on 07-15-2016 11:48 PM
Hi,
We are on BW 7.4 HEC.
I've an authorization object ZAUTH created on characteristic 0COMPANY and activated this on infocube Z_COMPIC.
Then, i created a role ZROLE123 with a value "123" for above authorization object and restricted BEx query ZQUERY1 with a authorization variable created on characteristic 0COMPANY.
We've a user XXXXX assigned to role ZROLE123 yet when this user execute above query, all companies are coming up instead of just "123" data. Could someone guide on what i may have missed or how to analyze this issue.
User XXXXX also assigned to authorization object 0BI_ALL. (if i remove this from user, BEx query doesn't execute and SU53 shows "missing authorization 0BI_ALL").
Appreciate any insights.
Hi,
I think you forgot something..You need to replace the 0BI_ALL with the auth you have created which is ZAUTH..
Regards,
Loed
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi,
What are the authorizations assigned on the user? May I see the ZAUTH and ZROLE123? Did you add all the needed infoobjects in your auth management like the auth object for 0TCAACTVT, 0TCAIPROV, 0TCAVALID, etc?
Did you follow any doc? Try these docs..
Regards,
Loed
Hi Loed,
thanks for pointing to helpful document. Looks like i've not added 3 mandatory characteristics as per your document. But, when i try to add, getting message "
Should i make these 3 chars "authorization relevant"? if yes, does it affect any other info areas because, we've other things already in production. As this seems like a business content, wondering if changing this affects authorizations for any other objects in the system. FYI that we are implementing BI relevant authorizations for the 1st time.
Hi,
I flagged all mandatory chars as "Auth relevant". Now, values populated in ZAUTH are getting passed to "Authorization variable" for Query. But, i'm getting error that "No authorization" after executing the query. SU53 reveals that user needs "0BI_ALL". When i assign this authorization object, no values from ZAUTH are being passed to variable and user is able to run for all values not just 123. Any other thoughts?
Hi,
Login to your BW system using YOUR username..In RSECADMIN, go to ANALYSIS tab, then EXECUTION AS..Type the name of the user you wanted to test the auth, check WITH LOG, click RSRT in the POSSIBLE TRANSACTIONS, then click START TRANSACTION..Type the name of the query then execute..After showing the NO AUTH error message, just click the back button (GREEN ARROW) until you reach the 3rd tab again of RSECADMIN..Then click the DISPLAY LOG and post check your missing authorization..
Regards,
Loed
Perfect. DISPLAY LOG has shown "what is missing on a different characteristic". it's strange, SU53 is giving something else that is not relevant and contrary to RSECADMIN log. issue is now resolved. thanks a lot Loed for your help from beginning to the end in identifying and fixing it. greatly appreciate it.
on a sideline, i've another question. We need to create around 50 roles for 50 companies. Does it mean, i need 50 of ZAUTH objects 1 for each company? can this be done via upload as opposed to manually create each one? Or any other means of creating mass authorization objects?
Hi,
Good to know that your problem was already solved..
About the 50 auths, you may use the tcode LSMW..Just ask any of your colleague or an ABAP member on how to use it..I'm using the tcode LSMW if I need to do routinary tasks..So I think you can also apply it in your scenario..I used it before to change the initial password of 1000+ users..
Regards,
Loed
Hi Loed,
How do i do "info-provider" specific authorizaions. (in older BI systems, we did it in RSSM where we create auth object and then assign infoproviders". But,in RSECADMIN, i'm not getting option where i can specify InfoProviders for corresponding auth object. I wanted to restrict "authorizaion effect" only on certain infoproviders.
I see option "Infoprovider" in RSECADMIN but it is only helping to filter BW characteristics specific to that infoprovider not necessariry "infoprovider specific authorizations". Any thoughts?
Loed,
thanks for your prompt reply. Not sure how to use 0INFOPROV that is not authorization relevant. Changing this will have a very big impact on many things.
This is what i'm trying to do.
I want userA be able to see COMPANY 123 data on Z_IP1 info provider.
At the same time,
I want userA be able to see all COMPANY data on Z_IP2 info provider.
Problem is that I can't specify combinations of (company 123 and Z_IP1) & (all companies and Z_IP2) in Z_AUTH.
Hope i'm clear. (In obsolete methods, RSSM gives option to have Z_AUTH only active on Z_IP1 and not Z_IP2 that way it served my purpose in the past).
User | Count |
---|---|
95 | |
11 | |
11 | |
10 | |
9 | |
8 | |
6 | |
5 | |
4 | |
4 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.