https://community.sap.com/t5/application-development-and-automation-discussions/interpreting-rsecadmin-trace-bi-analysis-authorizations/m-p/5694785#M1293836 <HTML><HEAD></HEAD><BODY><P>Hi Benjamin,</P><P></P><P>I asked the same question [here|<A class="jive_macro jive_macro_message" href="https://community.sap.com/" __jive_macro_name="message" modifiedtitle="true" __default_attr="6432926"></A>;</P><P>Apparently nobody knows what these figures are representing <SPAN __jive_emoticon_name="sad"></SPAN></P><P></P><P>If do find the answer though, please share it here.</P><P></P><P>Kind regards,</P><P></P><P>Lodewijk Borsboom</P></BODY></HTML> Fri, 03 Jul 2009 09:24:30 GMT l_borsboom 2009-07-03T09:24:30Z https://community.sap.com/t5/application-development-and-automation-discussions/interpreting-rsecadmin-trace-bi-analysis-authorizations/m-p/5694783#M1293834 <HTML><HEAD></HEAD><BODY><P>Dear Experts,</P><P></P><P>Recently, one of the users ran a query and encountered an authorization issue. I logged his ID into RSECADMIN and after he re-ran the query with authorization issues, I took a look at the trace logs and found a section with errors:</P><P></P><P><STRONG>Following Set Is Checked</STRONG> </P><P>Characteristic Contents </P><P>0CS_GROUP Node 3 12 0 1185 7 </P><P></P><P><STRONG>Comparison with Following Authorized Set</STRONG></P><P>Characteristic Contents </P><P>0CS_GROUP Node 1 Node 2 Node 3 Node 4 Node 5</P><P></P><P>My interpretation is that this user has authorizations for Node 1 - 5, but what I do not understand is:</P><P></P><P>0CS_GROUP Node 3 12 0 1185 7</P><P></P><P>I know it is checking for the characteristic 0CS_GROUP but what does the "Node 3 12 0 1185 7" represent?</P><P></P><P>Any help in interpreting this is greatly appreciated!</P></BODY></HTML> Fri, 05 Jun 2009 16:56:38 GMT https://community.sap.com/t5/application-development-and-automation-discussions/interpreting-rsecadmin-trace-bi-analysis-authorizations/m-p/5694783#M1293834 Former Member 2009-06-05T16:56:38Z https://community.sap.com/t5/application-development-and-automation-discussions/interpreting-rsecadmin-trace-bi-analysis-authorizations/m-p/5694784#M1293835 <HTML><HEAD></HEAD><BODY><P>Confusing: Up to know I had know the <STRONG>report</STRONG> RSECADMIN which deals with the secure storage, but this questions is about <STRONG>transaction</STRONG> RSECADMIN, which manages the analysis authorizaions in BI... I've added a note about the component into the heading of this thread.</P><P></P><P>Kind regards</P><P>Frank</P></BODY></HTML> Thu, 02 Jul 2009 14:14:33 GMT https://community.sap.com/t5/application-development-and-automation-discussions/interpreting-rsecadmin-trace-bi-analysis-authorizations/m-p/5694784#M1293835 Frank_Buchholz 2009-07-02T14:14:33Z https://community.sap.com/t5/application-development-and-automation-discussions/interpreting-rsecadmin-trace-bi-analysis-authorizations/m-p/5694785#M1293836 <HTML><HEAD></HEAD><BODY><P>Hi Benjamin,</P><P></P><P>I asked the same question [here|<A class="jive_macro jive_macro_message" href="https://community.sap.com/" __jive_macro_name="message" modifiedtitle="true" __default_attr="6432926"></A>;</P><P>Apparently nobody knows what these figures are representing <SPAN __jive_emoticon_name="sad"></SPAN></P><P></P><P>If do find the answer though, please share it here.</P><P></P><P>Kind regards,</P><P></P><P>Lodewijk Borsboom</P></BODY></HTML> Fri, 03 Jul 2009 09:24:30 GMT https://community.sap.com/t5/application-development-and-automation-discussions/interpreting-rsecadmin-trace-bi-analysis-authorizations/m-p/5694785#M1293836 l_borsboom 2009-07-03T09:24:30Z https://community.sap.com/t5/application-development-and-automation-discussions/interpreting-rsecadmin-trace-bi-analysis-authorizations/m-p/5694786#M1293837 <HTML><HEAD></HEAD><BODY><P>Frank: Thanks for adjusting the title.</P><P></P><P>Lodewijk: It seems there is no sense in those node numbers. When I first ran RSECADMIN trace, I was figuring it would be just as straightforward as SU53 - at least that would tell you EXACTLY what you are missing. However, RSECADMIN trace is cryptic sometimes and it's very difficult with no official documentation. Not even the experts here seem to know. About the only thing that helps is when they tell you 'EYE007' (authorization error) and the node/characteristic that the error is happening on. Then you can sort of look through the user's roles and compare against the variable selection criteria.</P><P></P><P>Anyhow, I would love to find out what those Node numbers mean as well. I asked a fellow BI Security consultant doing this for a couple of years and he was unable to tell me as well.</P></BODY></HTML> Fri, 03 Jul 2009 15:01:50 GMT https://community.sap.com/t5/application-development-and-automation-discussions/interpreting-rsecadmin-trace-bi-analysis-authorizations/m-p/5694786#M1293837 Former Member 2009-07-03T15:01:50Z https://community.sap.com/t5/application-development-and-automation-discussions/interpreting-rsecadmin-trace-bi-analysis-authorizations/m-p/5694787#M1293838 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>These node numbers does not have any meaning.</P><P></P><P>However you can go through SAP Note 1234567 - The authorization log RSECADMIN.</P><P></P><P>There you can check the paragraph </P><P></P><P> </P><P>Under the heading</P><P> The Following Hierarchy Authorizations Were Found",</P><P> there is a list of the hierarchy authorizations of the user.</P><P>The fields TCTAUTH and TCTIOBJNM again specify the authorization and</P><P>characteristic names. The fields HIESID and HIEID have no significance in</P><P>this context. The fields TCTHIENM und TCTHIEVERS and TCTHIEDATE are three</P><P>specifications that generally and precisely define each hierarchy of a</P><P>characteristic in a BI system: Hierarchy name, version and date (valid-to).</P><P>The fields TCTNIOBJNM and TCTNODE precisely define the authorized node.</P><P>TCTNODE is simply the technical node name.</P><P>TCTNIOBJNM specifies the node type.</P><P>a) If TCTNIOBJNM = 0HIER_NODE, then a text node with the name</P><P>&lt;TCTNODE&gt; is authorized.</P><P>b) If TCTNIOBJNM is blank, a hierarchy leaf with the given name is</P><P>authorized.</P><P>c) If TCTNIOBJNM has the same name as the hierarchy-defining</P><P>characteristic, a chargeable node is authorized.</P><P>CAUTION The node type is relevant for the authorization. For example: A</P><P>hierarchy authorization for a text node cannot directly authorize a</P><P>chargeable node with the same name.</P><P></P><P>Regards</P><P>Imran</P><P></P><P>Edited by: Imran Mulani on Jul 5, 2009 9:10 AM</P><P></P><P>Edited by: Imran Mulani on Jul 5, 2009 9:11 AM</P></BODY></HTML> Sun, 05 Jul 2009 07:10:27 GMT https://community.sap.com/t5/application-development-and-automation-discussions/interpreting-rsecadmin-trace-bi-analysis-authorizations/m-p/5694787#M1293838 Former Member 2009-07-05T07:10:27Z https://community.sap.com/t5/application-development-and-automation-discussions/interpreting-rsecadmin-trace-bi-analysis-authorizations/m-p/5694788#M1293839 <HTML><HEAD></HEAD><BODY><P>Imran: Thank you very much for leading me to SAP Note 1234567. This is some helpful information in there!</P></BODY></HTML> Mon, 06 Jul 2009 13:49:51 GMT https://community.sap.com/t5/application-development-and-automation-discussions/interpreting-rsecadmin-trace-bi-analysis-authorizations/m-p/5694788#M1293839 Former Member 2009-07-06T13:49:51Z