Analysis Power user role

Former Member · ‎05-28-2010

Hi

I have created power user role with following objects, could any body suggest do we need any other objects for power user role

Tcodes- LISTCUBE, LISTSCHEMA, SU01D, SQVI , ST22 , RSIMG, RRMX , Objects S_RFC *, S_TCODE, S_USER_AGR -Act 2,3 ,8; S_USER_AUT 03 ,08,; S_USER_GRP, S_USER_PRO; S_DEVELOP; S_QUERY ; S_TRANSPRT, S_ADDRESS1,

S_RS_AUTH; S_RS_BITM; S_RS_BTMP ;

S_RS_COMP 01, 02, 03, 16, 22 ACTVT

RSINFOAREA

Ztest RSINFOCUBE

Ztest1 RSZCOMPID

RSZCOMPTP

S_RS_COMP1 ctivity 02, 03, 16, 22 ACTVT

Ztest1 RSZCOMPID

RSZCOMPTP

RSZOWNER

S_RS_DS; S_RS_FOLD; S_RS_PARAM.

My restriction on power user Develop reports for self consumption, to change reports that they have created, but not those

created by anyone else., Execute pre-defined standard reports.

For testing i have created two power users with same role but unable to get exact output , could any body help on this

Former Member · ‎05-29-2010

Hi,

For restricting access to the user to change queries created by ownself only you need to maintain the value " $USER" in RSZOWNER in S_RS_COMP1 . Authorization given to the user for anything related to a query is a combination of values in S_RS_COMP and S_RS_COMP1.

As per your requirement, you can maintain 2 instances of S_RS_COMP1:

1) 03, 16, 22 - ACTVT----

No change auth for queries

Ztest1 RSZCOMPID

RSZCOMPTP
RSZOWNER

2) 02, 03, 16, 22 ACTVT----

Change auth for queries created only by oneself

Ztest1 RSZCOMPID

RSZCOMPTP

$ USER RSZOWNER

Hope this helps.

Regards,

Manisha

Former Member · ‎05-29-2010

Thank you manisha, do you mean two instances means do i need to create different two power user role with different activies (ex $user) and other without or i have create two s_rs_comp1objects in same role with different activites could you please confirm .

Former Member · ‎05-29-2010

Hi,

There is no need to create two different roles . You can add S_RS_COMP1 two times in the same role but with different set of values as I have given in the previous post. $ USER will give auth only for queries created by ownself.

Hope this helps.

Regards,

Manisha

Former Member · ‎05-31-2010

Hi

You have mentioned value "ZTEST1" for RSZCOMPID. Probabely you meant is "ZTEST1* " (All reporting components starting with the name ZTEST1* ).

My recommendation would go for creating 2 seperate roles for seperate power users based on different values for the field RSZOWNER if the value maintained for the field RSZCOMPID is same for both the users.

However if you can have different values for RSZCOMPID for seperate power users(i.e. seperate power users should create/change reporting componenets with different naming convention), then you can include two S_RS_COMP1 objects in the same role and assign the same role to different power users.

Thanks.

Anjan

Former Member · ‎05-31-2010

Thanks anajan, i will t try that too as per suggestion, now i am facing some issue in BEx designer , i was adding some rows and trying to save , but it is showing an error: you don't have authorization for add or create . i check the trace unable get the exact object . When i was testing with super user role i was able to do that . Please any objects you have any idea on this

Former Member · ‎05-31-2010

hi

As you are getting an error when you are saving the report, please check the authorizations for object S_USER_AGR(If the report is getting saved in roles). You may also want to check for authorization provided through objects S_RS_COMP & S_RS_COMP1.

Thanks.

Anjan

Edited by: anjanpandey on May 31, 2010 7:26 AM

Former Member · ‎05-31-2010

Hi,

I'm not sure how many Power Users do you have in your current BI Set-up and if creating different roles for different power users will be helpful as this may go on increasing with different requirements. Going by the standards you should have a common set of authorizations for the power users, even after that , if you have restrictions based on create/change query by a specific user , you can easily do that by maintaining different set of values for Object S_RS_COMP1 for field RSZOWNER rather than creating a completely new role for it.

Ths issue regarding changing the queries and saving them needs to be chacked with the set of values you have provided in activities for S_RS_COMP and S_RS_COMP1. Moreover , as Anjan has correctly pointed out, if they are being saved in a role, you also need to check the change authorization in S_USR_AGR .

Regards,

Manisha

Edited by: Manisha Nadir on May 31, 2010 12:48 PM

Former Member · ‎05-31-2010

Hi , thanks for your help, i tried to give

S_rs_comp

Activity 01, 02, 03, 16, 22 ACTVT

InfoArea * RSINFOAREA

InfoCube ZTest RSINFOCUBE

Name (ID) of a reporting compo Ztest1 RSZCOMPID

Type of a reporting component * RSZCOMPTP

S_rs_comp1

Activity 02, 03, 16, 22 ACTVT

Name (ID) of a reporting compo Ztest1 RSZCOMPID

Type of a reporting component * RSZCOMPTP

Owner (Person Responsible) for $USER RSZOWNER

S_user_agr

Activity * ACTVT

Role Name * ACT_GROUP

I also created another Super user role with following Tcodes and tested with that with all above objects it is working fine

Rsa1, rsa2,rsa3,rsa5,rsa6,rsa7, listcube, rspc, listscema, su01d, sqv1, rsimg, rsimpcur, rsinput, rsir_deltatrack, rrmx .

Earlier as anajan suggested i have looked into couple help sites . I think restricting perfectly as per requirement for Power user -

Develop reports for self consumption

Ability to change reports that they have created, but not those created by anyone else.

Execute pre-defined standard reports

Train End users

as on initial implementation my developer created ztest cube with ztest1 query and doing testing as per requirement .

Former Member · ‎05-31-2010

I was restricting on query also

s_rs_comp

01, 02, 03, 16, 22 ACTVT

RSINFOAREA

Ztest RSINFOCUBE

RSZCOMPID

RSZCOMPTP

s_rs_comp1

02, 03, 16, 22

*

$USER

now working fine if i changed to above settings able create or edit in bex querydesigner - now i want to test whether power user should able to change or create his own queries , but he should not create/change any other queries . by "$user "he can only create or change to restricted cube but he is not restricted by query i think . please suggest ima in right

Former Member · ‎06-01-2010

Hi

You are right to interpret based on the values maintained in the authorization objects S_RS_COMP & S_RS_COMP1.

However this way power user will be creating queries based on any naming convention. Recommendation should always be to follow a naming convention while creating new queries. So the access should be restricted based on the value provided in the field RSZCOMPID.

Also by providing a value " * " in the field RSZCOMPTP allows the user to create change Calculated key figure,

Restricted key figure, Template structure, Query, Variable. Are you sure that you want your power user to have create/change access for all of these.

Thanks.

Anjan

Former Member · ‎06-01-2010

Hi,

$ USER restricts the user with that role to have authorization only for queries created by the user itself . You can further restrict these queries by specifying the exact InfoCube and InfoArea in RSINFOCUBE and RSINFOAREA . Moreover, if you are following some specific naming convention for queries then you can give that value in RSZCOMPID.

Please go through the documentation provided for each of these fields in S_RS_COMP and S_RS_COMP1 in help.sap.com to get a clear understanding of what needs to be given and where restrictions can be put.

<removed_by_moderator>

Regards

Manisha Nadir

Edited by: Julius Bussche on Jun 1, 2010 2:08 PM

I do however agree with you that "roam78" should close the thread...

Former Member · ‎06-02-2010

Thank you everybody for your suggestions, I followed according to your inputs working fine