BI Upgrade

Former Member · ‎07-09-2012

Hi,

We are performing the BI Manual Security Migration from 3.5 to 7.3.

There are few BI ZAUTHOBJECTS and 4 BI Authobjects(for ICUBE,ISET,ODSO and MultiProv )

S_RS_ICUBE

S_RS_ODSO

S_RS_ISET

S_RS_MPRO

which are populated in the RSECADMIN (---> Extras---> 3.5 to 7.3) Migration screen.

So we took these and have manually created analysis auth for the Z and the 4 BI Authobjects.

1.My question is when we have scenario like below,how do we maintain the authorization seperately for ICUBE or ODSO( where 0TCAIPROV applies for the four objects)?

S_RS_ODSO ACTVT                          3, 23
S_RS_ODSO RSINFOAREA                *
S_RS_ODSO RSODSOBJ                    0AA*
S_RS_ODSO RSODSPART                 DATA

S_RS_ODSO RSODSPART                      *
S_RS_ODSO RSODSOBJ                        *
S_RS_ODSO RSINFOAREA                     *
S_RS_ODSO   ACTVT                               23

S_RS_ICUBE ACTVT 3

S_RS_ICUBE RSICUBEOBJ DATA

S_RS_ICUBE RSINFOAREA *

S_RS_ICUBE RSINFOCUBE 0AP*

I have created seperate objects for each authobject like below ,is this correct?

AUTHYY

0TCAACTCT 3,23

0TCAIPROV 0AA* , 0AP*

0TCAVALID *

0TCTIFAREA *

OR do we need to create as below seperately?

AUTHXX

0TCAACTCT 3

0TCAIPROV 0AA*

0TCAVALID *

0TCTIFAREA *

AUTHX1

0TCAACTCT 23

0TCAIPROV *

0TCAVALID *

0TCTIFAREA *

AUTHX2

0TCAACTCT 3

0TCAIPROV 0AP*

0TCAVALID *

0TCTIFAREA *

and added them in the roles.

But how can we add for S_RS_ODSO RSODSPART DATA

2.Can we add 0TCTIFAREA for Infoarea instead of 0TCAIFAREA

3.Can we add seperately 0TCTDSOURC, for DS Objects if in the case 1.?

4.For S_RS_ODSO RSODSPART DATA ,do we need to maintain the value DATA in S_RS_DS(which is for the DataSource or its sub objects).

Many Thanks.

Former Member · ‎07-09-2012

Hi,

1. If you are going through manual upgrade, make excel sheet of old objects with values (role by role), later compare with new values after migration.

if the example provided by you is for same user then no need to separate the roles.

Also 0TCAACTCT is not correct object in analysis role. It should be 0TCAACTVT. In BI7.3, there are only two values for 0TCAACTCT (02 and 03).

2. Usually there is no need to restrict on Infoarea level in analysis roles. If you still need you have to use 0TCAIFAREA.

3. Data source also is not required to add in analysis roles. It might required in PFCG roles for few business users if they are using integrated planning etc.

4. Usually we can put * value for DATA and restrict on Info Area level. However sub object you can select based on trace values. It should be usually Data and Defination

If it is forthe analysis roles you created

Former Member · ‎07-09-2012

*****Corrections in my reply*** It is not allowing to update previous replies..

1. In BI7.3, there are only two values for 0TCAACTVT (02 and 03).

4. The last line " if it is forthe analysis***" can be ignored...

Regards,

Imran

Former Member · ‎07-09-2012

Hi Imran,

Thanks for your Reply...

if the example provided by you is for same user then no need to separate the roles.

I was talking about inserting the authorizations in one AuthObject(created in RSECADMIN) not roles.

When we have as below ,how can we include them in same object we are creating but each with diff activity,

0TCAIPROV 0AA*

0TCAIPROV *

0TCAIPROV 0AP*

BTW 0TCAACTCT was a typo in my earlier post ...

Many Thanks

Former Member · ‎07-09-2012

Hi Malti,

If you want different activity then you must separate the analysis roles.

Best Regards

Imran

Former Member · ‎07-09-2012

Hi,

And if we have values like below for 3 diff auth objects in a role with diff activities(For Infocube and Infoset or DS)?

For INFOCUBE in S_RS_ICUBE 0AA*

For ODS in S_RS_ODS *

For INfoset in S_RS_ISET 0AP*

In this case,how we mainatin all the 3 values(0AA* ,* and 0AP*) in RSECADMIN one Authobject.

Many Thanks.

Former Member · ‎07-09-2012

Hi Malti,

I guess, you are trying to link role(pfcg) auth objects values with analysis role (rsecadmin) which is not correct.

In Analysis roles only 0TCAACTVT, 0TCAIPROV and 0TCAVALID are mandatory checks. Other analysis objects needs to added based on nature of BI query. Usually other analysis objects will be like 0COMPANY_CODE, 0PROF_CTR etc...(org. level objects).

In my experience in BI, I never come across situation where DSO etc..need to added in analysis role.

Now you have 3 different infoprovider values 0AA*, 0AP* and *. All these info provider you want to restrict with three different activities. then you should create 3 separate analysis roles.

Thanks

Imran

Former Member · ‎07-11-2012

Hi,

Thanks for your response

I guess, you are trying to link role(pfcg) auth objects values with analysis role (rsecadmin) which is not correct.

Well,in upgradation we need to compare below objects values,for analysis auth which we create(0TCAACTVT, 0TCAIPROV and 0TCAVALID).

S_RS_ICUBE

S_RS_ODSO

S_RS_ISET

S_RS_MPRO

Many Thanks.

Former Member · ‎10-03-2012

Dear Experts,

I have a scenario like below

S_RS_ICUBE

ACTVT 03

RSICUBEOBJ DATA, DEFINiTION

RSINFOAREA AB_STATS,AB_USERS

RSINFOCUBE 0BWTC_C10, BW_SU_01, VC_ZRSPC

Please let me know how can i maintain this restriction using analysis authorization.Do i need to maitain infocube values in 0TCAIPROV. Than how can i restrict infoarea values.

thanks,
Ananth.