09-30-2012 9:02 AM
Dear Experts:
Thanks in Advance.
I need to migrate current BW3.5 security design to new security ananlysis authorization design of BI 7.3. i am going to do it manually with out using the standard SAP tool RSEC_MIGRATION. Here i don't know how to create ananlysis authorizations by using existing authorization objects and thier values.
please guide me to do this activity. i have seen many threads but i could not find any... please let me know the path where i can find the stanadard documentation also.
your suggestions are very valuable for me...
10-02-2012 6:26 PM
http://scn.sap.com/community/data-warehousing/netweaver-bw/blog/2012/05/22/authorization-in-bi-7
This is a very good link about how to set up security in BI7.
BW 7.3 security is exactly as BI7 security, with few minor additional steps like activating the analysis authorization.
Hope it helps,
Regards,
Shivraj
10-02-2012 6:26 PM
http://scn.sap.com/community/data-warehousing/netweaver-bw/blog/2012/05/22/authorization-in-bi-7
This is a very good link about how to set up security in BI7.
BW 7.3 security is exactly as BI7 security, with few minor additional steps like activating the analysis authorization.
Hope it helps,
Regards,
Shivraj
10-03-2012 7:28 AM
Hi Shivraj,
thanks for your reply. i have situation like below
S_RS_ICUBE
ACTVT 03
RSICUBEOBJ DATA, DEFINiTION
RSINFOAREA AB_STATS,AB_USERS
RSINFOCUBE 0BWTC_C10, BW_SU_01, VC_ZRSPC
Please let me know how can i maintain this restriction using analysis authorization.
thanks,
Ananth.
10-03-2012 5:47 PM
Kishore,
For reporting S_RS_ICUBE is no longer checked under BW73 settings. It is replaced by 0TCAIPROV which you will have to maintain in analysis authorization.
One way is to create an analysis authorization with only 3 0TCA* objects - 0TCAACTVT 03 0TCAIPROV - 0BWTC_C10, BW_SU_01, VC_ZRSPC & 0TCAVAL - *. & update the S_RS_ICUBE role with that analysis authorization.
Regards,
Shivraj
10-04-2012 6:39 AM
Hi Kishore,
It seems that you are looking for designing part! BW auth object S_RS_ICUBE is obsolete in BI 7.3.
Now try to design you analysis authorizations based on RSINFOCUBE, like Z0BWTC_C10 and maintain the field values as above. your analysis authorization structure should be based on Infoprovider OR Infocude.
The Authorizations structure from BW 3.5 inevitably changes as of BI 7.3.
Let me if any additional information required.
Thanks
Anil Surukanti
10-05-2012 10:14 AM
Hi Experts,
thanks for your reply...
i have a question.
S_RS_ICUBE
ACTVT 03
RSICUBEOBJ DATA, DEFINiTION
RSINFOAREA AB_STATS*, AB_USERS*
RSINFOCUBE *
in this case how can we restricte on infoarea using analysis authorizations.
Thanks in Advance,
Kishore.
10-05-2012 6:05 PM
Kishore,
0TCAIFAREA can be used for this purpose.
You have to add it to 0INFOPROV as an external hier char.
Please refer to
http://scn.sap.com/thread/193027
Regards,
Shivraj
10-15-2012 7:19 AM
Hi Shivaraj,
Thank you very much for your reply...
In above case apart from adding hierarchy to 0INFOPROV.. do i need to maitain all infoproviders of those infoareas under 0TCAINPROV object.
thanks in advance.
Kishore.
10-15-2012 6:56 PM
Kishore,
0TCAIPROV has to be maintained all the time as it gets checked every time a query is executed.
Regards,
Shivraj
10-17-2012 7:58 AM
Hi Shivraj,
Thanks for your valueble suggestions.
in our current role design there is RSR clss object ZHR_SLRY( field 1KYFNM. ) this is added in some roles with some values.
1.So i have to mention these values in AA under 0TCAKYFNM object right!!!!
2. the roles with out this object, i am giving * for 0TCAKYFNM infoobject in AA.. is that right.
3. if a use get access to both AAs.... what is the access he is going to have for 0TCAKYFNM
* or for specific values.
or will it work individually depending on infoproviders respective to that perticular AA.
can you please suggest me.
Thanks,
Kishore.
10-17-2012 6:00 PM
Kishore,
1. Since you are using Key Figure Security, you will have to mark 0TCAKYFNM auth-relevant. Once it is marked auth-relevant, it will get checked for every Info-provider or another way to say it is for every query execution.
2. For the roles with ZHR_SLRY, you will have to match the field values
3. For roles with no ZHR_SLRY, mentioning (*) in field values is not a good idea, it means access to all key-fig including salary data which is sensitive in HR.
4. Alternative is to first identify which Key-fig are sensitive and maintain a range excluding these sensitive key-figs. It is just one alternative, you will have to test if it is applicable to your scenario or not.
5. regarding # 3 on your list, AA are restricted by the Info-providers mentioned in 0TCAIPROV. And these do merge when Info-providers are same across AAs. There are examples on SAP help about the logic that governs such merging, and I think there is a note also.
Regards,
Shivraj
10-17-2012 8:32 AM
Hi Kishore,
If you want to do it manually which I think is the best way to implement security since the approach in BW and BI is entirely different.
Rather than looking into BW reporting authorization objects created and used in 3.5 version and try to create and equivalent Analysis Authorization (AA) I would suggest you to incorporate a fresh BI security strategy.
Follow this plan
You may need to interact a lot with Business People and BI team but this will give you a perfect BI security measures for your system.
Hope this helps.
Regards,
Amit