Problem defining two analysis authorizations for o...

BeateQ · ‎12-10-2013

Hello,

I have the following requirement according to analysis authorizations, but after reading several discussion, help documents and notes I think it is insolvable - or has anyone an idea? We are on BI 7.0

I have two authorization relevant info objects in an Info Provider, info object 0FUNDS_CTR and 0PU_MEASURE. Now it should be possible, that a user has, for example, authorization for 0FUNDS_CTR value 10 and on this funds center a restriction on 0PU_MEASURE values L1,L2, L3.

He should also have authorization for 0FUNDS_CTR value 20, but on this he should only see 0PU_MEASURE value L4 (and not L1,L2 and L3).

So I defined two analysis authorizations:

AUTH1:

0FUNDS_CTR: 10

0PU_MEASURE: L1, L2, L3

AUTH2:

0FUNDS_CTR: 20

0PU_MEASURE: L4

I assigned this two analysis authorizations to the user.

In the query on the Info Provider, I defined selections on 0FUNDS_CTR and 0PU_MEASURE with authorization variables.

But when executing the query for the user, authorization check fails.

Reading note 1233793, 1000004, 1234567 I understood why this happens:

First, the following is analyzed:

0FUNDS_CTR IN ('10','20')

AND 0TCAACTVT = '03'

AND 0PU_MEASURE LIKE *

It is proved against AUTH1 and a remaining set that is not yet authorized is determined for L4.

No authorization for 0FUNDS_CTR 10 and 0PU_MEASURE L4 is found, so the authorization check fails (some other following checks fail, too).

So, has anybody an idea whether it is possible to implement a query, so that for the first funds center 10 only L1,L2,L3 is authorized for this user and for the second funds center 20 only L4 is displayed? We have a lot of 0FUNDS_CTR/0PU_MEASURE combinations and assignments to users, so that a authorization based solution seems to be the only way....

Best Regards

Beate

BeateQ · ‎12-11-2013

Hi,

Thanks for your advices, but they don't help.

I tested the different role solution, although it is not practicable for us as we have a lot of funds centers and we want to generate the analysis authorizations - nevertheless, it didn't work.

So, the problem is that beside having a lot of 0FUNDS_CTR/0PU_MEASURE combinations, every user can have the authority for a lot of funds centers.

I think, the main problem is, that in a query I can't select on characteristic combination (in the sense of: if you have fundscenter A then select 0PU_MEASURE values L1 and L2, if you have fund center B, then choose L3 and L4...). Defining this in a structure with selection for each fund center would be a hard work, also working with different variables seems to be no solution for me...

So, the result of the rsecadmin check looks like this:

I have two analysis authorizations assigned to my test user:

AUTH1:

0FUNDS_CTR: 101250

0PU_MEASURE:H1705, L01, L61

0TCAACTVT = '03'

AUTH2:

0FUNDS_CTR: 324600

0PU_MEASURE:H0066,L35

0TCAACTVT = '03'

-------------------------------------------------------------------------------------

Protokoll der Berechtigungsprüfung

Eine allgemeine Beschreibung finde Sie in Hinweis1234567

Datum und Ausführungszeit (auf lokalem Server)

Ausführungsdatum:11.12.2013

Ausführungszeit: 08:17:53

Ausgeführte Query: C_0PU_KLE/YREP_KTO_LHH_EINZEL

Transaktion RSRT ( BW - Test der Ausgabe )

Ausgeführt durch Benutzer BQUESTER

Ausgeführt mit Analyseberechtigungen eines anderen Benutzers PRTUSR1

Softwarekomponente	Release	Level	Support Package
SAP_BASIS	700	0029	SAPKB70029
SAP_ABA	700	0029	SAPKA70029
SAP_BW	700	0031	SAPKW70031

InfoProvider-Prüfung

Aufbau des Puffers...

...Puffer aufgebaut

Gibt es Berechtigungen für den Zugriff auf InfoProvider C_0PU_KLE mit Aktivität 03?

Berechtigung für allgemeinen Zugriff auf InfoProvider C_0PU_KLE mit Aktivität 03 vorhanden

Relevante Merkmale für die detaillierte Berechtigungsprüfung

(Merkmale mit voller Berechtigung werden nicht aufgelistet!)

Liste der effektiv berechtigungsrelevanten Merkmale für InfoProvider C_0PU_KLE:

Merkmal

0FUNDS_CTR

0PU_MEASURE

Berechtigungsprüfung
Detail-Prüfung für InfoProvider C_0PU_KLE

Vorverarbeitung:
Selektion wird auf Konsistenz überprüft, vorverarbeitet und eventuell ergänzt
Teilselektion (technisch SUBNR) 1
Überprüfe Knotendefinitionen und Werteberechtigungen...
Knoten- und Werteberechtigungen sind in Ordnung
Ende der Vorverarbeitung

Füllen des Puffers...
...Puffer gefüllt
Hauptprüfung:

Teilselektion (technisch SUBNR) 1
Ergänzung der Selektion für aggregierte Merkmale
Keine Prüfung auf Aggregationsberechtigung notwendig

Folgende Menge wird geprüft

Vergleich mit folgender berechtigten Menge

Ergebnis

Restmenge

Merkmal	Inhalt (in SQL-Format)
0FUNDS_CTR 0PU_MEASURE 0TCAACTVT	0FUNDS_CTR IN ('101250','324600') AND 0PU_MEASURE IN ('H0066','H1705','L01','L35','L61') AND 0TCAACTVT = '03'

Merkmal	Inhalt
0FUNDS_CTR	I EQ 101250
0PU_MEASURE	I EQ H1705 I EQ L01 I EQ L61
0TCAACTVT	I CP *

Teilweise oder ganz berechtigt (Schnittmenge)

Merkmal	Inhalt (in SQL-Format)
0FUNDS_CTR 0PU_MEASURE 0TCAACTVT	0FUNDS_CTR = '101250' AND 0PU_MEASURE IN ('H0066','L35') AND 0TCAACTVT = '03' OR 0FUNDS_CTR = '324600' AND 0PU_MEASURE IN ('H0066','H1705','L01','L35','L61') AND 0TCAACTVT = '03'

Werte-Selektion teilweise berechtigt. Prüfung Rest(e) am Ende.

Folgende Menge wird geprüft

Vergleich mit folgender berechtigten Menge

Ergebnis

Restmenge

Merkmal	Inhalt (in SQL-Format)
0FUNDS_CTR 0PU_MEASURE 0TCAACTVT	0FUNDS_CTR = '101250' AND 0PU_MEASURE IN ('H0066','L35') AND 0TCAACTVT = '03' OR 0FUNDS_CTR = '324600' AND 0PU_MEASURE IN ('H0066','H1705','L01','L35','L61') AND 0TCAACTVT = '03'

Merkmal	Inhalt
0FUNDS_CTR	I EQ 101250
0PU_MEASURE	I EQ H1705 I EQ L01 I EQ L61
0TCAACTVT	I CP *

Nicht berechtigt

Folgende Menge wird geprüft

Vergleich mit folgender berechtigten Menge

Ergebnis

Restmenge

Merkmal	Inhalt (in SQL-Format)
0FUNDS_CTR 0PU_MEASURE 0TCAACTVT	0FUNDS_CTR = '101250' AND 0PU_MEASURE IN ('H0066','L35') AND 0TCAACTVT = '03' OR 0FUNDS_CTR = '324600' AND 0PU_MEASURE IN ('H0066','H1705','L01','L35','L61') AND 0TCAACTVT = '03'

Merkmal	Inhalt
0FUNDS_CTR	I EQ 324600
0PU_MEASURE	I EQ H0066 I EQ L35
0TCAACTVT	I CP *

Teilweise oder ganz berechtigt (Schnittmenge)

Merkmal	Inhalt (in SQL-Format)
0FUNDS_CTR 0PU_MEASURE 0TCAACTVT	0FUNDS_CTR = '101250' AND 0PU_MEASURE IN ('H0066','L35') AND 0TCAACTVT = '03' OR 0FUNDS_CTR = '324600' AND 0PU_MEASURE IN ('H1705','L01','L61') AND 0TCAACTVT = '03'

Werte-Selektion teilweise berechtigt. Prüfung Rest(e) am Ende.

Folgende Menge wird geprüft

Vergleich mit folgender berechtigten Menge

Ergebnis

Restmenge

Merkmal	Inhalt (in SQL-Format)
0FUNDS_CTR 0PU_MEASURE 0TCAACTVT	0FUNDS_CTR = '101250' AND 0PU_MEASURE IN ('H0066','L35') AND 0TCAACTVT = '03' OR 0FUNDS_CTR = '324600' AND 0PU_MEASURE IN ('H1705','L01','L61') AND 0TCAACTVT = '03'

Merkmal	Inhalt
0FUNDS_CTR	I EQ 101250
0PU_MEASURE	I EQ H1705 I EQ L01 I EQ L61
0TCAACTVT	I CP *

Nicht berechtigt

Folgende Menge wird geprüft

Vergleich mit folgender berechtigten Menge

Ergebnis

Restmenge

Merkmal	Inhalt (in SQL-Format)
0FUNDS_CTR 0PU_MEASURE 0TCAACTVT	0FUNDS_CTR = '101250' AND 0PU_MEASURE IN ('H0066','L35') AND 0TCAACTVT = '03' OR 0FUNDS_CTR = '324600' AND 0PU_MEASURE IN ('H1705','L01','L61') AND 0TCAACTVT = '03'

Merkmal	Inhalt
0FUNDS_CTR	I EQ 324600
0PU_MEASURE	I EQ H0066 I EQ L35
0TCAACTVT	I CP *

Nicht berechtigt

Alle Berechtigungen getestet
Meldung EYE007: Sie haben keine ausreichende Berechtigung

Keine ausreichende Berechtigung für diese Teilselektion (SUBNR)
Folgende CHANMIDs sind betroffen:
41 ( 0FUNDS_CTR )
48 ( 0PU_MEASURE )
Berechtigungsprüfung abgeschlossen

----------------------------------------------------------------------------------------------------------------------------------------

Regards

Beate

MGrob · ‎12-10-2013

Hi

Have you checked in RSECADMIN what the authorization log suggests the issue is? I believe this should be possible and work. Try to define the variables differently or assign the ":" value to allow the aggregated values.

hope that helps

Martin

former_member182343 · ‎12-10-2013

I suggest you to create:

1st Auth object using RSECADMIN - with values -

0FUNDS_CTR: 10

0PU_MEASURE: L1, L2, L3

0TCAACTVT = '03'

Then assign this object to ROLE1(lets say) and assihn this ROLE1 to User.

2nd Authorisation Objcet using RSECADMIN - with values -

0FUNDS_CTR: 20

0PU_MEASURE: L4

0TCAACTVT = '03'

Then assign this Auth object (2nd) to ROLE2(lets say) and assihn this ROLE2 to User.

Regards,

Vijay

former_member182343 · ‎12-10-2013

Hi,

Did you execute report using RSECADMIN and verify logs. Kindly paste those logs here.

While creating authorization object using T code RSECADMIN - check whether you have restricted values proper or not.

Here you need to assign authorization object to Roles , right. How come you assigned created authorization abject to directly user?

Best Wishes.Vijay

Problem defining two analysis authorizations for one user

Accepted Solutions (0)

Answers (4)

Answers (4)

Vendor Invoice Screen 'Payment' tab screen field '...

I have data like Date, Net, Gross. I want to deriv...

Re: Re Generate Co files and data files

Re: error during install SAP S/4HANA Server 2022

Re: BODS Job Stored Procedure