Solved: BW authorization issue. - SAP Community

Application Development Discussions

Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.

Hi Guru's,

I have an issue with BW authorizations and I can't find an acceptable solution for it. Can you advise?

We run BW 7.0.

I have created analysis profiles with RSECADMIN and I have inderted them in object SRS_AUTH.

0CO_AREA and 0COMP_CODE are set to be authorisation relevant.

Query is set to retreive allowed values from authorizations.

0COMP_CODE is based on hierarchy.

All roles work just as designed: they restrict users to their own Business unit.

But!! Now I have some users who need to be assigned authorisations to 2 business units.

And they are the only two in their Business unit who needs this, so I just assigned them the relevant role for both Business units.

Thus, they have role A (0CO_AREA 2100, 0COMP_CODE 2138) and role B ((0CO_AREA 5400, 0COMP_CODE 5478)

Everything else in the role is the same for both.

No, when these users select e.g. CompCode 2138, they get a message : No authorisation. Same for 5478.

When I assign just one of these roles, they work just fine. When conbined, all ends in error.

Does anybode know how to solve this, other than create new analysis profile?

Many thanks in advance!

Regards, Luisella.

SAP Managed Tags:
Security

1 ACCEPTED SOLUTION

Hi,

First of all I should tell you that BI reports and analysis authorization doesn't work on similar lines as ECC Authorization Objects.

The basic reason being in BI, there is nothing called reports but they are queries and therefore authorization check happens through AND logic both intrinsic and extrinsic. However in ECC, check happens through OR logic between two nodes of same auth object and through AND logic within set of fields in the same node of auth object.

Therefore for BI queries, we will have to be very particular about the set of values we pass and dealing with multiple AA at the same time. So it is always advisable to keep AA as singular as possible from user assignment perspective.

To resolve this issue, I need to understand what values are being passed while executing reports?

1. Is there any input selection field for 0CO_AREA in the report? If yes, while passing Company Code - 2138 or 5478, what is the 0CO_AREA value passed? Ensure that it is not kept blank.

Can you check by passing the following set of values in the report :

(0CO_AREA 2100, 0COMP_CODE 2138) OR (0CO_AREA 5400, 0COMP_CODE 5478)

2. Also trace out AA while executing the report through RSECADMIN and check the authorization log for errors.

Let me know how it comes up.

Thanks,

Deb

SAP Managed Tags:
Security

7 REPLIES 7

Hi,

First of all I should tell you that BI reports and analysis authorization doesn't work on similar lines as ECC Authorization Objects.

The basic reason being in BI, there is nothing called reports but they are queries and therefore authorization check happens through AND logic both intrinsic and extrinsic. However in ECC, check happens through OR logic between two nodes of same auth object and through AND logic within set of fields in the same node of auth object.

Therefore for BI queries, we will have to be very particular about the set of values we pass and dealing with multiple AA at the same time. So it is always advisable to keep AA as singular as possible from user assignment perspective.

To resolve this issue, I need to understand what values are being passed while executing reports?

1. Is there any input selection field for 0CO_AREA in the report? If yes, while passing Company Code - 2138 or 5478, what is the 0CO_AREA value passed? Ensure that it is not kept blank.

Can you check by passing the following set of values in the report :

(0CO_AREA 2100, 0COMP_CODE 2138) OR (0CO_AREA 5400, 0COMP_CODE 5478)

2. Also trace out AA while executing the report through RSECADMIN and check the authorization log for errors.

Let me know how it comes up.

Thanks,

Deb

SAP Managed Tags:
Security

Hi Deb,

Thanks for your reply!

When I deactivate one role, it works.

When I deactivate the other, it works too.

When I combine both roles, it fails.

When I run the query as user via RSECADMIN, al goes well. I get results and the report shows no failed checks.

But when user executes query, he gets a "Not Authorised" message. No variants, no filters.

We fill in CO_area and correspronding Comp_code.

Hope this makes sense to you...

Regards, Luisella.

SAP Managed Tags:
Security

Then I would say, don't worry much on the authorization front. Your design is alright.

Please ask the BI team to look into the issue. Please ask them to check the design of the report and the way they have configured to work with Variants (Input selections).

How is the i-step configuration done? (i-step 1, 2 and 3).

As you said you are entering CO_AREA and corresponding Company Code in the Input selection, what does the query do with that? Is there any i-step configured to validate the input values with what user has access to?

Based on your reply, I feel the query is not designed in the front end to handle such scenarios.

Thanks,

Deb

SAP Managed Tags:
Security

Hi Deb,

I checked with our BW consultants and they explained to me that since we are using authorization variables it is not necessary to configure the i-step. Since i-steps are used for user-exits variables. Do you suggest to create user exits for authorizations?

Surely there should be a less invasive solution?

Thanks, Luisella.

SAP Managed Tags:
Security

Ok..So how BI Team is planning to handle multiple analysis authorizations assigned to an user using authorization variable?

What is the level of check they have incorporated in their queries when user have access to multiple combination of values.

What I have understood from your replies is that there is no issue with your analysis auth design. Also if an user is passing a set of values like correct combination of CO_AREA and Company Code then the query should check whether the user has access to this combination or not.

Please request BI team to take this up and handle such scenarios where multiple analysis auths are assigned. Otherwise for all such cases you will have to create a new role and new AA which will have both these values.

Ideally I feel this requirement can be fulfilled by BI Team, not Security.

Thanks,

Deb

SAP Managed Tags:
Security

As mentioned earlier by Deb, BI authorization works in combination (AND function). So you have assign both of them then it is looking for the cross combination I believe. This is a very strange thing in BI, like if you give S_RS_FOLD then there is a question of restriction otherwise user get access to role folder by default. Anyway, I think you require to combine these two AA into one or modify the query for specific authorization combination.

Regards,

Arpan Paik

SAP Managed Tags:
Security

Hi Deb,

I did some testing with the BI team: we will adjust queries where relevant.

We have already set 0COMP_CODE and 0CO_AREA to be filled from authorisations. We will now also set the query to display this data as soon as user opens query. This way we prevent either of these values to be left blank, which will cause the AND logic to fail the check. If user wants to see only subset of what he is authorized to see, he can adjust after initial filling.

this seems to work.

Thank you very much for your help and expelantion.

Regards, Luisella.

SAP Managed Tags:
Security