on 05-29-2007 3:23 PM
Hi All,
I am trying to set up security using the new security concept 'Manage Analysis Authorisation'. The authorisation requirement was to allow users to read all data however only able to plan for certain company code, version and at certain level in contract hierarchy.
A single analysis authorisation profile was created which gave read access to all data. This works OK, if you only assign this authorisation profile to the users, then they are only able to display data. Two analysis profiles were created (both included special chars) one defines the write access for selective company code and contract hierarchy level another analysis profile gives write access to selective Versions. However, the issue is that when I assign three profiles (one to give read access and two profiles to give write access) I encounter the authorisation issue.
But strangely if I only create one write profile giving access to the relevant company code, contract hierarchy and version then assign one write prfile and one read all profile t the user, I get no issues and authorisation works as intended.
<b>Example of Authotisation Profiles</b>
Auth1 (All read Access)
0TCAACTVT I EQ 03
0TCAIPROV I CP *
0TCAKYFNM I CP *
0TCAVALID I CP *
0CALYEAR I CP *
0FISCYEAR I CP *
0COMP_CODE I CP *
0VERSION I CP *
ZCONTPL I CP *
Auth 2
0TCAACTVT I EQ 03
0TCAIPROV (Restricted to planning cubes)
0TCAKYFNM I CP *
0TCAVALID I CP *
0CALYEAR I CP *
0FISCYEAR I CP *
0COMP_CODE I EQ 110
ZCONTPL I(Node within Hierarchy)
Auth 3
0TCAACTVT I EQ 03
0TCAIPROV (Restricted to planning cubes)
0TCAKYFNM I CP *
0TCAVALID I CP *
0CALYEAR I CP *
0FISCYEAR I CP *
0VERSION I EQ FOR
Not sure what is making the authorisation not work when I use multiple Authorisation profiles to define write access. Could anyone please tell me what I am doing wrong.
Regards
Mohammed
Hi Andreas,
Many thanks for the reply, my issues is with the way system merges the Authorisations. I can see that system merges the two write profiles into one and has another profile for the read access. However I have issue with the way it merges the two write profiles. Prior to merging I have set the write authorisation to restricted set of company code, contract hierarchy and version. However after merging I get following two profiles.
<b>Auth1 (system Merged two write auths</b>
ZCONTPL Node 1
0COMP_CODE I EQ 110
0TCAACTVT I EQ 02
0VERSION I CP *
Auth 2
ZCONTPL I CP *
0COMP_CODE I CP *
0TCAACTVT I EQ 03
0VERSION I CP *
It seems that when my Version field was merged between the profiles,rather than copying version value from the change profile (FOR) it has copied the version value from my display profile (*). Result is that I endup with greater write access then I specified in my profile. Is there an issue when system copies the empty value and more then one profile has the available value, eventhough they are not doing the same opration i.e change and display.
Regards
Mohammed
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Assuming I understand your problem correctly it may be worth trying the following:
Create a multi provider with your real time infoprovider as a sinlge Infoprovider.
Create an authorisation for your multi provider with full display access.
Create 2 authorisation for your real time planning info provider as per your requirements to restrict.
1. Co Code and Contract
2. Version
If you try this option please let us know the outcome.
Good luck.
Hi, Thanks for your workaround solution.
But, I think SAP handles the analyse authorization in my case wrong. (we are at support package 12). I think you all agree that SAP should not merge authorizations which have different values for activity (02 vs 03).
question: Do you all agree that this is a bug in SAP, and do you know if a support package handles this bug?
Thanks!
Hi,
it is not a bug. Please read throught the various threads in this forum concerning merging, combining of analysis authorisations.
Basically, authorisation can only be merged if they are different only in a single dimension (character). If you have 2 analysis authorisation with more than 1 dimension with different values, the system cannot merge them. How should it? Think about a mutli-dimensional area or a cubicle. There would be a combination of characteristic values that you actually didn't want to protect initially, yet are only protected by way the system merges / combnines. This would not be a very confusing bevavior.
If you need further examples, please use the analysis tool in the transaction RSECADMIN. If you record a log, you will see in the log how authorisation are merged / combined.
Cheers
SAP NetWeaver BI Organisation
The workaround is to use a user exit as variable value (starting with *) in the analysis authorisations (RESCADMIN) and code the authorisation combinations from the infoprovider(s).
I'm still stunned to use ABAP because a combination of BI profils can't work on the new BI concept.
Please update this thread if any news.
Edited by: Erik Jorgensen on Apr 2, 2008 2:42 PM
Hi Erik,
to answer your initial question: it is currently not possible to do a mass assignments of authorizations to profiles, neither with a report / tool nor with the generation via DataStore Objects. The latter one might be an opiton in the future.
To answer your doubts about dimensions, I assume you understand the difference in the term dimension of an InfoCube compared to the ones used in authorization. If not, please have at the underneath link from the online documentation
[http://help.sap.com/saphelp_nw70/helpdata/DE/b1/0c9441b8972e7be10000000a1550b0/frameset.htm zu |http://help.sap.com/saphelp_nw70/helpdata/DE/b1/0c9441b8972e7be10000000a1550b0/frameset.htm zu ]
Cheers
SAP NetWeaver BI Organisation
Hi Mohammed,
If you create 2 additional authorisations, the system is not able to merge / combine them (yet if you create a single one). In combining the system combines mutliple authorisations if they only differ in one dimension (InfoObject). In merging the system combines mutliple authorisations if one dimension is populated in one authorisation yet not in the other.
For more information about the topics please search the forum, view the thread
<a href="https://forums.sdn.sap.com/click.jspa?searchID=2869053&messageID=3147616//">https://forums.sdn.sap.com/click.jspa?searchID=2869053&messageID=3147616</a>
and analyse the authorisation by running a transaction with a specified user in transaction RSECADMIN (this generates you a log where you can see whether the system merges the authorisations or not).
Cheers
SAP NetWeaver BI Ogranisation
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
User | Count |
---|---|
87 | |
10 | |
10 | |
9 | |
7 | |
7 | |
6 | |
5 | |
4 | |
4 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.