
Maintaining Authorizations in BI/BW

SAP BI security is an integral part of any BI implementation. Integrating all
the data coming from various source systems and providing data access
based on the user's role is one of the major concerns of all BI projects.
Security in SAP R/3-ECC systems is based on activities, while SAP BI
security focuses on what data a user can access. Security in BI falls
into two major categories:
Administrative Users: We maintain security for administrative users the
same way as in ECC security, but the system has additional authorization
objects that are defined only for BI objects.
Reporting Users: We have a separate tool (Analysis Authorization) to
maintain security for reporting users.
What is an Authorization Object?
It allows the system to check whether a user is allowed to perform a certain
action. Actions are defined on the fields, and each field in the authorization
object must pass the check. We can view all the standard BI authorization
objects using tcode SU21 under the Business Warehouse folder:

With SAP BI 7.0 we have a new tool to maintain reporting-level
security. We can access this new tool using tcode RSECADMIN, which
replaces the old RSSM tool of BW 3.x.
## Below are the step-by-step instructions to create/maintain
authorization objects for SAP BI reporting:
I am covering the scenario where each employee (Sales Team) is assigned
one territory number, and the data should be accessible to each employee
based on their territory only. For this scenario to work we have to set a
security restriction on the corresponding territory InfoObject (ZDWSLTER).
# The first step, before we create any Authorization Object, is to set all the
InfoObjects for which we want to restrict data access as authorization
relevant.

Authorization Objects on InfoObjects of type Characteristic:


# To access the new Analysis Authorization tools we use tcode RSECADMIN ->
Authorizations Tab -> Maintenance Button

# We can also use tcode RSECAUTH to go directly to the maintenance screen:

# We have to give the technical name of the Authorization Object
(ZDWKJTEST), then hit the create button:

# The very first step of creating any Authorization Object is to add the
special characteristics as fields for restriction:

# The below 3 characteristics are mandatory for defining any
Authorization Object. If we don't have them, we will get no access to any
InfoProvider. By default this gives us access to all InfoProviders (Full
Access), but we can also set the value of the InfoProvider for which we want
the Authorization Object to work.

# Now I am adding the InfoObject (ZDWSLTER) for which we want to add the
restriction:

# We can double-click on the newly added InfoObject and define the
value which we want to allow for this InfoObject. We can also set the
dynamic value using Customer Exit Code, which we will cover later in this
blog.

Assigning Authorization objects to Users in BI/BW


Assigning Authorization Objects to Users:
# Go to the RSECADMIN screen and click the Assignment button under the
User tab:

Authorizations in SAP NW BI

TOPICS
1. MODELING
Difference between RSSM and RSECADMIN
Step by Step
2. AUTHORIZATION
Reporting User
Developer
General
3. ASSIGNMENT
Generation (rsecadmin)
Role (pfcg)
4. TECHNICAL
Tables
Authority check

1. MODELING
Difference between RSSM and RSECADMIN

RSSM
Old transaction: RSSM
Concept of authorization: 'Reporting Authorization'
Assignment of Reporting authorization:
by PFCG: mass distribution of authorizations using roles,
by RSSM: generation way (use with Business Content and flat file loading)
Full Authorization: SAP_ALL, SAP_NEW
Modeling:
IO marked as Authorization relevant,
RSSM enables flagging the relevant InfoProviders,
RSSM is used to customize the Authorization object,
Authorization variables are used in BEx Query,
PFCG to assign reporting authorization through the Object class: RSR,
Query access managed by objects S_RS_COMP, S_RS_COMP1,
Area Button/Access: S_RS_FOLD,
Authorization for Cube, ODS, Hierarchy and InfoSet managed by: S_RS_ICUBE, S_RS_ODSO, S_RS_HIER, S_RS_ISET.

RSECADMIN
New transaction: RSECADMIN
Concept of authorization: 'Analysis Authorization'
Assignment of Analysis authorization:
by PFCG: mass distribution of authorizations using roles,
by RSECADMIN manual way -> Assignment -> Auth selection -> Insert,
by RSECADMIN: generation way (use with Business Content and flat file loading)
Full Authorization: SAP_ALL, SAP_NEW
0BI_ALL:
Allows full authorization for the authorization-relevant IOs,
Used in the authorization object: S_RS_AUTH,
Report 'RSEC_GENERATE_BI_ALL' for the SAP_ALL user,
Modeling:
IO + Navigation ATTR can be Authorization relevant,
An authorization-relevant IO is authorization relevant for all the cubes in which it is used,
RSECADMIN to define Analysis authorization with special IOs: 0TCAACTVT, 0TCAIPROV, 0TCAVALID,
Authorization variables are used in BEx Query,
PFCG to assign analysis authorization through the object S_RS_AUTH (Object Class: RS),
Query access managed by objects S_RS_COMP, S_RS_COMP1,
Area Button/Access: S_RS_FOLD,
Authorization for Cube and ODS for reporting users is managed by the special authorization characteristic 0TCAIPROV,
S_RS_ICUBE, S_RS_ODSO, S_RS_HIER, S_RS_ISET: are not checked anymore for reporting users,
S_RS_ICUBE, S_RS_ODSO, S_RS_HIER, S_RS_ISET: are used for allowing access to the developer team,
New object to manage access for developer user:
New object authorization for Web Application Designer & Report Designer: S_RS_BTMP, S_RS_BITM, S_RS_ERPT, S_RS_EREL.

Step by Step

0. Pre-requisites
RSECADMIN:
Activate all business content related to authorizations before you get started:
InfoObjects: 0TCA* and 0TCT*
InfoCubes: 0TCA*
Set the following InfoObjects as "authorization relevant":
0TCAACTVT
0TCAIPROV
0TCAVALID
0TCAKYFNM (optional, if key figure restriction needed)
Add 0TCAIFAREA as an external hierarchy characteristic to 0INFOPROV (optional)

1. Set Master data Authorization relevant
RSSM:
RSA1 -> InfoObjects -> Business Explorer Tab -> Flag 'Authorization relevant'
RSECADMIN:
RSA1 -> InfoObjects -> Business Explorer Tab -> Flag 'Authorization relevant'
RSA1 -> InfoObjects -> Attribute Tab -> Flag 'AuthorizRelevant'

2. Create Authorization Object/ Analysis authorization
RSSM:
RSSM -> Enter the name of your Authorization object -> Create -> Put IO Authorization relevant in the selected InfoObjects part -> Save

3. Set Info provider
RSSM:
RSSM -> Select: 'Check for Info Cubes' -> Change -> Flag the related Info Cubes
RSECADMIN:
The authorization-relevant IOs are authorization relevant for all cubes

4. Create BEx variable for authorization
1. Right click on the IO -> choose 'Restrict'
2. Choose 'Selection' = 'Single Value' and 'from Hierarchy' = 'flat list'
If a hierarchy exists, select the hierarchy for the IO
3. Go to the variables tab -> Right click -> 'New variable'
4. For a restriction without hierarchy, the type of variable is 'Characteristic Value', and if you have
chosen a hierarchy, the type of variable is 'Hierarchy node'
5. Select a variable name & a description
6. Choose 'Processing by': = 'Authorization' then check the characteristic and click 'next'
7. Choose the display area for the variable -> Variable represents: = 'Single Value' or 'Selection Option'
8. Choose if the variable entry is Optional or mandatory,
9. Don't select 'Ready for input' and 'Can be changed in query navigation'
10. Next to the end

5. Insert Authorization in Role

6. Assign Authorization/Role to Users

2. AUTHORIZATION
Reporting User: Authorization for End User
S_RS_AUTH:
Insert here the Analysis Authorization you customize in Rsecadmin.
Allow right on IO marked as 'authorization relevant' (Data)
S_RS_COMP : Query Accessibility
Activity: 01 (Create or generate), 02 (Change), 03 (Display), 06
(Delete), 16 (Execute), 22 (Enter, Include, Assign)
InfoArea: '*'
InfoCube: <Selected infoprovider>
Name (ID) of a reporting component: <Selected query>
Type of a reporting component: CKF (Calculated key figure), QVW (Query View),
REP (Query), RKF (Restricted key figure), SOB (Selection object, New object !!!), STR (Template structure),
VAR (Variable)
S_RS_COMP1 : Query for specific users
S_RS_FOLD ( Hide 'Folder' Pushbutton): 'False' or 'True'
S_USER_AGR: Role Name
S_RS_BITM : !!! NEW !!!
S_RS_BTMP : !!! NEW !!!

Developer
S_DEVELOP
S_RO_BCTRA: on the ECC side, to activate (remote) DataSources
S_RS_BC
S_RS_BCS
S_GUI
S_RS_DS: Authorizations for working with the DataSource or its sub-objects (as of
SAP NetWeaver 2004s)
S_RS_ISNEW: Authorizations for working with new InfoSources or their subobjects
(as of SAP NetWeaver 2004s)
S_RS_DTP: Authorizations for working with the data transfer process and its
subobjects
S_RS_TR: Authorizations for working with transformation rules and their subobjects
S_RS_CTT: Authorizations for working with currency translation types
S_RS_UOM: Authorizations for working with quantity conversion types
S_RS_THJT: Authorizations for working with key date derivation types
S_RS_PLENQ: Authorizations for maintaining or displaying the lock settings
S_RS_RST: Authorization object for the RS trace tool
S_RS_PC: Authorizations for working with process chains
S_RS_OHDEST: Open Hub Destination
S_RS_DAS: Authorizations for working with Data Access Services
S_RS_BTMP: Authorizations for working with BEx Web templates
S_RS_BEXTX: Authorizations for the maintenance of BEx texts
Authorization objects for the administration of analysis authorizations
S_RSEC: Authorization for assignment and administration of analysis authorizations
S_RS_AUTH: Authorization object to include analysis authorizations in roles
S_RS_ADMWB: Changed Authorization Objects (Data Warehousing Workbench: Objects)

General
S_RFC: Authorization Check for RFC Access:
Activity 16
Name of RFC to be protected *
Type of RFC object to be protected: FUGR
S_TCODE: Transaction Code Check at Transaction Start
Transaction Code SE37,RRMX, RRMXP
S_GUI: Authorization for GUI activities
Activity 02, 60, 61
S_BDS_DBC-SRV-KPR-BDS: Authorizations for Accessing Documents
Activity 03
BDS: Data element for LOIO cla *

3. ASSIGNMENT
Generation (rsecadmin)
Role (pfcg)

4. TECHNICAL
Tables
RSECVAL : Authorization Value Status,
RSECUSERAUTH : BI AS Authorizations: Assignment of User Auth.

Function Modules:
RSEC_AUTHORITY_CHECK_IPROV
RSEC_AUTH_GET_IOBJ_RELEVANT
RSEC_CHECK_IPROV
RSEC_CHECK_VALIDITY
RSEC_COMPLETE_HIERAUTH
RSEC_GET_AUTH_FOR_USER
RSEC_GET_AUTH_HIER_FOR_USER
RSEC_ASSIGN_AUTHS_TO_USERS
RSEC_GET_ALL_GENERATED_AUTHS
RSEC_READ_ODS_HIER
RSEC_READ_ODS_USER_AUTH
RSEC_READ_ODS_VAL
RSEC_AUTHORIZATIONS_OF_USER
RSEC_GET_AUTH_FOR_USER_RFC

# Now we can assign the created Authorization Object to any user using this
tool.

# Adding the created Authorization Object (ZDWKJTEST) to the user
ZNBITSRTS. I will be using the same user throughout this blog for running
any query so that it uses the restrictions applied by the
Authorization Object.

# We can also assign the authorization to users through a role/profile using
the standard Authorization Object S_RS_AUTH:

# A user with Authorization Object 0BI_ALL has full access to data, and
it overrides any other Authorization Object assigned to that user.

# Query on InfoProvider with Authorization Objects: Below is the test query
in which I added the InfoObject for which we created the test Authorization
Object (ZDWKJTEST).
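
A review check for two points made in these steps (the three mandatory special characteristics, and 0BI_ALL taking precedence over other assignments), added here as an example and not code from the original blog or from SAP. It assumes the authorization definitions and user assignments have already been exported into plain Python dictionaries; ZBROKEN, ZADMIN01 and all field values are constructed.

```python
# Added audit sketch, not SAP code: lint analysis authorizations and user
# assignments that were exported from the system into plain dictionaries.

SPECIAL = ("0TCAACTVT", "0TCAIPROV", "0TCAVALID")  # mandatory per the text


def lint_authorization(name, fields):
    """fields maps characteristic -> list of allowed values ('*' = all)."""
    findings = []
    missing = [c for c in SPECIAL if c not in fields]
    if missing:
        findings.append(f"{name}: missing {missing}, no InfoProvider access")
    if "*" in fields.get("0TCAIPROV", []):
        findings.append(f"{name}: applies to all InfoProviders")
    restricted = [c for c, vals in fields.items()
                  if c not in SPECIAL and "*" not in vals]
    if not missing and not restricted:
        findings.append(f"{name}: restricts no characteristic")
    return findings


def lint_assignments(assignments):
    """assignments maps user -> set of assigned authorization names."""
    findings = []
    for user, auths in sorted(assignments.items()):
        if "0BI_ALL" not in auths:
            continue
        others = sorted(auths - {"0BI_ALL"})
        if others:
            findings.append(f"{user}: 0BI_ALL overrides {others}")
        else:
            findings.append(f"{user}: full data access through 0BI_ALL")
    return findings


def audit(authorizations, assignments):
    """Run both lints and return all findings in a stable order."""
    findings = []
    for name, fields in sorted(authorizations.items()):
        findings += lint_authorization(name, fields)
    return findings + lint_assignments(assignments)


# Constructed sample data. ZDWKJTEST, ZDWSLTER and ZNBITSRTS come from the
# text; ZBROKEN, ZADMIN01 and every field value are made up for the example.
AUTHS = {
    "ZDWKJTEST": {"0TCAACTVT": ["03"], "0TCAIPROV": ["*"],
                  "0TCAVALID": ["*"], "ZDWSLTER": ["T001"]},
    "ZBROKEN": {"0TCAACTVT": ["03"], "ZDWSLTER": ["T001"]},
}
USERS = {"ZNBITSRTS": {"ZDWKJTEST"}, "ZADMIN01": {"ZDWKJTEST", "0BI_ALL"}}

if __name__ == "__main__":
    for line in audit(AUTHS, USERS):
        print(line)
```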

Steps to Transport SAP BI Queries from Development to Quality Server

In this post I present the basic steps to transport SAP BI queries from the development to
the quality server. The steps are performed in the source and target systems, so you need
authorizations to release and import objects.
Source system
Start with transaction RSOR (Transport Connection), insert the initial and target source
system names using the Conversion button (2) and choose the grouping type (3). Select
the queries you would like to transport to the target system and press Execute and then the
Transport objects (truck) button.

Release the change request for transport using transaction SE10. Press Display,
choose the tasks and requests you would like to release and press the button with a single
truck (or F9). When both task and request have been released successfully, start
the transport in the target system.
Target system
To import queries to the quality system start transaction STMS > Import Overview (F5)
> Display Import Queue. On the Import Queue screen select the request and press
Import (truck with a small loading). Choose the target client's number and press Enter.
The queries will be written to the target system.
Standard BEx Transport Request
When the request you have released was set as the Standard BEx Transport Request,
you need to create a new standard request. If there is no standard request, nobody
is able to process queries or workbooks on the system. When you try to do so, you
will receive the error: The query could not be saved due to a problem in
transport. BEx transport request is not available or not suitable.
To create a new request you need to press BEx and then the Assign / Delete button,
add the request and save the choice.

Now all new objects and modifications will be written to the chosen BEx
transport request. For more information on the standard transport request see this
note: 194051.
Additional resource:
Transporting: role and objects.
Authorizations for change and transport: S_TRANSPRT and S_CTS_ADMI

SAP BI 7.0 Authorization concept (analysis authorization)

The new SAP BI 7.0 authorization concept (analysis authorization)
changes a lot in accessing, analyzing and displaying BI information. The
approach allows restricting data access at the key figure, characteristic,
characteristic value, hierarchy node, and InfoCube levels. It enables
more flexible data access management.
Analysis authorization is active by default in SAP BI 7.0 systems, and I think
it is worth spending some time to look closer at the new concepts and
features. In part one of this two-article series, I will show you how you can
restrict access to SAP BW reports at the InfoObject level.

Initial settings
At the beginning, activate the business content objects (TCode RSORBCT) related
to authorizations:
InfoObjects 0TCA*
InfoCubes 0TCA*
and set the following InfoObjects as Authorization-Relevant:
0TCAACTVT (activity such as Display)
0TCAIPROV (InfoProvider authorization)
0TCAVALID (validity period of authorization)
0TCAKYFNM (if you want to restrict access to key figure)
Characteristics authorization
Use TCode RSA1, go to Modelling -> InfoObjects. Display the properties of the
characteristic to which you want to restrict access and set it as
Authorization-Relevant.

Characteristics values authorization

To authorize characteristic values you need to create a new analysis authorization
object through TCode RSECADMIN. The following pictures show how to allow users
to access specific sales organizations (e.g., New York, San Francisco, Dallas).
1. Create a new analysis authorization object using TCode RSECADMIN (e.g.,
Z_SORG_B).

2. Choose the characteristic and press the Details button.

3. Select the sales organizations (e.g., 1612 - New York, 1614 - San Francisco, 1615 - Dallas).
Available operators: EQ - single value, BT - range of values, CP - pattern ending with
(*) (e.g., abc*). You also have the option to Include (I) or Exclude (E) values.

Attributes authorization
To authorize navigational attributes, set them as Authorization-Relevant.

Hierarchies authorization
To grant authorization at the hierarchy level, edit or create an authorization object
(e.g., Z_SORG_B), add the hierarchy and nodes, and choose the type of authorization.

Key figure authorization

To grant authorization for a particular key figure, add the special object 0TCAKYFNM to the
authorization object (e.g., Z_SORG_B), and choose the key figure to be authorized.

Summary
InfoObject-level authorization gives you great flexibility, but keep in mind system
limitations. Avoid setting too many characteristics as authorization relevant
(more than 10 in a query). All marked characteristics are checked for existing
authorization if they are in a query or in an InfoProvider that is being used. Too many
authorization objects may slow query execution. The exception is characteristics
with all (*) authorization.
If you want to check which InfoObjects are authorization relevant in your BI
system, use TCode RSECADMIN -> Authorization Maintenance and display the
0BI_ALL authorization. You will find more about 0BI_ALL in the article on creating
and assigning authorization.
Remember that authorizations do not work as filters do. This means that the user who is
executing a query in which characteristics are authorization relevant must have
sufficient authorization for those characteristics ("all-or-nothing" rule). The exceptions are
hierarchies in the drill-down and variables that depend on authorization.
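
The "all-or-nothing" rule and the EQ/BT/CP operators with Include/Exclude described above, as an added example (a simplified model written for this page, not SAP code or the original author's). It assumes that an Exclude row takes precedence over an Include row; the key "SALESORG" and the master data list are constructed placeholders, while Z_SORG_B and the values 1612, 1614 and 1615 come from the text.

```python
# Simplified model of analysis-authorization value checks (not SAP code).
# A row is (sign, option, low, high): sign I/E, option EQ/BT/CP.

def row_matches(option, low, high, value):
    if option == "EQ":
        return value == low
    if option == "BT":
        return low <= value <= high
    if option == "CP":                      # pattern ending with "*", e.g. abc*
        if not low.endswith("*"):
            raise ValueError("CP pattern must end with '*'")
        return value.startswith(low[:-1])
    raise ValueError(f"unknown option {option!r}")

def value_authorized(rows, value):
    """True if an Include row matches and no Exclude row matches (assumed)."""
    hits = [sign for sign, opt, low, high in rows
            if row_matches(opt, low, high, value)]
    return "I" in hits and "E" not in hits

def has_full_authorization(rows):
    """True for the '*' authorization with nothing excluded."""
    return (any(r[:3] == ("I", "CP", "*") for r in rows)
            and all(r[0] == "I" for r in rows))

def check_query(auth, selection):
    """All-or-nothing check. selection maps each authorization-relevant
    characteristic in the query to a set of requested values, or to None
    when the query does not restrict it (all values requested).
    Returns (granted, reason); nothing is ever silently filtered."""
    for char, requested in selection.items():
        rows = auth.get(char, [])
        if requested is None:
            if not has_full_authorization(rows):
                return False, f"{char}: unrestricted selection needs '*'"
            continue
        missing = sorted(v for v in requested if not value_authorized(rows, v))
        if missing:
            return False, f"{char}: no authorization for {missing}"
    return True, "ok"

def authorization_variable(rows, master_data):
    """Selection a variable processed by 'Authorization' would supply:
    the user's own authorized values, so the check above passes."""
    return {v for v in master_data if value_authorized(rows, v)}

# Constructed sample: Z_SORG_B from the text; "SALESORG" is a placeholder key.
Z_SORG_B = {"SALESORG": [("I", "EQ", "1612", ""), ("I", "EQ", "1614", ""),
                         ("I", "EQ", "1615", "")]}
MASTER_DATA = ["1612", "1613", "1614", "1615", "1700"]   # constructed values

if __name__ == "__main__":
    print(check_query(Z_SORG_B, {"SALESORG": {"1612", "1614"}}))
    print(check_query(Z_SORG_B, {"SALESORG": {"1612", "1700"}}))
    print(check_query(Z_SORG_B, {"SALESORG": None}))
    own = authorization_variable(Z_SORG_B["SALESORG"], MASTER_DATA)
    print(check_query(Z_SORG_B, {"SALESORG": own}))
```

The second call is refused as a whole rather than reduced to 1612, which is the difference from a filter; the last call passes because the selection was derived from the authorization itself.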

BW Security (Authorizations)
The following are some of the relevant SAP BW Security transaction
codes.
Transaction Code: Description
RSA1: Transaction RSA1 is the main transaction for administrative functions in SAP BW (Administrator Workbench)
RSD1: This transaction code can be used to mark objects as relevant for authorization (InfoObject Maintenance)
RSSM: This transaction code can be used to create and modify authorization objects in SAP BW
RSZV: This transaction code is used to create or modify the variables for authorization checks. (Variable Maintenance)
RRMX: Business Explorer is the reporting tool in SAP BW and is used for analyzing data.
GLOBAL_TEMPLATES: Templates for modelling and evaluating data
How to Activate Authorizations in BW:
The following steps explain how to activate authorizations in BW.
1) Mark InfoObject as relevant for authorization tcode => RSD1
2) Create report authorization object tcode => RSSM
3) Select InfoCubes tcode => RSSM
4) Manually integrate authorization object in role tcode => PFCG
5) Change / Maintain authorization values => PFCG
6) Assign role to user tcode => PFCG or via Central User Administration
Hierarchical Authorizations in BW
The following steps describe how to control authorizations for
hierarchies:
1) Transfer and activate InfoObject 0TCTAUTHH tcode => RSD1
2) Mark InfoObject 0TCTAUTHH as relevant for authorization tcode =>
RSD1
3) Mark Leaf InfoObject as relevant for authorization tcode => RSD1
4) Create authorization objects with 0TCTAUTHH and Leaf InfoObject =>
RSSM
5) Define hierarchical authorizations tcode => RSSM
6) Manual integration of authorization object in role tcode => PFCG
7) Maintain authorization values tcode => PFCG
8) Assign role to user tcode => PFCG or via Central User Administration
For extracting structural authorizations from HR (mySAP ERP HCM) and
mapping them in SAP BW to maintain consistency between the two systems, the
tables of interest are:
1) T77PR - for Structural Authorization profiles
2) T77UA - for user assignments
3) T77UU - for users (in this table you can select the users for extraction. You
can either select all or specific users)
Structural Authorizations in SAP BW
The following steps show the way Structural Authorization is enforced in SAP
BW.
The following steps are to be carried out in the mySAP ERP HCM system.
1) Call program RHBAUS02 for uploading Table T77UU and enter users.
2) Call program RHBAUS00 for generating an index for structural
authorization profile
3) Activate Data source 0HR_PA_2.
The following steps are to be carried out in the SAP BW system
1) Replicate Data source 0HR_PA_2
2) Activate ODS InfoProvider 0HR_PA_2
3) Create an InfoPackage to perform an extraction for 0HR_PA_2
4) Load ODS data from mySAP ERP HCM
5) Mark InfoObjects as relevant for authorization (In order to use structural
authorizations in SAP BW, all characteristic values like position,
employee etc. which are relevant to reporting should be marked as
authorization relevant InfoObjects.)
6) Create reporting authorization objects
7) Link authorization objects to InfoCubes
8) Call program RSSB_Generate_Authorizations.
http://wiki.scn.sap.com/wiki/display/BOBJ/Business+Intelligence
