Sunday, January 18, 2009

SAP BI 7.0 Authorization - Part 1: InfoObjects level authorization
New SAP BI 7.0 Authorization concept (analysis authorization) change a lot in accessing, analyzing and displaying BI information. The approach allow to restrict data access on Key figure, Characteristic, Characteristic value, Hierarchy node, and InfoCube levels. It enables more flexible data access management. Analysis authorization is active by default in SAP BI 7.0 systems and I think it is worth to spend some time to look closer at the new concepts and the features. In part one of this two-article series, I will show you how you can restrict access to SAP BW reports on InfoObjects level.

Initial settings
At the beginning activate business content objects (TCode RSORBCT) related to authorizations:
y y

InfoObjects 0TCA* InfoCubes 0TCA*

and set the following InfoObjects as Authorization-Relevant:
y y y y

0TCAACTVT (activity such as Display) 0TCAIPROV (InfoProvider authorization) 0TCAVALID (validity period of authorization) 0TCAKYFNM (if you want to restrict access to key figure)

Characteristics authorization
Use TCode RSA1, go to Modelling -> InfoObjects. Display properties of the characteristic to which you want to restrict access and set it as AuthorizationRelevant.

San Francisco. The following pictures show how allow users to access to specific sale organization (e.Characteristics values authorization To authorize characteristics values you need to create new authorization object through TCode RSECADMIN.g. New York. Create new authorization object (e. Dallas).. .g. Z_SORG_B).. 1.

BT .range of values. CP pattern ending with (*) (e.. 3.New York.2. 1615 . Available operators: EQ .single value. Choose characteristic and press Details button. 1612 .Dallas). .g. You have also option to Include (I) or Exclude (E) values. abc*).g. 1614 .San Francisco.. Select sales organization (e.

Attributes authorization To authorize navigational attributes. Z_SORG_B). Hierarchies authorization To grant authorization on hierarchy level edit or create authorization object (e.g. and choose type of authorization. set them as Authorization-Relevant. add hierarchy and nodes.. .

and choose the key figure to be authorized.Key figure authorization To grant authorization to particular key figure. . add special object 0TCAKYFNM to authorization object (e. Z_SORG_B)..g.

but keep in mind system limitations. where characteristics are authorization relevant. Exceptions are hierarchies in the drill down and variables which are dependent on authorization. All marked characteristics are checked for existing authorization if they are in a query or in an InfoProvider that is being used. must have sufficient authorization to the characteristics ("all-or-nothing" rule). In part two. If you want to check which InfoObjects are authorization relevant in your BI system. use TCode RSECADMIN -> Authorization Maintenance and display 0BI_ALL authorization. Avoid setting too many characteristics as authorization relevant (more than 10 in a query). More about 0BI_ALL you will find in the article on creating and assigning authorization. It means that the user who is executing the query. I will describe how to create and assign SAP BI authorization . Too much authorization objects may slow query execution.Summary InfoObject level authorization gives you a great flexibility. Exception are characteristics with all (*) authorization. . Remember that authorization do not work as a filters do.

and 0TCAVALID (validity) in at least one authorization for a user. 7..0 Authorization . They are used for: y 0TCAACTVT . 5. Insert authorization-relevant characteristics and navigational attributes (Insert Row -> press F4 -> choose item). 3. You must include special characteristics: 0TCAACTVT (activity). 0TCAIPROV (InfoProvider).to restrict the authorization to activities. Press Maint. Z_USR_A1) and press Create. Use TCode RSECADMIN. Save the authorization. and 0TCAVALID by pressing Insert Special Characteristics button. Press Details button to restrict values and hierarchy authorization of inserted items.g. I described how to set InfoObjects as authorization-relevant in previous articles.SAP BI 7. Insert special characteristics: 0TCAACTVT. 2. Creating authorization To create analysis authorization perform the following steps: 1. . Now I will focus on creating and assigning authorization. default value: Display. Fill required Short Text field. go to the Authorizations tab. 0TCAIPROV. 6. 4. button and enter a name (e.Part 2: Creating and assigning authorization I the previous articles I discussed InfoObjects level authorizations.

Organization's hierarchy can facilitate your work by providing structures and levels of authorization. y If you want to authorize access to key figures. add 0TCAKYFNM characteristic to the authorization.to restrict the validity of the authorization. To assign authorization directly use TCode RSECADMIN. default value: always valid (*). Summary I encourage you to collect all requirements related to BI security. press Change and select the authorization. Assigning authorization to a user You may assign authorization directly to a user or to a role. The entry includes analysis authorization in roles. Enter here authorization that you previously created. To assign authorization to the role use TCode PFCG. Now enter the user name. structure of the organization and authorization needs before starting authorization preparation.y 0TCAIPROV . It is important to know that if this characteristic is authorization-relevant.to restrict the authorization to InfoProviders. it will be always checked during query execution. Indirect authorization assignment can also save your time because it is more flexible and easier to maintain. . I have learned that it can save a lot of time. default value: all (*). Using Authorization tab change authorization data by adding S_RS_AUTH entry. Use this authorization if you have users that are allowed to execute all queries. enter the role name and press Change. 0TCAVALID . go to the User tab and press Assign. 0BI_ALL authorization The 0BI_ALL authorization includes all authorization-relevant characteristics. It is automatically updated when you restrict a BI InfoObject.

Sign up to vote on this title
UsefulNot useful