
Selective checks with Analysis Authorizations and Hierarchies

Former Member
0 Kudos

Hello,

I'm looking for some insight on the following scenario.

Our security model requires four different infoObjects to be checked across different infoProviders. For each infoProvider, there is usually only one of the 4 secured characteristics that needs to be checked; however, often more than one (or even all 4) are included in the cube.

In general, I've seen this work pretty much the same way in the new analysis auth concept with one major difference. In the new concept, marking an infoObject auth relevant activates a check on that infoObject for every query written against a cube that contains that object, regardless of its inclusion in the query or not. In most cases this is fine - either it is included in the query and it is our "main" checked object, thus it is selected at runtime and the user executes the query only with the values for which they are authorized - or it is not included in the query and the colon auth satisfies the aggregate check.

There are a few scenarios where this breaks down. We have several queries that include more than one of the auth relevant objects but functionally only require one of those objects to be checked. In the old concept, the undesired check could be "turned off" for this cube and the user would not have an issue. In the new concept, since the user is not required to specify the node for the "unchecked" object, the query effectively executes with a "*" call for that object. Since the user's analysis auth for that cube only specifies the colon auth, the auth check fails. The only way around this is to give the user "*" auth to the unchecked infoObject for the infoProviders where it is not a relevant security object. Adding this auth, however, causes the user to no longer have their hierarchy selections filtered in the queries where this object SHOULD be checked because the union of their analysis auths includes a value of "*".

So the main issue is preserving the nice feature of filtering the hierarchy selection options based on what the user is authorized to see while still allowing the ability to selectively check auth relevant infoObjects from one infoProvider to the next.

I appreciate any help (that means you - Prakash! )

Thanks

1 ACCEPTED SOLUTION

WolfgangJanzen
Product and Topic Expert
0 Kudos

> In the new concept, since the user is not required to specify the node
> for the "unchecked" object, the query effectively executes with a "*" call
> for that object.

That sounds like a bug. Occasionally someone misunderstands the AUTHORITY-CHECK concept and assumes that requesting a '*' value is equivalent to labelling a field as "not relevant" (not knowing that there is the DUMMY directive, see ABAP online help).

In that case I'd recommend reporting this as a support issue to SAP.

Cheers, Wolfgang
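
The behaviour described in the question, and the distinction the reply draws between requesting "*" and treating a field as not relevant (DUMMY), as a small Python model. This is an added example, not code from the thread or from SAP: the names `Auth`, `check` and `value_help`, the infoProviders SALES and COSTS and the REGION nodes are constructed, and the matching rules are a simplification of what the posts report.

```python
# Simplified model of the behaviour reported in this thread, not SAP's implementation.
# Auth, check, value_help and all sample data are constructed for illustration.
from dataclasses import dataclass

ALL, AGG = "*", ":"   # full authorization / aggregated ("colon") authorization
DUMMY = None          # field treated as not relevant: no check is performed

@dataclass(frozen=True)
class Auth:
    provider: str       # infoProvider the authorization is valid for
    obj: str            # authorization-relevant infoObject
    values: frozenset   # hierarchy nodes, "*" or ":"

def granted(auths, obj, provider=None):
    """Union of granted values for obj, optionally limited to one infoProvider."""
    return set().union(*(a.values for a in auths
                         if a.obj == obj and provider in (None, a.provider)))

def check(auths, provider, requested):
    """requested maps infoObject -> set of nodes, "*", ":" or DUMMY."""
    for obj, want in requested.items():
        have = granted(auths, obj, provider)
        if want is DUMMY or ALL in have:
            continue                       # skipped, or fully authorized
        if want in (ALL, AGG):
            if want not in have:           # "*" needs "*", ":" needs ":"
                return False
        elif not want <= have:             # every requested node must be granted
            return False
    return True

def value_help(auths, obj, nodes):
    """Nodes offered for selection, filtered by the union over all infoProviders."""
    have = granted(auths, obj)
    return set(nodes) if ALL in have else set(nodes) & have

NODES = {"EMEA", "APAC", "AMER"}
# REGION is the checked object on SALES; on COSTS it is present but not meant to be.
BASE = [Auth("SALES", "REGION", frozenset({"EMEA"})),
        Auth("COSTS", "REGION", frozenset({AGG}))]
WORKAROUND = BASE + [Auth("COSTS", "REGION", frozenset({ALL}))]

if __name__ == "__main__":
    print(check(BASE, "COSTS", {"REGION": AGG}))        # object not in the query
    print(check(BASE, "COSTS", {"REGION": ALL}))        # in the query, unrestricted
    print(check(BASE, "COSTS", {"REGION": DUMMY}))      # treated as not relevant
    print(check(WORKAROUND, "COSTS", {"REGION": ALL}))  # workaround passes the check
    print(sorted(value_help(BASE, "REGION", NODES)))        # filtered selection
    print(sorted(value_help(WORKAROUND, "REGION", NODES)))  # filter lost
```

In this model the colon authorization passes only the aggregate request, the unrestricted request needs "*", and once "*" is granted anywhere for REGION the selection list is no longer narrowed to the authorized node.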

9 REPLIES 9

Former Member
0 Kudos

Hi Matthew,

I am trying to implement hierarchy authorizations in BI 7.0 but it is not working. The scenario is as follows, along with what I have done:

I have a hierarchy built on an authorization object, say X, and I want to build a hierarchy authorization to see only a particular node in the hierarchy.

Here is what I did:

In RSECADMIN I created an authorization as below:

0TCAIPROV = *

0TCAVALID = *

0TCACTVT = 03

(INFO OBJECT) X AND selected the node from the hierarchy

I assigned this authorization to a user but still he is able to see all the other reports. I would like to know if I am missing something.

Thanks.

0 Kudos

Hi narsing,

Analysis authorizations only restrict data within a given report; they do not restrict which reports a user can execute. Standard authorization objects S_RS_COMP and S_RS_COMP1 are still used as the basic report security objects.

The scenario you described above would restrict the data to the node you specified in the hierarchy for infoObject X.

Cheers

manohar_kappala2
Contributor
0 Kudos

Hi,

There are other authorization values too, in addition to "*" and ":"; they are "#" and "$". So "#" gives access to the unassigned infoObjects. This might suffice for the problem you might be facing; try using "#" and let me know if it works.

Also look into this:

http://help.sap.com/saphelp_nw2004s/helpdata/en/be/076f3b6c980c3be10000000a11402f/frameset.htm

might help

Regards,

Manohar

0 Kudos

Hi Matthew, what I meant was he was able to see the data from other nodes as well.

0 Kudos

When I execute a report he must see the data for that node only, but he is seeing data from other nodes as well. Actually there is a drop-down list from which we can select a region. Using the hierarchy I restricted to a particular region. When he selects another region from the list, even then he is able to see the data. He is not getting authorization errors.

Thanks.

PKing
Participant
0 Kudos

Hello Matthew,

how did you solve the problem? I am currently in a migration project, was wondering and struggling exactly about this same problem you have, posted a question (Necessary Authorizations while migrating auhorization objects) and now coincidentally read all these comments. Can you please include the solution here and how you are able to reflect this problem in your analysis authorization concept?

Thanks,

Petra

Former Member
0 Kudos

Hi Matthew,

I am upgrading BW 3.1 to BI 7.0.

I have some problems in migrating hierarchies from 3.1 to 7.0.

Can you share your experience in upgrading hierarchies? That would help me a lot.

Thanks,

Ram