SECATT for BI Analysis Authorizations

Similar Messages

• Different Analysis Authorization on same infoprovider

  Hi All,
  I want to setup authorization for the below scenario. I have tried different options but not able to achieve it. Request your inputs.
  Query 1: Z_REPORT1_NOCUST (Only Aggregate authorization-no customer wise drill down)
  Query 2: Z_REPORT2_CUST (Customer wise drill down possible)
  Above both query is from Same info provider. Hence i have tried creating 2 analysis authorization one is for Aggregate authorization for customer I/O and another is for Full authorization on customer. And created 2 different PFCG roles one for each analysis authorization created and assigned both role to a user.
  But when the report is executed both the query was able to drill down with customer. Itseems analysis authorization created for aggregate quthorizaiton is not working and full authoization is over rulling.
  How to resolve this, need your valuable inputs.
  Thanks in advance
  Prem

  You cannot give both roles to the same user that give authorization to the same info provider. This is your problem.
  The security system assembles the user's rights from all of his roles. If two roles provide rights to infoprovider "A", and one gives ":" (Aggregate) rights to 0CUSTOMER, and the other gives "" (All) rights to 0CUSTOMER, then the rights used for the query will be the "" (all) rights for 0CUSTOMER, and the Aggregate rights will be ignored.
  If you truly wish to have two separate reports, one that reports 0CUSTOMER at an aggregate level only (for example, by customer group), and the other by 0CUSTOMER drilldown, then simply remove 0CUSTOMER from the aggregate query.

• Aggregation authorization within analysis authorizations

  Hello,
  The BW developers have created several queries that use aggregated data. When testing the queries with the end user ID (assigned to an end user role and analysis authorization), it is failing due to missing authorizations, particularly b/c of the following:
  Supplementation of Selection for Aggregated
  Characteristics
    Check Added for Aggregation Authorization:     0COMP_CODE  
    Check Added for Aggregation Authorization:     0PLANT  
  All Authorizations Tested
    Message EYE007: You Do Not Have Sufficient Authorization  
    No Sufficient Authorization for This Subselection (SUBNR)  
  Following CHANMIDs Are Affected:
  142 ( 0COMP_CODE )
  189 ( 0PLANT )
  192 ( 0SALESORG )
  In the BI documentation, it specifies that : (colon): allows only aggregated access to data (e.g. allows information on all sales areas only on aggregated level –not on particular countries). Is this ( specified as a value within the particular characteristics? I also tried to select the "aggregation authorization" icon within txn code RSECADMIN and this did not help.
  Any help would be GREATLY appreciated.

  Updated: For the analysis authorization, for these characteristics, in addition to the specific values, there is an entry for ":" and this did not resolve the issue.
  Authorization Check  
    Detail Check for InfoProvider ZBL_13IT  
    Preprocessing:  
  Selection Checked for Consistency, Preprocessed and Supplemented As Needed
  Subselection (Technical SUBNR) 1
  Check Node Definitions and Value Authorizations...
  Node- and Value Authorizations Are OK
  End of Preprocessing
    Main Check:  
    Subselection (Technical SUBNR) 1  
  Supplementation of Selection for Aggregated Characteristics
    Check Added for Aggregation Authorization:     0COMP_CODE  
    Check Added for Aggregation Authorization:     0PLANT  
  Following Set Is Checked  Comparison with Following Authorized Set  Result  Restmenge 
  Characteristic  Contents 
  0PLANT
  0SALESORG
  0TCAACTVT
  0COMP_CODE
  SQL Format:
  COMP_CODE = ':'
  AND PLANT = ':'
  AND SALES
  ORG = '0403'
  AND TCAACTVT = '03'
  Characteristic  Contents 
  0PLANT  I EQ IC01
  I EQ IC02
  I EQ IC03
  I EQ IE02
  I EQ IE04
  I EQ IZ01
  I EQ MC01
  I EQ ME01
  I EQ :
  0SALESORG  I EQ 0301
  I EQ 0341
  I EQ :
  0TCAACTVT  I EQ 03
  I EQ :
  0COMP_CODE  I EQ 0327
  I EQ 0341
  I EQ :
  Not Authorized   
  All Authorizations Tested
    Message EYE007: You Do Not Have Sufficient Authorization  
    No Sufficient Authorization for This Subselection (SUBNR)  
  Following CHANMIDs Are Affected:
  142 ( 0COMP_CODE )
  189 ( 0PLANT )
  192 ( 0SALESORG )
    Authorization Check Complete

• Analysis Authorization failed for Multiprovider

  Hi all,
  We are facing an issue pertaining to the Analysis Authorization for a multiprovider. When we attempt to access a query base on a multiprovider, the program complains that it has insufficient authorization. So we did debugging in the customer exit and we realise it fails to populate the rest of the authorization variables in I_step = 0. Base on our initial investigation this only happens on queries on multiprovider, so is there anything I need to set or do to curb this error?
  Many thanks!

  Best solution is to trace the authorization for your issue in ST01.
  Switch on the trace in ST01 and start your work. if you face authoirzation check failed. look into the trace there you will find the logs and authorization failed for your userid.
  And one more thing, have you got anything in SU53 as authorization check failed?
  Hope this would help you.

• Analysis Authorization : Selection screen not appearing for query

  Hi,
  I am facing an issue with analysis authorization. I have created the new roles and assigned to the users. For one user when I am executing the query, the selection screen is not coming up and it shows error message to specify the variables. Whereas its running for all other users.
  In S_RS_COMP I have selected Type of a reporting component as Query View, Query & Template structure. I also tried adding Variable in this field but that also did not help.
  Please let me know if you have faced similar issue.
  Regards,
  Manish

  Hi,
  Go to your query desinger opend your query and select your variable in that you have see first "Ready Input Query" Check box is selected or not. It's not selected you can select that check box.
  Your problem will be sloved.
  Thanks & Regards,
  venkat.

• Analysis Authorization for nav Attr Issue

  Hello:
  I have a 0COMP_CODE as an attribute of 0SALSORG and it is marked as authorization relevant. i.e 0SALESORG_0COMP_CODE is authorization relevant.
  I created an analysis authorization Object ZCOMPCODE_1000 by adding following in it.
  InfoObject           Value
  0COMP_CODE  = 1000
  0SALESORG = *
  0SALESORG_0COMP_CODE = 1000
  0TCAACTVT = *
  0TCAIPROV - *
  0TCAKYFNM = *
  0TCAVALID = *
  Now I have a report on a cube which has 0SALESORG as char and also 0SALESORG as a variable on selection.
  When I run a query for sales org = 1000, I can see rsults as sales org 1000 is assigned to company code 1000.
  If I run report for sales org 2000, I should get not authorized message as 2000 is not assigned to company code 1000 and I only have a role assigned to me which has analysis authorization object ZCOMPCODE_1000. But Still I am getting report results.
  Please explain Why and How can I overcome this issue.
  Thanks

  First of all it is strange that we see two appearances of sales org.
  0SALESORG = *
  0SALESORG_0COMP_CODE = 1000
  Probably the star value overrides the setting in the second one.
  Besides did you create the variable in the query as authorization relevant or you will have problems there.

• Problem wih analysis authorization for two scenarios on same data provider

  Dear all,
  I am looking for a solution on the following authorization scenario (using the new analysis authorization). Unfortunately everything that I tried did not work out as expected:
  User A is allowed to manually access query 1 (based on cube A) with authorization on all sites A-Z
  The same user A shall get an email distribution automatically (derivation of the filter in the query out of the authorization) for query 2, which is as well based on cube A, but this time the authorization shall be limited only to site A.
  As both queries are based on the same infoobject (0PLANT) and the same infoprovider (0TCAIPROV) I always get the result for all sites A-Z. The 0TCAACTVT is in both cases 03 (display), so I have no chance to distinguish between reporting and email distribution.
  Probably the only chance would be to derive the values for the email distribution scenario not from the authorization directly, but using a customer exit to fill the filter - but I would prefer a "standard" solution...
  Any ideas??
  Thanks,
  Andreas

  Dear Andreas,
  Before give you an alternative for you problem, Iu2019d like to comment the combining authorization concept:
  http://help.sap.com/saphelp_nw70/helpdata/EN/46/98cd87f37d19ace10000000a11466f/frameset.htm
  For this reason I suggest you which combing restriction through authorization and query filter. For query 2 try to use in 0PLANT characteristic the single value u201Csite Au201D, this restriction give you only authorization for see this value.
  Otherwise, you have to use customer exit.
  I hope that alternative help you to find a solution,
  Luis

• Table for Analysis authorization along with values for authorization fields

  Hi,
  I am looking for table that contains the Analysis Authorization name along with values for all the authorization fields within this Analysis Authorization. Individually i can go to PFCG or Rsecadmin but since i need all the Analysis auth objects, i need to get this info into excel, so need a table.

  Hi Prashanth
    You can check RSECVAL that is appropriate for your requirement please let us know if any further help is needed.
  Thanks & Regards
  Santosh Varada

• Rational approach for Analysis Authorization:

  This post is regarding the implementation of Analysis Authorization.  Considering the role based approach; please let me know the optimized way to implement the analysis authorization such that there will be very low maintenance.
  For e.g. I have queries which need to be restricted at data level PLANT wise. So I mark the characteristic 0PLANT as authorization relevant. There are 150 plants so I create the 150 Analysis Authorizations and put each one of them in roles (1:1) resulting in 150 roles. In addition; 151th Role and Analysis Authorization for ALL plant access.
  Now to restrict the queries themselves, I create a Role with object S_RS_COMP , S_RS_COMP1 (For queries) ; S_USER_AGR  and S_USER_TCD( for  workbooks).
  Then I create a composite role  with above 2 single roles (one containing AA and other role for Query restriction)and assign it to user.
  Now suppose when I need to restrict data at some other level say DIVISION wise. Then I would be again creating analysis authorization for all the divisions and putting them in roles.
  Using this approach ; there would be many roles and analysis authorizations. Also during production support it may be cumbersome to debug the errors.
  Please comment if any other approach for implementing the above scenarios.
  Regards,
  Ajit
  Edited by: Ajit Nadkarni on Apr 4, 2010 5:47 PM

  Hi,
  I had a similar requirement where in we had 178 plants and each plant manager has to see their own site by default in the selection screen when they run the query.
  By defalut it should display there own site but its not restricted to only that site. Managers can also look into other sites but by default they wanted their own site to be displayed.
  So I have created DSO and did mapping with username and store. And in query I created a variable in plant of type customerexit and written exit in CMOd using I_STEP 1. This solved our requirement. But to restrict to particular site i guess we can extend the routine in cmod.
  Thanks
  Srikanth

• Transport Request for Analysis Authorization

  Hello Everyone,
  When a trasport request is created for any BI analysis authorization ( including the Z*), the type of trasport request created
  is workbench request. What is the reason behind this because when any Customised Role / Profile is included in transport request this will be customised request unlike analysis authorization.
  Thanks in advance.....

  Hi Rashmi,
  The difference is In BI, the AA authorizations are independent. Any objects that are independent of the client will be captured in the workbench type of transport request, when they are required in the other client. Hence you can see the Workbech type request for  transporting changed Repository objects and changed system settings from cross-client tables. However, customizing requests involve changes recorded to client-specific Customizing objects .
  The Analysis authorizations are always captured in a Workbench type of transport request by default due to the above design.
  You can still transport both the PFCG role, and AA in a single transport request, you can do the same by following the steps mentioned in the below Wiki:
  https://wiki.sdn.sap.com/wiki/display/BI/HowtotranportroleandAAtogetherinBI
  Regards,
  Raghu

• Workbench Request for changing the Analysis Authorizations Switch in SPRO

  Hi Gurus,
  While changing the Analysis Authorizations Switch in DEV(SPRO), its asking to create a work bench request.
  so it means after creating a work bench request should we transport that particular work bench request to QA.
  Please help with some suggestion.
  Regards
  Padmaja.

  Just to add to this... the same way you need to transport a role up the stack, you have to transport AA object up the stack.
  Check out this Wiki
  https://wiki.sdn.sap.com/wiki/display/BI/HowtotranportroleandAAtogetherinBI
  Regards,
  Zaheer

• Analysis Authorization in BO 4.0 Webi report

  Hi All,
  I am using BO 4.0 and creating connection from Information Design tool to a BW query using BICS client. This connection is then published to CMC.
  We are using SAP authentication and importing the roles from BW system. We have added profiles to this role and these profiles have Analysis Authorization set on Company Code. So one user can access data to one company code and vice versa. Now this works well in Bex Analyzer, but if I try to create a report in Webi, the analysis authorization fails. I went through the forum before posting this question and I found that is in 3.1 version and in most cases using SSO in universe connection solved the problem.
  However in 4.0 I am using BICS client and followed the same processes to create a connection but for some reason it doesn't work ? Is this suppose to work differently in 4.0 ?
  I have tried:
  1. To create connection in Information Design tool using SSO, selecting user ID and password. It doesn't work.
  2. Checked the Bex query and it already has Company code as a Characteristic restrictions (I have made it a mandatory variable).
  3. Publish the connection to CMC with my Enterprise and SAP ID and in both cases it doesn't work.
  Please let me know if anyone encountered a similar issue and what is the best method to resolve this.
  (BO 4.0 no service pack or fix pack installed on the system yet)
  Thanks - Appreciate your help !
  Prasad Rasam

  Ingo,
  1. To create connection in Information Design tool using SSO, selecting user ID and password. It doesn't work.
  >> Correct you need to setup you OLAP Connection with SSO.
  >>> What I meant was I created the connections using both the methods, Using SSO it allows me to create a connection. The ID which I am using to create a connection has Admin access to BOBJ system. When I login as a regular user to create a Webi report and select this new connection, it throws an error message 'The DSL Service returned an error: com.businessobjects.dsl.services.workspace.impl.QueryViewAnalyzer$CannotGetCubeFromConnectionException: Cannot get the cube from the connection'
  Using the other method to create a connection with User ID and password, I can create a connection and with the normal user login I can connect to the BW query but Analysis Authorization doesn't work.
  Ingo : Could you be more specific what you mean here with the different users ? When you say "regular" user are you referring to an SAP credentials or SAP BusinessObjects Enteprrise credentials ?
  2. Checked the Bex query and it already has Company code as a Characteristic restrictions (I have made it a mandatory variable).
  >> The variable in the BEx query needs to be an authorization variable.
  >>> This has already been set as Authorization variable. There is still a question here. If I select the variable as Authorization variable, I cannot set the other parameters in the query properties such as Mandatory variable (as this is greyed out).
  Ingo : What other parameters would you like to configure ? Could you perhaps describe the scenario with more details ?
  regards
  Ingo Hilgefort

• Analysis Authorization Issue

  Hi:
  I created an analysis authorization ZCO_CODE to trstrict it by a company code.
  I added following objects in authorization with values.
  0COMP_CODE = 1000
  0TCAACTVT = 03
  0TCAIFAREA = *
  0TCAIPROV = *
  0TCAVALID = *
  Then I created a role Z:00:BW_REPORT, where I added following authorization objects S_RS_AUTH and restricted it by value ZCO_CODE. Then I assigned this role to a user test01.
  When I execute a program RSEC_MIGRATION for this specific user, I do not see authorization object ZCO_CODE on 2nd step of this program. Any Idea Why? I think this object should show up as I want to migrate this specific object.
  Help will be appreciated.

  Hi Sachin:
  Okay here is my issue.
  I have a Reporting authorization Object created earlier which is ZCOCODE. I though I'll have to create a new Analysis authorization object e.g. ZCO_CODE and then restrict it with other chars. as mentioned in Marc Bernards presentation and then you have to migrate it.
  In selection list I can see old Reporting authorization object. If I select it and use option "Enhance existing profile" then It will update profile and not role? right....
  How can I see whether it has updated existing profile?????
  Do I need to create new Analysis Auth. for Company code or I can use old Reporting authorization for company code?
  For testing purpose, I created a test user and assigned all reporting roles but It will not show up in RSEC_MIGRATION step???

• BW Analysis authorization issue on cost center range

  Hello BIW security experts
  I have a problem where I created an analysis authorization on a cost center range and it looks like the interval is not working. The report is just a list of cost centers (demo to users to prove that analysis authorizations work in order to skip 2 managerial cost centers.
  . Cost centers are numeric. Example:  2000100. In the drop down list they appear as such.
  . I want to have the following cost center range: 1000000 to 1000771, 1000773 to 2000771, 2000773 to 9999999.
  Thereofore 1000772  and 2000772 should not appear in the list.
  . In the analysis authorization I have put the 3 ranges above on 3 separate lines. 'BT' is the operator. The cost centers have been selected from the drop down list.
  Results:  I get only 1 record from the report....  2000772. (which is one I want to exclude..
  Steps tried to debug:
  . When I put a list of cost centers in the analysis authorization on separate line with the 'EQ' operator, then the report works.
  . I tried putting ' ' delimiters since cost center is a char field but it fails.
  . I tried adding leading and trailing zeros to fill up the char(10) but no luck.
  . I tried creating a hierarchy with the interval and put it in the hierachy auth. tab and it does not work either. It gives the same number of records than the first step.
  . A hierarchy with single values work.
  I do not know what else to try..
  Thanks.
  YB.

  Good morning
  Here it is from RSECVAL
  ZCC_TEST     0COSTCENTER                    I       BT        1000000                                                      1000771
  ZCC_TEST     0COSTCENTER                    I       BT        1000773                                                      2000771
  ZCC_TEST     0COSTCENTER                    I       BT        2000773                                                      9999999
  ZCC_TEST     0COSTCENTER                    I       EQ        #
  ZCC_TEST     0COSTCENTER                    I       EQ        :
  ZCC_TEST     0INFOPROV                         I       CP        *
  ZCC_TEST     0TCAACTVT                        I       EQ        03
  ZCC_TEST     0TCAIPROV                         I       CP        *
  ZCC_TEST     0TCAKYFNM                       I       CP        *
  Thank you for your help.

• BW Analysis authorization issue... need help urgently....

  We have one BW query which is pulling data from Contract Division info-object. Now this report does not variable selection object so it is pulling data from all values of Contract Division. Values of  Contract Division are CNC, CNS, CNE and CNL.
  Now we have created an analysis auth. object called z_es_3 and added Contract division info-object. Now we have added that z_es_3 into role and given value to CNS. now when we are running report, we are getting No Authorization error. When we are giving * value in z_es_3, it is running fine.
  Now we have to restrict report to contract division. please help.
  Thanks in advance

  Are you running unrestricted search on Contract division in your queries? You should restrict it to value which is maintained in the authorization for the InfoObject.
  Also please run the analysis authorization trace from RSECADMIN. That will give you a clearer picture of what is wrong.