SAP BI Authorizations


SAP BI 7.0 Authorization - Part 1: InfoObjects level authorization


The new SAP BI 7.0 authorization concept (analysis authorization) changes a lot in how BI information is accessed, analyzed and displayed. The approach allows you to restrict data access at the key figure, characteristic, characteristic value, hierarchy node, and InfoCube levels, which enables more flexible data access management.

Analysis authorization is active by default in SAP BI 7.0 systems, and I think it is worth spending some time looking more closely at the new concepts and features. In part one of this two-article series, I will show you how you can restrict access to SAP BW reports on InfoObjects level.

Initial settings
First, activate the business content objects (TCode RSORBCT) related to authorizations:

InfoObjects 0TCA*
InfoCubes 0TCA*

and set the following InfoObjects as Authorization-Relevant:

0TCAACTVT (activity such as Display)
0TCAIPROV (InfoProvider authorization)
0TCAVALID (validity period of authorization)
0TCAKYFNM (if you want to restrict access to key figures)

Characteristics authorization
Use TCode RSA1, go to Modelling -> InfoObjects. Display properties of the characteristic to which you want to restrict access and set it as Authorization-Relevant.

Characteristics values authorization


To authorize characteristic values, you need to create a new authorization object through TCode RSECADMIN. The following steps show how to allow users to access specific sales organizations (e.g., New York, San Francisco, Dallas).

1. Create a new authorization object (e.g., Z_SORG_B).

2. Choose characteristic and press Details button.

3. Select the sales organizations (e.g., 1612 - New York, 1614 - San Francisco, 1615 - Dallas). Available operators: EQ - single value, BT - range of values, CP - pattern ending with (*) (e.g., abc*). You also have the option to Include (I) or Exclude (E) values.

Attributes authorization
To authorize navigational attributes, set them as Authorization-Relevant.

Hierarchies authorization
To grant authorization at hierarchy level, edit or create an authorization object (e.g., Z_SORG_B), add the hierarchy and nodes, and choose the type of authorization.

Key figure authorization


To grant authorization to a particular key figure, add the special object 0TCAKYFNM to the authorization object (e.g., Z_SORG_B), and choose the key figure to be authorized.

Summary
InfoObject level authorization gives you great flexibility, but keep the system limitations in mind. Avoid setting too many characteristics as authorization-relevant (more than 10 in a query). All marked characteristics are checked for existing authorization if they are in a query or in an InfoProvider that is being used. Too many authorization objects may slow query execution. The exception is characteristics with all (*) authorization. If you want to check which InfoObjects are authorization-relevant in your BI system, use TCode RSECADMIN -> Authorization Maintenance and display the 0BI_ALL authorization. You will find more about 0BI_ALL in the article on creating and assigning authorization.

Remember that authorizations do not work the way filters do. This means that a user who executes a query in which characteristics are authorization-relevant must have sufficient authorization for those characteristics (the "all-or-nothing" rule). The exceptions are hierarchies in the drilldown and variables that are dependent on authorization.
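The difference between the all-or-nothing rule and a filter, using the EQ, BT and CP operators and the I/E signs from the steps above, shown as an added example that is not SAP code and not from the original article. It is a simplified model: the row layout and function names are hypothetical, treating an Exclude row as overriding Include rows is an assumption, and the hierarchy and variable exceptions are not modelled.

```python
# Simplified model, not SAP code. Rows are (sign, operator, low, high).
# Constructed sample: authorization Z_SORG_B from the steps above.
Z_SORG_B = [
    ("I", "EQ", "1612", None),    # New York
    ("I", "BT", "1614", "1615"),  # San Francisco to Dallas
]

def row_matches(op, low, high, value):
    """Apply one EQ / BT / CP row to a characteristic value."""
    if op == "EQ":
        return value == low
    if op == "BT":
        # String comparison; assumes equal-length keys such as 4-digit codes.
        return low <= value <= high
    if op == "CP":
        if not low.endswith("*"):
            raise ValueError("CP pattern must end with *")
        return value.startswith(low[:-1])
    raise ValueError(f"unknown operator {op!r}")

def value_authorized(rows, value):
    """Included by some I row and hit by no E row (assumption: E wins)."""
    def hit(sign):
        return any(row_matches(op, lo, hi, value)
                   for s, op, lo, hi in rows if s == sign)
    return hit("I") and not hit("E")

def check_query(rows, requested):
    """All-or-nothing: one unauthorized value rejects the whole query."""
    missing = sorted(v for v in requested if not value_authorized(rows, v))
    return (not missing, missing)

def filter_values(rows, requested):
    """What a filter would return; shown only for contrast."""
    return [v for v in requested if value_authorized(rows, v)]

if __name__ == "__main__":
    print(check_query(Z_SORG_B, ["1612", "1615"]))
    print(check_query(Z_SORG_B, ["1612", "1613"]))
    print(filter_values(Z_SORG_B, ["1612", "1613"]))
```

A query that selects 1612 and 1613 is rejected as a whole under this model, whereas a filter would have silently returned the 1612 rows.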

PART II
In the previous articles I discussed InfoObjects level authorizations. Now I will focus on creating and assigning authorization.

Creating authorization
To create an analysis authorization, perform the following steps:

1. Use TCode RSECADMIN, go to the Authorizations tab.
2. Press the Maint. button, enter a name (e.g., Z_USR_A1) and press Create.
3. Fill in the required Short Text field.
4. Insert the special characteristics 0TCAACTVT, 0TCAIPROV, and 0TCAVALID by pressing the Insert Special Characteristics button.
5. Insert authorization-relevant characteristics and navigational attributes (Insert Row -> press F4 -> choose item). I described how to set InfoObjects as authorization-relevant in previous articles.
6. Press the Details button to restrict values and hierarchy authorization of the inserted items.
7. Save the authorization.

You must include the special characteristics 0TCAACTVT (activity), 0TCAIPROV (InfoProvider), and 0TCAVALID (validity) in at least one authorization for a user. They are used for:

0TCAACTVT - to restrict the authorization to activities, default value: Display;
0TCAIPROV - to restrict the authorization to InfoProviders, default value: all (*);
0TCAVALID - to restrict the validity of the authorization, default value: always valid (*).

If you want to authorize access to key figures, add the 0TCAKYFNM characteristic to the authorization. It is important to know that if this characteristic is authorization-relevant, it will always be checked during query execution.

0BI_ALL authorization
The 0BI_ALL authorization includes all authorization-relevant characteristics. It is automatically updated when you restrict a BI InfoObject. Use this authorization if you have users that are allowed to execute all queries.

Assigning authorization to a user
You may assign an authorization directly to a user or to a role. To assign an authorization directly, use TCode RSECADMIN, go to the User tab and press Assign. Now enter the user name, press Change and select the authorization. To assign an authorization to a role, use TCode PFCG, enter the role name and press Change. On the Authorization tab, change the authorization data by adding an S_RS_AUTH entry. This entry includes analysis authorizations in roles. Enter here the authorization that you previously created.
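A review check over both assignment paths described above (direct assignment and S_RS_AUTH in a role), added here as an example and not taken from the original article or from SAP. The dictionaries are constructed sample data in a hypothetical layout; user names, role names and the characteristic ZSORG are invented, and the check reads the rule above as requiring one authorization that contains all three special characteristics.

```python
SPECIAL = frozenset({"0TCAACTVT", "0TCAIPROV", "0TCAVALID"})

# Constructed sample data (hypothetical layout, not an RSECADMIN export).
AUTHS = {  # authorization name -> characteristics it contains
    "Z_USR_A1": {"0TCAACTVT", "0TCAIPROV", "0TCAVALID", "ZSORG"},
    "Z_SORG_B": {"ZSORG"},
    "0BI_ALL": {"0TCAACTVT", "0TCAIPROV", "0TCAVALID", "ZSORG"},
}
DIRECT = {"ALICE": ["Z_USR_A1"], "BOB": ["Z_SORG_B"], "CAROL": []}
USER_ROLES = {"ALICE": [], "BOB": ["Z_ROLE_SALES"], "CAROL": ["Z_ROLE_BI_ALL"]}
ROLE_S_RS_AUTH = {  # role -> authorizations entered in its S_RS_AUTH entry
    "Z_ROLE_SALES": ["Z_SORG_B"],
    "Z_ROLE_BI_ALL": ["0BI_ALL"],
}

def effective_auths(user):
    """Union of directly assigned and role-assigned authorizations."""
    names = set(DIRECT.get(user, []))
    for role in USER_ROLES.get(user, []):
        names.update(ROLE_S_RS_AUTH.get(role, []))
    return sorted(names)

def review(user):
    """Summarise what a reviewer needs to know about one user."""
    names = effective_auths(user)
    return {
        "authorizations": names,
        "has_0bi_all": "0BI_ALL" in names,
        # At least one authorization must carry all three special characteristics.
        "has_special": any(SPECIAL <= AUTHS.get(n, set()) for n in names),
    }

def findings():
    """List (user, issue) pairs for follow-up."""
    out = []
    for user in sorted(set(DIRECT) | set(USER_ROLES)):
        r = review(user)
        if r["has_0bi_all"]:
            out.append((user, "0BI_ALL assigned"))
        if not r["has_special"]:
            out.append((user, "no authorization with all special characteristics"))
    return out

if __name__ == "__main__":
    for user, issue in findings():
        print(f"{user}: {issue}")
```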

Summary
I encourage you to collect all requirements related to BI security, the structure of the organization and authorization needs before starting authorization preparation. I have learned that it can save a lot of time. The organization's hierarchy can facilitate your work by providing structures and levels of authorization. Indirect authorization assignment can also save you time because it is more flexible and easier to maintain.
