Skip to Content

SAP NetWeaver 2004s BI Authorizations for Reporting


Recently, I did a webinar on Standard Reporting Authorizations within SAP NetWeaver 2004s BI. See the webinar presentation here: SAP NetWeaver 2004s BI Authorizations for Reporting. There has been lots of discussions about analysis authorizations because it is new, but I don’t want people to forget about their reporting authorizations. In this webinar I discuss how to authorize what reports people can see.

What is covered?

We cover an overview with the types of objects we’re authorizing (queries, workbooks, web templates, formatted reports, etc…). Also discussed is a delta of authorization objects between BW 3.x and SAP NetWeaver 2004s BI. After that, there is a discussion of different implementation scenarios with a specific focus on TCO (total cost of ownership). Then I talk about some personal lessons learned.


Definitely check out this webinar!

You must be Logged on to comment or reply to a post.
  • Hi Prakash,

    I have couple of questions on workbook about switching to design mode.

    1. Is there any way to turn off the design mode only for the casual user?
    2. If the casual users do not have access to change /delete workbook then will they be able to switch to design mode?
    We do not want the casual user to use design items.

    Please let me know your suggestion.


    • This cannot be controlled with authorizations directly. In general, the design toolbar is an "end user" interaction part of excel. If you want, you can disable this toolbar in excel functionality to not display it. Also, you can play with the registry to not show or allow this, but that isn't recommended or supported.
  • One recent question concerning migration of authorizations of a customer was the following: He has infoobject A in two infocubes. Infoobject A is authorization relevant. This infoobject is contained in two infocubes (as characteristic). For the first infocube authorization for infoobject A shall be checked, for the second infocube not.

    How can this situation be implemented with the new analysis authorization. The binding of infoobject to infocubes, as it was realized up to now, does not exist anymore.

    Could it help, if the two infocubes contain a second infoobject B, whose value distinguishes the cubes? I.e. can I give authorizations for combinations of infoobject A and B in the following way: (A,B)=(a,x) is allowed, but (A,B)=(a,y) is not allowed.


    • The special characteristic 0TCAIPROV should be added to the analysis authorization to specify the cube that this authorization is relevant for.

      For cube 2, if you want to grant authorization, you can have another analysis authorization with value=* for that object and cube to grant authorization to it.

      You are never restricting authorizations. You are only granting authorizations.

  • Hi Prakash,

    Within the IMG there is a switch where you can decide whether to choose the old concept of RSR-authorization objects or the new concept of analyis authorizations.

    Questions: 1) Is this an either-or decision? As far as I understood, no mixed mode is supported?
    2) What is the recommendation, if migration takes some time? First migrate and then switch to the new concept?
    3) What exactly is meant in the documentation, when it is said, that in exceptional cases you may switch back to the old concept? Concerning question 1) you cannot only switch back for one special authorization object, but you have to switch back for your whole concept? Is this correct?

    Thank you + regards,

    • 1. This is either or...
      2. Yes, first migrate, then switch to the new concept. Both objects can be available (3.x auth and 04s auth), but only one set of auth can be checked at any time.
      3. You have to switch back for the whole thing, not for one object. As stated, it is either/or...
      • Hi Prakash,
        I am a bit confused with the new analysis authorization in BI, can you mail me any document that gives the step by step procedure in creating / generating authorisation profiles to my email id

        Regards and Thanks in advance
        P venkata Devaraj

    • Hi Prakash,
      We have a situation in our project that we want to stay on old authorization concept but want to roll-out New BEx analyser from NetWeaver2004S. Can they co-exist .... can get the grasp of if i stay on old authorization model, what are the problems on migrated stuff and what i cannot use from new 2004S BI.
      • SAP only supports the new tools based on the new auth concept. Technically, the old concept may and probably will work, but you would be outside of the realm of SAP support.
  • Hello Prakash,

    I just stumbled upon your blog entry concerning SAP NetWeaver 2004s BI Authorizations for Reporting as I was searching for a solution to my current problem. This is going to be a bit lengthy, but I hope you will be able to help me.

    We currently use a SAP Neweaver 2004 BW system with BI 3.5 in combination with a SAP ERP 4.7 (Enterprise) system landscape (with WebAS 6.20) which is currently undergoing an update to SAP NetWeaver 2004s and ECC 6.0.

    Our controlling department wants a costcenter reporing to be set up in the BW system and we want  only the costcenter responsible persons and their backups to have access to the data of their costcenters. The "0COSTCENTER" info-object has already been activated as authorization relevant  and I also defined two custom authorization objects in RSSM and added them into a normal authorization role in PFCG (one with 0COSTCENTER and 0CO_AREA, the other one with addtion of 0TCTAUTHH).

    With the costcenters and the costcenter hierarchy - which are maintained by the controlling department in the ERP system and automatically imported into the BW system - changing relatively often creating several roles for different costcenters and assigning these to the users is far from being practical. So I wanted to use a variable in the value field within the custom costcenter authorization object.

    From the online documentation I got the impression that you could use a variable like "$VARCOST" and then add some coding to the custom part of the standard exit "EXIT_SAPLRRS0_001" (namely the include "ZXRSRU01"). I did that and used a self-defined function to get the allowed costcenter values for the current user from a table within the relevant data cube. Basically it is only a simple selection as our costcenter data already contains valid user names as the responsible persons.

    The exit function seems to work properly so far, but when I call up a costcenter test query with my test user, BEx always returns an error message saying that the user does not have the necessary authorizations for my custom authorization object. I am not sure if I set this up correctly - so far I only returned the costcenter values from the selection to the standard export parameters/tables of the exit funktion "EXIT_SAPLRRS0_001".

    Do I also have to fill the variable "$VARCOST" with the same values? If so, how do I do this correctly? The costcenter data always contains the costcenter value in combination with the controlling area (CO_AREA) value, but the COSTCENTER field in the authorization object will only accept the costcenter value, thus skipping the CO_AREA value.

    Can you offer any more insight on this? I guess the mechanic should also work in a NetWeaver 2004s/BI 7.x system, although the custom authorization objects will be maintained differently. Or does this work differently there?

    Kind regards,

    Markus Dieterle

    • Hey Markus,

      I wouldn't be able to offer too much more insight without looking at this more closely. Sounds like things are good. Are you using the new analysis auth or do you still have things flagged as BW 3.5 auth in this system. You won't need RSSM if you're using the new auth. Can you clarify this?

  • Hi Prakash,
    We have a requirement in our projects as below:
    1. There are two differenet fileds Created by and Chnaged by.
    2. At any point of time the values in both the fields might not be teh same
    3. Our current authorization is based on created by: meaning our BW users if they are created by can see the transactions
    4. We need another authorization: where even if the user not cretaed by but if he is changed by can see the transactions.
    How can we achieve this?
    • Hey Thejo,

      This article is on BI Query authorizations, not transcations authorizations. Please post your questions on the SDN forums if they are unrelated to this topic.


  • Hi Prakash,

    i have the following issue to solve in my project. We have a couple of queries w/ a couple of characteristics of course. We need an authorization for a user, that lets the user see records in a query with only certain char. values.  But there is another query which we have to authorize for the same user for the same characteristic but for diff. char. values. Say, there is a ‘Q1’ and a ‘Q2’ query. Q1 and Q2 includes the same, ‘C’ characteristic. Char. values for C are: ‘C1’, ‘C2’, ..., ‘C10’. User ‘A’ may see in Q1 only records with char. values C1, C2, C3; and the Q2 w/ char. values C5, C6, C7…
    How should I do it with the old/new/mixed authorization concept?

    Thank you for the answer in advance!