03-14-2008 10:16 PM
Hi Gurus,
After switching the system the user is unable to execute LISTCUBE, system trace shows that user is missing 0BI_ALL?
Please help.
03-14-2008 10:38 PM
I think the new authorization concept requires S_RS_AUTH with authorization 0BI_ALL to overcome this.
03-15-2008 10:59 AM
Hi Asghar,
use the Transaction RSU01 give the user name>>>click on changed in the Name(Tech) give 0BI_ALL
click on insert and save
hope this helps
thanks
kishore
03-15-2008 6:55 PM
Hi Gurus,
Actually that is the problem users had 0BI_ALL and we want to take it away from the users, plus as far as I understand listcube should not have problem from not having 0BI_ALL. Listcube is a standard transaction and 0BI_ALL is just about analysis authorizations and is not used for anything other than query execution. So looking at this listcube should not be failing for 0BI_ALL as user has other analysis authorizatiosn assigned.
your help will be greatly appreciated <removed_by_moderator>
Edited by: Julius Bussche on Mar 19, 2008 7:05 PM
03-17-2008 1:55 PM
the RSECADMIN trace always starts with a check for 0BI_ALL, regardless of the assignment to users. this is because the authorization check stops when 0BI_ALL is found.
this means that for your LISTCUBE issue you can disregard the message that 0BI_ALL is missing.
03-17-2008 9:45 PM
03-17-2008 9:51 PM
Hi rohan
You can create one new authorization say with name "req_cubes" using transaction RSECADMIN and
then create one role with the authorization object s_rs_auth and assign the value req_cubes to this role.
Now put the cube names which you need to give the access to users in the infoobject related to infoproviders ( since i don't have system as of now so cannot tell exact name of related infoobject may be infoprov etc") and then generate the respective profiles for this role and now assign this role to the users you need to provide and then they will have access for only those infoproviders which you need and then list cube will work properly for the respective cubes,
Allways trace show 0BI_ALL as this is first check from sap but then it looks for lower level checks for example check for custom authorizations which are created to give seperate authorizations and if they are also not successfull then it shows just 0BI_ALL as others are not in system unless created.
I hope this helps
regards
Vishal
03-17-2008 9:53 PM
hi
the name of the infoproviders is given in the infoobject which is shown in the window below the created authorization using resecadmin transaction, by default you can find the value to be *.
regards
vishal
03-19-2008 6:34 PM
Hi Gurus,
Thanks for your suggestions , I understand that 0BI_ALL msg in SU53 and trace doesn't mean much and then I have tried giving the cube name in 0TCAIPROV but it doesn't work. The log still shows that user is missing restricted key figs although 0TCAIPROV = * and 0TCAKYFNM = restricted key fig is already in the user profile.
Please advice , <removed_by_moderator>
Edited by: Julius Bussche on Mar 19, 2008 7:06 PM
03-20-2008 9:01 AM
Hi
First you should check about the three special characteristics:
0TCAACTVT -
03
0TCAIPROV --- *
0TCAVALID --- *
Now you can try to take authorization trace st01 and can see what is not ok while you run the query.
May be you can request for one test user on the system and then can try to run the query and trace and then kindly analyze
what is not ok in your case .
You can look in system log also for some activity which you did ( just another try to see if it also gives something to you which might be helpful to guess what authorizations are missing).
Imp. Please see if the created authorization is assigned to the role (having object S_RS_AUTH) and that role is assigned to the user ( who is running the query).
regards
Vishal