To generate DELTA changes via Analysis Authorization Generation

Similar Messages

• Workbench Request for changing the Analysis Authorizations Switch in SPRO

  Hi Gurus,
  While changing the Analysis Authorizations Switch in DEV(SPRO), its asking to create a work bench request.
  so it means after creating a work bench request should we transport that particular work bench request to QA.
  Please help with some suggestion.
  Regards
  Padmaja.

  Just to add to this... the same way you need to transport a role up the stack, you have to transport AA object up the stack.
  Check out this Wiki
  https://wiki.sdn.sap.com/wiki/display/BI/HowtotranportroleandAAtogetherinBI
  Regards,
  Zaheer

• Manual migration to analysis authorization-4

  hello BI experts,
  When authorizing InfoProvider via analysis authorization by using 0TCAIPROV with *. Is it still possible to authorize correctly and sharp data via authorization relevant InfoObjects?
  regards
  Imberaureus

  Its possible considering the user will be able to look in to the data of all data targets.

• Generated analysis authorization cannot be changed

  Hello all,
  did someone manage to edit/delete generated (from DSO) analysis authorizations? When I want to correct a typo in one of the generated analysis authorizations it is not possible although the system is telling that it should be possible to do so. I did not find any note or thread yet.
  Message number RSEC292:
  Diagnosis text
  A generated authorization can be changed (this message is only a warning ), but one should be sure that this authorization is not generated again. Then it will be removed from the user, created again (perhaps with different content), and if there no fixed name was generated, it is renamed.
  Thanks in advance for your inputs

  Hello Lana,
  this is how SAP solved the problem
  Bye Petra
  Spezifikation: Message RSEC292: Generierte Analyseberechtigungen können nic
  Short text:
  Message RSEC292: Generierte Analyseberechtigungen können nic Langtext
  It is not possible to change from DSOs generated analysis
  authorizations although the system is telling that it should be
  possible to do so. Authorizations are sufficient (SU53; SAP_ALL)
  Message number RSEC292:
  Diagnosis text
  A generated authorization can be changed (this message is only a
  warning ), but one should be sure that this authorization is not
  generated again. Then it will be removed from the user, created again
  (perhaps with different content), and if there no fixed name was
  generated, it is renamed.
  Here is the communication path (please read from below):
  09.07.2007 - 09:03:36 CET Petra King Info für SAP
  Hello Ms. ,
  I always was telling about one issue:
  Change of generated analysis authorization is not possible.
  Since BI 7.0 we are talking about analysis authorizations so the
  transaction code used is obvious.
  There is no need for furhter information because it is only this single
  issue: I guess that it should be an error message and not a warning
  message and SAP made a mistake here by using the wron message category.
  I was never talking about users and xxxxxx is not an user but an
  analysis authorization.
  Please consider the call a solved - in the meantime I got
  professional support from the SDN platform.
  Regards,
  Petra King
  05.07.2007 - 09:14:22 CET SAP Antwort
  Hello Ms King,
  I must say that I find this message quite incomprehensible. First you
  write that you are irritated because my colleague asked you which
  transaction is being used to generate authorizations. This information
  is necessary so that the message can be assigned to the appropriate
  area. Indeed, the message was incorrectly sent to BC-SEC. Next you
  write that you are angry when I give you a consulting note regarding
  generation of analysis authorizations. I am mystified as to how such
  information from customers should help us in solving a technical or
  procedural probem. I have read the message from the beginning and
  there is very little technical and procedural information. Moreover, itis not clear what the "error" is here. The message RSEC292 is a warning(as clearly stated in the long text of the message) and this should not
  hinder the process. Lastly, in your last info you refer to a specific
  user, xxxxxxxx, as an example of a generated authorization. This is
  separate issue than the original:
  It is not possible to change from DSOs generated analysis
  authorizations although the system is telling that it should be
  possible to do so. Authorizations are sufficient (SU53; SAP_ALL)
  So in response to the original inquiry regarding RSEC292. The answer,
  as I have already mentioned and as stated in the text, is that this
  is just for information purposes. Please continue with the process.
  If you have a separate inquiry regarding the authorizations of
  particular users, please open a second message. We request that
  customer log one issue per message. Please read note 375196:
  Separate message for new problem/subsequent problem
  Regards,
  Senior Support Consultant
  SAP Active Global Support
  Netweaver Business Intelligence
  03.07.2007 - 15:14:39 CET Petra King Info für SAP
  Hello ,
  can you please contact the Basis Administrator xxx via phone
  (+xxxxx) so he can open the line and provide you with the
  user and password for system xxxxx.
  Please note that the error occurs on xxxx and you can have a look at the
  analysis auth. xxxxxxxx as representive for one of the generated
  authorizations.
  03.07.2007 - 15:08:43 CET Petra King Info für SAP
  Hello ,
  I am getting angry because note 1052242 is a documentation and I
  executed everything besides the fact that the analysis auths cannot be
  changed. Please read the error message from the beginning.
  Regards,
  Petra King
  28.06.2007 - 14:52:09 CET SAP Antwort
  Hello Ms King,
  Please excuse the delay in the processing of your message.
  Please read note 1052242 if you have not already done so. If this note
  does not help you to solve the problem, I would like to have a look at
  the situation on your system. Please open the R/3 Support connection
  provide me with a user and password. This information can be stored
  in the log on information of this message.
  Regards,
  Senior Support Consultant
  SAP Active Global Support
  Netweaver Business Intelligence
  25.06.2007 - 08:48:03 CET Petra King Info für SAP
  Hello ,
  if this is in the wrong queue, yes please forward it to the appropriate
  queue and please let the question be answered asap.
  Thanks,
  Petra King
  21.06.2007 - 07:47:29 CET SAP Info für Kunde
  Hello Petra,
  it is possible to generate authorizations in PFCG too. As RSECADMIN
  belongs to BW-BEX-OT-OLAP-AUT, I forward your message accordingly.
  Best regards
  Support Consultant
  Global Support Center Austria
  Netweaver Web Application Server ABAP
  20.06.2007 - 09:54:47 CET Petra King Info für SAP
  Hello ,
  sorry to let you know so late but there was a typo in my email address
  xxxxxinstead of xxxxxxxxx
  Your question is a little bit irritating. Generation of analysis
  authorizations in 7.0 is usually done only with transaction code
  RSECADMIN - correct me if there is another possibility. Generation
  works fine but the authorizations cannot be edited after then.
  Bye,
  Petra
  23.05.2007 - 11:53:16 CET SAP Antwort
  Dear Ms. King,
  please let me know which transaction code do you use or in which
  transaction do you get this message.
  Best Regards
  Support Consultant
  SAP Active Global Support - Netweaver Web Application Server

• Dynamic Analysis authorization to handle changing row level security in BW

  Hi experts,
      Is it possible to implement SAP BW 7.x ANALYSIS AUTHORIZATION in a dynamic manner. One example of this will be to replicate the CRM Organization model in SAP BW and display data as per organization Model.
     One example would be a Manager or a Org unit able to display all Sales Orders where all employee belonging to that Org unit are maintained in those Sales Order as employee responsible. If this Org structure is static it can be easily done in BW BY Analysis authorization. But not sure about the approach when the Org structure changes in a regular interval in CRM,
  Thanks for help

  If you maintain the "Org structure" as a BW hierarchy, and if it always changes in CRM,
  then you just need to load the hierarchy again to BW after the change in CRM.
  In the analysis authorization, e.g. if you assign a user to be authorized for all nodes and leaves under a certain node A,
  then it would still work even if what's below node A changes.
  Hope this answers your question.
  Regards,
  Patricia

• Analysis Authorization Mass Load got wrong

  Hi,
  First:
  I accidently made a rubbish CSV massupload via a 0TCA_DS04 formatted DSO and than a
  RSEC_GENERATE_AUTHORIZATIONS for Assignment of authorization to users.
  Second:
  I want to clear up this rubbish completely out  again.
  Third:
  Loading a one line one field CSV File like this:
  0TCTUSERNAME -     D_E_L_E_T_E
  ;0TCTAUTH -               <BLANK>
  ;0TCTADTO -              <BLANK>
  ;0TCTOBJNM -           <BLANK>
  ;0TCTSIGN -                <BLANK>
  ;0TCTOPTION -           <BLANK>
  ;0TCTLOW -                <BLANK> 
  ;0TCTHIGH -                <BLANK>
  ;0TCTOBJVERS -          <BLANK>
  ;0TCTADFROM -           <BLANK>
  via a 0TCA_DS01  formatted DSO
  and RSEC_GENERATE_AUTHORIZATIONS
  does not seem to work.
  Fourth;
  The rubbish Assignment of authorization to users still exist.
  Fivth:
  Something else to do ? The doc ,Generation of Analysis Authorizations - Business Intelligence - SAP Library,
  isn't to clear to this.
  Something more to do ?
  CSV wrongly formatted ?
  Assitant is appreciated.
  Thanks
  Martin

  Hi Petra,
  the message is only thrown when one of the named DataStore Objects is really empty.
  Could it be:
  1.) That you have a typo in your DataStore Object name
  2.) The message should also name a DataStore Object. Which one is it (for which authorisation generation)
  3.) Are you on a Support Package Stack level lower than 14, and try to generate hierarchy authorisation. If so, please check OSS note # 1041515.
  If none of the above is solving your issue, you might have to open a customer message.
    Cheers
       SAP NetWeaver BI Organisation

• Impact of Analysis Authorization on Users using old Authorization

  Hi All,
  I have question regarding Analysis Authorization. Our system has old authorization concept and as part of our project we decided to go for Analysis authorization for Cost Center object. We activated analysis authorization for cost center, assigned it to test user id and found that its working fine in Dev. But it has impacted other users in the system. They are not able to access any other reports and data providers which were not even referring cost center. What is the proper way to activate analysis authorization without impacting access to existing users.
  - Som

  Hello Andreas,
  Sorry to ask you directly here, I didn't get answer from this forum. We will migrate to the new analysis authorization from old reporting concept. I have read the book "An Expert guide to new SAP BI security features" by SAP Lavs, but still confused with some parts. My questions is:
  Are there two ways to create authorizations as follows?
  1. we can type tcode rsecadmin>Maintence button>create a new authorization.
  2. the following part taken from the book:
  Steps for Generating Authorizations
  1. Activate Business content
  2. Load Datastore objects
  3. Generate Authorizations
  4. View Generation Log.
  In the first step, OTCA_DS01 to OTCA_DS05 and OCCA_O01 to OCCA_O03 are Datastore objects required to be activated.
  In the second step, tcode rsecadmin-->generation button --> type OTCA_SDS01 to OTCA_DS05 into respective filed. Should we always type these 5 objects everytime when we create authorization?
  When we should use the second way to create authorizations? and what is the diffrence between them?
  Any answers will be appreciated. Thank you very much in advance!
  Haifeng

• Analysis Authorization (Role, Profile and Direct Assignments)

  <b>Analysis Authorization Question:</b>
  1)     In BW 3.x environment, customers have used Role Maintenance Process to assign proper object level security and then assign to the users.
  2)     Most of the places R/3 security team takes over support/administration function of BI Security and they continue to use Role method to assign “Reporting Authorizations” as per the process defined in BW 3.x system.
  3)     Customer sometime have 100 + Roles to have 3.X “Reporting Authorizations”. This is Managed, assigned, approved using role concept.
  <b>
  Migration Options:</b>
  1)     New Analysis Authorization makes process of Role Maintenance like "hierarchy authorizations" of BW 3.x. You have to create Value in other transactions and assign them in Role as a pointer or link object. With Analysis Authorization concept, Actual value of the Object Assigned “Like Company code 1100” not visible in Role Maintenance PFCG transactions. It is only visible in Transaction code RSECADMIN.
  2)     Analysis Migration Tool - RSEC_MIGRATION does not update “ROLES”. It creates or changes “PROFILES”.
  3)     Profiles are assigned to the users and Roles does not reflect any Impact by Analysis Authorization migration.
  <b>Questions</b>
  a)     This means customer need to update all the roles by hand. If they want to use Roles to manage the assignment of the Security to users. Migration Tool does not update Roles, it only updates PROFILES.
  b)     Does any one use direct assignment to Users? It is good business practice?
  c) Is <b>Profiles</b> recommended method of Authorization Maintenance?
  d) Can we run migration tool to create Analysis Authorizations, but not assign to the users as a Profile. But stop at creating Analysis Authorizations. If Customer wants to use Roles maintenance process then, they can do not have delete profile assignments from all users before updating Roles using Analysis Authorizations.
  Just want to check how other folks have done migration that can be supported going forward.
  Pankaj Gupta

  Hey Pankaj,
  In general, assigning the analysis authorization directly to user makes a lot of sense for granular levels of authorization. For example, if you had 3,000 users, 3,000 specific authorization combinations, and 3,000 roles, using roles is a lot of additional overhead. If you had 12 roles and 3,000 users, your role concept makes a lot of sense.
  Therefore, the recommendation is that it varies on what makes the most sense logically. Authorization groups can be created to group analysis authorizations and combine them. Also, you have the ability to generate analysis authorizations using the Content Datastores for this. That is an option as well.
  RSEC_MIGRATION does use profiles as you've stated. If you want, there would be manual work to convert to roles afterwards. In case you haven't seen Marc's presentation on security, it's pretty good and covers how to generate authorizations from the datastore.
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/media/uuid/ac7d7c27-0a01-0010-d5a9-9cb9ddcb6bce

• Transport roles and analysis authorization with user assigned

  Hi expert,
  I face with this problem transport roles and analysis authorization with user assigned. When I have created a transport request to move the roles and analysis authorization from development system to test system. I couldnu2019t maintain the user assigned, after transport I have to assigned manually all of user or create a program to fill AGR_USER table or there are other way.
  Thanks for your time,
  Luis

  Hi,
  In role administration, you have the following options for transporting roles:
  You can download the roles from one system and upload them into another  
  You can import the role from a remote system using RFC  
  You can transport the roles with the transport function.
  Role upload loads all role data, including authorization data from a file into the SAP system. The user assignments for the role and the generated profiles for the role are exceptions in this case.
  Transporting Roles with the Role Transport Function
         1.      Start the role administration function by choosing Tools ® Administration ® User Maintenance ® Role Administration ® Roles (transaction PFCG).
         2.      Enter the role to be transported and choose Transport Role.
  The Mass Transport of Roles screen appears. You can control the default settings for the options Also transport single roles for composite roles and Also transport generated profiles for roles using Customizing switches (see Role Administration Functions in the section Functions of the Utilities Menu).
  You should not change the authorizations profiles of the role after you have included the role in a transport request. If you need to change the profiles or generate them for the first time, transport the entire role again afterwards.
  For more information go thrpugh the below link
  http://help.sap.com/saphelp_nw70/helpdata/EN/6d/7c8cfd410ea040aadf92e1f78107a4/content.htm
  Regards,
  Marasa.

• D_E_L_E_T_E doesn't delete analysis authorizations

  Dear SAP BI colleagues,
  I use the standard DSO's for analysis authorization (0TCA_DS0*). After successful upload and generating the analysis authorizations, I tried to delete this entries again. For this I followed the SAP documentation as well as other community hints: I only have the D_E_L_E_T_E entry for infoobject 0TCTUSERNM in the value DSO 0TCA_DS01. After generating via RSECADMIN the analysis authorization still exist in the user assignment as well as the DB table RSECAUTHGENERATD.
  Does anybody know why?
  Regards,
  Joern

  You need to set the 0TCTOBJVERS to 'A' and 0TCTADTO to '99991231' as well.
  Regards,
  Lars

• Analysis Authorization Issue 7.3

  Hello Friends,
  System BW 7.3, Currently there are 80 odd analysis authorization objects
  We want to introduce a new info object (GL Account) to be authorization relevant, ( there are few objects in the system which are already authorization relevant in the system with proper analysis authorization objects and they are working fine)
  Things done, made the GL Account object authorization relevant in RSA1, Created 2 analysis authorization objects with GL Account and TCT objects and one with hierarchy restrictions and one open access.
  Added this object to the user in addition to its already existing authorization objects. Created authorization variable in BEx.
  Some how the authorization is not picked up and it gives us all the values in the report. But if I add the GL Account info object to the existing analysis authorization objects then it works fine.
  I do not want to change all the existing analysis authorization objects to add GL Account.
  Your inputs are most welcome.
  Thanks
  Ed.

  Gajesh- I have added the new analysis authorization object to the user in RSECadmin.
  Subhendu- Problem statement: What are the steps involved in making a new info object(GL Account) authorization relevant. Authorizations are given at hierarchy level. Can we create a new analysis authorization with  GL Account only or do we have to add it to every existing analysis authorization
  I have done the following steps
  1. Made the GL Account object authorization relevant in RSA1,
  2. Created 2 new analysis authorization objects with GL Account ( with hierarchy restrictions) and TCT objects and one with GL Account open access.
  3. Added this object ( which has restrictions) to the user in RSECADMIN, in addition to its already existing authorization objects.
  4. Created authorization variable in BEx.
  5. No existing analysis authorization objects have been changed.
  When I test the report, It does not restrict based on the hierarchy that I have given, it gives open access.
  But If I add GL Account with restrictions to the existing analysis authorization object, it works good.
  Guess I am missing some thing here.
  Do you need any other screen shots.
  Thanks
  Ed.

• Web Intelligence Report + BI 7.0 Analysis Authorizations

  Hello Experts,
  I have created a report on a universe based in a SAP BW InfoCube that contains an authorization relevant InfoObject (Company Code).
  BW Analysis authorization have been set up for this cube in such way that the user should have access only to data containing one of the two values of Company Code (lets say for example that the user can access value "A").
  It seems to be working fine when testing them via a BEx Query or via rsecadmin (rsrt with detailed analysis authorization logs). When the test user tries to view the full contents of the specific cube gets an "access denied" message (this is normal), whereas if the user runs a report with a filter "A" on Company Code the report returns the results as it should have. So far so good.
  For testing use within Web Intelligence, I have created the following Single Sign On (SSO) universes: a)directly on the cube, b)via a "select all" query and finally c)via a filtered query (filtering the exact allowed values of analysis authorization of the test user). All of the above have unfortunately the exact same issues:
  When a test user with limited analysis authorization (i.e. a user that can only access value "A" of Company Code) tries to view a report on either of these universes, then the result is the following message when trying to execute the query "A database error occured. The database error text is: Error loading cube MyCube/MyQuery (catalog MyCube): Unknown error. (WIS 10901)"
  I have tried several settings on the universe (like filter working on LoV as well) but none helped.
  If we replace the user's analysis authorizations with full access on company code (values "A" and "B") the query runs as it should have.
  Any ideas?
  Best regards
  Giorgos

  Hi,
  has the Universe been created on the cube level or on the query level ?
  In case it is on the cube level it will fail because :
  Analysis authorizations are not based on authorization objects. Instead, you create authorizations that include a group of characteristics. You restrict the values for these characteristics.
  The authorizations can include any authorization-relevant characteristics, and treat single values, intervals, and hierarchy authorizations in the same way. Navigation attributes can also be flagged as authorization-relevant in the attribute maintenance for characteristics and can be added to authorizations as separate characteristics.
  You can then assign this authorization to one or more users.
  All characteristics flagged as authorization-relevant are checked when a query is executed.
  *A query always selects a set of data from the database. If authorization-relevant characteristics are part of this data, you have to make sure that the user who is executing the query has sufficient authorization for the complete selection. Otherwise, an error message is displayed indicating that the authorization is not sufficient. In principle, the authorizations do not work as filters. Very restricted exceptions to this rule are hierarchies in the drilldown and variables that are filled depending on authorizations. Hierarchies are mostly restricted to the authorized nodes, and variables that are filled depending on authorizations act like filters for the authorized values for the particular characteristic*
  Ingo

• [BO over SAP BW] Web Intelligence Report + BI 7.0 Analysis Authorizations

  Hello Experts,
  I have created a report on a universe based in a SAP BW InfoCube that contains an authorization relevant InfoObject (Company Code).
  BW Analysis authorization have been set up for this cube in such way that the user should have access only to data containing one of the two values of Company Code (lets say for example that the user can access value "A").
  It seems to be working fine when testing them via a BEx Query or via rsecadmin (rsrt with detailed analysis authorization logs). When the test user tries to view the full contents of the specific cube gets an "access denied" message (this is normal), whereas if the user runs a report with a filter "A" on Company Code the report returns the results as it should have. So far so good.
  For testing use within Web Intelligence, I have created the following Single Sign On (SSO) universes: a)directly on the cube, b)via a "select all" query and finally c)via a filtered query (filtering the exact allowed values of analysis authorization of the test user). All of the above have unfortunately the exact same issues:
  When a test user with limited analysis authorization (i.e. a user that can only access value "A" of Company Code) tries to view a report on either of these universes, then the result is the following message when trying to execute the query "A database error occured. The database error text is: Error loading cube MyCube/MyQuery (catalog MyCube): Unknown error. (WIS 10901)"
  I have tried several settings on the universe (like filter working on LoV as well) but none helped.
  If we replace the user's analysis authorizations with full access on company code (values "A" and "B") the query runs as it should have.
  Any ideas?
  Best regards
  Giorgos

  Hi,
  has the Universe been created on the cube level or on the query level ?
  In case it is on the cube level it will fail because :
  Analysis authorizations are not based on authorization objects. Instead, you create authorizations that include a group of characteristics. You restrict the values for these characteristics.
  The authorizations can include any authorization-relevant characteristics, and treat single values, intervals, and hierarchy authorizations in the same way. Navigation attributes can also be flagged as authorization-relevant in the attribute maintenance for characteristics and can be added to authorizations as separate characteristics.
  You can then assign this authorization to one or more users.
  All characteristics flagged as authorization-relevant are checked when a query is executed.
  *A query always selects a set of data from the database. If authorization-relevant characteristics are part of this data, you have to make sure that the user who is executing the query has sufficient authorization for the complete selection. Otherwise, an error message is displayed indicating that the authorization is not sufficient. In principle, the authorizations do not work as filters. Very restricted exceptions to this rule are hierarchies in the drilldown and variables that are filled depending on authorizations. Hierarchies are mostly restricted to the authorized nodes, and variables that are filled depending on authorizations act like filters for the authorized values for the particular characteristic*
  Ingo

• Need analysis authorization help

  Hello Gurus,
  Could someone please help me out with my Analysis Authorization issue?
  We have a BW query and workbook outputting "Tcode usage" like the following:
  UserGroup| Username| Tcodename| Frequency
  This one has been running long time without any problems in reporting authorization, but now We want to get it restricted and only allow data associated group HR to display using new Analysis authorization. The scenario for this report is as follows:
  1. Rsecadmin >Maintenance> Create New authorization "Group" which consists of 4 characteristics: 0TCAACTVT, 0TCAIPROV, 0TCAVALID and 0TCTUSRGRP(which is the characteristic about group name and already authorizatio relevant). Set 0TCTUSRGRP "EQ HR".
  2.Assigned this authorization to a role using PFCG through the S_RS_AUTH. Other authorization objects in this role are:   S_BDS_D, S_BDS_DS, S_RS_MPRO, S_RSEC, S_RS_COMP, S_RS_COMP1, S_RS_HIER, S_RS_ICUBE, S_RS_ODSO.
  3.In BEx analyzer, set type: Characteristic Values and Variable filled from authorization and value "Selection Option". Unselected "ready for input". Put the characteristic associated with group name to filter windown on the top righ hand side of the Query Designer. Also compare users in PFCG.
  The question is the I still get all data about all groups. Looks like the authorization group doesn't work. I  used the "execute as " and get no errors back.
  Note: I didn't use "generation" to create the new authorization in Rsecadmin
  Thank you very much for any answers!
  Haifeng

  I guess i have found the reason why my authorization dosen't work. I don't activate infoObjects 0TCA* and 0TCT* and infoCubes 0TCA* as well. But another thing I am confused about is :
  Should I activate HR and CO businees content for authorizations 0TCA_DS02OTCA_DS05 and 0CCA_O010CCA_O03 before i get started? or should i run generation everytime i create a new authorization using Maintenance in Rsecadmin?
  Haifeng

• Analysis Authorization

  We have a need to restrict the majority of our users from seeing transactions of few business accounts.  The restricted accounts can be based on a specific gl account, fund range, or they can be a combination of a fund and cost center (or fund and fund center).  Until we become more familiar with this process, we are only concerned with 0FUND and it's restricted ranges, so below my question is just about 0FUND.. 
  We need to explore and understand what abilities analysis authorizations give us. I have done a lot of reading, but so far all of the pieces are not falling into place.  I am on the BW team and working with the security team to get this accomplished.  At this time whereever 0FUND is located in an existing authorization, it has a "*" to indicate the user gets all values.  We have already gone live; will every authorization currently in use with 0FUND have to be changed?  Is there a detailed How-To located somewhere?
  thank you in advance for your help.
  LLK

  Hi Linda,
  SUIM - User Information System is a TRANSACTION CODE. (Its not SUM)
  Execute SUIM and follow the path mentioned below:
  SUIM -> User -> Users by complex selection criteria -> Users by complex selection criteria. In the Authorization object field mention S_RS_AUTH and in the field mention the name of the analysis authorization which you want to search for.
  The output would be users who have access to the analysis authorization that you gave in the search criteria.
  Since in your case there would be a lot of analysis authorizations with * in 0FUND,  it would be better to identify the roles first and then the users assigned to these roles.
  You can identify the roles by browsing the table SE16. Just give the object name and all the analysis authorizations in the multiple selection on appropriate fields. Then use SUIM to identify the users who have access to these roles.
  SUIM -> User -> Users by complex selection criteria -> By Roles.
  You can also display the roles in this report by pressing the Roles button at the top. Apply filter to restrict the roles to your identified roles.
  Thats it !
  Regards
  Sachin