these values(or any value) has to be provided through Analysis Auth. Object. What is the use of Creating a Variable and marking it  'Processing by Authorization'.

Hi Plaban,

 But even if i do not do this, still then values can be picked up from Analysis Object.

The values/input to the query selection fields are either supplied by user or processed as 'blank' values. These input values are then compared with user's analysis authorization values to determine if the user is authorized to query upon those values of infoobjects.

With a variable defined as processing type "Authorization", you can automatically pass the values of any particular infoobject from user's analysis authorization as input to the query. You can further control if a user is allowed to change the input values (once they are automatically picked up by the variable) or not via the "ready for input" check box.

Hope this clarifies.

Thanks

Sandipan

Without using Variable, with processing type "Authorization" ALSO, I can pass values in Analysis Auth.(AA) Object.I just need to give that particular value in AA object directly. So, what is the need of Variable?

I do not find any difference by using/not using 'Ready for Input' button. We can ignore this now.

There is a difference between query input field values and analysis authorization vlaues which you need to consider.

Suppose you have a auth relevant characteristics 0COMP_CODE which is one of the query input field and user's analysis authorization has 0COMP_CODE=1000, 2000.

Now while user enters the values for query input field i.e for 0COMP_CODE, its upto him to input any value in the query input field or leave it blank. So if user enters 1000, he is authorized but if he enters 2000 & 3000, the result is not authorized because of BI's all or none principle.

Hence if you want the user to execute the query with only those input values that he is authorized for, then you can use an authorization type variable to automatically fill the values (in above example 1000 & 2000) from user's analysis authorization.

Thanks

Sandipan

If user is provided with the value 1000 only in AA object, then he cannot access data for any other value. This can be done WITHOUT creating Variable also. Now, Query Input scenario is below:

Case 1.if field is displayed for Input, then user gets report(data) or error, as per AA object
Case 2. IF field is NO displayed for input, then value from AA is read and report is displayed.

Now, where and how does Variable with 'Authorization', come into play?

PLABAN SAHOO wrote:
Case 2. IF field is NO displayed for input, then value from AA is read and report is displayed.

I am curious how do you make a field "NO displayed for input" ? and what values does the system compare with the AA values before deciding whether user is authorized or not?

If user's AA has 0COMP_CODE=1000 and he enters 1000 as query input  then the result is authorized. But what happens when user enters 1000 as well 2000 as input or just leaves the field "BLANK"? The result is not authorized.

Here is the point when we want the user to run the query inputting only those values of 0COMP_CODE as that are contained in his AA. There is no chance an end-user would know what his AA contains, so he will either enter any or no values for query input field 0COMP_CODE. A authorization type variable helps to automatically fetch the values from user's AA and pass them as input to the query.

You should look at it as- in any authozation check, a value A has to be compared against value B. Where value A could be authority checks in a program or query inputs in BI and Value B is authorization contained in roles, analysis authorizations in BI. So even if user has value B for 0COMP_CODE in his analysis authorization but it still needs Query input (i.e Value A) for comparison or authorization check to happen at the first place. Thereafter based on the authorization check logic, the access is granted or denied.

I am sorry if I haven't be able to express myself clearly. Should you still have any questions, please do let me know.

Thanks

Sandipan