on 12-10-2013 2:25 PM
Hello,
I have the following requirement according to analysis authorizations, but after reading several discussion, help documents and notes I think it is insolvable - or has anyone an idea? We are on BI 7.0
I have two authorization relevant info objects in an Info Provider, info object 0FUNDS_CTR and 0PU_MEASURE. Now it should be possible, that a user has, for example, authorization for 0FUNDS_CTR value 10 and on this funds center a restriction on 0PU_MEASURE values L1,L2, L3.
He should also have authorization for 0FUNDS_CTR value 20, but on this he should only see 0PU_MEASURE value L4 (and not L1,L2 and L3).
So I defined two analysis authorizations:
AUTH1:
0FUNDS_CTR: 10
0PU_MEASURE: L1, L2, L3
AUTH2:
0FUNDS_CTR: 20
0PU_MEASURE: L4
I assigned this two analysis authorizations to the user.
In the query on the Info Provider, I defined selections on 0FUNDS_CTR and 0PU_MEASURE with authorization variables.
But when executing the query for the user, authorization check fails.
Reading note 1233793, 1000004, 1234567 I understood why this happens:
First, the following is analyzed:
0FUNDS_CTR IN ('10','20')
AND 0TCAACTVT = '03'
AND 0PU_MEASURE LIKE *
It is proved against AUTH1 and a remaining set that is not yet authorized is determined for L4.
No authorization for 0FUNDS_CTR 10 and 0PU_MEASURE L4 is found, so the authorization check fails (some other following checks fail, too).
So, has anybody an idea whether it is possible to implement a query, so that for the first funds center 10 only L1,L2,L3 is authorized for this user and for the second funds center 20 only L4 is displayed? We have a lot of 0FUNDS_CTR/0PU_MEASURE combinations and assignments to users, so that a authorization based solution seems to be the only way....
Best Regards
Beate
Hi,
Thanks for your advices, but they don't help.
I tested the different role solution, although it is not practicable for us as we have a lot of funds centers and we want to generate the analysis authorizations - nevertheless, it didn't work.
So, the problem is that beside having a lot of 0FUNDS_CTR/0PU_MEASURE combinations, every user can have the authority for a lot of funds centers.
I think, the main problem is, that in a query I can't select on characteristic combination (in the sense of: if you have fundscenter A then select 0PU_MEASURE values L1 and L2, if you have fund center B, then choose L3 and L4...). Defining this in a structure with selection for each fund center would be a hard work, also working with different variables seems to be no solution for me...
So, the result of the rsecadmin check looks like this:
I have two analysis authorizations assigned to my test user:
AUTH1:
0FUNDS_CTR: 101250
0PU_MEASURE:H1705, L01, L61
0TCAACTVT = '03'
AUTH2:
0FUNDS_CTR: 324600
0PU_MEASURE:H0066,L35
0TCAACTVT = '03'
-------------------------------------------------------------------------------------
Protokoll der Berechtigungsprüfung
Eine allgemeine Beschreibung finde Sie in Hinweis1234567
Datum und Ausführungszeit (auf lokalem Server)
Ausführungsdatum:11.12.2013
Ausführungszeit: 08:17:53
Ausgeführte Query: C_0PU_KLE/YREP_KTO_LHH_EINZEL
Transaktion RSRT ( BW - Test der Ausgabe )
Ausgeführt durch Benutzer BQUESTER
Ausgeführt mit Analyseberechtigungen eines anderen Benutzers PRTUSR1
Softwarekomponente | Release | Level | Support Package |
SAP_BASIS | 700 | 0029 | SAPKB70029 |
SAP_ABA | 700 | 0029 | SAPKA70029 |
SAP_BW | 700 | 0031 | SAPKW70031 |
InfoProvider-Prüfung
...Puffer aufgebaut
Gibt es Berechtigungen für den Zugriff auf InfoProvider C_0PU_KLE mit Aktivität 03?
Berechtigung für allgemeinen Zugriff auf InfoProvider C_0PU_KLE mit Aktivität 03 vorhanden
Relevante Merkmale für die detaillierte Berechtigungsprüfung
(Merkmale mit voller Berechtigung werden nicht aufgelistet!)
Liste der effektiv berechtigungsrelevanten Merkmale für InfoProvider C_0PU_KLE:
Merkmal |
0FUNDS_CTR |
0PU_MEASURE |
Berechtigungsprüfung Detail-Prüfung für InfoProvider C_0PU_KLE Vorverarbeitung: Selektion wird auf Konsistenz überprüft, vorverarbeitet und eventuell ergänzt Teilselektion (technisch SUBNR) 1 Überprüfe Knotendefinitionen und Werteberechtigungen... Knoten- und Werteberechtigungen sind in Ordnung Ende der Vorverarbeitung Füllen des Puffers... ...Puffer gefüllt Hauptprüfung: Teilselektion (technisch SUBNR) 1 Ergänzung der Selektion für aggregierte Merkmale Keine Prüfung auf Aggregationsberechtigung notwendig
Alle Berechtigungen getestet ---------------------------------------------------------------------------------------------------------------------------------------- Regards Beate |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Dear Beate
May be one crude way of doing it would be to maintain data in 2 seperate cubes. That is for data combination of 0FUNDS_CTR value 10 and 0PU_MEASURE values L1,L2, L3 in one cube &
another for 0FUNDS_CTR value 20 &0PU_MEASURE value L4 .And then report to be made on a multiprovider.
Now have a exit variable for Infoprovider selection which checks for the inputs and directs then to the correct infoprovider.
Regards
Gajesh
Hi
Have you checked in RSECADMIN what the authorization log suggests the issue is? I believe this should be possible and work. Try to define the variables differently or assign the ":" value to allow the aggregated values.
hope that helps
Martin
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
I suggest you to create:
1st Auth object using RSECADMIN - with values -
0FUNDS_CTR: 10
0PU_MEASURE: L1, L2, L3
0TCAACTVT = '03'
Then assign this object to ROLE1(lets say) and assihn this ROLE1 to User.
2nd Authorisation Objcet using RSECADMIN - with values -
0FUNDS_CTR: 20
0PU_MEASURE: L4
0TCAACTVT = '03'
Then assign this Auth object (2nd) to ROLE2(lets say) and assihn this ROLE2 to User.
Regards,
Vijay
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi,
Did you execute report using RSECADMIN and verify logs. Kindly paste those logs here.
While creating authorization object using T code RSECADMIN - check whether you have restricted values proper or not.
Here you need to assign authorization object to Roles , right. How come you assigned created authorization abject to directly user?
Best Wishes.Vijay
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
User | Count |
---|---|
95 | |
11 | |
10 | |
9 | |
9 | |
7 | |
6 | |
5 | |
5 | |
4 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.