on 10-05-2012 11:54 AM
Hi guys,
We have the following issue in SAP BI 4.0 SAP 4:
We have created 2 different Custom Level Access (CAL) in order to make possible that some people were able to use reports based on a universe or create reports based on a universe. These CAL include the following access rights:
- CAL A: Data Access, View Access
- CAL B: Data Access, View Accees, Create and Edit Queries Based on possible
So, for instance:
For Users A,B we apply CAL A on Universe A & B
For User B we apply CAL B on Universe B
In this scenario the user B can effectively refresh reports based on Universe A and create reports based on universe B. The issue is the following:
When the User B creates a new document, and selects to create a new data provider based on a Universe, the list of "availables"universe show both universes A & B, despite that user can not create queries on Universe A. If he tries to use it (Universe A) it receives an error.Question is: why the universe A is showed in the list?
In version 3.1 using the same CAL the list only showed the "universes" that can be effectively used for creating data providers.
Has someone faced this issue and knows a workaround/way to fix it?
Thanks in advance,
hi Alfons,
Can you clarify the below for me.
Do you maintain any second level folder for universe objects after root folders or all the universe come directly under root folders without any categorization?
We also came across the same scenario as yours and our approach was to maintain a second level folder beneath the root folder and controlled the access by tweaking security at second level folder by using the rights at (Apply to Objects only /Apply to Subobjects only)
Kindly let me know for any issues further.
Regards,
Mani
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Alfons,
The tweak would be
More settings
- Inheritance should be disabled at root folder as well as in secondary folder level
- Viewers shouldnot have access to both Root and secondary folders.
Regards,
Mani
Hi Manikandan,
I don't know If I have misunderstood your advices but I have not been able to achieve the desired result. I have organized the universes in folders but the problem is always the same. If the user has "View Objects" rights on the universe (that is required to execute reports based on it) the universe is always shown in the list of availables universes when trying to create a report from WebI.
Alfons
Alfons,
What you understood is right. Let me clarify the bit of thing which you missed out.
The trick is that Universe should be accessible to all the users who refers universe for information consumption. But the Universe folder should be accessible to users who are more privileged than viewer but not the viewers. By this way you restrict viewer users not to see the Universe folders in turn Universe and the viewers can still access universe as they already have view access to universe.
you can achieve your requirement by proceeding the approach above. moreover there shouldn't be any inheritance from Universe folder to Universe
Regards,
Mani
Hi Manikandan,
First of all thanks by our help.
Your approach has sense (preventing acces at folder level should restrict the visibility of universes when user tries to create documents using WebI) but for some strange reason the list of availables universes for query seems to be ignoring the universe folder rights..
We have repeteadly verifying your approach
1) Create a Folder Universe (FA) under Universe root level. Put the universe A under this secondary folder
Universe Root Folder
-> Folder FA
-> Universe A
2) Check that the Viewer User has no access over FA folder (root level and folder level). Inheritance is broken when exists.
3) Assign Data Access and View universe privileges to Viewer user directly to the universe.
But as you can see in the available link the Universe still appears in the list of availaboe queries (curiously the folder column appears empty).
Can you confirm which released are you currently using? We are on 4.0 SP4 Patch 8.
http://www.mediafire.com/view/?7g7h7at1e45g7bx
regards,
Alfons
Hi Alfons,
I am also facing similar issue.
Tried many configuration settings but still not able to achieve the combination where user is able to refresh the report from universe, but not able to create reports based on it.
We are also on SP4.
Let me know if you found any solution.
I hope SAP will provide a fix for this in next Patch.
Best Regards,
Dinesh Agarwal
Hi,
As a side note, i would not leave it to chance, and simply ' hope for a fix '
the only way you can "drive" this process is by working collaboratively with SAP Support , and proving that this is infact a defect (and not an issue in your security model )
please be aware that SP04 is no longer maintained. the last patch on that codeline has already been released. (patch15)
If you are adamant this is a bug then you will need to requalify the defect on either SP05 Patch9 or Sp06 Patch1 (the 2 latest and actively maintained codelines for BI 4.0 )
It may already be that this 'defect' has been resolved in recent weeks / months, compared to vaniall SP04 . you should check the 'fixed issues' lists to determine that.
Regards,
H
Hi Alfons,
please try to apply KBA 1348507 which states:
Symptom
User should be able to create and refresh reports based on a particular
universe and should only be able to refresh reports based on another
universe.
Environment
Resolution
Now the Test user will be able to create and refresh the reports from
Universe 1 and only refresh the reports from Universe 2.
If this does not work, please open a CSS message and let me know
Thanks
Best regards
Simone Caneparo, SAP
Hi Dinesh,
Thanks for the suggestion. The security model that you purpose is the one that we have already in place now. Effectively it prevents users for create reports but because it allows them to see all the universes in the choice list situation becomes quite confusing (we have dozens of universes and some users may only work with a single one).
Regards,
Hi,
I observed that this is achievable in SAP BIP 4.1 Platfrom but in UNV only not with DSL.Universe(UNX).
Regards,
Sandeep
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
I am testing my 3.1 SP6 to 4.1 SP4 and I am experiencing the same thing with the adminstrators group that has Full Control.
Universe Folder
Universe1
Universe2
Universe3
When I logged in as me (member of the administrators group), click on Web Intelligence, Clicked on New, choose Universe. I could not see Universe2 but I could see Universe1 and Universe2.
I logged into the CMC
Went to the Universes screen
Expanded my Universe Folder
Right Clicked on Universe2
Clicked on User Security
Clicked ont he line for the "Administrators" principal
Noticed that my Access Rights were "Full Control" but not Inherited
I clicked on the "Reset Security Settings" button on the bottom of the screen
I logged back in
Now I am able to see the universe
Guessing it could be something with Explicit Rights assigned that are the same as the Inherited rights or something like that. I would love to be able to click on an object, choose a userid and see all the different possible principals they belong to and see their rights for each to determine why you can or cannot access something.
Hoping this helps. Hard part is identifying all the places this could be a problem.
Tammy Datri
Grane Healthcare
Hi Alfons,
I observed it still persists in SAP BIP 4.1 SP4. Were you able to resolve it?
Regards,
Sandeep
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
I'm just started testing BI 4.1 SP4 and the issue looks to be fixed in this version! Hopefully nothing else broke and I can apply to PROD.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
I put in a ticket with SAP and got refereed to SAP Note 1722836 which has been open for over a year. Apparently this bug that is being treated as an enhancement request with no timetable except say possible fix is next major release which from what I understand would be 5.x. I can't believe this is being treated as an enhancement request when this ability was present in prior release and is present in the current Rich Client. Does anyone know how to go about escalating this issue as quite a few users have started to complain about getting errors when trying to open a universe they shouldn't have access to?
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Was this ever fixed? Or was a workaround found? This seems to be present in BI 4.1 SP2 as well...When creating adhoc reports, a user shouldn't be able see a universe in which they don't have Create and Edit Queries Based on Universe rights. User has View Objects right so that they can refresh existing static reports. It's very disconcerting that simple things that worked in XI 3.1 are not working the same even in the latest version of BO.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Joseph and Alfons,
We are facing the exactly same issue in a customer of ours, using BO 4.1 SP1 Patch 3. We expected to see a solution in 4.1 SP2, but as Joseph put it, it's really disconcerting that such a small issue has not been solved so far.
We will try to get a solution through CSS/incident report.
Regards,
Luigi
Hi alfons,
This depends one how you apply security to universes root folder and the individual universes.
Kindly brief that. More over check whether eveyone group have access to root folder.if so try remove it.
View Objects right is the key here which enables the User/Usergroup to view the particular object.
Regards
Mani
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Manikandan,
Effectively everything depends on the the right applied effectively on the object. In our case we have checked that there is nor rights applied to the everyone group in the root folder. To my understand the key point comes from the "View Object" Right. This right seems to be applied on a Universes if we want to execute any report that contains any data source referred to this particular universes. On the other side ,once applied, this rightallows to see the universe in the list of universes avalaibles as data source (despite that users has no create & edit query on it).
How to fix this situation?
Thanks
User | Count |
---|---|
87 | |
10 | |
10 | |
10 | |
7 | |
6 | |
6 | |
5 | |
5 | |
4 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.