Analysis assignment

Former Member · ‎06-17-2010

Hi

I have seen security documents and couple of links and tested with dircect analysis authorization to user and also checked with Pfcg role with s_rs_authobject assginment both are working . i have seen some docs assign users via role is more flexible to maintain is it correct .

Analysis authorizations can be assigned

Directly to users

To users via roles

what will be best to design and maintain the analysis role ? any suggestions will be appreciate

Thanks rao

Former Member · ‎06-17-2010

I have found that assigning analysis auths to users via roles is generally a much cleaner solution.

Former Member · ‎06-18-2010

Ram,

You have flagged characteristics that you want to protect as authorization-relevant in InfoObject maintenance.

In principle, all authorization-relevant characteristics are checked for existing authorizations if they occur in a query or in an InfoProvider that is being used. For this reason, you should avoid flagging too many characteristics as authorization-relevant so you keep the administrative efforts to a minimum and keep performance good.

We recommend that you include a maximum of 10 authorization-relevant characteristics in a query, since performance is otherwise negatively impacted. Authorization-relevant characteristics with asterisk (*) authorization are an exception to this; you can include more authorization-relevant characteristics of this type in a query.

These are the option; In this best option will be to users vis role.

Analysis authorizations can be assigned

Directly to users

To users via roles

Thanks,

Sri

Former Member · ‎06-18-2010

Hi Rao,

Even I would recommend to go for assignment by role, because in this case you can take help of SE16 standard table for e.g agr_1251 or SUIM for pulling out reports from SAP. Also you will have a better control over the security issues as the trouble shooting would be quite easy )

Former Member · ‎06-18-2010

hi

thanks for your suggestions, it is good toassign with role assignment . is there any pros and cons that we should not do .

as sri mentioned it is easy to track through se16/agr_1251, but we also have a tables where we can track analysis assigned to user s

RSECBIAU Changes to Authorization (Last Changed By

RSECUSERAUTH BI Analysis authorization ? assignment to users

RSECUSERAUTH_CL BI Analysis authorization ? assignment to users

any ideas or suggestions please

Former Member · ‎06-18-2010

Hi Rao,

I would say, its basically your choice to go about it and also how much you are comfortable with BW tables/ R3 tables.

There doesn't seems to be any pros and cons as such neither I have found any mentioned by SAP. However if you want to compare the access of two users , or roles etc, you can use SUIM more effectiviely if you have used role based methodology.

Also you might miss good and meaningful reports from SUIM:-))

Former Member · ‎06-18-2010

Hi Rao,

Assigning the Analysis Authorizations via roles is advantageous over directly assigning them as per my experience due to the following reasons:

1. Consistent design through out the system.

2. Less confusion for the end users. They might have to keep track of roles and analysis authorizations if you have both ways.

3. Less maintenance when there are large number of users. If you are changing or renaming the analysis authorizations you do not have to reassign all the users but just change the role and the user assignments will be still fine.

Overall assigning via roles will be a cleaner design and will be much easier for your reports.

Thanks,

Karthik.

Former Member · ‎08-10-2010

answered