Two analysis authorisation
Dear Gurus,
I have the turned two navigation attributes as auth. relevant,
global cost center: this is based on hierarchy authorisation
local cost center: this is based on value authorisation.
There is one-to-one mapping between glocal cost center and local center. Users would request authorisation on either of them but they can ask for authorisation for more than one role with different combination.
I have created three analysis authorisation for the below scenarios:
1: Role_1 has Auth_1 with the below values
global cost center: X (node)
local cost center: * (as users have no knowledge about the mapping)
This works fine.
2: Role_2 has Auth_2 with the below values
global cost center: * (as users don't know the mapping)
local cost center: A
This works fine as well.
3: Role_3 has auth_1 and auth_2.
This doesn't work. It throws authrisation error.
Can you please suggest how can scenario 3 work.
Thanks in advance
Regards
Hi Max,
Unlike ECC Auth Objects, Analysis Auths always work on the concept of Intersection. Which means when you run query for a particular input selection and you have multiple analysis auth assigned, then queries will only be executed if input selection falls within the intersected region for the characteristics in two analysis auths.
Therefore effectively when you assign auth_1 and auth_2 to an user, user gets the following access:
global cost center: Node
local cost center: A
Can you confirm if the user is selecting the above values while executing queries and still getting authorization error?
I didn't understand the requirement of Role_3 = Auth_1+Auth_2 though, but if you can explain the requirement, I can try to suggest some solution.
Thanks,
Deb
Similar Messages
-
BI7 Analysis Authorisations - relationship between value & hierarchy auths
Hi all
Does anybody know how we can set up the new analysis authorisations to allow a user to use a Query selection for cost centre based upon a hierarchy and yet restrict the cost centre data they can display by value authorisations?SDN is the place to discuss technical problems..
Please avoid such weird post.
G@urav. -
Hierarchy Analysis Authorisation
Hi All
We are trying to limit the output of a HR Sickness report depending on the user's position in the Org Structure hierarchy. We can't use structural authorisation as its not maintained in ECC.
We have the org struct in BI and we want to setup dynamic Analysis Authorisation (AA). So we want to create AA with hierarchy restriction on 0orgunit based on a variable. Then at runtime the variable is populated by ABAP with the user's org unit. The report then shows the data for the user's org unit (and all other org units below in the org structure).
In RSECADMIN I can create a new authorisation object and add 0orgunit to it. On the Hierarchy Authorisations tab I hit the create button and select orgeh hierarchy . Then I press the 'select variable' button and I get the error message 'No variable of type Customer/SAP exit for characteristic 0ORGUNIT exists'.
What am I doing wrong? Where do I specify a variable for 0ORGUNIT so that it can be available in the selection screen?
Thanx
Asifhttps://wiki.sdn.sap.com/wiki/display/BI/AuthorizationinSAPNWBI
http://www.sdn.sap.com/irj/scn/events?rid=/library/uuid/ded59342-0a01-0010-da92-f6b72d98f144&overridelayout=true
Go through these links. Hope this would help you. -
BI analysis authorisations direct assign to user in RSECADMIN
Hello,
In RSECADMIN it is possible to directly assign the 'analysis authorisations' to user-id's
It is also possible to assign the 'analysis authorisations' to a role via the authorisation object S_RS_AUTH
Can somebody tell me
- what are the pros and cons of directly assigning the analysis autorisations to the users in the RSECADMIN ?
- In which situation is direct assigning in RSECADMIN used ?
- IS dirtectly assigning to users in RSECADMIN in a production environment critical?
- what does SAP propose: directly assigning in analysis authorisations our via a role
In our case we have the situation of
BI system with a large number of analysis authorisations. The values of the analysis authorisations should be
maintainable in production environment.
We have also to take in mind:
- Roles are added to users via CUA ( RSECADMIN is not maintainable via CUA)
- Business Objects is coming. So set up the authorisations that they can be used for Business Objects
- Flexible ( new autorisation relevant info Objects) should be easy adeptable.
What we want to use is
- assigning analysis authorisations via a single role ( in a composite ) to the user
- a variable in the analysis authorisations as field value of a characteristic. In that case the values can be
assigned dynamically in production.
the data access role has the link to the analysis autorisations in the RSECADMIN.
this analysis authorisation contains variables instead of a fixed field value.
The values of the variables are maintained in a table in a production environment
Is using directly assigning analysis authorisations to users in the RSECADMIN in the production environment an alternative ?
Thanks for your answers
With Kind Regards,
Vincent
Edited by: Vincent Willems on Apr 7, 2011 10:37 AMHello Vincent,
My way of working is to follow the structure you have in the providing systems. If you have created a role for a production employee then try to translate the roles for the production analysis the same way in BI. You can use the s_rs_auth object. In HR you can use structural authorizations, you can use some programs to set the structural authorizations in BI and that will be done by creating an analysis object and add this to the user involved. Also updates from structural authorizations will be done automatically by these programs. I should not add your own objects to single users, that is a lot of maintenance you do not want. Use in BI the same concept as in the providing systems, it is more clear for anyone who has to work with it.
Have fun
Bye
Jan van Roest
PS. Did you solve your problem? If so please close your question
Edited by: J. van Roest on Jul 7, 2011 12:51 PM -
Hi,
Query regarding Analysis Authorisation.....
I had a 3 Queries based on a Multiprovider which is a combination of 10 Info Cubes....
Where do i need to implement my authorisation on Multiprovider level or at the cube level..as data is avaliable in cube
ThanksHi there,
You need at MultiProvider level.
Assign points if helpfull.
Diogo. -
Doubt in Analysis authorisations
i have implemented analysis authorisations in BW 7.0 System
After that when i login to the query using a user id where analsysis authorisation is implemented,
I could not see the Report directly. I have to apply filter and then only i was able to view the report.
My question is, when u implement analysis authorisations , you will be able to view the report direcly or you will be able to view the report only after applying filters> You need a authorization-variable in your filter for
> the infoobject IO_DEPT.
Be aware that there is no need to use authorization variables in SAP BI 7.0!!!
This is one of the great GREAT advantadges of using analysis of authorizations.
What you need is to define the adequate authorizations to access query/workbook and funcionality. Analysis authorizations does not relate with funcionality access, only with providers and data access.
Q: "When ever u implement Analyis Auth, you will be able to see filtered data directly or you have to do that Filter changes and only view the data. "
A: You only view the data, no need to filter. Once again, use the log from the analysis authorization to see the information the system provides.
I defined the following technical objects in a
separate "technical authorization":
0TCAACTVT Activity in Analysis Authorizations
0TCAIPROV Authorizations for InfoProvider
0TCAKYFNM Key Figure in Analysis Authorizations
0TCAVALID Validity of an Authorization
Message was edited by:
Miguel Costa -
Looking to Migrate to Analysis Authorisation from 3.x Migration
Hi Masters,
we are migrating our system from Old Authoristaion to new Analysis Authorisation.
Need some information like:-
1) What should be checked as a part of Impact Anaylsis at the start.
2) What will be the Impact on the existing Authorisation
3) Whether We have to create new roles or the existing Role will work.
Please respond quickly so that I can Start working on that.
TIA.
Regards,
Amit Kumar TrivediHi,
Have a look at below threads for similar query, hope it helps.
Analysis Authorization - Problem with navigation attribute
BI Authorizations : Regarding Analysis Authorization
Analysis Authorization & its compaitbility with BW 3.5 Query
http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/9000928e-dd3d-2e10-9ca1-a00f249305b7?QuickLink=index&overridelayout=true
Regards,
Mani -
":" in analysis authorisation objects
Hi,
We made 0DEPARTMENT as authorisation relevant.
In one of our Analysis Authorisation Objects(Rsecadmin) Settings for 0DETARTMENT IS = :
What exactly ":" represents
Thanks in advanceHi,
The colon( value is used in BW to authorise display of aggregates. If you are using company code in the free characteristics and do not restrict on it to authorised values, you need to maintain : for it. Once you drill down on it (or equivalently put it in the rows) you need the actual values to be maintained in the authorisations as well.
Have you investigated the use of authorisation variables? You can maintain the values 1000 and 3000 in the authorisation and restrict the characteristic with an authorisation variable. This will ensure that the query is run for only the authorised values. This will work irrespective of whether you use company code in the rows or free characteristics.
Thanks,
Venkat -
Dear all,
i have the following question:
I would like to restrict a user for the following settings:
1. The user is allowed to access the following infoobjects:
Version 100 on Infocube 1 and Posting level 00 -10
2. The same user is allowed to access
Version 101 on Infocube 2 and Posting level 00 - 30
For both requirements i created 2 analysis authorisations:
But after assigning both authorisations the following happens:
The user has access on each infocube to all versions and all Posting level.
How i have to handle this problem???Hi Christina,
The concept of Analysis Authorization is newer Authorization concept in BI 7.0. As per this concept system first checks the following three Characteristics:
0TCAIPROV
0TCAACTVT
0TCAVALID
And all these three characteristic must satisfy the users authorization then only system will check the other authorization for that user.
So for your issue you have to define these three characteristics first
0TCAIPROV: Name of your infoprovider
0TCAACTVT: Activity for which you want to authorize the user
such as 1 - Create
2 - Change
3 - Display
- For all Activity
So as per the need you can give the authorization to the user (1,2,3 or *)
0TCAVALID: If you want to give a validity then specify here or
give * value
So as per these guidelines you have to define both the analysis authorization.
Kindly make sure that the user does not have the BI_ALL or SAP_ALL Authorization as this authorization give the full access to the user and ignore any other restriction given by other authorization.
Hope I could help you in this regard.
Kindly Asign points if useful...
Regards,
Abhi -
Hi all,
I've just started working on a new project and am familiarising myself with the build. Part of this is the BI analysis authorisations, of which there are over a hundred. Rather than attempt to view these inividually is there a table that can give me this info, rather like AGR_1251 but for analysis auths?
Thanks,
Nick.Hi,
tables of analysis authorization for RSECADMIN are
RSECHIE_CL Change log of hierarchy authorizations
RSECUSERAUTH BI Analysis authorization assignment to users
RSECUSERAUTH_CL BI Analysis authorization assignment to users
RSECTXT_CL Change log of authorization texts
RSECVAL_CL Change log of Authorization Value Status
RSECBIAU Changes to Authorization (Last Changed By]
You can find more table start with RSEC* just check with F4 in SE16.
Hope this helps
Edited by: connecpk on Feb 1, 2010 4:49 PM -
Hi, is there any table I can use to determine the content of analysis authorisations assigned to users rather than look individually in each user via RSECADMIN? Thanks, Mark.
Hi Mark,
I hope you have posted the question in multiple areas. Please post all the BI related questions in BI forums. However, you can refer all the RSEC* tables. Below are the tables that stores analysis authorizations information:
RSECHIE - Status of hierarchy authorizations
RSECTXT - Authorization text
RSECVAL - Authorization Value Status
RSECBIAU - Changes to Authorization (Last Changed By]
RSECUSERAUTH - BI Analysis authorization u2013 assignment to users
Change log tables:
RSECUSERAUTH_CL - Assignment of users
RSECHIE_CL - Change log of hierarchy authorizations
RSECTXT_CL - Authorization texts
RSECVAL_CL - Authorization Value Status
Hope this helps!!
Rgds,
Raghu -
Analysis authorisation settings
Hi All
When using the standard business content characteristics , 0TCAACTVT,0TCAIPROV,and 0TCAVALID, within analysis authorisations. Do these characteristics need flagging as authorisation relevant in all clients, Dev Uat and Prodn, as at present they are only authorisation relevant in our Dev client, even though the authorisation exists in all clients.
Thanks
SimonHi,
Yes, these characteristics need to remain flagged as authorization relevant in all systems and clients. If not, please ensure to transport these characteristics from DEV first before transporting analysis auths.
Thanks,
Deb -
Deleting Automatic Generated Analysis Authorisation
Dear All,
We are generating Value and Hierarchy analysis authorisation automatically with the help of DSOs 0TCA_DS01 and 0TCA_DS02.( through RSECADMIN )
Upon generation everytime, it first deletes all the previously generated analysis authorisation ( for the users that are available in these DSOs ) and creates new ones with the name starting as RSR_*.
If the username for a particular user is not present in these DSOs, system will not delete / create anything for those users.System deletes / creates analysis authorisations only for those users that are available in these DSOs.
Suppose a user a going out from the organisation, in that case we need to manually find out all the analysis authorisations ( RSR_* ) that were previously generated for that user and delete the analysis authorisations manually.
This is time consuming process.
Could you please advise any automatic / simpler way for deleting previously generated analysis authorisations for such users.
Assume that these users are not available in the new data loaded in these DSOs.
Thanking You,
Tarun Brijwani.Hi Tarun,
If a data record with the user name 'D_E_L_E_T_E' is loaded into the DataStore object 0TCA_DS01, first the generated authorizations for all users in the BI system for the DataStore object record are completely deleted (separated by the first part of the name before the digits) and then generated for the rest of the data.
Please refer the following link for more information.
http://help.sap.com/saphelp_nw70ehp1/helpdata/en/55/46eb411a7f6324e10000000a1550b0/frameset.htm
Thanks,
Krishnan -
Sharing one navigation item to two analysis items
Hello Experts,
I want to use only one navigation pane for two analysis items. Any body is having an idea how to integrate one navigation item to two analysis items.
Regards,
AbhiIf I got it, you want to have one filter affecting two tables.
In workbook, create two analysis grids and one navigation pane.Then assign the same data providers to navigation pane and two analysis tables(and give the same names).Then, when you change something in navigation pane, two tables will be affected.
Step by step document for workbook:
http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/d032116a-1ba6-2e10-8db6-d84e7dcc9975?QuickLink=index&overridelayout=true -
OBIEE lookup between two analysis?
Is it possible to create an excel 'vlookup' style linkage between two analysis in OBIEE?
For example:
Analysis A has a list of customer ID's and their YTD revenue.
Customer_Id
YTD_Revenue
1234
$54321
4321
$12345
Analysis B has a customer ID's and total AR billings for the year:
Customer_Id
YTD_Billings
1234
$231
4321
$894
Is it possible to "lookup" the YTD revenue by Customer_Id from the first analysis and use it in the second? I know this can be accomplished in SQL with sub-queries, but I'm not sure if I can do this in the OBIEE.It depends on what you would like to accomplish. You have three options:
1) Create a union all request. Create 3 columns: Customer_id, YTD_Billings and YTD_Revenue. In the first part of the union use Customer_Id and YTD_Billings and a surrogate column (''). The second part of the union has Customer_Id, a surrogate column and the YTD_Revenue column.
2) create an Advanced filter - Sub query. Filter the report on the results of the other report.
3) Direct Database request. Use a query as you like as a source for your report.
Maybe you are looking for
-
web page automatically loads up each time and the exist bottom is disabled on the screen.
-
Windows task bar no longer auto hides when I fullscreen a flash video.
Like the question reads, my task bar is no longer auto hiding when I full screen flash videos in firefox. Other than the obvious issue of it just being unsightly and annoying, It also causes a few other problems. One being that the computer no longer
-
Nokia X6 - In-car holder advice ...
Hi chaps, I had a go at sat nav over the weekend and was really impressed with it. I am going to get the nokia X6 car holder (CR-120) as it looks the part. However, I just have 2 questions :- a) I have a silicon cover over my X6 making it about 53mm
-
Is there a way to show banners (in the lock screen) to notify of a new message withough showing the name of the sender, as for business purposes this can sometimes be confidential? Ie. I want it to just say for example 'whatsapp message', rather than
-
Our corporation is mandated by privacy laws within provincial legislation that prevents us from using cloud based storage outside of our province for the storage of data. We are unable to continue using Adobe products based on the new subscription b