Creation of Analysis Auth from SU21

Former Member · ‎07-16-2007

Hi All,

I gave a try to one auth. Just wanted anyone of you to clarify this.

I created one customised object from SU21, and created the field, which we have used in the Analysis Auth (rsecadmin) like, Compcode, salesorg, co area, etc.

I have entered the field values and generated. Now included this in a role for a reporting user which contains the objects s_rs_comp and s_rs_comp1 for which Comp1 given full *.

Now the test user is able to create the queries based on the restrictions assinged, like company code. But he is not able to execute his own query, where he was given full access. SU53 shows that he doesn't have the access to Execute in S_rs_comp1, where I have maintained * for that.

Does this mean that, the Charateristics for Analysis Auth will not work if assigned through the objects created from SU21. / or do i need to do something more.

Can anybody help please.

Thanks for the help.

Regards,

Venkat

Former Member · ‎07-17-2007

If you are using analysis authorizations you don't create the customized

object in SU21 but you create it in rsecadmin - the object you create

will already have been set up as a characteristic that has been flagged

as authorization relevant.

Former Member · ‎07-17-2007

Hi JC,

thanks for the message. I understand we have can create in rsecadmin.

What i say is, if i can bring few characteristics like company code, controlling area and sales org into , one customized object and can use it in the roles.

this would help me to minimize the no. of analysis authorizations..

what do u you say..

regards,

Former Member · ‎07-17-2007

OK I understand. I think if you want to reduce the number of analysis

auth you have to maintain and you have a set of characteristics that are

common to all users then what you can do is create an analysis auth with

those set of characteristics and then create a role and in the role under the

auth object S_RS_AUTH you assign the analysis auth object that you just created.

That way all users will get those "common values".

Hope that makes sense.

Former Member · ‎07-17-2007

Fine.

Now I'll tell u. Following are being maintained in my Analysis Auth.

0BILLTOPRTY

0CALYEAR

0COMP_CODE

0COSTCENTER

0COSTELMNT

0CO_AREA

0CUSTOMER

0SALESORG

0SOLD_TO

0TCAACTVT

0TCAIPROV

0TCAKYFNM

0TCAVALID

The very frequently restricted one per InfoProvider is CompCode and later Co Area.

suppose i have 40 info providers including ODS,cubes and Mproviders.

How would u suggest to go for it..!!

Thanks,

Former Member · ‎07-17-2007

OK take out all of the characteristics that don't change - like

0TCAACTVT

0TCAIPROV

0TCAKYFNM

0TCAVALID

are common to all - aren't they - and assign to another analysis auth

and input this into your role under auth object - S_RS_AUTH.

If the only values that are restricted are company code and co area - then

perhaps the other characteristics can be added to this common one as well.

Former Member · ‎07-18-2007

Hi JC,

The idea given by you is good. I tried, it. But its not working securely.

I created one analysis auth for all common characteristics. and dvarious for different company codes and controlling areas.

like grouped the following as one

Company Code, Controlling Area, Keyfigues.

I assigned a user a role like this. Take for example ODS A and B. Comp Codes, CC1 and CC2, Controling areas CA1 and CA2.

assigned the Reporting roles like this. where

1) ODS A > CC1 (CA ) (KF)

2) ODS B > CA2 (CC) (KF)

when checked user is able to see all the controlling areas on ODS B,where i gave him only CA2.

That is the problem..

Former Member · ‎07-18-2007

Did you include 0TCAIPROV and restrict your authoriztion. This tells the authorization what infocube to restrict it to. So you would combine this with your company code and controlling area. You can leave it wide open for certain cubes while restricting others.

Former Member · ‎07-18-2007

So,

Do you mean say. if we hv 40 inforproviders and 10 company codes each... then u'll havev 40 * 10 = 400 authorizations.

for 2 cubes the restriction is Controlling area

For 1 ODS there is Key figure restrication.

is there any way . we can minimize the authorizations.

thanks.

Former Member · ‎07-18-2007

OK if I am understanding you right. You have certain cubes that you do not care of the have open access to and infoobject such as controlling area and company code. What you would do is list all of you cubes under the 0TCAIPROV and then leave select all for controlling area for those cubes. This is only one authorization that you will give to users who u do not care if they have unrestricted to those cubes.

To trace to find out if it is working or what is not workinguse the anaylsis tab in RSECADMIN. You have to add the user you will be tracing under configure log recording under the error log button.

Former Member · ‎07-18-2007

Hi Mary,

thanks for the response, I accept with what you say. But, I hope still you hv to understand my requirement completely. I shall discuss, if you are online on on messenger / voice. The requirement looks a bit complex. my messenger ids.

"seekvenki" on yahoo, gmail and msn. anybody can. I am still trying on this for solution. Thanks for your efforts.

Thanks.

Former Member · ‎07-17-2007

If you are not restricting some of these then I would remove the auth relevant selection.

Former Member · ‎07-18-2007

Hi Mary,

I have removed all which are not required. But SAP recommends to keep few mandatory. So those things I kept in common.

Also, I request you to go through this complete thread and let me know if you have any idea to solve this..

Thanks for the same.

regards,

Former Member · ‎07-18-2007

You can test the analysis auth in rsecadmin under the analysis tab.

I assume that all of the characteristics were made authorization relevant.