10-27-2011 9:58 PM
Hello BIW security experts
I have a problem where I created an analysis authorization on a cost center range and it looks like the interval is not working. The report is just a list of cost centers (demo to users to prove that analysis authorizations work in order to skip 2 managerial cost centers.
. Cost centers are numeric. Example: 2000100. In the drop down list they appear as such.
. I want to have the following cost center range: 1000000 to 1000771, 1000773 to 2000771, 2000773 to 9999999.
Thereofore 1000772 and 2000772 should not appear in the list.
. In the analysis authorization I have put the 3 ranges above on 3 separate lines. 'BT' is the operator. The cost centers have been selected from the drop down list.
Results: I get only 1 record from the report.... 2000772. (which is one I want to exclude..
Steps tried to debug:
. When I put a list of cost centers in the analysis authorization on separate line with the 'EQ' operator, then the report works.
. I tried putting ' ' delimiters since cost center is a char field but it fails.
. I tried adding leading and trailing zeros to fill up the char(10) but no luck.
. I tried creating a hierarchy with the interval and put it in the hierachy auth. tab and it does not work either. It gives the same number of records than the first step.
. A hierarchy with single values work.
I do not know what else to try..
Thanks.
YB.
10-28-2011 11:38 AM
Hi,
In case you are just trying to restrict access on few specific cost centers then you can use the Exclude (E) Functionality instead of Include (I) which is default and put in the specific values.
Eg: E EQ 1000772
E EQ 2000772
Thanks,
Deb
10-28-2011 2:25 PM
Hello Deb
I forgot to mention I tried to use the 'E' but it is always greyed out. So I can not select it. Is there a trick way to <ungrey out> this option ?
Tx
Yves.
10-28-2011 4:22 PM
Hi,
If that is grayed out, I will try to find out what drives it and if there is any setting which governs maintenance of that column.
However you can also try out an alternative solution:
Request ABAP/BI consultants to create an User exit type variable which will have all the cost centers that you want users to have access ( either code can be dynamic or hard coded). This variable should not be same as auth type variable used in the relevant BI reports.
You can add that user exit variable in your analysis auth.
Thanks,
Deb
10-28-2011 4:30 PM
Hello again Deb
By researching more it looks like the 'E' is greyed out for a reason and not allowed.
Your suggesiton is a good one but I was hoping not to use it but I might have to. I am also trying to have a hierarchy (with enumerated values and not a range) and remove the 2 cost centers. I will test that.
But it looks like a range with char objects like cost center does not work right and we may have to do a customer exit.
If you find anything in the mean time please let me know.
10-28-2011 5:14 PM
Hi,
I will am looking out for it. A combination of I and E should work as it makes sense. Would be interesting to know about this.
Thanks,
Deb
11-02-2011 11:21 PM
- The option E can be used only in 0TCAVALID (SAP Help).
- Try to stick with I, CP and BT and while using BT do not use wild character [BT A* B*] - Stay simple, life will be easy
- Please go to table RSECVAL and pull out all the values for the analysis authorization for 0COSTCENTER and post it in the forum. Issue might not be in the specified range
11-03-2011 3:25 PM
Good morning
Here it is from RSECVAL
ZCC_TEST 0COSTCENTER I BT 1000000 1000771
ZCC_TEST 0COSTCENTER I BT 1000773 2000771
ZCC_TEST 0COSTCENTER I BT 2000773 9999999
ZCC_TEST 0COSTCENTER I EQ #
ZCC_TEST 0COSTCENTER I EQ :
ZCC_TEST 0INFOPROV I CP *
ZCC_TEST 0TCAACTVT I EQ 03
ZCC_TEST 0TCAIPROV I CP *
ZCC_TEST 0TCAKYFNM I CP *
Thank you for your help.
11-03-2011 6:37 PM
Please review
ZCC_TEST 0INFOPROV I CP *
I think the the object is 0TCAIFAREA. Even with that object, if you can avoid using it, it will be easier in future.
Try this
0TCAACTVT I EQ 03
0TCAIPROV I CP *
0TCAKYFNM I CP *
0TCAVALID *
0COSTCENTER [Range you want to display]
All other objects auth-relevant for the InfoProvider for the concerned query :
Check the log in RSECADMIN. It will very clearly tell you what values are getting checked.
11-03-2011 7:25 PM
Hello again...
0INFOPROV had to be there as it was giving me authorization errors and the trace mentioned that.
Tx.
11-04-2011 10:21 AM
Hi,
I consulted with few BI consultants, and the best way we could find out is using User Exit Variable which I mentioned before.
There are quite a few huge project using this method for fulfilling much more complicated requirements than this one.
Also, you can make an user exit variable dynamic and therefore can be globally used for variety of requirements.
Thanks Deb
11-07-2011 6:16 PM
Hi Yves,
0INFOPROV is giving you authorization error because it must have been marked authorization relevant in RSD1, and that is what I meant to review, do you really need it to be authorization relevant. For most cases 0TCAIPROV is sufficient to control for InfoProvider access.
Also you are providing 0TCAKYFNM I CP * - if your design is not restricting on Key Figures, it will be better for just unmark the auth relevancy on Key Figures. It will reduce maintainence effort considerable for now and future.
and about 0COSTCENTER - Please start with
0COSTCENTER I BT 1000000 1000771
check the log and then
increase the range
ZCC_TEST 0COSTCENTER I BT 1000000 1000771
ZCC_TEST 0COSTCENTER I BT 1000773 2000771
If results are skipping the provided range then the best and I guess only option is to raise an OSS message.
11-07-2011 6:29 PM
You are right for 0INFOPROV. It was installed as it with marked as <authorization relevant>. I will take care of this one.
I have raised a message with SAP. I have prepared a simple test case with a range of 5 cost centers as opposed to an enumerated list of the same 5 cost centers. The range is still failing but the enumerated list works perfectly. They are supposed to login today or tomorrow so I will post the solution when the mystery is solved...
tx
11-07-2011 6:34 PM
Shivraj
I can't assign any points for your last answer as I am not sure why but I can't get back to the user id that posted the message. I can only reply. If I find the problem I will be happy to assign some points for your last answer. Sorry about that.
11-08-2011 7:30 PM
11-11-2011 7:05 PM
Here is how the problem was solved based on a message opened at SAP and various tests.
The range authorization analysis now works only if the authorization variable in the query is defined as <Selection option>.
And, of course, as an <Authorization> type of variable...
Case closed...