Question Re: Problem defining two analysis authorizations for one user in Technology Q&A

Problem defining two analysis authorizations for one user

BeateQ — Tue, 10 Dec 2013 14:25:32 GMT

Hello,

I have the following requirement according to analysis authorizations, but after reading several discussion, help documents and notes I think it is insolvable - or has anyone an idea? We are on BI 7.0

I have two authorization relevant info objects in an Info Provider, info object 0FUNDS_CTR and 0PU_MEASURE. Now it should be possible, that a user has, for example, authorization for 0FUNDS_CTR value 10 and on this funds center a restriction on 0PU_MEASURE values L1,L2, L3.

He should also have authorization for 0FUNDS_CTR value 20, but on this he should only see 0PU_MEASURE value L4 (and not L1,L2 and L3).

So I defined two analysis authorizations:

AUTH1:

0FUNDS_CTR: 10

0PU_MEASURE: L1, L2, L3

AUTH2:

0FUNDS_CTR: 20

0PU_MEASURE: L4

I assigned this two analysis authorizations to the user.

In the query on the Info Provider, I defined selections on 0FUNDS_CTR and 0PU_MEASURE with authorization variables.

But when executing the query for the user, authorization check fails.

Reading note 1233793, 1000004, 1234567 I understood why this happens:

First, the following is analyzed:

0FUNDS_CTR IN ('10','20')

AND 0TCAACTVT = '03'

AND 0PU_MEASURE LIKE *

It is proved against AUTH1 and a remaining set that is not yet authorized is determined for L4.

No authorization for 0FUNDS_CTR 10 and 0PU_MEASURE L4 is found, so the authorization check fails (some other following checks fail, too).

So, has anybody an idea whether it is possible to implement a query, so that for the first funds center 10 only L1,L2,L3 is authorized for this user and for the second funds center 20 only L4 is displayed? We have a lot of 0FUNDS_CTR/0PU_MEASURE combinations and assignments to users, so that a authorization based solution seems to be the only way....

Best Regards

Beate

Re: Problem defining two analysis authorizations for one user

former_member182343 — Tue, 10 Dec 2013 14:51:04 GMT

Hi,

Did you execute report using RSECADMIN and verify logs. Kindly paste those logs here.

While creating authorization object using T code RSECADMIN - check whether you have restricted values proper or not.

Here you need to assign authorization object to Roles , right. How come you assigned created authorization abject to directly user?

Best Wishes.Vijay

Re: Problem defining two analysis authorizations for one user

former_member182343 — Tue, 10 Dec 2013 14:56:42 GMT

I suggest you to create:

1st Auth object using RSECADMIN - with values -

0FUNDS_CTR: 10

0PU_MEASURE: L1, L2, L3

0TCAACTVT = '03'

Then assign this object to ROLE1(lets say) and assihn this ROLE1 to User.

2nd Authorisation Objcet using RSECADMIN - with values -

0FUNDS_CTR: 20

0PU_MEASURE: L4

0TCAACTVT = '03'

Then assign this Auth object (2nd) to ROLE2(lets say) and assihn this ROLE2 to User.

Regards,

Vijay

Re: Problem defining two analysis authorizations for one user

MGrob — Tue, 10 Dec 2013 18:08:27 GMT

Have you checked in RSECADMIN what the authorization log suggests the issue is? I believe this should be possible and work. Try to define the variables differently or assign the ":" value to allow the aggregated values.

hope that helps

Martin

Re: Problem defining two analysis authorizations for one user

BeateQ — Wed, 11 Dec 2013 07:44:57 GMT

Hi,

Thanks for your advices, but they don't help.

I tested the different role solution, although it is not practicable for us as we have a lot of funds centers and we want to generate the analysis authorizations - nevertheless, it didn't work.

So, the problem is that beside having a lot of 0FUNDS_CTR/0PU_MEASURE combinations, every user can have the authority for a lot of funds centers.

I think, the main problem is, that in a query I can't select on characteristic combination (in the sense of: if you have fundscenter A then select 0PU_MEASURE values L1 and L2, if you have fund center B, then choose L3 and L4...). Defining this in a structure with selection for each fund center would be a hard work, also working with different variables seems to be no solution for me...

So, the result of the rsecadmin check looks like this:

I have two analysis authorizations assigned to my test user:

AUTH1:

0FUNDS_CTR: 101250

0PU_MEASURE:H1705, L01, L61

0TCAACTVT = '03'

AUTH2:

0FUNDS_CTR: 324600

0PU_MEASURE:H0066,L35

0TCAACTVT = '03'

-------------------------------------------------------------------------------------

Protokoll der Berechtigungsprüfung

Eine allgemeine Beschreibung finde Sie in Hinweis1234567

Datum und Ausführungszeit (auf lokalem Server)

Ausführungsdatum:11.12.2013

Ausführungszeit: 08:17:53

Ausgeführte Query: C_0PU_KLE/YREP_KTO_LHH_EINZEL

Transaktion RSRT ( BW - Test der Ausgabe )

Ausgeführt durch Benutzer BQUESTER

Ausgeführt mit Analyseberechtigungen eines anderen Benutzers PRTUSR1

Softwarekomponente	Release	Level	Support Package
SAP_BASIS	700	0029	SAPKB70029
SAP_ABA	700	0029	SAPKA70029
SAP_BW	700	0031	SAPKW70031

InfoProvider-Prüfung

Aufbau des Puffers...

...Puffer aufgebaut

Gibt es Berechtigungen für den Zugriff auf InfoProvider C_0PU_KLE mit Aktivität 03?

Berechtigung für allgemeinen Zugriff auf InfoProvider C_0PU_KLE mit Aktivität 03 vorhanden

Relevante Merkmale für die detaillierte Berechtigungsprüfung

(Merkmale mit voller Berechtigung werden nicht aufgelistet!)

Liste der effektiv berechtigungsrelevanten Merkmale für InfoProvider C_0PU_KLE:

Merkmal

0FUNDS_CTR

0PU_MEASURE

Berechtigungsprüfung
Detail-Prüfung für InfoProvider C_0PU_KLE

Vorverarbeitung:
Selektion wird auf Konsistenz überprüft, vorverarbeitet und eventuell ergänzt
Teilselektion (technisch SUBNR) 1
Überprüfe Knotendefinitionen und Werteberechtigungen...
Knoten- und Werteberechtigungen sind in Ordnung
Ende der Vorverarbeitung

Füllen des Puffers...
...Puffer gefüllt
Hauptprüfung:

Teilselektion (technisch SUBNR) 1
Ergänzung der Selektion für aggregierte Merkmale
Keine Prüfung auf Aggregationsberechtigung notwendig

Folgende Menge wird geprüft

Vergleich mit folgender berechtigten Menge

Ergebnis

Restmenge

Merkmal	Inhalt (in SQL-Format)
0FUNDS_CTR 0PU_MEASURE 0TCAACTVT	0FUNDS_CTR IN ('101250','324600') AND 0PU_MEASURE IN ('H0066','H1705','L01','L35','L61') AND 0TCAACTVT = '03'

Merkmal	Inhalt
0FUNDS_CTR	I EQ 101250
0PU_MEASURE	I EQ H1705 I EQ L01 I EQ L61
0TCAACTVT	I CP *

Teilweise oder ganz berechtigt (Schnittmenge)

Merkmal	Inhalt (in SQL-Format)
0FUNDS_CTR 0PU_MEASURE 0TCAACTVT	0FUNDS_CTR = '101250' AND 0PU_MEASURE IN ('H0066','L35') AND 0TCAACTVT = '03' OR 0FUNDS_CTR = '324600' AND 0PU_MEASURE IN ('H0066','H1705','L01','L35','L61') AND 0TCAACTVT = '03'

Werte-Selektion teilweise berechtigt. Prüfung Rest(e) am Ende.

Folgende Menge wird geprüft

Vergleich mit folgender berechtigten Menge

Ergebnis

Restmenge

Merkmal	Inhalt (in SQL-Format)
0FUNDS_CTR 0PU_MEASURE 0TCAACTVT	0FUNDS_CTR = '101250' AND 0PU_MEASURE IN ('H0066','L35') AND 0TCAACTVT = '03' OR 0FUNDS_CTR = '324600' AND 0PU_MEASURE IN ('H0066','H1705','L01','L35','L61') AND 0TCAACTVT = '03'

Merkmal	Inhalt
0FUNDS_CTR	I EQ 101250
0PU_MEASURE	I EQ H1705 I EQ L01 I EQ L61
0TCAACTVT	I CP *

Nicht berechtigt

Folgende Menge wird geprüft

Vergleich mit folgender berechtigten Menge

Ergebnis

Restmenge

Merkmal	Inhalt (in SQL-Format)
0FUNDS_CTR 0PU_MEASURE 0TCAACTVT	0FUNDS_CTR = '101250' AND 0PU_MEASURE IN ('H0066','L35') AND 0TCAACTVT = '03' OR 0FUNDS_CTR = '324600' AND 0PU_MEASURE IN ('H0066','H1705','L01','L35','L61') AND 0TCAACTVT = '03'

Merkmal	Inhalt
0FUNDS_CTR	I EQ 324600
0PU_MEASURE	I EQ H0066 I EQ L35
0TCAACTVT	I CP *

Teilweise oder ganz berechtigt (Schnittmenge)

Merkmal	Inhalt (in SQL-Format)
0FUNDS_CTR 0PU_MEASURE 0TCAACTVT	0FUNDS_CTR = '101250' AND 0PU_MEASURE IN ('H0066','L35') AND 0TCAACTVT = '03' OR 0FUNDS_CTR = '324600' AND 0PU_MEASURE IN ('H1705','L01','L61') AND 0TCAACTVT = '03'

Werte-Selektion teilweise berechtigt. Prüfung Rest(e) am Ende.

Folgende Menge wird geprüft

Vergleich mit folgender berechtigten Menge

Ergebnis

Restmenge

Merkmal	Inhalt (in SQL-Format)
0FUNDS_CTR 0PU_MEASURE 0TCAACTVT	0FUNDS_CTR = '101250' AND 0PU_MEASURE IN ('H0066','L35') AND 0TCAACTVT = '03' OR 0FUNDS_CTR = '324600' AND 0PU_MEASURE IN ('H1705','L01','L61') AND 0TCAACTVT = '03'

Merkmal	Inhalt
0FUNDS_CTR	I EQ 101250
0PU_MEASURE	I EQ H1705 I EQ L01 I EQ L61
0TCAACTVT	I CP *

Nicht berechtigt

Folgende Menge wird geprüft

Vergleich mit folgender berechtigten Menge

Ergebnis

Restmenge

Merkmal	Inhalt (in SQL-Format)
0FUNDS_CTR 0PU_MEASURE 0TCAACTVT	0FUNDS_CTR = '101250' AND 0PU_MEASURE IN ('H0066','L35') AND 0TCAACTVT = '03' OR 0FUNDS_CTR = '324600' AND 0PU_MEASURE IN ('H1705','L01','L61') AND 0TCAACTVT = '03'

Merkmal	Inhalt
0FUNDS_CTR	I EQ 324600
0PU_MEASURE	I EQ H0066 I EQ L35
0TCAACTVT	I CP *

Nicht berechtigt

Alle Berechtigungen getestet
Meldung EYE007: Sie haben keine ausreichende Berechtigung

Keine ausreichende Berechtigung für diese Teilselektion (SUBNR)
Folgende CHANMIDs sind betroffen:
41 ( 0FUNDS_CTR )
48 ( 0PU_MEASURE )
Berechtigungsprüfung abgeschlossen

----------------------------------------------------------------------------------------------------------------------------------------

Regards

Beate

Re: Problem defining two analysis authorizations for one user

Former Member — Wed, 15 Jan 2014 12:01:24 GMT

Hi Beate,

do you found another way to configure your access rights or even better a solution for your issue?

Thanks in advance!

Andreas

Re: Problem defining two analysis authorizations for one user

BeateQ — Wed, 15 Jan 2014 14:46:24 GMT

Hi Andreas,

Unfortunately, I found no solution for this problem...

So I had to tell our financial department, that it's not possible.

Regards

Beate

Re: Problem defining two analysis authorizations for one user

former_member186399 — Wed, 15 Jan 2014 15:22:22 GMT

Dear Beate

May be one crude way of doing it would be to maintain data in 2 seperate cubes. That is for data combination of 0FUNDS_CTR value 10 and 0PU_MEASURE values L1,L2, L3 in one cube &

another for 0FUNDS_CTR value 20 &0PU_MEASURE value L4 .And then report to be made on a multiprovider.

Now have a exit variable for Infoprovider selection which checks for the inputs and directs then to the correct infoprovider.

Regards

Gajesh