Restricting the Hierarchy node variable values during report execution using Analysis authorization concept in sap BW 7.3
Applies to:
SAP BW 7.3
Summary
This paper gives a clear picture about how to use SAP BW Analysis authorization concept to restrict the query variable screen (input) and output based on customer exit hierarchy node variable.
While executing the report, the hierarchy node variable values would be populated or restricted based on the authorizations of the user to the profit centres, executing the report.
These authorization mappings are maintained in the DSO so that if any change in the information can be overwritten and easily maintained in the DSO data.
Introduction
Analysis Authorization concept is not based on standard authorization concept of SAP but based on BW objects. Any BW object could be marked as authorization relevant, the objects 0TCAIPROV, 0TCAVALID AND 0TCAACTVT are checked default.
0TCAACTVT – to restrict the authorization to activities
0TCAIPROV – to restrict the authorization to Info Providers
0TCAVALID – to restrict the validity of the authorization
Advantages:-
1) As we are handling the authorization concept at BW level itself the involvement of Basis team will be eliminated
2) The changes of authorizations to the profit centre hierarchy and hierarchy nodes can be easily handled by making the changes to the flat file data
which we will feed to the DSO in BW.
3) As the authorization check is applied at variable of the specific report the remaining objects and data structures which will use the profit centre will not be affected.
Business scenario:
While executing the query, hierarchy node variable values would be populated or restricted based on the authorization of the user who is executing the report. These authorization mappings will be provided over excel sheet.
steps:
1) Make 0PROFIT_CTR as Authorization Relevant :-
In the 0PROFIT_CTR info object Business explorer tab we need to select the Authorization Relevant check box
2) Need to create customer exit based hierarchy node variable in the report
Below are the settings which need to be maintained for creation of customer exit Hierarchy node variable
3) Create Analysis Authorization object using RSECADMIN
We need to create custom analysis authorization object i.e. ZPROTS using RSECADMIN T code.
In RSECADMIN screen we need to press on Individual Maintenance button.
In the next screen we need to give the name of the custom authorization object and press on create button
In the next screen we need to add the required Info objects which needs to be made authorization specific
We need to double click on the each added info object in above screen and specify the detail values for each object like below screen
In above screen I have mentioned hierarchy name which needs to be made authorization specific and also added the name of the customer exit variable for hierarchy node under Technical node name are indetails screen and also specified Type of Authorization Hierarchy, Hierarchy Level and Area of Validity.
After all the above settings the custom analysis authorization object will look like below screen shot.
4) Assigned this Authorization object to the user using RSECADMIN
In the RSECADMIN T code, in User tab we need to select Individual Assignment
In the next screen we need to give the user id and need to press on change button
In the next screen we need select Manual or Generated tab and enter the technical name of the authorization object and press on insert button in order to insert relationship between custom authorization object ZPROTS and particular user ID.
We need to save the settings which we made in above screen using save button at the top.
5) Create standard DSO to store the data which will be read through the customer exit variable when the particular report is executed by the user
ZANA_AUT DSO has been created with the required below fields in the screen shot
Need to create the flat file data source using which we can load the data containing the authorization mappings in excel spread sheet.
6) Required code need to be written for this customer exit variable under include ZXRSRU01
Testing Method:-
I have restricted only 4 hierarchy nodes in the data of DSO with the user id (EXVY101) and 3 hierarchy nodes with different user id (EXMG232) for testing.
When the report is executed with the user id EXVY101 in RSRT as desired we are able to see only those 4 hierarchy node values restricted directly to the hierarchy node variable which we created with the customer exit processing type.
Dear kiran very useful document you have posted for BW users
Dear Kiran,
This is very useful information with related screen shots for BW users.
What if the customer has multiple division for same salesorg?
Can we create multiple objects with different nodes or single object with multiple nodes?
We do not have the authorizationrelevant option checked out. Do you have any suggestions to achieve this without the authorization concept. We need to display only the 1st level node informatioin.
Thanks
DR
We have implemented this solution,you can use i step= 0 ,instead of i step=1 in the code above.
This is because i step=0 works on authorization variable and not i step=1.
Thanks,
Amruta.
I have everything worked out but one issue I don't know how to resolve. I am hoping someone here knows how to do it. Is there a way to stop pre-populating the authorized values. Users don't like the long list of values if they are assigned 30 different cost centers
Hi,
How do we pass if the costcenter is compounded? If the costcenter is 100457 and the CO area is 1002 then variable expects the value as 1002/100447. We tried the pass the exact value but we getting an error.
I appreciate your help with this.
Cheer,
S