SAP BI 2004s "Analysis Authorizations"

Similar Messages

• [BO over SAP BW] Web Intelligence Report + BI 7.0 Analysis Authorizations

  Hello Experts,
  I have created a report on a universe based in a SAP BW InfoCube that contains an authorization relevant InfoObject (Company Code).
  BW Analysis authorization have been set up for this cube in such way that the user should have access only to data containing one of the two values of Company Code (lets say for example that the user can access value "A").
  It seems to be working fine when testing them via a BEx Query or via rsecadmin (rsrt with detailed analysis authorization logs). When the test user tries to view the full contents of the specific cube gets an "access denied" message (this is normal), whereas if the user runs a report with a filter "A" on Company Code the report returns the results as it should have. So far so good.
  For testing use within Web Intelligence, I have created the following Single Sign On (SSO) universes: a)directly on the cube, b)via a "select all" query and finally c)via a filtered query (filtering the exact allowed values of analysis authorization of the test user). All of the above have unfortunately the exact same issues:
  When a test user with limited analysis authorization (i.e. a user that can only access value "A" of Company Code) tries to view a report on either of these universes, then the result is the following message when trying to execute the query "A database error occured. The database error text is: Error loading cube MyCube/MyQuery (catalog MyCube): Unknown error. (WIS 10901)"
  I have tried several settings on the universe (like filter working on LoV as well) but none helped.
  If we replace the user's analysis authorizations with full access on company code (values "A" and "B") the query runs as it should have.
  Any ideas?
  Best regards
  Giorgos

  Hi,
  has the Universe been created on the cube level or on the query level ?
  In case it is on the cube level it will fail because :
  Analysis authorizations are not based on authorization objects. Instead, you create authorizations that include a group of characteristics. You restrict the values for these characteristics.
  The authorizations can include any authorization-relevant characteristics, and treat single values, intervals, and hierarchy authorizations in the same way. Navigation attributes can also be flagged as authorization-relevant in the attribute maintenance for characteristics and can be added to authorizations as separate characteristics.
  You can then assign this authorization to one or more users.
  All characteristics flagged as authorization-relevant are checked when a query is executed.
  *A query always selects a set of data from the database. If authorization-relevant characteristics are part of this data, you have to make sure that the user who is executing the query has sufficient authorization for the complete selection. Otherwise, an error message is displayed indicating that the authorization is not sufficient. In principle, the authorizations do not work as filters. Very restricted exceptions to this rule are hierarchies in the drilldown and variables that are filled depending on authorizations. Hierarchies are mostly restricted to the authorized nodes, and variables that are filled depending on authorizations act like filters for the authorized values for the particular characteristic*
  Ingo

• SAP BI 7.3 Analysis authorization transport log

  Hi,
     We have transported a Analysis authorization to production system, I would like to know the exact changes moved through this transport carrying a particular analysis authorization.
  The issue here is RSECVAL_CL has not recorded the changes done on this particular Analysis authorization in development system.
  So please suggest if there is any table where we can look to find the exact changes made by this transport request.
  Regards,
  Ananth
  Edited by: Anantharama Shivashankar on Oct 26, 2011 6:48 PM

  The issue here is RSECVAL_CL has not recorded the changes done on this particular Analysis authorization in development system
  I guess that is a problem and should be reported to SAP. However this table will give the value that has been deleted. New value to be checked in analysis authorization itself.
  EDITED : If the AA been transported before then might look their content and compare them.
  Regards,
  Arpan Paik
  Edited by: P Arpan on Oct 31, 2011 3:44 PM

• Need help on SAP netweaver Bex Analyser Release 2004s,patch 700.

  Hi BW Buddies,
  Hope everyone is fine.
  I just installed the SAP netweaver Bex Analyser Release 2004s,patch 700.
  The look and feel of this BEx is different from that of BW 3.5 Bex.
  Can anybody suggest me some good documentation about the new Bex Analyser?
  Any kinda reply for this is appreciated.
  Thanks in Advance
  Sam Mathew

  Check this link:
  https://www.sdn.sap.com/irj/sdn/docs?rid=/webcontent/uuid/ba95531a-0e01-0010-5e9b-891fc040a66c [original link is broken]
  KJ!!!

• Analysis Authorization & its compaitbility with BW 3.5 Query

  Hi,
  We have technically upgrade our system from BW 3.5 to BI 7.0. Now we are planning to upgrade to Analysis Authorization.
  1. Is it necessary to Migrate BW 3.5 query to BI 7.0 so that it will work with Analysis Authorization? If not, then how Analysis auth will treat authorization variable defined in the query?
  2.What are pro & cons of two approach: Fresh Implementation of Analysis Authrization v/s Migration using tool ?
  Please advise.
  Best Regards,
  UR

  Dear UR,
  Iu2019m going to try helping you,
  In advance a give you some ideas about migration process regarding authorization system.
  Currently you can use the old concept of authorization (reporting authorization object) in the 7.0 2004s environment. You can set up in Tcode: RSCUSTV23 what authorization mode, you would like use. 
  When have you migrated whole queries but you keep the old concept, this doesnu2019t impact the authorization system functionality.
  When you change the authorization mode to current procedure with analysis authorizations, you need be careful with the attribute navigational. Because, in the old mode, the attribute navigational get setting of its characteristic. Example if you use 0COMP_CODE__0COSTCENTER, and de 0COSTCENTER is relevant authorization, all of attribute navigational com from 0COSTCENTER are relevant authorization. Otherwise, in current procedure with analysis authorizations, where each navigational attribute has the same level of a characteristic.
  When you migrate to analysis authorization, SAP best practice recommend keep in each reporting role all of reporting authorization object for a short period of the time.
  In my experience the main thing was list above.
  Try to get more information in:
  SAP BI - User Management & Authorizations
  OSS Note 923176
  I hope this suggestion can help you,
  Luis

• What is Analysis Authorizations in BI 7.0?

  Hello BW Gurus,
  Greetings!!!!
  Please forward the relevant documents (<b>Analysis Authorizations and also about data migration from 3.0 to 7.0</b> ) to the ID- <b>[email protected]</b>
  Points will be rewarded..
  Best Regards,
  Priya

  Hi Priya,
  These would be great help to you,
  Upgrading to SAP NetWeaver 7.0 BI - The Details doc.
  https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/10564d5c-cf00-2a10-7b87-c94e38267742
  Please check these blogs for full details:
  /people/prakash.darji/blog/2006/09/22/rolling-out-the-new-sap-netweaver-2004s-bi-frontend-tools?page=last&x-showcontent=off&x-order=date [original link is broken]
  https://weblogs.sdn.sap.com/pub/wlg/4668?page=last&x-order=date [original link is broken] [original link is broken] [original link is broken]
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/6a19f233-0e01-0010-6593-c47af5a8df3b
  Some Insights..
  NW2004s Upgrade - Front-End Migration Strategy
  https://forums.sdn.sap.com/click.jspa?searchID=3914335&messageID=2331907
  Migration of Data Sources
  https://forums.sdn.sap.com/click.jspa?searchID=3914335&messageID=3369391
  Migration - Web Templates from 3.x to NW2004s
  https://forums.sdn.sap.com/click.jspa?searchID=3914335&messageID=2052465
  Migration question
  https://forums.sdn.sap.com/click.jspa?searchID=3914335&messageID=2935414
  Migration Transformation NW2004s Datasource
  https://forums.sdn.sap.com/click.jspa?searchID=3914335&messageID=3034054
  Analysis Authorization Migration Question
  https://forums.sdn.sap.com/click.jspa?searchID=3914335&messageID=2537477
  NW2004s Data flow
  https://forums.sdn.sap.com/click.jspa?searchID=3914335&messageID=3447826
  Visual composer migration
  https://forums.sdn.sap.com/click.jspa?searchID=3914335&messageID=3775098
  Rfer thez threads.. u will get good idea..
  /thread/439486 [original link is broken]
  /thread/377643 [original link is broken]
  Migrate Transformations
  /message/3034624#3034624 [original link is broken]
  /thread/178564 [original link is broken]
  For Data Flow:
  http://help.sap.com/saphelp_nw2004s/helpdata/en/43/f00e2696d24c5fe10000000a155369/content.htm
  /people/prakash.darji/blog/2006/09/22/rolling-out-the-new-sap-netweaver-2004s-bi-frontend-tools
  Assign points if it helps,
  Regards,
  Mani

• SAP BW 7.0 Authorization problem

  HI,
  we have the following problem on our project and I hope someone can help us!
  First some input:
  We are working with Net weaver 2004s (SAP BW 7.0) and my user has the following profiles S_A.SYSTEM and SAP_ALL. We have loaded the following data model from BC: C0-OM-CCA and are working with info cube 0CCA_C11 (Costs and Allocation. It was possible to load data records from R/3 without errors.
  Now the problem:
  If we want to see the content of our info cube (without any selection) we get the following error messages:
  Message no. EYE007: You do not have sufficient authorization
  Diagnosis: You do not have sufficient authorization for the requested data records.
  Procedure: Either select other data records or get the required authorizations from your administrator.
  Message no. RS_EXECPETION251: User XX does not have authorization for Info Provider 0CCA_C11
  No further Information.
  Does someone know this problem and can help us? Maybe it is really a bug or it has something to do with the new authorization concept of SAP BW 7.0
  Thanks for your help and support!
  Jessica

  Hi Jessica,
  I would start standard authority tracing for your user in transaction ST01. But the authorization concept changed a lot. You should check
  <a href="http://help.sap.com/saphelp_nw2004s/helpdata/en/61/8c3842bb58f83ae10000000a1550b0/frameset.htm">Analysis authorization</a> and <a href="http://help.sap.com/saphelp_nw2004s/helpdata/en/61/8c3842bb58f83ae10000000a1550b0/frameset.htm">New authorization objects</a>.
  Personally I would add SAP_NEW to your authorization that contains all new authorization objects or even better switch first back to the old authorization concept via SAP Customizing Implementation Guide -> SAP NetWeaver -> Business Intelligence -> Reporting-Relevant Settings -> General Reporting Settings -> Analysis Authorizations: Select Concept.
  Best regards
  Dirk

• Analysis Authorization in BO 4.0 Webi report

  Hi All,
  I am using BO 4.0 and creating connection from Information Design tool to a BW query using BICS client. This connection is then published to CMC.
  We are using SAP authentication and importing the roles from BW system. We have added profiles to this role and these profiles have Analysis Authorization set on Company Code. So one user can access data to one company code and vice versa. Now this works well in Bex Analyzer, but if I try to create a report in Webi, the analysis authorization fails. I went through the forum before posting this question and I found that is in 3.1 version and in most cases using SSO in universe connection solved the problem.
  However in 4.0 I am using BICS client and followed the same processes to create a connection but for some reason it doesn't work ? Is this suppose to work differently in 4.0 ?
  I have tried:
  1. To create connection in Information Design tool using SSO, selecting user ID and password. It doesn't work.
  2. Checked the Bex query and it already has Company code as a Characteristic restrictions (I have made it a mandatory variable).
  3. Publish the connection to CMC with my Enterprise and SAP ID and in both cases it doesn't work.
  Please let me know if anyone encountered a similar issue and what is the best method to resolve this.
  (BO 4.0 no service pack or fix pack installed on the system yet)
  Thanks - Appreciate your help !
  Prasad Rasam

  Ingo,
  1. To create connection in Information Design tool using SSO, selecting user ID and password. It doesn't work.
  >> Correct you need to setup you OLAP Connection with SSO.
  >>> What I meant was I created the connections using both the methods, Using SSO it allows me to create a connection. The ID which I am using to create a connection has Admin access to BOBJ system. When I login as a regular user to create a Webi report and select this new connection, it throws an error message 'The DSL Service returned an error: com.businessobjects.dsl.services.workspace.impl.QueryViewAnalyzer$CannotGetCubeFromConnectionException: Cannot get the cube from the connection'
  Using the other method to create a connection with User ID and password, I can create a connection and with the normal user login I can connect to the BW query but Analysis Authorization doesn't work.
  Ingo : Could you be more specific what you mean here with the different users ? When you say "regular" user are you referring to an SAP credentials or SAP BusinessObjects Enteprrise credentials ?
  2. Checked the Bex query and it already has Company code as a Characteristic restrictions (I have made it a mandatory variable).
  >> The variable in the BEx query needs to be an authorization variable.
  >>> This has already been set as Authorization variable. There is still a question here. If I select the variable as Authorization variable, I cannot set the other parameters in the query properties such as Mandatory variable (as this is greyed out).
  Ingo : What other parameters would you like to configure ? Could you perhaps describe the scenario with more details ?
  regards
  Ingo Hilgefort

• Web Intelligence Report + BI 7.0 Analysis Authorizations

  Hello Experts,
  I have created a report on a universe based in a SAP BW InfoCube that contains an authorization relevant InfoObject (Company Code).
  BW Analysis authorization have been set up for this cube in such way that the user should have access only to data containing one of the two values of Company Code (lets say for example that the user can access value "A").
  It seems to be working fine when testing them via a BEx Query or via rsecadmin (rsrt with detailed analysis authorization logs). When the test user tries to view the full contents of the specific cube gets an "access denied" message (this is normal), whereas if the user runs a report with a filter "A" on Company Code the report returns the results as it should have. So far so good.
  For testing use within Web Intelligence, I have created the following Single Sign On (SSO) universes: a)directly on the cube, b)via a "select all" query and finally c)via a filtered query (filtering the exact allowed values of analysis authorization of the test user). All of the above have unfortunately the exact same issues:
  When a test user with limited analysis authorization (i.e. a user that can only access value "A" of Company Code) tries to view a report on either of these universes, then the result is the following message when trying to execute the query "A database error occured. The database error text is: Error loading cube MyCube/MyQuery (catalog MyCube): Unknown error. (WIS 10901)"
  I have tried several settings on the universe (like filter working on LoV as well) but none helped.
  If we replace the user's analysis authorizations with full access on company code (values "A" and "B") the query runs as it should have.
  Any ideas?
  Best regards
  Giorgos

  Hi,
  has the Universe been created on the cube level or on the query level ?
  In case it is on the cube level it will fail because :
  Analysis authorizations are not based on authorization objects. Instead, you create authorizations that include a group of characteristics. You restrict the values for these characteristics.
  The authorizations can include any authorization-relevant characteristics, and treat single values, intervals, and hierarchy authorizations in the same way. Navigation attributes can also be flagged as authorization-relevant in the attribute maintenance for characteristics and can be added to authorizations as separate characteristics.
  You can then assign this authorization to one or more users.
  All characteristics flagged as authorization-relevant are checked when a query is executed.
  *A query always selects a set of data from the database. If authorization-relevant characteristics are part of this data, you have to make sure that the user who is executing the query has sufficient authorization for the complete selection. Otherwise, an error message is displayed indicating that the authorization is not sufficient. In principle, the authorizations do not work as filters. Very restricted exceptions to this rule are hierarchies in the drilldown and variables that are filled depending on authorizations. Hierarchies are mostly restricted to the authorized nodes, and variables that are filled depending on authorizations act like filters for the authorized values for the particular characteristic*
  Ingo

• Impact of Analysis Authorization on Users using old Authorization

  Hi All,
  I have question regarding Analysis Authorization. Our system has old authorization concept and as part of our project we decided to go for Analysis authorization for Cost Center object. We activated analysis authorization for cost center, assigned it to test user id and found that its working fine in Dev. But it has impacted other users in the system. They are not able to access any other reports and data providers which were not even referring cost center. What is the proper way to activate analysis authorization without impacting access to existing users.
  - Som

  Hello Andreas,
  Sorry to ask you directly here, I didn't get answer from this forum. We will migrate to the new analysis authorization from old reporting concept. I have read the book "An Expert guide to new SAP BI security features" by SAP Lavs, but still confused with some parts. My questions is:
  Are there two ways to create authorizations as follows?
  1. we can type tcode rsecadmin>Maintence button>create a new authorization.
  2. the following part taken from the book:
  Steps for Generating Authorizations
  1. Activate Business content
  2. Load Datastore objects
  3. Generate Authorizations
  4. View Generation Log.
  In the first step, OTCA_DS01 to OTCA_DS05 and OCCA_O01 to OCCA_O03 are Datastore objects required to be activated.
  In the second step, tcode rsecadmin-->generation button --> type OTCA_SDS01 to OTCA_DS05 into respective filed. Should we always type these 5 objects everytime when we create authorization?
  When we should use the second way to create authorizations? and what is the diffrence between them?
  Any answers will be appreciated. Thank you very much in advance!
  Haifeng

• Analysis Authorization Pre Filtered Values

  Hi all Gurus,
  I am currently using Analysis Authorization setup and when I run report with no values input in the variable input screen it seems to display ALL the records in the info provider BUT not by what I am able to see based on my authorization defined.
  Example:
  I am authorized to see Personnel Area = A but when i run the report it hits authorization error and I understand that it is displaying ALL the records.
  So my question is is it possible that this filter is automatically for Analysis Authorization handled by the system like how the OLD Authorization handle this?
  Thanks

  Hello Julie,
  It is not necessary to use Hierarchy or customer exit inorder to restrict the access based on company code.
  1. First of all make, Company code as authorization relevent in IO settings
  2. In RSECADMIN, create one authorization object. It is a good practice to include all SAP Technical objects also. Just click on Inster special characts.
  3. For the company code assign required value.
  4. Assign this authorization to user in USER tab
  5. In the report, If you want to defualt the value of company code, create one authorization relevent variable for company code. You can make this variable as ready for input/Not ready for input.
  6. Execute the report.
  The user will only get data related to authorized company code.
  Regards,
  Ravindra

• Analysis Authorization (Role, Profile and Direct Assignments)

  <b>Analysis Authorization Question:</b>
  1)     In BW 3.x environment, customers have used Role Maintenance Process to assign proper object level security and then assign to the users.
  2)     Most of the places R/3 security team takes over support/administration function of BI Security and they continue to use Role method to assign “Reporting Authorizations” as per the process defined in BW 3.x system.
  3)     Customer sometime have 100 + Roles to have 3.X “Reporting Authorizations”. This is Managed, assigned, approved using role concept.
  <b>
  Migration Options:</b>
  1)     New Analysis Authorization makes process of Role Maintenance like "hierarchy authorizations" of BW 3.x. You have to create Value in other transactions and assign them in Role as a pointer or link object. With Analysis Authorization concept, Actual value of the Object Assigned “Like Company code 1100” not visible in Role Maintenance PFCG transactions. It is only visible in Transaction code RSECADMIN.
  2)     Analysis Migration Tool - RSEC_MIGRATION does not update “ROLES”. It creates or changes “PROFILES”.
  3)     Profiles are assigned to the users and Roles does not reflect any Impact by Analysis Authorization migration.
  <b>Questions</b>
  a)     This means customer need to update all the roles by hand. If they want to use Roles to manage the assignment of the Security to users. Migration Tool does not update Roles, it only updates PROFILES.
  b)     Does any one use direct assignment to Users? It is good business practice?
  c) Is <b>Profiles</b> recommended method of Authorization Maintenance?
  d) Can we run migration tool to create Analysis Authorizations, but not assign to the users as a Profile. But stop at creating Analysis Authorizations. If Customer wants to use Roles maintenance process then, they can do not have delete profile assignments from all users before updating Roles using Analysis Authorizations.
  Just want to check how other folks have done migration that can be supported going forward.
  Pankaj Gupta

  Hey Pankaj,
  In general, assigning the analysis authorization directly to user makes a lot of sense for granular levels of authorization. For example, if you had 3,000 users, 3,000 specific authorization combinations, and 3,000 roles, using roles is a lot of additional overhead. If you had 12 roles and 3,000 users, your role concept makes a lot of sense.
  Therefore, the recommendation is that it varies on what makes the most sense logically. Authorization groups can be created to group analysis authorizations and combine them. Also, you have the ability to generate analysis authorizations using the Content Datastores for this. That is an option as well.
  RSEC_MIGRATION does use profiles as you've stated. If you want, there would be manual work to convert to roles afterwards. In case you haven't seen Marc's presentation on security, it's pretty good and covers how to generate authorizations from the datastore.
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/media/uuid/ac7d7c27-0a01-0010-d5a9-9cb9ddcb6bce

• Hierarchy Analysis Authorization does not work after transport

  Hi Gurus,
  I am facing a issue in hierarchy analysis authorization in quality system but the same authorization works perfectly fine in development.
  All hierarchy authorizations works in Quality except for this one. I found one old sap note describing this as program error but this note is not applicable in BW 7.3.
  I have checked the table RSECVAL, RSECHIER and authorization is active so everything looks good. Please advise if anyone faced this issue after transporting hierarchy auths to other systems
  Regards,
  Salman

  Salman,
  What I understood from your description is that you have same role+AA in Dev and QA, which provides access in Dev for all the nodes for said hierarchy but in QA, same role+AA provides access to the same hierarchy for all the nodes but one. Try to create a ZTEST analysis authorization in QA itself with access for the problematic hierarchy node and see if it works ? This will rule out the case if there is a difference in hierarchy in DEV & QA.
  Regards,
  Shivraj Singh

• Analysis Authorization with SEM-BPS

  Hi,
  We have performed technical upgrade from BW 3.5 to BI 7.0. We want to migrate to BI 7.0 functionality phase wise.
  We have SEM-BPS and now we want to migrate to Analysis Authorization of BI 7.0.
  Once we have igrated to Analysis Authorization, will there be any impact on SEM-BPS? Can we still use SEM-BPS with New Analysis Authorizations? We do not want to move to BI-IP in near future?.
  Please advise.
  Best Regards,
  UR

  Dear UR,
  Iu2019m going to try helping you,
  In difference of reporting functionality, in planning, the data of an InfoCube is not just read; it is also changed or created.
  There are two planning tools in BI: BW-BPS (Business Planning and Simulation), and BI Integrated Planning.
  There are two main tcode: BPS0 and RSPLAN
  There are three authorization objects to manage Integrated Planning:
  S_RS_PL_ADMIN - Planning Administrator
  S_RS_PL_PLANNER u2013 Planner
  S_RS_PL_PLANMOD_D u2013 Planning Modeler (Development System)
  The main object in the planning scenario is InfoCube real-time, where can available writing in small package that arrive in parallel. In some cases the security requirements for reporting and planning can be merging. In this case you need authorization object for checking planning, as authorization object above, and you need authorization object for using a query for planning requires as S_RS_COMP.
  In addition to authorization for displaying data, the authorizations for changing data you need analysis authorization (the analysis authorization focus in the InfoProvider, no in Aggregation Level).
  In your analysis authorization design for reporting stuff, you should use in 0TCAACTVT characteristic 03 value. In the planning stuff, you should use in 0TCAACTVT characteristic 03 and 02 values. As explain following:
  Using the characteristics 0TCAACTVT (activity), you can restrict the authorization to different activities. Read (03) is set as the default activity; you must also assign the activity Change (02) for integrated planning.
  http://help.sap.com/saphelp_nw70ehp1/helpdata/en/b1/0c9441b8972e7be10000000a1550b0/frameset.htm
  I hope this suggestion can help you answer question,
  Luis

• Analysis Authorization mass maintenance

  Hi All,
  During the migration, due to Complexity of our complex BW 3.5 authorization setup we are end up in BI 7 New Design where we have to maintain new Cube to more than 150 Analysis Authorizations each time when we have new Cubes comes.
  Do you guys know any method where you can update the new cube to large no of Analysis Authorization (for ex 150) instead of doing manually? Due to complexity of the old design itu2019s very difficult for us to change the new design.
  Looking forward for expert opinion.
  BR,
  Deepak

  Hi,
  As per my knowledge, it is always recommended to maintain the Analysis authorizations individually. However, you may refer the below thread:
  Analysis Authorization Mass Maintenance
  and also the below link:
  http://help.sap.com/saphelp_nw73/helpdata/en/c4/057a2de519451faf1819dba4092887/content.htm
  Hope this helps!!
  Rgds,
  Raghu