S_RS_COMP assigned twice via separate roles

Former Member
0 Kudos

Hi experts,

Please, can I ask your help on this?

For a new security model the functional requirement is to restrict user access by 2 factors:

  • what a user can do (e.g. create Y* queries using QD)

  • what cubes a user can see (= which MultiProviders)

As we want to keep the number of roles down, our idea was to create 15 roles for the 15 MultiProviders in the system. And 1 additional role for Y* query creation.

For example a user could get the following combination of roles:

ROLE_ACCESS_FIN_CUBES

ROLE_ACCESS_LOG_CUBES

ROLE_ACCESS_CRM_CUBES

ROLE_CREATE_QUERIES

-> The user shall be able to read and create queries in the FIN, LOG and CRM areas.

The first role was designed as follows:

S_RS_COMP - ACTVT = 03 - RSINFOAREA = FIN - RSINFOCUBE = FINCUBE1, FINCUBE2 - RSZCOMPID = * - RSZCOMPTP = *

Meaning that this user can read all reports in the Finance area.

The create-queries-role looks like this:

S_RS_COMP - ACTVT = * - RSINFOAREA = * - RSINFOCUBE = * - RSZCOMPID = Y* - RSZCOMPTP = REP

Meaning that this user can create reports (everywhere) as long as they start with a Y*.

The problem now is that these two roles cannot be combined.

ROLE_ACCESS_FIN_CUBES + ROLE_CREATE_QUERIES = Can read and write everywhere.

  • Is there any simple workaround to this problem?

  • Would it be possible to leave RSINFOAREA and RSINFOCUBE in the create-queries-role empty?

  • Are there any other values possible (#, : or $)?

  • What about exit variables?

Thanks a lot for any input in advance! <removed_by_moderator>

Gerrit

Edited by: Julius Bussche on Mar 28, 2008 1:25 PM

4 REPLIES

Former Member
0 Kudos

Is there any simple workaround to this problem?

-No

Would it be possible to leave RSINFOAREA and RSINFOCUBE in the create-queries-role empty?

-Yes - but it will not work - empty means NOTHING.

Are there any other values possible (#, : or $)?

-What for?

What about exit variables?

-Not here. You can use variables in queries...

Generally, SAP is not merging authorisations as some people think.

SAP just creates keys for authorisation objects and compares the list of keys defined for the user in the role with the required access.

Wider access always wins.

I'm afraid you can't avoid creating separate roles for query developers.

0 Kudos

Hi Wojciech and Auke,

thanks to both of you for your thoughts!

Wojciech:

I just thought that if "empty" means "nothing", maybe "#" means "whatever values he's been given for this parameter through other roles".

The exit variable would have been the last resort (-> read the cubes/infoareas from the table directly). I thought that this can be done (e.g. $MYEXIT). I've never tried it though. I could be wrong. Probably wouldn't justify the effort in any case.

Looks like we just have to create the roles for each user type separately.

Thanks anyways!

Former Member
0 Kudos

The best approach here is to create query creator roles for every area you want to separate on.

Normally you should create:

A report reader role,

B report creator(writer) role

C Report publisher

D menu role

for each area specific.

Former Member
0 Kudos

Instead of giving

S_RS_COMP

Infoarea = *

infocube= *

RSZCOMPID= *

Drop down the infoarea and infoprovider fields and select all using the 'select all' button at the top, and deselect the FIN part. That would restrict users in creating reporting components on FIN.

And if you want to allow them to create Y* queries on FIN, you have to add one more S_RS_COMP with FIN and Y* values.

Thanks
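
The evaluation discussed in this thread, as an added example that is not part of the original posts and is not SAP code: a simplified Python model in which a check passes when any single S_RS_COMP authorization covers all requested fields, so authorizations from different roles are never intersected. It compares the two roles from the question, the empty-field variant, and an area-specific creator authorization as the replies suggest. The HR/HRCUBE1 area, the component names, activity 01 for create, and all function names are assumptions made for illustration.

```python
FIELDS = ("ACTVT", "RSINFOAREA", "RSINFOCUBE", "RSZCOMPID", "RSZCOMPTP")

def auth(*values):
    """One S_RS_COMP authorization; each field holds a list of allowed patterns."""
    return dict(zip(FIELDS, values))

def matches(pattern, value):
    # "*" allows anything, "Y*" allows a prefix, anything else must be equal.
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value

def covers(authorization, request):
    # All five fields must match inside this ONE authorization.
    # An empty field list matches nothing ("empty means NOTHING").
    return all(any(matches(p, request[f]) for p in authorization[f]) for f in FIELDS)

def check(authorizations, **request):
    # The user's authorizations are OR-ed; fields are never intersected across roles.
    return any(covers(a, request) for a in authorizations)

# Field values taken from the thread.
READ_FIN = auth(["03"], ["FIN"], ["FINCUBE1", "FINCUBE2"], ["*"], ["*"])
CREATE_ANY = auth(["*"], ["*"], ["*"], ["Y*"], ["REP"])
# Area-specific creator authorization, as the replies suggest (constructed).
CREATE_FIN = auth(["*"], ["FIN"], ["FINCUBE1", "FINCUBE2"], ["Y*"], ["REP"])
# Creator authorization with the area and cube fields left empty (constructed).
CREATE_EMPTY = auth(["*"], [], [], ["Y*"], ["REP"])

# Constructed requests: 01 = create, 03 = display; HR/HRCUBE1 is an area
# the user was never given a reader role for.
HR_CREATE = dict(ACTVT="01", RSINFOAREA="HR", RSINFOCUBE="HRCUBE1",
                 RSZCOMPID="YHEADCOUNT", RSZCOMPTP="REP")
FIN_CREATE_Y = dict(ACTVT="01", RSINFOAREA="FIN", RSINFOCUBE="FINCUBE1",
                    RSZCOMPID="YMARGIN", RSZCOMPTP="REP")
FIN_CREATE_Z = dict(FIN_CREATE_Y, RSZCOMPID="ZMARGIN")
FIN_READ_Z = dict(FIN_CREATE_Z, ACTVT="03")

if __name__ == "__main__":
    for name, auths in [("as designed", [READ_FIN, CREATE_ANY]),
                        ("empty fields", [READ_FIN, CREATE_EMPTY]),
                        ("per-area creator", [READ_FIN, CREATE_FIN])]:
        for label, req in [("HR create Y*", HR_CREATE), ("FIN create Y*", FIN_CREATE_Y),
                           ("FIN create Z*", FIN_CREATE_Z), ("FIN read Z*", FIN_READ_Z)]:
            print(f"{name:17} {label:14} -> {check(auths, **req)}")
```

The same function can be run over an exported list of a user's authorizations to find wildcard instances that cover areas no reader role grants.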