07-09-2012 7:00 AM
Hi,
We are performing the BI Manual Security Migration from 3.5 to 7.3.
There are few BI ZAUTHOBJECTS and 4 BI Authobjects(for ICUBE,ISET,ODSO and MultiProv )
S_RS_ICUBE
S_RS_ODSO
S_RS_ISET
S_RS_MPRO
which are populated in the RSECADMIN (---> Extras---> 3.5 to 7.3) Migration screen.
So we took these and have manually created analysis auth for the Z and the 4 BI Authobjects.
1.My question is when we have scenario like below,how do we maintain the authorization seperately for ICUBE or ODSO( where 0TCAIPROV applies for the four objects)?
S_RS_ODSO ACTVT 3, 23
S_RS_ODSO RSINFOAREA *
S_RS_ODSO RSODSOBJ 0AA*
S_RS_ODSO RSODSPART DATA
S_RS_ODSO RSODSPART *
S_RS_ODSO RSODSOBJ *
S_RS_ODSO RSINFOAREA *
S_RS_ODSO ACTVT 23
S_RS_ICUBE ACTVT 3
S_RS_ICUBE RSICUBEOBJ DATA
S_RS_ICUBE RSINFOAREA *
S_RS_ICUBE RSINFOCUBE 0AP*
I have created seperate objects for each authobject like below ,is this correct?
AUTHYY
0TCAACTCT 3,23
0TCAIPROV 0AA* , 0AP*
0TCAVALID *
0TCTIFAREA *
OR do we need to create as below seperately?
AUTHXX
0TCAACTCT 3
0TCAIPROV 0AA*
0TCAVALID *
0TCTIFAREA *
AUTHX1
0TCAACTCT 23
0TCAIPROV *
0TCAVALID *
0TCTIFAREA *
AUTHX2
0TCAACTCT 3
0TCAIPROV 0AP*
0TCAVALID *
0TCTIFAREA *
and added them in the roles.
But how can we add for S_RS_ODSO RSODSPART DATA
2.Can we add 0TCTIFAREA for Infoarea instead of 0TCAIFAREA
3.Can we add seperately 0TCTDSOURC, for DS Objects if in the case 1.?
4.For S_RS_ODSO RSODSPART DATA ,do we need to maintain the value DATA in S_RS_DS(which is for the DataSource or its sub objects).
Many Thanks.
07-09-2012 1:03 PM
Hi,
1. If you are going through manual upgrade, make excel sheet of old objects with values (role by role), later compare with new values after migration.
if the example provided by you is for same user then no need to separate the roles.
Also 0TCAACTCT is not correct object in analysis role. It should be 0TCAACTVT. In BI7.3, there are only two values for 0TCAACTCT (02 and 03).
2. Usually there is no need to restrict on Infoarea level in analysis roles. If you still need you have to use 0TCAIFAREA.
3. Data source also is not required to add in analysis roles. It might required in PFCG roles for few business users if they are using integrated planning etc.
4. Usually we can put * value for DATA and restrict on Info Area level. However sub object you can select based on trace values. It should be usually Data and Defination
If it is forthe analysis roles you created
07-09-2012 1:13 PM
*****Corrections in my reply*** It is not allowing to update previous replies..
1. In BI7.3, there are only two values for 0TCAACTVT (02 and 03).
4. The last line " if it is forthe analysis***" can be ignored...
Regards,
Imran
07-09-2012 1:47 PM
Hi Imran,
Thanks for your Reply...
if the example provided by you is for same user then no need to separate the roles.
I was talking about inserting the authorizations in one AuthObject(created in RSECADMIN) not roles.
When we have as below ,how can we include them in same object we are creating but each with diff activity,
0TCAIPROV 0AA*
0TCAIPROV *
0TCAIPROV 0AP*
BTW 0TCAACTCT was a typo in my earlier post ...
Many Thanks
07-09-2012 1:57 PM
Hi Malti,
If you want different activity then you must separate the analysis roles.
Best Regards
Imran
07-09-2012 2:26 PM
Hi,
And if we have values like below for 3 diff auth objects in a role with diff activities(For Infocube and Infoset or DS)?
For INFOCUBE in S_RS_ICUBE 0AA*
For ODS in S_RS_ODS *
For INfoset in S_RS_ISET 0AP*
In this case,how we mainatin all the 3 values(0AA* ,* and 0AP*) in RSECADMIN one Authobject.
Many Thanks.
07-09-2012 4:58 PM
Hi Malti,
I guess, you are trying to link role(pfcg) auth objects values with analysis role (rsecadmin) which is not correct.
In Analysis roles only 0TCAACTVT, 0TCAIPROV and 0TCAVALID are mandatory checks. Other analysis objects needs to added based on nature of BI query. Usually other analysis objects will be like 0COMPANY_CODE, 0PROF_CTR etc...(org. level objects).
In my experience in BI, I never come across situation where DSO etc..need to added in analysis role.
Now you have 3 different infoprovider values 0AA*, 0AP* and *. All these info provider you want to restrict with three different activities. then you should create 3 separate analysis roles.
Thanks
Imran
07-11-2012 2:44 PM
Hi,
Thanks for your response
I guess, you are trying to link role(pfcg) auth objects values with analysis role (rsecadmin) which is not correct.
Well,in upgradation we need to compare below objects values,for analysis auth which we create(0TCAACTVT, 0TCAIPROV and 0TCAVALID).
S_RS_ICUBE
S_RS_ODSO
S_RS_ISET
S_RS_MPRO
Many Thanks.
10-03-2012 7:44 AM
Dear Experts,
I have a scenario like below
S_RS_ICUBE
ACTVT 03
RSICUBEOBJ DATA, DEFINiTION
RSINFOAREA AB_STATS,AB_USERS
RSINFOCUBE 0BWTC_C10, BW_SU_01, VC_ZRSPC
Please let me know how can i maintain this restriction using analysis authorization.Do i need to maitain infocube values in 0TCAIPROV. Than how can i restrict infoarea values.
thanks,
Ananth.