You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 15 Next »


BW Catalog of roles and authorizations objects used for each BW applications :

Link to the google doc :

WBP Security Matrix

Link to the matrix :

Authorizationmatrix.xls

Link for the documentation :

https://docs.google.com/spreadsheets/d/1ofQlLDNtRyb_RUc4OSu9TFfAPbVxoM7-QoEOr7A_zao/edit#gid=0

How to check user authorization

First, you need to know:

1. Username of the user
2. The query name that user use
3. Selection criteria that user enter at Prompt
How:
1. Go to Tcode: RSUDO
2. Enter username of the user and click on 'Start Transaction'
3. Enter query name and click on 'Execute + Debug' by selecting 'Execute and Explain
4. Mark option 'Authorization Log'
5. Enter selection criteria same as user, Then click on 'Execute'
6. The result will be the same as user. In this case, if there is authorization problem, it will show as below
7. Click back button, the system will explain why this user does not have authorization.


How to do authorization trouble shooting

After BW upgrading, the authorization way has changed a lot. 

The DSO DPBWAU01 will not be used any more.


Instead, security team will change authorizations directly into roles (for companies, plants, families, etc. )  .


3 kinds of rôles are used to control authorizations:

  • Rôle menus
  • Application menus
  • Perimeter Menus


How to find all existing rôles

1. Go to TCode PFCG

2. Select rôle "ZR_RCS_ALL_MENU" and click on the glass

3. In the "Rôles" tab, see all existing rôles


How to find the user's rôles

1. Go to TCode SU01

2. Choose the user and click on the glass

3. Go to "Rôles" tab and see the rôles authorized for this user 


Issues Rôle menu

Description :

The user can't see a rôle menu containing queries or workbooks


Solution : 

1. Find the menu rôles authorized for this user (ending with Mxx) 

2. Compare with the list of all existing menu rôles

3. Find the missing rôle and ask security team to add it to the user's authorizations.


Issues Application menu

Description :

The user can see a query in a rôle, can't execute it.


Solution : 

1. Find the application rôles authorized for this user (ending with Axx) 

2. Compare with the list of all existing application rôles

3. Find the missing rôle and ask security team to add it to the user's authorizations.


Issues Perimeter menu

Description :

The user can see a query in a rôle, can execute it, but can't access to a defined perimeter (Company, Plant, ...)


Solution : 

1. Find the perimeter rôles authorized for this user (not ending with Mxx nor Axx) 

2. Compare with the list of all existing perimeter rôles

3. Find the missing rôle and ask security team to add it to the user's authorizations.



Old documentation - no more used today in actual WBP application

And we can check user’s perimeters by checking table /BIC/ADPBWAU0100 in SE16.

Don't use

The former way of checking authorization object by RSSM is no longer applicable use RSECADMIN to check.


2.  

3. We can also use RSECADMIN to “Execution as” a user’s account, and then check logs to troubleshoot.

+Important : before to do it, you have to add some breakpoint on the Class Builder (SE24) to change the actual user because if not the user tested it will be your and not the user entered (execution as)

After you can use the RSECADMIN

4. For some authorization objects ( Z_PS kind of things ), sometimes a dimension might be missing. For example, CPFCTR1_2 was missing for PS. Then when we troubleshoot with a user’s account, it prompts “No authorization” and in the log, it shows CPFCTR1_2 is empty. Then we add the dimensions in Z_PS and it’s ok.

5. For dimensions with [] as below, if they exist in a query, we need to add filters for them in the Query Designer. The filters can be one of the three kinds:

  • User selection filters
  • Authorization filters
  • Customer exit filters


Authorization Contacts:

Security Team Contact: sbs-is-appli-sd-securite@solvay.com 


  • No labels