Registration

Dear SAP Community Member,
In order to fully benefit from what the SAP Community has to offer, please register at:
http://scn.sap.com
Thank you,
The SAP Community team.
Skip to end of metadata
Go to start of metadata

Introduction

 

All users who want to display transactional data from authorization-relevant characteristics in a query require analysis authorizations (or OLAP authorizations) for these characteristics. Analysis authorizations are NOT based on the SAP Standard Authorization concept. They use their own concept based on the BW reporting and analysis features. Please have a look at note 820183 which provides an overview and description on how the authorization concept works.

Important to Know

  • The OLAP-authorization-check must not be confused with the basis-authorization-check. When executing a BW-query some basis-authorizations are checked first. f.e. S_RS_COMP1, S_RS_COMP (authorization for executing a BW-report, see note 540720), ..etc. If the basis-authorization-check is successful, the OLAP-authorization-check (which checks the analysis-authorizations) is performed.
  • It's very important to understand that the OLAP authorization-check is executed before the data are retrieved from the database. It checks whether the assigned authorization-set authorizes the selection-set of the query. The selection-set comprises of all the filters/restrictions applied in the query. If the selection-set is bigger than the authorization-set, the user will always get an authorization-error. It is irrelevant whether authorized values are booked in the infoprovider.
  • OLAP authorizations do not act automatically as filter restrictions in queries (this is only possible with the "thinning-out" feature described in note 1905641). If this is required you need to use variables filled by authorizations. However please read note 1736473 which describes possible problems when using authorization-variables for multidimensional authorizations.

The old authorization-concept in BW 3.X has been completely replaced by the new 7.X authorization-concept introduced with BW 7.X. This site will only deal with the new authorization concept as the old authorization-concept will no longer work in future releases (see note 923176).

Runtime of the OLAP authorization-check

The figure shown above roughly shows how the authority-check is carried out executing a BW-query. The runtime of the authority-check also involves checking the authorizations for the infoprovider and retrieving the assigned authorization-values. The query in the example is very simple not using any variables/hierarchies/complex OLAP-features etc.

Step 1: The query is executed with a selection defined in the query-definition

Step 2, 3 and 4: The authorizations for all authorization-relevant attributes used in the query are collected and filled into the authorization buffer. Note 1951019 provides more details on attribute authorizations. The auth-relevant attributes for which the user is not authorized are simply not getting displayed in the BW report.

Step 5, 6, 7 and 8: The authorizations relevant for the infoprovider are collected and filled into the authorization buffer. The system then checks whether the user is authorized for the infoprovider on which the query is based. Note 2504860 provides more details on the infoprovider-check which is the first part of the OLAP authorization-check.

Step 9a: The query displays an authorization error if the infoprovider-check in the previous step fails.

Step 9b and 10: The system now continues with the main authorization-check checking the selection-set selected by the query in Step1. If the selection-set is greater than the authorization-set, the authorization-check fails.

Step 11a: The query displays an authorization error if the main authorization-check in the previous step fails.

Step 11b, 12 and 13: If the authorization-check is successfull, the system continues retrieving the selected data from the database. It's very important to understand that the OLAP auth-check is done before the database is accessed. Hence the idea that authorizations work as filters is not correct. Authorizations do not automatically filter the data according to the authorized values. The authorization-check simply checks the selection-set (regardless of whether data exists for this selection).

 

CSS component: BW-BEX-OT-OLAP-AUT

Guided Answers

Use the decision tree for analyzing authorization issues: Guided Answers: Analyzing BW authorizations issues


SAP Online Documentation

Latest Documentation for SAP BW 7.X Analysis Authorizations

Examples

 Authorization VariableExample01

SAP Consulting Notes

   

SAP BW Analysis Authorizations

820183New authorization concept in BI 

1234567

The authorization log RSECADMIN

1052242

BI Analysis authorization: Generation 

1000004

Merging and optimizing analysis authorizations

1053989

Intervals and Patterns [(*),(+)] in Analysis Authorizations

1140831

Colon authorization during query execution 

1951019 Navigation Attribute and Display Attribute for BW Analysis Authorization

OLAP AUTH Search


SAP Support Troubleshooting Guideline


 Topics

"No authorization" executing a BW-query

Consulting Notes / KBAs:

  • 1905641    "No authorization" message when deactivating hierarchy display or removing drilldown in BW Query 
  • 1736473    Usage of authorization variables results in "no authorization" when multi-dimensional auths are assigned
  • 1904962    How to Analyze a "No Authorization" or Showing Too Much Data Issue with BW Analysis Authorization
  • 1234567     The authorization log RSECADMIN
  • 1140831     Colon authorization during query execution
  • 1632677    Query with Multiple Authorization variables failing with "No Authorization"
  • 1951019    Navigation Attribute and Display Attribute for BW Analysis Authorization
  • 1953967    BW Analysis Authorization for Navigation Attribute in Query Based on InfoSet
  • 2232492    "No Applicable Data Found" instead of "No Authorization" When the User does not Have Enough Analysis Authorization


Wiki-Page:

Colon authorization during query execution

 Authorization Maintenance

Consulting Notes / KBAs:

  • 1929419    BW Analysis Authorization Maintenance has "Exclude" Option Greyed out
  • 1053989    Intervals and Patterns [(*),(+)] in Analysis Authorization
  • 1982399    Removing Inconsistent analysis authorizations that show as inactive
  • 1630584    Analysis Authorization not changable in closed client
  • 1685338    Analysis Authorizations missing, deleted or inactive after upgrade to 730
  • 1911259    Analysis Authorization Missing after Upgrade to 730
  • 1956404    Characteristics 0TCAIPROV, 0TCAACTVT, 0TCAVALID are no longer Authorization Relevant after Upgrade to BW7.3 or higher
  • 1982399    Removing Inconsistent analysis authorizations that show as inactive

 
Wiki-Page:

Analysis Authorization - Authorization log tables
The authorization Log in RSECADMIN

Hierarchy authorizations not working

Consulting Notes / KBAs:

  • 1905641    "No authorization" message when deactivating hierarchy display or removing drilldown in BW Query
  • 1772536    EYE020 when editing Analysis Authorization
  • 1791558    Node authorization does not work when determined using exit or generated using RSEC_GENERATE_AUTHORIZATIONS
  • 1927047    Node authorization does not work for hierarchies with time-dependent structure
  • 1772536    EYE020 when editing Analysis Authorization
  • 1170163    "Validity" in hierarchy authorizations 


Wiki-Page:

"Validity" in hierarchy authorizations

Authorization- & Customer-Exit Variables

Consulting Notes / KBAs:

  • 1900590    Error executing BW query when using Customer Exit Variable in Analysis Authorization definition
  • 1772536    EYE020 when editing Analysis Authorization
  • 1791558    Node authorization does not work when determined using exit or generated using RSEC_GENERATE_AUTHORIZATIONS
  • 976680      Usage of variables in authorization
  • 1226163    Authorization variables in workbook
  • 1561635    Filling Analysis Authorizations from exit variables in I_STEP=0
  • 1988154    BW Query F4 Help doesn't Show Value for Restricted Authorization Users
  • 1579015    Could not determine value for variable from authorization
  • 1914703    Transaction RSECADMIN "Execute as User" has different BW query result compared to direct BW query execution result by this user
  • 2672200 - Please use Function module RSEC_GET_AUTHS_FILTERED 


Wiki-Page:

Variable Replaced with Authorization

DTP & RSDRI & Data Federator

 Consulting notes/KBA

  • 1291204    Loading with DTP: Failed authorization check on 0BI_ALL 


Wiki Page

Analysis Authorizations & BPC DAP (Data Access Profile) Consulting notes/KBA
  • 2403016    Error "This query is invalid. Please contact your administrator" when Open a BW BEx Query with EPM Add-In in AO
  • 2479551    Query results display in AO but not EPM Add-in

Wiki Page

Performance

Consulting Notes / KBAs:

  • 1454140    Performance problems with authorizations
  • 1592528    Delete Authorisation Logs from BW table RSECLOG to gain memory space and improve performance
Generation of Authorizations

Consulting Notes / KBAs:

  • 1052242    BI Analysis authorization: Generation
  • 1630469    Deleting Generated Authorizations using D_E_L_E_T_E
  • 1940454    BW Analysis Authorization Generation for HCM Structural Authorization Generates More Authorized Values than you Expect
  • 2182202    Error Message "Message number 999999 reached. Log is full" (BL252) occurs for BW Analysis Authorization Generation