Showing posts with label authorization. Show all posts

Tuesday, June 7, 2022

0INFOPROV vs 0TCAIPROV

I recently faced an authorization issue after a new BW/BEx report was created: end users could not access it. When I traced the access in t-code RSECADMIN, I got the error message below:

Authorization missing for aggregation (":"): Char: 0INFOPROV – empty



From the trace itself the cause looked obvious: the analysis authorization object used in the end user's role lacked the 0INFOPROV characteristic, in particular its colon (":") aggregation value. I followed up by checking the corresponding analysis authorization object.

By definition (see e.g. here) every analysis authorization object must contain the following three characteristics:

0TCAACTVT (activity), 0TCAIPROV (InfoProvider) and 0TCAVALID (validity)


So there is no mention of 0INFOPROV, the characteristic that popped up in the RSECADMIN trace. From this it seemed that my analysis authorization object was set up correctly. Nevertheless, why was the RSECADMIN trace complaining about 0INFOPROV? What is the relation between 0INFOPROV and 0TCAIPROV? The latter references the former as its reference characteristic; however, that shouldn't matter...

It turned out that 0INFOPROV was set to Authorization Relevant (in table RSDCHA the field AUTHRELFL is set to X). As the picture below showed, 0INFOPROV comes from Business Content as not Authorization Relevant (tables of both systems), but in the SAP BW system in question (table at the bottom of the picture) the active version of the characteristic had been flagged as Authorization Relevant. (The delivered and active versions can be compared in RSDCHA via the OBJVERS field, D versus A.) That setting was driving the security trace to mark 0INFOPROV as missing from the analysis authorization object. Once I included 0INFOPROV (with its colon aggregation value) in the affected analysis authorization object, the business user was able to access the report.


More information:

Defining Analysis Authorizations

820183 - New authorization concept in BI

1956404 - Characteristics 0TCAIPROV, 0TCAACTVT, 0TCAVALID are no longer Authorization Relevant after Upgrade to BW7.3 or higher



Monday, February 3, 2020

BEx QD errors "BI system has version; 70000 is required" or "System is not a BI system"

After updating SAP GUI to version 75, the errors below pop up during startup of BEx Query Designer:

"BI system has version; 70000 is required"
or
"System is not a BI system"


This is caused by an architecture change in SAP GUI 75: the BEx tools now use the .NET Connector (NCo) version 3, whereas lower versions of the BEx tools used NCo version 2. The SAP standard function modules RFC_METADATA_GET / RFC_METADATA are used for metadata exchange between BEx Query Designer and the SAP BW backend. To run these FMs the user must have authorization object S_RFC assigned for them (S_RFC is checked with the function group or function module name in field RFC_NAME and activity 16 in ACTVT). Only this grants the user the possibility to execute the FMs.

To solve this, the roles of the BW developers need to be extended with the mentioned authorization object.

More information:
2577916 - Error "BI system has version; 70000 is required" or "System is not a BI system" occurs in Bex Analyzer after update to SAP GUI 750
Wiki - Checking Tx RRMX with SAP GUI 750/760

Thursday, January 30, 2020

Authorization relevant t-codes in SAP BW

Here's a brief overview of BW authorization / security relevant t-codes.

Transaction Code   Short text
RSECADMIN          Manage Analysis Authorizations
RSECAUTH           Maintenance of Analysis Auth.
RSECAUTH02         Mass Maintenance - Analysis Auths
RSECENVI           Assignment Environment Authorization
RSECPROT           Maintenance of Analysis Auth.
RSECSY             Mass Maintenance - Analysis Auths
RSU01              User Maint. BI Analysis Auth.
RSUDO              Execution as Other User
RSUDU              Execution as Other User

More information:
2182164 - RSECADMIN Overview [VIDEO]
1234567 - The authorization log RSECADMIN
2552884 - HowTo: Bex query authorization analysis - decision tree
177875 - Authorizations for investigation of OLAP problems
2044628 - How to record and save an OLAP authorization trace using transaction RSECADMIN

Wednesday, September 18, 2019

Find out users having a role

Just a quick tip on how to find out which users have a particular role assigned in the SAP system. Normally this is done via t-code PFCG, where the role maintenance screen has a tab called Users that shows this information.


However, if one has no access to the PFCG t-code, one has to rely on tables. The table that holds the assignment of roles to users is AGR_USERS. The same information as in PFCG can be seen there; mind the validity columns FROM_DAT and TO_DAT, as assignments that have already expired are still kept in the table.


Friday, August 11, 2017

Error displayed in strange way while opening query in BEx QD

I came across a strange error in BEx Query Designer (QD) recently. Because my user wasn't authorized to edit the query, I got the message below from message class R9, message no. 108:

You do not have authorization for &1


In the QD, though, the error was displayed as just the plain message ID and number. It was obvious that my user couldn't change the query, but why the regular text associated with the message ID and number is not displayed is a mystery to me... Any thoughts?


Wednesday, March 9, 2016

Special characters in Analysis Authorization values

First, a brief introduction to what an Analysis Authorization is.

Analysis Authorizations (AAUT) is a concept used in BW systems to grant users access to the data in the system. The AAUT concept is not based on the standard SAP authorization concept used in SAP transactional systems like ECC; it serves users who access query data.

Unlike the standard SAP authorization concept, which is based on classic authorization objects, the AAUT concept is based on so-called Analysis Authorization objects. Such an object includes a group of characteristics, and for these characteristics values are defined to which access will be granted. The AAUT object (also called authorization object for reporting) can include any characteristic flagged as authorization-relevant. This flag is available on the maintenance screen of the characteristic in RSA1 -> Modeling -> Business Explorer -> Authorization Relevant. Once the flag is enabled, AAUT objects for reporting can be generated for the characteristic.

While a BW report or query is run by a user, the system selects the data from the InfoProvider. If an authorization-relevant characteristic is part of the data set, the system evaluates whether the user has sufficient authorization for the whole data set. Only if the user's AAUT values cover the whole selection is the data displayed.

The AAUT objects are maintained in t-code RSECAUTH (you can also jump there via t-code RSECADMIN). One AAUT object can include multiple characteristics, and each of them can have multiple values against which access is evaluated. Basically the values are of two types: flat values or hierarchy values. All operators like EQ, BT, GT, LE etc. are possible.

Now let's see what flat values can be entered here. Apart from regular values, where the value is precisely spelled out, the following special ones are possible:


* (asterisk): represents any number of characters

+ (plus): represents exactly one character

: (colon): authorization for aggregated values; it serves for displaying aggregated values (e.g. totals) when the characteristic itself is neither filtered nor drilled down. If, for example, two characteristic values are tied to different key figures and the user is only authorized to see the data for one of the values, having the colon in the AAUT object enables the user to see the total built from both values of the characteristic.

$ (dollar sign): enables the use of BW variables of type customer exit in authorizations; the variable name is introduced by the dollar sign.


A few examples:

Sign  Option  Value       Comment
I     EQ      02          fixed value
I     EQ      0TCT_24     fixed value
I     CP      A*          pattern
I     EQ      $VAR_SECT   variable
I     EQ      :           aggregated values
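The value semantics described above (inclusions with EQ/BT/CP and the comparison operators, the * and + patterns, $ customer-exit variables and the colon for aggregated values) as an added, simplified evaluator; this is example code written for this post, not SAP's own logic, and the class and function names, the way variables are resolved and the plain string comparison of values are assumptions:

```python
# Added example (not from the original post or SAP code): a simplified evaluator
# for the flat analysis-authorization values described above.  Names and the
# variable-resolution mechanism are assumptions; values are compared as strings.
from __future__ import annotations
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class AuthValue:
    option: str        # EQ, BT, CP, GT, GE, LT, LE (sign is always "I": inclusion)
    low: str
    high: str = ""

def pattern_to_regex(pattern: str) -> re.Pattern:
    """'*' stands for any number of characters, '+' for exactly one."""
    parts = [".*" if c == "*" else "." if c == "+" else re.escape(c) for c in pattern]
    return re.compile("^" + "".join(parts) + "$")

def resolve(value: str, variables: dict[str, list[str]]) -> list[str]:
    """'$NAME' is a customer-exit variable; an unresolved one grants nothing."""
    return list(variables.get(value[1:], [])) if value.startswith("$") else [value]

COMPARE = {"GT": lambda a, b: a > b, "GE": lambda a, b: a >= b,
           "LT": lambda a, b: a < b, "LE": lambda a, b: a <= b}
def value_matches(av: AuthValue, requested: str, variables: dict) -> bool:
    """Does one authorization value cover one requested characteristic value?"""
    lows = resolve(av.low, variables)
    if av.option == "EQ":
        return requested in lows
    if av.option == "CP":
        return any(pattern_to_regex(p).match(requested) for p in lows)
    if av.option == "BT":
        return any(lo <= requested <= hi
                   for lo in lows for hi in resolve(av.high, variables))
    if av.option in COMPARE:
        return any(COMPARE[av.option](requested, lo) for lo in lows)
    raise ValueError(f"unsupported option {av.option}")

def authorized(auth_values: list[AuthValue], selection: list[str] | None,
               variables: dict | None = None) -> bool:
    """All-or-nothing: every selected value must be covered by some authorization
    value.  selection=None means the characteristic is neither filtered nor
    drilled down, i.e. only its total is shown, which is what ':' grants."""
    variables = variables or {}
    if selection is None:
        return any(av.option == "EQ" and av.low == ":" for av in auth_values)
    return all(any(value_matches(av, v, variables) for av in auth_values)
               for v in selection)

# Constructed AAUT object mirroring the post's examples, plus constructed
# values a customer exit would return for variable VAR_SECT.
SAMPLE_AUTH = [AuthValue("EQ", "02"), AuthValue("EQ", "0TCT_24"),
               AuthValue("CP", "A*"), AuthValue("EQ", "$VAR_SECT"),
               AuthValue("EQ", ":")]
SAMPLE_VARS = {"VAR_SECT": ["S100", "S200"]}
```

Note the two failure modes the evaluator makes visible: a single unauthorized value in the selection denies the whole data set, and a $ variable that the exit does not fill grants nothing.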

Thursday, December 17, 2015

Searching for role by given BW objects

I was recently asked by a user to analyze an authorization issue: he wasn't able to run a report. My user, on the other hand, wasn't able to run t-codes like PFCG, and I also wasn't sure what roles he had. My aim was simply to find all roles in the system which have the particular cube (on top of which the user's report was built) assigned.

I needed to find the table that stores the assignment of InfoCube names to the authorization field RSINFOCUBE. I expected this to reveal the role in which the cube is restricted.


After digging into the system I found my table: AGR_1251 - Authorization data for the activity group. In its field LOW I entered the cube name (ZMM*) the report was based on, and as output I got the role name (Z_BW_ADMIN_EU). Restricting the selection to FIELD = RSINFOCUBE and ignoring rows flagged in DELETED keeps the result precise:


Normally this is visible in t-code PFCG -> Authorizations -> Display Authorization Data -> drilldown to the particular authorization object. However, as already said, I wasn't authorized to run t-code PFCG.

Disabling SSO in SAP app

Single Sign-On (SSO) is a great thing. It saves us from the slave labor of entering passwords into many different systems every time, as we are already logged into a trusted system (e.g. the operating system).

However, there are scenarios where we don't want to be authenticated via SSO and would like the system to ask us for logon credentials. The most basic case is when we are testing something. In such cases it comes in handy to know how to suppress SSO, e.g. temporarily.

For many SAP applications accessed via web browser, a special parameter is supplied that supports disabling SSO. Usually the parameter's name is SPNEGO, which stands for Simple and Protected GSSAPI Negotiation Mechanism. SPNEGO is actually a protocol used to determine whether common GSSAPI (Generic Security Services Application Program Interface) mechanisms are available; if so, it selects one and dispatches all security operations to it.

Whenever SPNEGO is used we are authenticated by SSO and there is no need to enter the password again. The parameter is provided in the URL of the application. How is the parameter used to disable SSO?

1. SAP Portal usage:

2. NWBC usage:

3. example case for JAVA AS usage:

4. example of common app usage:


Saturday, August 29, 2015

t-code STAUTHTRACE

I recently faced an authorization issue. As usual, I sent the output of t-code SU53 (evaluation of the last authorization check) to the SAP security team. As the colleague from security had some trouble identifying the objects for which authorization was missing for my user, we sat together to look at the issue. While we were working on it he showed me a new, interesting t-code whose existence I wasn't aware of before: STAUTHTRACE.

The t-code allows system-wide trace evaluation. This solves a very common issue in systems with multiple application servers, where otherwise you need to perform the analysis of authorization checks on the particular server the user is logged on to.
The trace is very detailed. It basically shows all the trace data (similarly to t-code SU22) needed to analyze any kind of authorization issue; it is that detailed, but limited to authorization checks only.


The new t-code is available as of the following NW releases: NW Basis 700 SP27, 701 SP12, 702 SP12, 730 SP8, 731 SP5 and NW 74+.


More information:
1707841 - STAUTHTRACE: System-wide trace evaluation
1603756 - Using StAuthTrace to record authorization checks

Tuesday, July 21, 2015

Setting up password expiration time in SAP NetWeaver ABAP stack

Once a new SAP user is created in the SAP NetWeaver ABAP stack and a password is generated, the password gets an expiration time. This is meant as a temporary password, as the user is expected to change it soon. The expiration time may vary as it is governed by an SAP instance parameter. The name of the instance parameter is:

login/password_expiration_time

The password expiration time (validity period of passwords) is given in days. The following values can be specified in the parameter: 0 means the user is not forced to change the password; any value other than 0 is the number of days after which users must change the password. The maximum permitted value is 1000 days. Note that initial passwords set by an administrator are additionally limited by the separate parameter login/password_max_idle_initial.


The value of the parameter can be maintained in t-code RZ11.

Friday, March 21, 2014

How to access BW objects that don't belong to the namespace you are authorized to access

A disclaimer first: notice that this blog post discusses activities done in the debugger while changing the values of variables. Such activities are usually not supposed to be executed. Bear in mind that you may cause serious harm to your system. If you decide to proceed, do it only after a real understanding of all consequences and only on a development and/or test system.

Sometimes a BW developer can face the following situation. You need to prototype new functionality (let's say a data flow) in the development system. However, per your developer authorization you get access to the customer namespace only, let's say ZZ*. You do not want to create your prototype objects in the ZZ* namespace; for the time being and for prototyping purposes you would like to use the YY* namespace. But as you are authorized for ZZ* only, every attempt to create any object will be denied by the system with an error message (in the case of a transformation, for example):

You have no authorization for the transformation rule
Message no. RSM904
Diagnosis
TLogo type of source: ODSO
Name of source: ZZ_DABC
TLogo type of target: CUBE
Name of target: ZZ_CBCD
Procedure
For the transformation you require authorization for the authorization object Data Warehousing Workbench - Transformation Rules with the field values stated above and activities 03, 16, or 23.


There is one function module (FM) that checks your authorization: RSSB_AUTHORITY_ADMWB_TR. By simply placing a breakpoint after the authorization check is called (in BW version SAP NetWeaver 7.3 SP08 it is line no. 69) and changing the value of sy-subrc to zero you can get past this error message. Note that changing variable values in the debugger itself requires authorization object S_DEVELOP with object type DEBUG and activity 02, which is exactly why that combination should not be granted in production systems.


Friday, March 8, 2013

Difference in SAP authorization: what is a role and what is a profile?

Authorization is commonly used as a synonym for authorization object, an element of the authorization system. It contains various fields (up to 10) which are checked at runtime. To pass the authorization check successfully, each field contained in the object must be checked successfully.

An example of a BW authorization object: Business Explorer - Components [S_RS_COMP] has the following fields:

1. Activity (ACTVT) has the following values, which grant access to:
01      Create or generate
02      Change
03      Display
06      Delete
16      Execute
22      Enter, Include, Assign

2. InfoArea (RSINFOAREA) grants access to particular InfoAreas created in BW (e.g. Finance, Purchasing, etc.).

3. InfoCube (RSINFOCUBE) grants access to particular InfoCubes created in BW (e.g. 0QM_C04, Business Content InfoCube Inspection Results: General Data).

4. Name (ID) of a reporting component (RSZCOMPID) grants access to BW report components, e.g. BEx query names.

5. Type of a reporting component (RSZCOMPTP) grants access to different BW reporting components:
CKF    Calculated key figure
QVW   Query View
REP     Query
RKF    Restricted key figure
SOB    Selection object
STR    Template structure
VAR    Variable

Notice that there are many other BW authorization objects, e.g.:
S_RS_COMP1 - Business Explorer - Components: Enhanced to the Owner
S_RS_FOLD - Business Explorer - Folder View On/Off
S_RS_HIER - Data Warehousing Workbench - Hierarchy
S_RS_ICUBE - Data Warehousing Workbench - InfoCube
S_RS_MPRO - Data Warehousing Workbench - MultiProvider
S_RS_ODSO - Data Warehousing Workbench - DataStore Object
S_RS_PARAM - Business Explorer - Variants in Variable Screen
S_RS_TR - Data Warehousing Workbench - Transformation
S_RS_WSPAC - BW Workspace
S_RS_XCLS - Front-end Integration - Xcelsius Visualization
S_RS_LPOA - Data Warehousing Workbench - Semantically Partitioned Object
S_RS_ISRCM - Data Warehousing Workbench - InfoSource (Direct Update)
S_RS_HIST - Authorizations for TLOGO Object History
S_RS_HYBR - Data Warehousing Workbench - HybridProvider
S_RS_IOMAD - Data Warehousing Workbench - Maintain Master Data
S_RS_ISOUR - Data Warehousing Workbench - InfoSource (Flexible Update)
R_STS_CUST - Planning: Customizing for Status and Tracking
S_RS_ADMWB - Data Warehousing Workbench - Objects
S_RS_AINX - Analytic Index
S_RS_AUTH - BI Analysis Authorizations in Role
S_RS_CPRO - Authorization Object for BW Composite Provider
S_RS_DTP - Data Warehousing Workbench - Data Transfer Process

A profile groups authorizations together (max 150 authorizations in one profile). BW applications are usually complex, comprised of many objects linked and working together; profiles are used to group the corresponding authorizations.

Finally we come to the Role. A role is a container of profiles, which makes it easier to track authorization requirements. A role also overcomes the limit of profiles, which can hold only 150 authorizations each.

Also note that classic SAP transaction codes (TA or t-codes) are not assigned directly to users. You assign them to roles; the role is then assigned to the user (TA SU01), and this automatically populates the profile assignment. That's why we see both tabs in SU01: the Role tab along with the Profile tab.
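The role -> profile -> authorization chain and the rule that every checked field of an authorization object must pass, shown as an added model with S_RS_COMP (example code written for this post, not SAP's implementation; the role, profile and cube names are constructed, and only the trailing * wildcard of PFCG field values is modelled):

```python
# Added example (not from the original post or SAP code): a simplified model of
# the role -> profile -> authorization chain and of how an authorization object
# check passes: all checked fields must match within ONE authorization, and any
# authorization the user holds may satisfy it.  Only the trailing '*' wildcard
# of PFCG field values is modelled; all names below are constructed.
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class Authorization:
    obj: str                        # authorization object, e.g. "S_RS_COMP"
    fields: dict[str, list[str]]    # field name -> permitted values

@dataclass
class Profile:
    name: str
    authorizations: list[Authorization] = field(default_factory=list)

@dataclass
class Role:
    name: str
    profiles: list[Profile] = field(default_factory=list)

def field_value_allowed(permitted: list[str], requested: str) -> bool:
    """'*' grants everything, 'ZMM*' grants the prefix ZMM, else exact match."""
    return any(p == "*" or p == requested
               or (p.endswith("*") and requested.startswith(p[:-1]))
               for p in permitted)

def authority_check(roles: list[Role], obj: str, **requested: str) -> bool:
    """Fields the caller does not pass are not checked; fields missing from an
    authorization fail, just as an empty field value does in SAP."""
    for role in roles:
        for profile in role.profiles:
            for auth in profile.authorizations:
                if auth.obj == obj and all(
                        field_value_allowed(auth.fields.get(f, []), v)
                        for f, v in requested.items()):
                    return True
    return False

# Constructed role: one generated profile with two S_RS_COMP authorizations,
# one to display/execute any reporting component under Finance InfoAreas and
# one to change queries on cube ZMM_C01 only.
BW_REPORTING = Role("Z_BW_REPORTING", [Profile("T-ZBWREP00", [
    Authorization("S_RS_COMP", {"ACTVT": ["03", "16"], "RSINFOAREA": ["FIN*"],
                                "RSINFOCUBE": ["*"], "RSZCOMPID": ["*"],
                                "RSZCOMPTP": ["REP", "CKF", "RKF", "VAR"]}),
    Authorization("S_RS_COMP", {"ACTVT": ["02"], "RSINFOAREA": ["*"],
                                "RSINFOCUBE": ["ZMM_C01"], "RSZCOMPID": ["ZMM*"],
                                "RSZCOMPTP": ["REP"]}),
])])
```

The point worth checking is that field values from two different authorizations never combine: ACTVT 02 from the second authorization together with a Finance InfoArea from the first does not pass.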