Issue in BEX authorization (BI 7.3)

former_member412824
Discoverer
0 Kudos

Hello,

We have a Company Code info-object which is marked Authorization Relevant in BW (7.3).

We have an InfoCube which contains the Company Code object and data for various Company Codes.

We have defined an Analysis Authorization object which is restricted to show data for only Company Code "ABC", and the same is assigned to the user role.

The InfoCube contains data for various Company Codes such as "ABC" and "XYZ".

The BEx query defined has Company Code in the filter, restricted by an Authorization variable (Ready for input), and it is not used in the output of the query.

The BEx query also has a User Input filter on Cost Center, which is not authorization relevant.

While running the BEx query, the user gets a selection screen with Company Code & Cost Center.

The user (who is authorized for only the "ABC" Company Code) keeps Company Code "BLANK" and selects a Cost Center which is part of the "XYZ" Company Code in the transactional data.

When the user executes, the report output is shown, even though the data displayed actually belongs to the "XYZ" Company Code.

After checking the authorization trace, we can see that an "I EQ :" authorization check is performed on Company Code. Please see screenshot below.

Our understanding - Irrespective of whether an Authorization Relevant object is used in the Query or not, the data displayed should be checked for all Authorization Relevant info-objects in the Info-provider. So in the above scenario, the user should not have got output of data from a Company Code to which he is not authorized. Is there anything missing in our setup?

Kind Regards

Abhijit

Accepted Solutions (1)

sander_vanwilligen
Active Contributor
0 Kudos

Hi Abhijit,


According to me the authorization check works as expected. Company Code is not used in the selection, so it will display the aggregated values because of the aggregation authorization (the colon : authorization).

In order to avoid the issue described above, I suggest making the input-ready authorization variable for Company Code mandatory to force a selection on Company Code. Now only authorized Company Codes (i.e. ABC) can be selected.


Best regards,

Sander


cornelia_lezoch
Active Contributor
0 Kudos

Hi,

I think the problem is caused because the comp code is not used in the query rows or columns.

Because when it is not used in the drilldown, it will be read as "aggregation".

So either take the aggregation auth away, or put comp code into rows or columns.

regards

Cornelia

Answers (1)

former_member412824
Discoverer
0 Kudos

Sander/Cornelia - So it works only if Company Code is used in output or else we need to take out Aggregation authorization from object. Understood. Thanks both of you for your replies.

sander_vanwilligen
Active Contributor
0 Kudos

Hi,

I suggest a different approach. Colon / aggregation authorization can be considered as a best practice to avoid "unexpected" authorization issues. It is checked if the characteristic is in the free characteristics (not in drilldown) without any selections or the characteristic does not exist in the BEx Query at all (but is authorization-relevant and part of the InfoProvider).

In my opinion you should create a variable "filled by authorization" and add it to the global filter (i.e. characteristic restrictions) of the BEx Query. This will overrule the colon / aggregation authorization to be checked. The BEx Query global selection will automatically be restricted to the authorized values.

Please refer to the following SAP Notes for more information:

Best regards,

Sander
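
The behaviour discussed in this thread, as an added Python model that is not part of the original posts and is not SAP code: it shows why a blank Company Code passes on the colon authorization alone, and how a mandatory selection or a "filled by authorization" filter changes the result. The cube rows, the `run_query` function and its parameter names are constructed for illustration, and the all-or-nothing rejection of unauthorized selections is a modelling assumption.

```python
# Simplified model of the check discussed in this thread (assumption, not SAP code).
AGGREGATION = ":"  # colon value: aggregated access when no selection is made

# Constructed sample InfoCube rows: (company_code, cost_center, amount)
CUBE = [
    ("ABC", "CC100", 500),
    ("ABC", "CC110", 250),
    ("XYZ", "CC900", 900),
]


def run_query(user_auth, cost_center, company_codes=None,
              filled_by_authorization=False):
    """Return the aggregated amount for cost_center or raise PermissionError.

    user_auth: authorized Company Code values, optionally including ":".
    company_codes: selection-screen input; None models a blank field.
    filled_by_authorization: models a "filled by authorization" variable
        in the global filter (hypothetical parameter name).
    """
    authorized_values = set(user_auth) - {AGGREGATION}
    if filled_by_authorization:
        # The filter is populated from the user's authorized values.
        company_codes = authorized_values
    if company_codes is None:
        # No selection on the characteristic: only ":" is checked.
        if AGGREGATION not in user_auth:
            raise PermissionError("no ':' authorization for Company Code")
        rows = CUBE
    else:
        # Modelled as all-or-nothing: any unauthorized value rejects the query.
        unauthorized = set(company_codes) - authorized_values
        if unauthorized:
            raise PermissionError(f"not authorized for {sorted(unauthorized)}")
        rows = [r for r in CUBE if r[0] in company_codes]
    return sum(amount for _, cc, amount in rows if cc == cost_center)


if __name__ == "__main__":
    user = {"ABC", AGGREGATION}
    print(run_query(user, "CC900"))                                # blank field
    print(run_query(user, "CC900", company_codes={"ABC"}))         # mandatory
    print(run_query(user, "CC900", filled_by_authorization=True))  # global filter
```
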