With SAP BI 7.0 we have a new tool to maintain reporting-level
security. We can access this tool using tcode RSECADMIN, which
replaces the old RSSM tool of BW 3.x.
## Below are the Step-by-Step instructions to create/maintain
authorization objects for SAP BI Reporting:
I am covering the scenario where each employee (Sales Team) is assigned
one territory number, and the data should be accessible to an employee
based on their territory only. For this scenario to work, we have to set a
security restriction on the corresponding territory InfoObject (ZDWSLTER).
# The first step before we create any Authorization Object is to set all the
InfoObjects as authorization relevant for which we want to restrict data
access.
# The very first step of creating any Authorization Object is to add the
special characteristics as fields for restriction:
# We can double click on the newly added InfoObject and define the
value which we want to allow for this InfoObject. We can also set a
dynamic value using Customer Exit Code, which we will cover later in this
blog.
Authorizations in SAP NW BI
TOPICS
1. MODELING
2. AUTHORIZATION
Reporting User
Developer
General
3. ASSIGNMENT
Generation (rsecadmin)
Role (pfcg)
4. TECHNICAL
Tables
Authority check
1. MODELING
Difference between rssm and rsecadmin
RSSM
RSECADMIN
Authorization
Assignment of reporting authorization:
* by PFCG: mass distribution of authorizations by using roles
* by RSSM: generation (used with Business Content and flat file loading)
Modeling (RSECADMIN):
* IO and navigation attributes can be authorization relevant,
* an IO that is authorization relevant is authorization relevant for all the cubes in which it is used,
Modeling (RSSM):
* IO marked as authorization relevant,
* RSSM is used to flag the relevant InfoProviders,
* RSSM is used to create custom authorization objects,
Authorization variables are used in BEx queries,
PFCG is used to assign reporting authorization through the
Object class: RSR,
Query access is managed by the objects
S_RS_COMP, S_RS_COMP1,
Area Button/Access: S_RS_FOLD,
S_RS_HIER,
S_RS_ISET.
Step by Step
RSSM
0. Pre-requisites
RSECADMIN
Authorization relevant
2. Create Authorization
Object/ Analysis
authorization
RSSM -> Select: 'Check for Info Cubes' -> Change ->
Flag the related Info Cubes
for authorization
5. Insert Authorization in
Role
6. Assign Authorization/
Role to Users
2. AUTHORIZATION
Reporting User: Authorization for End User
S_RS_AUTH:
Insert here the Analysis Authorization you customize in Rsecadmin.
Allow right on IO marked as 'authorization relevant' (Data)
S_RS_COMP : Query Accessibility
Activity: 01 (Create or generate), 02 (Change), 03 (Display), 06
(Delete), 16 (Execute), 22 (Enter, Include, Assign)
InfoArea: '*'
InfoCube: <Selected infoprovider>
Name (ID) of a reporting component: <Selected query>
Type of a reporting component: CKF (Calculated key figure), QVW (Query View),
REP (Query), RKF (Restricted key figure), SOB (Selection object, New object !!!), STR (Template structure),
VAR (Variable)
S_RS_COMP1 : Query for specific users
S_RS_FOLD ( Hide 'Folder' Pushbutton): 'False' or 'True'
S_USER_AGR: Role Name
S_RS_BITM : !!! NEW !!!
S_RS_BTMP : !!! NEW !!!
Developer
S_DEVELOP
S_RO_BCTRA: on the ECC side, to activate (remote) DataSources
S_RS_BC
S_RS_BCS
S_GUI
S_RS_DS: Authorizations for working with the DataSource or its sub-objects (as of
SAP NetWeaver 2004s)
S_RS_ISNEW: Authorizations for working with new InfoSources or their subobjects
(as of SAP NetWeaver 2004s)
S_RS_DTP: Authorizations for working with the data transfer process and its
subobjects
S_RS_TR: Authorizations for working with transformation rules and their subobjects
S_RS_CTT: Authorizations for working with currency translation types
S_RS_UOM: Authorizations for working with quantity conversion types
S_RS_THJT: Authorizations for working with key date derivation types
S_RS_PLENQ: Authorizations for maintaining or displaying the lock settings
S_RS_RST: Authorization object for the RS trace tool
S_RS_PC: Authorizations for working with process chains
S_RS_OHDEST: Open Hub Destination
S_RS_DAS: Authorizations for working with Data Access Services
S_RS_BTMP: Authorizations for working with BEx Web templates
S_RS_BEXTX: Authorizations for the maintenance of BEx texts
Authorization objects for the administration of analysis authorizations
General
S_RFC: Authorization Check for RFC Access:
Activity 16
Name of RFC to be protected *
Type of RFC object to be protected: FUGR
S_TCODE: Transaction Code Check at Transaction Start
Transaction Code SE37,RRMX, RRMXP
S_GUI: Authorization for GUI activities
Activity 02, 60, 61
S_BDS_DBC-SRV-KPR-BDS: Authorizations for Accessing Documents
Activity 03
BDS: Data element for LOIO cla *
3. ASSIGNMENT
Generation (rsecadmin)
Role (pfcg)
4. TECHNICAL
Tables
RSECVAL : Authorization Value Status,
RSECUSERAUTH : BI AS Authorizations: Assignment of User Auth.
Function Modules:
RSEC_AUTHORITY_CHECK_IPROV
RSEC_AUTH_GET_IOBJ_RELEVANT
RSEC_CHECK_IPROV
RSEC_CHECK_VALIDITY
RSEC_COMPLETE_HIERAUTH
RSEC_GET_AUTH_FOR_USER
RSEC_GET_AUTH_HIER_FOR_USER
RSEC_ASSIGN_AUTHS_TO_USERS
RSEC_GET_ALL_GENERATED_AUTHS
RSEC_READ_ODS_HIER
RSEC_READ_ODS_USER_AUTH
RSEC_READ_ODS_VAL
RSEC_AUTHORIZATIONS_OF_USER
RSEC_GET_AUTH_FOR_USER_RFC
# Now we can assign the created Authorization Object to any user using this
tool.
# A user with Authorization Object 0BI_ALL has full access to data, and
this overrides any other Authorization Objects assigned to that user.
Release the change request to transport using SE10 transaction. Press Display,
choose tasks and requests you would like to release and press the button with single
truck (or F9). When both task and request have been released successfully, start
transport in target system.
Target system
To import queries to quality system start STMS transaction > Import Overview (F5)
> Display Import Queue. On the Import Queue screen select the request and press
Import (truck with a small loading). Choose target client's number and press enter.
The queries will be written to the target system.
Standard BEx Transport Request
When the request you have released was set as the Standard BEx Transport Request,
you need to create a new standard request. If there is no standard request, nobody
is able to process queries or workbooks on the system. When you try to do so, you
will receive the error: The query could not be saved due to a problem in
transport. BEx transport request is not available or not suitable.
To create a new request, press BEx and then the Assign / Delete button,
add the request and save the choice.
Now all new objects and modifications will be written to the chosen BEx
transport request. For more information on the standard transport request, see
note 194051.
Additional resource:
Transporting: role and objects.
Authorizations for change and transport: S_TRANSPRT and S_CTS_ADMI
Initial settings
At the beginning activate business content objects (TCode RSORBCT) related
to authorizations:
InfoObjects 0TCA*
InfoCubes 0TCA*
and set the following InfoObjects as Authorization-Relevant:
0TCAACTVT (activity such as Display)
0TCAIPROV (InfoProvider authorization)
Characteristics authorization
Use TCode RSA1, go to Modelling -> InfoObjects. Display properties of the
characteristic to which you want to restrict access and set it as
Authorization-Relevant.
3. Select sales organization (e.g., 1612 - New York, 1614 - San Francisco, 1615 - Dallas).
Available operators: EQ - single value, BT - range of values, CP - pattern ending with
(*) (e.g., abc*). You have also option to Include (I) or Exclude (E) values.
Attributes authorization
To authorize navigational attributes, set them as Authorization-Relevant.
Hierarchies authorization
To grant authorization on hierarchy level edit or create authorization object
(e.g., Z_SORG_B), add hierarchy and nodes, and choose type of authorization.
Summary
InfoObject-level authorization gives you great flexibility, but keep system
limitations in mind. Avoid setting too many characteristics as authorization relevant
(more than 10 in a query). All marked characteristics are checked for existing
authorization if they are in a query or in an InfoProvider that is being used. Too many
authorization objects may slow query execution. The exception is characteristics
with all (*) authorization.
If you want to check which InfoObjects are authorization relevant in your BI
system, use TCode RSECADMIN -> Authorization Maintenance and display the
0BI_ALL authorization. You will find more about 0BI_ALL in the article on creating
and assigning authorization.
Remember that authorizations do not work as filters do. This means that the user who is
executing a query in which characteristics are authorization relevant must have
sufficient authorization for those characteristics ("all-or-nothing" rule). The exceptions are
hierarchies in the drill-down and variables that depend on authorization.
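The all-or-nothing rule above, combined with the EQ/BT/CP operators from the characteristics section, as an added example that is not SAP code or part of the original page: a simplified Python model contrasting the authorization check with filter behaviour. The names `USER_AUTH`, `check_query` and `filter_view` are hypothetical; only Include (I) entries are modeled, and the hierarchy and variable exceptions are left out.

```python
# Simplified model, not SAP code. Covers Include (I) entries only.
# Entries are (operator, low, high) with the operators named on this page.
# Constructed sample: a user authorized for New York, San Francisco and Dallas.
USER_AUTH = [("EQ", "1612", None), ("BT", "1614", "1615")]


def value_allowed(value, auth):
    """Return True if one characteristic value is covered by any entry."""
    for op, low, high in auth:
        if op == "EQ" and low in ("*", value):
            return True
        # BT: plain string comparison, valid for equal-length keys like "1612".
        if op == "BT" and low <= value <= high:
            return True
        # CP: pattern ending with *, e.g. "16*" covers every value starting "16".
        if op == "CP" and low.endswith("*") and value.startswith(low[:-1]):
            return True
    return False


def has_full_access(auth):
    """True if an entry grants all (*) values."""
    return any(op in ("EQ", "CP") and low == "*" for op, low, _ in auth)


def check_query(selection, auth):
    """All-or-nothing check: run only if every selected value is authorized.

    selection is a list of values, or None when the query puts no
    restriction on the characteristic and therefore reads all values.
    """
    if selection is None:
        return has_full_access(auth)
    return all(value_allowed(v, auth) for v in selection)


def filter_view(selection, auth):
    """What a filter would return instead; the check does NOT behave like this."""
    return [v for v in selection if value_allowed(v, auth)]


if __name__ == "__main__":
    print(check_query(["1612", "1615"], USER_AUTH))   # selection fully covered
    print(check_query(["1612", "1613"], USER_AUTH))   # 1613 is not authorized
    print(filter_view(["1612", "1613"], USER_AUTH))   # filter-style result
```

A query that selects 1612 and 1613 is rejected as a whole rather than silently reduced to 1612, which is why queries for restricted users need a selection (or an authorization variable) that stays inside their authorized values.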
BW Security (Authorizations)
The following are some of the relevant SAP BW Security transaction
codes.
Transaction Code: Description
RSA1: Transaction RSA1 is the main transaction for administrative functions in SAP BW (Administrator Workbench)
RSD1: This transaction code can be used to mark objects as relevant for authorization (InfoObject Maintenance)
RSSM: This transaction code can be used to create and modify authorization objects in SAP BW
RSZV: This transaction code is used to create or modify the variables for authorization checks (Variable Maintenance)
RRMX: Business Explorer is the reporting tool in SAP BW and is used for analyzing data.
GLOBAL_TEMPLATES: Templates for modelling and evaluating data
How to Activate Authorizations in BW: The following steps explain how to activate authorizations in BW.
1) Mark InfoObject as relevant for authorization tcode => RSD1
2) Create report authorization object tcode => RSSM
3) Select InfoCubes tcode => RSSM
4) Manually integrate authorization object in role tcode => PFCG
5) Change / Maintain authorization values => PFCG
6) Assign role to user tcode => PFCG or via Central User Administration
Hierarchical Authorizations in BW
The following steps describe how to control authorizations for
hierarchies:
1) Transfer and activate InfoObject 0TCTAUTHH tcode => RSD1
2) Mark InfoObject 0TCTAUTHH as relevant for authorization tcode => RSD1
3) Mark Leaf InfoObject as relevant for authorization tcode => RSD1
4) Create authorization objects with 0TCTAUTHH and Leaf InfoObject =>
RSSM
5) Define hierarchical authorizations tcode => RSSM
6) Manual integration of authorization object in role tcode => PFCG
http://wiki.scn.sap.com/wiki/display/BOBJ/Business+Intelligence