Skip to Content

BW security : why UNION do not work authorization issue

Hello,

I need your help in other to understand one point on BW security.

On SAP site, it is written that with BW 7.x it is possible to do « UNION » on authorization Objects ( page 94 on this Link:

https://archive.sap.com/kmuuid2/10ac515c-a04d-2a10-799f-e1641a88ff49/SAP%20NetWeaver%202004s%20Enterprise%20Data%20Warehousing.pdf. )

But in my case, i do not manage to do UNION. In my case, i have :


ROLE 1 with authorization object ZOBJ1, this authorization object contains :

ZSOC = SAP

ZDIR = 01

ZCTR = 111, 112, 113

ZACC = *


ROLE 2 with authorization object ZOBJ2, this authorization object contains :

ZSOC = SAP

ZDIR = 02

ZCTR = 211, 222, 223

ZACC = *


User A have ROLE 1 => it is working good

User B have ROLE 2 => it is working good

User C have ROLE 1 and ROLE 2 => it is not working because it not do UNION as expected, it do INTERSECTION so i have an authorization error .


Can you explain me please why the UNION do not work ? I want to affect to User 3 the combinaison of the two authorizations objects (ZOBJ1 , ZOBJ2).

I really do not understand this issue and how to make UNION work.

Thank you very much.

Add comment
10|10000 characters needed characters exceeded

  • Follow
  • Get RSS Feed

4 Answers

  • Jun 04 at 07:10 AM

    I can confirm you BW is doing an union. Maybe we can help if you explain where do you encounter an error for user C (BW query ? For which selections ?).

    Regards

    Add comment
    10|10000 characters needed characters exceeded

    • Thank you Frédéric for your help.

      User 3 has ROLE 1 and ROLE 2.

      I have a bex query on a multiprovider.

      On the prompt per default , for the user 3, it shows :

      ZSOC = SAP

      ZDIR = 01,02

      ZCTR = 111, 112, 113, 221, 222, 223

      ZACC = *

      That is ok.

      But when i execute i have user not authorized error.

      And on the log, it shows intersection.

      The union do not work.

      Thank yo

  • Jun 04 at 08:51 AM

    This is a normal behavior. To be able to execute this query the user misses the authorizations :

    DIR 02 for ZCTR 111, 112, 113

    and DIR 01 for ZCTR 211, 222 ,223

    If you execute the query for USER 3 on the following selections

    ZSOC = SAP

    ZDIR = 01

    ZCTR = 111, 112, 113,

    ZACC = *

    or

    ZSOC = SAP

    ZDIR = 02

    ZCTR = 221, 222, 223

    ZACC = *

    You should not encounter any error (union of all its authorizations).

    Add comment
    10|10000 characters needed characters exceeded

    • If i have understand.So do you say that i have the create as bellow ?

      ROLE 1 with authorization object ZOBJ1, this authorization object contains :

      ZSOC = SAP

      ZDIR = 01

      ZCTR = 111, 112, 113, 221, 222, 223

      ZACC = *

      ROLE 2 with authorization object ZOBJ2, this authorization object contains :

      ZSOC = SAP

      ZDIR = 02

      ZCTR = 211, 222, 223,111, 112, 113

      ZACC = *

      Thank you.

  • Jun 04 at 09:49 AM

    Yes, then it should work. But your user may have too much authorization if you don't want him to have access to ZDIR 01 for ZCTR 221 (for instance).

    Add comment
    10|10000 characters needed characters exceeded

    • Thank you for your answer.

      But i do bot understand this point : « But your user may have too much authorization if you don't want him to have access to ZDIR 01 for ZCTR 221 (for instance). »

      Do you say that , the user 1 who have ROLE 1 may with this modification acces to much autorisation.

      That is not good for me now.

      In fact, the union is not a TRUE union ?

      Thank you Frédérick.

  • Jun 04 at 11:48 AM

    You agree that if you do the following modification:

    ROLE 1 with authorization object ZOBJ1, this authorization object contains :

    ZSOC = SAP

    ZDIR = 01

    ZCTR = 111, 112, 113, 221, 222, 223

    ZACC = *

    You gave the user (assigned to this role) access to ZDIR 01 / ZCTR 221 ?

    Depending on your data that may be an issue or not.

    There is a true union of the authorizations. Here, your issue is more a selection issue (you can't ask for the union of the result for ZDIR 01 / ZCTR 111 and ZDIR 02 / ZCTER 221) than an authorization one.

    Add comment
    10|10000 characters needed characters exceeded

    • Thank you Frédérick.

      Concerning your first point :You gave the user (assigned to this role) access to ZDIR 01 / ZCTR 221 ?

      This combinaison do not exists So it will not shows data.

      Concerning your second point : yes i understand now the problematic. For me, as you say it is a sélection issue. In bex query, i use authorization variable So by default when user has 2 ROLE it shows on the prompt all the values exsiting on thèse 2 ROLE. So how can i do what i want ?

      The ultime solution is to applied has you said before ?

      ZSOC = SAP

      ZDIR = 01

      ZCTR = 111, 112, 113, 221, 222, 223

      ZACC = *

      Best regards.