Community
Application Development and Automation Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Read only

Generated Analysis Authorizations and Deleted Users

former_member646608
Explorer

‎2008 Jul 29 9:44 PM

0 Likes
438

We use generated analysis authorizations. I have found that if an ID that has generated analysis authorizations is deleted and later the same ID is created that the analysis authorization is given to the ID at the time the ID is created.

Since we reuse IDs the new person has received the analysis authorization for a previous employee.

At help.sap.com I found:

If a data record with the user name u2018D_E_L_E_T_Eu2019 is loaded into the ODS object OTCA_DS01, the system firstly deletes the generated authorizations for all users for the authorization object in the BW system. This normally only happens for users for whom data is available in the ODS object. Afterwards, authorizations are generated using the data in the ODS objects in the usual way.

This doesn't appear like it will work in our situation. We used generated authorizations for an initial load and made manual changes after that. We would not want to undo changes that we have subsequently made.

Is anybody aware of a way to keep this from happening, or cleaning up analysis authorizations assignements for deleted users?

Thanks

Steve

2 REPLIES 2
Read only

Former Member

‎2008 Aug 07 8:07 PM

0 Likes
400

Steve,

Can you please elaborate why and what manual changes were made to generated auths after the initial load? I can think of a few scenarios why one would make such changes but would like to understand what prompted your situation and what was changed. Either way, I personally don't recommend manually changing generated auths. There are bound to be changes to source data after initial load. Hence modifying generated auths that are so heavily dependent on this source data is a bad practice.

The way I see it, once you change a generated auth, it ceases to be generated auth and instead should be treated as manual auth. You seem to want the flexibility offered by generated auths and add other controls on top of that by means of altering the authorization. This will work only if there is no further change to data after initial load. The fact that users were deleted (and will be deleted in future) means that loaded data is not static and hence will require corresponding loads to reflect the changes.

If you haven't done so already, you may want to analyze if you can create new set of (manual) authorizations for all the "manual" changes you make to generated auths. You can then either manually assign these new set of auths directly to users or include them in role(s) and follow the usual role assignment to users. This will help you keep generated auths independent of manual changes and will lead to a more flexible design.

Ashutosh

Read only

former_member646608
Explorer

‎2008 Aug 07 10:31 PM

0 Likes
400

Thank you for the response.

When we upgraded we went from a complicated role based security model to personalized analysis authorizations. To set up hundreds of existing users we converted them using automated generations of authorizations. This was basically an initial load. New authorizations are being set up manually. If someone needs a change to their access a new analysis authorization is created and the automatically generated authorization is deleted. The original process has not been run again. If it did it would recreate the authorizations that have been deleted.