- SAP Community
- Groups
- Interest Groups
- Application Development
- Discussions
- How many auths relevant objects are allowed under ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
How many auths relevant objects are allowed under the BI Authorisations?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-17-2011 10:12 AM
Hello,
Can anyone please confirm how many InfoObjects are allowed to be auths relevant in the BI Analysis Authorization?
I have a presentation called The New SAP NetWeaver BI AA, by Amelia Lo, SAP consultant and according to this document there is an unlimited number of InfoObjects allowed. However our consultants tell me that 10 is a SAP recommended number and anything greater than this will have a serious impact on the performance.
We have tens of master data attributes which we want to hide from unauthrised users but our consultants warn us of the implications of it.
Can anyone advise please?
Many thanks,
Agata
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-17-2011 10:37 AM
Hi Agata,
The New SAP NetWeaver BI AA, by Amelia Lo, SAP consultant and according to this document there is an unlimited number of InfoObjects allowed
Yes. It is correct. Ther eis not limit on the # of InfoObjects that you can make authorization relevant.
However our consultants tell me that 10 is a SAP recommended number and anything greater than this will have a serious impact on the performance.
The AA will normally be built on 1 InfoObject that is authorization relevant and can be assigned to the user. If you wish to have more than 1 InfoObject in 1 Analysis authorization, Yes, you may have performance issues.
For eg: Assume that you have data in InfoCube called SALES that contains data related to country, territory, product and so on..
If you are restricting on one InfoObject such as Country, or product there should not be any performance issues. But, if you restrict on all in and create analysis authorizations, they do have impact on performance.
We have tens of master data attributes which we want to hide from unauthrised users but our consultants warn us of the implications of it..
It doesn't really matter if you have ten or hundred. It all depends on how well you maintain your analysis authorizations.
Hope this helps!!
Best Regards,
Raghu
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-17-2011 10:37 AM
Hi Agata,
The New SAP NetWeaver BI AA, by Amelia Lo, SAP consultant and according to this document there is an unlimited number of InfoObjects allowed
Yes. It is correct. Ther eis not limit on the # of InfoObjects that you can make authorization relevant.
However our consultants tell me that 10 is a SAP recommended number and anything greater than this will have a serious impact on the performance.
The AA will normally be built on 1 InfoObject that is authorization relevant and can be assigned to the user. If you wish to have more than 1 InfoObject in 1 Analysis authorization, Yes, you may have performance issues.
For eg: Assume that you have data in InfoCube called SALES that contains data related to country, territory, product and so on..
If you are restricting on one InfoObject such as Country, or product there should not be any performance issues. But, if you restrict on all in and create analysis authorizations, they do have impact on performance.
We have tens of master data attributes which we want to hide from unauthrised users but our consultants warn us of the implications of it..
It doesn't really matter if you have ten or hundred. It all depends on how well you maintain your analysis authorizations.
Hope this helps!!
Best Regards,
Raghu
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-17-2011 2:06 PM
"The AA will normally be built on 1 InfoObject that is authorization relevant and can be assigned to the user. If you wish to have more than 1 InfoObject in 1 Analysis authorization, Yes, you may have performance issues."
Is that correct, though? It would have to be a very simplistic scenario to only contain one InfoObject. Not to mention that there are already three 0TCT objects that need to be included in at least one role you are assigning to a user.
If for example, I want to restrict access to a 100 attributes, so that people can't see them, I will need to put all those 100 objects in one role and give them a ":" access. Otherwise the authorisation will fail if people attempt to run a query with these objects.
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-17-2011 3:05 PM
Hi Agata,
When I mean one, it doesn't include 0TCA* objects.
Well, COLON authorizations is a different scenario and ofcourse a good approach. User Exists is another approach that you can adapt to manage if you want to restrict on multiple attributes.
Let me know how exactly you are planning to implement. Flat AA authorizations is the widely used, but there is always room for the other two It fairly depends on the amount of InfoObjects and the criticality of the authorization restrictions that you wish to apply.
Regards,
Raghu
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-17-2011 4:09 PM
Here is what SAP says ..
[Analysis Authorization|http://help.sap.com/saphelp_nw70/helpdata/en/be/076f3b6c980c3be10000000a11402f/frameset.htm]
In principle, all authorization-relevant characteristics are checked for existing authorizations if they occur in a query or in an InfoProvider that is being used. For this reason, you should avoid flagging too many characteristics as authorization-relevant so you keep the administrative efforts to a minimum and keep performance good.
We recommend that you include a maximum of 10 authorization-relevant characteristics in a query, since performance is otherwise negatively impacted. Authorization-relevant characteristics with asterisk (*) authorization are an exception to this; you can include more authorization-relevant characteristics of this type in a query.
IMO it really depends on your business scenario, what you really think is critical enough to be restricted and how much you can compromise with the performance which I am sure you are already aware of...reason for this question
One thing that gets difficult with lot of auth relevant objects in a query is the RSECADMIN error log because of the way SAP builds and check Analysis authorizations.
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-17-2011 5:47 PM
Thank you very much for that. It's very helpful. So the restriction on the 10 InfoObjects relates to a single query not to the pool of all InfoObjects in BW...
V. helpul!
Cheers.
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-17-2011 11:53 PM
Just a little side note: There is currently a very interesting blog and discussions about performance considerations in the comments -
> /people/lars.breddemann/blog/2011/08/13/sap-support-case-for-all-entries-disaster
Performance tuning in BW is a big issue for basis folks and the blog (read the comments) is primarily about the coding techniques at the application and database level.
Consider the impacts of authority-checks and analysis authorizations (generation) and their locations in the code when the requirement is just a "nice to have" but the users can all run Fi / Co reports anyway...
Cheers,
Julius
- SAP Managed Tags:
- Security
