BW Authorization Thru Auth Variables

Field Based Authorization in BW BEx queries
SAP DEVELOPER NETWORK | sdn.sap.com BUSINESS PROCESS EXPERT COMMUNITY | bpx.sap.com

2006 SAP AG 1
Applies to:
SAP BW version 3.5 (Netweaver 2004 BI)
Summary
The document will run the readers through a step-by-step example of how to enable field-based
authorizations in BEx queries. The article assumes no prior knowledge of authorization objects and provides
an exhaustive solution replete with screenshots for clear understanding of the configuration.
Author(s): Nikhil Chowdhary

Company: Infosys Technologies Limited

Created on: 05 October 2006

Author Bio
Nikhil Chowdhary is a SAP Certified Solution Consultant for Netweaver 2004 BI and is
currently working as an Associate Consultant for Infosys Technologies Limited



2006 SAP AG 2
Table of Contents
Applies to:........................................................................................................................................ 1
Summary.......................................................................................................................................... 1
Author Bio........................................................................................................................................ 1
The Requirement............................................................................................................................. 3
Step-by-step guide to add authorization on the cost center object................................................. 3
Step 1: Define the 0COSTCENTER InfoObject as Authorization Relevant:................................ 3
Step 2: Create a reporting authorization object for this InfoObject:............................................. 3
Step 3: Assign the authorization object to the relevant InfoProviders: ........................................ 4
Step 4: Add this new authorization object to the relevant roles/users:........................................ 5
Step 5: Add a variable to the query:............................................................................................. 6
Disclaimer and Liability Notice......................................................................................................... 8



2006 SAP AG 3
The Requirement
We want to give users only to specific values of an InfoObject when executing BEx Queries, i.e., they will see
data only having the values assigned to them for this field. Lets take an example for this: Say we want the
users to see data only pertaining to their cost centers. Following are the steps that need to be followed
Step-by-step guide to add authorization on the cost center object
Step 1: Define the 0COSTCENTER InfoObject as Authorization Relevant:
Open the InfoObject in change mode and go to the Business Explorer TAB. There is a check box at the
bottom of the general settings section that needs to be checked to make the InfoObject Authorization
relevant. Unless this is done, the object will not be visible in RSSM and thus it will not be possible to create
an Authorization Object based on this InfoObject.

Step 2: Create a reporting authorization object for this InfoObject:
This would be done through transaction RSSM. Go to transaction RSSM and create a new authorization
object from the top box:



2006 SAP AG 4

The create button will throw up a screen asking for the Authorization object name & description. Once you
enter these values, the next screen will give you options to choose your InfoObject from a list of all objects
that have been marked as relevant for Authorization (through Step1). Select the 0COSTCENTER object and
transfer it to the left pane. Once its done it should look like the screen below:

Step 3: Assign the authorization object to the relevant InfoProviders:
This is again done through transaction RSSM. This will force the reporting authorization object to be checked
when ANY query on the cubes to which it is added here gets executed. In our example say we have an
InfoCube called ACCA_C11 and we need all queries on this cube to check for this authorization.


2006 SAP AG 5
So we enter in the second pane the name of this cube and then click on the change button:

This opens up a screen that allows you to select which Authorization objects should be checked for this
InfoProvider. The list only shows the authorization object for which the corresponding InfoObject
(0COSTCENTER in our example) is present in the InfoProvider. So in our case we will select the checkbox
next to our Authorization Object:

Step 4: Add this new authorization object to the relevant roles/users:
This can be done through transaction PFCG. When this is added to the roles/users we also need to specify
the values to which each user in that role has access for this InfoObject. This is mostly a basis or BW


2006 SAP AG 6
System admin job. In our example we need to specify, say, for the combination of role 1 & authorization
object Z_CCTR2 the valid values are 100101, 100102 & 100103. In the example screenshot below I have
given myself access to all cost centers by putting in a *:

Step 5: Add a variable to the query:
This is required because the query needs to be able to restrict data by cost center dynamically. We need to
create a variable to restrict the 0COSTCENTER InfoObject. The variable should be of type authorization, and
should take in single value/multiple single values/interval (based on how the values are defined in Step 4). It
is advisable to add the 0COSTCENTER InfoObject restricted by this variable in the filter section of the query.
This variable needs to be added to all queries based on the InfoProvider we selected in Step 3 that have the
0COSTCENTER object. Any query based on the InfoProvider (ACCA_C11 in our case), which has the
0CSTCENTER InfoObject NOT restricted by this authorization variable will generate an error message for
restricted users (users who do not have a * value as defined in Step 4). This is because the query will try and
fetch the data for all cost centers but the authorization object will not return all the data once it checks that
the user is restricted to specific values of 0COSTCENTER.

We have to use this variable to restrict 0COSTCENTER in every query based on our selected InfoProvider
(ACCA_C11).

An example of such a variable will be:



2006 SAP AG 7



2006 SAP AG 8
Disclaimer and Liability Notice
This document may discuss sample coding or other information that does not include SAP official interfaces
and therefore is not supported by SAP. Changes made based on this information are not supported and can
be overwritten during an upgrade.
SAP will not be held liable for any damages caused by using or misusing the information, code or methods
suggested in this document, and anyone using these methods does so at his/her own risk.
SAP offers no guarantees and assumes no responsibility or liability of any type with respect to the content of
this technical article or code sample, including any liability resulting from incompatibility between the content
within this document and the materials and services offered by SAP. You agree that you will not hold, or
seek to hold, SAP responsible or liable with respect to the content of this document.

BW Authorization Thru Auth Variables

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

BW Authorization Thru Auth Variables

Uploaded by

Copyright:

Available Formats

Field Based Authorization in BW BEx queries

SAP DEVELOPER NETWORK | sdn.sap.com BUSINESS PROCESS EXPERT COMMUNITY | bpx.sap.com

You might also like