Question:
Hi experts!
When we run a query the Notification Number BRAIN 804 pops up - You do not have authorization to read object...
The query is defined using one hierarchy on profit center and a variable filled by authorization on profit center as well.
Now, the variable is filled with the right values, that can be verified. And if we remove the hierarchy from the query it works perfect.
So we activated the object 0TCTAUTHH and put that into a new authorization object together with profit center. Both the old and the new object are checked in the cube. We give authorization for all hierarchies and all nodes. But it still does not work.
Even when we create a small hierarchy with only the one node which the user has access to in it, we still get the same message.
When we run the Authorization Check Log from RSSM we get the following text that hints at the problem
Authorization Check for Reporting Authorizations:
SUBNR 1
ZPROFIT_CTR Authorization Object Is Being Checked
NB_OP_W_DE00 Authorization Being Checked
ZPROFIT_CTR
Authorized Values:
[ DE ,
Reading Hierarchy Authorizations:
Hierarchy Selections Check:
Check of Hierarchy Selection Against Authorized Values:
Not All Nodes and Leaves Can Be Compared with Values
0 0 66- 1
Result of All Checks for the Characteristic
ZPROFIT_CTR Not All Authorization Checks for the Authorization Objetc Were Sucessful
It seems that is where the problem occurs, but I cannot understand how to solve it. Any of you experts out there that have an idea?
We run on 3.1 with support pack 12.
Thanks!
/Jan
Answer:
Both the old and the new object are checked in the cube
This complicates things (there are some notes describing similar situations) the old object should be redundant, I suggest you don't have it checked for this cube.
As you have discovered 0TCTAUTHH must be included when an active hierarchy is associated with an authorization relevant object. Contrary to what you may expect, when the hierarchy is active access is governed by the node authorizations; when it is not the InfoObject assignments apply. The exception is when you have * in either, in which case full access is granted.
In the authorization you would need something like:
TCTAUTHH= MYNODE
PROFIT_CTR = PC1, PC2, PC3
... assuming PC1,2 and 3 are the leaves that are authorized by MYNODE hierarchy authorization.
I have had so many problems with hierarchy authorizations that I have recently eliminated them by introducing a copy of [e.g.] costcentre as a navigable attribute of costcentre master data (assigned in transfer rules) and using it to limit access as a query filter restricted by an authorization variable. This allows access to be granted based on the value of cost centre alone irrespective of whether any hierarchy is active -- much easier to maintain!