
Authorization on Attribute and Nav. Attribute

or_ish-shalom2
Explorer


Hi all,

I am performing a change on the authorization concept, from Authorization 3.5 (RSSM) to Authorization 7 (RSECADMIN).

Our system is BW 7.01 SP 14.

We are using structural authorization for HR reports on 0ORGUNIT.

Some of our reports are using 0ORGUNIT and some are using 0EMPLOYEE__0ORGUNIT.

In the old auth concept there was no problem, but in the new concept all reports with 0EMPLOYEE__0ORGUNIT are not working due to authorization issues.

When I mark 0EMPLOYEE__0ORGUNIT as auth. relevant all reports are not working.

All the queries use the same auth. variable which is on 0ORGUNIT.

How can I make it work on both objects?

Why does it look at the nav. attribute differently?

Thanks & BR,

Or.

Loed
Active Contributor

Hi Ish-Shalom,

Did you include 0ORGUNIT and 0EMPLOYEE__0ORGUNIT in RSECADMIN? You must enter the same values for each group having the same authorization.

For example:

If GROUP A must be authorized to 0ORGUNIT = 10,

then in RSECADMIN, enter 10 for 0ORGUNIT and 0EMPLOYEE__0ORGUNIT.

Hence,

0ORGUNIT = 10

0EMPLOYEE__0ORGUNIT = 10

Did I answer your query?

NOTE:

Authorization relevant must be ticked for both objects.

Regards,

Loed

or_ish-shalom2
Explorer

Hi Loed,

Thanks for the answer.

As you said, I ticked both objects as Auth. relevant.

We are working with structural authorizations, meaning there is a hierarchy authorization on each object in RSECADMIN.

We have one report that uses 0ORGUNIT with the authorization variable and another report that uses 0EMPLOYEE__0ORGUNIT with the authorization variable.

Now both reports don't work because they have missing auth. on both.

Meaning:

When you run report 1 (uses 0ORGUNIT) it says it is missing auth. on object 2 (0EMPLOYEE__0ORGUNIT).

And when you run report 2 (uses 0EMPLOYEE__0ORGUNIT) it says it is missing auth. on object 1 (0ORGUNIT).

BR,

Or.

Loed
Active Contributor

Hi Ish,

Are the two (2) auth objects assigned to the group of the user that you are using to access the report?

Can you post a screenshot of your RSECADMIN config for this?

Did you get the error messages above using RSRT?

Regards,

Loed

or_ish-shalom2
Explorer

Hi,

I have attached an image for RSECADMIN and the queries.

Both objects use the same authorization variable and both queries are on the same InfoCube.

BR,

Or.

Loed
Active Contributor

Hi Ish,

Can you post the error if you run the query using tcode RSRT? Using it, we will find out which authorization is lacking in query #2.

Thank you!

Loed

or_ish-shalom2
Explorer

Hi,

These are 2 logs on the report with 0EMPLOYEE__0ORGUNIT:

Authorization Check Log

For a general description, see the Note 1234567

Date and Execution Time (Local Server)
Execution Date: 04.09.2014
Execution Time: 11:44:06
Executed Query: ZCUBE/ZQUERY
Transaction RSRT ( BW - output test )
Executed by User 
Executed with Analysis Authorizations of Another User 


Software Component Release Level Support Package
SAP_BASIS 701 0014 SAPKB70114
SAP_ABA 701 0014 SAPKA70114
SAP_BW 701 0014 SAPKW70114


  InfoProvider Check  

Building the Buffer...
...Buffer Built
Are there authorizations for accessing InfoProvider ZCUBE with activity 03?
Authorization exists for general access to InfoProvider ZCUBE with activity 03



  Relevant Characteristics for Detailed Authorization Check  
(Characteristics with Full Authorization Are Not Listed!)
  List of Effective Authorization-Relevant Characteristics for InfoProvider ZCUBE:  


Characteristic
0EMPLOYEE__0ORGUNIT
0ORGUNIT
0USERNAME
0TCAACTVT



  Authorization Check  
  Detail Check for InfoProvider ZCUBE 

  Preprocessing:  
Selection Checked for Consistency, Preprocessed and Supplemented As Needed
Subselection (Technical SUBNR) 1
Check Node Definitions and Value Authorizations...
Node- and Value Authorizations Are OK
End of Preprocessing

Filling the Buffer...
...Buffer Filled
  Main Check:  


  Subselection (Technical SUBNR) 1  
Supplementation of Selection for Aggregated Characteristics
  Check Added for Aggregation Authorization:     0ORGUNIT  
  Check Added for Aggregation Authorization:     0USERNAME  

  Authorizations missing for aggregation (":")  


Char. Z_ORGUNT_001
0ORGUNIT   Node  
0USERNAME   I EQ :  

Entries marked with red do not have aggregation authorization
You can find more information about checking aggregation authorization in Note: 1140831

  The authorization check stops here as this selection is no longer needed  

  Message EYE007: You do not have sufficient authorization  
  No Sufficient Authorization for This Subselection (SUBNR)  
Following CHANMIDs Are Affected:
158 ( 0EMPLOYEE__0ORGUNIT )
  Authorization Check Complete  

After adding colon authorization in addition to the hierarchy authorization…

Authorization Check Log

For a general description, see the Note 1234567

Date and Execution Time (Local Server)
Execution Date: 04.09.2014
Execution Time: 11:45:50
Executed Query: ZCUBE/ZQUERY
Transaction RSRT ( BW - output test )
Executed by User 
Executed with Analysis Authorizations of Another User 


Software Component Release Level Support Package
SAP_BASIS 701 0014 SAPKB70114
SAP_ABA 701 0014 SAPKA70114
SAP_BW 701 0014 SAPKW70114


  InfoProvider Check  

Building the Buffer...
...Buffer Built
Are there authorizations for accessing InfoProvider ZCUBE with activity 03?
Authorization exists for general access to InfoProvider ZCUBE with activity 03



  Relevant Characteristics for Detailed Authorization Check  
(Characteristics with Full Authorization Are Not Listed!)
  List of Effective Authorization-Relevant Characteristics for InfoProvider ZCUBE:  


Characteristic
0EMPLOYEE__0ORGUNIT
0ORGUNIT
0USERNAME
0TCAACTVT


 


  Authorization Check  
  Detail Check for InfoProvider ZCUBE  

  Preprocessing:  
Selection Checked for Consistency, Preprocessed and Supplemented As Needed
Subselection (Technical SUBNR) 1
Check Node Definitions and Value Authorizations...
Node- and Value Authorizations Are OK
End of Preprocessing

Filling the Buffer...
...Buffer Filled
  Main Check:  


  Subselection (Technical SUBNR) 1  
Supplementation of Selection for Aggregated Characteristics
  Check Added for Aggregation Authorization:     0ORGUNIT  
  Check Added for Aggregation Authorization:     0USERNAME  

List of authorizations that provide authorization for selection on ":" (aggregation):


Char. Z_ORGUNT_001
0ORGUNIT   I EQ :  
0USERNAME   I EQ :  

You can find more information about checking aggregation authorization in Note: 1140831

In the following part of the check, the remaining characteristics will be checked

Explanation of the Authorization Check Logic: 1233793


Following Set Is Checked Comparison with Following Authorized Set Result Remaining Set
Characteristic Content in SQL Format
0TCAACTVT
0EMPLOYEE__0ORGUNIT

0TCAACTVT = '03'
AND 0EMPLOYEE__0ORGUNIT LIKE *


Characteristic Content in SQL Format
0EMPLOYEE__0ORGUNIT Node A0001 ,
I EQ :
0TCAACTVT I EQ 03


Not Authorized

All Authorizations Tested
  Message EYE007: You do not have sufficient authorization  

  No Sufficient Authorization for This Subselection (SUBNR)  
Following CHANMIDs Are Affected:
158 ( 0EMPLOYEE__0ORGUNIT )
  Authorization Check Complete  

  Objects Used  

Hierarchy Node Definitions:Used in the Authorization: Node Char. Hierarchy Version Key Date Node InfoObject Node Name Type Level Validity Period Structure Date
Node A0001 0EMPLOYEE__0ORGUNIT ORGEH 000 99991231 0HIER_NODE ROOT 2 00 0 20140901

Legend:

Type 0: Selected Nodes Only
Type 1: Subtree under Node
Type 2: Subtree under node up to and including level (absolute)
Type 3: Complete Hierarchy
Type 4: Subtree under node up to and including level (relative)

Validity Area 0: Name, Version Identical, Key Date Smaller or Equal
Validity Area 1: Name and Version Identical
Validity Area 2: Name Identical
Validity Area 3: All Hierarchies
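
A small parser for check logs like the two posted above, added here as an illustration and not part of the thread or of any SAP tool: it extracts the authorization-relevant characteristics, the added aggregation checks, the `LIKE *` selections and the affected CHANMIDs, so a characteristic that was both selected with `*` and denied stands out. The helper name `summarize_auth_log` and the abridged sample are constructed; the line formats are the ones quoted in the second log.

```python
import re

# Constructed sample: abridged from the lines quoted in the second log above.
SAMPLE_LOG = """\
Executed Query: ZCUBE/ZQUERY
Characteristic
0EMPLOYEE__0ORGUNIT
0ORGUNIT
0USERNAME
0TCAACTVT

  Check Added for Aggregation Authorization:     0ORGUNIT
  Check Added for Aggregation Authorization:     0USERNAME
0TCAACTVT = '03'
AND 0EMPLOYEE__0ORGUNIT LIKE *
  Message EYE007: You do not have sufficient authorization
Following CHANMIDs Are Affected:
158 ( 0EMPLOYEE__0ORGUNIT )
  Authorization Check Complete
"""

def summarize_auth_log(text):
    """Hypothetical helper: extract the decision-relevant fields from a check log."""
    out = {"query": None, "relevant": [], "aggregation_checks": [],
           "wildcard": [], "messages": [], "affected": []}
    section = None  # which multi-line list we are currently inside
    for raw in text.splitlines():
        ln = raw.strip()
        if ln == "Characteristic":
            section = "relevant"
        elif ln.startswith("Following CHANMIDs Are Affected"):
            section = "affected"
        elif section == "relevant" and re.fullmatch(r"[0-9A-Z_]+", ln):
            out["relevant"].append(ln)
        elif section == "affected" and (m := re.fullmatch(r"(\d+) \( (\S+) \)", ln)):
            out["affected"].append((int(m.group(1)), m.group(2)))
        else:
            section = None  # a blank or unrelated line closes the current list
            if m := re.match(r"Executed Query:\s*(\S+)", ln):
                out["query"] = m.group(1)
            elif m := re.match(r"Check Added for Aggregation Authorization:\s*(\S+)", ln):
                out["aggregation_checks"].append(m.group(1))
            elif m := re.match(r"(?:AND\s+)?(\S+) LIKE \*$", ln):
                out["wildcard"].append(m.group(1))
            elif m := re.match(r"Message (\w+):", ln):
                out["messages"].append(m.group(1))
    denied = {name for _, name in out["affected"]}
    out["denied_on_wildcard"] = sorted(denied & set(out["wildcard"]))  # '*' selected and denied
    return out
```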