on 09-24-2012 2:31 PM
Hi Gurus,
I wish to restrict my end users with access to BI content queries defined over the DSO 0LIV_DS01.
I created a role in PFCG and i have manually added the authorization Object S_RS_COMP & S_RS_COMP1 to my role.
I have included the following to S_RS_COMP
Activity Display, Execute
InfoArea 0MMLIV
InfoCube 0MMLIV*
Name (ID) of a reporting compo 0LIV_*
Type of a reporting component Calculated key figure, Query View, Query, Restricted key figure <...>
also added the following to my authorization object S_RS_COMP1
Activity Display, Execute
Name (ID) of a reporting compo 0LIV_DS01*
Type of a reporting component Calculated key figure, Query View, Query, Restricted key figure <...>
Owner (Person Responsible) for *
When i execute the query, 0LIV_DS01_Q0001 neither the variable popup comes nor the report displays data.
But the same report displays data for the user with all of the authorizations.
Why so? am i missing something?
I am assuming you are using BW 7.0 version. If yes, you should be using analysis authorisations.
You need to use provide authorisations for the following objects through analysis authorisations(either directly to the user or through a role) and, in addition, to any infoobject that is part of your DSO, which is already marked as authorisation relevant.
-
0TCAACTVT
0TCAIPROV
0TCAKYFNM
0TCAVALID
Read up more about this concept here - http://help.sap.com/saphelp_nw70ehp2/helpdata/en/66/019441b8972e7be10000000a1550b0/content.htm
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi sidharth,
You are right. i am in BI 7.3 version. I have started to use RSECADMIN t-code.
As you had mentioned earlier, "You need to use provide authorisations for the following objects through analysis authorisations(either directly to the user or through a role)"
1. In the RSECADMIN t-code i have copied, 0BI_ALL to ZBI_ALL and i have restricted the infoprovider 0TCAIPROV(infoprovider) to 0LIV_DS01 & 0TCAACTVT (Activity in Analysis Authorizations) to 3(display). But i am unable to restrict reports here, i need the user to access only the reports 0LIV_DS01_Q0001, 0LIV_DS01_Q0002 and 0LIV_DS01_Q0003. Do we have to use 0TCTELEMTYP & 0TCTSTATOBJ ? if yes, how to use them?
2. I have created a role and i have restricted the queries using S_RS_COMP and S_RS_COMP1. I have added the analysis authorization object ZBI_ALL via S_RS_AUTH. Now the user is able to access only the queries i have mentioned in the S_RS_COMP & S_RS_COMP1. Is this approach right?
3. How to find the authorization enabled infoobject used in the dso? do we have any table for it?
Hi,
Ans 2: You have to restrict queries in S_RS_COMP and S_RS_COMP1 with query names or pattern, this approach is right. If you want to restrict user with values of any infoobject then you have to maintain it in
analysis authorization object ZBI_ALL* (Your custom analysis authorization created using RESECADMIN)
Ans. 3:You can find authorization relevant infoobjects used in infoproviders in RESECADMIN T code
rsecadmin T code -> Maintain authorization -> Infocube authorization -> select infoprovider (DSO Cube etc)-> you will get list of authorization relevant infoobjects used in that infoprovider.
Regards,
Avinash
Hi,
Along with S_RS_COMP and S_RS_COMP1 include S_RS_AUTH in defined Role here you have to include Analysis auth. object (In BI 7.0, Create Analysis auth object using RSECADMIN and follow steps given in above post by Sidharth)
Note: 0BI_ALL analysis auth. object will have all the BI objects authorization which is generally used user with all of the authorizations in S_RS_AUTH.
Regards,
Avinash
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
any updates please?
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Please give it some time before bumping your thread. It might also help to post your thread in the correct space
Since this question is about BW, it belongs in the BW space. I have moved it, but please try to use the BW space for these types of questions in the future. For this particular question, one of the security spaces may also be a good option.
Thanks,
Ethan
(moderator)
User | Count |
---|---|
88 | |
10 | |
10 | |
9 | |
7 | |
7 | |
6 | |
5 | |
4 | |
4 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.