Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

BW Analysis authorization issue on cost center range

Former Member

‎10-27-2011 9:58 PM

Hello BIW security experts

I have a problem where I created an analysis authorization on a cost center range and it looks like the interval is not working. The report is just a list of cost centers (demo to users to prove that analysis authorizations work in order to skip 2 managerial cost centers.

. Cost centers are numeric. Example: 2000100. In the drop down list they appear as such.

. I want to have the following cost center range: 1000000 to 1000771, 1000773 to 2000771, 2000773 to 9999999.

Thereofore 1000772 and 2000772 should not appear in the list.

. In the analysis authorization I have put the 3 ranges above on 3 separate lines. 'BT' is the operator. The cost centers have been selected from the drop down list.

Results: I get only 1 record from the report.... 2000772. (which is one I want to exclude..

Steps tried to debug:

. When I put a list of cost centers in the analysis authorization on separate line with the 'EQ' operator, then the report works.

. I tried putting ' ' delimiters since cost center is a char field but it fails.

. I tried adding leading and trailing zeros to fill up the char(10) but no luck.

. I tried creating a hierarchy with the interval and put it in the hierachy auth. tab and it does not work either. It gives the same number of records than the first step.

. A hierarchy with single values work.

I do not know what else to try..

Thanks.

YB.

15 REPLIES 15

Former Member

‎10-28-2011 11:38 AM

0 Kudos

Hi,

In case you are just trying to restrict access on few specific cost centers then you can use the Exclude (E) Functionality instead of Include (I) which is default and put in the specific values.

Eg: E EQ 1000772

E EQ 2000772

Thanks,

Deb

Former Member

‎10-28-2011 2:25 PM

0 Kudos

Hello Deb

I forgot to mention I tried to use the 'E' but it is always greyed out. So I can not select it. Is there a trick way to <ungrey out> this option ?

Tx

Yves.

Former Member
In response to Former Member

‎10-28-2011 4:22 PM

0 Kudos

Hi,

If that is grayed out, I will try to find out what drives it and if there is any setting which governs maintenance of that column.

However you can also try out an alternative solution:

Request ABAP/BI consultants to create an User exit type variable which will have all the cost centers that you want users to have access ( either code can be dynamic or hard coded). This variable should not be same as auth type variable used in the relevant BI reports.

You can add that user exit variable in your analysis auth.

Thanks,

Deb

Former Member

‎10-28-2011 4:30 PM

0 Kudos

Hello again Deb

By researching more it looks like the 'E' is greyed out for a reason and not allowed.

Your suggesiton is a good one but I was hoping not to use it but I might have to. I am also trying to have a hierarchy (with enumerated values and not a range) and remove the 2 cost centers. I will test that.

But it looks like a range with char objects like cost center does not work right and we may have to do a customer exit.

If you find anything in the mean time please let me know.

Former Member
In response to Former Member

‎10-28-2011 5:14 PM

0 Kudos

Hi,

I will am looking out for it. A combination of I and E should work as it makes sense. Would be interesting to know about this.

Thanks,

Deb

shivraj_singh2
Active Participant
In response to Former Member

‎11-02-2011 11:21 PM

0 Kudos

- The option E can be used only in 0TCAVALID (SAP Help).

- Try to stick with I, CP and BT and while using BT do not use wild character [BT A* B*] - Stay simple, life will be easy

- Please go to table RSECVAL and pull out all the values for the analysis authorization for 0COSTCENTER and post it in the forum. Issue might not be in the specified range

Former Member

‎11-03-2011 3:25 PM

0 Kudos

Good morning

Here it is from RSECVAL

ZCC_TEST 0COSTCENTER I BT 1000000 1000771

ZCC_TEST 0COSTCENTER I BT 1000773 2000771

ZCC_TEST 0COSTCENTER I BT 2000773 9999999

ZCC_TEST 0COSTCENTER I EQ #

ZCC_TEST 0COSTCENTER I EQ :

ZCC_TEST 0INFOPROV I CP *

ZCC_TEST 0TCAACTVT I EQ 03

ZCC_TEST 0TCAIPROV I CP *

ZCC_TEST 0TCAKYFNM I CP *

Thank you for your help.

shivraj_singh2
Active Participant
In response to Former Member

‎11-03-2011 6:37 PM

0 Kudos

Please review

ZCC_TEST 0INFOPROV I CP *

I think the the object is 0TCAIFAREA. Even with that object, if you can avoid using it, it will be easier in future.

Try this

0TCAACTVT I EQ 03

0TCAIPROV I CP *

0TCAKYFNM I CP *

0TCAVALID *

0COSTCENTER [Range you want to display]

All other objects auth-relevant for the InfoProvider for the concerned query :

Check the log in RSECADMIN. It will very clearly tell you what values are getting checked.

Former Member

‎11-03-2011 7:25 PM

0 Kudos

Hello again...

0INFOPROV had to be there as it was giving me authorization errors and the trace mentioned that.

Tx.

Former Member
In response to Former Member

‎11-04-2011 10:21 AM

0 Kudos

Hi,

I consulted with few BI consultants, and the best way we could find out is using User Exit Variable which I mentioned before.

There are quite a few huge project using this method for fulfilling much more complicated requirements than this one.

Also, you can make an user exit variable dynamic and therefore can be globally used for variety of requirements.

Thanks Deb

shivraj_singh2
Active Participant
In response to Former Member

‎11-07-2011 6:16 PM

0 Kudos

Hi Yves,

0INFOPROV is giving you authorization error because it must have been marked authorization relevant in RSD1, and that is what I meant to review, do you really need it to be authorization relevant. For most cases 0TCAIPROV is sufficient to control for InfoProvider access.

Also you are providing 0TCAKYFNM I CP * - if your design is not restricting on Key Figures, it will be better for just unmark the auth relevancy on Key Figures. It will reduce maintainence effort considerable for now and future.

and about 0COSTCENTER - Please start with

0COSTCENTER I BT 1000000 1000771

check the log and then

increase the range

ZCC_TEST 0COSTCENTER I BT 1000000 1000771

ZCC_TEST 0COSTCENTER I BT 1000773 2000771

If results are skipping the provided range then the best and I guess only option is to raise an OSS message.

Former Member
In response to Former Member

‎11-07-2011 6:29 PM

0 Kudos

You are right for 0INFOPROV. It was installed as it with marked as <authorization relevant>. I will take care of this one.

I have raised a message with SAP. I have prepared a simple test case with a range of 5 cost centers as opposed to an enumerated list of the same 5 cost centers. The range is still failing but the enumerated list works perfectly. They are supposed to login today or tomorrow so I will post the solution when the mystery is solved...

tx

Former Member
In response to Former Member

‎11-07-2011 6:34 PM

0 Kudos

Shivraj

I can't assign any points for your last answer as I am not sure why but I can't get back to the user id that posted the message. I can only reply. If I find the problem I will be happy to assign some points for your last answer. Sorry about that.

shivraj_singh2
Active Participant
In response to Former Member

‎11-08-2011 7:30 PM

0 Kudos

Np Yves,

It not about the points, but please share the outcome.

Former Member

‎11-11-2011 7:05 PM

Here is how the problem was solved based on a message opened at SAP and various tests.

The range authorization analysis now works only if the authorization variable in the query is defined as <Selection option>.

And, of course, as an <Authorization> type of variable...

Case closed...