04-07-2011 9:37 AM
Hello,
In RSECADMIN it is possible to directly assign the 'analysis authorisations' to user-id's
It is also possible to assign the 'analysis authorisations' to a role via the authorisation object S_RS_AUTH
Can somebody tell me
- what are the pros and cons of directly assigning the analysis autorisations to the users in the RSECADMIN ?
- In which situation is direct assigning in RSECADMIN used ?
- IS dirtectly assigning to users in RSECADMIN in a production environment critical?
- what does SAP propose: directly assigning in analysis authorisations our via a role
In our case we have the situation of
BI system with a large number of analysis authorisations. The values of the analysis authorisations should be
maintainable in production environment.
We have also to take in mind:
- Roles are added to users via CUA ( RSECADMIN is not maintainable via CUA)
- Business Objects is coming. So set up the authorisations that they can be used for Business Objects
- Flexible ( new autorisation relevant info Objects) should be easy adeptable.
What we want to use is
- assigning analysis authorisations via a single role ( in a composite ) to the user
- a variable in the analysis authorisations as field value of a characteristic. In that case the values can be
assigned dynamically in production.
the data access role has the link to the analysis autorisations in the RSECADMIN.
this analysis authorisation contains variables instead of a fixed field value.
The values of the variables are maintained in a table in a production environment
Is using directly assigning analysis authorisations to users in the RSECADMIN in the production environment an alternative ?
Thanks for your answers
With Kind Regards,
Vincent
Edited by: Vincent Willems on Apr 7, 2011 10:37 AM
06-22-2011 4:12 PM
Hi Willem,
You might want to look around on SAP's site to see if there are any white papers about the two ways to assign analysis auths to users.
We have quite a few analysis auths in production, and we have chosen to assign them manually. As a result, we have fewer roles to maintain and assign. The roles are used to give access to the tools, e.g. BEx. We then control what data the users can see with analysis auths.
We do not currently use the functionality that is available to look at change history for assignment of analysis auths. We do include analysis auths in access requests so the access is approved by the business before being assigned. We focus our control more on the role assignment right now. I expect that we will review analysis auth assignments in the future, though.
Not sure if this is what you were after, but I hope it helps!
Krysta
06-23-2011 6:46 AM
If for the same set of query, access requires for different auth relevant characteristics, then you should use directly assiging AA to user. Which will reduce number of roles in your system. Now generally in BI system the number of users are less so by S_RS_AUTH the purpose can also be served for one type maintainance.
Regards,
Arpan Paik
06-23-2011 8:52 AM
Hello Vincent,
My way of working is to follow the structure you have in the providing systems. If you have created a role for a production employee then try to translate the roles for the production analysis the same way in BI. You can use the s_rs_auth object. In HR you can use structural authorizations, you can use some programs to set the structural authorizations in BI and that will be done by creating an analysis object and add this to the user involved. Also updates from structural authorizations will be done automatically by these programs. I should not add your own objects to single users, that is a lot of maintenance you do not want. Use in BI the same concept as in the providing systems, it is more clear for anyone who has to work with it.
Have fun
Bye
Jan van Roest
PS. Did you solve your problem? If so please close your question
Edited by: J. van Roest on Jul 7, 2011 12:51 PM