- SAP Community
- Groups
- Interest Groups
- Application Development
- Discussions
- BI Authorization Issue
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
BI Authorization Issue
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-11-2011 4:50 AM
Hi Gurus,
We are having problem with analysis authorizations for a particular query. The report is for the vendor balance, it has balance, cumulative balance as key figures and vendor as characteristics. We wanted to restrict the report by account group level. we have 4 account groups. The account group is a navigational attribute of creditor account group. account group [char] is auth relevant but the creditor account group [char] is not. so we gave respective auth group for accnt grp [char] but the query fails. The analysis log is follows, any help will be appreciated
Authorization Check
Detail Check for InfoProvider ZFIAP_S01
Preprocessing:
Selection Checked for Consistency, Preprocessed and Supplemented As Needed
Subselection (Technical SUBNR) 1
Check Node Definitions and Value Authorizations...
Node- and Value Authorizations Are OK
End of Preprocessing
-
Filling the Buffer...
...Buffer Filled
Main Check:
-
Subselection (Technical SUBNR) 1
Supplementation of Selection for Aggregated Characteristics
No Check for Aggregation Authorization Required
Following Set Is Checked Comparison with Following Authorized Set Result Remaining Set
Characteristic Content in SQL Format
0ACCNT_GRPV
0TCAACTVT
0TCAACTVT = '03'
AND 0ACCNT_GRPV LIKE *
Characteristic Content in SQL Format
0ACCNT_GRPV I EQ :
I EQ ZCON
I EQ ZCOR
I EQ ZFRN
I EQ ZGAR
0TCAACTVT I CP *
Partially or Fully Authorized (Intersection) Characteristic Content in SQL Format
0ACCNT_GRPV
0TCAACTVT
NOT 0ACCNT_GRPV IN ('ZCON','ZCOR','ZFRN','ZGAR')
AND 0TCAACTVT = '03'
Value selection partially authorized. Check of remainder at end
Following Set Is Checked Comparison with Following Authorized Set Result Remaining Set
Characteristic Content in SQL Format
0ACCNT_GRPV
0TCAACTVT
NOT 0ACCNT_GRPV IN ('ZCON','ZCOR','ZFRN','ZGAR')
AND 0TCAACTVT = '03'
Characteristic Content in SQL Format
0ACCNT_GRPV I EQ :
I EQ ZCON
I EQ ZCOR
I EQ ZFRN
I EQ ZGAR
0TCAACTVT I CP *
Not Authorized
All Authorizations Tested
Message EYE007: You do not have sufficient authorization
No Sufficient Authorization for This Subselection (SUBNR)
Following CHANMIDs Are Affected:
2596 ( ZFIAP_S01___F2 )
Authorization Check Complete
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-11-2011 5:56 AM
Hi,
As per SAP Note 642072 (Authorization check on : for char./navigation attribute):
In new BI 7.x releases, the authorization logic has been enhanced and navigation attributes have the same status as 'normal' characteristics. An overlay of characteristic A and navigation attribute B__A no longer occurs. They are now treated as completely seperate objects.
As you said, account group (0ACCNT_GRPV) is a navigational attribute of creditor account group (say 0CREDITOR), so the characteristics here becomes 0CREDITOR__0ACCNT_GRPV. So you have to mark 0CREDITOR__0ACCNT_GRPV as auth relevant by tcode RSD1> go to 0CREDITOR> in attribute tab check 0ACCNT_GRPV as auth relevant and activate it.
As per the trace you posted, it seems currently its just checking for 0ACCNT_GRPV and not 0CREDITOR__0ACCNT_GRPV which is treated as separate entity in BI7.x versions.
Also, for restriction on navigational attributes, you need to create an authorization variable on your navigational attribute (i.e 0CREDITOR__0ACCNT_GRPV ) and make it input ready in your query. This will pull the user's authorized values and input them into the query. Also, maintain the desired authorized values for your navigation attribute (0CREDITOR__0ACCNT_GRPV) in the Analysis authorization assigned to the user. Leaving it blank or no values entered will make the query check for "*".
P.S (edited): Most importantly, the query should have a check on auth relevant characteristics (in your case 0CREDITOR__0ACCNT_GRPV) otherwise it is not possible to restrict the characteristics to specific values and BI will by default check for "*" and atleast ":" has to be added to the analysis authorization for successful execution of query but that does not serve the purpose as ":" shows aggregated data for all account groups. Please see note # 1140831
Hope this helps!
Sandipan
Edited by: Sandipan Choudhury on Mar 11, 2011 12:36 PM
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-11-2011 5:36 AM
Hi,
1) Make sure that you use the objects 0TCAACTVT, 0TCAIPROV and 0TCAVALID in your analysis authorization.
2) Make sure that you also have assign to this analysis authorization all characteristics that are "Authorization relevant" .
3) If the consolidation group is authorization relevant, always put " * ".
Regards
Siva
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-11-2011 5:56 AM
Hi,
As per SAP Note 642072 (Authorization check on : for char./navigation attribute):
In new BI 7.x releases, the authorization logic has been enhanced and navigation attributes have the same status as 'normal' characteristics. An overlay of characteristic A and navigation attribute B__A no longer occurs. They are now treated as completely seperate objects.
As you said, account group (0ACCNT_GRPV) is a navigational attribute of creditor account group (say 0CREDITOR), so the characteristics here becomes 0CREDITOR__0ACCNT_GRPV. So you have to mark 0CREDITOR__0ACCNT_GRPV as auth relevant by tcode RSD1> go to 0CREDITOR> in attribute tab check 0ACCNT_GRPV as auth relevant and activate it.
As per the trace you posted, it seems currently its just checking for 0ACCNT_GRPV and not 0CREDITOR__0ACCNT_GRPV which is treated as separate entity in BI7.x versions.
Also, for restriction on navigational attributes, you need to create an authorization variable on your navigational attribute (i.e 0CREDITOR__0ACCNT_GRPV ) and make it input ready in your query. This will pull the user's authorized values and input them into the query. Also, maintain the desired authorized values for your navigation attribute (0CREDITOR__0ACCNT_GRPV) in the Analysis authorization assigned to the user. Leaving it blank or no values entered will make the query check for "*".
P.S (edited): Most importantly, the query should have a check on auth relevant characteristics (in your case 0CREDITOR__0ACCNT_GRPV) otherwise it is not possible to restrict the characteristics to specific values and BI will by default check for "*" and atleast ":" has to be added to the analysis authorization for successful execution of query but that does not serve the purpose as ":" shows aggregated data for all account groups. Please see note # 1140831
Hope this helps!
Sandipan
Edited by: Sandipan Choudhury on Mar 11, 2011 12:36 PM
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-21-2011 9:28 PM
Hey siva & sandipan,
Both of your answer's helped a lot. Finally the BI team has to tweak their query to fix the issue. It seem's that the navigational attribute was not really necessary. Thanks for the help. Assigning points for both of you and closing this thread
Edited by: saranya.j on Mar 21, 2011 10:29 PM
Edited by: saranya.j on Mar 21, 2011 10:29 PM
- SAP Managed Tags:
- Security
