cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RSECADMIN - Problems with authorization 0BI_ALL

Former Member

on ‎10-11-2006 3:56 AM

0 Kudos

Hi Dears,

I need to implement a new authorization object to restrict values of characteristics per USERS.

I am using BW 7.0 version and RSECADMIN transaction.

I created an authorization object "ZTEST" with characteristics following related:

- 0SALESORG = 1122

- 0TCAIPROV = *

- 0TCAACTVT = 03

- 0TCAVALID = *

But, When I run the query appear the message error:

"The user have no authorization to access"

Using SU53 Transaction I saw more details about the authorization error:

"Authorization Object S_RS_AUTH BI Analysis Authorizations in Role

BI Analysis Authorizations: Name of an Authorization 0BI_ALL"

After this, I did another tests:

1) I assigned the authorization "0BI_ALL" in the ZTEST object, But the authorization doesn't work yet.

2) I created another authorization object, copy of 0BI_ALL. But, the problems occurs again.

"The user have no authorization to access"

Despite, it is only working when I use the 0BI_ALL authorization object.

But, The 0BI_ALL provide access to everythings and it´s impossible for us.

Please, I would like to create a new authorization object with specifics characteristics. Can you help me?

Thanks a lot.

Best Regard,

Caio Galantini.

São Paulo - Brazil

Show replies
Show replies
Answer

Accepted Solutions (0)

Answers (9)

Answers (9)

Former Member
‎08-25-2008 8:32 PM
0 Kudos

All,

Has anyone resolved this error? I am having the exact same error as described by several people on this thread. I have tried everything mentioned in the thread and read all the OSS Notes referenced and I still get the same error message.

Are there any steps I would have missed?

-- I have created the new authorization via RSECAUTH. The new object ZEMPLOYEE is restricted to only 1 employee number (just to test). InfoObject 0EMPLOYEE is marked as auth-relevant.

-- I also included the 3 special objects 0TCAACTVT = 03, 0TCAIPROV = *, 0TCAVALID = *. The 3 objects are also marked as auth-relevant

-- I added the new object ZEMPLOYEE to user via RSU01. Also tried creating a brand new role with just S_RS_AUTH = ZEMPLOYEE and assigned to user.

-- When user executes report, it gets the "You do not have sufficient authorization" message.

-- I tried creating an authorization BEx variable for the InfoObject as suggested and that didn't work either.

-- As per oss note 820183, I also regenerated 0BI_ALL and ran $SYNC in the system. None of these corrected the problem.

Have I missed any steps? Is there something special I am missing?

Thanks.

Jose

Show replies
Show replies
Former Member
‎11-15-2008 12:55 PM
0 Kudos

I am having similar issues and have tried everything possible.

Any suggestions?

Former Member
‎11-15-2008 1:13 PM
0 Kudos

Hello,

I had the same issue and after a lot of research, i found out the following solution. I am not sure if this is the standard way. But the restriction works for me anyway.

Lets say, you are trying to restrict "plant" using RSECADMIN.. This plant should be a part of the selection screen in the BI report. Then only the restriction works. Otherwise, it keeps on giving you this authorization error.

In the initial state, our report did not have "plant" as part of the selection screen. But when i restrict, it was not working even through i marked the object as "authorization relevant". But the same was working fine for SD report when i try to restrict using "distribution channel". I compared both the reports and found the onl difference was : Plant was not there in the selection screen of the PM report where as "Distribution channel" was part of the selection screen in the SD report. I asked the BI consultant to include "plant" as part of the selection screen in the report and then restricted using RSECADMIN and It worked perfectly!! .. Im not sure if this is the standard and if its because it checks the selection screen during run time. But my issue was solved anyway.

Hope this helps. Award points if this solve your problem.

Regards,

Jazz

Former Member
‎11-15-2008 7:21 PM
0 Kudos

I tried that approach but unfortunately it did not work.

The challenge I am dealing with is the usage of this BI 7.0 Security concept within the interactive demand planning environment, but it is the same as query, only difference is I'm using an OLAP transation rather than a query.

Former Member
‎11-16-2008 1:42 PM
0 Kudos

Hi All.

I faced the same problem and I think I found a solution.

Try to proceed this way:

1. Make a copy of 0BI_ALL in RSECADMIN

2. Edit new created authorization object (copy 0BI_ALL)

3. Make a restriction for characterictics you want to use for authorization

4. Assign your authorization object to the user. You don't need any other auth. objects.

In may case it works. I have a user without sap_all profile and with suppressed R_SR_AUTH in a role.

Hope it helps.

Regards

Maciej

Edited by: Maciej Garecki on Nov 16, 2008 2:42 PM

Former Member
‎11-19-2008 5:05 PM
0 Kudos

To use RSUDO for interactive planning you need to turn on the authorization and hit execute and on the next screen hit execute and let the system tell you that no query exists. Then, go do the transcation and it WILL record the authorization and you can review it via the log.

The reason why the input products wasn't working was because the SAP functionality for DP-PPM performs an aggregation for the components (even when you are on the output) and aggregation requires the concept of colon authorization.

Within the authorization object in RSCEADMIN add a new line for the characteristics and add a new line with the value of ":"

MSATL
Discoverer
‎04-08-2008 9:30 PM
0 Kudos

You need to include the 0TCA characteristics esp. 0TCAIPROV (with the value of the infoproviders) in the analysis authorization that you've built.

I had the same issue and unfortunately the trace wouldn't give much clues.

I know that the thread is rather old but hope this helps those folks who are looking for assistance on this issue.

Show replies
Show replies
Former Member
‎04-25-2007 1:21 AM
0 Kudos

0BI_ALL need to be updated just like SAP_ALL.

You can update 0BI_ALL thru RSECADMIN -> Extra -> Update 0BI_ALL Authorization.

For SAP_ALL, you uses SU21.

Hope this help.

Thanks,

Lye

Show replies
Show replies
Former Member
‎04-13-2007 11:54 PM
0 Kudos

Hi all,

I had the same problem and i resolve in this way:

1) Also if the user has to be restrained to <u>only one characteristic</u> (ES: Costelement = 1000*) you have to put in the authorization built in RSECADMIN all authorization relevant infoobjects that you have in your infocube (the value in RSCEDADMIN will be = *)

2) You have to make an authorization relevant variable in BEX for 0costelement that will be not ready for input if the user don't have to select the values in pop up; if the user has to select values you make it ready for input but it is mandatory to make the variable.

3) Add also the infoobject 0tcakyfnm in authorization RSECADMIN and make the value = *

In this way it works great.

Hope this help.

Alessandro Baiocchi

Show replies
Show replies
Former Member
‎01-19-2007 1:18 AM
0 Kudos

I am also facing the same issue. I am trying to restrict at Compnay code level/Region level. When I have * in S_RS_AUTH then I can see all the data for all the regions. When I put specific region authorization in S_RS_AUTH then I get error message "insufficent Authorizations" Any help would be appreciated.

Gurpreet Mann

Show replies
Show replies
Former Member
‎02-01-2007 9:46 AM
0 Kudos

Same as all of you ...

And any help also appreciated ... An how to seems needed...

Fabrice

Former Member
‎12-21-2006 1:40 PM
0 Kudos

Hi,

Put the name of the authorization object you created in RSECADMIN in the s_rs_auth and remove 0bi_all. Your have 3 ways of working. add your authorization object created with RSECADM direct to the user, work with a user group or when you uses functional authorizations with the PFCG add the object to s_rs_auth. You can see rsecadmin which objects are added in s_rs_auth.

Bye Jan

Show replies
Show replies
Former Member
‎10-12-2006 2:05 PM
0 Kudos

did you add S_RS_COMP and S_RS_COMP1 to the user

Show replies
Show replies
Former Member
‎10-18-2006 3:27 PM
0 Kudos

Hello,

I'm sorry for jumping into this conversation, but I'm having the same exact problem. I'm trying to restrict to a specific fund center, but the SU53 comes back stating I need to grant 0BI_ALL which defeat the purpose of restricting. I've applied the suggested RFC, S_RS_COMP and S_RS_COMP1 but still doesn't work. Any other suggestion? Thanks in advance for your help.

Former Member
‎02-21-2007 11:50 AM
0 Kudos

SU53 is not the proper way to analyze these issues. I suggest to look into transaction RSECADMIN, and to read note 820183.

Former Member
‎10-11-2006 8:02 PM
0 Kudos

did you assign , infocube object/ods object too

Show replies
Show replies
Former Member
‎10-11-2006 8:18 PM
0 Kudos

Yes, when I execute the query appear the message error.

"No authorization"

When I acess the SU53 transaction, I see the log:

"Authorization Object S_RS_AUTH BI Analysis Authorizations in Role"

"BI Analysis Authorizations: Name of an Authorization 0BI_ALL"

If I assigned the autorization "0BI_ALL" in object authorization "S_RS_AUTH" the query works. But I need to restricted the values of characterirtic 0SALESORG.

Thank's

Former Member
‎02-02-2007 12:20 PM
0 Kudos

Hi Caio,

i'm experiencing problem with authorization as you described in your post.

Did you find the right way to secure query using custom authorization instead of 0BI_ALL?

Thanks a lot.

Francesco

Former Member
‎10-11-2006 5:55 PM
0 Kudos

you also need to give the user access to S_RFC, infocube/ODS and type is REP

Show replies
Show replies
Former Member
‎10-11-2006 7:01 PM
0 Kudos

The authorization object S_RFC already is assigned in my authorization with values following related:

- Activity = All Activities

- Name of RFC to be protected = *

- Type of RFC object to be protected = All values

Thank's

Ask a Question