
BW SECURITY

Data warehousing in SAP BW covers the integration, transformation, consolidation, cleanup and
storage of data, as well as the extraction of data for analysis and interpretation. The data
warehousing process includes data modelling, data extraction and the administration of the data
warehouse management processes.
SAP BW Authorization Specifics

In an SAP BW system there are two different types of authorization objects.
1. Standard authorization objects: This type of authorization object is provided by SAP and covers
   all checks for, e.g., system administration tasks, data modelling tasks, and granting access to
   Info Providers for reporting. For this type of authorization the same concept and technique is
   used as in an SAP R/3 system.
2. Reporting authorization objects: For more granular authorization checks on an Info Provider's
   data you need another type of authorization object, defined by the customer. With these
   objects you can specify which part of the data within an Info Provider a user is allowed to see.

Both types of authorization objects use the same authorization framework. Technically they are treated
in the same way. However, the design of reporting authorizations is more complex because you need to
design the reporting authorization objects first. This is an additional step that needs to be treated with
care because the structure of the authorization objects determines the possible use in regards to
selections, combinations and granularity. In your project you need expertise in the area of reporting
authorizations; knowledge of the basis authorization framework is not sufficient.
User Type in BW
There are different types of users in SAP BW. Most of your users will be the users who execute queries
and workbooks. These people could be considered "reporting users" or "end users."
Reporting User Security
Authorization Objects Used Primarily by Reporting Users
In order to execute any query, you must have access to
S_RS_ICUBE, S_RS_COMP, S_RS_COMP1 and S_RS_FOLD.
S_RS_COMP is a powerful object that lets you choose how to secure queries. There is one field
in S_RS_COMP that relates to the query, and another field that relates to the Info Cube. This gives you
the option to secure by query name, Info Area, or Info Cube.

Tips

• Info Area = group of Info Cubes
• Info Cube = actual data
• Info Object = field (for example: company code, plant, or cost center)
There are also users who develop new queries. Some people may refer to them as "power users" or
"data analysts." The users who develop queries may also create new workbooks and may be responsible
for publishing that information to the right audience.
Then, there are users who create new objects like Info Cubes, Info Areas, and Info Objects. They also
schedule data loads, create update rules for Info Cubes, monitor performance, and set up source
systems. The users who do these tasks are normally referred to as "administration users."

Administrator
Some of the common tasks performed by administration users are:
• Set up and maintain different source systems and connections to SAP BW
• Manage metadata and define new Info Objects, Data Sources, and Info Sources
• Create transfer rules and update rules
• Design Info Cubes
• Schedule and monitor data-loading processes

Administration authorization objects are primarily used when doing anything in the Administrator
Workbench (transaction code RSA1). The primary objects used are:

S_RS_ADMWB: Administrator Workbench - Objects
Authorization object S_RS_ADMWB is the most critical authorization object in administration
protection. When you do anything in transaction code RSA1, object S_RS_ADMWB is the first object
checked. There are two fields in this object: Activity and Administrator Workbench Object. Each of
the two fields can have a variety of values.

The possible values for the Administrator Workbench field are:
• Source Sys: Working with a source system
• Info Object: Creating, maintaining Info Objects
• Monitor: Monitoring data brought over from the source systems
• Workbench: Checked as you execute transaction code RSA1
• Info Area: Creating and maintaining Info Areas
• Appl Comp: Limiting which application components you can access
• Info Package: Creating and scheduling Info Packages for data extraction
• Metadata: Replication and management of the metadata repository

The following list shows possible values for the Activity field:
• Display - 03
• Execute - 16
• Maintain - 23
• Update metadata - 66
• Administer document storage

Other Authorization objects for Admin user
(Authorization object / Technical name: Description)
• Administrator Workbench - Objects / S_RS_ADMWB: Authorizations for working with individual
  objects of the Administrator Workbench. In detail, these are: source system, InfoObject, monitor,
  application component, Info Area, Administrator Workbench, settings, metadata, Info Package,
  Info Package group, Reporting Agent settings, Reporting Agent package, documents (for metadata,
  master data, hierarchies, transaction data), document store administration, Info Spoke.
• Administrator Workbench - Info Object / S_RS_IOBJ: Authorizations for working with individual
  Info Objects and their sub-objects. Until Release 3.0A, only general authorization protection was
  possible with authorization object S_RS_ADMWB. General authorization protection for Info Objects
  still works as in the past. Special protection with S_RS_IOBJ is only used if there is no
  authorization for S_RS_ADMWB-IOBJ.
• Administrator Workbench - InfoSource (flexible update) / S_RS_ISOUR: Authorizations for working
  with Info Sources with flexible updating and their sub-objects.
• Administrator Workbench - InfoSource (direct update) / S_RS_ISRCM: Authorizations for working
  with InfoSources with direct updating and their sub-objects.
• Administrator Workbench - InfoCube / S_RS_ICUBE: Authorizations for working with InfoCubes and
  their sub-objects.
• Administrator Workbench - MultiProvider / S_RS_MPRO: Authorizations for working with
  MultiProviders and their sub-objects. Until BW 3.0B, Support Package 1, authorizations for
  MultiProviders were checked by using the authorization object S_RS_ICUBE. As of BW 3.0B, Support
  Package 2, this can be maintained, or you can change the check over to the authorization object
  S_RS_MPRO. To do this, choose in Customizing under Business Information Warehouse → General BW
  Settings → Settings for Authorizations.
• Administrator Workbench - ODS object / S_RS_ODSO: Authorizations for working with ODS objects and
  their sub-objects.
• Administrator Workbench - Info Set / S_RS_ISET: Authorizations for working with InfoSets.
• Administrator Workbench - hierarchy / S_RS_HIER: Authorizations for working with hierarchies.
• Administrator Workbench - Master data maintenance / S_RS_IOMAD

Steps to Implement Info Object Security (field-level security)
1. Make the Info Object authorization-relevant. The Authorization Relevant setting for an Info
   Object is made in the Info Object definition on the Business Explorer tab. The business needs will
   drive which Info Objects should be relevant for security. Keep in mind that the people using SAP
   BW are running queries to help make strategic decisions on how to better run the business. The
   decision makers typically need to see more data on SAP BW than they would need to see in SAP R/3.
2. Create a custom reporting authorization object. Since there are no reporting authorization
   objects provided for Info Objects, you will have to create your own reporting authorization
   object for any Info Object you decide to secure. This is done in transaction code RSSM. When
   creating your reporting authorization object, you select which fields to put in the authorization
   object from a list of authorization-relevant Info Objects. Only Info Objects that have been marked
   Authorization Relevant are eligible to be put in a reporting authorization object.
3. Add your new authorization object to a role. Once you have created a new reporting authorization
   object and linked it to the appropriate Info Cube(s), users will need access to your reporting
   authorization object. You will need to manually insert your object into a role.
4. Add a variable to the query. The reason the variable is required is sometimes unclear at first.
   If we want a query to only provide results based on the division, for example, then the query
   itself needs the ability to filter specific division values. Before we can secure on division,
   the query must be able to restrict data by division. The only way the query can restrict data
   dynamically is through a variable.
5. Link the reporting authorization object to an Info Provider. Linking your reporting
   authorization object to an Info Provider is a very critical step. This linkage forces your
   reporting authorization object to be checked when ANY query tied to the Info Provider is
   executed. In this step, you will impact people currently executing queries for the Info Provider
   that is now related to your reporting authorization object.
6. In the SAP Easy Access screen of the SAP Business Information Warehouse choose Business Explorer
   >> Authorizations >> Reporting Authorization Objects.
7. Choose Authorization Object >> Create. Enter a technical name and a description for the
   reporting authorization object. Save your entries.
8. Assign the InfoObject fields to the reporting authorization object: Select the characteristics
   for which an authorization check of the selection conditions should be carried out. On the
   right-hand side, you get an overview of all the Info Objects indicated as authorization-relevant.
   Caution: Only those characteristics that have previously been marked as authorization-relevant
   in Info Object maintenance can be assigned to a reporting authorization object as fields.
   Select the InfoObject key figure (1KYFNM) if you want to restrict the authorization to a single
   key figure. Select the Info Object (0TCTAUTHH) if you want to check authorizations for a
   hierarchy.
9. Save your entries.

Using Workbooks
How the reporting user accesses workbooks, and security related to workbooks.

Difference between workbooks and queries
An SAP BW user spends more time on the results. They perform activities such as drilling down to
various levels in the data, rearranging the results to highlight certain relationships in the data,
and eventually saving the results to a workbook. Thus, a query is more the technical definition of
what the results should look like. Queries are actually inserted into workbooks so you can display
them. Workbooks are actual results that have been formatted and can be refreshed each time the
workbook is executed. The workbook contains the results of the query in the formatted look and feel
that the user requires. A workbook could contain several queries that are related in nature. Data in
a workbook can either be static, refreshed manually, or refreshed automatically when the workbook
is retrieved.

Now that the user has spent that time to format the results in a meaningful way, they would like the
results to be in the same format each time they retrieve the results. To accomplish this, the user
does not execute a query, but instead executes a workbook. Generally power users create queries to
suit their team's needs and save the results in a workbook. Workbooks can also be created in the BEx
Analyzer. After executing a query, choose Save → Save as new workbook.

They may want to save the workbooks to their Favorites folder for easy retrieval later, or they may
want to save the workbooks to a location where other users can execute the same workbook. You must
set up security to control who can save workbooks, where they can be saved, and which workbooks
appear in the BEx Browser for a specific user.

Securing Workbooks
In order to save a workbook, a user needs two authorization objects. The two objects listed below
are the minimum authorizations a user needs to save workbooks.
• S_GUI: Authorization for GUI activities
• S_BDS_DS: Authorizations for document set
Using both S_GUI and S_BDS_DS will enable a user to save workbooks to their Favorites folder. The
authorization object S_GUI has one field, Activity. The activity field must be set to 60. For
S_BDS_DS, the user needs activities 03 and 30. The Class Type field should be set to OT.

Once a workbook is saved, the data and the layout are saved in the workbook. For security reasons,
we recommend that users save workbooks without the data. To save the workbook without the data, the
user selects the following menu path from the BEx Analyzer: Tools > All queries in Workbooks >
Delete results.

Saving Workbooks to Roles
If a user wants to save a workbook to a location where it can be easily accessed by others, they
need to save to a Role rather than saving the workbook in their own Favorites folder. Saving to a
Role means saving to a security role. You may want to set up roles specifically for saving
workbooks. You can then assign the role to all parties who need to share workbooks. In order to save
workbooks to roles, a user needs:
• S_USER_AGR: Authorizations: Role check
• S_USER_TCD: Transactions in roles
Saving a workbook to a role actually updates the Menu portion of a role, so object S_USER_AGR is a
required object. The authorization object S_USER_AGR has two fields: Activity and Role Name.
• Activity field: Must have at least values 01 and 02. If the user can delete workbooks, they will
  also need value 06.
• Role Name: The role name is the name of a role that will be used to hold workbooks. You should
  enter the specific roles you have created for saving workbooks. This also prevents users from
  changing workbooks saved by other users.
Authorization object S_USER_TCD has one field, Transaction Code. The user needs value RRMX in this
field.

Use a proper naming convention for roles so that the roles can be restricted pretty easily. Another
option is to not allow users to save workbooks, but rather only allow power users to save workbooks.
This is done to maintain the roles and to ensure that the workbooks are manageable.

Step by step instruction on Creating folders and saving workbook
1. Open the Favorites folder in the tree structure of the BEx Browser. Place the cursor on the
   right side of the screen and create a new folder (New → Folder). Give it an appropriate name and
   specify how you want it presented by choosing Select Color and Symbol. Confirm with OK.
2. Open the BEx Analyzer and execute the selected query. Save the workbook by choosing Save → Save
   as new workbook. Enter a name for the query and select the sub-folder you created in your
   Favorites folder.
3. When you call the BEx Browser, you see the name of the query in your new folder, shown as a
   sub-folder within your Favorites folder. Double-click on the workbook name to retrieve the saved
   query results.

Step by step instruction on Creating a new query
The following procedure explains how to create a simple query using the BEx Query Designer. The
results of the query can be displayed either in Microsoft Excel using the BEx Analyzer or on the
web.
1. In the BEx Analyzer, choose Open → Queries from the BEx toolbar.
2. On the next screen, choose New. This brings you to a selection screen containing all of the
   InfoCubes for which you can define a new query.
3. Select the InfoCube on which you want the query to be based by selecting it with the mouse. You
   can see the technical name of the InfoCube by choosing Technical Name (wrench icon).
4. After selecting an InfoCube, choose New to create the query.
5. The objects available for the InfoCube you have selected are shown as a tree structure in the
   left-hand part of the BEx Query Designer. These objects include the key figures of the fact table
   and the characteristics of the dimensions. The right-hand part of the screen contains empty
   windows for filter selections, rows, columns, and the free characteristics of the query. The
   bottom right-hand part of the screen shows a preview of the query result area. This area is empty
   at first.
6. By choosing the plus or minus symbols for the directories, you can expand or compress the
   directory structure. By expanding the key figure node in the InfoCube tree, for example, you can
   display a list of all the key figures for the InfoCube.
7. You can drag the characteristics and key figures for the InfoCube into the windows for the query
   definition (filter, rows, columns, and free characteristics).
8. When you have finished defining your query, choose Save Query.
9. Choose Quit and Use Query (check mark icon) to execute and start working with the query.

Thursday, August 23, 2007

Maintaining Authorizations for Hierarchies
Before you can make authorizations for hierarchies, you must first transfer and activate the Info
Object 0TCTAUTHH from Content. Make sure that the indicator relevant for authorization is set. You
must also create an authorization object for which you want to make the authorization.

1. Choose Business Explorer → Authorizations → Reporting Authorization Objects.
2. Choose Authorizations → Authorization Definitions for Hierarchies > Change.
3. In the Definition, select the Info Object, hierarchy, and node. If you do not enter a value, the
   system checks the authorization against the highest node in the hierarchy.
4. Select the Type of authorization:
   0 - for the node
   1 - for a sub tree below the node
   2 - for a sub tree below the node up to and including levels
   3 - for the entire hierarchy
   4 - for a sub tree below the node up to and including levels (relative) (You must specify a level
       that is defined relative to the node for this type.) It makes sense to specify a relative
       distance if an employee may only expand the hierarchy to a certain depth below his initial
       node, but this node is moved to another level when the hierarchy is restructured.
5. Optionally you can use the following fields:
   • Hierarchy level: Within the framework of the authorization check, you can use this value to
     specify to which level the user can expand the hierarchy. If you have entered the value 3 for
     the hierarchy level, for example, then the user can expand/see the hierarchy up to level 3.
     Please note that this is an absolute value and refers to the entire hierarchy. The highest node
     of a hierarchy stands at level 1.
   • Top of hierarchy: This option allows you to select the top of the hierarchy instead of a node
     in the hierarchy. If, for example, you want to authorize a user to work with a hierarchy from
     the top node, down to a particular level, you can of course authorize the user for the highest
     node in the hierarchy. If the hierarchy is used in the query and the top-level node has not
     been specified explicitly, if, for example, the hierarchy is used in the query without a filter
     set for this node, the user is not able to execute the query. This is because the node that is
     displayed at the highest level in the hierarchy is not actually the top of the hierarchy. For
     example, there is the node All Other Leaves. This option, on the other hand, allows you to
     determine the top-level node of the hierarchy yourself, meaning the internal node that is not
     displayed, a level higher than the highest node that appears in the hierarchy display. This is
     an internal node, therefore, but a node in the hierarchy nevertheless, and it is this node that
     is at the top of the hierarchy.
   • Validity period:
     0: Name, version, and key date identical
     1: Name and version identical
     2: Name identical
     3: All hierarchies
   • Node variable default value: If this option is chosen, this definition of a hierarchy
     authorization is used as the default value for node variables.
6. Specify a technical name for this definition. A unique ID is set, so that you can ensure that
   users are assigned the appropriate authorizations.
7. Now create an authorization for the new authorization object. Enter the technical name of the
   definition as a characteristic value for the characteristic 0TCTAUTHH. For the characteristic
   defined on the hierarchy, specify the value " " (blank).
   Hint: If you enter the value "*" here (all characteristic values), the user is allowed to view
   data for all characteristic values, regardless of whether a hierarchy is used or a complete
   drilldown is carried out. It often makes sense to also enter ":" (colon) so that queries without
   this characteristic are also allowed.
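The difference between an absolute level (type 2) and a relative level (type 4) when a hierarchy is restructured, as an added example that is not SAP code: a simplified Python model of the five authorization types over a constructed hierarchy. The node names, the `HierarchyAuth` class and the convention that relative distance 0 is the authorized node itself are assumptions of this sketch.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set

Hierarchy = Dict[str, Optional[str]]  # node -> parent (None for the top node)

# Constructed sample hierarchy; the highest node (WORLD) stands at level 1.
SAMPLE: Hierarchy = {
    "WORLD": None, "EMEA": "WORLD", "AMER": "WORLD",
    "DE": "EMEA", "FR": "EMEA", "US": "AMER",
    "DE_NORTH": "DE", "DE_SOUTH": "DE",
}

def level(h: Hierarchy, node: str) -> int:
    """Absolute level of a node, counting the highest node as level 1."""
    depth = 1
    while h[node] is not None:
        node = h[node]
        depth += 1
    return depth

def in_subtree(h: Hierarchy, node: str, root: str) -> bool:
    """True if node is root itself or lies anywhere below it."""
    cur: Optional[str] = node
    while cur is not None:
        if cur == root:
            return True
        cur = h[cur]
    return False

@dataclass(frozen=True)
class HierarchyAuth:
    auth_type: int                      # 0..4, as in the list of types above
    node: Optional[str] = None
    level_limit: Optional[int] = None   # only used by types 2 and 4

    def allows(self, h: Hierarchy, target: str) -> bool:
        if self.auth_type == 3:         # entire hierarchy
            return True
        if self.node is None or self.node not in h:
            return False                # unknown node: fail closed
        if self.auth_type == 0:         # the node only
            return target == self.node
        if not in_subtree(h, target, self.node):
            return False
        if self.auth_type == 1:         # whole sub tree
            return True
        if self.level_limit is None:
            raise ValueError("types 2 and 4 need a level")
        if self.auth_type == 2:         # absolute level in the whole hierarchy
            return level(h, target) <= self.level_limit
        if self.auth_type == 4:         # distance below the authorized node
            return level(h, target) - level(h, self.node) <= self.level_limit
        raise ValueError(f"unknown authorization type {self.auth_type}")

def visible(h: Hierarchy, auths: Iterable[HierarchyAuth]) -> Set[str]:
    """Union of the nodes granted by all authorizations of a user."""
    auths = list(auths)
    return {n for n in h if any(a.allows(h, n) for a in auths)}

def insert_level(h: Hierarchy, node: str, new_parent: str) -> Hierarchy:
    """Restructured copy: new_parent is inserted directly above node."""
    out = dict(h)
    out[new_parent] = h[node]
    out[node] = new_parent
    return out

if __name__ == "__main__":
    absolute = HierarchyAuth(2, "EMEA", 3)
    relative = HierarchyAuth(4, "EMEA", 1)
    moved = insert_level(SAMPLE, "EMEA", "REGIONS")
    for name, h in (("before", SAMPLE), ("after restructuring", moved)):
        print(name, sorted(visible(h, [absolute])), sorted(visible(h, [relative])))
```

After the restructuring the absolute definition silently shrinks to the EMEA node alone, while the relative one still covers EMEA and its direct children.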

Only one node can be chosen for a node variable in the variable screen of a query. In order that
this variable be filled from the authorizations, the correct variable type must be chosen and an
authorization must be marked as the default value. If a user is allocated several authorizations
for subareas of the same hierarchy, one of these authorizations must be defined as the default value
in this way.

Creation of Analysis Authorizations
The need for Analysis Authorizations is to provide access to authorization-relevant
characteristics. Analysis Authorizations are created through transaction code "RSECADMIN" by
clicking the "Maintenance" button, which takes us to the "RSECAUTH" transaction code; this means
that analysis authorizations can also be created directly through the "RSECAUTH" tcode. Then enter
the Analysis Authorization name and click on the create button. On the next screen we need to enter
short, medium and long texts as necessary, and the most important thing here is the special
characteristics which are mandatory for any analysis authorization:
0TCAACTVT
0TCAIPROV
0TCAVALID
0PLANT
0TCAKYFNM
Later on we need to add the characteristics which we want to secure; we can go into each and every
characteristic and maintain values individually.

Assigning Analysis Authorizations to Users and Roles
In order to assign analysis authorizations to a user we can do it in two ways. One way is to go to
the "RSECADMIN" transaction code, click on the "User" tab and click on the "Assignment" button,
which takes us to the "RSU01" transaction; enter the user id to whom the Analysis Authorization
needs to be assigned, enter the analysis authorization name and click on the insert button. The
other way is directly adding the Analysis Authorization in the user's role under the object
S_RS_AUTH in the "BIAUTH" field.

Find the Analysis Authorization in which the cube is maintained
1. Run transaction SE16 - Data Browser. Enter "RSECVAL" in the "Table Name" field.
2. Screen "Data Browser: Table RSECVAL Select Entries" will be displayed. Enter the name of the
   Cube in the field "TCTLOW - Internal char. value" and Execute.
3. Select the Analysis Authorization from the column "TCTAUTH - Authorization" based on the
   affiliate.

Find the roles in which analysis authorization is maintained
• Run transaction SUIM - User Information System in a new session.
• Expand the Roles tree and select Roles by Complex Selection Criteria.
• Now enter the Authorization Object name as "S_RS_AUTH" in the field "Object 1". Click Enter.
• Enter the Analysis Authorization under the field BI Analysis Authorizations which was obtained
  from table RSECVAL.
• Now Execute and you will find the Roles in which the Analysis Authorization is maintained.

SAP BW BEx Analyzer
Business Explorer Concepts
BEx analyzer is an analysis and reporting tool which is an add-on in Microsoft Excel. It comes as
part of the SAP Business Warehouse Desktop installation. BEx analyzer is thus a user interface based
on Web technology and MS Excel. These analysis tools can support complex multidimensional analysis
based on different data views. Not only that, with BW users can access information in SAP BW using
the Enterprise Portal, the intranet (Web application design), or mobile technologies. Business
Explorer thus acts as an information catalogue, which allows users to browse the available
information from the business applications, as well as the required analysis tools. There are many
standard reports available in the library. I am listing some features of the BEx analyzer below.
• Using the BEx query designer users can define and update queries. One can create different query
  views of data.
• Queries created can be processed in Microsoft Excel or the same can be viewed in a web browser
  like Internet Explorer.
• BEx analyzer allows saving multiple queries in a workbook in Excel.
• BEx tools support editing of data such as sorting, totaling etc. These editing functions can be
  used in Microsoft Excel.
• BEx analyzer can be connected with VBA applications and programs. Users with advanced knowledge
  can develop their own programs, to set up dashboards, reports, templates as required.
GLOBAL_TEMPLATES: Templates for modelling and evaluating data

Security Authorization Objects for SAP BW
Security in SAP is controlled through authorization objects. The SAP Business Information Warehouse
(BIW) has a set of authorization objects specific to BW which control security in BW. Primarily
there are two classes of authorization objects in SAP BIW. They are in the areas of BIW - reporting
and BIW - administration. The BIW reporting authorization objects are used for field level security
in BW reporting. The BW administration objects are used to secure administration functions in
Business Information Warehouse. Below are some of the authorization objects in the above two areas
of BW security.
1. SAP Business Information Warehouse Reporting - S_RS_COMP, S_RS_COMP1, S_RS_FOLD
2. SAP Business Information Warehouse Administration - S_RS_ADMWB, S_RS_IOBJ, S_RS_ISOUR,
   S_RS_ISRCM
Apart from the above two classes of authorization objects in SAP BW, there are a set of common
authorization objects which are used in BW. The common set of authorization objects used in SAP BIW
include S_RS_ICUBE, S_RS_ODSO and S_RS_HIER. These common authorization objects are required by all
users as these auth_objects are checked in different areas. One key point to note is that BW
reporting authorization objects for field level security are created as needed whereas the BW
administration authorization objects are used across the module to secure admin functions.

SAP BW Security transaction codes
(Transaction Code: Description)
• RSA1: Transaction RSA1 is the main transaction for administrative functions in SAP BW
  (Administrator Workbench)
• RSD1: This transaction code can be used to mark objects as relevant for authorization (InfoObject
  Maintenance)
• RSSM: This transaction code can be used to create and modify authorization objects in SAP BW
• RSZV: This transaction code is used to create or modify the variables for authorization checks
  (Variable Maintenance)
• RRMX: Business Explorer is the reporting tool in SAP BW and is used for analyzing data.
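The two lookups described above (cube → analysis authorization in RSECVAL, then analysis authorization → roles via S_RS_AUTH / BIAUTH) can be chained offline over exported data. The following Python sketch is an added example, not SAP or project code; it goes beyond the exact-match SE16 search by also catching "*" pattern values, which an exact TCTLOW lookup misses. All rows, role names and authorization names are constructed, and the TCTIOBJNM column and the (role, object, field, value) tuple layout are assumptions about how the export is shaped.

```python
import re
from typing import Dict, Iterable, List, Set, Tuple

# Constructed rows shaped like an export of table RSECVAL.
RSECVAL_ROWS = [
    {"TCTAUTH": "ZAA_SALES_DE", "TCTIOBJNM": "0TCAIPROV", "TCTLOW": "ZSD_C01"},
    {"TCTAUTH": "ZAA_SALES_DE", "TCTIOBJNM": "0PLANT", "TCTLOW": "1000"},
    {"TCTAUTH": "ZAA_SALES_ALL", "TCTIOBJNM": "0TCAIPROV", "TCTLOW": "ZSD*"},
    {"TCTAUTH": "ZAA_FIN", "TCTIOBJNM": "0TCAIPROV", "TCTLOW": "ZFI_C01"},
    {"TCTAUTH": "ZAA_EVERYTHING", "TCTIOBJNM": "0TCAIPROV", "TCTLOW": "*"},
]

# Constructed role authorization values: (role, object, field, value).
ROLE_VALUES = [
    ("Z_BW_SALES_DE", "S_RS_AUTH", "BIAUTH", "ZAA_SALES_DE"),
    ("Z_BW_SALES_MGR", "S_RS_AUTH", "BIAUTH", "ZAA_SALES_ALL"),
    ("Z_BW_FINANCE", "S_RS_AUTH", "BIAUTH", "ZAA_FIN"),
    ("Z_BW_SUPPORT", "S_RS_AUTH", "BIAUTH", "ZAA_*"),
    ("Z_BW_SUPPORT", "S_RS_COMP", "RSINFOCUBE", "*"),  # other object: ignored
]

def pattern_matches(pattern: str, value: str) -> bool:
    """Match a value against a pattern in which '*' stands for any string."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.fullmatch(".*".join(parts), value) is not None

def authorizations_for_cube(rows: Iterable[dict], cube: str) -> Dict[str, str]:
    """Analysis authorization -> the 0TCAIPROV value that grants the cube."""
    hits: Dict[str, str] = {}
    for row in rows:
        if row["TCTIOBJNM"] != "0TCAIPROV":
            continue  # e.g. a 0PLANT value must never be read as a cube name
        if pattern_matches(row["TCTLOW"], cube):
            hits.setdefault(row["TCTAUTH"], row["TCTLOW"])
    return hits

def roles_for_authorization(role_values: Iterable[tuple], auth: str) -> Set[str]:
    """Roles whose S_RS_AUTH / BIAUTH value covers the analysis authorization."""
    return {
        role for role, obj, field, value in role_values
        if obj == "S_RS_AUTH" and field == "BIAUTH" and pattern_matches(value, auth)
    }

def cube_exposure(rows, role_values, cube: str) -> List[Tuple[str, str, str, bool]]:
    """(role, analysis authorization, granting value, granted_by_wildcard)."""
    findings = []
    for auth, granted_by in sorted(authorizations_for_cube(rows, cube).items()):
        for role in sorted(roles_for_authorization(role_values, auth)):
            findings.append((role, auth, granted_by, granted_by != cube))
    return findings

if __name__ == "__main__":
    for role, auth, value, wildcard in cube_exposure(RSECVAL_ROWS, ROLE_VALUES, "ZSD_C01"):
        flag = "WILDCARD" if wildcard else "exact"
        print(f"{role:16} {auth:16} {value:8} {flag}")
```

Interval values (a filled TCTHIGH column) are not modelled here; rows flagged as wildcard grants are the ones a review should look at first.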