on 10-15-2014 8:09 AM
Hi All,
We have created an authorisation object in the system which apply to all BW queries / reports. The authorisation object restricts a field / infoobject 0COMP_CODE to a particular range of values.
The BW reports in the roles use this field 0COMP_CODE and restricts to an authorization variable which brings in the restrictions applied in the roles.
The above scenario works fine for users currently.
Now there is a new requirement that I need help with.
Suppose there are 10 BW queries assigned in the roles. We now want to remove the authorization variable / restriction from 5 out of the 10 BW queries.
When we do that by simply removing the variable from BW query and run the reports it gives us an authorization error message. I suppose this is because at the role level there is a restiction and at the BW query level there is no authorization variable to pick this.
If we move the 5 queries to a new role where there is no Authorization object applied and the 5 queries don't have an Authorization variable it still gives as an Authorization error.
So now we have the below scenario
Role 1: 5 Queries with Authorization variable and Authorization object restriction
Role 2: 5 Queries with no Authorization variable / Authorization object
Role 2 queries do not work because the same user is assigned Role 1 and Role 2 and the Authorization restrictions get pulled in from there !
Any suggestions on how to proceed here and make Role 2 work without any restrctions?
Thank you.
Raghav,
1) As long as 0COMP_CODE is authorization-relevant, and its access to a user is restricted based on analysis authorization (I assume you are on BW 7.X) assigned to the user, any query executed by the user that has 0COMP_CODE will need authorization variable.
2) As long as 0COMP_CODE is authorization-relevant, and its access to a user is NOT restricted based on analysis authorization (I assume you are on BW 7.X) assigned to the user i.e. 0COMP_CODE (*) assigned, any query executed by the user that has 0COMP_CODE will NOT need authorization variable.
3) If all your 10 queries are based on same InfoProvider and supposed to be assigned to the same user, then your scenario is not workable. you will need to move your Role 2 queries to a separate InfoProvider and assign the user 0COMP_CODE (*) only for the new InfoProvider. Then role 2 queries will work without authorization variable.
Additional Point: there is a scenario where instead of (*), you just need to assign (:) but I think what you are looking for is detailed access so you will need (*).
Adding an authorization variable to a query does not take considerable effort, so I am not sure why you would like to skip this step. Because even if you don't want to restrict the user today, but in future requirement may change so that you have to restrict the user, then it will be an additional effort to rework the queries.
Regard
Shivraj Singh
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
User | Count |
---|---|
84 | |
23 | |
11 | |
9 | |
8 | |
5 | |
5 | |
5 | |
5 | |
4 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.