Analysis & Reporting: Bex Analyzer

Uploaded by

Shailaja Naidu
Copyright
© Attribution Non-Commercial (BY-NC)

Analysis & Reporting: BEx Analyzer 

Use
BEx Analyzer is Business Explorer's analytical, reporting, and design tool embedded in
Microsoft Excel. In BEx Analyzer, you can analyze and plan with selected InfoProvider data
by navigating, with the context menu or via drag and drop, within queries created in the BEx
Query Designer.
You can also design the interface for your queries by embedding design items such as the
analysis grid, dropdown boxes, and buttons into your Excel workbook, thus turning the
workbook into a query application.
Features
BEx Analyzer’s functionality is divided into two modes, each with a dedicated toolbar and
menu path:
Analysis mode – for performing OLAP analysis on queries
Design mode – for designing the interface for query applications
Analysis Mode
Working in analysis mode, you can accomplish the following types of tasks:
1. Launch the BEx Query Designer in order to define queries
2. Analyze selected InfoProvider data by navigating interactively within these queries
3. Navigate and analyze via the context menu or via drag and drop
4. Perform OLAP functionality such as filtering, drilling, and sorting
5. Execute planning functionality
6. Precalculate and distribute workbooks with the BEx Broadcaster
7. For advanced programming capabilities, embed your own customized VBA programs
(Visual Basic for Applications)
8. Save workbooks in your favorites or in your role on the server, or locally on your
computer
You access analysis mode functionality with its dedicated analysis toolbar or via the BEx
Analyzer menu.
See also:
Analysis Mode
Design Mode
Working in design mode, you can accomplish the following types of tasks:
1. Design the interface for your queries by embedding design items such as the analysis
grid, dropdown boxes, radio button groups, and buttons into your Microsoft Excel
workbook
2. Further customize your workbook with Excel’s formatting and chart functionality
You access design mode functionality with its dedicated design toolbar or via the BEx
Analyzer menu.
Design Mode
For general information about the way messages and errors are communicated in BEx
Analyzer, see General Error and Message Handling.
Integration
The following graphic provides an overview of how BEx Analyzer integrates into the
Business Explorer Suite:

Activities
To start BEx Analyzer, from the Windows Start menu, choose Programs --> Business
Explorer --> Analyzer.

Query Monitor - helpful tool for testing BI queries


Query Monitor is one of the BEx monitor tools. It lets you display and verify query
correctness, test variants and check additional query properties. To use it, start
transaction RSRT (you do not need the BW front end).

I usually use the Execute and Execute + Debug options. The Execute + Debug option lets you,
for example, check aggregates, set authorization breakpoints, run the query with BI Accelerator,
display the SQL statement for the query and show BW statistics.
You may choose different query display formats. The BEx Analyzer display format is by far the
fastest and the simplest, List gives you additional query options, and with the HTML format you
get a portal-like view.

You can also use the tool to check users' authorization to a query. To execute a query as
another user, start transaction RSUDO and choose a user and a query.

What's the basic difference between SU22 & SU24?
SU22 displays and updates the values in tables USOBT and
USOBX, while SU24 does the same in tables USOBT_C and
USOBX_C.
The _C stands for Customer.
The profile generator gets its data from the _C tables.
In the USOBT and USOBX tables the values are the SAP
standard values as shown in SU24.
With SU25 one can (initially) transfer the USOBT values to
the USOBT_C table.

Can we set any password limitations/exceptions in SAP? If yes, how?

There are many parameters and a table to manage password
limitations and exceptions.

login/password_expiration_time
login/min_password_lng
login/failed_user_auto_unlock
login/min_password_digits
login/min_password_letters
login/min_password_diff
login/password_max_new_valid
login/password_max_reset_valid

and Table USR40 to insert password exceptions
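
The parameters listed above can be reviewed offline by comparing an exported profile against a written baseline. The Python code below is an added example, not part of the original document: it parses "name = value" profile text and reports each login/* parameter from the list as OK, WEAK, INVALID or NOT SET. The sample profile is constructed and the baseline thresholds are assumptions chosen for illustration, not SAP defaults.

```python
# Constructed sample of profile text in "name = value" form (not from a real system).
SAMPLE_PROFILE = """\
# password rules
login/min_password_lng = 6
login/min_password_digits = 1
login/password_expiration_time = 0
login/failed_user_auto_unlock = 1
login/min_password_diff = abc
login/min_password_lng = 8
"""

# Baseline thresholds are assumptions for this example, not SAP defaults.
# Each entry: parameter -> (check on the integer value, wanted setting).
BASELINE = {
    "login/min_password_lng": (lambda v: v >= 12, "at least 12 characters"),
    "login/min_password_digits": (lambda v: v >= 1, "at least 1 digit"),
    "login/min_password_letters": (lambda v: v >= 1, "at least 1 letter"),
    "login/min_password_diff": (lambda v: v >= 3, "at least 3 changed characters"),
    "login/password_expiration_time": (lambda v: 1 <= v <= 90, "1-90 days (0 disables expiry)"),
    "login/failed_user_auto_unlock": (lambda v: v == 0, "0 (locks are not lifted automatically)"),
    "login/password_max_new_valid": (lambda v: 1 <= v <= 14, "1-14 days"),
    "login/password_max_reset_valid": (lambda v: 1 <= v <= 14, "1-14 days"),
}


def parse_profile(text):
    """Return {parameter: raw value}. '#' lines are comments; the last assignment wins."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        params[name.strip()] = value.strip()
    return params


def audit(params):
    """Return sorted (parameter, raw value, status) tuples for every baseline parameter."""
    findings = []
    for name, (is_ok, wanted) in BASELINE.items():
        raw = params.get(name)
        if raw is None:
            status = "NOT SET: kernel default applies, check the value in RZ11"
        elif not raw.isdecimal():
            status = "INVALID: not a non-negative integer"
        elif is_ok(int(raw)):
            status = "OK"
        else:
            status = "WEAK: want " + wanted
        findings.append((name, raw, status))
    return sorted(findings)


if __name__ == "__main__":
    for name, raw, status in audit(parse_profile(SAMPLE_PROFILE)):
        print(f"{name:34} {raw!s:6} {status}")
```

A parameter that is missing from the file is reported separately from a weak one, because the value actually in force is then the kernel default rather than anything visible in the profile.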


How to transport roles

1. Go to PFCG.
2. Enter the role which you want to transfer to the other system.
3. Go to Utilities -> Mass download. It will ask for the path where to download/save that
role on the local desktop.
4. Give the location and save it.
5. Next, log on to the system where you want that particular role.
6. Go to PFCG -> Role -> Upload.
7. Give the path where the role is saved. It accepts and generates
successfully.
This is one method.

What is an Authorization Group and when is it used? Explain
with an example.

An authorization group contains tables and views with the
same security requirements.
When you create or maintain a role, you assign an
authorization group to the role using the authorization
object S_PROGRAM (the authorization group is a field in
this authorization object).
You can create new roles or work on existing ones using
transaction PFCG.
Choose the Authorizations tab.
Under Maintain authorization data and generate profiles,
click the Change authorization data button.
The system asks you to choose a template.

Choose the Manually button. The authorization object
contains the field Authorization group: ABAP/4 program (the
P_GROUP field). You can enter an authorization group for
the report and thus assign it to your role.

The authorization object also has a field ABAP/4 program:
user action (the P_ACTION field). Set this field to SUBMIT.

Q6)
When do you get a screen for
"maintaining the authorization values for org elements"
in PFCG?
(i.e. the screen you get through PFCG --> AUTHORIZATION tab -->
CHANGE AUTHORIZATION DATA --> SCREEN FOR MAINTAINING ORG
ELEMENT VALUES)

If you attempt to create roles with functional tcodes,
it automatically asks you to maintain org levels in the
Authorizations tab of PFCG.

Usually we can maintain org levels in the derived role concept.

What is the procedure you follow in your company as a
security admin when an end user complains that he is unable
to perform or execute an action in a particular tcode?

We go to the tcode SUIM --> PROFILE --> BY AUTHORIZATION VALUE -->
S_TCODE --> PARTICULAR TCODE. This will provide us with a
list of profiles having that tcode. We can check the activities
of some profiles by double-clicking on them and can then
choose the profile of our interest.
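
The same question can be answered from table extracts when SUIM is not at hand. The Python code below is an added example, not part of the original document: it works on roles rather than profiles, using the AGR_1251 and AGR_USERS tables from the table list on this page, and covers only the S_TCODE start check. The CSV rows, role names, user names and dates are constructed, and the function names are hypothetical.

```python
import csv
import io

# Constructed extracts; the columns are a subset of AGR_1251 and AGR_USERS.
AGR_1251_CSV = """AGR_NAME,OBJECT,FIELD,LOW,HIGH
Z_FI_CLERK,S_TCODE,TCD,FB01,
Z_FI_CLERK,S_TCODE,TCD,FB03,
Z_FI_CLERK,F_BKPF_BUK,ACTVT,03,
Z_MM_BUYER,S_TCODE,TCD,ME21,ME23
Z_BASIS_DISPLAY,S_TCODE,TCD,SU*,
"""
AGR_USERS_CSV = """AGR_NAME,UNAME,FROM_DAT,TO_DAT
Z_FI_CLERK,JDOE,20240101,99991231
Z_MM_BUYER,JDOE,20230101,20231231
Z_BASIS_DISPLAY,ASMITH,20240101,99991231
"""


def load(text):
    """Read a CSV extract into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def value_matches(tcode, low, high):
    """Match one authorization value: LOW..HIGH range, trailing '*', or exact."""
    if high:
        return low <= tcode <= high
    if low.endswith("*"):
        return tcode.startswith(low[:-1])
    return tcode == low


def roles_granting(tcode, agr_1251):
    """Roles whose S_TCODE / TCD values cover the transaction code."""
    return sorted({r["AGR_NAME"] for r in agr_1251
                   if r["OBJECT"] == "S_TCODE" and r["FIELD"] == "TCD"
                   and value_matches(tcode, r["LOW"], r["HIGH"])})


def diagnose(user, tcode, today, agr_1251, agr_users):
    """Split the granting roles by how they relate to the user on the given date."""
    granting = roles_granting(tcode, agr_1251)
    valid, outside = [], []
    for a in agr_users:
        if a["UNAME"] != user or a["AGR_NAME"] not in granting:
            continue
        # Dates are YYYYMMDD strings, so string comparison orders them correctly.
        in_window = a["FROM_DAT"] <= today <= a["TO_DAT"]
        (valid if in_window else outside).append(a["AGR_NAME"])
    held = set(valid) | set(outside)
    return {"valid": sorted(valid),
            "outside_validity": sorted(outside),
            "not_assigned": [r for r in granting if r not in held]}


if __name__ == "__main__":
    roles, users = load(AGR_1251_CSV), load(AGR_USERS_CSV)
    for tcode in ("FB01", "ME22", "SU53"):
        print(tcode, diagnose("JDOE", tcode, "20240615", roles, users))
```

An entry under outside_validity means the role is assigned but its validity period does not include the date checked.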

Q3)
What is the difference between R/3 security and HR security?
Explain in detail, or its importance?

Hi,

The difference between R/3 and HR security is that in R/3 we can
restrict authorisation through auth objects and fields and
values. In HR we also use objects, but restrict through
infotypes and the personnel area defined in the HR org structure.

Moreover, in HR there is restriction through structure
profiles also.

In R/3 the security is through the General Auth. Profile, and in
HR security it is a combination of the Structural Auth. Profile
and the General Auth. Profile.
The General Auth. Profile is restricted through object and
field values. The Structural Profile is a data model based on
different object types and their relationships, which are
components of Personnel Management, i.e. 1. Organization
Management, 2. Personnel Development and 3. Time and Event
Management.

 Q1)
What is the difference between Derived Role & Copy Role?
Can't we just do a copy instead of deriving it when both
have the same characteristics or inputs or functions?

Derived role:
-------------
A derived role inherits all properties from the master role. That
means all authorizations.
If you make any changes in the master role, they will be reflected in
the child role, but not vice versa.

We can't add any authorizations in a derived role. But we can
maintain org levels.

Copy role:
----------
Copying a role means creating a role that is the same as an existing
role. Its name should be changed.

There is no relation between the existing role and the copied role.

What is the difference between SE16 and SE16N?
SE16 and SE16N both work the same, I mean they are used for table display.
SE16N is the new version of SE16. The difference could be the display settings. So my
advice is to execute both transactions; only then will you come to know. So
try it.

Hi,

SE16 - SAPLSETB - Data Browser
SE16N - RK_SE16N - General Table Display

SE16:
** SE16 is a data browser and it is used to view the
contents of the table. We cannot change or append new
fields to the existing structure of the table, as we cannot
view the structure level display using SE16.

SE16N:
** The transaction code SE16N (general table display) is an
improved version of the old data browser (SE16). It has
been around for some time, but is not widely known amongst
consultants and end users of SAP. It looks a bit different
to the old “data browser” functionality (SE16).

** Once you have entered your table name, type "&SAP_EDIT"
without the quotation marks into the transaction code. This
enables editing functionality on SE16N and allows you to
make table changes. This allows you to access both
configuration and data tables which may be otherwise locked
in a production environment.

** Whilst this may appear to be a short cut and allow you
to access a back door which is normally shut, this hidden
feature should be used with caution in any SAP client -
especially a live or production system.

New Features of SE16N:
** The new transaction has a number of distinct advantages
over SE16.
** You no longer have a maximum of 40 fields to select in
the output.
** There are fewer steps involved in executing a number of
functions, whether it be outputting the results,
maintaining the values in a table etc.
** Exporting the data into Excel is far easier and quicker
** ALV functionality is available as standard
** The user is not restricted by having a maximum width of
1023 saved as a default in the user settings.

Limitations of SE16N:
** You can only output one table at a time. If you wish to
output more than one table you can use the available
reporting tools or the QuickViewer (transaction code SQVI)
functionality within SAP.

Mr. Prabhu explained a complete list of the differences. I
only want to add the following information:
It is possible to find all changes executed by transaction
SE16N in the following tables:
SE16N_CD_KEY -> Table Display: Change Documents – Header
SE16N_CD_DATA -> Table Display: Change Documents – Data

There is a new security note that blocks the function
&SAP_EDIT.

Security Transaction Codes
Security PFCG Role Maintenance
Security PFUD User Master Data Reconciliation
Security S_BCE_68001397 Users According to Complex Criteria
Security S_BCE_68001398 Users According to Complex Criteria
Security S_BCE_68001400 Users According to Complex Criteria
Security S_BCE_68001406 Profiles by Authorization Values
Security S_BCE_68001420 Act. Grps According to Complex Crit.
Security S_BCE_68001423 Act. Grps According to Complex Crit.
Security S_BCE_68001425 Act. Grps According to Complex Crit.
Security S_BCE_68001426 Transactions for User
Security S_BCE_68001430 Comparisons
Security S_BCE_68001439 For user
Security S_BCE_68002041 Executable for Role
Security SCU3 Table History
Security SCUA Central User Administration
Security SCUL Central User Administration Log
Security SE93 Maintain Transaction Codes
Security SECR Audit Information System
Security SH01 Online help: F1 Help server
Security SM18 Reorganize Security Audit Log
Security SM19 Security Audit Configuration
Security STUN Menu Performance Monitor
Security SU_REFUSERVARIABLE Maintain reference user variables
Security SU0 Maintain Own Fixed User Values
Security SU01 User Maintenance
Security SU01_NAV User maint. to include in navigation
Security SU01D User Display
Security SU02 Maintain Authorization Profiles
Security SU03 Maintain Authorizations
Security SU05 Maintain Internet Users
Security SU1 Maintain Own User Address
Security SU10 User Mass Maintenance
Security SU12 Mass Changes to User Master Records
Security SU2 Maintain Own User Parameters
Security SU20 Maintain Authorization Fields
Security SU21 Maintain Authorization Objects
Security SU22 Auth. Object Usage in Transactions
Security SU24 Auth. Obj. Check Under Transactions
Security SU24_CHECK Switch Off Authorizations: Test
Security SU25 Upgrade Tool for Profile Generator
Security SU26 Upgrade Tool for Profile Generator
Security SU3 Maintain Users Own Data
Security SU50 Own data
Security SU51 Maintain Own User Address
Security SU52 Maintain Own User Parameters
Security SU53 Evaluate Authorization Check
Security SU55 Call the Session Manager menus
Security SU56 Analyze User Buffer
Security SU80 Archive user change documents
Security SU81 Archive user password change doc.
Security SU82 Archive profile documents
Security SU83 Archive authorization docs.
Security SU84 Read Archived User Change Documents
Security SU85 Read Archived Password Change Doc.
Security SU86 Read Profile Change Documents
Security SU87 Read Authorization Change Documents
Security SU96 Table maint.: Change SUKRIA
Security SU97 Table maint.: Display SUKRIA
Security SU98 Call Report RSUSR008
Security SU99 Call report RSUSR008
Security SUCOMP User company address maintenance
Security SUCU Table authorizations: Customizing
Security SUDDIREG Maintain UDDI Registries
Security SUGR Maintain User Groups
Security SUGR_NAV Maintain User Groups
Security SUGRD Display user groups
Security SUGRD_NAV Display User Groups
Security SUIM User Information System
Security SUIM_OLD Call AUTH Reporting Tree (Info Sys
Security SUMG Unicode Migration Tool
Security SUPC Role Profiles
Security SUPN Number range maint.: PROF_VARIS
Security SUPO Maintain org. levels
Security SUPO_PREPARE Maintain Organizational Levels
Security SUUM Global User Manager
Security SUUMD Display User Administration
Security TU02 Parameter changes

End User

Transaction Code | Menu Path | Purpose
SU3 | System --> User Profile --> Own Data | Set address/defaults/parameters
SU53 | System --> Utilities --> Display Authorization Check | Display last authority check that failed
SU56 | Tools --> Administration --> Monitor --> User Buffer | Display user buffer

Role Administration

Transaction Code | Menu Path | Purpose
PFCG | Tools --> Administration --> User Maintenance --> Roles | Maintain roles using the Profile Generator
PFUD | <none> | Compare user master in dialog. This function can also be called in the Profile Generator: Environment --> Mass compare. The Job for user master comparison is: PFCG_TIME_DEPENDENCY (to Release 4.0 RHAUTUP1)
SUPC | Tools --> Administration --> User Maintenance --> Roles --> Environment --> Mass Generation | Mass Generation of Profiles

User Administration

Transaction Code | Menu Path | Purpose
SU01 | Tools --> Administration --> User Maintenance --> Users | Maintain Users
SU01D | Tools --> Administration --> User Maintenance --> Display Users | Display Users
SU10 | Tools --> Administration --> User Maintenance --> User Mass Maintenance | User mass maintenance
SU02 | Tools --> Administration --> User Maintenance --> Manual Maintenance --> Edit Profiles Manually | Manually create profiles
SU03 | Tools --> Administration --> User Maintenance --> Manual Maintenance --> Edit Authorizations Manually | Manually create authorizations

Profile Generator Configuration

Transaction Code | Menu Path | Purpose
RZ10 | Tools --> CCMS --> Configuration --> Profile Maintenance | Maintain system profile parameters (auth/no_check_in_some_cases = Y).
SU25 | IMG Activity: Enterprise IMG --> Basis Components --> System Administration --> Users and Authorizations --> Maintain authorizations and profiles using Profile Generator --> Work on SAP check indicators and field values. Select: Copy SAP check ID's and field values | Installation: 1. Initial Customer Tables Fill. Upgrade: 2a. Preparation: Compare with SAP values; 2b. Reconcile affected transactions; 2c. Roles to be checked; 2d. Display changed transaction codes
SU24 | Same as for SU25: Select: Change Check Indicators | Maintain Check Indicators; Maintain Templates

Transport

Transaction Code | Menu Path | Purpose
SCCL | Tools --> Administration --> Administration --> Client Administration --> Client Copy --> Local Copy | Local client copy (within one system, between different clients)
SCC9 | Tools --> Administration --> Administration --> Client Administration --> Client Copy --> Remote Copy | Remote Client Copy (between clients in different systems). Data exchange over a network (not files).
SCC8 | Tools --> Administration --> Administration --> Client Administration --> Client Transport --> Client Export | Client transport (between clients in different systems). Data exchange using a data export at operating system level.
<none> | Tools --> Administration --> User Maintenance --> Roles --> Environment --> Mass Transport | Mass transport of roles
<none> | Tools --> Administration --> User Maintenance --> Roles --> Role --> Upload/Download | Upload/Download of Roles
SU25 | Point 3. | Transport of Check indicators
STMS | Tools --> Administration --> Transports --> Transport Management System | Transport Management System

System configuration

Transaction Code | Menu Path | Purpose
RZ10 | Tools --> CCMS --> Configuration --> Profile Maintenance | Maintain system profile parameters (auth/no_check_in_some_cases = Y).
RZ11 | | Description of system profile parameters
SM01 | Tools --> Administration --> Administration --> Transaction Code Administration | Lock transaction codes from execution

Authorization Object

Transaction Code | Menu Path | Purpose
SU20 | Tools --> ABAP Workbench --> Development --> Other Tools --> Authorization Objects --> Fields | List of authorization fields
SU21 | Tools --> ABAP Workbench --> Development --> Other Tools --> Authorization Objects --> Objects | List of authorization objects (Initial screen lists by object class)

Audit

Transaction Code | Menu Path | Purpose
SE84 | Tools --> Administration --> User Maintenance --> Information System | Information System for SAP R/3 Authorizations
SECR* | <none> | Audit Information System

SAP Security Tables

  Table Description
USR02 Users Data (logon data) RSUSR020
USR04 User master authorization (one row per user)  
UST04 User profiles (multiple rows per user)  
USR10 Authorisation profiles (i.e. &_SAP_ALL)  
UST10C Composite profiles (i.e. profile has sub profile)  
USR11 Text for authorisation profiles  
USR12 Authorisation values RSUSR030
USR13 Short text for authorisation  
USR40 Table for illegal passwords  
USGRP User groups  
USGRPT Text table for USGRP  
USH02 Change history for logon data  
USR01 User Master (runtime data)  
USER_ADDR Address Data for users  
AGR_1016 Role and Profile RSUSR020
AGR_1016B Role and Profile  
AGR_1250 Role and Authorization data  
AGR_1251 Role Object, Authorization, Field and Value RSUSR040
AGR_1252 Organizational elements for authorizations  
AGR_AGRS Roles in Composite Roles  
AGR_DEFINE To See All Roles (Role definition) RSUSR070
AGR_HIER2 Menu structure information - Customer vers  
AGR_HIERT Role menu texts  
AGR_OBJ Assignment of Menu Nodes to Role  
AGR_PROF Profile name for role  
AGR_TCDTXT Assignment of roles to Tcodes  
AGR_TEXTS File Structure for Hierarchical Menu - Cus  
AGR_TIME Time Stamp for Role: Including profile  
AGR_USERS Assignment of roles to users  
USOBT Relation transaction to authorization object (SAP)  
USOBT_C Relation Transaction to Auth. Object (Customer)  
USOBX Check table for table USOBT  
USOBXFLAGS Temporary table for storing USOBX/T* chang  
USOBX_C Check Table for Table USOBT_C  
TSTCA Transaction Code, Object, Field and Value  

SAP Security Reports

   

SAP Security Report Name | Description
RSUSR_SYSINFO_ROLE (YOU NEED TO LOG ON TO THE CENTRAL SYSTEM FOR THIS) | Report cross-system information/role STANDARD SELECTION, User name, Receiving system, SELECT ROLE Role
RSUSR_SYSINFO_PROFILE (YOU NEED TO LOG ON TO THE CENTRAL SYSTEM FOR THIS) | Report cross-system information/profile STANDARD CRITERIA User Name, Receiving system, Profile
RSUSRSUIM | Same as SUIM User Information System
RSUSR402 | Download user data for CA manager from Secude
RSUSR300 | Set External Security Name for all Users
RSUSR200 | List of Users According to Logon Date and Password Change
RSUSR102 | Change Documents for Authorizations
RSUSR000 | Currently Active Users Tcodes SU04 and AL08
RSUSR002 | Users by Complex Selection Criteria (search by User, Group, User Group, Reference User, User ID Alias, Role, Profile Name, Tcode, SELECTION BY FIELD NAME, Field Name, SELECTION BY AUTHORIZATIONS Authorization Object, Authorization, SELECTION BY VALUES, Authorization Object 1, AND Authorization Object 2, AND Authorization Object3, ADDITIONAL SELECTION CRITERIA, Account number, Start Menu, Output Device, Valid Until, Locked Users ONLY, Unlocked Users Only, CATT Check ID)
RSUSR002_ADDRESS | Select User According to Address, NAMES, First Name, Last Name, User, COMMUNICATION PATHS, Company, City, Buildings, Room, Extension, OTHER DATA, Department, Cost Center
RSUSR003 | Check the Passwords of Users SAP* and DDIC in All Clients (SAP* DDIC SAPCPIC)
RSUSR004 | Restrict User Values to the following Simple Profiles and Auth Objs SELECTION CRITERIA Single Profiles, Authorization Objs
RSUSR005 | List of Users with Critical Authorizations (SAME AS RSUSR009 but difference is here you can't choose)
RSUSR006 | List of Users According to Logon Date and Password Change
RSUSR007 | List Users Whose Address Data is Incomplete (here give the Required Address Data)
RSUSR008 | Critical Combinations of Authorizations at Transaction Start (Can view either Critical Combinations or Users)
RSUSR009 | List of User with Critical Authorizations SAME AS RSUSR005 but here you can (Check using either customer data or Check using SAP data)
RSUSR010 | Transaction for User with Profile or Authorization (Transaction executable either by, User, with Role, Profile, Authorization)
RSUSR011 | Lists of transactions after selection by User, profile or obj SELECTION FOR User
RSUSR012 | Search authorizations, profiles and users with specified object value (DISPLAY authorization objects, DISPLAY authorizations, DISPLAY profiles, DISPLAY users)
RSUSR020 | Profiles by Complex Criteria SELECTION CRITERIA Profile, Profile test, ADDITIONAL CRITERIA FOR PROFILES, Composite Profile, Single Profile, Generated Profiles, SELECTION BY CONTAINED PROFILES Profile, SELECTION BY AUTHORIZATIONS, Authorization Object, Authorization, SELECTION BY VALUES, Auth obj, auth obj2, auth obj3, SELECTION BY ROLE
RSUSR030 | Authorizations by Complex Selection Criteria SELECTION CRITERIA, Auth Object, Authorization, BY VALUES
RSUSR040 | Authorization Objects by Complex Criteria, STANDARD SELECTIONS, Authorization object, ADDITIONAL CRITERIA Object class, Obj class text, Field
RSUSR050 | COMPARISONS, Compare Users, USER A ------ USER B--------, ROLES, PROFILES, AUTHORIZATIONS, Across Systems
RSUSR070 | Roles by Complex Selection Criteria STANDARD SELECTION Role, Description, SELECTION BY USER Assignments
RSUSR100 | Change Documents for Users
RSUSR101 | Change Document for Profiles
