BW Authorization Thru Auth Variables
Summary
This document walks readers through a step-by-step example of how to enable field-based authorizations in BEx queries. The article assumes no prior knowledge of authorization objects and provides an exhaustive solution, with screenshots for a clear understanding of the configuration.
Author(s): Nikhil Chowdhary
Company: Infosys Technologies Limited
Created on: 05 October 2006
Author Bio
Nikhil Chowdhary is an SAP Certified Solution Consultant for Netweaver 2004 BI and is currently working as an Associate Consultant for Infosys Technologies Limited.
Table of Contents
Applies to:
Summary
Author Bio
The Requirement
Step-by-step guide to add authorization on the cost center object
  Step 1: Define the 0COSTCENTER InfoObject as Authorization Relevant
  Step 2: Create a reporting authorization object for this InfoObject
  Step 3: Assign the authorization object to the relevant InfoProviders
  Step 4: Add this new authorization object to the relevant roles/users
  Step 5: Add a variable to the query
Disclaimer and Liability Notice
The Requirement
We want to give users access only to specific values of an InfoObject when executing BEx queries, i.e., they will see only data that has the values assigned to them for this field. Let's take an example: say we want the users to see only data pertaining to their cost centers. The following steps need to be followed:
Step 2: Create a reporting authorization object for this InfoObject:
This is done through transaction RSSM. Go to transaction RSSM and create a new authorization object from the top box:
The create button brings up a screen asking for the authorization object name and description. Once you enter these values, the next screen gives you the option to choose your InfoObject from a list of all objects that have been marked as relevant for authorization (through Step 1). Select the 0COSTCENTER object and transfer it to the left pane. Once it's done, it should look like the screen below:
Step 3: Assign the authorization object to the relevant InfoProviders:
This is again done through transaction RSSM. It forces the reporting authorization object to be checked when ANY query on the cubes to which it is added here is executed. In our example, say we have an InfoCube called ACCA_C11 and we need all queries on this cube to check for this authorization.
So we enter the name of this cube in the second pane and then click on the change button:
This opens a screen that allows you to select which authorization objects should be checked for this InfoProvider. The list shows only the authorization objects for which the corresponding InfoObject (0COSTCENTER in our example) is present in the InfoProvider. So in our case we select the checkbox next to our authorization object:
Step 4: Add this new authorization object to the relevant roles/users:
This can be done through transaction PFCG. When the object is added to the roles/users, we also need to specify the values to which each user in that role has access for this InfoObject. This is mostly a Basis or BW system admin job. In our example we need to specify, say, that for the combination of role 1 and authorization object Z_CCTR2 the valid values are 100101, 100102 and 100103. In the example screenshot below I have given myself access to all cost centers by putting in a *:
Step 5: Add a variable to the query:
This is required because the query needs to be able to restrict data by cost center dynamically. We need to create a variable to restrict the 0COSTCENTER InfoObject. The variable should be of type authorization and should take a single value, multiple single values or an interval (based on how the values are defined in Step 4). It is advisable to add the 0COSTCENTER InfoObject, restricted by this variable, in the filter section of the query.
This variable needs to be added to all queries that are based on the InfoProvider we selected in Step 3 and that contain the 0COSTCENTER object. Any query based on the InfoProvider (ACCA_C11 in our case) in which the 0COSTCENTER InfoObject is NOT restricted by this authorization variable will generate an error message for restricted users (users who do not have a * value as defined in Step 4). This is because the query will try to fetch the data for all cost centers, but the authorization object will not return all the data once it checks that the user is restricted to specific values of 0COSTCENTER. We have to use this variable to restrict 0COSTCENTER in every query based on our selected InfoProvider (ACCA_C11).
An example of such a variable will be:
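To make the behaviour in Step 5 concrete, the following Python model is an added illustration, not part of the original article and not SAP code: it shows why an unrestricted selection on 0COSTCENTER is rejected for a restricted user, while a selection filled from the authorization variable succeeds. The user names, data rows and function names are hypothetical, and cost centers are assumed to be equal-length strings so that interval comparison works.

```python
from dataclasses import dataclass

ALL = "*"  # wildcard as entered in Step 4

class AuthorizationError(Exception):
    """Raised when a selection exceeds the user's authorized values."""

@dataclass(frozen=True)
class Interval:
    low: str
    high: str

# Constructed sample of Step 4 values for Z_CCTR2 (user names are hypothetical).
GRANTED = {
    "ADMIN": [ALL],
    "CLERK": ["100101", "100102", "100103"],
    "MANAGER": [Interval("100200", "100299")],
}
# Constructed sample rows (cost center, amount) standing in for InfoCube ACCA_C11.
ROWS = [("100101", 50), ("100103", 20), ("100250", 70), ("100900", 10)]

def matches(entry, value):
    """True if a single cost center value is covered by a selection/grant entry."""
    if entry == ALL:
        return True
    if isinstance(entry, Interval):
        return entry.low <= value <= entry.high
    return entry == value

def within(sel, granted):
    """True if the selection entry lies wholly inside the granted values."""
    if ALL in granted:
        return True
    if sel == ALL:
        return False  # restricted user asking for every cost center
    if isinstance(sel, Interval):
        return any(isinstance(g, Interval) and g.low <= sel.low and sel.high <= g.high
                   for g in granted)
    return any(matches(g, sel) for g in granted)

def authorization_variable(user):
    """Step 5: the variable is filled with the user's own authorized values."""
    return list(GRANTED.get(user, []))

def run_query(user, selection):
    """Reject, rather than silently filter, a selection beyond the user's values."""
    granted = GRANTED.get(user, [])
    if not all(within(sel, granted) for sel in selection):
        raise AuthorizationError(f"{user}: selection on 0COSTCENTER not authorized")
    return [row for row in ROWS if any(matches(sel, row[0]) for sel in selection)]
```

Calling `run_query("CLERK", [ALL])` models a query without the variable and raises `AuthorizationError`; `run_query("CLERK", authorization_variable("CLERK"))` models the same query with 0COSTCENTER restricted by the authorization variable.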