Not possible to restrict BI content installation?

Former Member · ‎01-29-2009

In my attempts to restrict RSA1 to display access, I have created an empty role and provided only 2 transaction codes: RSA1 and SU53 (for analysis). Having given this bare minimum, practically everything is "restricted" or display-access only in RSA1 except BI Content.

When I click "BI Content", and choose an InfoPackage under "Object Types", I am able to install this InfoPackage. Is there anyway to restrict the installation of BI Content at all? Keeping in mind my role has only provides access to RSA1 and SU53, it should NOT allow me to install any content.

Any suggestions are greatly welcome! As an aside, I did not even add S_RS_ADMWB and still, I can execute RSA1 and run okay.

Former Member · ‎01-29-2009

Is it also possible that S_RS_ADMWB has been set to not be checked when I execute RSA1?

I went into SU24 and displayed transaction RSA1 and in the list of authorization objects, I do not see S_RS_ADMWB. If that is the case, does it mean that even if I give the user S_RS_ADMWB in the user buffer that RSA1 will not check this authorization object, thereby giving users more access than what is being restricted in S_RS_ADMWB?

Former Member · ‎02-01-2009

Hi Benjamin,

I am also surprised to read whatever you have mentioned, its nice information you have shared.

I think all this access is through package. Goto SE93> give tcode RSA1> you will see package name "RSAWB"> double click > properties tab you will see Allowed object types. I guess if you change this to some restrictions, it wont allow to do all tasks. But i doubt it will be user indepedentant and will stop access for all other users also who has full access.

if you find anything else please share.

Former Member · ‎02-02-2009

Are you saying that when you execute RSA1, even though you do not have auth object S_RS_ADMWB in your user buffer, you are able to execute it.

Also in SU24, when you check Authorization objects for RSA1, you do not see this object in any of these states Unchecked, No check, Check or Check/Maintain.

Normally it seems this object is in check state for this t-code and when this t-code is executed in the command line, you need access to this object.

Even if we assume, this object is in No check state for RSA1, it should then allow you to do all kind of stuff like creating/maintaining info objects and not just BI content installation.

Please advise.

Former Member · ‎02-02-2009

Imran and Nishant, thank you for your interest. To start off, please ignore my 2nd post as I had neglected to scroll up/down and indeed - in SU24 for t-code RSA1, object S_RS_ADMWB is Check.

Imran - Thank you for your advice on checking the RSAWB package. I checked and under "Allowable object types", "No restrictions" is selected.

Nishant - Yes, that is correct. I create an empty role and add RSA1 through the role menu. I then go to maintain the profile to find only object S_TCODE with no other authorization objects. I then generate and assign this role to a new user ID (who only has this new role). With this new user ID, I am able to execute RSA1 even without S_RS_ADMWB in my user buffer (confirmed with SU56). Furthermore, I was able to access the BI Content tab and install an InfoPackage (there is now a green square beside that InfoPackage that says it is Activated, whereas before there was not).

It is worth noting that other areas of RSA1 do seem to check S_RS_ADMWB (i.e. the BEx and Object Changeability buttons at the top) but it seems the installation and activation of BI Content by-passes any authorization checks. Therefore, I am assuming that the BI Content area of RSA1 cannot be restricted with SAP authorization concept?

Initially I thought this was only on one system but I tried the same exercise on my company's demo system and the results are the same!

Former Member · ‎02-02-2009

>


> 
> It is worth noting that other areas of RSA1 do seem to check S_RS_ADMWB (i.e. the BEx and Object Changeability buttons at the top) but it seems the installation and activation of BI Content by-passes any authorization checks.  Therefore, I am assuming that the BI Content area of RSA1 cannot be restricted with SAP authorization concept?
> 
>

I think you are correct. If you have access to sandbox system, you can try to change the proposal to Check/maintain for this object, so that when you add RSA1 in the menu, S_RS_ADMWB is pulled and then try to restrict it.

Former Member · ‎02-02-2009

I did try to add S_RS_ADMWB and in that authorization object, there are 2 fields:

ACTVT = '03' (Display)

RSADMWBOBJ = ....


APPLCOMP	Application Component
BIA_ZA	        BI Accelerator Monitor Checks and Actions
BR_SETTING	Broadcasting Settings
CNG_RUN	Attribute Change Run
CONT_ACT	Activation of BI Content
CONT_ADMIN	Administration (Customer) Content System
DOC_ADMIN	Administration of Document Store
DOC_HIER	Hierarchy Documents
DOC_MAST	Master Data Documents
DOC_META	Meta Data Documents
DOC_TRAN	Transaction Data Documents
IMG_BI	Changes to IMG (for BI)
INFOAREA	InfoArea
INFOOBJECT	InfoObject
INFOPACKAG	InfoPackage
METADATA	Metadata
MONITOR	Monitor
NAMESPACE	BI Namespaces
OLAP_CACHE	OLAP Cache Objects
RA_PACKAGE	Reporting Agent packet
RA_SETTING	Reporting Agent setting
REMOD_RULE	Remodeling Rule
SETTINGS	Settings
SOURCESYS	Source System
USE_DND	Drag&Drop to InfoAreas and Application Components
WORKBENCH	Workbench

To me, the objects that seem to require restriction under BI Content would be: CONT_ACT and CONT_ADMIN. Including these objects and setting the ACTVT to '03' still yields the same result. Even when I set ACTVT to '03' and include '*' for all objects - still the same, I am able to install and activate BI Content (InfoPackages).

Former Member · ‎02-03-2009

>


> > > 
> To me, the objects that seem to require restriction under BI Content would be:  CONT_ACT and CONT_ADMIN.  Including these objects and setting the ACTVT to '03' still yields the same result.  Even when I set ACTVT to '03' and include '*' for all objects - still the same, I am able to install and activate BI Content (InfoPackages).

Hi Benjamin,

I just read documentation on the object S_RS_ADMWB and it clearly mentions that activity 63 has to be used to Install BI Content but it gives in the Caution field that The "Install BI Content" activity is not active in the current release (there is no authorization check).

Go to Suim -> Authorization object by complex selection criteria -> give the object S_RS_ADMWB and read the documentation about it.

It answers your question that why there is no check. Hopefull you can raise a message to SAP to know when are they going to update this.

Former Member · ‎02-06-2009

Nishant, you are right. I verified in the documentation that it is not active. However, do you know if there is a way I can verify this technically in the system?