cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

"*" Authorization on Navigational Attribute throws an error...

Former Member

on ‎08-27-2012 10:52 AM

0 Kudos

Dear Gurus,

I am getting an error when I assign * authorizations on a navigational attribute of 0PLANT characteristic.  When I assign single or multiple values I am not getting any error message. 

The message says .  You do not have authorizations to any values of Characteristic 0PLANT_XXXXXXXX.  Has anyone got any idea about what could be the reason for this error.

Do I need to restrict any values along with ' * ' in the RSECADMIN transaction.  Please throw some light on this issue.

I tried posting the same question in the Security forum which was of no help.  So thought of posting it here.,

Thanks in Advance

Mohan Kumar

Show replies
Show replies
Answer

Accepted Solutions (0)

Answers (3)

Answers (3)

jagadeesh_mandepudi2
Active Contributor
‎08-28-2012 11:17 AM
0 Kudos

Hi

Seems to be you are using 0PLANT varible instead of 0PLANT__YAUTHPLNT, because in authorizations if you are using navigational attribute then have to create separate variable for that object and info object level in attributes tab you need to enable authorization relavent for that attribute. so please do abobe chanegs and it will work,

Jagadeesh

Show replies
Show replies
Former Member
‎08-28-2012 12:54 PM
0 Kudos

Hi Jagadeesh,

Thank you for sparing your valuable time.  I don't have any variable on 0PLANT in the query.  I only have a variable with processing type Authorization relevant on the Navigational Attribute.  And if we don't flag a Navigational Attribute in Attributes tab of Info Object as auth relevant we will not be able to restrict any values of it in RSECADMIN.

- Mohan

former_member182516
Active Contributor
‎08-27-2012 11:11 AM
0 Kudos

Hi Mohan,

error clearly says that you don't have authorizations.

there might be some authorization object created for plan which is not part of your roles.

do one thing inorder find the missing auth object, perform what you were doing. you will get the error message.

now run the transaction SU53. this will display the missing Authorization object.

or

run the Authorization trace using ST01 transaction.

Regards

KP

Show replies
Show replies
Former Member
‎08-27-2012 12:25 PM
0 Kudos

Hi KP,

Thanks for your valuable time.  I am the administrator here.  I am running a query in order to test authorizations of an user using the analyse option available in RSSECADMIN transaction.

-Mohan

Former Member
‎08-27-2012 12:27 PM
0 Kudos

Hi Mohan,

Have you executed the report as I said above?

Br,

H

Former Member
‎08-28-2012 8:48 AM
0 Kudos

Hi Harish,

I have executed the report but there was no much help from doing it.  Another important thing is the 0BI_ALL authorization is working fine from the beginning.

We have actually upgraded our system from 3.5 to 7.2 and I am getting this issue after migrating the authorizations to the new concept.  The " * " auths worked fine in the development system previously.

- Mohan

Former Member
‎08-28-2012 9:08 AM
0 Kudos

Hi Mohan,

After you got the error message, can you navigate to transaction SU53 and check for the missing values and authorizations, nevertheless you are the admin.

Br,

H

Former Member
‎08-28-2012 11:00 AM
0 Kudos

Hi Harish,

I am actually executing the report using the Execute as option in the RSECADMIN transaction.  And this user has got full authorization ( * ) for the 0PLANT_YAUTHPLANT (navigational attr).  But still the system throws the following error...

I am pasting below the Authorization check log which is generated in RSECADMIN.  I also have attached the screenshot or SU53 right below the log.

Thanks

Mohan

Authorization Check Log

For a general description see the Note 1234567

Date and Execution Time (Local Server)

Execution Date: 28.08.2012

Execution Time: 11:44:12

Executed Query: SDC_001_M/IT_SD_UP_Q0013

Transaction RSRT ( BW - Output Test )

Executed by User VMARACHI

Executed with Analysis Authorizations of Another User REPTEST101

Software Component Release Level Support Package
SAP_BASIS 702 0009 SAPKB70209
SAP_ABA 702 0009 SAPKA70209
SAP_BW 702 0009 SAPKW70209

  InfoProvider Check 

Building the Buffer...

...Buffer Built

Are there authorizations for accessing InfoProvider SDC_001_M with activity 03?

Authorization exists for general access to InfoProvider SDC_001_M with activity 03

  Relevant Characteristics for Detailed Authorization Check 

(Characteristics with Full Authorization Are Not Listed!)

  List of Effective Authorization-Relevant Characteristics for InfoProvider SDC_001_M: 

Characteristic
0PLANT__YAUTHPLNT
ZUP_PTYPE
0TCAACTVT

  Authorization Check 
  Detail Check for InfoProvider SDC_001_M 

  Preprocessing: 
Selection Checked for Consistency, Preprocessed and Supplemented As Needed
Subselection (Technical SUBNR) 1
Check Node Definitions and Value Authorizations...
Node- and Value Authorizations Are OK
End of Preprocessing

Filling the Buffer...
...Buffer Filled
  Main Check: 

  Subselection (Technical SUBNR) 1 
Supplementation of Selection for Aggregated Characteristics
  Check Added for Aggregation Authorization:    0PLANT__YAUTHPLNT 

  Authorizations missing for aggregation (":") 

Char. Y_IPROV_ALL
0PLANT__YAUTHPLNT   Empt 



Entries marked with red do not have aggregation authorization
You can find more information about checking aggregation authorization in Note: 1140831

  The authorization check stops here as this selection is no longer needed 

  Message EYE007: You do not have sufficient authorization 
  No Sufficient Authorization for This Subselection (SUBNR) 
Following CHANMIDs Are Affected:
492 ( ZUP_PTYPE )
  Authorization Check Complete 

Former Member
‎08-28-2012 11:44 AM
0 Kudos

Hi Mohan,

Thanks for taking your time in explaining your issue with screen captures.

Are both VMARACHI and REPTEST101 has same authorizations?

If so, have you created a separate authorization value for 0PLANT_YAUTHPLANT hierarchy?

If not, create an authorization value for this, and assign it to a Role via an authorization object.

Now assign this role to the user REPTEST101 and check whether it's working.

Br,

H

Former Member
‎08-28-2012 12:50 PM
0 Kudos

Hi Harish,

VMARACHI is my ID which is having SAP_ALL and 0BI_ALL authorizations which means if I try to open any report it gives me the results without throwing any authorization errors.

REPTEST101 is a test user which has " * " authorizations to 0PLANT_YAUTHPLANT   which is an attribute of 0PLANT characteristic.  0PLANT has hierarchies and maintaining authorizations on 0PLANT characteristic values and Hierarchies was a big challenge for us.  So, we came up with a solution of creating a navigational attr on plant and assign authorizations based on that which will inturn control the Hierarchy authorizations according to values as well.,

 

The only issue that I have now is assigning individual values (e.g 0001, 0002, 0003 etc using analysis authorizations (RSECADMIN))of plant to the user 0REPTEST101 using adifferent role does not throw any error.  And when I created an analysis authorization on plant all values i.e * throws an error.  And that too the error description the log shows is "" Authorizations Missing Aggregation (:) is definitely unexpected.  In normal scenarios the individual values authorizatoins throw lots of errors like this not the ones with * .

Regards

Mohan

Former Member
‎08-27-2012 11:04 AM
0 Kudos

Hi Mohan,

Might be an issue with 0BI_ALL authorization.

Execute the report RSEC_GENERATE_BI_ALL to complete the authorizations and check again.

Br,

H

Show replies
Show replies
Former Member
‎08-27-2012 12:27 PM
0 Kudos

Hi Harish,

Thank you for the reply.  I tried to run the report but there was no help. It still shows the same error.

Regards

Mohan

Ask a Question