
BI Auth - user still can search & execute for not authorized query

Former Member
0 Kudos

Hello All,

Need your help here.

For BI security,

I've configured a menu role (for example ZBEX_FIN) so that the end users see only the specific queries/workbooks inside the menu folder that is assigned to him/her.

And I've made a function role for the end user, copied from the template S_RS_RREPU, with these modifications:

1. I deleted 0BI_ALL

2. Added S_USER_AGR and put my menu role above (ZBEX_FIN) in field ACT_GROUP

3. Added S_RS_FOLD to disable the InfoArea button in BEx.

Currently the user can see and execute the reports assigned in the role menu folder; this is correct.

But the problem is that there's a find button in BEx. When the user tries to search for another query (a non-authorized query, one that he is not supposed to see), he can still display the query and then execute it. This is not acceptable.

Can anyone suggest whether I can disable the find button in BEx,

or any other restriction in the role that I missed, so the user can only execute and display the queries/workbooks under the role menu?

Thanks in advance.

1 ACCEPTED SOLUTION

Former Member

Hi,

Did you put restrictions on S_RS_COMP auth object for infoarea/infoprovider and query name?

Please note that the template S_RS_RREPU has "*" values for Infoarea, Infocube and RSZCOMPID (query name), which need to be replaced with the specific values you want the user to have access to.

Also, make sure the Analysis authorization which you put in S_RS_AUTH is restricted to the correct infoprovider.

Hope this helps

Sandipan


0 Kudos

Thanks a lot Sandipan for the quick response.

For S_RS_AUTH I've restricted it with specific authorization data.

But for S_RS_COMP, I still keep it as *, so this is what causes the problem. In our requirement, I can't restrict by InfoArea and InfoCube, so I have to restrict by the query ID.

So does it mean that we need to do it twice, restricting the query in the role menu and then inside S_RS_COMP?

So later, when the user wants to add more queries to his role, we need to add those in the role menu as well as inside S_RS_COMP. Is this correct?

And if I have a workbook, how do I put it inside S_RS_COMP? Because the component of S_RS_COMP is query only.

I tried to simulate the problem; the user can also search for other workbooks that are assigned to other role menus.

Thanks again.

0 Kudos

So does it mean that we need to do it twice, restricting the query in the role menu and then inside S_RS_COMP?

So later, when the user wants to add more queries to his role, we need to add those in the role menu as well as inside S_RS_COMP. Is this correct?

When you add queries/workbooks to the role menu, you are not restricting access. It's just that the user menu would list those queries/workbooks. Users can search for other queries and workbooks and run them with proper authorizations in S_RS_COMP. You may consider maintaining a query naming convention with wildcards, for example YRZ* etc., to give access to all queries/workbooks starting with YRZ. This would save you the effort of updating the role too frequently.

And if I have a workbook, how do I put it inside S_RS_COMP? Because the component of S_RS_COMP is query only.

S_RS_COMP can restrict queries as well as workbooks with field RSZCOMPTP = REP

0 Kudos

Hi Sandip,

Thanks it's clearer now.

But I still can't restrict the workbook.

I tried using REP and put the workbook description in the field RSZCOMPID, but the length does not fit; then I tried the workbook ID, but it's not working: the user can still search for workbooks inside other roles.

So I still have a problem with the workbook.

For the query, it's solved by using your recommendation.

Regards.

0 Kudos

Workbooks cannot be controlled by S_RS_COMP. Recheck the roles assigned to the user and the authorization value in S_USER_AGR.

Regards,

Arpan Paik

0 Kudos

My bad, Arpan is correct: queries can be controlled by S_RS_COMP, and for workbooks it's S_USER_AGR. Please check all roles assigned to the user and see if any one of them gives wider access to S_USER_AGR as far as role name is concerned.

0 Kudos

Thanks a lot guys for your help. I'll give you both points.
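
Added example (not part of the thread and not SAP code): an offline check over exported role authorization values that shows the point the replies make, namely that the role menu only lists items while S_RS_COMP (queries) and S_USER_AGR (workbooks via role name) decide access, and that one extra role carrying "*" reopens everything. The row layout, the role names ZBEX_FIN_FUNC and Z_TEMPLATE_COPY, the names ZHR_PAY_01 and ZBEX_HR, and the simplified trailing-"*" matching are assumptions made for the illustration.

```python
from collections import defaultdict

# Constructed sample rows: (role, object, authorization instance, field, value).
# ZBEX_FIN_FUNC and Z_TEMPLATE_COPY are hypothetical role names.
ROWS = [
    ("ZBEX_FIN_FUNC", "S_RS_COMP", "A1", "RSZCOMPTP", "REP"),
    ("ZBEX_FIN_FUNC", "S_RS_COMP", "A1", "RSZCOMPID", "YRZ*"),
    ("ZBEX_FIN_FUNC", "S_USER_AGR", "B1", "ACT_GROUP", "ZBEX_FIN"),
    ("Z_TEMPLATE_COPY", "S_RS_COMP", "A1", "RSZCOMPTP", "*"),
    ("Z_TEMPLATE_COPY", "S_RS_COMP", "A1", "RSZCOMPID", "*"),
    ("Z_TEMPLATE_COPY", "S_USER_AGR", "B1", "ACT_GROUP", "*"),
]
# Fields where a bare "*" defeats the restriction discussed in the thread.
WATCH = {("S_RS_COMP", "RSZCOMPID"), ("S_USER_AGR", "ACT_GROUP")}

def value_matches(pattern, value):
    """Simplified matching: exact value, or the prefix before a trailing '*'."""
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value

def is_allowed(rows, roles, obj, wanted):
    """True if one authorization instance satisfies every wanted field
    (fields are ANDed inside an instance, instances and roles are ORed)."""
    grouped = defaultdict(lambda: defaultdict(set))
    for role, o, auth, field, val in rows:
        if role in roles and o == obj:
            grouped[(role, auth)][field].add(val)
    return any(
        all(any(value_matches(p, v) for p in fields.get(f, ()))
            for f, v in wanted.items())
        for fields in grouped.values()
    )

def wildcard_findings(rows, roles, watch=WATCH):
    """Sorted (role, object, field) triples where a watched field is '*'."""
    return sorted({(r, o, f) for r, o, _, f, v in rows
                   if r in roles and (o, f) in watch and v == "*"})

if __name__ == "__main__":
    query = {"RSZCOMPTP": "REP", "RSZCOMPID": "ZHR_PAY_01"}  # constructed name
    for roles in ({"ZBEX_FIN_FUNC"}, {"ZBEX_FIN_FUNC", "Z_TEMPLATE_COPY"}):
        print(sorted(roles),
              "query outside YRZ*:", is_allowed(ROWS, roles, "S_RS_COMP", query),
              "other menu role:", is_allowed(ROWS, roles, "S_USER_AGR", {"ACT_GROUP": "ZBEX_HR"}),
              "wildcards:", wildcard_findings(ROWS, roles))
```

Run it against the full set of roles assigned to a user, not a single role, since the widest value among them is what applies.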