cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

BPC Embedded Authorization issue (how to separate read/write in one report)

Go to solution
former_member539392
Participant

on ‎11-18-2020 12:19 PM

0 Kudos

Hi Experts,

hope you're doing well!

I'm writing with regard to authorization issue we can't implement.

Task:

to get an input report, which will display 2 values of PLANT dimension (technical name Z4WHC) (according to authorization) in this case, for the first value of dimension (E14) data will be available for input; for the second (E20) - only for reading:

I have already pursue this matter I tried to separate via authorizations, but the result is not what I expected.

In order to resolve this matter I did next:

1. Key Figure Z4WHC has been made relevant to authority

2. tc RSECADMIN - had been created permissions for the Z4WHC object (values E14 and E20, 0TCAACTVT = 02 and 03), assigned to the user

3. Created an input request - the input request is opened, input is available for both E14 and E20. But I need input for E14 only.

4. tc RSECENVI - assigned the authority from paragraph 2 (of this list) for Environment

5. Created a model in BPC Web Client, added a composite to the model for checking authorizations

6. Created Data Access Profiles. Specified E14 - write, E20 - read in the Access Right field

7. Created a workbook, assigned a planning model to it

8. Update the request for 2 dimension values (E14 + E20) - message no authorization - EYE-007 You do not have sufficient authorization for InfoProvider <Provider name>. The input request does not open

9. In this case, if you update only by E14 - the request is opened for input.

Q1:

Is it possible using DAP to differentiate access in one report and get a report simultaneously for 2 values, while E14 - for writing, E20 - for input?

I am aware that this can be done via Data Slices;). But what about locks in this case, if the second user needs to open the same report, but using E14 for viewing, and E20 for input?

Q2:

What solution can be used for such cases?

BW/4HANA 2.0 (SP04)

BPC11.1 Embedded (SP03)

Best regards,

Alex.

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

gregor_dieckmann
Advisor
Advisor
‎11-19-2020 11:20 AM

Hi Alexander,

authorization and data slices are independent concepts. The third aspect here is the lock concept that is based on 'data region' locks based on the static query filter and the lock relevant structure elements in the query definition.

So with authorization you cannot control whether data cells are input-ready or not; this concept does not help here. You need a data slice to control data protection based on the authorization. This solves the protection problem. But as you mentioned this will lead to a data locking problem when user A works on E14 in change mode, E20 in read mode and user B just the other way round. The reason is that data slices and the data region to be locked are also independent. The reason for the latter is that in the general case the locked data region has to be a cart. set, to remove not authorized regions or regions protected in data slices from this set can lead to maybe very complex non cart. sets that would make the BW enqueue server extremely complex (not to mention the performance problem such a design would cause).

So with standard features this cannot be achieved. In a two structure query you could use structure elements restricted to E14, E20, respectively and make one of the elements not lock relevant. But this is a static solution; for a dynamic solution one would need an exit that controls the lock relevant flag based on the authorization for E14, E20.

But if the situation is just as you describe you may use and ABAP Enhancement in class CL_RSPLS_ENQ, method PREPARE_SELECTION: you remove the not authorized values in the exporting table E_T_CHASEL at the end of the method. In this case you should only work with lists of single values in the selection; this makes it easy to remove corresponding values in E_T_CHASEL (selection in 'normal form' for the BW enqueue server).

Remark:

The data in E_T_CHASEL are displayed in transaction RSPLSE.

Attention:

In BW/4 2.0 SP04 and higher the method with the same name in class CL_RSPLS_ENQ_SRVS is used for the same purpose.

Regards,

Gregor

Show replies
Show replies
former_member539392
Participant
‎11-20-2020 1:26 PM
0 Kudos

Hi Gregor,

many thanks for your qualified answer and clarifying of some questions that I wasn't been sure. I really appreciate your help!

Best Regards,

Alex.

Answers (0)

Ask a Question