- SAP Community
- Groups
- Interest Groups
- Application Development
- Discussions
- S_RS_AUTH versus S_RS_COMP, S_RS_ICUBE
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
S_RS_AUTH versus S_RS_COMP, S_RS_ICUBE
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
09-12-2011 5:43 PM
Hi
I've a question regarding if I have a single role i BI that includes S_RS_AUTH with value "0BI_ALL" and some other objects in the same role like S_RS_COMP and S_RS_ICUBE are limited with some specific infoobject and reports.
Which effect comes out of this case??
From my view, this is like you have a "star" in the comp and icube object
Anyone who can tell??
Or, what do you use in which case??
reg. Jacob
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
09-12-2011 7:14 PM
Hi Jacob,
BI that includes S_RS_AUTH with value "0BI_ALL"
This gives access to all the analysis authorizations which are under the infoareas/infocubes that you define in S_RS_COMP.
and some other objects in the same role like S_RS_COMP and S_RS_ICUBE are limited with some specific infoobject and reports.
This gives access to only those queries/reports under the InfoArea/InfoCube.
Which effect comes out of this case??
As mentioned, it gives authorization to all Analysis authorizations under the InfoAreas/InfoCubes that you define in S_RS_COMP.
From my view, this is like you have a "star" in the comp and icube object Anyone who can tell??
Or, what do you use in which case??
You are partially correct. It gives complete access when you maintain * at S_RS_COMP too.
Hope this helps!
Regards,
Raghu
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
09-12-2011 7:14 PM
Hi Jacob,
BI that includes S_RS_AUTH with value "0BI_ALL"
This gives access to all the analysis authorizations which are under the infoareas/infocubes that you define in S_RS_COMP.
and some other objects in the same role like S_RS_COMP and S_RS_ICUBE are limited with some specific infoobject and reports.
This gives access to only those queries/reports under the InfoArea/InfoCube.
Which effect comes out of this case??
As mentioned, it gives authorization to all Analysis authorizations under the InfoAreas/InfoCubes that you define in S_RS_COMP.
From my view, this is like you have a "star" in the comp and icube object Anyone who can tell??
Or, what do you use in which case??
You are partially correct. It gives complete access when you maintain * at S_RS_COMP too.
Hope this helps!
Regards,
Raghu
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
09-14-2011 7:52 PM
Hi Jacob,
I know this question is marked as answered, but I just wanted to add some additional information that might help.
S_RS_AUTH is the authorization object used to specify analysis authorizations within a role. In your example, you're giving the analysis auth equivalent of SAP_ALL by assigning 0BI_ALL. Analysis authorizations say what data the user is allowed to see when running queries / reports.
S_RS_COMP is the authorization object used to control what a user can do with BEx queries. The infocubes specified in this auth obejct are the ones that the user is authorized to create queries against for instance. So it would be possible to allow a user to execute queries against all infocubes with analysis auth 0BI_ALL but only create queries against the infocubes listed in S_RS_COMP.
S_RS_ICUBE is the authorization object under the old security model in BW that you use to restrict a user to certain infocubes when executing queries. It is checked in BW 7.0 during query processing but will no longer be checked in BW 7.3. That version will use the new security model (analysis auths) only. To keep your security model clean, you should be using either the new or old model but not both.
In your example, the system should check S_RS_ICUBE and limit the user to the infocubes specified there. If you want to be 100% sure of what is getting checked, though, you can put an authorization trace on the user in ST01. If you want more detail on how the analysis auth is getting checked, you can go to the Analysis tab in rsecadmin and execute a query as your user to get a detailed log of what is getting checked in the anaylsis auth.
Regards,
Krysta
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
09-20-2011 8:47 AM
this in reply to your message
"S_RS_ICUBE is the authorization object under the old security model in BW that you use to restrict a user to certain infocubes when executing queries. It is checked in BW 7.0 during query processing but will no longer be checked in BW 7.3. That version will use the new security model (analysis auths) only. To keep your security model clean, you should be using either the new or old model but not both. "
I have tried providing S_RS_ICUBE and i got authorization error. The setting is Analysis Authorization in SPRO. So, S_RS_ICUBE is NOT checked in BW 7.
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
09-19-2011 2:42 PM
Hi
When you have 0BI_ALL then you are having access to all infoobjects(authorization relevant only) and their value is *
When you have limited access to S_RS_COMP & S_RS_ICUBE they are still limited only.
The above authorization that you have the user can have access to limited queries which is mentioned in S_RS_COMP with able to display all the records.
Regards
Hari
- SAP Managed Tags:
- Security
