on 03-30-2009 2:56 PM
Hi ,
I am testing the BI analysis authorization concept. I would like to restrict the sales organization characteristic.
The transaction I am using for testing the auth is /SAPAPO/SDP94 (Supply & Demand Planner: Init.Screen)
when I use a sales organization with " * ", everything works fine when I use a list of values containing all possible values I get the message
You do not have authorization for all the characteristic values selected
Checking the SU53 I see a authorization check failed in
S_RS_AUTH => 0BI_ALL
some idea why it is different * to put i the whole list of possible values? how to debuf¡g this problem?
Thanks
FedeX
Even when you enter * in your selection, it must be allowing to use only those Sorg which are entered in the authorisation object....is it?
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi,
Problem solved..every time you change the BI analysis auth you need to log out the system in order changes take correct efect..
FedeX
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Zoltan
Thanks.
I run the report to be sure .. but the problem stills...
you are right... I mentioned..that when I get the error and run SU53...the log shows a problem with 0BI_ALL... but I can not assign 0BI_ALL otherwise all user can see all Sales Org using /SAPAPO/SDP94 and that is exactly what I would like to control...
chrees
FedeX
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi,
I was able to trace the problem...an now I do not understand why I get as Result : "Not Authorized"
here the last part of that trace log:
Value selection partially authorized. Check of remainder at end
Following Set Is Checked
Contents
SQL Format:
NOT /BIC/YWSO_S
ORG IN ('#','0605','0624','0625','0707','0807','2000','2001','707','807',':')
AND TCAACTVT = '03'
Comparison with Following Authorized Set
Characteristic Contents
0TCAACTVT I CP *
I EQ #
I EQ 0605
I EQ 0624
I EQ 0625
I EQ 0707
I EQ 0807
I EQ 2000
I EQ 2001
I EQ 707
I EQ 807
I EQ :
Result
Not Authorized
All Authorizations Tested
Message EYE007: You do not have sufficient authorization
No Sufficient Authorization for This Subselection (SUBNR)
Following CHANMIDs Are Affected:
103 ( <charac name> )
Remaining Set
<no info in this column>
I really not identify any difference between the data in Following Set Is Checked and Comparison with Following Authorized Set
well if someone has some idea... I will appreciate it.
Thanks
FedeX
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi,
As Info..
I am not using 0BI_ALL because it gives authorization to all values in the characteristic, instead of that I have created my own BI analysis authorization where I list the values that the user is allow to see.
Thanks
FedeX
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi,
Whenever the 0BI_ALL is not complete (= does not include all authorization relevant InfoObjects) a SAP_ALL-User receives a "no authorization" message for some queries that include authorization relevant characteristics.
Execute report RSEC_GENERATE_BI_ALL. This report assures that all InfoObjects in BI which are authorization relevant, plus the meta InfoObjects = 0TCAIPROV, 0TCAACTVT, 0TCAVALID receive *-authorization in authorization 0BI_ALL.This authorization, which should never be changed manually, includes all characteristics that are authorization relevant.
Maybe this helps.
Kind regards,
Zoltan.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi,
I found an interesting Thread regarding a similar situation
1) Testing /SAPAPO/SDP94 with RSECADMIN -> analysis -> execute as
I was trying to do as it is described in the thread using TAs MDXTEST and then /SAPAPO/SDP94 .. but I get only traced the MDXTEST execution in the log file..
somebody knows the exactly steps in order I can get the trace for /SAPAPO/SDP94 using this tricky alternative? or it is not possible at all?
As information the MDXTEST query is working as expected... show a warning message indicating the user is not allow to see everything and listing in the end only the product he is authorized..
2) using " : "
I added " : " as a new value in the BI Analysis Authorization but have not change in the behavior... I mean by selecting objects in the /SAPAPO/SDP94 ... I still get....
You do not have authorization for all the characteristic values selected
and as result no product shown in the output list
I will appreciate any idea or how to trace /SAPAPO/SDP94 and possible solutions.. or note...
Thanks
FedeX
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi,
I have a test user with some roles
one role contains only the S_RS_AUTH with only the BI analysis authorization in questions.. no 0BI_ALL is there..
there are other roles grantting auth to InfoArea, InfoCube etc...
what I am testng is changing the values in the BI analysis authorization ...and running the transaction /SAPAPO/SDP94 .
As told before cube contains only 2 records with SalesOrg 2000 and 2001....if BI analysis authorization contains *, # , 2000 and 2001 then /SAPAPO/SDP94 do not brings the error message.... but if I remove * ... then the error messages appears..... I wonder because #, 2000 and 2001 are the 3 possible values for this characteristic....
for me * or the list of the 3 possible values is the same...or not?
as info # = blank..
some idea?
Thanks
FedeX
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi,
I am trying to let * and exclude some values in order to have in the end only the values I would like to control...
in this case by defining the Analysis authorization..I am able only to select "Include" option even both (Include and exclude ) are present in the list... I am doing something wrong ....again???
Thanks,
FedeX
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi,
Looks like there is some problem in the authorization role setup.
Can you go to PFCG, enter your authorization role, lookup authorization objects ( in authorizations tab)
Check the object
Business Information Warehouse (RS )
What is your setup here?
Did you give BI ALL there and what are the activities (03, 23, 06 etc.) that you are trying to assign in that?
If you are trying to restrict the keyfigure 0sales org by a particular value, then you should specify it there and do not include * along with it.
By best bet is if you play with those assignments, you can get this thing working.
Good luck.
Hi ,
here some more info about my test.
in the cube I have 2 records
SalesOrg : 2000 and 2001
if I use * for Sales Organization in the Analysis Auth then I can select characteristics in DP transaction withou problem (Interactive DP - Planning Book -> Selection Window -> Object Selection)
.
if I use a list of values containing 2000 and 2001 then I get the mentioned error message when I try to select characteristics in the DP transaction (Interactive DP - Planning Book -> Selection Window -> Object Selection)
if I use a list of values containing only one value ..for example 2000 then I get also the same problem .
Thanks
FedeX
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
User | Count |
---|---|
9 | |
4 | |
3 | |
2 | |
2 | |
1 | |
1 | |
1 | |
1 | |
1 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.