
BI Authorizations : Regarding Analysis Authorization

Former Member
0 Kudos

Dear ALL,

I have query Q1 which hits the infoprovider IP1 to fetch data.

I need to restrict the data based on Company code, hence Company code is marked as AUT-RELEVANT.

I created an ANALYSIS AUTH A_COMP_CODE = 1000 to restrict data based on Company code 1000.

Also, values for the special characteristics are provided as below:

0TCAACTVT =03

0TCAIPROV =IP1

0TCAVALID =Upto 31.12.9999

Also, other auth objects such as S_RS_COMP, S_RS_COMP1, etc. have been maintained.

Execution of the query with above auth throws auth error.

As per the log in rsecadmin, it shows missing authorization for : (colon) for 3 characteristics (c1, c1, c3) of infoprovider IP1.

When the 3 characteristics c1, c2, c3 are given the : value, the query runs fine.

What are scenarios in which colon authorizations is asked for?

What should be the approach to restrict data based on analysis auth?

How do we identify the characteristic to be included in analysis authorizations by analyzing the query ?

Regards

Ajit

4 REPLIES 4

Former Member
0 Kudos

Hi,

In the BI Authorization concept this scenario happens when an infoprovider is flagged to be restricted by multiple characteristics.

Even if you give specific or full access to one of the characteristics, the system would still look for authorization to the remaining auth relevant characteristics of the infoprovider for execution of the query, and the minimum authorization to provide to the remaining characteristics is ":" or aggregate, which only gives a summation level access to the data being protected by those characteristics.

What should be the approach to restrict data based on analysis auth?

It is a good practice to only make those characteristics authorisation-relevant for an infoprovider which are needed to check, and they should be limited. Please refer to SAP note # 1053989 for understanding the pattern of restriction in BI analysis authorization.

See the wiki below for more details on analysis authorizations in BI

[http://wiki.sdn.sap.com/wiki/display/BI/AnalysisAuthorizationsinBI-+approach]

How do we identify the characteristic to be included in analysis authorizations by analyzing the query ?

You need to include all auth relevant characteristics in your analysis authorization for an infoprovider which your query is hitting.

To find all auth relevant info objects for an infoprovider, follow the steps below:

1. The table RSDCUBEIOBJ gives you the list of all infoobjects corresponding to an Infocube.

2. If you plug this list of infoobjects into the table RSDCHA, you will obtain the list of infoobjects that are Auth Relevant.

And in case of multiple auth relevant characteristics for an infoprovider you will have to provide ":" (minimum access) or "*" (full access) value to all characteristics for which business has not provided any specific restricting requirement (it is preferable to use ":" instead of "*" wherever possible so as to avoid overloading the system resources).

Hope this clarifies!

Sandipan

Edited by: Sandipan Choudhury on Dec 26, 2010 7:20 PM
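
The two-table lookup described in the answer above, combined with a gap check against an analysis authorization, as an added example that is not part of the original thread. It runs the join in an in-memory SQLite database over constructed rows; the column names (`INFOCUBE`, `IOBJNM`, `OBJVERS`, `CHANM`, `AUTHRELFL`) and the `0COMP_CODE` characteristic name are assumptions to confirm in your own system.

```python
import sqlite3

# Constructed sample rows standing in for the two BW metadata tables named above.
# Column names (INFOCUBE, OBJVERS, IOBJNM, CHANM, AUTHRELFL) are assumptions;
# confirm them in the data dictionary before querying a real system.
CUBE_IOBJ = [("IP1", "A", "0COMP_CODE"), ("IP1", "A", "C1"), ("IP1", "A", "C2"),
             ("IP1", "A", "C3"), ("IP1", "A", "0MATERIAL"), ("IP2", "A", "C1")]
CHA = [("0COMP_CODE", "A", "X"), ("C1", "A", "X"), ("C2", "A", "X"),
       ("C3", "A", "X"), ("0MATERIAL", "A", "")]
# Special characteristics the question lists alongside the company code value.
SPECIAL = ("0TCAACTVT", "0TCAIPROV", "0TCAVALID")


def auth_relevant(infoprovider):
    """Return the auth-relevant characteristics of one InfoProvider, sorted."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE RSDCUBEIOBJ (INFOCUBE, OBJVERS, IOBJNM)")
    db.execute("CREATE TABLE RSDCHA (CHANM, OBJVERS, AUTHRELFL)")
    db.executemany("INSERT INTO RSDCUBEIOBJ VALUES (?, ?, ?)", CUBE_IOBJ)
    db.executemany("INSERT INTO RSDCHA VALUES (?, ?, ?)", CHA)
    rows = db.execute(
        "SELECT c.IOBJNM FROM RSDCUBEIOBJ c "
        "JOIN RSDCHA h ON h.CHANM = c.IOBJNM AND h.OBJVERS = c.OBJVERS "
        "WHERE c.INFOCUBE = ? AND c.OBJVERS = 'A' AND h.AUTHRELFL = 'X' "
        "ORDER BY c.IOBJNM", (infoprovider,)).fetchall()
    db.close()
    return [r[0] for r in rows]


def review(infoprovider, analysis_auth):
    """Compare an analysis authorization (dict: characteristic -> value list)
    with what the InfoProvider checks. Returns (missing, full_access)."""
    required = auth_relevant(infoprovider) + list(SPECIAL)
    # Characteristics with no value at all are the ones the log reports.
    missing = [c for c in required if not analysis_auth.get(c)]
    # '*' grants everything; list it so ':' can be considered instead.
    full_access = [c for c in required if "*" in analysis_auth.get(c, [])]
    return missing, full_access
```

Calling `review("IP1", {...})` with only the company code and the three special characteristics filled in returns C1, C2 and C3 as missing, which matches the log described in the question.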

Former Member
0 Kudos

Dear,

You need to use the c1, c2, c3 characteristics in the rows/columns of the query. If the char. are not in use, then the system will look for : (colon) authorization.

Check with your BW developer and make sure that char c1, c2, c3 are used in the query (through the query designer).

I hope it helps you.

Best Regards

Imran

0 Kudos

Hi,

Irrespective of whether the query includes or excludes c1, c2, c3, the system would still check for them before authorizing the user to access data of the infoprovider, since these characteristics have been marked as auth relevant for the infocube where the query hits.

As I understand in this case, we don't have any specific requirement from business (queries are built as per business requirement and it might not require protecting the query in this case via c1, c2 and c3) about restricting them, a minimum access of ":" has to be provided. But you might as well go through this authorization check successfully with "*" for characteristics c1, c2 or c3 in the analysis authorization.

Thanks,

Sandipan

former_member701183
Active Participant
0 Kudos

Hi,

Apart from what Sandipan has correctly mentioned, I would like to provide the below points related to first question:

"What are scenarios in which colon authorizations is asked for?"

This is mainly used for 2 purposes

1. For viewing summarised data to be reported at characteristics level, and also the user does not have the authorization to view or access detailed data.

2. Some authorizations may not contain authorization relevant Info objects that are checked in info cubes.

Regards

Aveek.