Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

BI 7.01 BEx component authorization question

Former Member

‎08-31-2011 5:09 PM

0 Kudos

We are on BW 7.01 Level 007. When in PFCG, if I choose a role and navigate to its authorization, I see that the Business Explorer components (S_RS_COMP) has Activities, InfoArea, InfoCube, Name of reporting component, and Type of reporting component.

Where do you set the authorizations for infoproviders OTHER than an infocube? For instance, we have infoobjects that are infoproviders and can be used for reporting, but users with this role cannot see them. Do I need to add a new field specifically for infoObjects to the list?

Thank you, I appreciate your guidance.

Linda

11 REPLIES 11

Former Member

‎08-31-2011 7:44 PM

0 Kudos

Hi Linda,

Infoproviders should be added in the InfoArea field. Below is how you should add the authorizations:

InfoArea - All the Infoproviders and Infoareas in which the infocube is existed.

InfoCube - The infocube(s) for which you wish to give authorization

Name of reporting component - Queries that actually provide authorization to the data in the InfoCubes

Type of reporting comp - Query options such as aggregates etc.,

S_RS_COMP and S_RS_COMP1 are the objects that controls the majority of reporting authorizations in BI.

Regards,

Raghu

Edited by: Raghu Boddu on Aug 31, 2011 8:44 PM

Former Member

‎08-31-2011 7:51 PM

0 Kudos

You wrote:

InfoArea - All the Infoproviders and Infoareas in which the infocube is existed.

The infoarea part is clear, but to put infoprovider under infoarea is confusing to me. Are you suggesting that you list every multiproviders, infosets, dso, and infoobjects (basically any reportable infoprovider other than a cube) under InfoArea?

thanks,

Linda

Former Member
In response to Former Member

‎09-01-2011 7:48 AM

0 Kudos

Hi Linda,

Assume that you have a setup like the below:

ZMPTEST - Multi provider

ZIPTEST1 - Infoprovider under ZMPTEST

ZIPSUBTEST - InfoProivder under ZIPTEST1

ZICTEST - InfoCube under ZIPSUBTEST

Now, your S_RS_COMP should have ZMPTEST, ZIPTEST1, ZIPSUBTEST in the InfoArea field and ZICTEST in the InfoCube field.

For DSO, you have an additional authorization object called S_RS_DSO where you will specify the DSO objects clearly.

InfoObject restriction (if the InfoObject is set to authorization relavant) happens at the Analysis Authorization level.

If you are not sure on restricting authorizations at InfoObjects, a simple search would yeild lots of links.

Regards,

Raghu

arpan_paik
Active Contributor

‎09-01-2011 12:03 PM

0 Kudos 
 Where do you set the authorizations for infoproviders OTHER than an infocube? For instance, we have infoobjects that are infoproviders and can be used for reporting, but users with this role cannot see them

In BI7 these are also covered in S_RS_COMP. Like old days for reporting S_RS_ODSO, HIER etc are no longer required. These objects are only require if user need to admin these component.

One point to remember, if you give multiprovider name in infocube field, it will not work. You have to give each infoprovider name in this field (i.e. leaf level authorization will work, not root level)

Regards,

Arpan Paik

Former Member

‎09-01-2011 2:25 PM

0 Kudos

Arpan, Raghu,

Thanks so much for your help so far. Can either of you point me to the documentation or even a good book on BW security? Sorry if I am slow at this, but I'm on the BW team and needing to know what to ask our Security team to do.

Currently we have the following under Business Explorer - Components, but users with this role cannot report off of InfoObjects (set up as infoproviders) under infoareas that they have access to. Is this even the place where you authorize users to report off of infoobject infoproviders? Basically, we want all super and power users to be able to report off of any infoobject that is an infoprovider, so I hope we don't have to authorize each infoobject individually.

For: FI505_000_SUPER_USER_COMPLETE

Business Explorer u2013 Components (S_RS_COMP)

Activity (ACTVT) 03, 16

InfoArea (RSINFOAREA) *

InfoCube (RSINFOCUBE) 0BBP, 0GM, 0PA, 0PU, ZFI, ZFMPS, ZGM, ZHRPY, ZSRM

Name (ID) of a reporting component (RSZCOMPID) 0, Z*

Type of a reporting component (RSZCOMPTP) CKF, QVW, REP, RKF, STR, VAR

Business Explorer - Components

Activity 01, 02, 03, 06, 16, 22

InfoArea *

InfoCube 0BBP, 0GM, 0PA, 0PU, ZFI, ZFMPS, ZGM, ZHRPY, ZSRM*

Name (ID) of a reporting compo Y*

Type of a reporting component CKF, QVW, REP, RKF, STR, VAR

Business Explorer - Components

Activity 03, 16

InfoArea *

InfoCube 0BBP, 0GM, 0PA, 0PU, ZFI, ZFMPS, ZGM, ZHRPY, ZSRM*

Name (ID) of a reporting component *

Type of a reporting component CKF, RKF, SOB, STR

Former Member
In response to Former Member

‎09-01-2011 5:16 PM

0 Kudos

Hi Linda,

BW365 - SAP BW Authorizations is the best that explains you well about the BI PFCG and Analysis authorizations.

Regards,

Raghu

Former Member

‎09-01-2011 3:00 PM

0 Kudos

in RSECADMIN , execute as user, and see the Log Report. The red marked fields will help you know the missing fields (in Analysis object) and their values

Former Member

‎09-02-2011 2:09 PM

0 Kudos

I found a copy of BW365 - SAP BW Authorizations and am working my through the chapters. So far when they talk about infoobject security, they are referring to row level security. We do not need that. I just need infoobjects infoproviders to be seen and reportable to our power users. I am hoping it is addressed in upcoming chapters.

thanks,

Linda

Former Member
In response to Former Member

‎09-02-2011 6:28 PM

0 Kudos

Great..it should give you enough information. Also, you may look at the below link that provides more information on BI Analysis authorizations:

http://wiki.sdn.sap.com/wiki/display/BI/AnalysisAuthorizationsinBI-+approach

A quick search in the articles, and Wikis do defiantly provide you more learning experiences. All the best!!

Regards,

Raghu

Former Member

‎09-02-2011 6:38 PM

0 Kudos

Raghu,

My original question was does the InfoCube (2nd line shown below) in the S_RS_COMP, mean just infocubes or does it include DSOs and infoobject that are set as infoproviders.

After all I have read, I conclude that it does mean ALL infoproviders and it would be more accurate to have it named InfoProvider rather than InfoCube. Knowing that helps me understand why our situation is not working as planned. Thanks for all of your help.

Linda

InfoArea - All the Infoproviders and Infoareas in which the infocube is existed.

InfoCube - The infocube(s) for which you wish to give authorization

Name of reporting component - Queries that actually provide authorization to the data in the InfoCubes

Type of reporting comp - Query options such as aggregates etc.,

Former Member
In response to Former Member

‎09-02-2011 7:19 PM

0 Kudos 
the InfoCube (2nd line shown below) in the S_RS_COMP, mean just infocubes or does it include DSOs and infoobject that are set as infoproviders.

InfoCubes can only be maintained in S_RS_COMP. For DSOs, you need to user S_RS_DSO. S_RS_COMP doesn't provide authorization to Infocubes.

Regards,

Raghu