Skip to Content

How to restrict users with Query Access

I have seen many scenarios where you were asked to restrict access for queries. Okay we will take a scenario where user should be able to Change /Delete/Display or execute his queries but he need to be restricted with just Display/Execute access to other’s queries.

Well, how will you handle the scenario?

First and foremost you should know the authorization objects for Query Components to restrict the access. Below two are the Authorization objects for Query components

1. S_RS_COMP–Business Explorer – Components

2. S_RS_COMP1–Business Explorer – Components: Enhancements to the Owner

Let the user know the naming convention for his Queries should start with C*(you can use some unique naming conventions as well).

Now, create a new role in PFCG and go to Authorization Tab and Click on Display Authorization Data.


Add the authorization objects S_RS_COMP and S_RS_COMP1 from and make the Activity as Display/Execute and Name (ID) of a reporting component as * which gives Display/Execute authorization for all queries as below and generate the profile(Red and White Circle Icon).


Technical names of the Authorizations can be seen from Utilities section from Menu bar.


Create another role in PFCG and add the authorization objects S_RS_COMP and S_RS_COMP1 and make the Activity as * and Name (ID) of a reporting component as C* which gives all authorizations for queries starting with C as below.


Assign these Roles to the user.

Suppose if another role which has Query component Authorizations for changing all the Queries i.e. Activity as * and Name of a Reporting Component as *, then all our work is waste as obviously this will overwrite our Display/Execute authorizations. So, make sure apart from these two roles other roles should not have Query component Authorizations.

Now the user can only Change his Queries but still he can Execute or Display other’s Queries.

1 Comment
You must be Logged on to comment or reply to a post.
  • I know that is one of the things we eventually are going to have to lock down a little bit more.  I do know we have some GMP queries that are locked down.

    Another way to do it - the quickest for us was to restrict access via the infoset.  SQ02 for the infoset and SQ03 for the user group. 

    However, the way you have described is more like what we do for a normal security role.  The challenge would be keeping the naming convention the same when our business users can build their own query.

    Nice alternative!