
BI 7.0 Analysis authorization- How to control

Former Member
0 Kudos

Hi Experts,

In our project, BI application team has developed BI reports based on transaction codes in ECC.

CEO is having access to company code 1000 1100 1300 2000

VP is having access to company code 1000 1100 1300

Now the requirement is to assign CEO reports to other users like VP, GM etc.

I analysed the VP's access in ECC (for that corresponding tcode) for one of the CEO FICO report.

For that report VP is having access to company codes 1000 & 1100 only. It means in ECC when VP executes the CEO FICO tcode, he is authorised to see data for company codes 1000 & 1100.

In same way when VP user executes BI report, VP should see only company code 1000 & 1100 only.

So I created one separate PFCG role (e.g CEO_forVP with analysis auth values 1000 1100).

I assign this role to VP user.

Now VP is having 1. --> his own VP roles for other reports with access 1000 1100 & 1300.

2. --> CEO_forVP role with access 1000 & 1100.

Now when VP user is executing BI CEO FICO report, he is able to see 1300 company code data also. I think he picks up authorization value from other VP roles also.

In ECC we will be having different auth object for company code, but in BI it will go and check standard auth. object so it will show value for other company codes also.

So how we can restrict the authorizations in BI 7.0 ????

Accepted Solutions (0)

Answers (3)


Former Member
0 Kudos

Thanks

Former Member
0 Kudos

Hi-

Even if the user's UMR has surplus authorization via diff. roles, analysis authorization can control which one to use and which one to drop. That's the beauty with BI 7.0 Analysis Authorization.

You can try the following steps to restrict VP not to see a particular company code-

-Execute RSECADMIN

-Click User Tab

-Click Assignment Tab

-Populate the user name say VP

-Click Change

-Go to Role based tab (It will give list of all Org level assigned authorization in user's UMR)

-Double click the auth. named "company code". (It will give auth. structure listing all characteristics/dimensions)

-Double click the characteristics/dimensions named company code.

-Now here there are two tabs

-x Value Authorizations (Maintain company code per your choice by INCLUDE/EXCLUDE selection)

-Hierarchy Authorizations (A node level hierarchy auth. needs to be created by development team and restrict under this tab which node to display and which one to drop especially when user executes report from a portal front end).

Please let us know the test result, if working per your desired functionality.

Cheers!

Ashok

Former Member
0 Kudos

Dear Ashok,

I have designed roles exactly how you said. But it is showing extra data.

Dear All,

I will give you exact scenario, how it is happening.

========================================================

User: Test_vp

Below 4 PFCG Roles assigned to User

1. VP_1000_report

(linked to rsecadmin role VP_1000 (via S_RS_AUTH) with 0comp_code =1000)

Query names(via R_RS_COMP & S_RS_COMP1) : Z_VP_QRY1, Z_VP_QRY2

2. VP_1100_report

(linked to rsecadmin role VP_1100 (via S_RS_AUTH) with 0comp_code =1100)

Query names (via R_RS_COMP & S_RS_COMP1) : Z_VP_QRY1, Z_VP_QRY2

3. VP_1300_report

(linked to rsecadmin role VP_1300 (via S_RS_AUTH) with 0comp_code =1300)

Query names(via R_RS_COMP & S_RS_COMP1) : Z_VP_QRY1, Z_VP_QRY2



4. CEO_VP_report

(linked to rsecadmin role CEO_VP (via R_RS_AUTH) with 0comp_code = 1000, 1100)

Query Names (via R_RS_COMP & S_RS_COMP1): Z_CEO_QRY

Now when user test_vp executes query Z_CEO_QRY, it is displaying data for 1000, 1100 & 1300.

Please advise..

Edited by: Imran Mulani on Dec 26, 2008 8:13 AM

Former Member
0 Kudos

Hello Imran,

Please check the values for the fields RSINFOAREA InfoArea & RSINFOCUBE InfoCube in the object S_RS_COMP. As your query names are following strict naming conventions the object should restrict the query for the values provided in the fields RSINFOAREA and RSINFOCUBE.

Also, the object S_RS_AUTH with field 0comp_code in all four roles having different values in each roles does not make a difference as the authority-check will possibly cumulate the values and give access to all three company codes. Try to deactivate S_RS_AUTH in role for company code 1300 and then try executing the CEO Query and the VP query for company code 1300.

Regards,

Subbu

Edited by: Subramaniam Iyer on Dec 29, 2008 7:24 AM

Former Member
0 Kudos

Sub,

INFO AREA & INFO CUBE values are different for VP reports & CEO reports.

I have mentioned corresponding values for RSINFOAREA & RSINFOCUBE in S_RS_COMP.

You said

>>Also, the object S_RS_AUTH with field 0comp_code in all four roles having different values in each roles does not make a difference as the authority-check will possibly cumulate the values and give access to all three company codes. Try to deactivate S_RS_AUTH in role for company code 1300 and then try executing the CEO Query and the VP query for company code 1300.

Obviously if I deactivate S_RS_AUTH for company code 1300 then VP will see data only for two company codes for CEO reports. But when VP executes his own VP reports that time he will not be able to see 1300 company code which he is supposed to see.

Are you sure BI analysis authorization "authority-check will possibly cumulate the values & display data for all company codes"

Then how is it possible in BI7.0 security to restrict user by company code values?? Some option will definitely be there to restrict company code values.

Please advise

Edited by: Imran Mulani on Dec 30, 2008 7:25 AM

Edited by: Imran Mulani on Dec 30, 2008 7:26 AM

Former Member
0 Kudos

Hi,

it is showing extra data because the info provider is same inside VP roles & CEO roles.

As per SAP Note 557924 - Filling variables with multi-dimensional authorizations.

We need to use Customer exit in the BI reports.

Former Member
0 Kudos

Hi Imran,

The security setup is working as it is supposed to work. In BI, unlike in BW3.5, the final authorized set is calculated using UNION, i.e. V.P 1000,1100, 1300 Union CEO 1000, 1100 is 1000,1100 and 1300. Hence the data for all the three is shown. If it were BW 3.5 only 1000 and 1100 would have been shown.

Thanks.

Neha.
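The union behaviour described in this reply can be checked against a role design before it is assigned. The following Python sketch is an added example, not part of the original thread and not SAP code: it models only the 0COMP_CODE values of the four roles posted for Test_vp, and the names `Role`, `effective_values`, `intended_values` and `overexposed` are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Role:
    name: str
    queries: frozenset      # query names granted via S_RS_COMP / S_RS_COMP1
    comp_codes: frozenset   # 0COMP_CODE values linked via S_RS_AUTH


# Constructed from the Test_vp scenario posted earlier in the thread.
VP_QUERIES = frozenset({"Z_VP_QRY1", "Z_VP_QRY2"})
TEST_VP_ROLES = [
    Role("VP_1000_report", VP_QUERIES, frozenset({"1000"})),
    Role("VP_1100_report", VP_QUERIES, frozenset({"1100"})),
    Role("VP_1300_report", VP_QUERIES, frozenset({"1300"})),
    Role("CEO_VP_report", frozenset({"Z_CEO_QRY"}), frozenset({"1000", "1100"})),
]


def effective_values(roles):
    """Union of values over ALL assigned roles, as the thread describes
    for BI 7.0: the query being run plays no part in the value check."""
    values = set()
    for role in roles:
        values |= role.comp_codes
    return values


def intended_values(roles, query):
    """Values of only those roles that grant the query, i.e. the
    per-role scoping the role designer expected."""
    values = set()
    for role in roles:
        if query in role.queries:
            values |= role.comp_codes
    return values


def overexposed(roles):
    """Map each query to the values a user can see beyond what the
    roles granting that query were meant to allow."""
    effective = effective_values(roles)
    queries = set().union(*(role.queries for role in roles))
    report = {}
    for query in sorted(queries):
        extra = effective - intended_values(roles, query)
        if extra:
            report[query] = sorted(extra)
    return report


if __name__ == "__main__":
    print(overexposed(TEST_VP_ROLES))
```

Any query listed in the result needs its own restriction, such as the customer exit variable the thread settles on, because the role split alone does not narrow the values.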

Former Member
0 Kudos

Thanks Neha,

So how we can restrict the access in BI7.0. As per my analysis we must use customer exit in the BI query.

Please advise.

Former Member
0 Kudos

closing this thread. Planning to use customer exit in the query. ABAPers are working on it.

Former Member
0 Kudos

Hi Imran,

It is advisable to work with custom authorization objects for BI reporting users as the standard objects would have limited functionality.

Former Member
0 Kudos

Thanks Sub,

May I know usually who will develop the custom. auth. object?

Is it responsibility of security admin/ BI application team/ or BI ABAPer ?

Former Member
0 Kudos

Hi Imran,

The scope of creation of the BI authorization object is with the security admin.

Since there are no reporting objects provided in standard SAP for infoobjects you need to create your own. Tcode RSSM if you have not upgraded to Netweaver 7.0 else you can use Tcode RSECADMIN.

You can find the details on this Link:

http://help.sap.com/saphelp_nw04s/helpdata/EN/55/46eb411a7f6324e10000000a1550b0/frameset.htm

If you are using RSSM the procedure is given below:

- Use Tcode RSA1 admin workbench and drill down to your infoobject, double click and open the Business explorer tab, check if the auth relevant checkbox has been ticked.(This part has to be done with the help of the BW administrator)

- You decide which fields to be put in the authobject from a list of auth relevant infoobjects

- After creating your object add it to your role in PFCG.

- Ask your query designer to add a variable to the query so that the result can be filtered.

- Link the authobject to an infoprovider

Former Member
0 Kudos

Thanks again,

I am using BI7.0 (RSECADMIN). I know how to create RSECADMIN analysis authorization roles.

What I need is ..for ex. User is assigned with multiple roles. When user is executing BI report ..he should go & check only that PFCG role where that BI report name is mentioned (S_RS_COMP & S_RS_COMP1) & through that PFCG role (via s_RS_AUTH) it should check corresponding auth. values.

But now user is going and checking all auth. values those are present in other PFCG role (via S_RS_AUTH). Because of this user is able to see other company code data also.

I hope you understand what I am explaining. Please advise.

Former Member
0 Kudos

Hello Imran,

S_RS_COMP & S_RS_COMP1 together should work for you provided you have followed strict naming conventions for your queries. I am sure the query being executed by the CEO is different to the query being executed by the VP. You want the VP to have authorizations for executing the CEO queries for Cocode 1000 & 1100 but not 1300.

The queries for which VP has access for 1000,1100 & 1300 should have a different naming convention.

Thereby based on the check for the field "name of reporting component" the authorization should get limited to 1000 & 1100 only.

Former Member
0 Kudos

Hi Sub,

The query names are different, but still it is showing value for other company codes.