
BI2008 – BI 7.0 Roles & Authorizations – v1.0

India SAP CoE, Slide 1


BI2008 - BI 7.0 Roles &
Authorization - v1.0
1 PrepareMe

2 TellMe

3 ShowMe

4 LetMe
5 HelpMe
India SAP CoE, Slide 2
Introduction

• Purpose
• Use
• Challenges

India SAP CoE, Slide 4


Purpose
• Explain the key features of the new authorization concept
in SAP NetWeaver 2004s.
• Describe the steps involved in setting up an ‘Analysis
Authorization’ for users.
• Explain the migration steps required between the old and
new authorization concepts.

India SAP CoE, Slide 5


Use
• The SAP authorization concept protects transactions,
programs, data and services in SAP systems from
unauthorized access.
• Authorization allows a user to perform a certain activity
on a certain object in the BI System.
• Authorizations can be added to roles that define what
content is available to specific users or set of users.
• It prevents unauthorized users from accessing the
system.

India SAP CoE, Slide 6


Challenges
• To define authorizations and maintain them by object
(InfoObject, Query, ODS Object or InfoCube) and
hierarchies.
• Setting up user authorizations for queries containing
authorization-relevant characteristics, as query
results are not shown at all if even part of the
authorization is not met.
• Migration of old authorization objects to new
authorizations.

India SAP CoE, Slide 7


SAP Authorization Concept
• Involves protecting transactions, specific field values,
programs, and services in SAP systems from
unauthorized access.
• On the basis of the authorization concept,
administrator assigns authorizations to the users that
determine which actions a user can execute in the
SAP System.
• The authorizations represent instances of generic
authorization objects and are defined depending on
the activity and responsibilities of the employee. The
authorizations are combined in an authorization profile
that is associated with a role.

India SAP CoE, Slide 9


SAP Authorization Concept
[Diagram: relationships between user master record, composite role, single role, generated profile, composite profile, manual profile, authorisation, authorisation object and authorisation fields with values. Cardinalities shown: M:N, 1:1 and 1:10.]

India SAP CoE, Slide 10


BI Authorization Concept
• Primary activities in BI are:
– Displaying Data
– Analyzing Result
• Primary BI Security focus is on:
– Infoarea
– Infoprovider (e.g. Infocube, Datastore Object)
– Queries
• Two types of Authorizations Supported in SAP
Netweaver ‘04:
1) Standard Authorization: Focused on Administrative users
2) Analysis Authorization: Focused on Report Users

India SAP CoE, Slide 11


BI 7.0 Authorization Types
1) Standard authorizations

• Allow users to perform administration tasks and to
change/delete/create meta data objects like Infocube,
DSO in BW
• Based on standard structures provided by SAP, i.e.
preconfigured ‘authorization objects’ are provided by SAP.
Individual authorization objects are grouped into
‘roles’. The authorizations are then entered into individual
users’ master records in the form of ‘profiles’.
• Transaction PFCG is used to assign authorization objects
to roles and flag relevant InfoProviders.
• E.g.: S_RS_COMP, S_RS_COMP1, S_RS_FOLD

India SAP CoE, Slide 12


Authorization – 0BI_ALL
• Automatically generated and not changeable.
• Grants authorization for all values of all
authorization-relevant characteristics.
• Adjusted whenever a new Infoobject is set to
authorization-relevant.
• A user that has a profile with authorization object
S_RS_AUTH and has entered 0BI_ALL would have
complete access to all data.

India SAP CoE, Slide 13


Standard authorization Set Up
Steps in Brief

• Create a ‘Role’ using the transaction PFCG
• Assign the ‘Standard Authorization object’ to the ‘Role’.

India SAP CoE, Slide 14


Standard Authorization Set Up

Step 1: Create a ‘Role’ using the transaction PFCG

Step 2: Assign the Authorization object to the role.

India SAP CoE, Slide 15


BI 7.0 Authorization Types
2) Analysis Authorizations

• All users who want to display transaction data from
authorization-relevant characteristics or navigation
attributes in a query require analysis authorization. This
type of authorization is not based on the standard
authorization concept of SAP.
• Instead these authorizations use their own concept that
takes the features of reporting & analysis in BI into
consideration. Using this analysis authorization concept
of BI for the display of query data, critical data is
protected in a better way.
• Transactions RSECADMIN and PFCG are used to
assign auth objects to users or roles and specify relevant
InfoProviders. Authorization Object S_RS_AUTH is
assigned to roles or users.

India SAP CoE, Slide 16


Analysis Authorizations Options
• On Characteristic Level
– Restriction of access to all values of a particular characteristic
• On Characteristic Value Level
– Restriction of access to certain values of a particular characteristic
• On Key Figure Level
– Restriction of access to certain Key Figures
– For using this option, Infoobject 0TCAKYFNM should be included
in the ‘authorization’. When 0TCAKYFNM is flagged as authorization
relevant, key figures are checked for every infoprovider
• On Infocube Level
– Restriction at Infocube Level
• On Hierarchy Node Level
– Restriction of access to certain nodes of a Hierarchy

India SAP CoE, Slide 17


Analysis authorization :
Characteristic level

India SAP CoE, Slide 18


Analysis authorization:
Characteristic value level

India SAP CoE, Slide 19


Analysis authorization :
Key Figure level

India SAP CoE, Slide 20


Analysis Authorizations
Prerequisites for managing Analysis Authorization:

1. Authorization:
– Authorization object S_RSEC, which covers all relevant objects with
namespace authorizations for specific activities.

2. Activate three BI Content characteristics
• Activate the following 3 objects of the technical BI Content related to
authorizations:
– Activity (0TCAACTVT)
– Infoprovider (0TCAIPROV): for granting authorization to a particular
infoprovider
– Validity (0TCAVALID): for granting authorization to a specific time period
• They must be assigned to the user in at least one authorization and must
not be included in queries.

India SAP CoE, Slide 21


Analysis Authorizations
• Define Characteristics as Authorization Relevant
– Select the following InfoObjects of the technical BI Content
to be authorization relevant: 0TCAACTVT, 0TCAIPROV,
0TCAVALID, and 0TCAKYFNM.
– All characteristics that are to be checked by the authorization
check should be made authorization relevant. Define the
navigation attributes as authorization relevant too if these
are to be checked.

India SAP CoE, Slide 22


Navigation Attribute - Authorization
• We can use navigation attributes as authorization
objects in BEx.
• No need to mark the main characteristic as
authorization relevant in order to make the navigation
attribute as authorization relevant.

India SAP CoE, Slide 23


Analysis Authorizations
• Transaction RSECADMIN (Management of Analysis
Authorizations) provides a central entry point for all
functions that are required to manage analysis
authorizations.
• There are three important tabs in the main screen of
this transaction. They are:
– Authorizations
– User
– Analysis

India SAP CoE, Slide 24


RSECADMIN - Authorizations Tab

1. Used for creating and changing analysis authorizations

2. Used for generating analysis authorizations

3. Used for collecting previously created authorizations to a
transport request

India SAP CoE, Slide 25


RSECADMIN – User Tab

1. Used to assign analysis authorizations to a user

2. To transport created and assigned authorizations

3. Used for general user maintenance

4. Used for general role maintenance (opens transaction PFCG)

India SAP CoE, Slide 26


RSECADMIN - Analysis Tab

1. Used for executing various transactions as another user for
checking their authorizations

2. For checking logs of authorization check

3. For checking log of all generation runs for authorizations

India SAP CoE, Slide 27


Standard vs Analysis Authorization

• Allows access to
– Standard Authorization: Meta Data objects (e.g. Infocube)
– Analysis Authorization: Semantic Data Slices (e.g. Company Code 1000)
• Used for
– Standard Authorization: Object maintenance, Data access at high level
– Analysis Authorization: Granular access to subsets of data / data slices
• Structure designed by
– Standard Authorization: SAP
– Analysis Authorization: Customer

India SAP CoE, Slide 28


Authorization Objects
- For Data Warehouse Workbench
Authorization Object*   Use
S_RS_ADMWB   for working with individual objects of the Data Warehousing Workbench (DWH)
S_RS_ODSO   for working with Datastore Objects and their subobjects
S_RS_HIER   for working with Hierarchies
S_RS_IOBJ   for working with individual InfoObjects and their subobjects
S_RS_ISNEW   for working with InfoSources (Release > BW 3.x)
S_RS_DS   for working with Datasources (Release > BW 3.x) or its subobjects
S_RS_ICUBE   for working with InfoCubes and their subobjects
S_RS_ISOUR   for working with InfoSources with flexible updating and their subobjects
* For the complete list, refer to transactions SU03/SU21 or SAP Help at
http://help.sap.com/saphelp_nw04s/helpdata/en/80/1a6859e07211d2acb80000e829fbfe/content.htm

India SAP CoE, Slide 29


Authorization Objects
- Business Explorer

Authorization Object*   Use
S_RS_COMP   for using different components for the query definition
S_RS_COMP1   for queries from specific owners
S_RS_FOLD   display authorization for folders
* For the complete list, refer to transactions SU03/SU21 or SAP Help at
http://help.sap.com/saphelp_nw04s/helpdata/en/80/1a6859e07211d2acb80000e829fbfe/content.htm

India SAP CoE, Slide 30


Reporting User Authorizations
Minimum authorization requirements for a Reporting User:

• Analysis Authorization for an infoprovider
• S_RS_COMP (Activities 03, 16)
• S_RS_COMP1 (Query Owner)
• S_RFC (BEx Analyzer or Browser only)
• S_TCODE (RRMX for BEx Analyzer)

In addition, if the BEx Analyzer tool is used by the Reporting user,
authorization for objects S_RFC and S_TCODE
with transaction code RRMX is also needed.

India SAP CoE, Slide 31


Migration to new Authorizations
• Migration is performed with the help of program
RSEC_MIGRATION.
• No complete, automatic migration, but support
– About 80% automatic migration expected
– Customer exit variables for 0TCTAUTHH cannot be
migrated
– Intensive tests are highly recommended
• Singular event
• During migration to the new authorization concept, the
existing concept won’t be changed.

India SAP CoE, Slide 32


Migration Steps
• Step 1: Choose users
• Step 2: Choose authorization objects to be migrated
• Step 3: Choose assignment method
– Direct user assignment
– Create new profiles
– Extend existing profiles
– Undo migration
• Step 4: Choose details of authorization migration and
check logs

India SAP CoE, Slide 33


Analysis Authorizations
Steps to create and assign Analysis Authorization in brief:

1. Enter transaction code RSECADMIN. Select the
‘Authorization’ tab and choose ‘maintenance’. Enter the
authorization name and click on ‘create’.
2. Insert 3 special characteristics and add at least one
other authorization relevant infoprovider which needs
to be restricted using analysis authorizations.
3. Assign relevant value/hierarchy authorization
corresponding to the infoprovider(s) and save the
analysis authorization.
4. Assign authorization to user with RSECADMIN – user
tab.
5. Assign analysis authorization using a role (optional).

India SAP CoE, Slide 35


Analysis Authorizations
Step 1 : Create Analysis Authorization Object using the
transaction code: RSECADMIN ‘Authorizations’ Tab
‘Maintenance’ Option

Enter the technical name and click on ‘Create’

India SAP CoE, Slide 36


Analysis Authorizations
Step 2 a : Use ‘insert’ option to include special
characteristics: 0TCAACTVT, 0TCAIPROV, 0TCAVALID

1. Enter the text details and select the ‘insert’ option to
include special characteristics.

2. Auth structure after insertion of special characteristics

India SAP CoE, Slide 37


Analysis Authorizations
Step 2 b: Maintain values for the characteristics

Select a characteristic, say ‘0TCAACTVT’, and
click on ‘Details’ to maintain values for
Authorization

India SAP CoE, Slide 38


Analysis Authorizations
Step 2 c: Assign the value authorizations for the selected
characteristic
In the ‘Value Auths.’ tab, provide the
relevant ‘Operator’ and ‘Technical
Character.’ assignments and save.
E.g.: for characteristic
0TCAACTVT select the Activity
‘EQ’ to Display 03

India SAP CoE, Slide 39


Analysis Authorizations
Step 2 d: Go back and insert the infoprovider for
which authorizations are to be maintained using option

1. Choose the infoprovider option

2. Provide the infoprovider name in the next
pop-up and select ‘Enter’

India SAP CoE, Slide 40


Analysis Authorizations
Step 2 e: Select the authorization relevant infoobject of the
infoprovider

Select the authorization relevant infoobject of
the infoprovider (in this case infoobject
0INFOPROV) and select ‘Enter’

India SAP CoE, Slide 41


Analysis Authorizations
Step 3 a : Select the authorization relevant infoobject of
infoprovider and assign ‘value authorizations’ to it.

Select the authorization relevant infoobject of infoprovider (in
this case 0INFOPROV) and click on ‘Details’ to assign
values to it.

India SAP CoE, Slide 42


Analysis Authorizations
Step 3 b : Assign Value authorization for the selected
infoprovider

In the ‘Value Auths.’ tab assign the appropriate ‘operator’
and ‘Technical Character.’ as per authorization
requirements. E.g. for access to unassigned
values, operator = EQ and Technical Character. = # is
used.

India SAP CoE, Slide 43


Authorization Values Options
The options available for providing the value authorizations are:

• I/E Include / Exclude
• EQ Equal to
• BT Range of values
• LE Less than or equal to
• LT Less than
• GT Greater than
• GE Greater than or equal to
• CP Contains pattern, e.g. ABC*
• : aggregated values
• # unassigned values
• * any character string
• + for exactly one character
• $VARNAME Variables of type customer exit can be used
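
A simplified model of how these value authorizations combine with the all-or-nothing query check, as an added example and not SAP code or part of the original slides. The sample characteristics and values, the include-then-exclude evaluation, the handling of ':' and '#', and the plain string comparison for ranges are assumptions of the model.

```python
import re

# Constructed sample: value authorizations of one user, keyed by characteristic.
# Each rule is (sign, operator, low, high); sign is "I" (include) or "E" (exclude).
USER_AUTH = {
    "0COMP_CODE": [("I", "BT", "1000", "2000"), ("E", "EQ", "1500", None)],
    "0COSTCENTER": [("I", "CP", "CC1+", None), ("I", "EQ", ":", None)],
}
RELEVANT = ["0COMP_CODE", "0COSTCENTER"]  # authorization-relevant characteristics
SPECIAL = {"#", ":"}                      # unassigned values, aggregated values


def cp_match(pattern, value):
    """CP: '*' stands for any character string, '+' for exactly one character."""
    rx = "".join(".*" if c == "*" else "." if c == "+" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, value, re.S) is not None


def rule_hits(rule, value):
    _sign, op, low, high = rule
    if value in SPECIAL:
        # Model assumption: '#' and ':' are never caught by a range comparison,
        # only by naming them (EQ) or by the full wildcard (CP *).
        return (op == "EQ" and low == value) or (op == "CP" and low == "*")
    if op == "EQ":
        return value == low
    if op == "BT":
        return low <= value <= high
    if op == "CP":
        return cp_match(low, value)
    compare = {"LE": value <= low, "LT": value < low,
               "GE": value >= low, "GT": value > low}
    return compare[op]


def value_allowed(value, rules):
    """A value is allowed if some include rule hits it and no exclude rule does."""
    included = any(rule_hits(r, value) for r in rules if r[0] == "I")
    excluded = any(rule_hits(r, value) for r in rules if r[0] == "E")
    return included and not excluded


def check_query(selection, auth=USER_AUTH, relevant=RELEVANT):
    """Return (allowed, missing). One uncovered value refuses the whole query."""
    missing = []
    for char in relevant:
        # Model assumption: a characteristic the query does not restrict is
        # requested in aggregated form, which needs the ':' authorization.
        requested = selection.get(char) or [":"]
        rules = auth.get(char, [])
        missing += [(char, v) for v in requested if not value_allowed(v, rules)]
    return (not missing, missing)


if __name__ == "__main__":
    print(check_query({"0COMP_CODE": ["1000", "1200"]}))
    print(check_query({"0COMP_CODE": ["1000", "3000"], "0COSTCENTER": ["CC12"]}))
```

The second call is refused as a whole even though company code 1000 and cost centre CC12 are covered, which is the behaviour the Challenges slide warns about.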

India SAP CoE, Slide 44


Analysis Authorizations
Step 3 c : To provide hierarchy authorizations, use the
hierarchy/Authorizations tab

1. Select the Hierarchy/Authorizations tab
and click on ‘Create’

2. In the next pop-up, use ‘Select Hierarchy’ to view
available hierarchies

3. Select the hierarchy and click on ‘Enter’

India SAP CoE, Slide 45


Analysis Authorization
Step 3 d : Assign relevant values for Hierarchy Authorizations

Assign the relevant authorization. E.g.
for complete hierarchy authorization, Type = 3
is used

India SAP CoE, Slide 46


Analysis Authorization
Step 4 a : Enter the transaction code: RSECADMIN ->
‘User Tab’ and Select ‘Assignment’ option for assigning
analysis authorization to the User.

Select
‘Assignment’

India SAP CoE, Slide 47


Analysis Authorization
Step 4 b : Enter the User id to which the authorization
is to be provided

Enter username
and click on
‘Change’.

India SAP CoE, Slide 48


Analysis Authorization

Step 4 c : Add the required Analysis Authorization

1. Choose the ‘Help’ (F4) option to view the list of
available Analysis Authorizations

2. Select the required authorization and
click on ‘Enter’

India SAP CoE, Slide 49


Analysis Authorization
Step 4 d : Save the Assignment

Analysis authorization has been assigned to the user; save the
assignment. Additional authorizations can be added if
necessary.

India SAP CoE, Slide 50


Analysis Authorization
Step 5 : This step is optional. Using the ‘Role maintenance’
option of transaction RSECADMIN in the ‘User’ Tab,
Add analysis authorization to role using object S_RS_AUTH.

India SAP CoE, Slide 51


Authorization Error Analysis
• Transaction RSECADMIN -> ‘Analysis’ tab is used
for analysis of the authorization errors.
• Two options are available for analyzing the errors:
1. Execute as - Execute as another user and then analyze the
logs.
2. Error logs - The user executes the steps leading to the error
after configuration of ‘recording’. Once this is done, the
generated ‘logs’ are analyzed.

India SAP CoE, Slide 52


Authorization Error Analysis
1. Using option - Execute as
Step 1 a: Select the option ‘Execute as’ on
the ‘Analysis’ tab of RSECADMIN transaction

Select Execute as on the Analysis tab
to analyze errors as another user

India SAP CoE, Slide 53


Authorization Error Analysis
1. Using option - Execute as
Step 1 b: Enter the Username and choose the
relevant option (for example transaction : RSRT)
and click on ‘Execute’:
1. Enter the username and select with log.

2. Choose the relevant option & execute the
transaction.

India SAP CoE, Slide 54


Authorization Error Analysis
1. Using option - Execute as
Step 1 c: Enter the Query name for which the authorization
error is to be analyzed

Step 1 d: Enter the selection parameters
for the query and execute

India SAP CoE, Slide 55


Authorization Error Analysis
1. Using option - Execute as

Step 1 e: Analyze the errors that appear on the screen

Analyze the errors that appear on this screen.

India SAP CoE, Slide 56


Authorization Error Analysis
2. Using option – Error Logs

Step 1 a: Select the option ‘Error Logs’ on the
‘Analysis’ tab of RSECADMIN transaction

The Error log option is used to configure recording to track
user authorization errors.

India SAP CoE, Slide 57


Authorization Error Analysis
2. Using option – Error Logs

Step 1 b: Select the option ‘Configure Log Recordings’

Click on ‘Configure Log Recording’ to add the user
name for whom the error is to be analyzed.

India SAP CoE, Slide 58


Authorization Error Analysis
2. Using option – Error Logs

Step 1 c: Enter the Username and save. Next request the
user to run the Query

Add the username, save and go back to the previous screen. Request
the user to run the query now and
check the log.

India SAP CoE, Slide 59


Authorization Error Analysis
2. Using option – Error Logs

Step 1 d: Check the generated error log once the user has
executed the Query. For this use the transaction
RSECADMIN -> Analysis tab -> ‘Error logs’ option.

Provide the Username and time of run in the selection
screen and select the ‘Display’ option to
view the log

India SAP CoE, Slide 60


Authorization Error Analysis
2. Using option – Error Logs
Step 1 e: Analyze the errors that appear in the Log

India SAP CoE, Slide 61


Information on authorization
objects
Transaction SU03 provides information about the Authorization
and Roles
1. Select Class (e.g. RS for Business Information Warehouse)
and execute the ‘List Authorizations’ option
2. Select the object and use the ‘Documentation’ option for
viewing further details

India SAP CoE, Slide 62


LetMe
• Step 1. Create Analysis Authorization
• Step 2. Insert 3 special characteristics: 0TCAACTVT,
0TCAIPROV, 0TCAVALID. Add at least one other
authorization relevant infoprovider which should be
restricted using analysis authorizations.
• Step 3. Assign the relevant values corresponding to the
infoprovider(s) and save the analysis authorization.
• Step 4. Assign authorization to user
• Step 5. Assign analysis authorization using a role (optional).

India SAP CoE, Slide 64


Useful Transaction codes
Transaction code   Use
RSECADMIN   For creating and assigning analysis authorizations and checking errors in analysis authorization.
PFCG   For creating roles and assigning users to roles.
SU03 / SU21   For information on authorization objects.
ST01   For checking errors in standard authorizations.

India SAP CoE, Slide 66


Tips and Tricks
• In case there are no authorization restrictions for any
user (for example in a development system), include
special authorization 0BI_ALL in authorization object
S_RS_AUTH.
• SUIM – User Information System is a useful transaction
code for checking user and role assignments.
• Transaction codes RSECADMIN, ST01 and SU53 can
be used to analyze user authorization errors.
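
A review check for the 0BI_ALL tip above and the earlier 0BI_ALL slide: list every user who ends up with 0BI_ALL, whether assigned directly in RSECADMIN or through a role carrying S_RS_AUTH. This is an added example, not part of the original slides; the user, role and authorization names are constructed, and treating a value ending in '*' as covering 0BI_ALL is an assumption of the model.

```python
# Constructed sample data; all user, role and authorization names are invented.
DIRECT_ASSIGNMENTS = {      # RSECADMIN 'User' tab: user -> analysis authorizations
    "DEV_ANNA": ["0BI_ALL"],
    "REP_RAVI": ["Z_SALES_1000"],
}
ROLE_S_RS_AUTH = {          # PFCG: role -> values entered in object S_RS_AUTH
    "Z_BI_REPORTING": ["Z_SALES_1000"],
    "Z_BI_SUPPORT": ["0BI*"],
    "Z_BI_BASIS": ["*"],
}
USER_ROLES = {
    "REP_RAVI": ["Z_BI_REPORTING"],
    "SUP_MEI": ["Z_BI_SUPPORT"],
    "BAS_TOM": ["Z_BI_BASIS"],
}
FULL_ACCESS = "0BI_ALL"


def grants_full_access(value):
    """True if a value entered in S_RS_AUTH is 0BI_ALL or a generic value
    covering it (assumption: a trailing '*' matches any suffix)."""
    if value.endswith("*"):
        return FULL_ACCESS.startswith(value[:-1])
    return value == FULL_ACCESS


def users_with_full_access(direct, role_values, user_roles):
    """Map each user holding 0BI_ALL to the paths that grant it."""
    findings = {}
    for user, auths in direct.items():
        if FULL_ACCESS in auths:
            findings.setdefault(user, []).append("direct assignment")
    for user, roles in user_roles.items():
        for role in roles:
            if any(grants_full_access(v) for v in role_values.get(role, [])):
                findings.setdefault(user, []).append("role " + role)
    return findings


def unexpected_full_access(findings, exempt):
    """Drop users for whom full access is intended, e.g. on a development system."""
    return {u: paths for u, paths in findings.items() if u not in exempt}


if __name__ == "__main__":
    found = users_with_full_access(DIRECT_ASSIGNMENTS, ROLE_S_RS_AUTH, USER_ROLES)
    print(unexpected_full_access(found, exempt={"DEV_ANNA"}))
```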

India SAP CoE, Slide 67


BW 3.X Authorizations
• Reporting Authorizations
Previous to SAP NetWeaver 2004s, the SAP standard
authorization concept was also used for analysis
authorizations, then called reporting authorizations.

SAP recommends using the new concept (Analysis
Authorization in 2004s) because it is better suited to the
requirements of BI and because the previous concept will
no longer be supported.

• To migrate authorizations from BW 3.X to BI 7.0, use
program RSEC_MIGRATION

India SAP CoE, Slide 68


Additional Info

SAP Help Site for complete information on BI 7.0
authorizations.

http://help.sap.com/saphelp_nw04s/helpdata/en/be/076f3b6c980c3be10000000a11402f/frameset.htm

India SAP CoE, Slide 69
