Hi All,

These days, there are a lot of projects happening in the BW-BO integration space. Data-level security plays a crucial role on both the BW and the BO side. Here I am trying to show how exactly an Analysis Authorization (hereafter referred to as AA) works in BW and how it is further leveraged on the BO side.

Part 1 covers the step by step activities to be done at the BW side.

Part 2 covers the step by step activities to be done at the BO side (http://scn.sap.com/docs/DOC-47671).

Applies to:

SAP NetWeaver Business Warehouse (formerly BI).

Author:      Prabhith Prabhakaran

Company: Capgemini India Private Limited

Author Bio:

Prabhith is a Senior SAP BW-BOBJ Consultant with more than six years of experience and is currently working with Capgemini Consulting, India.

His area of expertise includes BW, BODS, BOBJ and HANA.

Other popular articles from the same Author:

  1. Points to be considered while integrating BW Bex queries with BO WEBI –> http://scn.sap.com/docs/DOC-35444
  2. SAP BW 7.3 Promising Features –> http://scn.sap.com/docs/DOC-30461
  3. House Keeping / Performance Tuning Activities in SAP BW Systems (4 Parts) –> http://scn.sap.com/community/data-warehousing/netweaver-bw/blog/2013/10/02/house-keeping-activities-in-sap-bw-systems

Scenario: We will take a scenario in the automotive industry where vehicles are sold in different Regions (say, within India). In the company, we have a Regional Manager user who is supposed to see vehicles sold under his Region and in the Areas which are hierarchically under his Region.

For the purposes of this document, the Regional Manager's username is BOUSR_BAN. He is supposed to see only the Bangalore Region (key is R002) and the Areas under the Bangalore Region, which are ‘Bangalore’ and ‘Hubli’.

The Region object in our scenario is 0SALES_OFF, and we also have a navigational attribute 0CUST_SALES__0SALES_OFF. Since both these objects will be used for deriving Regions in different queries under the same MultiProvider, both objects are marked as ‘Authorization Relevant’, and the change should be collected in a BW transport request.

/wp-content/uploads/2013/10/0_295294.png

/wp-content/uploads/2013/10/1_295310.png

The basic rule is: an Authorisation Object is created and added to a Role, and the Role is then added to the User.

For ease of creation and mass maintenance of AA objects, we can use the SAP-delivered ‘DSO 0TCA_DS01 (Template for ODS with Authorization Data (Values))’, whose structure is shown below:

/wp-content/uploads/2013/10/1_295312.png

Create a flat file DataSource, like the one shown in the screenshot below:

/wp-content/uploads/2013/10/2_295316.png

Create a Transformation connecting the flat file DataSource and the DSO.

/wp-content/uploads/2013/10/3_295317.png

Now the downward flow of the DSO would be as follows:

/wp-content/uploads/2013/10/4_295323.png

Create a flat file (CSV format) containing all the fields in the DSO. Load the Excel data to the DSO and activate it.

/wp-content/uploads/2013/10/5_296157.png

More details about the objects that are included in the above Excel sheet:

0TCTAUTH –> ZAA_1010_BAN (this is the AA object which will be created for the Bangalore Region).

0TCTADTO –> Gives the date up to which the AA object is valid. Here it is set to 99991231.

0TCTIOBJNM –> This is the most important of all the columns: here we restrict the InfoObject with the actual authorization values. 0SALES_OFF and 0CUST_SALES__0SALES_OFF are both set to ‘R002’.

We use the EQ operator (meaning ‘equal to’) for that:

0SALES_OFF  EQ  R002

0CUST_SALES__0SALES_OFF  EQ  R002

Additionally, 0SALES_OFF EQ : and 0CUST_SALES__0SALES_OFF EQ : are added (this is done for aggregation).

Further, we need to give the necessary values for 0TCAACTVT, 0TCAIPROV and 0TCAVALID (authorization-relevant objects):

0TCAACTVT  EQ  3 (display only)

0TCAIPROV  CP  * (means access to all InfoProviders)

0TCAVALID   CP  * (validity is set as *)
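
A pre-load check for the flat file described above, as an added example that is not part of the original document: it verifies that every AA object carries the three special characteristics, that the activity is display-only, and that the restricted characteristics have no `*` value and include the `:` aggregation row. The column names OPTION and LOW and the function name `lint` are assumptions, and the sample rows are constructed from the values given in the text.

```python
import csv
import io
from collections import defaultdict

# Constructed flat-file sample mirroring the rows described above. OPTION and LOW
# are hypothetical column names for the operator and value; use your DSO's fields.
SAMPLE_CSV = """\
0TCTAUTH,0TCTADTO,0TCTIOBJNM,OPTION,LOW
ZAA_1010_BAN,99991231,0SALES_OFF,EQ,R002
ZAA_1010_BAN,99991231,0SALES_OFF,EQ,:
ZAA_1010_BAN,99991231,0CUST_SALES__0SALES_OFF,EQ,R002
ZAA_1010_BAN,99991231,0CUST_SALES__0SALES_OFF,EQ,:
ZAA_1010_BAN,99991231,0TCAACTVT,EQ,3
ZAA_1010_BAN,99991231,0TCAIPROV,CP,*
ZAA_1010_BAN,99991231,0TCAVALID,CP,*
"""

SPECIAL = {"0TCAACTVT", "0TCAIPROV", "0TCAVALID"}        # needed in every AA
RESTRICTED = {"0SALES_OFF", "0CUST_SALES__0SALES_OFF"}   # data-level restriction


def lint(csv_text, restricted=RESTRICTED):
    """Return sorted (authorization, finding) tuples for a flat file."""
    auths = defaultdict(lambda: defaultdict(set))   # AA -> InfoObject -> values
    for row in csv.DictReader(io.StringIO(csv_text)):
        auths[row["0TCTAUTH"]][row["0TCTIOBJNM"]].add(row["LOW"].strip())
    findings = []
    for auth, objs in auths.items():
        # A missing special characteristic makes queries fail for the user.
        for name in SPECIAL - set(objs):
            findings.append((auth, f"missing special characteristic {name}"))
        # Reporting users should only get the display activity.
        for value in objs.get("0TCAACTVT", ()):
            if value.lstrip("0") != "3":
                findings.append((auth, f"activity {value} is not display-only"))
        # A wildcard on a restricted characteristic defeats the restriction.
        for name in restricted & set(objs):
            if "*" in objs[name]:
                findings.append((auth, f"{name} grants all values (*)"))
            if ":" not in objs[name]:
                findings.append((auth, f"{name} has no ':' aggregation row"))
    return sorted(findings)


if __name__ == "__main__":
    for auth, finding in lint(SAMPLE_CSV):
        print(f"{auth}: {finding}")
    print("checked", SAMPLE_CSV.count("\n") - 1, "rows")
```

Running it against the file before each load into 0TCA_DS01 catches over-broad rows before RSECADMIN generates them into a live authorization.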

Go to T-code RSECADMIN and click Generation:

/wp-content/uploads/2013/10/6_295324.png

Enter the name of the DSO loaded above:

/wp-content/uploads/2013/10/7_295326.png

Click on Start Generation, and an AA object named ZAA_1010_BAN will be automatically created by the system with all the restrictions that we specified in the above Excel CSV file.

/wp-content/uploads/2013/10/8_296158.png

Go inside each Characteristic/Dimension and ensure that everything has been created as expected.

/wp-content/uploads/2013/10/9_295327.png

/wp-content/uploads/2013/10/10_295331.png

If everything is fine, we can collect the newly created AA objects, again by going to the T-code RSECADMIN. Click Transport.

/wp-content/uploads/2013/10/11_295332.png

Using the checkbox, collect only the newly created AA object from the complete list of AA objects (in this case, ZAA_1010_BAN).

/wp-content/uploads/2013/10/11a_295333.png

Add the AA object to a BW transport request.

/wp-content/uploads/2013/10/12a_295345.png

Now we need to create a Role containing the above authorisation object, which will restrict the user to seeing only the Bangalore Region vehicle sales.

Go to PFCG and create a role. Get help from the Basis team to create the role if required.

/wp-content/uploads/2013/10/13_296159.png

Now we will create a user ‘BOUSR_BAN’ in SU01 and add the above role to the user.

/wp-content/uploads/2013/10/14_296160.png

Now we can test the AA concept, again using RSECADMIN, this time click ‘Execution As’:

/wp-content/uploads/2013/10/15_295348.png

Enter the user name ‘BOUSR_BAN’, select the ‘With Log’ check box and start the transaction (RSRT).

/wp-content/uploads/2013/10/16_295349.png

Enter a query technical name which you want to test.

/wp-content/uploads/2013/10/17_295350.png

I have given a mandatory prompt for this query.

/wp-content/uploads/2013/10/18_295351.png

Now you can see that when this user opens the list of values (LOV), he is able to see only Bangalore.

/wp-content/uploads/2013/10/19_295357.png

Enter values for the other mandatory prompts as well.

/wp-content/uploads/2013/10/20_295358.png

After executing, we will get the following result in BEx:

/wp-content/uploads/2013/10/21_295359.png

Points to Note:

1) At execution time, if the query has any missing authorisation, it will fail to execute and the message ‘No Authorisation’ will be displayed.

If you have selected the ‘With Log’ check box, you can press the back button and see a detailed log of why the query failed to execute.

2) When a query executes on the MP, and the MP contains cubes which have other ‘Authorization Objects’, and you have not added the authorization criteria for all those objects to the roles of the user who executes the query, it will fail. At that point, you might need to consider creating further AA objects and the corresponding roles, which need to be additionally added to the user for executing the query.

3) If you plan to change the setting of an object to ‘Authorisation relevant’, as a best practice, it is always better to inform all the other BW team members as well.

4) The RSECAUTH T-code can also be used for the maintenance of AA objects.

5) Always try to follow a company-wide naming convention when you create the AA objects and the corresponding Roles.

Hope this document was useful for you!

Expecting your feedback and comments.

BR

Prabhith

20 Comments

  1. Manna Das

    Hello Prabhith,

    I have done SSO too 😎 , but SAP – Windows and Sharepoint and SAP BO, this stuff will give me more learning 🙂 . Thanks for sharing.

    Kind Regards

    Manna Das

  2. Prasad Damoder

    Hi Prabhith,

    Nice document, thanks for sharing. We need to work on Analysis Authorization sometime in the future. This would be a good help. Seems you have read my requirement 🙂

    Regards,

    Prasad

  3. Pierrick Horpin

    Hi Prabhith,

    Thank you for this excellent document. Very valuable.

    I just wanted to ask you if you know how to automate the role assignment to users, instead of doing this manually. The main idea is to put everything in a process chain.

    Regards

    Pierrick

  4. Carl Shepherd

    Hi Prabhith,

    2) When a query executes on the MP and if the MP contains cubes which have other ‘Authorization Objects’ and if you have not added all those objects' authorization criteria to the roles of the user who executes the query, it will fail. At that point, you might need to consider creating further AA objects and the corresponding roles which need to be additionally added to the user for executing the query.

    I always thought that the Auth checks on the MP were all that was required. The system does not look at the Auths in the underlying cubes.

    Cheers,

    Carl
