Restricting the Hierarchy node variable values during report execution using Analysis authorization concept in sap BW 7.3
SAP BW 7.3
This paper gives a clear picture about how to use SAP BW Analysis authorization concept to restrict the query variable screen (input) and output based on customer exit hierarchy node variable.
While executing the report, the hierarchy node variable values would be populated or restricted based on the authorizations of the user to the profit centres, executing the report.
These authorization mappings are maintained in the DSO so that if any change in the information can be overwritten and easily maintained in the DSO data.
Analysis Authorization concept is not based on standard authorization concept of SAP but based on BW objects. Any BW object could be marked as authorization relevant, the objects 0TCAIPROV, 0TCAVALID AND 0TCAACTVT are checked default.
0TCAACTVT – to restrict the authorization to activities
0TCAIPROV – to restrict the authorization to Info Providers
0TCAVALID – to restrict the validity of the authorization
1) As we are handling the authorization concept at BW level itself the involvement of Basis team will be eliminated
2) The changes of authorizations to the profit centre hierarchy and hierarchy nodes can be easily handled by making the changes to the flat file data
which we will feed to the DSO in BW.
3) As the authorization check is applied at variable of the specific report the remaining objects and data structures which will use the profit centre will not be affected.
While executing the query, hierarchy node variable values would be populated or restricted based on the authorization of the user who is executing the report. These authorization mappings will be provided over excel sheet.
1) Make 0PROFIT_CTR as Authorization Relevant :-
In the 0PROFIT_CTR info object Business explorer tab we need to select the Authorization Relevant check box
Below are the settings which need to be maintained for creation of customer exit Hierarchy node variable
3) Create Analysis Authorization object using RSECADMIN
We need to create custom analysis authorization object i.e. ZPROTS using RSECADMIN T code.
In RSECADMIN screen we need to press on Individual Maintenance button.
In the next screen we need to give the name of the custom authorization object and press on create button
In the next screen we need to add the required Info objects which needs to be made authorization specific
We need to double click on the each added info object in above screen and specify the detail values for each object like below screen
In above screen I have mentioned hierarchy name which needs to be made authorization specific and also added the name of the customer exit variable for hierarchy node under Technical node name are indetails screen and also specified Type of Authorization Hierarchy, Hierarchy Level and Area of Validity.
After all the above settings the custom analysis authorization object will look like below screen shot.
4) Assigned this Authorization object to the user using RSECADMIN
In the RSECADMIN T code, in User tab we need to select Individual Assignment
In the next screen we need to give the user id and need to press on change button
In the next screen we need select Manual or Generated tab and enter the technical name of the authorization object and press on insert button in order to insert relationship between custom authorization object ZPROTS and particular user ID.
We need to save the settings which we made in above screen using save button at the top.
5) Create standard DSO to store the data which will be read through the customer exit variable when the particular report is executed by the user
ZANA_AUT DSO has been created with the required below fields in the screen shot
Need to create the flat file data source using which we can load the data containing the authorization mappings in excel spread sheet.
I have restricted only 4 hierarchy nodes in the data of DSO with the user id (EXVY101) and 3 hierarchy nodes with different user id (EXMG232) for testing.
When the report is executed with the user id EXVY101 in RSRT as desired we are able to see only those 4 hierarchy node values restricted directly to the hierarchy node variable which we created with the customer exit processing type.