Skip to Content
0

Authorization Object Issue

Apr 05, 2017 at 04:11 PM

150

avatar image

Hello,

We are facing a very strange issue for authorization object. We want to restrict a division for a particular user who has given a particular query. Following steps I did :

1. Assigned s_rs_auth and auth object to user's pfcg. also in s_rs_comp/comp1 relevant query and infocube and with own responsible as * is given.

2. It gave error for colon, so two more infoobjects were added to auth object with I EQ :

3. After that further it said you don't have authorization for infoprovider, so another infobject was added ( OTKEYFNM ) as * in auth object.

4. A variable as authorization type was create i query ( not input ready ).

But user is able to access to all division and not the two division that were assigned on 0Division in auth object. Tried everything but data is not getting restricting.

Please help.

warm regards,

Am

10 |10000 characters needed characters left characters exceeded
* Please Login or Register to Answer, Follow or Comment.

2 Answers

Best Answer
Aman Sharma Apr 06, 2017 at 05:13 PM
0

Hi,

Assigned the mentioned four but still authorization is not working, still user can access all the data. No Luck.

warm regards,
AM

Show 2 Share
10 |10000 characters needed characters left characters exceeded

Hi,

check as well he has no other roles. Otherwise, make a dummy user and assign only your new role to the dummy and start from that point, so you know the new role is working or not, start the role as little as needed.

Grtz

Koen

1

Hi Koen,

It finally worked. At RSECADMIN when I was checking from any 'authorization relevant' infobjects for the cube, it was only showing 1 IObj. Now I reactivated the cube again and again checked in RSECADMIN, it finally showed two more authorization relevant infoobjects ( division and sales org ), I included them also in the same auth object with parameters I CP * and I EQ : for both. Now finally the authorization worked at query level and BO dashboards level.

thanks for the time and help

warm regards,

AM

0
Koen Hesters Apr 06, 2017 at 06:39 AM
0
Show 4 Share
10 |10000 characters needed characters left characters exceeded

Hi Koen,

I have already checked, user running the query has no access to 0BI_ALL ( checked in rsecadmin ), authorization object assigned correctly but still he is able to access all the data.

Double checked role etc, no sap_all assigned or any other role.

What could be the possible reason ?

warm regards,

AM

0

Hi,

Flag the infoobject as authorization relevant

create in rsecadmin an authorization object with structure: (company code --> division)

  • people only to see aggregated data: set colon
  • people only to see a particular division: set division
  • people who can see all, aggrageted and detailed: set *

You have to make a choice from above options and for each option you have to create an auth. object.

Include the auth objects in the required roles and it should work.

grtz

Koen

0

I have switched on the trace for the user and it's picking 0BI_ALL in S_rs_auth instead of our authorization object. 0BI_ALL is inactive in system and it's linked to the assigned role to that user as we have checked. What could be the reason and I guess because of this it is showing all the values.

0

hi,

you only need

  • S_RFC: (Authorization Check for RFC Access) requires for execution of query in Analyzer.
  • S_RS_AUTH: (BI Analysis Authorizations in Role) Analysis Authorizations objects can be added. E.g. your authorization object
  • S_RS_COMP: (Business Explorer - Components), used for reporting relevant components.
  • S_RS_COMP1 (Business Explorer - Components: Enhancements to the Owner) used for reporting relevant components.

0