How to Implement & Maintain Mass Authorization in SAP BW/BI
Applies to:
SAP BW 3.5. For more information, visit the EDW homepage. The solutions below can also be implemented in SAP BI 7.
Summary
This article explains how to implement and maintain mass authorizations in a BW system.
Author(s): Asish Kumar Sahu, Sharad Nadkarni
Company: Accenture Services Pvt. Ltd.
Author Bio
Asish and Sharad work as SAP BI consultants with Accenture. Their skill set includes SAP Business Intelligence, ABAP and Business Objects.
Business Scenario
This article explains how to implement and configure mass authorization in BW. The company needs to limit access to employee information based on entity responsibility: responsible managers/users can view information for their assigned entity nodes and the subordinate entity nodes. Each employee (SAP user ID) belongs to an organization under a hierarchical entity structure, as depicted in the following sample diagram. It illustrates the person responsible (the respective user) for Hierarchy Node 1, who is allowed to view all entity nodes belonging to Hierarchy Node 1 and the employee records under it. The customer also wants to be able to control authorization at hierarchy node level.
Entity node assignments change from time to time. Currently, BW Incorporated maintains this authorization data in various tables (in our case, flat files). Maintaining this ever-changing information a second time in the BW environment would be very time-consuming, so the customer wishes to reuse what has already been set up. You have heard about the new BW authorization profile generator function and you want to set up a regularly scheduled refresh process that brings your flat-file authorization data (SAP user ID and entity nodes) into the BW environment on a periodic basis (in this article, daily).
Advantages
- Security is well maintained.
- Developer effort is reduced by having a single role for all users in an application.
- Maintenance is easy and future enhancements can be made.
- Performance can be tuned through optimized ABAP code.
Background Scenario
This article explains how to implement mass authorization in a BW system. Every day, the entity nodes (hierarchy nodes) assigned to users, along with their SAP user IDs, change. These details (SAP user ID, authorized entity nodes) are stored by users in different flat files on a local server.
Because the entity nodes change according to user requirements for various reasons (for example, movement across regions, managerial access, super-user access), it is difficult to maintain BW authorizations manually on a regular or daily basis. In this scenario more than 15,000 users access one global report based on an authorization-relevant object, the entity hierarchy node.
Prerequisites
You have to transfer the DataStore objects 0TCA_DS01 and 0TCA_DS02 from BI Content and install them in your BW system. These DataStore objects should be copied for each application for which you want a complete data load.
Note the naming convention with the digits 1 to 5 at the end.
You need sufficient authorization for generation activities such as deleting, changing and generating analysis authorizations and changing user assignments (authorization object R_SEC), along with any other activities for creating or changing system users using NetWeaver authorization objects for user maintenance.
The DataStore objects for generating authorizations have an analogous structure to the authorizations and contain the following authorization values:
● Authorization data (values) (0TCA_DS01)
● Authorization data (hierarchy) (0TCA_DS02)
● Description texts for authorizations (0TCA_DS03)
● Assignment of authorization users (0TCA_DS04)
● Generation of users for authorizations (0TCA_DS05)
The actual data to be used in the generated authorizations can be found in the two template DataStore objects 0TCA_DS01 and 0TCA_DS02.
In this scenario we copied the DSOs above and created our own DSOs (A21_DS01, A21_DS02).
The Step By Step Solution
1. Create an authorization-relevant InfoObject. In our scenario we used the InfoObject A0ENTITY, which has a time-dependent hierarchy.
2. As mentioned earlier, a large number of users (above 14000) access the global report, which is based on Entity hierarchy authorization that varies from year to year (depending on user requirements).
Expert users update the flat files that store the relevant SAP user IDs and the entity nodes assigned to them, which change frequently.
In this scenario we used the file A21_DS01_P. The screenshot below shows the file, which contains the SAP user IDs and assigned entity nodes for all users/employees.
3. Create the authorization object through transaction “RSSM” -> enter the authorization object name (ZA2AUTH1) -> click Create -> provide the description -> highlight the InfoObjects in the right pane of the screen -> use the left arrow to move them to the left.
Note – 0TCTAUTHH is mandatory for hierarchy authorizations.
4. Switch the reporting authorization object (ZA2AUTH1) on for the MultiProvider (A2M001), since our global report is based on this MultiProvider.
5. Generate Authorization Profiles
To generate the authorization profiles, execute transaction “RSSM” -> Authorization -> click Generate Authorization -> click Change Authorization -> check your DSOs (A21_DS01, A21_DS02) -> push Generate Authorization.
After generating the authorizations for user ID TESTID1, we can observe that the entity node access listed for this user ID in the file A21_DS01_P.CSV (ROOT, N003 and N0108) has been generated, as shown in the screenshot below.
A21_DS01_P.CSV File for User ID – TESTID1:
6. You can verify the result by checking one of the user master records via transaction SU01 -> Profiles -> Generated Profile.
7. Users maintain and update the files on the local server, and a program transfers these files (A21_DS01_P) from the local server to the BW application server on a daily basis.
8. We have created a process chain to automate this activity and generate the profiles on a daily basis. In this process the profiles of all users are deleted every day and regenerated through FM RSSB_AUTH_GEN_FROM_INFOPROV.
9. In the report's input selection, Entity is the hierarchy node from which users can select the required entity nodes according to their authorizations and the entity nodes maintained in the A21_DS01_P.CSV file.
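Because step 8 deletes and regenerates every profile from the flat file each day, the file's content decides who can see which entity nodes. The following added example (not part of the original article) compares a new file with the previous day's before the process chain runs; the two-column `user;node` layout, the sample rows, the 12-character upper-case user ID rule and the 20% threshold are assumptions.

```python
import csv
import io

# Constructed samples. The real A21_DS01_P layout is only shown as a
# screenshot in the article, so "SAP user ID;entity node" is an assumption.
YESTERDAY = "TESTID1;ROOT\nTESTID1;N003\nTESTID1;N0108\nTESTID2;N003\n"
TODAY = ("TESTID1;ROOT\nTESTID1;N003\nTESTID1;N0108\n"
         "TESTID2;ROOT\ntestid3;N003\nTESTID4\n")


def load(text):
    """Return ({user: {nodes}}, [line numbers of rejected rows])."""
    grants, rejected = {}, []
    reader = csv.reader(io.StringIO(text), delimiter=";")
    for lineno, row in enumerate(reader, 1):
        row = [cell.strip() for cell in row]
        # Accept only complete user;node rows with an upper-case user ID
        # of at most 12 characters (assumed policy for this example).
        ok = (len(row) == 2 and all(row)
              and row[0] == row[0].upper() and len(row[0]) <= 12)
        if not ok:
            rejected.append(lineno)
            continue
        grants.setdefault(row[0], set()).add(row[1])
    return grants, rejected


def review(old_text, new_text, top_node="ROOT", max_removed_ratio=0.2):
    """List findings that should block the daily profile regeneration."""
    old, _ = load(old_text)
    new, rejected = load(new_text)
    findings = [f"line {n}: malformed row" for n in rejected]
    # A new grant on the top hierarchy node exposes every subordinate node.
    for user in sorted(new):
        if top_node in new[user] - old.get(user, set()):
            findings.append(f"{user}: new {top_node} grant")
    # Profiles are deleted before regeneration, so a truncated file
    # silently removes access for every user it no longer lists.
    removed = set(old) - set(new)
    if old and len(removed) / len(old) > max_removed_ratio:
        findings.append(f"{len(removed)} of {len(old)} users lost all access")
    return findings


if __name__ == "__main__":
    for finding in review(YESTERDAY, TODAY):
        print(finding)
```

An empty result from `review` means the file can be handed to the transfer program; any finding should hold the process chain until the file owner confirms the change.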
Appendix
ABAP code used to generate the Profiles in Process Chain
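report za2_auth_generate.

type-pools: rs.

* Table and work area naming the DataStore objects to generate from.
data: l_infoprov type rssbr_t_infoprov_auth,
      i_infoprov type rssbr_s_infoprov_auth.

* Names of the copied template DataStore objects (digits 1 to 5).
parameters: au21 type rsinfoprov default '',
            au22 type rsinfoprov default '',
            au23 type rsinfoprov default '',
            au24 type rsinfoprov default '',
            au25 type rsinfoprov default ''.

* Run the generation only if at least one DataStore object was supplied.
if au21 <> space or
   au22 <> space or
   au23 <> space or
   au24 <> space or
   au25 <> space.

  clear l_infoprov. refresh l_infoprov.

* Only the value (au21) and hierarchy (au22) DataStore objects are passed on;
* au23 to au25 are not used further in this listing.
  i_infoprov-value     = au21.
  i_infoprov-hierarchy = au22.
  insert i_infoprov into table l_infoprov.

* Generate the authorizations from the DataStore objects listed above.
  call function 'RSSB_AUTH_GEN_FROM_INFOPROV'
    exporting
      i_t_infoprov_auth      = l_infoprov
      i_appl_log_initialized = rs_c_false
      i_display_log          = ' '
      i_detlevel             = '1'
      i_packagesize          = 10000.

  message 'Authorization 2 generated' type 'I'.
endif.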
Related Content
http://help.sap.com/saphelp_nw70/helpdata/en/59/fd8b41b5b3b45fe10000000a1550b0/frameset.htm
http://help.sap.com/saphelp_nw70/helpdata/en/46/8bbe3b38fc429ee10000000a1553f7/frameset.htm
http://help.sap.com/bp_bw370/documentation/Authorization_BW_Proj.pdf