cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Binding members security in BPC 75 NW

Go to solution
Former Member

on ‎07-22-2010 10:16 AM

0 Kudos

Hi experts,

I'm meeting a serious problem while setting my BPC's user security. From what i understand, the BPC 75 NW support user's behavior and permission by using Task Profiles and Member Access Profiles. However, I don't know how to handle the following situation:

Suppose we have these two dimensions in the application: Entity and Product (I omit other dimensions for simplicity); In Entity there're two members DeptA and DeptB; In Product there're two members Apple and Banana.

During system realization I want an user to have the read permission for data dimensioned by (DeptA and Apple), and (DeptB and Banana); However, I don't want this user to have any permission to read data in (DeptA and Banana) or (DeptB and Apple). By using Member Access Profile in BPC 75 NW I don't know how to realize that.

Thanks in advance,

Tony

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

Former Member
‎07-22-2010 10:47 AM
0 Kudos

Hi Tony,

This cannot be done using a single member access profile. You need 2 separate profiles. And after creating these profiles, assign both of them to the user.

You need to create 2 different member access profiles - 1. for Dept A and Product Apple and 2. for Dept B and Product Banana. In both the profiles, give the appropriate rights to the members.

Hope this helps.

Show replies
Show replies
Former Member
‎07-22-2010 10:54 AM
0 Kudos

Hi nilanjan,

I tried that and it turned out the user can get 4 pieces data back while 2 of them expected:

(DeptA, Apple) - expected.

(DeptA, Banana) - don't expected.

(DeptB, Apple) - don't expected.

(DeptB, Banana) - expected.

Thanks,

Tony

Former Member
‎07-22-2010 11:46 AM
0 Kudos

Hi Tony,

I am sorry for the previous post.

Yes, you are right. That is how it will behave. The first thing, we need to understand is that there is no characteristic relationship in BPC.

In the first profile, when we say that, Dept A and Product Apple., then it is only this combination.

However, when we defined another profile with Dept B and prod banana, then the combination of both the profiles is applied to the user. What I mean to say is that the user can read Dept A and B, product apple and banana (irrespective of the relationship between product and dept).

Actually the 2 profiles will mean the below:

1. First profile:

Access to Dept A

Access to Apple

2. Second profile:

Access to Dept B

Access to Banana

The above 2 profiles doesnt say anything about the combination.

Hope you got my point.

Former Member
‎07-22-2010 12:14 PM
0 Kudos

Hi nilanjan,

From what i understand from your reply, the 2 profiles you mentioned are just the same with the following 1 profile, that is:

Read Entity DeptA, DeptB

Read Product Apple, Banana

then my question is not solved yet... i'm thinking if the member access profile doesn't work, can we write some ABAP code to support that?

Thanks,

Tony

Former Member
‎07-22-2010 1:12 PM
0 Kudos

Hi Tony,

You got it completely right. However, I am not very sure whether this can be achieved using any ABAP code or not.

esjewett
Active Contributor
‎07-22-2010 2:26 PM
0 Kudos

Hi Tony,

This is correct, as Nilanjan said. You cannot realize your requirement using BPC member access profiles.

You can do this using the Shared Query Engine Post Processing BADI and there is a howto guide that addresses exactly your requirement: [http://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/004406b3-804f-2d10-a685-b024a0142820]

Hopefully this meets your needs, although admittedly it would be pretty nice if you could manage this without having to implement a BADI!

Ethan

Former Member
‎07-22-2010 4:57 PM
0 Kudos

Hi Ethan,

that is an amazing document which fits my question. Thank you so much!

P.S. I'm wondering how can you find this document... did your colleague or friend write that? Great solution!

esjewett
Active Contributor
‎07-22-2010 5:23 PM
0 Kudos

Hi Tony,

No, I've never met Rich Heilman (the author), but he does make appearances on the BPC NW forums from time to time and is quite the ABAP celebrity.

I find out about new HowTo guides for BPC by subscribing to the EPM HowTo guide wiki page at [http://wiki.sdn.sap.com/wiki/display/BPX/EnterprisePerformanceManagement%28EPM%29How-to+Guides]. Click the little envelope in the upper-right area of the page to subscribe. The EPM group at SAP does a good job of keeping this page up to date when new guides come out.

By the way, I haven't tried implementing the guide, so I haven't rated it, but if you like it, go ahead and review it and give it some stars. That will help other people who are looking for it in the future.

Cheers, and good luck with the BADI!

Ethan

RichHeilman
Developer Advocate
Developer Advocate
‎07-22-2010 5:30 PM
0 Kudos

Hi, Just wanted to let you know that the code delivered in the guide works for that specific case, it may need to be enhanced depending on your specific requirement. The matrix security example in the guide was just that, an example. For full matrix security support, you would also have to implement something similar using the Write Back BAdI, so that the end user could only write back to those specific cells. I think the coding might be similar to what is implemented in the SQE BAdI guide, but not really sure.

Also, this type of security, matrix security is being planned for a future release of BPC.

Regards,

Rich Heilman

Former Member
‎07-23-2010 3:00 AM
0 Kudos

Hi Ethan,

This is a really awesome site that group experiences together. I'm checking them out to review and feeling i will definitely benefit a lot from them.

Thanks again, Tony

Former Member
‎07-23-2010 12:28 PM
0 Kudos

Hi Tony,

We got a very useful document regarding your querry. But I got an idea please could you try on it?

You please create 4 Member Access Profiles :

USER : X

1) Entiy Dim., Dept A READONLY

Product Dim Apple READONLY

2) Entity Dim., Dept A READONLY

Product Dim Banana DENIED

USER : Y

3) Entiy Dim., Dept B READONLY

Product Dim Banana READONLY

4) Entity Dim., Dept B READONLY

Product Dim Apple DENIED

Please try the above, as I donot have BPC system now, hence I have not tried, please could you let me know the

status.

RAGHU B.S.

Edited by: Raghu B.S. on Jul 23, 2010 4:59 PM

Former Member
‎07-26-2010 9:08 AM
0 Kudos

Hi Raghu,

Under your setting we got X could read (DeptA, Apple) and Y could read (DeptB, Banana); meanwhile, X could not read (DeptA, Banana) and Y could not read (DeptB, Apple).

However, my question was about ONE user say Z could read both (DeptA, Apple,) and (DeptB, Banana) - not the TWO users X and Y you mentioned that read these data separately.

We might consider a workaround that the Z user owns two user accounts X and Y... but this solution somehow is out of the initial requirement of my question.

Best regards,

Tony

Answers (1)

Answers (1)

former_member190501
Active Contributor
‎07-22-2010 10:38 AM
0 Kudos

Hi,

follow the below steps to achieve your requirement.

1.Create a member access profile with DeptA and Apple.

Step 1. Enter Profile name and Description

Step 2:Under required application tab select acess as Read only dimension as Entiry and member as Depta

select acess as Read only dimension as Product and member as apple

Step 3: Select View by as Users move the requried user to right window

Step 4: Clikc Finish.

2. Create Task profile with eAnalyze to just run reports and assign to required user under step 3

Hope it helps..

regards,

Raju

Show replies
Show replies
Former Member
‎07-22-2010 10:46 AM
0 Kudos

Hi Raju,

Thanks for your reply. However my question is not solved yet...

In my question I meant I want this user to have the read permission against the data under (DeptA, Apple) and (DeptB, Banana). HOWEVER, I DON'T want this user to get any data back while exhibiting (DeptA, Banana) or (DeptB, Apple).

I tried to set up two Member Access Profiles: one with DeptA and Apple, the other with DeptB and Banana; then I assigned these two Member Access Profiles to this user. The result is the user definitely can read data (DeptA, Apple) and (DeptB, Banana), however, the user can also read data (DeptA, Banana) and (DeptB, Apple) - that what I DON'T expect...

Hope I get my question clarified,

Thanks,

Tony

Ask a Question