09-24-2010 9:26 AM
Hi Friends
I have come across a situation in BI security which I would like to share with you guys. Appreciate if you can share your expert opinion regarding the same...
We have a info object X & info object Y. Security applied through RSECADMIN restricts the user to view the data for info object X for specific values...
Based on the security access provided to the user, user is able to view the data of both X & Y as a info object .
Now the user has raised a requirement of viewing the data for info object X as an attribute of info object Y. Till the time the value of info object X is restricted to specific values, user is not able to add info object X as an attribute of info object Y. The moment we change the value of info object X to " * " in Analysis Authorization, user is able to add info object X as a attribute of info object Y.
Has anyone come across this situation. If yes do you know why this is happenning. Any clue.
We donot want to make info object X as a navigational attribute of info object Y.
Thanks
Anjan Pandey
09-25-2010 6:30 PM
Hi Anjan,
This is standard behavior for display attribute security and to my mind is justifiable to a large extent. When you add a field as display attribute of another characteristic to a query, any restriction if used, is on the base attribute. So the query can potentially return any value for the display attribute and is hence checking for * access makes sense.
Does your security requirements allow you to return any value of object X when its appearing as an attribute of Y? To me individual value level security for X and Y is contradictory to what you are trying to do for display attributes.
There is however a way to give full access to display attributes without opening up full access for it in the cube. Create a new analysis authorization for X with value * and 0TCAIPROV as ZTEST (you can use dummy value here). Use this with your existing authorizations. This will give access to X in any case where it appears as a display attribute of another characteristic.
Regards,
Aninda
09-27-2010 9:29 AM
Thanks for your response.
> Does your security requirements allow you to return any value of object X when its appearing as an attribute of Y? To me individual value level security for X and Y is contradictory to what you are trying to do for display attributes.
As per the requirement only the recent most value for info object X should be displayed when viewed as an attribute. This conditioned is fulfilled only when value for info object X is maintained as " * " in the Analysis authorization.
> There is however a way to give full access to display attributes without opening up full access for it in the cube. Create a new analysis authorization for X with value * and 0TCAIPROV as ZTEST (you can use dummy value here). Use this with your existing authorizations. This will give access to X in any case where it appears as a display attribute of another characteristic.
I agree with the solution sugegsted, however as per standards this solution should not be used as there has to be a justification for new Analysis Authorization created.
I will still keep the thread open for few more days if someone else has some other opinion regarding the issue.
Thanks.
Anjan Pandey