09-14-2011 10:11 AM
Hi Gurus,
Implementation of Object level security in BI system. Customer is looking to Implement BI security model for a new piece of functionality that they are setting up in BI (Commissions processing) specifically in the area of SD (Sales Distict, Office, Group, etc.).
Kindly suggest me how do i apply Object level security in BI for large number of People.
I have 3 characteristics to Restrict in Analysis Authorization.
0SALES_DIST: 300001, 300002, 300003, 300004
0SALES_OFF: 3010, 3011, 3012, 3020, 3021, 3022
0SALES_GRP: 3AA ,3AB, 3AC, 3AF, 3AG, 3AH
Kindly suggest me the best method to Implement. System is BI 7.0.
09-14-2011 11:55 AM
Hi Syed,
Your question is at a very high level. Without knowing what your users require, no one can recommend a better solution. However, ensure to have 1 PFCG role that gives authorization to S_RS_COMP with the required Infoarea/Infocubes and queries.
If you are making any of the below characterstic values as authorization relevant, you need to create analysis authorizations for the same.
0SALES_DIST: 300001, 300002, 300003, 300004
0SALES_OFF: 3010, 3011, 3012, 3020, 3021, 3022
0SALES_GRP: 3AA ,3AB, 3AC, 3AF, 3AG, 3AH
If you wish to seperate the authorizations on indiviidual sales off, dist, and group, you need to have indiviudal AA. If you need a mix and match like 1st sales_dist, and 2nd Sales off, and 3rd sales groups, you will have to have 4X6X6 Analysis authorizations.
Regards,
Raghu
09-14-2011 11:55 AM
Hi Syed,
Your question is at a very high level. Without knowing what your users require, no one can recommend a better solution. However, ensure to have 1 PFCG role that gives authorization to S_RS_COMP with the required Infoarea/Infocubes and queries.
If you are making any of the below characterstic values as authorization relevant, you need to create analysis authorizations for the same.
0SALES_DIST: 300001, 300002, 300003, 300004
0SALES_OFF: 3010, 3011, 3012, 3020, 3021, 3022
0SALES_GRP: 3AA ,3AB, 3AC, 3AF, 3AG, 3AH
If you wish to seperate the authorizations on indiviidual sales off, dist, and group, you need to have indiviudal AA. If you need a mix and match like 1st sales_dist, and 2nd Sales off, and 3rd sales groups, you will have to have 4X6X6 Analysis authorizations.
Regards,
Raghu
09-14-2011 12:24 PM
Thanks Raghu,
Role Design is in Place. They have restriction to Query based on S_RS_COMP and Created AA and made Info object Authorization Relevant. I am sorry for the high level description earlier. Hope this is explanatory.
Now there are 3 characteristics 0SALES_DIST, 0SALES_OFF, 0SALES_GRP to be Maintained in Analysis Authorization. These 3 characteristics have Huge values (Example 0 - 1000) Individually. And there are 400 End Users. Characteristic Values for each User is different. So one way is to create individual AA for each specific Combination and create separate Role and Assign it to User. But this will create huge Number of AA and Roles.
So if there is any other alternative to solve this, Please Suggest
09-14-2011 6:53 PM
Hi Syed,
You might be able to do something with hierarchy authorizations. If you create a hierarchy out of sales district / office / group, you can secure based on the hierarchy levels rather than individual values. That would help reduce the number of AA you need. Of course, that won't work if authorization will be different for every user.
Another thing to think about is whether you want to include your AA in roles. You can assign them manually instead. So you'd have a single, generic reporting role for instance and many AA. Then each user would get the reporting role and whatever combination of AA meets their needs. But that means more work for the security team when setting up users. So you have to decide which will save more time - maintaining fewer roles or updating users.
Regards,
Krysta
09-15-2011 11:34 AM
Thanks Krysta Osborn,
I have come up with a Model. I would create Individual AA for each Value of Sales district, sales office and sales group and add it an Individual Role.
So that the combination of above Roles will give the Required access to end user. I found this as a easy way. Rather than to create AA for permutation and combination of all values of sales area which will go up to 2500+ AA and Roles.
Thank you for your suggestions.
Regards
Syed Zameer
09-15-2011 11:44 AM
Hi Syed,
Analaysis authorizations are more flexible than Hirerachy authorizations.
However, the solution is simple. You doesn't require to create 100s of Analysis authorization and can use the user exits, or the variables instead. The below articles provides you detailed information on implementing them, which means you can achieve with a single anaysis authorization
Regards,
Raghu
09-15-2011 12:19 PM
09-20-2011 9:37 AM