Sunteți pe pagina 1din 18

BI 7.0 Reporting Authorization Based on Characteristic Value Level

Reporting Authorization Based on Characteristic Value Level Applies to: SAP Business Intelligence (BW) 7.0.For more

Applies to:

SAP Business Intelligence (BW) 7.0.For more details, visit the EDW homepage.

Summary

This document will explain the steps to create Info object (characteristic value) level authorization for a reporting user in SAP BI 7.0

Author: Avinash Verma

Company: L&T Infotech

Created on: 09 February 2011

Author Bio

L&T Infotech Created on: 09 February 2011 Author Bio Avinash Verma is a SAP BI Consultant

Avinash Verma is a SAP BI Consultant currently working in Larsen & Toubro Infotech Ltd. He has involved in implementation and development of various BI/BW projects.

SAP COMMUNITY NETWORK

SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com

BI 7.0 Reporting Authorization Based on Characteristic Value Level

Table of Contents

Introduction

3

Business Scenario

3

Transactions used

3

Info Object Maintenance for Authorization

3

Management of Analysis Authorization

4

Step

1:

4

Step

2:

4

Step

3:

5

User Assignment for Analysis Authorizations

7

Assign Authorization to User through Role/Profiles

8

Step

1:

8

Step

2:

8

Step

3:

9

Query on InfoProvider with Authorization Objects

11

Step

1:

11

Step

2:

11

Step

3:

14

Related Content

17

Disclaimer and Liability Notice

18

SAP COMMUNITY NETWORK

SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com

BI 7.0 Reporting Authorization Based on Characteristic Value Level

Introduction

SAP BI Authorization/security is an integral part of any BI implementation. Integrating all the data coming from various source systems and providing the data access based on the user‟s role is one of the important part of all the BI Projects.

Security of SAP R/3-ECC systems are based on the activities e.g. transaction level, particular activity level etc. while SAP BI Authorization/security is focused on what data user can access.

Authorization in BI is categorized by major 2 categories:

Administrative Users The way we maintain security for administrative users is same as SAP R/3-ECC security but we have additional authorization objects in system which are defined only for BI objects.

Reporting Users Analysis Authorization using transaction RSECADMIN, to maintain authorizations for reporting users.

Business Scenario

There are 5 company codes and we are going to restrict BI reporting user (USER1) to access data of only 2 company codes out of 5. And Company code is also not a part of user input selection parameter in report. In this eg.1000 and 2000 are the Company codes of the user USER1 for which we are going to give access. So whenever the user USER1 executes the report, he will only be able to see the data relevant to Company codes 1000 and 2000 in the report.

Transactions used

RSD1 - To maintain info object authorization relevant.

PFCG To maintain roles.

RSECADMIN To maintain analysis authorization and role assignment to user.

Info Object Maintenance for Authorization

to user. Info Object Maintenance for Authorization Use RSD1 transaction to maintain infoobject. Mark the

Use RSD1 transaction to maintain infoobject. Mark the Infoobject Authorization Relevant and activate it. In this case Infoobject company code is used and authorization relevant field is checked.

SAP COMMUNITY NETWORK

SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com

BI 7.0 Reporting Authorization Based on Characteristic Value Level

Management of Analysis Authorization

For accessing Authorization tool, RSECADMIN transaction is used.

Step 1:

T-Code RSECADMIN -> Authorizations tab-> Maint. (Maintenance)

Create Authorization object. e.g. ZAUTH_COMP

(Maintenance) Create Authorization object. e.g. ZAUTH_COMP Step 2: Maintain Authorization object, first step of

Step 2:

Maintain Authorization object, first step of creating any Authorization Object is to add the 3 special characteristics as field for restriction.

add the 3 special characteristics as field for restriction. SAP COMMUNITY NETWORK SDN - sdn.sap.com |

SAP COMMUNITY NETWORK

SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com

BI 7.0 Reporting Authorization Based on Characteristic Value Level

These 3 special characteristics are mandatory while creating authorization object.

0TCAACTVT: This characteristic handles the general activity like create, change, display etc.

0TCAVALID: This characteristic handles the authorization for InfoProviders, by default it gives access to all the InfoProviders i.e. full access. We can restrict authorizations for particular InfoProviders using this characteristic.

0TCAVALID: This characteristic handles the validity of an authorization. Always valid (*) is set as the default for validity. You can restrict this validity. You can also specify a single value or an interval.

These special characteristics must be included in at least one authorization for a user; otherwise the user is not authorized to execute a query.

Step 3:

Add InfoObject to authorization structure and maintain value authorization for this infoObject as per requirement.

e.g. 0COMP_CODE (Company code) is inserted into authorization structure.

(Company code) is inserted into authorization structure. Note: Also include all Authorization Relevant Objects which

Note: Also include all Authorization Relevant Objects which are used in that infoProvider in addition to the above additional 3 objects otherwise you may get "No Authorization" error when you execute the query.

SAP COMMUNITY NETWORK

SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com

BI 7.0 Reporting Authorization Based on Characteristic Value Level

Double click on the 0COMP_CODE to maintain value authorizations, as per Business scenario Company code 1000 and 2000 has been added to value authorization and „Save‟ this authorization. Here we are using operator „EQ‟ for single value authorization

You can authorize single values, intervals, simple patterns, variables, and hierarchy nodes.

Hierarchy Nodes authorization are maintained in the tab „Hierarchy Authorizations‟

are maintained in the tab „Hierarchy Authorizations‟ SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX -

SAP COMMUNITY NETWORK

SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com

BI 7.0 Reporting Authorization Based on Characteristic Value Level

User Assignment for Analysis Authorizations

For User assignment go to T-Code RSECADMIN, User Tab and click on Assign button.

to T-Code RSECADMIN, User Tab and click on Assign button. Enter User Name and click on

Enter User Name and click on change button, select relevant Authorization object and save it.

button, select relevant Authorization object and save it. SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX
button, select relevant Authorization object and save it. SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX

SAP COMMUNITY NETWORK

SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com

BI 7.0 Reporting Authorization Based on Characteristic Value Level

Assign Authorization to User through Role/Profiles

We can also assign the authorization to users through role/profile using the standard Authorization Object S_RS_AUTH.

Step 1:

Go to T- Code PFCG for Role maintenance or T-Code RSECADMIN -> User tab-> click Role Maintenance button, create role using “create single role button”

E.g. we have created ZCOMPAUTH_ROLE Role for company code authorization.

created ZCOMPAUTH_ROLE Role for company code authorization. Step 2: Click on “Change Authorization Data” under

Step 2:

Click on “Change Authorization Data” under Authorization Tab. Insert essential Authorization Objects related to Query, Save and Generate profile.

Objects related to Query, Save and Generate profile. In this scenario we are including Authorization objects

In this scenario we are including Authorization objects related to query. Authorization objects used are as follows:

S_RFC: (Authorization Check for RFC Access) requires for execution of query in Analyzer.

S_RS_AUTH: (BI Analysis Authorizations in Role) Analysis Authorizations objects can be added. E.g. ZAUTH_COMP

S_RS_COMP: (Business Explorer - Components), used for reporting relevant components.

S_RS_COMP1 (Business Explorer - Components: Enhancements to the Owner) used for reporting relevant components.

SAP COMMUNITY NETWORK

SDN - sdn.sap.com | BPX - bpx.sap.com |

BOC - boc.sap.com | UAC - uac.sap.com

BI 7.0 Reporting Authorization Based on Characteristic Value Level

Reporting Authorization Based on Characteristic Value Level Step 3: Add user ID under User Tab to

Step 3:

Add user ID under User Tab to assign Role to the User, use User comparison to compare the user master record.

e.g. ZCOMPAUTH_ROLE role has been assigned to User „USER1‟.

ZCOMPAUTH_ROLE role has been assigned to User „USER1‟. SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX

SAP COMMUNITY NETWORK

SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com

BI 7.0 Reporting Authorization Based on Characteristic Value Level

Reporting Authorization Based on Characteristic Value Level Note: 1.User with Authorization Object 0BI_ALL is having

Note: 1.User with Authorization Object 0BI_ALL is having full access to data, and can overwrite any other Authorization Objects assignment to it. 2. Authorizations can be assigned to User either through Analysis authorization (Manual or Generated)or through Roles/ Profile (Role-Based).

SAP COMMUNITY NETWORK

SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com

BI 7.0 Reporting Authorization Based on Characteristic Value Level

Query on InfoProvider with Authorization Objects

Step 1:

Create a query on Infoprovider where infoObject 0COMP_CODE is added for which we have created Authorization object. (ZAUTH_COMP)

for which we have created Authorization object. (ZAUTH_COMP) Step 2: Execute the query with the same

Step 2:

Execute the query with the same User ID (USER1) for which we have assigned the Authorization Object (ZAUTH_COMP)

which we have assigned the Authorization Object (ZAUTH_COMP) SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX

SAP COMMUNITY NETWORK

SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com

BI 7.0 Reporting Authorization Based on Characteristic Value Level

Execution error shows No Authorization.

Value Level Execution error shows No Authorization. We can check error log using T-code RSECADMIN ->

We can check error log using T-code RSECADMIN -> Analysis Tab -> Execution as other User button

-> Analysis Tab -> Execution as other User button SAP COMMUNITY NETWORK SDN - sdn.sap.com |

SAP COMMUNITY NETWORK

SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com

BI 7.0 Reporting Authorization Based on Characteristic Value Level

Execute same query with logs, then come back to the page shown in above image i.e. RSECADMIN -> Analysis Tab-> Error logs button and display logs.

Analysis Tab-> Error logs button and display logs. Check for latest Error log available. Here, log

Check for latest Error log available. Here, log shows no any authorization related content present in query for 0COMP_CODE = 1000 and 2000.

content present in query for 0COMP_CODE = 1000 and 2000. SAP COMMUNITY NETWORK SDN - sdn.sap.com

SAP COMMUNITY NETWORK

SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com

BI 7.0 Reporting Authorization Based on Characteristic Value Level

Step 3:

Create Authorization Variable in Query Designer

Create an Authorization Variable - Variable with Processing by Authorization in Query Designer for 0COMP_CODE, which is used in Authorization object.

for 0COMP_CODE, which is used in Authorization object. In this scenario more than 1 company codes

In this scenario more than 1 company codes are used(2 Company code), so keep base setting details as multiple single values as shown in below image.

details as multiple single values as shown in below image. SAP COMMUNITY NETWORK SDN - sdn.sap.com

SAP COMMUNITY NETWORK

SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com

BI 7.0 Reporting Authorization Based on Characteristic Value Level

Save and execute query, company code 1000 and 2000 are automatically entered into variable screen for query and execution will be succeed.

variable screen for query and execution will be succeed. Query output showing data only for 2
variable screen for query and execution will be succeed. Query output showing data only for 2

Query output showing data only for 2 company codes i.e. 1000 and 2000; let‟s check this query for company code except 1000 and 2000.

check this query for company code except 1000 and 2000. Output shows error – No Authorization.

Output shows error No Authorization.

1000 and 2000. Output shows error – No Authorization. SAP COMMUNITY NETWORK SDN - sdn.sap.com |

SAP COMMUNITY NETWORK

SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com

BI 7.0 Reporting Authorization Based on Characteristic Value Level

But, in this Business scenario, Company code should not be a part of user input selection variable, it means output of query should directly display the data for company code on which User has access authorization.

for company code on which User has access authorization. Click on checkbox, save and execute query
for company code on which User has access authorization. Click on checkbox, save and execute query

Click on

checkbox, save and execute query with the same user ID i.e. USER1, this time output of query will not prompt for user input variable, it will directly show the data for authorized company code (1000 and 2000).

to edit authorization variable, in detail tab, uncheck the “Variable value can be entered by user”

tab, uncheck the “Variable value can be entered by user” SAP COMMUNITY NETWORK SDN - sdn.sap.com

SAP COMMUNITY NETWORK

SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com

BI 7.0 Reporting Authorization Based on Characteristic Value Level

Related Content

SAP COMMUNITY NETWORK

SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com

BI 7.0 Reporting Authorization Based on Characteristic Value Level

Disclaimer and Liability Notice

This document may discuss sample coding or other information that does not include SAP official interfaces and therefore is not supported by SAP. Changes made based on this information are not supported and can be overwritten during an upgrade.

SAP will not be held liable for any damages caused by using or misusing the information, code or methods suggested in this document, and anyone using these methods does so at his/her own risk.

SAP offers no guarantees and assumes no responsibility or liability of any type with respect to the content of this technical article or code sample, including any liability resulting from incompatibility between the content within this document and the materials and services offered by SAP. You agree that you will not hold, or seek to hold, SAP responsible or liable with respect to the content of this document.

SAP COMMUNITY NETWORK

SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com | UAC - uac.sap.com