BI Security Implementation and restrictions at Infocube levels

Former Member

Dear all,

I am trying to update myself on BI security and practical implementations. I have read the expert guide and other relevant documentation. We have BW security integrated with CRM and Portal.

Please explain or provide me some direction in understanding how BI security works at key figure level.

Is it necessary to set the following InfoObjects as “authorization-relevant”? Is it MANDATORY to make the following settings as "Authorization-Relevant" before we start the BI Security:

0TCAACTVT

0TCAIPROV

0TCAVALID

0TCAKYFNM

and

Add 0TCAIFAREA as an external hierarchy characteristic to 0INFOPROV

When I changed the above InfoObjects to Authorization Relevant, BI Portal users complained that they have access issues. I had to change this setting back.

Can someone explain to me the implications of making the above objects Authorization Relevant? When making these objects Authorization Relevant, do I need to complete some steps to make it work?

All users have the 0BI_ALL object defined in S_RS_AUTH. I don't know how 0BI_ALL works for users.

I would greatly appreciate it if anyone can explain how I can achieve the following scenarios:

1. How Can I restrict user access to all the Characteristics and Key Figures of Infocube ZEN_XXX1 except for Characteristic 0CRM_SALORG.

2. How can I restrict User access to all the Characteristics and Key Figures of Infocube ZEN_XXX1 except for Characteristic 0CRM_SALORG (Sales Organization CRM) and Key Figure ZVOLSU.

3. How can I restrict User Access to all Infocubes EXCEPT ZEN_T001 infocube.

I tried using PFCG but it does not work. 3rd scenario worked fine. I really need help in resolving scenario 1 and 2.

please eMail me if I need to go thru any other step-by-step procedure.

I am trying my best to resolve and at the same time reading other documentation and experimentation.

Waiting for a Positive Reply

Kumar

2 REPLIES

Former Member

Hi,

3. How can I restrict User Access to all Infocubes EXCEPT ZEN_T001 infocube?

>>> You have to create 1 role with the transaction RSECADMIN (PFCG is the old transaction). This role contains S_RS_ICUBE with activity 'disp' and the names of all the authorized cubes. You assign this role to the corresponding user.

2. How can I restrict User access to all the Characteristics and Key Figures of Infocube ZEN_XXX1 except for Characteristic 0CRM_SALORG (Sales Organization CRM) and Key Figure ZVOLSU?

>>> You have to mark all the characteristics used in the cube as authorization-relevant, and the characteristic 0CRM_SALORG too. Then you create your authorization object for the IO you will give access to (0TCAACTVT = disp, 0TCAIPROV = cube name, 0TCAVALID = default, 0TCAKYFNM = name of the KF). After that you create 1 role with the object S_RS_ICUBE with the activity disp and the name of your InfoCube, plus S_RS_AUTH with activity disp and the name of the authorization object you have created.

1. How Can I restrict user access to all the Characteristics and Key Figures of Infocube ZEN_XXX1 except for Characteristic 0CRM_SALORG?

>>> You go the same way, but in your authorization object on 0CRM_SALORG, for 0TCAKYFNM you put = *

Keep in mind that when you create an authorization object you give an authorization. Before (BW 3.X), an authorization object gave a restriction.

0BI_ALL is the 'SAP_ALL' authorization for your authorization-relevant IOs. If you put 0BI_ALL in S_RS_AUTH, you give access to all authorization-relevant master data.

Hope it helps

PKing
Participant

Hello Kumar,

Here are my statements:

> Is it necessary to set the following InfoObjects

> as “authorization-relevant” . Is it MANDATORY to make

> the following settings as "Authorization-Relevant"

> before we start the BI Security

> 0TCAACTVT

> 0TCAIPROV

> 0TCAVALID

> 0TCAKYFNM

Be careful when checking 0TCAKYFNM. If you do so EVERY user will be influenced because reporting is based on key figures. But as you need to restrict to certain key figures you will have to check 0TCAKYFNM authorization relevant. As a consequence every user will need key figure authorizations.

> and

> Add 0TCAIFAREA as an external hierarchy

> characteristic to 0INFOPROV

This is not mandatory but may be helpful if you want to restrict authorizations on InfoArea level.

> When I changed above infoobjects to Authorization

> relevant, BI Portal Users are complaining that they

> have Access issues. I have to change this setting

> back.

They might complain because they do not have authorizations for any key figure. As I explained above, checking this object has an impact on every query because every query contains key figures, and when you check 0TCAKYFNM users will need the authorizations for this object.

> Can someone explain me the implication of making the

> above objects as Authorization Relevant. What making

> these objects, Do I need to complete some steps to

> make it work.

>

> All users have 0BI_ALL object defined in S_RS_AUTH. I

> don't know how 0BI_ALL works for users.

0BI_ALL is SAP_ALL on analysis level - you must not assign this to your reporting users!

> I greatly appreciate if anyone can explain how I can

> achieve the following scenarios:-

>

> 1. How Can I restrict user access to all the

> Characteristics and Key Figures of Infocube ZEN_XXX1

> except for Characteristic 0CRM_SALORG.

Figure out if characteristic 0CRM_SALORG has to be marked as authorization relevant or not. If not - there's nothing to do. If yes - you will have to set up analysis authorizations.

Create an analysis authorization in RSECADMIN like:

ZEN_XXX1_ALL

0CRM_SALORG = *

specify your other auth. relevant characteristics and enter ":" as values

0TCAIPROV = ZEN_XXX1

0TCAACTVT = 03

0TCAVALID = *

Do not forget to allow authorizations for these auth. relevant characteristics in your other InfoProviders (where applicable).

Assign the authorization to the users in RSU01 or create a role containing S_RS_AUTH with the analysis auth. as value.

>

> 2. How can I restrict User access to all the

> Characteristics and Key Figures of Infocube ZEN_XXX1

> except for Characteristic 0CRM_SALORG (Sales

> Organization CRM) and Key Figure ZVOLSU.

Create an analysis authorization in RSECADMIN like:

ZEN_XXX1_KEY

0CRM_SALORG = CRM

specify your other auth. relevant characteristics and enter ":" as values

0TCAIPROV = ZEN_XXX1

0TCAACTVT = 03

0TCAVALID = *

0TCAKYFNM = ZVOLSU

And also do not forget to allow authorizations for these auth. relevant characteristics and all key figures in your other InfoProviders.

Assign the authorization to the users in RSU01 or create a role containing S_RS_AUTH with the analysis auth. as value.

> 3. How can I restrict User Access to all Infocubes

> EXCEPT ZEN_T001 infocube.

Enter in auth object (PFCG) S_RS_COMP and S_RS_COMP1 your cube ZEN_T001 in field RSINFOCUBE, RSZCOMPTP = REP, ACTVT = 16

>

> I tried using PFCG but it does not work.

Why? What was the problem? Keep in mind that you always will need the three special dimensions since BI 7.0

> 3rd scenario

> worked fine. I really need help in resolving scenario

> 1 and 2.

>

> please eMail me if I need to go thru any other

> step-by-step procedure.

>

> I am trying my best to resolve and at the same time

> reading other documentation and experimentation.

>

> Waiting for a Positive Reply

>

> Kumar
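
The authorizations ZEN_XXX1_ALL and ZEN_XXX1_KEY from the reply above, run through a simplified Python model of the analysis-authorization check; this is an added example, not part of either reply and not SAP code. It assumes a single authorization must cover the whole query, and `ZCHAR_X` and `ZOTHERKF` are hypothetical names standing in for another authorization-relevant characteristic and a second key figure.

```python
# Simplified model (assumption, not SAP's implementation) of a BI 7.0 check.
COLON, STAR = ":", "*"   # ':' = aggregated access only, '*' = all values

def covers(granted, requested):
    """True if the granted value set covers one requested value."""
    return STAR in granted or requested in granted

def check(auth, provider, relevant, selections, key_figures):
    """auth: {InfoObject: set of values}; relevant: authorization-relevant
    InfoObjects used in the provider; selections: {characteristic: value}
    restricted in the query (anything absent is read aggregated, i.e. ':')."""
    # The three special characteristics must be filled in every authorization.
    if not (covers(auth.get("0TCAIPROV", set()), provider)
            and covers(auth.get("0TCAACTVT", set()), "03")   # 03 = display
            and auth.get("0TCAVALID")):
        return False
    for obj in relevant:
        granted = auth.get(obj, set())
        if obj == "0TCAKYFNM":
            # Once relevant, every key figure in the query needs a grant.
            if not all(covers(granted, kf) for kf in key_figures):
                return False
        elif not covers(granted, selections.get(obj, COLON)):
            return False
    return True

# Authorizations as given in the reply. ZCHAR_X stands in for "your other auth.
# relevant characteristics" and ZOTHERKF for a second key figure (hypothetical).
BASE = {"0TCAIPROV": {"ZEN_XXX1"}, "0TCAACTVT": {"03"}, "0TCAVALID": {"*"}}
ZEN_XXX1_ALL = {**BASE, "0CRM_SALORG": {"*"}, "ZCHAR_X": {":"}}
ZEN_XXX1_KEY = {**BASE, "0CRM_SALORG": {"CRM"}, "ZCHAR_X": {":"},
                "0TCAKYFNM": {"ZVOLSU"}}
CHARS = ["0CRM_SALORG", "ZCHAR_X"]      # 0TCAKYFNM not authorization-relevant
WITH_KF = CHARS + ["0TCAKYFNM"]         # 0TCAKYFNM switched to relevant

def demo():
    q, cube = {"0CRM_SALORG": "CRM"}, "ZEN_XXX1"
    return {
        "ALL, KF not relevant": check(ZEN_XXX1_ALL, cube, CHARS, q, ["ZVOLSU"]),
        "ALL, KF relevant": check(ZEN_XXX1_ALL, cube, WITH_KF, q, ["ZVOLSU"]),
        "KEY, ZVOLSU": check(ZEN_XXX1_KEY, cube, WITH_KF, q, ["ZVOLSU"]),
        "KEY, ZOTHERKF": check(ZEN_XXX1_KEY, cube, WITH_KF, q, ["ZOTHERKF"]),
        "KEY, no SALORG filter": check(ZEN_XXX1_KEY, cube, WITH_KF, {}, ["ZVOLSU"]),
        "KEY, drill ZCHAR_X": check(ZEN_XXX1_KEY, cube, WITH_KF,
                                    {**q, "ZCHAR_X": "A1"}, ["ZVOLSU"]),
    }

if __name__ == "__main__":
    print(demo())
```

The second case reproduces the portal users' access issues: an authorization that worked before 0TCAKYFNM was switched to authorization-relevant is rejected afterwards because it carries no key figure grant.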