cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

BI analysis authorization - Same info provider- diffrent access ?

Go to solution
Former Member

on ‎01-25-2009 7:04 AM

0 Kudos

Hi Gurus,

Designation of roles:

1. User is having two PFCG roles (A1 & B1) assigned.

2. Role A1 contains query name ZQRYA1 & Role B1 contains query name ZQRYB1

3. Role A1 is linked to analysis authrozation role AR1 and Role B1 is linked to analysis auth. role BR1 (thorugh S_RS_AUTH)

4. AR1 is having access to Company code 1000 & info proivder is ZIC_COPA

5. BR1 is having access to Company code 2000 & info provider is same ZIC_COPA.

Requirement :

When user is executing ZQRYA1, he should see only 1000 company code.

Result:

With above design user is able to see 1000 & 2000 company code data for ZQRYA1.

My analysis:

1. We should use Customer exit in the Query. (SAP note referred 668520).

2. As per SAP note 1000004 (Merging and optimizing analysis authorizations), I understand that if same info provider is there then BI analysis auth. will merge the values.

Please correct me if I understand something wrong. Also suggest how can implement role so that values will not merge.

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

Former Member
‎01-25-2009 7:28 PM
0 Kudos

I believe that the easiest (and most flexible) way to have two different authorizations is to build two different MultiProviders on top on ZIC_COPA and then have the two queries build on seperate InfoProviders. The authorizations will not merge as a result of the two different InfoProviders.

I don't think Customer exit variables in the queries is the way forward. This solution could be too difficult to maintain, since changes to query or analysis authorizations in roles requires changes to the customer exit. Secondly, query designers will have to know which customer exit variable to include in the query in stead of just including a SAP authorization variable.

Regards,

Lars

Show replies
Show replies

Answers (2)

Answers (2)

Former Member
‎02-02-2009 5:13 AM
0 Kudos

> 

> 
> Requirement : 
> When user is executing ZQRYA1, he should see only 1000 company code. 
>

Can Query Name be made Authorization-relevant characterstic and then

Role A1 contains authorizations having dimensions as

Query name - ZQRYA1

Company code - 1000

Info Provider - ZIC_COPA

Role B1 contains authorizations having dimensions as

Query name - ZQRYB1

Company code - 2000

Info Provider - ZIC_COPA

Show replies
Show replies
Former Member
‎02-02-2009 5:25 AM
0 Kudos

Hi,

In Query ZQRYA1, we used company code as authorization variable.(Processing by Authorization) but when user is executing ZQRYA1 then system will merge the compnay code values 1000 & 2000 because ZIC_COPA info-provider access is present in both the AA roles.

See my description in 1st question

>>4. AR1 is having access to Company code 1000 & info proivder is ZIC_COPA

>> 5. BR1 is having access to Company code 2000 & info provider is same ZIC_COPA.

Thats reason I am asking if same info-provider access is there in two AA roles for same user, then what to do so that it will not merge the values ?

Edited by: Imran Mulani on Feb 2, 2009 6:25 AM

Edited by: Imran Mulani on Feb 2, 2009 6:28 AM

Edited by: Imran Mulani on Feb 2, 2009 6:28 AM

Former Member
‎02-02-2009 5:45 AM
0 Kudos

From what I think Authorization having three fields can do the trick.

Role A having Authorization with company code as one field or one dimension, Info Provider as second field and a third field which is unique for the queries....something like query name itself as one dimension.

Does it make sense ...I maybe wrong.

Former Member
‎01-25-2009 9:04 PM
0 Kudos

Hi Imran,

Other possible way is to check with the query designer (or functional analysts). Since the company code is being maintained as Authorization variable, the system is picking up the Company codes assigned to AA object for the info-provider available with the user, which is your case is picking up 1000 and 2000.

If the query ZQRYA1 is limited to company code 1000 then change the variable type in the query design.

PS: I have also faced so many issues with the merging authorization and the authorization variables..

Cheers !!

Zaheer

Show replies
Show replies
Former Member
‎01-26-2009 7:02 AM
0 Kudos

Hi Lars/Zaheer,

Thanks for the reply.

1. 1st option by Lars to make multiprovider and diffrent info provider --> Its possible but it makes tough task for BI developers. They have to change thier entire process chain links to new info providers.

2. By Zaheer --> The query ZQRYA1 is being used by other users also for thier own company code access.Thats reason in query designer I made company code as auth. variable ( Processing by Authorization)

Zaheer, as you have faced many such issues, what do you advise to resolve this issue ?

Former Member
‎02-01-2009 5:54 AM
0 Kudos

Hi experts,

I am getting confused now.

As pe rmy practical experience for same info-proivder BI AA will merge the values. Even i got same response in SDN forums.

But when I raised this issue to SAP (OSS message), SAP says this issue should resolve by applying SAP notes through SNOTE..

1138708 Unauthorized data is displayed: "Not assigned" (#)

1158432 Too many values authorized for hierarchy with intervals

1234334 Authorization error for query on InfoSet

1229602 Error when using hierarchies: Authorization error

1226163 Authorization variables in workbook

1000004 Merging and optimizing analysis authorizations

1150754 Authorizations for InfoSet chars. ignored in input help

1235049 F4 help: Unauthorized data for referencing characteristic

I have gone through notes but did not find relevant, but still SAP replied it should resolve the issues.

Please suggest.

Former Member
‎02-01-2009 9:19 AM
0 Kudos

That looks like "note-farming"... it will probably be worth your while to apply a more recent SP pack than SNOTE all of those.

If SAP have done a clean-up in the Analysis Authorization area, then your "bug" might be tucked away in those notes somewhere as well, or there will be more explanatory messages to understand the system behaviour.

Give it a try on a Sandbox (that is what they are for).

Cheers,

Julius

former_member206112
Contributor
‎02-02-2009 8:42 PM
0 Kudos

Dear Imran,

If the user would have two values the authorization will merge.

The problem should be solve on the application, as far as I see there are two options:

1. create a second multiprovider for each query. This is a bit problematic, but, i guess there is some business sense in some cases. Than, the authorization maintenance is simple.

2. Use Bex customer exit variable on company code in each of the queries, which will be query related. (compnent on the exit inteface in CMOD). The problem with that, is that if users use "other" queries, than, the might access more data than they are allowed to.

I guess there's no bug in the system, so there is no need to implement notes.

Tomer.

Former Member
‎02-03-2009 11:00 AM
0 Kudos

Thanks Tomer for the reply.

We have applied all mentioned SAP notes using SNOTE but still the query is showing extra company code data. So it mean as you said "there is no bugs in the system ".

Now we are working on "Customer exit option".

Dear experts,

If anybody is facing similar kind of issues, please reply to this post.

lee-yen_tye
Explorer
‎02-04-2009 5:07 AM
0 Kudos

Hi Imran,

IMHO: Agree with both Lars and Tomer's Option1 suggestions about building your problematic queries on top of separate multiproviders since it is more flexibly viable for your long term authn goals.

Agree also with Tomer that it is not so much a "bug issue" since your requirement is more a new design issue.

Humbly beg to differ with Tomer a little wee bit since I think it is still a good idea to apply all those OSS Notes ....so you are more up to date

If you don't like the multiprovider option, a less elegant and more clunky way which I don't quite advocate, to mitigate risk of CMOD intervention and associated future development forgetfullness, is to create your separate 1000 or 2000 queries with hard-coded Company Code 1000 or 2000 filter values instead of using the variable..

Hope this helps.

Thanks and Regards,

Lee

Former Member
‎01-12-2010 5:43 AM
0 Kudos

Hi,

SAP has apologized for saying to apply OSS notes. It was wrong approch. Only solution is to use customer exit variable Or build new multiprovider.

Thanks

Imran

Edited by: Imran Mulani on Jan 12, 2010 6:44 AM

Ask a Question