maintenance?
  d) Can we run migration tool to create Analysis Authorizations, but not assign to the users as a Profile. But stop at creating Analysis Authorizations. If Customer wants to use Roles maintenance process then, they can do not have delete profile assignments from all users before updating Roles using Analysis Authorizations.
  Just want to check how other folks have done migration that can be supported going forward.
  Pankaj Gupta

  Hey Pankaj,
  In general, assigning the analysis authorization directly to user makes a lot of sense for granular levels of authorization. For example, if you had 3,000 users, 3,000 specific authorization combinations, and 3,000 roles, using roles is a lot of additional overhead. If you had 12 roles and 3,000 users, your role concept makes a lot of sense.
  Therefore, the recommendation is that it varies on what makes the most sense logically. Authorization groups can be created to group analysis authorizations and combine them. Also, you have the ability to generate analysis authorizations using the Content Datastores for this. That is an option as well.
  RSEC_MIGRATION does use profiles as you've stated. If you want, there would be manual work to convert to roles afterwards. In case you haven't seen Marc's presentation on security, it's pretty good and covers how to generate authorizations from the datastore.
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/media/uuid/ac7d7c27-0a01-0010-d5a9-9cb9ddcb6bce

• Diff.between BW and R/3 roles and authorizations

  Hi Experts,
  Please any one let me know is there any difference for creating roles and assigning authorizations in BW and R/3 systems.
  Please let me know the BW related T-codes
  Regards,
  Reedy V.

  What version of BW? Are you using BI7 analysis authorisations.
  BI7 - go [here|https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/media/uuid/ac7d7c27-0a01-0010-d5a9-9cb9ddcb6bce]
  If using BW 3.5 or another similar version then build your roles in PFCG and assign to users in SU01
  There is more to it which you can find [here|https://service.sap.com/SECURITY] (sorry for the poor link Bernhard ) under category SAP Business Information Warehouse Security Guides
  Edited by: Julius Bussche on Jul 8, 2008 12:34 PM
  Formatting and link corrected
  Thanks Julius!
  Edited by: Alex Ayers on Jul 8, 2008 2:10 PM

• Analysis Authorization not working - Empty demarcation

  Can someone help me on this Analysis Authorization? I read many threads in SDN, it seems that I followed the correct steps. The restriction on S_RS_COMP is working well but the restriction on the Analysis Authorization is not working. Surely I'm making some mistake, but can't find what's wrong.
  I'm a User (say USER_00) in a test system, assigned to a Role (say Z:BI_USER). This is a broad role:
  - S_RS_COMP and S_RS_COMP1 have full authorization (*) to all the fields,
  - S_RS_AUTH has the BIAUTH field with Name of Authorization = *.
  Also I have an InfoArea (ZIA_TEST) and an InfoCube (ZIC_TEST). The IC has some characteristics and key figures. The only authorization relevant characteristic is ZCA_CLI (client). The IC has only 5 lines, one for each client ("CLI_01" to "CLI_05").
  Also there's a query (ZQR_TEST) on this IC, with an Authorization Variable (VAR_AUTH_CLI) restricting the characteristic ZCA_CLI.
  I'm trying to create a new User and restrict him to this IC and only to the data of client "CLI_01". If it works I'll apply to a production system.
  What I did:
  1) With tcode SU01 created a new User (USER_01) with no Role neither Analysis Authorization.
  2) With tcode PFCG copied the Role Z:BI_USER as Z:ROLE_TEST then made some changes:
  a) S_RS_COMP
  - Activity = 03 and 16
  - InfoArea = ZIA_TEST
  - InfoCube = ZIC_TEST
  - Type of report component = *
  - Name of report component = *.
  b) S_RS_COMP1
  - Kept * to all fields.
  c) S_RS_AUTH
  - I inactivated and deleted this Authorization Object.
  (I don't want to keep characteristic values restriction inside the role. The idea is to associate different users to the same role, allowing them to see the same ICs and execute the same queries. And differentiate wich characteristic values each one can see by manually associating different analysis authorization to each one.).
  3) With tcode RSECAUTH I created an Analysis Authorization (Z_AA_CLI_01) to restrict access only to client "CLI_01":
  - ZCA_CLI = "CLI_01"
  - 0TCAACTVT = "03"
  - 0TCAIPROV = "ZIC_TEST"
  - 0TCAVALID = "*".
  4) With tcode PFCG I assigned User "USER_01" to the Role " Z:ROLE_TEST" and made Complete Comparison.
  5) With tcode RSU01 I manually assigned Analysis Authorization " Z_AA_CLI_01" to User "USER_01".
  It seems to me that these steps are enough. But:
  a) When I log as USER_00 and go to tcode RSRT2, searching by InfoAreas I can see all the InfoAreas and all the InfoCubes, select and execute the query. That's OK.
  b) When I log as USER_01 and go to RSRT2, searching by InfoAreas I can see only ZIA_TEST and under it I can see only ZIC_TEST. That's OK. Then I select and execute the query.
  Wich means that S_RS_COMP is OK and each user is assigned to the correct Role.
  c) The problem is that in both cases the query brings data from all Clients.
  Under Information and Variable Values (when I run with HTML display) the message is "Empty demarcation".
  I changed the variable to be Ready for Input, just to see wich values it brings. In both cases (as USER_00 and as USER_01) in the Variable Screen it brings all the 5 Clients from the IC and I can select and execute any value.
  So the problem is with the Analysis Authorization or with the Variable, but I can't find what's wrong.
  Any help will be very appreciated.
  César

  OK Marc, it worked.
  Sorry for not answering earlier, but I could get back to this front only some days ago, then began testing your suggestions.
  1) Security Concept
  Authorization Mode was set to "Obsolete Concept with RSR Authorization Objects" (it would never work with this setting).
  I changed to "Current Procedure with Analysis Authorizations".
  Anyway, what's the function of this setting? Do old Reporting Authorizations work with "Current Procedure with Analysis Authorizations" setting?
  2) Variable Representation
  With "Multiple Single Values" it really led to problems.
  With "Selection Option" it worked well.
  3) 0TCAKYFNM
  I don't understand why, but if the AA doesn't have the char/dimension 0TCAKYFNM, when the User tries to run the query (tcode RSRT2) it accuses "You do not have sufficient authorization".
  Info Cube ZIC_VE95 has two KFs (ZKF_QTL95 and ZKF_VLT95). These KFs are used only on this IC (also in the KF Catalog, but it doesn't impact). This IC is used only on Query ZQR_VE95 (also in Transformation and DTP, wich doesn't impact).
  Well, I inserted 0TCAKYFNM and it worked, either with CP, "*" or with EQ, the two KFs.
  4) Authorization Policy Definition
  The situation I'm working on is very typical. Ex.: Some users are Administrators, Managers, Operator 1, Operator 2 and so on. Each Role needs authorization to access some queries. At the same time, they can access information only of the Cost Centers to wich they are related.
  There are many ways to implement it (I tested some of them and they worked well). My point is to define a most practical way, easy to understand and to maintain.
  I'm now sympathetic to this way:
  a) Create functional Roles (ex.: "Administrator", "Manager", "Operator 1", "Operator 2" and so on) defining only the Queries (or Info Areas, Info Providers, etc) each Role needs. No S_RS_AUTH definition.
  b) Create Char Value Roles (ex.: "CC_100_to_199", "CC_200_to_299", etc), only with S_RS_AUTH definition, each one associated with a corresponding AA (ex.: AA for CC 100 to 199, AA for CC 200 to 299 and so on).
  c) Create Composite Roles associating functional and char value Roles. Ex. Composite Role "Administrator for CC 100 to 199", composed of the Roles "Administrator" and "CC_100_to_199".
  d) Associate Users to the Composite Roles.
  Anyway, I'd appreciate if you could indicate some literature (blogs, articles, etc) on this theme.
  Well, thank you very much for your answers. Now I can go on with my studies on this subject.
  César Menezes

• Interaction of BW Roles and BWA Explorer Security

  We secure all our BW users via roles these roles have Analysis
  authorizations embedded in them which restrict access to specific
  infoproviders and values in these based on authorization relevant
  infobjects.
  When we try to create a BWA Explorer object in RSDDTPS we are forced to
  assign a userid and an analysis authorization directly in
  the "Authorizations" tab. Our security group only wants to have too
  assign roles to users either via SU01 or CUA.
  Configuration
  BO 2008 Enterprise Server (connected to BW system)
  BW system (Netweaver 7.01 EHP1)
  BWA 7.2
  1) How can we create BWA Explorer objects on a infoprovider without
  directly assigning users in Authorization Tab and how can we make the
  system ignore whatever is on this tab and base access to a BWA explorer
  object on the roles assigned to the user via SU01/CUA.
  2) If a User has roles assigned in BW that give them access to a
  specific infoprovider will this automatically also give them access to
  a BO Server published BWA explorer object built on that infoprovider.
  Related to this do we also need import the same roles and assign to the
  user in CMS server with link to BWA Explorer Server or does the user
  automatically get access to BWA Explorer as long as BWA Explorer is
  published on BO Server.
  3) If the user in BW is assigned roles that limit values based on an
  authorization relevant object is this restriction enforced in the
  values returned in published BWA Explorer for the user. Example
  Authorization Relevant object is Profit Ctr and the user has two value
  roles one contains access to all profit center that role up to a
  hierarchy node limited to the USA and the other contains hierarchy
  analysis authorization limiting access to all profit centers rolling up
  to hierarchy node representing Europe. When a user access's the BWA
  Explorer object which contain profit ctr will the values be limited
  only to USA AND Europe Profit centers or will the BW value based
  security be ignored.
  Please provide advice on above questions and document resources on how
  BW role based security interacts with BWA Explorer.

  Hi Expert,
  I need a solution for same scenario, anyone can give inputs.
  Regards,
  Ganesh