You are on page 1of 6

Authorization in SAP NW BI

1. MODELING

Difference between rssm and rsecadmin

RSSM RSECADMIN

Old transaction: RSSM
Concept of authorization: 'Reporting
Authorization'

New transaction : RSECADMIN
Concept of authorization: 'Analysis
Authorization'
Assignement of Reporting
authorization:* by pfcg: mass
distribution of auth by using role

by rssm: generation way (use with
Business Content and flat files loading)

Assignement of Analysis authorization :* by
pfcg: mass distribution of auth by using role,

by rsecadmin: manual way -> Assignement ->
Auth selection ->Insert,
by rsecadmin: generation way (use with
Business Content and flat files loading)
Full Authorization: SAP_ALL,
SAP_NEW

Full Authorization: SAP_ALL, SAP_NEW
0BI_ALL: * Allow full authorization for the IO
authorization relevant,

Used in the authorization object: S_RS_AUTH,
Report 'RSEC_GENERATE_BI_ALL' for the
SAP_ALL user,

Modeling:* IO marked as Authorization
relevant,

rssm enable to flag relevant
infoprovider,
rssm are used to custom
Auhthorization object,
Authorization variable are used in Bex
Query,
Pfcg to assign reporting authorization
trough the Object class: RSR,
Query access manage by object
S_RS_COMP, S_RS_COMP1,
Area Button/ Access : S_RS_FOLD,
Authorization for Cube, ODS,
Hierarchy and infoset managed by:
o S_RS_ICUBE,
o S_RS_ODSO,
o S_RS_HIER,
o S_RS_ISET.

Modeling:* IO + Navigation ATTR can be
Authorization relevant,

An IO auth relevant is auth relevant for all the
cube he is used,
rsecadmin to define Analysis authorization with
sepcial IO : 0TCAACTVT, 0TCAIPROV,
0TCAVALID,
Authorization variable are used in Bex Query,
pfcg to assign analysis authorization through
the object S_RS_AUTH (Object Class: RS),
Query access manage by object
S_RS_COMP, S_RS_COMP1,
Area Button/ Access : S_RS_FOLD,
Authorization for Cube and ODS for reporting
user are managed by the special authorization
characteristic 0TCAIPROV,
S_RS_ICUBE, S_RS_ODSO, S_RS_HIER,
S_RS_ISET: are not checked anymoe for
reporting user.
S_RS_ICUBE, S_RS_ODSO, S_RS_HIER,
S_RS_ISET: are used for allowing access to
developper team,
New object to manage acess for developper
user:
-
New object authorization for Web application
Designer & Report Designer:* S_RS_BTMP,

S_RS_BITM,
S_RS_ERPT,
S_RS_EREL.
Step by Step
RSSM RSECADMIN
0. Pre-requisites -
Activate all business content
related to authorizations
before you get started:*
InfoObjects: 0TCA* and 0TCT*

InfoCubes: 0TCA*
Set the following InfoObjects
as "authorization relevant":*
0TCAACTVT
0TCAIPROV
0TCAVALID
0TCAKYFNM (optional, if key
figure restriction needed)
Add 0TCAIFAREA as an
external hierarchy
characteristic to 0INFOPROV
(optional)
1. Set Master data
Authorization
relevant
RSA1 -> InfoObjects -> Business
Explorer Tab -> Flag
'Authorization relevant

RSA1 -> InfoObjects ->
Business Explorer Tab -> Flag
'Authorization relevant
RSA1 -> InfoObjects -
> Attribute Tab -> Flag
'AuthorizRelevant'
2. Create
Authorization
Object/ Analysis
authorization
RSSM -> Enter the name of your
Authorization object -> Create ->
Put IO Authorization relevant in
the selected InfoObjects part ->
Save

3. Set Infoprovider RSSM -> Select: 'Check for
InfoCubes' -> Change -> Flag the
related InfoCubes
The IO authorization relevant
are authorization relevant for
all cubes
4. Create BEX
variable for
authorization
1. Right click on the IO -> choose
'Restrict'
2. Choose 'Selection' = 'Single
Value' and 'from Hierarchy' = 'flat
list'
If a hierarchy exists, select the
hierarchy for the IO
3. Go on the variables tab ->
Right click -> 'New variable'
4. For a restriction without
hierarchy, the type of variable is
'Characteristic Value' and if you
have choose a hierarchy, the type
of variable is 'Hierarchy node'
5. Select a variable name & a
description
6. Choose 'Processing by': =
'Authorization' then check the
characteristic and click 'next'
7. Choose the display area for the
variable -> Variable represents: =
'Single Value' or 'Selection
Option'
8. Choose if the variable entry is
Optional or mandatory,
9. Don't select 'Ready for input'
and 'Can be changed in query
navigation
10. Next to the end

5. Insert
Authorization in
Role

6. Assign
Authorization/ Role
to Users

2. AUTHORIZATION
Reporting User: Authorization for End User

o S_RS_AUTH:
o Insert here the Analysis Authorization you customize in Rsecadmin.
o Allow right on IO marked as 'authorization relevant' (Data)
o S_RS_COMP : Query Accessibility
o Activity: 01 (Create or generate), 02 (Change), 03 (Display), 06 (Delete), 16 (Execute),
22 (Enter, Include, Assign)
o InfoArea: '*'
o InfoCube: <Selected infoprovider>
o Name (ID) of a reporting component: <Selected query>
o Type of a reporting component: CKF (Calculated key figure), QVW (Query View), REP
(Query), RKF (Restricted key figure), SOB (Selection object, New object !!!), STR
(Template structure), VAR (Variable)
o S_RS_COMP1 : Query for specific users
o S_RS_FOLD ( Hide 'Folder' Pushbutton): 'False' or 'True'
o S_USER_AGR: Role Name
S_RS_BITM : !!! NEW !!!
S_RS_BTMP : !!! NEW !!!
Developper

o S_DEVELOP
o S_RO_BCTRA in ECC side for activate (remote) Datasource
o S_RS_BC
o S_RS_BCS
o S_GUI
o S_RS_DS: Authorizations for working with the DataSource or its sub-objects (as of SAP
NetWeaver 2004s)
o S_RS_ISNEW: Authorizations for working with new InfoSources or their subobjects (as
of SAP NetWeaver 2004s)
o S_RS_DTP: Authorizations for working with the data transfer process and its subobjects
o S_RS_TR: Authorizations for working with transformation rules and their subobjects
o S_RS_CTT: Authorizations for working with currency translation types
o S_RS_UOM: Authorizations for working with quantity conversion types
o S_RS_THJT: Authorizations for working with key date derivation types
o S_RS_PLENQ: Authorizations for maintaining or displaying the lock settings
o S_RS_RST: Authorization object for the RS trace tool
o S_RS_PC: Authorizations for working with process chains
o S_RS_OHDEST: Open Hub Destination
o S_RS_DAS: Authorizations for working with Data Access Services
o S_RS_BTMP: Authorizations for working with BEx Web templates
o S_RS_BEXTX: Authorizations for the maintenance of BEx texts Authorization objects for
the administration of analysis authorizations
o S_RSEC: Authorization for assignment and administration of analysis authorizations
o S_RS_AUTH: Authorization object to include analysis authorizations in roles
o S_RS_ADMWB: Changed Authorization Objects (Data Warehousing Workbench:
Objects)
General

o S_RFC: Authorization Check for RFC Access:
o Activity 16
o Name of RFC to be protected *
o Type of RFC object to be protetected: FUGR
o S_TCODE: Transaction Code Check at Transaction Start
o Transaction Code SE37,RRMX, RRMXP
o S_GUI: Authorization for GUI activities
o Activity 02, 60, 61
o S_BDS_DBC-SRV-KPR-BDS: Authorizations for Accessing Documents
o Activity 03
o BDS: Data element for LOIO cla *
3. ASSIGNEMENT
Generation (rsecadmin)

Role (pfcg)

4. TECHNICAL
Tables

o RSECVAL : Authorization Value Status,
o RSECUSERAUTH : BI AS Authorizations: Assignment of User Auth.
Function Modules:

o RSEC_AUTHORITY_CHECK_IPROV
o RSEC_AUTH_GET_IOBJ_RELEVANT
o RSEC_CHECK_IPROV
o RSEC_CHECK_VALIDITY
o RSEC_COMPLETE_HIERAUTH
o RSEC_GET_AUTH_FOR_USER
o RSEC_GET_AUTH_HIER_FOR_USER
o RSEC_ASSIGN_AUTHS_TO_USERS
o RSEC_GET_ALL_GENERATED_AUTHS
o RSEC_READ_ODS_HIER
o RSEC_READ_ODS_USER_AUTH
o RSEC_READ_ODS_VAL
o RSEC_AUTHORIZATIONS_OF_USER
o RSEC_GET_AUTH_FOR_USER_RFC
Authority check
Here some links:

o Get Authorization Detail (Function Module)
o Authorisation Check Program