Solved: Union of BI Analysis Authorisations

Former Member · ‎06-15-2007

Hi

I hope someone can help clarify.

I am interested to understand more about the way that Analysis Authorisation merge when a user has access to more than one role/ authorisation.

Just to point out that I have searched the foum, help.sap, my SAP training material and very little info is available. This link is the closest I have found but not enough with another dead end link.

/message/3522282#3522282 [original link is broken]

Business Requirement:

HR Reporting. A user is authorised to access the entire Org hierarchy in reports 1 and 2. The user is restricted to a lower level 2 Org node for reports 3 to 10.

I have created 2 BI Analysis Auth objects.

HR_001 and the hierarchy authorisation is for the top node of the hierarchy.

HR_002 and the hierarchy authorisation is for a level 2 node.

2 Roles have been created

ZBEX_HR_001 with reports 1 and 2 and BI Analysis Auth object HR_001.

ZBEX_HR_002 with reports 3 to 10 and BI Analysis Auth object HR_002.

The HR user has been assigned to the above 2 roles.

When the user executes any of the reports 1 through to 10 the user has access to the full org hierarchy.

Reports 3 to 10 are not restricted to the level 2 node even though the role has BI Analysis Auth object HR_002 assigned.

I have used RSECADMIN and generarted an authorisation log. It appears as though the 2 authorisations are merged.

If this is the correct behavoiur can anyone shed any light on how to restrict the user as per my business requirement explained above.

Thanks in advance

Cheers

Ian

Former Member · ‎06-18-2007

Hello

Just wondering if there are any Netweaver security experts out there who may be able to comment.

Thanks

Ian

Former Member · ‎06-18-2007

Hello

Just wondering if there are any Netweaver security experts out there who may be able to comment.

Thanks

Ian

Former Member · ‎07-10-2007

Hi Ian,

I agree the documentation on this topic is very sparse....simple scenarios are covered in depth (i.e. a single hierarchy to be restricted where the user has the same access for all queries) but the more complex are not covered.

I can suggest a solution to your problem, a bit drastic but should work.

Basically, create two multiproviders on the base cube- multiprovider A and multiprovider B. Build reports 1 and 2 off of multiprovider A. Build reports 3-10 off of multiprovider B. Create two seperate roles/anaylsis authorizations.

Here is where the trick is. In the new BI its possible to restrict an analysis authorization to only a single cube. So when you build your analysis authoriation for Multiprovider A restrict it to only multiprovider A (you do that with the 0TCAIPROV object). Then do the same for multiprovider B. By restricitng the analysis authorization to a single cube you prevent the join when you assign the two roles....

Thats my solution...did you come up with another way??

Former Member · ‎07-18-2007

Hi Scott

Thanks for your input. Yes that is an option, although as you mentioned bit drastic.

Another option is to create a reference characteristic - in my case it was ZORGUNIT based on 0ORGUNIT. (0ORGUNIT is used in my auth object)

Add this second characteristic to the infocube and populate via the transformation with the same values as 0ORGUNIT.

Include ZORGUNIT in reports 3 to 10 and restrict in the filter to the relevant level 2 Org Unit.

That way the characteristic 0ORGUNIT is filled by authorisation on the level 1 org unit and ZORGUNIT restricted in the filter to level 2 org unit. The net effect is that the user will only see level 2 and below.

It works based on preliminary testing but is still not a very tidy solution.

Cheers

Ian