To Restrict Auth relevancy in RSD1 * removed_by_moderator *

Similar Messages

• Restricting access of to auth relevant characteristics

  Hello Experts,
  We have a requirement wherein I have to restrict access for a user by which the user would not be able change the poroperties of characteristics even in the local view in the query designer.
  The requirement is like the user should be able to go into change query (local view) and change rows and columns but the user should not be able to change the properties of any characteristic.
  In our case the user is trying to change the properties of a authorisation relevant characterstics which the user should not.
  Thanks in advance.
  Best Regds,
  Suyog.

  Hi Suyog,
  As per my knowldge, you cant control change acceess only to rows and column only in query designer. Also please note that maintaining auth. relevant charactristics as processing type authrization or customer exit is BW developers job, as BI security consultant you can give suggestions to maintain such varaiables.
  Hence you give change  query access in Dev and  give only display in QA & production.
  Best Regards
  Imran

• Implement Hierarchy's On InfoObject that is Not Auth Relevant.

  Hello Friends,
  Please Advice me in this issue.
  I am Upgrading from 3.1 to 7.0.I am able to implement hierarchies when the Infoobject is auth relevant.
  There are hierarchies in 3.1 on Infoobjects which are Not Auth Relevant.
  Like 0PLANT ..I don't know how to implement using this.
  Is there any way to implement hierarchies on InfoObjects which are not auth relevant in BI 7.0 using Analysis authorizations.
  Or Do i need to make thes non auth relevant InfoObjects of 3.1 to auth relevant in 7.0 and implement hierarchies.
  Please advice.
  Thanks,
  Ram

  Hi Keerti,
  Can you please tell me how to implement hierarchy with out making 0PLANT auth relevant.
  We are upgrading from 3.1 to 7.0.
  0PLANT is not auth relevant in 3.1 but it has Hierarchies.
  So business team wants to have the same in 7.0 with out making it auth relevant.
  Please help me in doing this.
  Thanks
  Ram

• Wanted: Dictionary-/ Metadatatable for the Mapping of the (old,3.5.) Authorization Object to the (Auth.relevant) InfoObject

  Hi,
  I am looking for the concrete BW's dictionary-/ metadatatable(s)
  which contain/describe the
  Mapping of the (old,3.5.) Authorization Object to the (Auth.relevant) InfoObject
  of  the transaction "RSSM-Authorization for Reporting"
  For example:
  I got 3.5 Auth.Object ZCOMP_CODE and want to know to which   (Auth.relevant) InfoObject
  this is mapped, basically what's in the usage of this Authorization Object.
  ThanXs
  Martin

  Hi,
  As of now, your authorizations still in 3.x. so please check the below tables.
  RSSBAUTHGEN - it holds info provider and authorization object
  RSSBAUTHGENERATD - it have user name and info provider
  RSSBAUTHTRACE
  RSSBAUTHTRUSER
  RSSBAUTVAL
  RSSAUTHHIER
  RSSAUTHHIERNODE
  Coming to 7.x , Above mentioned T code kumar is enough to handle authorization concepts.
  There is best document about 3.x and 7.x comparison on Google.
  please search for it by using search term "An Expert Guide to new SAP BW Security Features"
  Written by Marc Bernard
  Thanks

• Auth relevant Objects in a Infoprovider

  Hello,
  Is there a way to findout list of Authorization Relevant Objects in a Infoprovider? instead of going through all the Objects?
  Thanks,
  KK

  Hello Kris Kamal,
  If you're in the new Authorization Analysis of BI 7, then all of InfoObjects marked as AuthorizationRelevant in rsd1->tab Business Explorer that exist for that InfoProvider the query is built are check during reporting. To see what are these InfoObjects go to transaction RSECADMIN create a new authorization from scratch in "Maintenance" give a short text description and push the button "InfoCube Authorization". Insert your InfoProvider where the query is built push enter and you'll see a list of InfoObjects. Those InfoObjects are checked for that query.
  Please assign points,
  Diogo.

• Authorization Issue - Very Urgent

  Hello Guys,
  I have a requirement where in I need to restrict the BI report users based on company code ( 0comp_code ).
  In short, how to make the company code and plant ( 0plant ) as the authorization object and assign those to roles created.
  We are using SAP BI 7.0 2004s and users will be using EP to view the reports.
  I have all the roles in places for each module reports for the users.
  Now I need to provide the required access authorisation based on company code and plant.
  Could you please help me.
  THanks and Kind Regards,
  Shekar.

  Authorizations - Reporting
  Make 0comp_code as auth relevant from rsd1 tcode and then create auth object using RSECADMIN tcode
  Hope it Helps
  Chetan
  @CP..

• Auth. Relevant InfoObject not showing in OBI security

  Hi experts,
  I have a cube with  two costcenter infoObject, both are Auth. relevant. But only one shows in OBI in Security. Could any one tell me How to solve this problem.
  Thanks

  After discussing this issue with local Cisco folks, TAC and colleagues, it seems that locally authenticated user names are not passed to the controller (or NCS). It's not a bug, it's just the way it is.
  If you want the AP to authenticate and locally switch users while communication to the controller is down (i.e. loss of WAN link), no usernames are sent to the controller for logging or troubleshooting... even when AP to WLC communication is working fine. It's a trade-off of information (usernames) for uptime.
  If any Cisco wireless development folks are browsing, consider this a 'feature' I would like to see. Thanks.

• Restricting Authorization for a specific Info-object

  Dear All,
  I have a scenario where I have to restrict the account managers by specific channels.
  I have 2 info-objects, Sold-to party and Sales Channel. Sales Channel is defined as attribute of the the Sold-To Part info-object.
  I was exploring the BI authorizations concept in SCM 2007.
  I created a authorization called "Test" and assigned the info-object Sales Channel in the authorization and restricted it for one value. This authorization along with 0BI_ALL I have added to the role under BI authorizations.
  However in interactive demand planning, I cannot restrict by the sales channel. It allows me to load data for all the channels.
  If I remove 0BI_ALL object, then I cannot load anything in interactive planning.
  Does anyone have a step by step proceedure for using the BI authorization concept?
  Regards,
  Kedar

  Yes, 0TCAACTVT (activity), 0TCAIPROV (InfoProvider) and 0TCAVALID (validity) have to be made authorization relevant. For the info objects you want to use to control security, also make them authorization relevant in RSD1, imagine the object you want relevant is ZZ_VKORG (sales organization).
  Then use RSCEADMIN transcation and 0BI_ALL will include the objects from above, copy 0BI_ALL into a object such as Z_1000 and then change the value for the specific info object that you want to control, imagine that you want sales org 1000 only to be allowed within Z_1000.
  Now, you have 2 choices: You can use the normal security maintenance (SU01, PFCG) and you can asssign RSRS_AUTHBIAUTH and set BIAUTH requal to Z_1000 or you can use user maintenance directly within RSCEDAMIN and assign Z_1000 to the user. Either way, it becomes part of the authorization of the user.
  You may find that you need to introduce colon authorization concept ( for mixed levels of data and that is just a matter of adding a second line to the allowable values and setting it like "EQ :".
  Things to consider:
  1. This authorization concept is water tight and will do everything you need, but will do at the expense that if you don't model it first, you will kill yourself trying to make it right. This becomes evident when you trace a security issue (via RSCEADMIN) because the way BI7.0 works is that it will build a minimized superset of authorizations, so it is best to know where you want to get to, rather than starting off by where you know you need to go.
  2. To control change or display mode, you will need to influence 0TCAACTVT, even though you might think to use C_APO_SEL3 for ACTVT, the BI7.0 concept works within the BI space and 0TCAACTVT doesn't impact it.
  3. If you activate more info objects, 0BI_ALL will get updated automatically but your custom  authorization objecst will not. So, it is best to activate them all at the same time so that you don't have to manually change them.
  4. Do the work in development and transport it to the TEST/QA/PROD environments, there are transprt tools within the RSCEADMIN.
  This is probably enough to get you going, reply back if you have specific questions or issues.
  I've been thru this in a painful way, sometimes the best things learned are learned the hard way

• SAP BI authorization relevant

  All,
  I tried to create a custom authorization object for an infoobject otcaactivity (just for eg) .Before that I used RSD1 to make that infobject authorizartion relevant.But after that I inserted the infobject which is made as auth.relevant to the custom object and tried to assign value for the intervals.I got an message as the characteristic value is not authorization relevant...why is that?I tried in sand box..is it any way related to info cube which is not yet created for the particular info object in the sand box thats the reason I get error message ?
  Whats the reason to secure characteristics and key figure values?

  Hey,
  Activating business content mean making authorization relevant?
  For BW3.5 there is no need of the mandatory info objects?(0TCAACTVT ,0TCAIPROV ,0TCAVALID ,0TCAKYFNM)
  Whats the difference between securing through reporting authorization object and securing through BI specific object??
  Thanks

• Restrict HR tables

  Hi
  Could you pls tell me How to restrict HR tables in S_TABU_DIS and display all other
  thanks in Advance

  Hi Prasad,
  As I said, identify all the authorisation groups placed on the HR tables and make sure that these are <i>not</i> included in S_TABU_DIS for the normal users.
  Your HR team will tell you exactly which tables contain sensitive data.  All the tables that don't have an authorisation group assigned to them (you can see this in table TDDAT) should have an authorisation group assigned against them.  Not all HR tables are just in the H* and P* name spaces so you need to get the input from someone who properly understands the tables (you may be able to find a list somewhere here: SAP ERP Human Capital Management (SAP ERP HCM))
  This way you can split table access between Non-HR (They don't have any HR relevant table auth groups in S_TABU_DIS field DICBERCLES) and HR (They have access to the restricted auth groups).
  It's not a straightforward piece of work as access to tables via SE16 etc (I assume that's why you need to protect the data) is not designed for granular access without a considerable amount of additional work being involved.
  I hope that answers your question

• Restrict employee postion to current based on Org Unit

  Hi,
  We have recently implemented structural Authorization and I am now trying to create a query based on Org Unit.
  The query is to show employee by position based on org unit. I have made org unit auth relevant and created a hierarchy variable as the restriction. In the row/columns I have included Org unit with hierarchy activated, position and employee. The KF is Actual time.
  When I execute the report it is bringing leavers and people in old positions. To remove leavers I included a restriction on person to remove anyone in the position 99999999.
  But this is still showing people in old postions. These positions have been end dated in the system and current positions have date 31/12/9999.
  Does anyone know how I can restrict position to only show current positions?
  Thanks

  Hi,
  as suggested i have made the query time dependant be selecting "key date" in the proerties, but this still brings in postions that have been end dated.
  Is there a way to restrict postions by validity. The query is based on time management info cube
  thanks

• Authorization checked for infoObjects even though not relevant to report

  Hello guys,
  I am facing a problem in BI 7.0 authorization checks.
  For a given report the BI team has placed a restriction in the query only for infoObject 0Comp_code (company code) and 0SOLD_TO (sold to party). Accordingly i have created authorization in RSECADMIN and assigned to role--> user.
  But when the user runs the report, he gets as authorization error and during analysis in RSECADMIN i see that "list of Authorization relevant charecteristics(infoObjects) for info provider xxxx" contain other infoObjects as well.
  Is it a case where infoObjects can be made authorization relevant for the whole  info provider eg-ZSD_M42" (where this is a multi provider)apart from being checked for specific reports eg- ZSD_M42_Q0001?
  How do i get around this problem?
  Regards,
  Prashant

  Hi Prashanth,
  What Zaheer said was exactly correct.Make sure all the Auth relevant Chaaracteristics of an Infoprovider  are properly authorized through your Analysis Authorization.Suppose if you don't need security on other Characteristics of an InfoProvider give * in your AA which will byepass check on that particular Auth relevant Characteristics..
  More over,See to that all the key figures are properly authorized as all the keyfigures are by default auth relevant in BI.
  Cheers,,
  Ramkumar C

• Making 0PROFIT_CTR Authorization Relevant (RSECADMIN)

  I am in need on restricting certain queires to run, based on specific Company Codes and Profit Centers.
  I have made so far, only Company Code (0COMP_CODE) authorization relevant.
  If I make Profict Center (0PROFIT_CTR) authorization relevant, should the existing queries be affected ?
  In other words, when a user runs existing queries (which require to pass a Company Code), could it be
  asked to provide the Profit Center as well  [I won't insert the Profit Center (characteristic 0PROFIT_CTR) in the authorization ] ?
  Best regards,
  Tom

  If you are on BW3.5 authorization concept, all the queries should not be impacted if those are on different multiproviders (as in BW3.5 concept you can select which object is to be authorization relevant for a multiprovider). If you need profit center to be authorization relevant for one query, all other queries on the same multiprovider will be impacted and if you do not want to add profit center characteristic in all the queries, you will need to create a role with : (colon) access and assign it to the users.
  In 7.0 authorization concept, a authorization relevant info object will impact all the queries on all multiproviders. If you dont want to use profit center as auth relevant for some multiproviders, you will have to take care of it with functional role for that multiprovider or you can use : (colon) data access role.
  Regards,
  Gaurav

• Mark InfoObject authorization relevant

  Dear Community,
  we've activated "authorization relevance" in one of our frequently used InfoObject and added it to an authorization object.
  We've the situation that the field information of this InfoObject disappears in reports.
  (The authorization object is nowhere marked as relevant for a DataProvider)
  Am I right that this isn't an expected bw system behavior??!
  Thx for some tips or remarks in advance.
  br, michael

  Sounds very peculiar...
  Did you add the authorization object to any roles? Did you specify any restrictions on values?
  For an overview of how we chose to implement security, see the following thread:
  Re: Auth Relevancy Not Working
  Hope this helps...
  Bob

• BI Security Implementation and restrictions at Infocube levels

  Dear all,
  I am trying to update myself on BI security and practical implementations. I read expert guide and other relevant documentation. We have BW security integrated with CRM and Portal.
  Please explain or provide me some direction in understanding how BI security works at key figure level.
  <b>Is it necessary to set the following InfoObjects as “authorization-relevant” . Is it MANDATORY to make the following settings as "Authorization-Relevant" before we start the BI Security
       0TCAACTVT
       0TCAIPROV
       0TCAVALID
       0TCAKYFNM</b>
  and
       Add 0TCAIFAREA as an external hierarchy characteristic to 0INFOPROV
  When I changed above infoobjects to Authorization relevant, BI Portal Users are complaining that they have Access issues. I have to change this setting back.
  Can someone explain me the implication of making the above objects as Authorization Relevant. What making these objects, Do I need to complete some steps to make it work.
  All users have 0BI_ALL object defined in S_RS_AUTH. I don't know how 0BI_ALL works for users.
  I greatly appreciate if anyone can explain how I can achieve the following scenarios:-
  1. How Can I restrict user access to all the Characteristics and Key Figures of Infocube ZEN_XXX1 except for Characteristic 0CRM_SALORG.
  2. How can I restrict User access to all the Characteristics and Key Figures of Infocube ZEN_XXX1 except for Characteristic 0CRM_SALORG (Sales Organization CRM) and Key Figure ZVOLSU.
  3. How can I restrict User Access to all Infocubes EXCEPT ZEN_T001 infocube.
  I tried using PFCG but it does not work. 3rd scenario worked fine. I really need help in resolving scenario 1 and 2.
  please eMail me if I need to go thru any other step-by-step procedure.
  I am trying my best to resolve and at the same time reading other documentation and experimentation.
  Waiting for a Positive Reply
  Kumar

  Hello Kumar,
  <b>here are my statements:</b>> Is it necessary to set the following InfoObjects
  > as “authorization-relevant” . Is it MANDATORY to make
  > the following settings as "Authorization-Relevant"
  > before we start the BI Security
  >      0TCAACTVT
  >      0TCAIPROV
  >      0TCAVALID
  >      0TCAKYFNM
  <b>Be careful when checking 0TCAKYFNM. If you do so EVERY user will be influenced because reporting is based on key figures. But as you need to restrict to certain key figures you will have to check 0TCAKYFNM  authorization relevant. As a consequence every user will need key figure authorizations.</b>> 
  > and
  > Add 0TCAIFAREA as an external hierarchy
  > characteristic to 0INFOPROV
  <b>This is not mandatory but may be helpful if you want to restrict authorizations on InfoArea Level.</b>
  > When I changed above infoobjects to Authorization
  > relevant, BI Portal Users are complaining that they
  > have Access issues. I have to change this setting
  > back.
  <b>They might complain because they do not have authorizations for any key figure.As I explained above checking this object has impact on every query because every query contains key figures and when you check 0TCAKYFNM users will need the authorizations for this object.</b> >
  > Can someone explain me the implication of making the
  > above objects as Authorization Relevant. What making
  > these objects, Do I need to complete some steps to
  > make it work.
  >
  > All users have 0BI_ALL object defined in S_RS_AUTH. I
  > don't know how 0BI_ALL works for users.
  <b>0BI_ALL is SAP_ALL on analysis level - you must not assign this to your reporting users!</b>>
  > I greatly appreciate if anyone can explain how I can
  > achieve the following scenarios:-
  >
  > 1. How Can I restrict user access to all the
  > Characteristics and Key Figures of Infocube ZEN_XXX1
  > except for Characteristic 0CRM_SALORG.
  <b>Figure out if characteristic 0CRM_SALORG has to be marked as authorization relevant or not. If not - there's nothing to do. If yes - you will have to setup analysis authorizations.
  Create an analysis authorization in RSECADMIN like:
  ZEN_XXX1_ALL
  0CRM_SALORG  = *
  specify your other auth. relevant characteristics and enter ":" as values
  0TCAIPROV = ZEN_XXX1
  0TCAACTVT = 03
  0TCAVALID = *
  Do not forget to allow authorizations for these auth. relevant characteristics in your other infoproviders (where applicable).
  Assign the authorization to the users in RSU01 or create a role containing S_RS_AUTH with the analysis auth. as value.
  </b>
  >
  > 2. How can I restrict User access to all the
  > Characteristics and Key Figures of Infocube ZEN_XXX1
  > except for Characteristic 0CRM_SALORG (Sales
  > Organization CRM) and Key Figure ZVOLSU.
  <b>Create an analysis authorization in RSECADMIN like:
  ZEN_XXX1_KEY
  0CRM_SALORG  = CRM
  specify your other auth. relevant characteristics and enter ":" as values
  0TCAIPROV = ZEN_XXX1
  0TCAACTVT = 03
  0TCAVALID = *
  0TCAKYFNM = ZVOLSU
  And also do not forget to allow authorizations for these auth. relevant characteristics and all key figures in your other infoproviders.
  Assign the authorization to the users in RSU01 or create a role containing S_RS_AUTH with the analysis auth. as value.</b>
  > 3. How can I restrict User Access to all Infocubes
  > EXCEPT ZEN_T001 infocube.
  <b>Enter in auth object (PFCG) S_RS_COMP and S_RS_COMP1 your cube ZEN_T001 in field RSINFOCUBE,  RSZCOMPTP =  REP, ACTVT =  16
  </b>
  >
  > I tried using PFCG but it does not work.
  <b>Why? What was the problem? Keep in mind that you always will need the three special dimensions since BI 7.0</b>
  3rd scenario
  > worked fine. I really need help in resolving scenario
  > 1 and 2.
  >
  > please eMail me if I need to go thru any other
  > step-by-step procedure.
  >
  > I am trying my best to resolve and at the same time
  > reading other documentation and experimentation.
  >
  > Waiting for a Positive Reply
  >
  > Kumar