08-09-2010 2:09 PM
Hi SAP Guru,
We are in process of migration of BW 3.5 Authorization to BI 7 New analysis Authorization.
We have one scenario where as in One Object in 3.5 let say Auth Object ABC having two fields 0Profit_CTR and 0TCTAUTHH Authorized on Finance Cubes. We have another Object XYZ also having 0PROFIT_CTR authorized on SALES Cubes in 3.5.
In New solution we want only to give the access same way as it is now , the only problem we see with our new design is that when we add * to 0Profit_CTR as part of XYZ then user get more access for all profit Center and for ABC as well.
Can you please suggest me how to proceed so that users donu2019t get more access to Profit Centers.
Fyi, we have maintained infocubes access in separate Role and planning to maintain ABC or XYZ as Analysis authorizations in Separate.
Thanks in advance for time.
Br,
Deepak
08-09-2010 4:43 PM
Deepak,
With one role(0Profit_CTR : *) and another with value will over ride(more access),whether you create two roles or one role and add it the same user buffer. (in other word more access).
Other option is you can restrict on query name / Query Owner.
Thanks,
Sri
08-10-2010 6:48 PM
Hi Deepak,
In BW 3.5, Apart from custom authorization objects, S_RS_ICUBE object was used to control the access to cubes
In BI7, you need to ensure 0TCAIPROV with specific values to allow users access to those cubes
- Maintain Profit Center authorization object in two separate Analysis authorizatios
a) With * value
b) specific value you want to restrict upon
- Now to restrict the access for users based on Infocube
a) Ensure to restricit S_RS_COMP (Field RSINFOCUBE) to a particular cube name
- Ensure you restrict cube access using 0TCAIPROV
Kind Regards,
Sheenam
08-13-2010 3:10 PM
Hi ,
1.Note that in BW3.5 the authorization relevance is per infoObject and infoCube
in BI 7.0 its only infoobject setting
2.For infoProvider authorization BW3.5 sepparate authorization objects are used ( S_RS_* )
in BI 7.0 its included in authorization.
Even if you follow all the steps mentioned by sheenan I still think "*" will give full authorization.
if the infoProviders are different why dont you grant authorization to those two infoproviders using its possible values like
EQ/BT/CP
I will strongly consider Sri's response/idea.
Regards
10-05-2010 7:53 AM