Solved: Authorization Issue in BW

former_member672609 · ‎2008 Aug 19

Hi Gurus,

Custom Reporting Auth obj was defined based on 'Company Code' and it was linked to some info cubes but in that infocubes list i cant see the infocubes which are of type virtual providers for example:0BCS_VC10

The problem is when a query is run on these infocubes(0BCS_VC10)

which are not included in the above reporting auth obj,there is no auth check performed so the user can run all values.

Can any one let me know how to include those type of infocubes into Reporting auth obj.

This is for BW testing purpose as iam converting these authorizations into BI.

Thanks

Padmaja.

Former Member · ‎2008 Aug 19

Hi again Padmaja,

For infocube, 0BCS_VC10, are there any auth relevant characteristics in that.

If you want to restrict it on some characteristics, make the characteristic auth relevant from RSA1 and then add them in AA object from RSECADMIN the way i told you in your recent post.

PS : Satish Arram :- SU53 is not that much helpful for AA traces, RSECADMIN logs and ST01 auth check traces are more helpful

Regards,

Zaheer

Former Member · ‎2008 Aug 19

Hello Padmaja,

When you run a query on the infocubes which you mentioned, do you see error says *You are not authorized to access" message in the screen? If so, I suggest you to go to the TCode su53 to find the missing authorization object. Then go to SUIM TCode. Using the above missing object from SU53, you can find out what are the available roles for that missing object. There fore, you can create a customized role and assign that missing object to that role.

Hope it helps.

Regards,

Satish.

former_member672609 · ‎2008 Aug 19

Hi Satish,

Thanks for the reply.

The user has to get auth error on that infocube if he try to run on any company code other than 1100 but as the Reporting auth obj is not linked to that particular infocube its allowing the user to run on any company code.

So to link that particular infocube to the rep auth obj its not seen in the infocubes list while linking the rep auth obj.

i checked that particular infocube in rsa1 it shows that its an 'virtual Provider' so iam wondering whether the infocubes

of type 'virtual provider' doesn't show up in the list.

Can you please provide any inputs ?

Thanks

Padmaja.

Former Member · ‎2008 Aug 19

Hi again Padmaja,

For infocube, 0BCS_VC10, are there any auth relevant characteristics in that.

If you want to restrict it on some characteristics, make the characteristic auth relevant from RSA1 and then add them in AA object from RSECADMIN the way i told you in your recent post.

PS : Satish Arram :- SU53 is not that much helpful for AA traces, RSECADMIN logs and ST01 auth check traces are more helpful

Regards,

Zaheer

former_member672609 · ‎2008 Aug 19

Hi Zaheer,

Thanks for the reply.

Yeah i understand what you said as per in BI

but in BW we make particular charecteristic as auth relevant and build an Reporting auth obj based on that charecteristic and then we link to particular infocubes right.

In this case if the infocube is of type virtual provider cant that be seen in RSSM while linking the Rep auth obj to an infocube.

Hope you have understood my exact issue.

Thanks

Padmaja.

Former Member · ‎2008 Aug 19

Is the 0BCS_VC10 active ? (Check from RSDCUBEM)

Are there any auth relevant characteristic in that infocube ?

And, If you know which characteristics of the infocube are auth relevant in this infocube you can add them manually via RSECADMIN. However, since users are able run without restriction seems like it doesn't have any.

Regards,

Zaheer

former_member672609 · ‎2008 Aug 19

Yes Zaheer that infocube is active.

Also i have another issue in this,there is another infocube by name ZIC_CCPLN which has 'company code' char in it which is auth relevent.and this infocube is linked to the Reporting auth obj as well.

The user who should have access to only 1100 company code is able to execute the report on this infocube ZIC_CCPLN even with the other company codes also with out any auth error.

How could that be possible?

How to track like what authorizations are getting checked while the user is executing the report.

can i do with ST01 by checking the box for the 'Authorization check' and then on the trace then ask the user to execute the report again.

will that work?

Please let me know

Thanks

Padmaja.

Former Member · ‎2008 Aug 19

Try RSECADMIN trace, ST01 wouldn't help in this case.

Also, are all the Characteristics being referred are same ? Company code may be 0COMP_CODE or 0COMPANY.

Is the company code characteristic is restricted in AA Object ?

Regards,

Zaheer

former_member672609 · ‎2008 Aug 19

Hi Zaheer/Satish,

Any inputs on how to track in BW on a user who should have access to company code 1100 only but he is able to access all company codes.

I have checked his roles also only one role has the rep auth obj with company code value '1100'

so how to trace what auth value is getting checked at run time?

Thanks

Padmaja.

Former Member · ‎2008 Aug 20

Hello Padmaja gaaru,

It is very difficult to find out the authrizations used by a user at runtime. Do you have the access to SU53, PFCG, SU01 and SUIM TCodes? If so, as you have found authorization which has the access to the company code 1100, try remove that particular authorization object for the user using PFCG TCode. Then perform the Text comparision under Roles tab in SU01 for that user. Then access that user. It gives missing authorization error. Then use SU53 TCode to find the missing authorization object. This way you can find the Authorization objects used at runtime.

Hope it helps.

Regards,

Satish.

Former Member · ‎2008 Aug 20

Hi Padmaja,

You want to show report to user with company code access 1100.

Then check below things

1. in your RSECADMIN role, maintain 0company and 0comp_code value =1100

2. Open your query (using query designer) and check whether the authorization variable for Company code is maintained. This authorization variable should be

a. processing by authorization b. in details tab, uncheck Variable is ready for input checkbox.

(3. In RSA1, check its authorization relevant, as you said its already auth. relevant.)

former_member672609 · ‎2008 Aug 20

Satish/Imran,

Thanks for the reply.

Yeah it got solved because the query which i ran on that infocube have the company hierarchy variable and not company code which is auth relevant so i have selected another query and infocube which has 'company code' char.

Another issue in this is i have defined AA on 'COMPCODE' with the value auth as '1100' and listed the infocubes names in the '0TCAIPROV'.and some infocubes has charecteristics which are auth relevant so i have included all those charecteristics in the AA with the value " : " (Aggregated authorization)

But while testing this AA on one infocube,iam getting Auth error in this fashon:

Following Set is checked:

Characteristic Contents

0COSTCENTER Node 3 1 98 4 D

SQL Format:

0CO_AREA CO_AREA = 'CEPH'

0TCAACTVT AND TCAACTVT = '03'

Comparison with Following Authorized Set:

Characteristic Contents Result

0COSTCENTER I EQ : Not Authorized

0CO_AREA I EQ CEPH

0TCAACTVT I EQ 03

Can you please say what iam missing in this authorization.

Regards

Padmaja.

Former Member · ‎2008 Aug 20

Hello Padmaja,

Can you send me the error log, which shows the failures?

If I'm not wrong, you need to insert the Authorization object S_RSEC.

This is done through one of the menu item ( I guess it is Tools) Tools->Insert Authorization Object -> Select S_RSEC.

Also, check this notes on relevance.

919829 - Compound characteristics using hierarchy node authorizations (- SP 07)

966754 - Hierarchy nodes not authorized if one leaf and compounded (- SP 10)

1030080 - "No authorization" for hierarchy authorization (- SP 13)

1047978 - Hierarchy auth. and intervals: "No authorization" (SP 14)

Hope this helps...

Regards,

Satish

former_member672609 · ‎2008 Aug 20

HI Satish,

Thanks for the reply.

I think S_RSEC is needed if we add the Analysis authorization to the user using RSECADMIN.

If we add the AA to the user through the role then we need S_RS_AUTH.

i will go through the note's you have mentioned,they may be help ful for me.

Thanks

Padmaja.

former_member646608 · ‎2008 Aug 29

We have recently upgraded to a new support pack. After that we got an error similar to yours:

Following Set is checked:

Characteristic Contents

0COSTCENTER Node 3 1 98 4 D

SQL Format:

0CO_AREA CO_AREA = 'CEPH'

0TCAACTVT AND TCAACTVT = '03'

Comparison with Following Authorized Set:

Characteristic Contents Result

0COSTCENTER I EQ : Not Authorized

0CO_AREA I EQ CEPH

0TCAACTVT I EQ 03

This occured on queries that did not have Costcenter in the query. And this worked prior to our upgrade. What I had to do was add " : " in the analysis authorization that had the hierarchy authorization. The " : " is on the Values Authoriations tab and the hierarchy is on the Hierarchy Authorizations tab.

See if that helps.

Former Member · ‎2008 Aug 19

Hello Padmaja,

You can try creating an authorization using restriction for 0TCAACTVT, 0TCAIPROV, 0TCAVALID ....and 0comp_code as infoobject...

If required perform any additional configuration. It should work.

Please go through the following document.

How to.. Reporting from External Data via VirtualInfoProviders

https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/39baaa90-0201-0010-499e-f9971180...

Hope it helps

Regards,

Satish.

former_member672609 · ‎2008 Aug 19

Hi Zaheer/Satish,

All i said above is with respect to BW environment.

I guess in BI if an charecteristic is given as "auth relevant" then it becomes global to all the infocubes.

currently iam testing all the defined reporting auth objects in BW. i.e old type authorization concept

Thanks

Padmaja

By Category

Related Content

Activity Groups

Industry Groups

Influence and Feedback Groups

Interest Groups

Location Groups

Customer Only Groups

Forums

Related Resources

Products

Learning and Support

About

My Account

My Account

Authorization Issue in BW