Scenario :-
We had a design studio dashboard report deployed on the business objects server. The design studio dashboard was using a business explorer query as the data source, which was fabricated by using a cube as the info provider.
The user's ID's were restricted to only this particular report by the security team.
Problem Faced :-
Whenever the report was executed with the power user everything was working properly. But when the report was executed with the restricted user various error was thrown as follows :-
"Cannot load query.." and "Could not instantiate the data source..".
Actions taken for resolution :-
Searched the the error on sap community site and found various helpful answers.
https://archive.sap.com/discussions/thread/3854041
https://archive.sap.com/discussions/thread/3855168
Tried the above solutions but the didnt help me solve the issue. Also got the reviewed OLAP connection scrupulously but everything seemed right.
Also tried executing the query of report in RSRT T-Code of BI to rule out any possibilities of Security issue and the query executed properly in BI system.
Later, reviewed the authorization objects assigned to the user ID and also found nothing dubious but still we asked the security consultant to go over the roles again as it was clear after scrutinizing the dashboard, the OLAP connection and the BEx query that it had to be security issue.
Solution :-
When the security consultant reviewed the roles and it was later discovered that some authorization object was not assigned to the ID hence it was restricting the ID from accessing the data from BI system.
Following are the authorization objects that were assigned earlier when the issue was faced :-
So the major missing authorization object was the one that allowed for RFC that is
S_RFC .
Conclusion :-
So, it can be said that due to improperly configuration of role the issue had persisted. Hence, due to no authorization RFC the ID couldn't get the data from the BI system and display it the dashboard report running on BO server.
Hence assigning necessary authorization objects solved the issue.