cancel
Showing results for 
Search instead for 
Did you mean: 

BPC Matrix Security not working

Former Member
0 Kudos

We are currently on Netweaver version 10.0, SP13, Patch 4, NET 3.5, Build 8308.  We implemented matrix security for go live last year as our security parameters are quite complex.  Everything seemed to be working fine, but today someone brought an issue to my attention, and it looks like it isn't working.  An example:

User has two access profiles:

Profile 1

CORP = US

DEPT = ALL

Profile 2

CORP = ALL

DEPT = IT ONLY

Under those parameters, expectation is user can pull any DEPT from US (profile 1), any IT cost center from ALL (profile 2) - but should NOT be able to pull a cost center OUTSIDE of IT for WW, NOR should they be able to pull consolidated results, which would be the intersection of DEPT = ALL from profile 1, and CORP = ALL from profile 2.

However, user is able to pull any cost center outside of IT for the world, and can pull consolidated.

Under what circumstances would matrix fail to function as intended?

Accepted Solutions (0)

Answers (4)

Answers (4)

Former Member
0 Kudos

It's a known limitation. See details in SAP Note 1565985

1565985 - Planning and Consolidation 10.0 NW Limitations

Matrix Security mode is not available

Matrix Security, an optional way of defining rights for access to data, is not yet available. Data access profiles are defined in the same way as in previous releases.

Ankur_Jain
Product and Topic Expert
Product and Topic Expert
0 Kudos

Hi William,

In the screenshot provided, it is visible that user was assigned "ALL- RW" in both CORP and COST CENTER in one of the profiles. Though he/she was assigned RO or RW on some specific members in some other profiles but as least restrictive profiles always wins hence, user has RW access on all the members of CORP and COST CENTER.

You have to define data access profiles in a way so that least restrictive profile has the desired rights for the user for desired outcome.

Regards,

Ankur Jain

Former Member
0 Kudos

I understand that it is the way classic BPC security works, least restrictive always wins, but I thought that was the purpose of matrix security, that it could define specific intersections, and that total security would be comprised of all the different matrix profiles.

So is it true then that even with matrix security, least restrictive wins?  This would make us rethink security then?

Appreciate any insights you can provide.

damovand
Product and Topic Expert
Product and Topic Expert
0 Kudos

Hello,

As you probably know in BPC classic when there are more than one access profiles for the same data region, the least restrictive is used.  Based on your example it seems that rule is being applied here.  Even though you have enabled matrix security, it seems only the least restrictive rule is used. 

Best Regards,

Leila Lappin

Former Member
0 Kudos

Yes I have been working with this product since it was Outlooksoft 5.0, and I always knew classic BPC security functioned that way, least restrcitive wins, but I thought that the purpose of matrix security was to allow two or more detailed intersections to combine for very tailored security.

Is it true then that with Matrix security, least restrictive wins also?

Ankur_Jain
Product and Topic Expert
Product and Topic Expert
0 Kudos

Hi William,

Are both these profiles read only or read & write?

Also, please let me know whether these are the only 2 profiles which are assigned to the user or are there any other profiles as well which is inherited from the team (if this user is assigned to some team)?

Regards,

Ankur

Former Member
0 Kudos

This user has several profiles which affect all of our models, I just simplified for my initial question.  For purposes of replying to you, I will just use our FINANCE model as an example.  RO indicated read only, RW indicates RW.  I have attahced an excel file template, please let me know your thoughts.