01-19-2011 6:21 AM
Hello All,
I need your help here.
For BI security,
I've configured a menu role (for example ZBEX_FIN) so that the end users see only the specific queries/workbooks inside the menu folder that is assigned to him/her.
And I've made a function role for the end user, copied from the template S_RS_RREPU with these modifications:
1. I deleted 0BI_ALL.
2. Added S_USER_AGR and put my menu role above (ZBEX_FIN) in field ACT_GROUP.
3. Added S_RS_FOLD to disable the InfoArea button in BEx.
Currently the user can see and execute the reports assigned in the role menu folder; this is correct.
But the problem is that there's a find button in BEx. When the user tries to search for another query (a non-authorized query, one that he is not supposed to see), he can still display the query and then execute it. This is not acceptable.
Can anyone suggest whether I can disable the find button in BEx,
or any other restriction in the role that I missed, so that the user can only execute and display the queries/workbooks under the role menu?
Thanks in advance.
01-19-2011 6:32 AM
Hi,
Did you put restrictions on the S_RS_COMP auth object for InfoArea/InfoProvider and query name?
Please note that template S_RS_RREPU has "*" values for InfoArea, InfoCube and RSZCOMPID (query name), which need to be replaced with the specific values you want the user to have access to.
Also, make sure the analysis authorization which you put in S_RS_AUTH is restricted to the correct InfoProvider.
Hope this helps
Sandipan
01-19-2011 7:27 AM
Thanks a lot, Sandipan, for the quick response.
For S_RS_AUTH I've restricted it with specific authorization data.
But for S_RS_COMP, I still keep it as *, so this is what causes the problem. In our requirement, I can't restrict by InfoArea and InfoCube, so I have to restrict by the query ID.
So does it mean that we need to do it twice, restricting the query in the role menu and then inside S_RS_COMP?
So later, when the user wants to add more queries to his role, we need to add those in the role menu as well as inside S_RS_COMP. Is this correct?
And if I have a workbook, how do I put it inside S_RS_COMP? Because the component of S_RS_COMP is query only.
I tried to simulate the problem, and the user can also search for other workbooks that are assigned to other role menus.
Thanks again.
01-19-2011 7:46 AM
"So does it mean that we need to do it twice, restricting the query in the role menu and then inside S_RS_COMP?
So later, when the user wants to add more queries to his role, we need to add those in the role menu as well as inside S_RS_COMP. Is this correct?"
When you add queries/workbooks to the role menu, you are not restricting the access. It's just that the user menu would list those queries/workbooks. Users can search for other queries and workbooks and run them with proper authorizations in S_RS_COMP. You may consider maintaining a query naming convention with wildcards, for example YRZ* etc., to give access to all queries/workbooks starting with YRZ. This would save you the effort of updating the role too frequently.
"And if I have a workbook, how do I put it inside S_RS_COMP? Because the component of S_RS_COMP is query only."
S_RS_COMP can restrict queries as well as workbooks with field RSZCOMPTP = REP.
01-19-2011 8:29 AM
Hi Sandip,
Thanks, it's clearer now.
But I still can't restrict the workbook.
I tried using REP and put the workbook description in the field RSZCOMPID, but the length does not fit. Then I tried the workbook ID, but it's not working; the user can still search for workbooks inside other roles.
So I still have a problem with the workbook.
For the query, it's solved by using your recommendation.
Regards.
01-19-2011 11:12 AM
Workbooks cannot be controlled by S_RS_COMP. Recheck the roles assigned to the user and the authorization value in S_USER_AGR.
Regards,
Arpan Paik
01-19-2011 12:28 PM
My bad, Arpan is correct: queries can be controlled by S_RS_COMP, and for workbooks it's S_USER_AGR. Please check all roles assigned to the user and see if any one of them gives wider access to S_USER_AGR as far as the role name is concerned.
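The check suggested in the replies above (look across every role assigned to the user for an S_RS_COMP query name or S_USER_AGR role name value that is wider than intended), sketched as an added example that is not part of the original thread. The user, role and query names other than ZBEX_FIN and the YRZ prefix are constructed, the row layout is an assumed export format, and value matching is simplified to exact values and trailing-`*` prefixes.

```python
# Constructed sample data (not from the thread). Rows mimic a role export:
# (role, authorization object, field, value).
USER_ROLES = {"FINUSER01": ["ZBEX_FIN", "ZFUNC_FIN", "ZOLD_REPORTING"]}
ROLE_AUTHS = [
    ("ZFUNC_FIN", "S_RS_COMP", "RSZCOMPTP", "REP"),
    ("ZFUNC_FIN", "S_RS_COMP", "RSZCOMPID", "YRZ*"),
    ("ZFUNC_FIN", "S_USER_AGR", "ACT_GROUP", "ZBEX_FIN"),
    ("ZOLD_REPORTING", "S_RS_COMP", "RSZCOMPID", "*"),
    ("ZOLD_REPORTING", "S_USER_AGR", "ACT_GROUP", "ZBEX_*"),
]
# Every name that exists in the hypothetical system, per gating field.
UNIVERSE = {
    ("S_RS_COMP", "RSZCOMPID"): ["YRZ_FIN_001", "YRZ_FIN_002", "YHR_PAY_001"],
    ("S_USER_AGR", "ACT_GROUP"): ["ZBEX_FIN", "ZBEX_HR"],
}
# What this user is supposed to reach (assumption for the example).
INTENDED = {
    ("S_RS_COMP", "RSZCOMPID"): {"YRZ_FIN_001", "YRZ_FIN_002"},
    ("S_USER_AGR", "ACT_GROUP"): {"ZBEX_FIN"},
}

def matches(value, name):
    """Simplified value match: exact, or a prefix with a trailing '*'.
    From-to ranges are not modelled."""
    if value.endswith("*"):
        return name.startswith(value[:-1])
    return value == name

def overbroad_grants(user, universe=UNIVERSE, intended=INTENDED):
    """Return grants, from any role assigned to `user`, that reach
    names outside the intended set for that field."""
    roles = set(USER_ROLES.get(user, ()))
    findings = []
    for role, obj, field, value in ROLE_AUTHS:
        key = (obj, field)
        if role not in roles or key not in universe:
            continue  # role not assigned, or not a gating field
        extra = sorted(n for n in universe[key]
                       if matches(value, n) and n not in intended.get(key, set()))
        if extra:
            findings.append((role, obj, field, value, extra))
    return findings

if __name__ == "__main__":
    for finding in overbroad_grants("FINUSER01"):
        print(finding)
```

The menu role ZBEX_FIN contributes no rows here, which mirrors the point made in the thread: the menu only lists items, while the authorization values decide what can be opened.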
01-21-2011 3:48 AM