Skip to Content
0
Former Member
Mar 07, 2016 at 07:48 AM

BI-IP Roles and Authorisation conflict

83 Views

Dear all, Can anybody help me out by suggesting the solution. We have two roles one is planner and another is view only roles. The planner has given access at combination of members of character A & character B lets say A1 and B1 only. The view only roles have access at multiple members of these character A & B, i.e. A1, A2, A3 ...... & B1, B2, B3..... So When We attach the both roles to user X he gets unauthorised access for writing (02-change) access also for other than planner combinaiton i.e. A1&B1 that means user is able to change data for A1 & B2, A1 & B3 ....etc. Details of authorisaiton. Created a USR Role ="P" Included Authorisations of type object "V1" in the "P" Created a USR role = "D" Included the authorisation of type object "V2" in the "D" Object uses S_RS_AUTH for analysis authorisations we created analysis authorisations as below: "EM001" which defines values for Character A(A1) with Activity type 03 but doesnt define value for character B (Empty dimension). "EM002" which defines values for Character B(B1) with activity type 02 but doesnt define value for character A (Empty dimension). "EM101" which defines values for Character A(A1, A2, A3 ....) with Activity type 02 but doesnt define value for character B (Empty dimension). "EM102" which defines values for Character A( B1, B2, B3....) with activity type 02 but doesnt define value for character A (Empty dimension). EM001 & EM002 are used for Planner(P) for change data at only A1 & B1 level of combination. EM101 & EM102 is used for view only access(D) at combination of A1, A2, A3 .....& B1, B2, B3...... level of combination Reason for defining Character A & Character B in different analysis authorisations is there are hundreds values in Character A and Character B, so if I combine both the authorisations into one I may need to create those many times of authorisations for each combination of A&B values. To avoid that we created Character A values and character B values and combination of these attached in USR Both the roles are wokring fine in isolated. But when both roles (P&D)are given to user then user gets unauthorized access with activity (02-change) for other combinations like A1 & B2 which is not expected. It is come to known that both(P&D) authorizations are defined under common S_RS_AUTH transaction. hence the empty dimensions in analysis authorization are taking values from all other authorizations which are also under same transaction (S_RS_AUTH) Can anybody help how to meet this business requirement and if a user is given a planner (P) role and View only Roles (D) then roles should work independently. there should not be any intermingling. Or do I need need to change the structure of the authorisations.