Authorization BI Reporting : Characteristic Selection Based (Authorization Relevant)
In any BW Implementation Authorizations and Roles play an important and integral role. The USERS using the system are of various levels: like Super Users, Developer User, Business User etc.
All this is maintained by means of various SAP Authorization techniques and implemented by Security team.
There are broadly two types of authorizations:
- Standard Authorizations
- Analysis Authorizations
Standard authorizations are required by all users that
- work in the Data Warehousing Workbench
- work in the Business Explorer
- work in the planning workbench
- work with the analysis process designer and the Data Mining Workbench.
Analysis Authorizations: Wherever and whenever an authorization is required based on any Authorization Relevant Characteristic or any Authorization Relevant Navigational Attribute, this type of analysis concept is used. This is not supported by SAP Standard Authorizations concept. A prerequisite as obvious with the arguments here would be presence of such Authorization Relevant Characteristics or Navigational Attributes (or Creation of such).
The Authorizations for Analysis Authorizations can be created in transaction code RSECADMIN . The same can also be used to role assignment of users.
In Maintain tab of RSECADMIN one needs to add all the created Authorization Relevant Attributes. (Please note that single such created Analysis Authorization can be used for all the Authorization relevant Objects for one development/report or multiple can also be used,).
One important thing while creation is to add 3 mandatory objects in maintenance screen along-with these objects. These are:
- 0TCAACTVT: This characteristic is to handle general activity like create, change, display
- 0TCAVALID: This handles the authorization for InfoProviders and by default it gives access to all the InfoProviders i.e. full access. Restricted authorizations for particular InfoProviders can be provided using this characteristic.
- 0TCAVALID: This is to take care of validity of an authorization. Always valid (*) is set as the
default for validity.
For first time use, maybe one might need to activate the above mentioned three objects from BI Content.
Also, it is important that the user is for sure assigned all these three objects via roles or authorization objects because if even a single is missing, user will not be able to see data in queries.
These added characteristics and the special three objects mentioned above are referred as dimensions of created analysis object.
These individual characteristics when double clicked provide options to put individual (I) values as authorization individual values or Range (BT) or comparative values (< or >). Characteristic 0TCAKYFNM is the special characteristic for key figure authorizations and this is used when any Key figure is used as Authorization relevant (in addition to the three special mentioned above).
Following are the basic steps in creating Authorization objects:
1. Go To Transaction RSECADMIN –> Authorization Tab
2. Press Maintain button and give it a name (e.g. Z_Account_Auth) and press Create.
3. Fill in text descriptions for this object
4. Insert special characteristics: 0TCAACTVT, 0TCAIPROV, and 0TCAVALID
5. Insert all other required authorization relevant characteristics and navigational attributes etc.
6. Press Details button to restrict values and hierarchy authorization of inserted items.
7. Save the authorization.
Now, once you are done with creation of authorization object e.g. Z_Account_Auth in our example above (remember, all customer area authorization objects start with Z or Y). You are free to select either of the two approaches for granting authorization:
A. Directly Assigning an Authorization to a User
Go back again to transaction RSECADMIN–> User tab and click on Assign button. Here put the user name of desired user and click on Change button. Here again in next screen you can one-by-one insert all the created Authorization object names (e.g. Z_Account_Auth in our example) or select hierarchy node created for authorization relevance. Save and done. Transport it to desired system in landscape to have results visible to these users.
B. Assigning an Authorization Using Profiles
The created authorization can also be assigned to user using standard authorization object S_RS_AUTH. This can be done by simply adding this to S_RS_AUTH. object in PFCG Authorization tab. the entries for this S_RS_AUTH. authorization object is individual Analysis Authorization objects name. (e.g. Z_Account_Auth in our example).
In a release of development a combination of both approach or either of them can be used. One can also directly assign the created Authorization object to any role and then assign users to this role.