Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Query authorizations

Go to solution
Former Member

‎12-31-2008 7:50 PM

0 Kudos

Hi Experts/Fellow SDNers,

I am currently restricting a BW system and have a few questions/would like some confirmation on a few points to make sure I am understanding things correctly. My understanding of BW is limited so kindly bare with me:

1. Basically, it would appear that query access is restricted by the object S_RS_COMP. In S_RS_COMP, the field RSZCOMPID (Name) allows me to restrict access to queries by name (i.e. Z* will provide access to all queries with name starting with 'Z'). One thing that is confusing me is the 2 additional fields: RSINFOAREA (InfoArea) and RSINFOCUBE (InfoCube). My colleague advised, a BW query basically pulls information from an InfoProvider (such as an InfoCube/ODS Object). So, does this mean that even if I allow access to a query by name through RSZCOMPID, if the InfoCube it requires is not included in the RSINFOCUBE field, then the query will fail?

2. I need help in understanding the differences between S_RS_COMP and S_RS_COMP1. From what I can see, they are very similar. Documentation I have read advises that S_RS_COMP1 allows users to administer certain queries but besides the RSZOWNER (Owner - Person Responsible) field, I don't see what else it offers over S_RS_COMP. If I don't need to restrict by Owner, then I have no need for S_RS_COMP1? Would it make sense for the fields in S_RS_COMP and S_RS_COMP1 to always match (i.e. same values in ACTV, RSZCOMPID, and RSZCOMPTP)?

3. Before, it was my (mistaken) understanding that a query that is published to a role (i.e. exists in a role's role menu) automatically granted the user who was assigned to this role access to that query. I performed a quick test and this seemed not to be the case. I gave the user roles that granted access to queries Z*, but non of the roles had any queries published. I logged in through BEx and sure enough, I could manually type/find the query name and execute the query even though it was not under the Roles list. Therefore, other than making the name of the query appear when you click on the Roles button in BEx, are there any other uses to publishing a query to a certain role?

As always, any help is greatly appreciated!

1 ACCEPTED SOLUTION

Go to solution
Former Member

‎12-31-2008 8:06 PM

0 Kudos

Are you on BI or old BW, because in BI you also have Analysis Authorization objects which also play a vital role in deciding what can be accesses and what can't be

> 

> 
> 1.  Basically, it would appear that query access is restricted by the object S_RS_COMP.  In S_RS_COMP, the field RSZCOMPID (Name) allows me to restrict access to queries by name (i.e. Z* will provide access to all queries with name starting with 'Z').  One thing that is confusing me is the 2 additional fields:  RSINFOAREA (InfoArea) and RSINFOCUBE (InfoCube).  My colleague advised, a BW query basically pulls information from an InfoProvider (such as an InfoCube/ODS Object).  So, does this mean that even if I allow access to a query by name through RSZCOMPID, if the InfoCube it requires is not included in the RSINFOCUBE field, then the query will fail?
>

Yes, you are right with that. You need to have access to data ( infoproviders) even though you have the queries access. Just like if you have access in SAP to do things and don't have access to the computer itself 

>
> 2.  I need help in understanding the differences between S_RS_COMP and S_RS_COMP1.  From what I can see, they are very similar.  Documentation I have read advises that S_RS_COMP1 allows users to administer certain queries but besides the RSZOWNER (Owner - Person Responsible) field, I don't see what else it offers over S_RS_COMP.  If I don't need to restrict by Owner, then I have no need for S_RS_COMP1?  Would it make sense for the fields in S_RS_COMP and S_RS_COMP1 to always match (i.e. same values in ACTV, RSZCOMPID, and RSZCOMPTP)?
>

If you are not going to restrict by owner then it makes sense to exclude this Authorization Object in the roles.

 
> 3.  Before, it was my (mistaken) understanding that a query that is published to a role (i.e. exists in a role's role menu) automatically granted the user who was assigned to this role access to that query.  I performed a quick test and this seemed not to be the case.  I gave the user roles that granted access to queries Z*, but non of the roles had any queries published.  I logged in through BEx and sure enough, I could manually type/find the query name and execute the query even though it was not under the Roles list.  Therefore, other than making the name of the query appear when you click on the Roles button in BEx, are there any other uses to publishing a query to a certain role?
>

You need to save queries on the role, then only they will appear to the user. You can use BEx Query designer to create and save queries on the role. They will appear in the role menu in PFCG also.

We have created a separate reporting role which only has the link to queries.

HAPPY NEW YEAR

Cheers !!

Zaheer

3 REPLIES 3

Go to solution
Former Member

‎12-31-2008 8:06 PM

0 Kudos

Are you on BI or old BW, because in BI you also have Analysis Authorization objects which also play a vital role in deciding what can be accesses and what can't be

> 

> 
> 1.  Basically, it would appear that query access is restricted by the object S_RS_COMP.  In S_RS_COMP, the field RSZCOMPID (Name) allows me to restrict access to queries by name (i.e. Z* will provide access to all queries with name starting with 'Z').  One thing that is confusing me is the 2 additional fields:  RSINFOAREA (InfoArea) and RSINFOCUBE (InfoCube).  My colleague advised, a BW query basically pulls information from an InfoProvider (such as an InfoCube/ODS Object).  So, does this mean that even if I allow access to a query by name through RSZCOMPID, if the InfoCube it requires is not included in the RSINFOCUBE field, then the query will fail?
>

Yes, you are right with that. You need to have access to data ( infoproviders) even though you have the queries access. Just like if you have access in SAP to do things and don't have access to the computer itself 

>
> 2.  I need help in understanding the differences between S_RS_COMP and S_RS_COMP1.  From what I can see, they are very similar.  Documentation I have read advises that S_RS_COMP1 allows users to administer certain queries but besides the RSZOWNER (Owner - Person Responsible) field, I don't see what else it offers over S_RS_COMP.  If I don't need to restrict by Owner, then I have no need for S_RS_COMP1?  Would it make sense for the fields in S_RS_COMP and S_RS_COMP1 to always match (i.e. same values in ACTV, RSZCOMPID, and RSZCOMPTP)?
>

If you are not going to restrict by owner then it makes sense to exclude this Authorization Object in the roles.

 
> 3.  Before, it was my (mistaken) understanding that a query that is published to a role (i.e. exists in a role's role menu) automatically granted the user who was assigned to this role access to that query.  I performed a quick test and this seemed not to be the case.  I gave the user roles that granted access to queries Z*, but non of the roles had any queries published.  I logged in through BEx and sure enough, I could manually type/find the query name and execute the query even though it was not under the Roles list.  Therefore, other than making the name of the query appear when you click on the Roles button in BEx, are there any other uses to publishing a query to a certain role?
>

You need to save queries on the role, then only they will appear to the user. You can use BEx Query designer to create and save queries on the role. They will appear in the role menu in PFCG also.

We have created a separate reporting role which only has the link to queries.

HAPPY NEW YEAR

Cheers !!

Zaheer

Go to solution
Former Member

‎12-31-2008 8:14 PM

0 Kudos

Hi Zaheer,

Thank you very much for your quick and direct response. This has answered all of my questions. As an aside to your original question, we were on BW 3.x and did upgrade to BI 7. Currently, we have not migrated the existing roles to the new concept and am using 0BI_ALL until the decision is made to use the new analysis authorization model.

Happy New Year too (you see, thinking about SAP during New year...)!!

Go to solution
Former Member
In response to Former Member

‎12-31-2008 8:40 PM

0 Kudos

Welcome

Cheers !!

Zaheer