BI 7.0 Analysis Authorization Not Working After NW...

Former Member · ‎07-28-2011

Hello All,

A while back I implemented BI 7.0 security in my sandbox system and was able to run several tests validating some navigation attributes successfully. Since that time we refreshed the sandbox (which took it back to the 3.5 security model) and applied Netweaver 7.0 EhP2. I thought I followed the same steps as before but I am unable to get the kind of test results I received previously. Here's what I have done and I hope someone can spot a piece I am missing that will make the security work again.

1.) Changed the authorization mode to "Current Procedure with Analysis Authorizations" via transaction SPRO

2.) Activated the BI Content for the 0TCA* objects

3.) Set the SAP characteristics 0TCAIPROV, 0TCAACTVT, and 0TCAVALID to Authorization-Relevant

4.) Set our custom characteristic (ZSENS_HQ) used for navigation to Authorization-Relevant

5.) Used transaction RSECADMIN to create an authorization (ZSENSCLMNOWC) and include the above mentioned characteristics.

6.) Set the value ZSENS_HQ to I EQ # (so that only those rows where this characteristic is unassigned are displayed from the query.)

7.) Added the S_RS_AUTH authorization with the value of ZSENSCLMNOWC to a role assigned to one of my test users

Here is my dilemma. The infoObject involved with my query has many rows where ZSENS_HQ is either blank or X. When I run the query using the authorization mode "Obsolete Concept with RSR Authorization Objects" and specify targets where one row is blank and one row is X, I only get the one role where the characteristic is blank. The user account doing the test has a security role with an RSR authorization specifying a value of #. However, when I perform the above mentioned steps and run the same query under the new security methodology I get both rows where I would expect to only receive the one row.

Based on what I've identified above, can anyone provide any insight as to why this would not be working for me now? I cannot find any SAP notes directly related to this not functioning after EhP2 so I am at a complete loss.

Any advice is greatly appreciated.

Kindest Regards,

Doug Helton

Former Member · ‎07-28-2011

Hi Doug,

The steps that you have followed are perfect and I don't see any issue with them.

The issue is with the AA or the Query design. I recommend you replace EQ with CP and use the # value. If the issue still persists, you may run the RSECADMIN trace to identify whether the authorization check is carried out or not at the AA level.

Also, engage your Query designer can identify any potential issues with the migrated queries.

Regards,

Raghu

Former Member · ‎07-29-2011

Hello Raghu,

It is not possible to change the characteristic to be I CP # because the system does not recognize # as a pattern character. Only * and + are allowed for patterns. When I tried to set it to that and attempted to save, I got a message that it would be converted to I EQ #.

I'm thinking it may be the query too. It seems to me that I had to engage them when I had this working before but no one can remember for certain. The fact that the query is pulling everything regardless of the characteristic leads me to think more investigation on the query end is needed.

Regards,

Doug

Former Member · ‎07-29-2011

Hi Doug,

Yes. I too think that the issue can be with the queries. But I also recommend you to check with the other queries to isolate whether the issue is with a specific query or in general. This may give you some room to think and quickly work on.

Regards,

Raghu

Former Member · ‎08-30-2011

Hi All,

I am also facing same problem.

In Analysis problem, EQ works fine, but when I give CP = some profit center * ( PC*) like , it does not work. It gives below error:

"You do not have sufficient authorization"

Any Idea?

Regards

Former Member · ‎08-30-2011

Hi for this error "You do not have sufficient authorization", you need to create an Analysis Authorization for the profit center (the profit center which you put in the query) and assign that AA in the object S_RS_AUTH in the role.

Vinod

krysta_osborn · ‎08-31-2011

Check your query. I think you have to tell it to filter profit center based on authorization. I believe that you do that by making profit center an authorization type variable (not sure of the exact terminology) in your query. Then it should filter the results based on what the user is allowed to see.

Former Member · ‎08-31-2011

Hi Vinod,

you need to create an Analysis Authorization for the profit center (the profit center which you put in the query) and assign that AA in the object S_RS_AUTH in the role.

The OP is regarding the AA only. When he uses CP (Contains Pattern) as PC*, it is giving authorization error. What difference it makes assigning the AA to the user directly or S_RS_AUTH?? Can you re-validate your solution??

Regards,

Raghu

Former Member · ‎08-31-2011

Hi Aman,

What does your RSECADMIN trace says?? Check the trace and see what is missing.

Regards,

Raghu

Former Member · ‎09-01-2011

Hello Raghu,

I found the problem causing my issue. We had two characteristics defined in our system. One of them was defined as the technical name (that's the one I originally set as Authorization Relevant) and the other is an attribute on an object with a different technical name. I was seeing this other technical name in my RSECADMIN traces and I was finally able to figure out that I needed to set the attribute there to Authorization Relevant. Once I did that the reports functioned as expected and my problem was solved.

Regards,

Doug

BI 7.0 Analysis Authorization Not Working After NW 7.0 EhP2