
BEx Query Authorization object issue

former_member199935
Participant
0 Kudos

Hi,

We are on BW 7.4 HEC.

I've an authorization object ZAUTH created on characteristic 0COMPANY and activated this on infocube Z_COMPIC.

Then, I created a role ZROLE123 with a value "123" for the above authorization object and restricted BEx query ZQUERY1 with an authorization variable created on characteristic 0COMPANY.

We have a user XXXXX assigned to role ZROLE123, yet when this user executes the above query, all companies are coming up instead of just "123" data. Could someone guide me on what I may have missed or how to analyze this issue?

User XXXXX is also assigned to authorization object 0BI_ALL. (If I remove this from the user, the BEx query doesn't execute and SU53 shows "missing authorization 0BI_ALL".)

Appreciate any insights.

Accepted Solutions (1)


Loed
Active Contributor
0 Kudos

Hi,

I think you forgot something. You need to replace the 0BI_ALL with the auth you have created, which is ZAUTH.

Regards,

Loed

former_member199935
Participant
0 Kudos

Hi Loed,

Thanks for your reply. The user already has ZAUTH, as I've assigned the ZAUTH authorization object in role ZROLE123, which was assigned to the user. Is this what you are referring to?

Loed
Active Contributor
0 Kudos

Hi,

What are the authorizations assigned to the user? May I see the ZAUTH and ZROLE123? Did you add all the needed infoobjects in your auth management, like the auth object for 0TCAACTVT, 0TCAIPROV, 0TCAVALID, etc.?

Did you follow any doc? Try these docs.

http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/101fb4f5-eb7c-2c10-5daa-b479c47f0...

Regards,

Loed

former_member199935
Participant
0 Kudos

Hi Loed,

Thanks for pointing to the helpful document. Looks like I've not added the 3 mandatory characteristics as per your document. But when I try to add them, I get the message "Characteristic 0TCAACTVT not authorization relevant".

Should I make these 3 chars "authorization relevant"? If yes, does it affect any other info areas? We have other things already in production. As this seems like business content, I'm wondering if changing this affects authorizations for any other objects in the system. FYI, we are implementing BI relevant authorizations for the 1st time.

Loed
Active Contributor
0 Kudos

Hi,

Yes, you need to tick the 3 mandatory objects as AUTH RELEVANT. It will not affect anything.

Anyway, implement it first in your DEV server to test it.

Regards,

Loed

Former Member
0 Kudos

Hi,

I flagged all mandatory chars as "Auth relevant". Now, values populated in ZAUTH are getting passed to the "Authorization variable" for the query. But I'm getting the error "No authorization" after executing the query. SU53 reveals that the user needs "0BI_ALL". When I assign this authorization object, no values from ZAUTH are being passed to the variable and the user is able to run for all values, not just 123. Any other thoughts?

Loed
Active Contributor
0 Kudos

Hi,

I need to see your config with ZAUTH and ZROLE123.

Or test the query first in RSECADMIN: on the 3rd tab, just enter the username you wanted, then enter the query and run. You will get the authorization error message. Check if it's the same as in SU53.

Regards,

Loed

former_member199935
Participant
0 Kudos

Hi Loed,

I tested the query in RSECADMIN and got the below error message.

Then, I tried SU53, and see the below info.

I tested the query in BEx and got the error message "No Authorization".

Then, SU53 has the below info.

Here is the role definition.

Here is the ZAUTH authorization object definition.

Loed
Active Contributor
0 Kudos

Hi,

Log in to your BW system using YOUR username. In RSECADMIN, go to the ANALYSIS tab, then EXECUTION AS. Type the name of the user you wanted to test the auth for, check WITH LOG, click RSRT in the POSSIBLE TRANSACTIONS, then click START TRANSACTION. Type the name of the query, then execute. After it shows the NO AUTH error message, just click the back button (GREEN ARROW) until you reach the 3rd tab of RSECADMIN again. Then click DISPLAY LOG and post/check your missing authorization.

Regards,

Loed

former_member199935
Participant
0 Kudos

Perfect. DISPLAY LOG has shown "what is missing on a different characteristic". It's strange, SU53 is giving something else that is not relevant and contrary to the RSECADMIN log. The issue is now resolved. Thanks a lot, Loed, for your help from beginning to end in identifying and fixing it. Greatly appreciate it.

On a sideline, I have another question. We need to create around 50 roles for 50 companies. Does it mean I need 50 ZAUTH objects, 1 for each company? Can this be done via upload as opposed to manually creating each one? Or are there any other means of creating authorization objects in mass?
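
Added example, not part of any post in this thread and not SAP code: a simplified Python model of the behaviour reported above, showing why 0BI_ALL widens the 0COMPANY variable to all values and why ZAUTH alone fails until every authorization-relevant characteristic is covered. The evaluation rules are a simplification, the sample values are constructed, and ZOTHER is a hypothetical characteristic, since the thread does not name the one that was missing.

```python
# Simplified model of BW analysis-authorization checks (an assumption for
# illustration, not SAP code). An authorization maps characteristic -> values.
ALL = "*"
BI_ALL = "0BI_ALL"  # modelled as "* on every authorization-relevant characteristic"

def applies(auth, provider):
    """An authorization counts only if its 0TCAIPROV covers the InfoProvider."""
    return auth == BI_ALL or bool({ALL, provider} & auth.get("0TCAIPROV", set()))

def variable_values(auths, provider, characteristic):
    """Values an authorization variable on `characteristic` is filled with."""
    values = set()
    for auth in auths:
        if not applies(auth, provider):
            continue
        values |= {ALL} if auth == BI_ALL else auth.get(characteristic, set())
    return {ALL} if ALL in values else values

def missing_characteristics(auths, provider, selection):
    """Return [] if one authorization covers the whole selection, else the
    uncovered characteristics of the closest one (what a check log would show)."""
    best = sorted(selection)  # with no applicable authorization, all are missing
    for auth in auths:
        if not applies(auth, provider):
            continue
        if auth == BI_ALL:
            return []
        gaps = [c for c, wanted in sorted(selection.items())
                if ALL not in auth.get(c, set()) and not wanted <= auth.get(c, set())]
        if len(gaps) < len(best):
            best = gaps
    return best

# Constructed sample data. ZOTHER is a hypothetical second authorization-relevant
# characteristic; the thread does not name the one that was actually missing.
ZAUTH = {"0COMPANY": {"123"}, "0TCAACTVT": {"03"},
         "0TCAIPROV": {"Z_COMPIC"}, "0TCAVALID": {ALL}}
ZAUTH_FIXED = {**ZAUTH, "ZOTHER": {ALL}}

def run_query(auths):
    """Fill the 0COMPANY variable, then check the resulting selection."""
    company = variable_values(auths, "Z_COMPIC", "0COMPANY")
    selection = {"0COMPANY": company, "ZOTHER": {ALL}, "0TCAACTVT": {"03"}}
    return company, missing_characteristics(auths, "Z_COMPIC", selection)

if __name__ == "__main__":
    for label, auths in [("ZAUTH + 0BI_ALL", [ZAUTH, BI_ALL]),
                         ("ZAUTH only", [ZAUTH]), ("ZAUTH fixed", [ZAUTH_FIXED])]:
        print(label, run_query(auths))
```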

Loed
Active Contributor
0 Kudos

Hi,

Good to know that your problem was already solved.

About the 50 auths, you may use the tcode LSMW. Just ask any of your colleagues or an ABAP member how to use it. I'm using the tcode LSMW if I need to do routinary tasks. So I think you can also apply it in your scenario. I used it before to change the initial password of 1000+ users.

Regards,

Loed

former_member199935
Participant
0 Kudos

Hi Loed,

How do I do "info-provider" specific authorizations? (In older BI systems, we did it in RSSM, where we create the auth object and then assign infoproviders.) But in RSECADMIN, I'm not getting an option where I can specify InfoProviders for the corresponding auth object. I wanted to restrict the "authorization effect" only to certain infoproviders.

I see the option "Infoprovider" in RSECADMIN, but it only helps to filter BW characteristics specific to that infoprovider, not necessarily "infoprovider specific authorizations". Any thoughts?

Loed
Active Contributor
0 Kudos

Hi,

I think you may use the 0INFOPROV infoobject, or try to check it in the authorization of the user in PFCG. There is an infoprovider option there.

Regards,

Loed

former_member199935
Participant
0 Kudos

Loed,

Thanks for your prompt reply. Not sure how to use 0INFOPROV, which is not authorization relevant. Changing this will have a very big impact on many things.

This is what I'm trying to do.

I want userA to be able to see COMPANY 123 data on the Z_IP1 info provider.

At the same time,

I want userA to be able to see all COMPANY data on the Z_IP2 info provider.

The problem is that I can't specify combinations of (company 123 and Z_IP1) & (all companies and Z_IP2) in Z_AUTH.

Hope I'm clear. (In obsolete methods, RSSM gives the option to have Z_AUTH only active on Z_IP1 and not Z_IP2; that way it served my purpose in the past.)

Loed
Active Contributor
0 Kudos

Hi,

How about activating the AUTH RELEVANT in DEV and testing it for possible problems? Else, you may just open another thread so that others would see this other scenario of yours.

Regards,

Loed

Answers (0)