cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

BI Analysis Authorisation. IP Security Restriction Not Working

Former Member

on ‎05-29-2007 3:23 PM

0 Kudos

Hi All,

I am trying to set up security using the new security concept 'Manage Analysis Authorisation'. The authorisation requirement was to allow users to read all data however only able to plan for certain company code, version and at certain level in contract hierarchy.

A single analysis authorisation profile was created which gave read access to all data. This works OK, if you only assign this authorisation profile to the users, then they are only able to display data. Two analysis profiles were created (both included special chars) one defines the write access for selective company code and contract hierarchy level another analysis profile gives write access to selective Versions. However, the issue is that when I assign three profiles (one to give read access and two profiles to give write access) I encounter the authorisation issue.

But strangely if I only create one write profile giving access to the relevant company code, contract hierarchy and version then assign one write prfile and one read all profile t the user, I get no issues and authorisation works as intended.

<b>Example of Authotisation Profiles</b>

Auth1 (All read Access)

0TCAACTVT I EQ 03

0TCAIPROV I CP *

0TCAKYFNM I CP *

0TCAVALID I CP *

0CALYEAR I CP *

0FISCYEAR I CP *

0COMP_CODE I CP *

0VERSION I CP *

ZCONTPL I CP *

Auth 2

0TCAACTVT I EQ 03

0TCAIPROV (Restricted to planning cubes)

0TCAKYFNM I CP *

0TCAVALID I CP *

0CALYEAR I CP *

0FISCYEAR I CP *

0COMP_CODE I EQ 110

ZCONTPL I(Node within Hierarchy)

Auth 3

0TCAACTVT I EQ 03

0TCAIPROV (Restricted to planning cubes)

0TCAKYFNM I CP *

0TCAVALID I CP *

0CALYEAR I CP *

0FISCYEAR I CP *

0VERSION I EQ FOR

Not sure what is making the authorisation not work when I use multiple Authorisation profiles to define write access. Could anyone please tell me what I am doing wrong.

Regards

Mohammed

Show replies
Show replies
Answer

Accepted Solutions (0)

Answers (2)

Answers (2)

Former Member
‎05-30-2007 11:53 AM
0 Kudos

Hi Andreas,

Many thanks for the reply, my issues is with the way system merges the Authorisations. I can see that system merges the two write profiles into one and has another profile for the read access. However I have issue with the way it merges the two write profiles. Prior to merging I have set the write authorisation to restricted set of company code, contract hierarchy and version. However after merging I get following two profiles.

<b>Auth1 (system Merged two write auths</b>

ZCONTPL Node 1

0COMP_CODE I EQ 110

0TCAACTVT I EQ 02

0VERSION I CP *

Auth 2

ZCONTPL I CP *

0COMP_CODE I CP *

0TCAACTVT I EQ 03

0VERSION I CP *

It seems that when my Version field was merged between the profiles,rather than copying version value from the change profile (FOR) it has copied the version value from my display profile (*). Result is that I endup with greater write access then I specified in my profile. Is there an issue when system copies the empty value and more then one profile has the available value, eventhough they are not doing the same opration i.e change and display.

Regards

Mohammed

Show replies
Show replies
Former Member
‎02-15-2008 3:32 PM
0 Kudos

HI, how did you solve this Issue. I have the same issue at my client

analyser 1:

change rights for company 1000

analyser 2:

display rights for company *

Result: display and change for company *.

DO WE NEED A SUPPORT PACKAGE?

thank you very much!

Former Member
‎02-18-2008 5:08 AM
0 Kudos

Assuming I understand your problem correctly it may be worth trying the following:

Create a multi provider with your real time infoprovider as a sinlge Infoprovider.

Create an authorisation for your multi provider with full display access.

Create 2 authorisation for your real time planning info provider as per your requirements to restrict.

1. Co Code and Contract

2. Version

If you try this option please let us know the outcome.

Good luck.

Former Member
‎02-18-2008 10:40 AM
0 Kudos

Hi, Thanks for your workaround solution.

But, I think SAP handles the analyse authorization in my case wrong. (we are at support package 12). I think you all agree that SAP should not merge authorizations which have different values for activity (02 vs 03).

question: Do you all agree that this is a bug in SAP, and do you know if a support package handles this bug?

Thanks!

former_member192700
Active Contributor
‎02-18-2008 2:57 PM
0 Kudos

Hi,

it is not a bug. Please read throught the various threads in this forum concerning merging, combining of analysis authorisations.

Basically, authorisation can only be merged if they are different only in a single dimension (character). If you have 2 analysis authorisation with more than 1 dimension with different values, the system cannot merge them. How should it? Think about a mutli-dimensional area or a cubicle. There would be a combination of characteristic values that you actually didn't want to protect initially, yet are only protected by way the system merges / combnines. This would not be a very confusing bevavior.

If you need further examples, please use the analysis tool in the transaction RSECADMIN. If you record a log, you will see in the log how authorisation are merged / combined.

Cheers

SAP NetWeaver BI Organisation

Former Member
‎03-31-2008 1:06 PM
0 Kudos

The workaround is to use a user exit as variable value (starting with *) in the analysis authorisations (RESCADMIN) and code the authorisation combinations from the infoprovider(s).

I'm still stunned to use ABAP because a combination of BI profils can't work on the new BI concept.

Please update this thread if any news.

Edited by: Erik Jorgensen on Apr 2, 2008 2:42 PM

former_member192700
Active Contributor
‎04-03-2008 8:53 AM
0 Kudos

Hi Erik,

to answer your initial question: it is currently not possible to do a mass assignments of authorizations to profiles, neither with a report / tool nor with the generation via DataStore Objects. The latter one might be an opiton in the future.

To answer your doubts about dimensions, I assume you understand the difference in the term dimension of an InfoCube compared to the ones used in authorization. If not, please have at the underneath link from the online documentation

[http://help.sap.com/saphelp_nw70/helpdata/DE/b1/0c9441b8972e7be10000000a1550b0/frameset.htm zu |http://help.sap.com/saphelp_nw70/helpdata/DE/b1/0c9441b8972e7be10000000a1550b0/frameset.htm zu ]

Cheers

SAP NetWeaver BI Organisation

former_member192700
Active Contributor
‎05-30-2007 10:13 AM
0 Kudos

Hi Mohammed,

If you create 2 additional authorisations, the system is not able to merge / combine them (yet if you create a single one). In combining the system combines mutliple authorisations if they only differ in one dimension (InfoObject). In merging the system combines mutliple authorisations if one dimension is populated in one authorisation yet not in the other.

For more information about the topics please search the forum, view the thread

<a href="https://forums.sdn.sap.com/click.jspa?searchID=2869053&messageID=3147616//">https://forums.sdn.sap.com/click.jspa?searchID=2869053&messageID=3147616</a>

and analyse the authorisation by running a transaction with a specified user in transaction RSECADMIN (this generates you a log where you can see whether the system merges the authorisations or not).

Cheers

SAP NetWeaver BI Ogranisation

Show replies
Show replies
Ask a Question