HR Security - How to setup BW Security similar to Security setup on R/3

Former Member
0 Kudos

Hello Gurus,

In our BW environment we are restricting the HR data based on the administrator group (SBMOD). For example, we have two analysis authorizations. The first one gives access to US SBMOD values and the second one gives access to EX-US (International) SBMOD values. Then if a user is assigned both authorizations and he runs the query for all the SBMOD values, no data is returned. Is there a way to make this combination work in BI Analysis Authorizations?

I understand in BW I can create one role that, for the example above, gives access to all SBMOD values, and then the person who had this role would have access to all employees.

This is just one example. We are an international company and on the R/3 side have over 1000 roles for different groups of employees, and we can assign multiple roles to give access to multiple groups of people, because in R/3 you get the join of all the roles you have.

We are able to give multiple roles on R/3 to make this work; we are trying to avoid creating a role in BW for every combination of roles assigned on R/3.

Any suggestions would be appreciated.

Thanks,

Dileep

4 REPLIES 4

Former Member
0 Kudos

Hi,

From your question, can I derive the following points?

1. SBMOD is a characteristic (or InfoObject) which is authorization relevant.

2. You have created at least two analysis auths, one for US SBMOD and the other one for EX-US SBMOD, and these two have different sets of values/ranges in them.

3. When you assign both the above analysis auths to the user, then the user is unable to view any data?

4. You are sure that in the system there is no unassigned data, by which I mean there is no data which corresponds to none of the SBMODs.

Let me know if this is not the correct understanding. Also please provide here what values are maintained in the analysis auths.

FYI: analysis auths can work in combination, the same way as roles in ECC. However, as you know, in BI there are queries, unlike reports in ECC; therefore input selection needs to be precise for output of data. Otherwise we often get the message "No data found".

Also you need to trace analysis auths for errors. Often running queries for complete/full load data requires a ":" (colon) along with the provided values for characteristics.

Thanks, Deb

0 Kudos

Deb,

I work with Dileep.

Here is our setup for 3 separate roles in RSECVAL:

User master maintenance:

Authorization  InfoObject   SIGN  Operator  Internal Characteristic Value  Internal Characteristic Value
YHRGLB         0BUS_AREA    I     CP        *
YHRGLB         0COMP_CODE   I     CP        *
YHRGLB         0CO_AREA     I     CP        *
YHRGLB         0EMPLGROUP   I     CP        *
YHRGLB         0EMPLSGROUP  I     CP        *
YHRGLB         0ORGUNIT     I     CP        *
YHRGLB         0ORG_KEY     I     CP        *
YHRGLB         0PERS_AREA   I     CP        *
YHRGLB         0PERS_SAREA  I     CP        *
YHRGLB         0PLANT       I     CP        *
YHRGLB         0TCAACTVT    I     EQ        03
YHRGLB         0TCAIPROV    I     CP        0HAP*
YHRGLB         0TCAIPROV    I     CP        0PA*
YHRGLB         0TCAIPROV    I     CP        YCATS*
YHRGLB         0TCAIPROV    I     CP        YHR*
YHRGLB         0TCAIPROV    I     CP        YPA*
YHRGLB         0TCAIPROV    I     CP        YPY*
YHRGLB         0TCAIPROV    I     EQ        0EMPLOYEE
YHRGLB         0TCAIPROV    I     EQ        0PERSON
YHRGLB         0TCAKYFNM    I     CP        *
YHRGLB         0TCAVALID    I     CP        *
YHRGLB         YHRMDADMN    I     CP        *
YHRGLB         YHRPRLADM    I     CP        *
YHRGLB         YHRSBMOD     I     CP        *
YHRGLB         YHRTRADMN    I     CP        *

YHRINTL        0BUS_AREA    I     CP        *
YHRINTL        0COMP_CODE   I     CP        *
YHRINTL        0CO_AREA     I     CP        *
YHRINTL        0EMPLGROUP   I     CP        *
YHRINTL        0EMPLSGROUP  I     CP        *
YHRINTL        0ORGUNIT     I     CP        *
YHRINTL        0ORG_KEY     I     CP        *
YHRINTL        0PERS_AREA   I     CP        *
YHRINTL        0PERS_SAREA  I     CP        *
YHRINTL        0PLANT       I     CP        *
YHRINTL        0TCAACTVT    I     EQ        03
YHRINTL        0TCAIPROV    I     CP        0HAP*
YHRINTL        0TCAIPROV    I     CP        0PA*
YHRINTL        0TCAIPROV    I     CP        YCATS*
YHRINTL        0TCAIPROV    I     CP        YHR*
YHRINTL        0TCAIPROV    I     CP        YPA*
YHRINTL        0TCAIPROV    I     CP        YPY*
YHRINTL        0TCAIPROV    I     EQ        0EMPLOYEE
YHRINTL        0TCAIPROV    I     EQ        0PERSON
YHRINTL        0TCAKYFNM    I     CP        *
YHRINTL        0TCAVALID    I     CP        *
YHRINTL        YHRMDADMN    I     CP        *
YHRINTL        YHRPRLADM    I     CP        *
YHRINTL        YHRSBMOD     I     BT        A%                             O%
YHRINTL        YHRSBMOD     I     BT        Q%                             Z%
YHRINTL        YHRTRADMN    I     CP        *

YHRUS          0BUS_AREA    I     CP        *
YHRUS          0COMP_CODE   I     CP        *
YHRUS          0CO_AREA     I     CP        *
YHRUS          0EMPLGROUP   I     CP        *
YHRUS          0EMPLSGROUP  I     CP        *
YHRUS          0ORGUNIT     I     CP        *
YHRUS          0ORG_KEY     I     CP        *
YHRUS          0PERS_AREA   I     CP        *
YHRUS          0PERS_SAREA  I     CP        *
YHRUS          0PLANT       I     CP        *
YHRUS          0TCAACTVT    I     EQ        03
YHRUS          0TCAIPROV    I     CP        0HAP*
YHRUS          0TCAIPROV    I     CP        0PA*
YHRUS          0TCAIPROV    I     CP        YCATS*
YHRUS          0TCAIPROV    I     CP        YHR*
YHRUS          0TCAIPROV    I     CP        YPA*
YHRUS          0TCAIPROV    I     CP        YPY*
YHRUS          0TCAIPROV    I     EQ        0EMPLOYEE
YHRUS          0TCAIPROV    I     EQ        0PERSON
YHRUS          0TCAKYFNM    I     CP        *
YHRUS          0TCAVALID    I     CP        *
YHRUS          YHRMDADMN    I     CP        *
YHRUS          YHRPRLADM    I     CP        *
YHRUS          YHRSBMOD     I     BT        0000                           9ZZZ
YHRUS          YHRTRADMN    I     CP        *

We can assign someone the US or INTL or GLB. Ideally we would have liked to not have to create the Global role and just assigned the US and INTL roles to the same person.

Any suggestions of how we could set this up differently so we would not have to have a separate role for each combination of access would be greatly appreciated.

Thanks,

Barb
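An added example, not part of any post in this thread and not SAP code: a simplified Python model for auditing which values of one characteristic stay uncovered when several analysis authorizations are assigned together, using the YHRSBMOD rows posted above. It assumes that assigned authorizations are unioned, that BT bounds are compared as plain strings (so `%` is an ordinary character), and that a selection is granted only when every selected value is covered; the SBMOD sample values are constructed.

```python
import fnmatch

# YHRSBMOD rows copied from the post above: (operator, low, high).
AUTHS = {
    "YHRGLB":  [("CP", "*", None)],
    "YHRINTL": [("BT", "A%", "O%"), ("BT", "Q%", "Z%")],
    "YHRUS":   [("BT", "0000", "9ZZZ")],
}

# Constructed sample values; "#" stands for "not assigned".
SAMPLE_SBMOD = ["1000", "DE01", "PL01", "#"]


def row_allows(row, value):
    """True if a single value row authorizes `value` (simplified model)."""
    op, low, high = row
    if op == "CP":                       # pattern; only "*" occurs in these rows
        return fnmatch.fnmatchcase(value, low)
    if op == "EQ":
        return value == low
    if op == "BT":                       # assumption: plain string comparison
        return low <= value <= high
    raise ValueError(f"unsupported operator: {op}")


def allowed(assigned, value):
    """Union semantics: any row of any assigned authorization is enough."""
    return any(row_allows(row, value)
               for name in assigned for row in AUTHS[name])


def uncovered(assigned, selection):
    """Values in the selection that no assigned authorization covers."""
    return [v for v in selection if not allowed(assigned, v)]


def selection_granted(assigned, selection):
    """Assumed all-or-nothing check: one uncovered value rejects the selection."""
    return not uncovered(assigned, selection)


if __name__ == "__main__":
    combo = ["YHRUS", "YHRINTL"]
    print("gaps for US+INTL:", uncovered(combo, SAMPLE_SBMOD))
    print("granted with YHRGLB:", selection_granted(["YHRGLB"], SAMPLE_SBMOD))
```

Under these assumptions the US and INTL ranges together still leave gaps, so an unrestricted selection is not fully covered, while a selection limited to covered values is.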

0 Kudos

Barbara

Is the AA YHRINTL working by itself?

YHRINTL YHRSBMOD I BT A% O%

YHRINTL YHRSBMOD I BT Q% Z%

shivraj_singh2
Active Participant
0 Kudos

In our BW environment we are restricting the HR data based on the administrator group (SBMOD).

SBMOD is the field in ECC; in BW, what InfoObject are you using? If the InfoObject used for securing Adm Group in BW is showing as authorization relevant for the InfoProvider on which you are executing the HR query, then it should be pretty simple to build two separate analysis authorizations to control for the US adm group and the rest of the adm groups. Just make sure you are using the 0TCA characteristics properly for the authorizations to combine.