06-17-2010 10:34 PM
Hi
I have seen security documents and couple of links and tested with dircect analysis authorization to user and also checked with Pfcg role with s_rs_authobject assginment both are working . i have seen some docs assign users via role is more flexible to maintain is it correct .
Analysis authorizations can be assigned
Directly to users
To users via roles
what will be best to design and maintain the analysis role ? any suggestions will be appreciate
Thanks rao
06-17-2010 11:32 PM
I have found that assigning analysis auths to users via roles is generally a much cleaner solution.
06-18-2010 12:00 AM
Ram,
You have flagged characteristics that you want to protect as authorization-relevant in InfoObject maintenance.
In principle, all authorization-relevant characteristics are checked for existing authorizations if they occur in a query or in an InfoProvider that is being used. For this reason, you should avoid flagging too many characteristics as authorization-relevant so you keep the administrative efforts to a minimum and keep performance good.
We recommend that you include a maximum of 10 authorization-relevant characteristics in a query, since performance is otherwise negatively impacted. Authorization-relevant characteristics with asterisk (*) authorization are an exception to this; you can include more authorization-relevant characteristics of this type in a query.
These are the option; In this best option will be to users vis role.
Analysis authorizations can be assigned
Directly to users
To users via roles
Thanks,
Sri
06-18-2010 5:36 AM
Hi Rao,
Even I would recommend to go for assignment by role, because in this case you can take help of SE16 standard table for e.g agr_1251 or SUIM for pulling out reports from SAP. Also you will have a better control over the security issues as the trouble shooting would be quite easy )
06-18-2010 4:39 PM
hi
thanks for your suggestions, it is good toassign with role assignment . is there any pros and cons that we should not do .
as sri mentioned it is easy to track through se16/agr_1251, but we also have a tables where we can track analysis assigned to user s
RSECBIAU Changes to Authorization (Last Changed By
RSECUSERAUTH BI Analysis authorization ? assignment to users
RSECUSERAUTH_CL BI Analysis authorization ? assignment to users
any ideas or suggestions please
06-18-2010 4:52 PM
Hi Rao,
I would say, its basically your choice to go about it and also how much you are comfortable with BW tables/ R3 tables.
There doesn't seems to be any pros and cons as such neither I have found any mentioned by SAP. However if you want to compare the access of two users , or roles etc, you can use SUIM more effectiviely if you have used role based methodology.
Also you might miss good and meaningful reports from SUIM:-))
06-18-2010 5:28 PM
Hi Rao,
Assigning the Analysis Authorizations via roles is advantageous over directly assigning them as per my experience due to the following reasons:
1. Consistent design through out the system.
2. Less confusion for the end users. They might have to keep track of roles and analysis authorizations if you have both ways.
3. Less maintenance when there are large number of users. If you are changing or renaming the analysis authorizations you do not have to reassign all the users but just change the role and the user assignments will be still fine.
Overall assigning via roles will be a cleaner design and will be much easier for your reports.
Thanks,
Karthik.
08-10-2010 2:52 AM