
Do not allow a user to send data via input form (BPC 10.1 Embedded)

Feb 09, 2017 at 03:30 PM

Former Member

Hello,

Edit: I have used an analysis authorization and now I am able to visualize the data that is assigned in the DAP. However, I cannot change to 'Edit Mode'; it says that I do not have enough authorization. The stranger thing is that if I change my DAP to 'All members' with access 'write' I am able to change to 'Edit Mode'.

Refer to this comment:

http://answers.sap.com/comments/152129/view.html

I have created a user with the minimum authorization objects:

However, when the user logs in to EPM, he can still press the "Edit Mode" button and save data:

What can I do so the user cannot save data?

Thank you.


4 Answers

Marc Alexander Roeder
Feb 14, 2017 at 12:13 PM
2

seems I'm running out of comment depth...

I'm not so worried about the generated role. BPC will know how to interpret the !!!

But slowly, I'm running out of ideas. If the authorization log looks the same for your DELTEST2, you can try to look at the place where the DAP and the backend authorizations are merged.

Go to transaction SE37 and open function module "RSEC_INTERSECTION_BPC". Set an external break-point at the first loop (as the restricted user). When you open your workbook (also as restricted user) the debugger will come up and you can inspect the variables i_thx_bw_auts (the BW-sided authorizations) and i_thx_bpc_auths (the DAP authorizations).

These two sets of authorizations will be intersected to produce the effective authorization. Maybe that gives you a hint what's going on.

If that doesn't help, the only thing I can recommend is opening a ticket -- the support colleagues will have better chances when they can look at the system directly.

Best regards,
Marc

Former Member

Thanks for sharing this Marc!

0
Former Member

Hi Marc,

Thank you so much for your answer.

We have our user DELTEST2 assigned to the DAP "ALL", as you can see:

The problem seems to be in the BPC-side authorizations, because when we inspect the function module "RSEC_INTERSECTION_BPC", the internal table "i_thx_bpc_auths" does not contain the dimensions "ZDATATYPE" and "ZENTITY", as can be seen in the next figure:

Where does this internal table "i_thx_bpc_auths" obtain its values from? We thought it was from the DAP on the BPC side, but that does not seem to be the case.

Thanks.

0

Hi,

the table is called RSBPCE_DAP_DET.

It's read in function module RSEC_READ_BPC_AUTHS. In the same Function group you will find more suggestively-named functions handling authorization questions.

By the way: if you added your provider to the model after you defined the DAP, you might have to save the DAP again (there's a provider column in the DAP table).

Best regards,
Marc

0
Former Member
Marc Alexander Roeder

Hi Marc,

It seems the authorization S_USER_GRP was missing. We have added it and now we are able to see just the members assigned to the DAP.

However, we still have a problem. For instance, I have added my user to the DAP SLOVAKIA:

And when I log into EPM I am able to see just these two entities. However, when I click on "Edit Mode" in order to be able to send data, it says that I do not have enough authorizations.

This is my analysis authorization:

And I have added the activity change:

I have noticed that if I change the Slovakia DAP to 'All members' with 'write' access, I am able to change to 'Edit Mode' and send data. But only if I select 'All members'; when I select just a few (like in the image) I cannot do it.

Any ideas?

Thank you.

0

Hi,

if it explicitly states that you have no authorization, a good starting point is transaction RSECPROT. There you will see why you were refused to write.

Of course, you need to make sure the cells you want to enter are also input-enabled. If you change a value on the lowest level and the cell was marked as input-ready, then you should be able to write with your configuration.

Best regards,
Marc

0
Vadim Kalinin
Feb 09, 2017 at 03:53 PM
0

Please read: http://service.sap.com/~sapidb/011000358700001239962013E

6.8 Authorization Levels and Their Precedence (Embedded only)

Former Member

Hi Vadim,

Thank you for your answer.

I have already read the security guide, but I don't understand why you told me to read section 6.8. As I said, I have already created the authorization objects; the problem is that the user can use the "Save Data" input, and that is something I want to restrict.

Maybe I should use a Data Access Profile and set all dimensions to just read in order to prevent the user from writing?

0

"Maybe I should use a Data Access Profile and set all dimensions to just read in order to prevent the user from writing?" Something like :)

0
Marc Alexander Roeder
Feb 09, 2017 at 05:57 PM
0

Hi Christina,

the issue might be that you selected * for "BI Analysis Authorizations". That means you assigned all analysis authorizations to the role. This includes 0BI_ALL, which is the super-authorization granting access to everything and overrules the DataAccessProfile.

You might want to create an explicit analysis authorization and assign this one instead. If you want to maintain your authorizations on the BPC side, you can be generous with this analysis authorization because it will be intersected with the DAP at runtime.

Best regards,
Marc

Former Member

Thank you for your answer Marc,

But I am still a bit lost with this "BI Analysis Authorizations" object.

At the bottom, I have the six analysis authorizations that I have created in order to restrict the user to view some dimensions:

For example, for ZPVFORECAST:

But if I select these 6 authorizations (3 for the cubes and 3 for the aggregation cubes), when I try to log in to EPM it says that the query is invalid (I suppose that this is because I do not have enough authorizations).

Thanks in advance.

0

In general when you work with BPC it's better to use BPC authorization logic by DAP.

0

It looks like your analysis authorizations are missing the Activity, Provider, Validity fields to work.
You can add them using the Insert Special Characteristics-button.

You may want to check the help page for more details on defining analysis authorizations.

Best regards,
Marc

0
Former Member
Marc Alexander Roeder

I have changed the 6 analysis authorizations, but when I add them to the "BI Analysis Authorizations" object (just them, I deselect the other options):

I receive the error when I log into EPM:

Thank you again.

0

a few ideas what you could check:

  • check the query in transaction RSRT to see whether it works there. This can help to decide whether the issue is more on the BW authorization side or more on the BPC/EPM side
  • if the query works as expected in RSRT, try the query in a different BPC-enabled frontend. Analysis Office usually is a bit more generous when it comes to showing error messages than EPM. You can specify the BPC environment/model in Analysis Office under "Planning Model" of the "Components" tab of the "Design" panel.
    In RSRT, you can specify the environment/model like this (no blanks between the tokens!):

  • check the authorization trace (transaction RSECPROT -- you need to add the restricted user to the table under "Configure Log Recording" first to enable logging)
0
Former Member
Marc Alexander Roeder

Hi Marc,

First of all, thank you for your answer.

1. Your colleague Gersh Voldman told me the same; I have answered in the post below this one. The query works as expected.

2. I tried Analysis Office but the error message was exactly the same:

3. I added my user (DELTEST) to the restricted users and I tried to log into EPM again. Then I checked the Display Error Log and this is the message I have received:

Activity 03 is display, but I have already selected the authorization objects "Manage environment" and "Grant user access to a BPC environment".

Also in Analysis Authorizations I have the following:

What am I doing wrong?

Thank you!

0

From what you describe here, it seems that the issue is on the DAP-side.

The query executes ok with all authorizations green if you use RSRT (as seen in the screenshot you used to answer Gersh). This means that without environment/model context, the authorization is sufficient.

Are you sure you have the right environment/model combination for your user? And did you maintain a DAP (data access profile) in BPC? Without DAP, you will have no analysis authorizations at all when running in BPC context.

Maybe kb article 2403016 helps...

Best regards,
Marc

0
Gersh Voldman
Feb 11, 2017 at 03:01 AM
0

In the same t/a RSECADMIN you can run any query with a selected user. Run it with log and it will show you what authorizations you are missing.

Former Member

Thank you Gersh for your answer,

With only the 6 authorizations (3 for the cubes and 3 for the aggregation cubes):

I have done what you told me, but it seems everything is correct:

However, I get the message when I log into EPM:

Thank you again.

0