topic Re: BI Authorization Issue in Application Development and Automation Discussions

BI Authorization Issue

Former Member — Fri, 11 Mar 2011 04:50:57 GMT

Hi Gurus,

We are having problem with analysis authorizations for a particular query. The report is for the vendor balance, it has balance, cumulative balance as key figures and vendor as characteristics. We wanted to restrict the report by account group level. we have 4 account groups. The account group is a navigational attribute of creditor account group. account group [char] is auth relevant but the creditor account group [char] is not. so we gave respective auth group for accnt grp [char] but the query fails. The analysis log is follows, any help will be appreciated

Authorization Check

Detail Check for InfoProvider ZFIAP_S01

Preprocessing:

Selection Checked for Consistency, Preprocessed and Supplemented As Needed

Subselection (Technical SUBNR) 1

Check Node Definitions and Value Authorizations...

Node- and Value Authorizations Are OK

End of Preprocessing

Filling the Buffer...

...Buffer Filled

Main Check:

Subselection (Technical SUBNR) 1

Supplementation of Selection for Aggregated Characteristics

No Check for Aggregation Authorization Required

Following Set Is Checked Comparison with Following Authorized Set Result Remaining Set

Characteristic Content in SQL Format

0ACCNT_GRPV

0TCAACTVT

0TCAACTVT = '03'

AND 0ACCNT_GRPV LIKE *

Characteristic Content in SQL Format

0ACCNT_GRPV I EQ :

I EQ ZCON

I EQ ZCOR

I EQ ZFRN

I EQ ZGAR

0TCAACTVT I CP *

Partially or Fully Authorized (Intersection) Characteristic Content in SQL Format

0ACCNT_GRPV

0TCAACTVT

NOT 0ACCNT_GRPV IN ('ZCON','ZCOR','ZFRN','ZGAR')

AND 0TCAACTVT = '03'

Value selection partially authorized. Check of remainder at end

Following Set Is Checked Comparison with Following Authorized Set Result Remaining Set

Characteristic Content in SQL Format

0ACCNT_GRPV

0TCAACTVT

NOT 0ACCNT_GRPV IN ('ZCON','ZCOR','ZFRN','ZGAR')

AND 0TCAACTVT = '03'

Characteristic Content in SQL Format

0ACCNT_GRPV I EQ :

I EQ ZCON

I EQ ZCOR

I EQ ZFRN

I EQ ZGAR

0TCAACTVT I CP *

Not Authorized

All Authorizations Tested

Message EYE007: You do not have sufficient authorization

No Sufficient Authorization for This Subselection (SUBNR)

Following CHANMIDs Are Affected:

2596 ( ZFIAP_S01___F2 )

Authorization Check Complete

Re: BI Authorization Issue

sivakumar_kilari3 — Fri, 11 Mar 2011 05:36:44 GMT

Hi,

1) Make sure that you use the objects 0TCAACTVT, 0TCAIPROV and 0TCAVALID in your analysis authorization.

2) Make sure that you also have assign to this analysis authorization all characteristics that are "Authorization relevant" .

3) If the consolidation group is authorization relevant, always put " * ".

Regards

Siva

Re: BI Authorization Issue

Former Member — Fri, 11 Mar 2011 05:56:53 GMT

Hi,

As per SAP Note 642072 (Authorization check on : for char./navigation attribute):

In new BI 7.x releases, the authorization logic has been enhanced and navigation attributes have the same status as 'normal' characteristics. An overlay of characteristic A and navigation attribute B__A no longer occurs. They are now treated as completely seperate objects.

As you said, account group (0ACCNT_GRPV) is a navigational attribute of creditor account group (say 0CREDITOR), so the characteristics here becomes 0CREDITOR__0ACCNT_GRPV. So you have to mark 0CREDITOR__0ACCNT_GRPV as auth relevant by tcode RSD1~~> go to 0CREDITOR~~> in attribute tab check 0ACCNT_GRPV as auth relevant and activate it.

As per the trace you posted, it seems currently its just checking for 0ACCNT_GRPV and not 0CREDITOR__0ACCNT_GRPV which is treated as separate entity in BI7.x versions.

Also, for restriction on navigational attributes, you need to create an authorization variable on your navigational attribute (i.e 0CREDITOR__0ACCNT_GRPV ) and make it input ready in your query. This will pull the user's authorized values and input them into the query. Also, maintain the desired authorized values for your navigation attribute (0CREDITOR__0ACCNT_GRPV) in the Analysis authorization assigned to the user. Leaving it blank or no values entered will make the query check for "*".

P.S (edited): Most importantly, the query should have a check on auth relevant characteristics (in your case 0CREDITOR__0ACCNT_GRPV) otherwise it is not possible to restrict the characteristics to specific values and BI will by default check for "*" and atleast ":" has to be added to the analysis authorization for successful execution of query but that does not serve the purpose as ":" shows aggregated data for all account groups. Please see note # 1140831

Hope this helps!

Sandipan

Edited by: Sandipan Choudhury on Mar 11, 2011 12:36 PM

Re: BI Authorization Issue

Former Member — Mon, 21 Mar 2011 21:28:16 GMT

Hey siva & sandipan,

Both of your answer's helped a lot. Finally the BI team has to tweak their query to fix the issue. It seem's that the navigational attribute was not really necessary. Thanks for the help. Assigning points for both of you and closing this thread

Edited by: saranya.j on Mar 21, 2011 10:29 PM