SAP BW 7.3 Analysis Authorization and SSO with BO — PART 1
Hi All,
These days, there are a lot of projects happening in the BW-BO integration space. Obviously, data-level security also plays a very crucial role on both the BW and BO sides. Here I am trying to show how exactly an Analysis Authorization (hereafter referred to as AA) works in BW and how it is further leveraged on the BO side.
Part 1 covers the step by step activities to be done at the BW side.
Part 2 covers the step by step activities to be done at the BO side (http://scn.sap.com/docs/DOC-47671).
Applies to:
SAP NetWeaver Business Warehouse (formerly BI).
Author: Prabhith Prabhakaran
Company: Capgemini India Private Limited
Author Bio:
Prabhith is a Senior SAP BW-BOBJ Consultant with more than six years of experience and is currently working with Capgemini Consulting, India.
His area of expertise includes BW, BODS, BOBJ and HANA.
Other popular articles from the same Author:
- Points to be considered while integrating BW Bex queries with BO WEBI –> http://scn.sap.com/docs/DOC-35444
- SAP BW 7.3 Promising Features –> http://scn.sap.com/docs/DOC-30461
- House Keeping / Performance Tuning Activities in SAP BW Systems (4 Parts)
Scenario: We will take a scenario in the automotive industry where vehicles are sold in different Regions (say, within India). In the company, we have a Regional Manager user who is supposed to see only the vehicles sold under his Region and in the Areas which are hierarchically under his Region.
For documentation purposes, the Regional Manager username is BOUSR_BAN. He is supposed to see only the Bangalore Region (key is R002) and the Areas under his Bangalore Region, which are ‘Bangalore’ and ‘Hubli’.
The Region object in our scenario is 0SALES_OFF, and we also have a navigational attribute 0CUST_SALES__0SALES_OFF. Since both these objects will be used for deriving Regions in different queries under the same MultiProvider, both objects are marked as ‘Authorization Relevant’, and this change should be collected in a BW transport request.
Basic rule: an authorization object is created and added to a role, and the role is then added to the user.
For ease of creation and mass maintenance of AA objects, we can leverage the SAP-delivered DSO 0TCA_DS01 (Template for ODS with Authorization Data (Values)), whose structure is shown below:
Create a flat file DataSource, like the one shown in the screenshot below:
Create a transformation connecting the flat file DataSource and the DSO.
Now the downward flow of the DSO would be as follows:
Create a flat file (CSV format) containing all the fields of the DSO. Load the file data into the DSO and activate it.
More details about the objects that are included in the above sheet:
0TCTAUTH –> ZAA_1010_BAN (This is the AA object which will be created for Bangalore Region).
0TCTADTO –> Gives the date up to which the AA object is valid. Here it is set as 99991231.
0TCTIOBJNM –> This is the most important of all columns; here we restrict the InfoObject to the actual authorization values. 0SALES_OFF and 0CUST_SALES__0SALES_OFF are both set to ‘R002’.
We use the EQ option (meaning equal to) for that: 0SALES_OFF EQ R002
0CUST_SALES__0SALES_OFF EQ R002.
Additionally, 0SALES_OFF and 0CUST_SALES__0SALES_OFF EQ : (the colon entry is required so that aggregated values, where the characteristic is not drilled down, can be displayed).
Further, we need to give the necessary values for the special authorization-relevant characteristics 0TCAACTVT, 0TCAIPROV and 0TCAVALID:
0TCAACTVT EQ 3 (activity: display only)
0TCAIPROV CP * (means access to all InfoProviders)
0TCAVALID CP * (validity is set to *)
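To make the content of the CSV file described above concrete, here is an added example (not part of the original document) that builds the rows for ZAA_1010_BAN from the values listed and checks them before loading: the three special characteristics must be present, every restricted characteristic needs its ‘:’ aggregation entry, and 0TCAACTVT should grant display only. The column names 0TCTSIGN/0TCTOPTION/0TCTLOW/0TCTHIGH and the sign value ‘I’ are assumed from the 0TCA_DS01 template; the page itself names only 0TCTAUTH, 0TCTADTO and 0TCTIOBJNM.

```python
import csv
import io
from typing import Dict, List

# Assumed column order of the flat file; sign/option/low/high names are assumptions.
COLUMNS = ["0TCTAUTH", "0TCTADTO", "0TCTIOBJNM", "0TCTSIGN", "0TCTOPTION", "0TCTLOW", "0TCTHIGH"]
# Special characteristics every AA object must carry (activity, InfoProvider, validity).
SPECIAL = {"0TCAACTVT", "0TCAIPROV", "0TCAVALID"}
DISPLAY = "03"  # the text writes "3"; SAP stores the display activity as "03"

def _row(auth: str, valid_to: str, iobj: str, option: str, low: str) -> Dict[str, str]:
    # "I" (inclusive) is the assumed sign; the page only uses inclusive EQ/CP entries.
    return dict(zip(COLUMNS, [auth, valid_to, iobj, "I", option, low, ""]))

def build_rows(auth: str, valid_to: str, characteristics: List[str], key: str) -> List[Dict[str, str]]:
    """One value row plus one ':' aggregation row per characteristic, then the special ones."""
    rows: List[Dict[str, str]] = []
    for iobj in characteristics:
        rows.append(_row(auth, valid_to, iobj, "EQ", key))
        rows.append(_row(auth, valid_to, iobj, "EQ", ":"))
    rows.append(_row(auth, valid_to, "0TCAACTVT", "EQ", DISPLAY))
    rows.append(_row(auth, valid_to, "0TCAIPROV", "CP", "*"))
    rows.append(_row(auth, valid_to, "0TCAVALID", "CP", "*"))
    return rows

def validate(rows: List[Dict[str, str]]) -> List[str]:
    """Return a list of problems; an empty list means the file is ready to load."""
    problems: List[str] = []
    by_auth: Dict[str, List[Dict[str, str]]] = {}
    for r in rows:
        by_auth.setdefault(r["0TCTAUTH"], []).append(r)
    for auth, rs in by_auth.items():
        present = {r["0TCTIOBJNM"] for r in rs}
        for missing in sorted(SPECIAL - present):
            problems.append(f"{auth}: missing special characteristic {missing}")
        for iobj in sorted(present - SPECIAL):
            if ":" not in {r["0TCTLOW"] for r in rs if r["0TCTIOBJNM"] == iobj}:
                problems.append(f"{auth}: {iobj} has no ':' aggregation entry")
        for r in rs:
            if r["0TCTIOBJNM"] == "0TCAACTVT" and r["0TCTLOW"] != DISPLAY:
                problems.append(f"{auth}: 0TCAACTVT grants {r['0TCTLOW']}, expected display only")
    return problems

def to_csv(rows: List[Dict[str, str]]) -> str:
    """Serialise the rows with a header line matching the DSO fields."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

# The Bangalore Region object from the text: R002 on both the characteristic and its navigational attribute.
BAN_ROWS = build_rows("ZAA_1010_BAN", "99991231", ["0SALES_OFF", "0CUST_SALES__0SALES_OFF"], "R002")
```

Running `validate(BAN_ROWS)` returns an empty list and `to_csv(BAN_ROWS)` gives the seven-row file to load into 0TCA_DS01; dropping a ‘:’ row or one of the special characteristics is reported before the RSECADMIN generation step instead of surfacing later as ‘No Authorization’.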
Go to T-code RSECADMIN and click Generation:
Give the name of the DSO loaded above:
Click Start Generation, and an AA object named ZAA_1010_BAN will be automatically created by the system with all the restrictions that we specified in the CSV file above.
Go inside each Charact./Dimensions and ensure that everything has been created as expected.
If everything is fine, we can collect the newly created AA object, again by going to T-code RSECADMIN. Click Transport.
Collect only the newly created AA object from the complete list of AA objects by using the checkbox (in this case, ZAA_1010_BAN).
Add the AA object to a BW transport request.
Now we need to create a role which contains the above authorization object and which will restrict the user to seeing only the Bangalore Region vehicle sales.
Go to PFCG and create a role. Take Basis help to create the role (if required).
Now we will create a user ‘BOUSR_BAN’ in SU01 and add the above role to the user.
Now we can test the AA concept, again using RSECADMIN, this time click ‘Execution As’:
Give the user name ‘BOUSR_BAN’, tick the ‘With Log’ check box and start the transaction (RSRT).
Enter a query technical name which you want to test.
I have given a mandatory prompt for this query.
Now you can see that, when this user opens the list of values (LOVs) for the prompt, he is able to see only Bangalore.
Give the other Mandatory prompts value as well.
After executing, we will get the result as follows in Bex:
Points to Note:
1) At execution time, if the query requires any authorization the user does not have, it will fail to execute and the message ‘No Authorization’ will be displayed.
If you have ticked the ‘With Log’ check box, you can press the back button and see the detailed log of why the query failed to execute.
2) When a query executes on a MultiProvider (MP) and the MP contains cubes which have other authorization objects, and you have not added all of those objects’ authorization criteria to the roles of the user who executes the query, it will fail. At that point, you might need to consider creating further AA objects and the corresponding roles, which then need to be additionally added to the user in order to execute the query.
3) If you plan to change the setting of an object to ‘Authorization relevant’, as a best practice it is always better to inform all the other BW team members about the change as well, since it affects every query that uses the object.
4) RSECAUTH T-code can also be used for the maintenance of AA objects.
5) Always try to follow a company wide naming convention when you create the AA objects and the corresponding Roles.
Hope this document was useful for you!
Expecting your feedback and comments.
BR
Prabhith
Another Great work!!! Thanks for sharing your efforts...
Hi Altaf,
Thanks a lot.
Br
Prabhith
Good one
Thanks for sharing.
Very nicely presented.
BR,
PK
Hi PK,
Thanks a lot.
Br
Prabhith
Thanks for sharing such nice document.
Regards,
Sushant
Hi Sushant,
Thanks a lot..
Prabhith
You're always rocking dude. Good presentation and useful article.
Thanks for making and sharing.
Raman
Thanks a lot, Raman.
It's always a pleasure to hear such comments.
BR
Prabhith
Hi Prabhith,
These type of step by step docs are always useful.
Thanks for sharing.
Regards,
LK..
Hello Prabhith,
I have done SSO too 😎 , but SAP - Windows and Sharepoint and SAP BO, this stuff will give me more learning 🙂 . Thanks for sharing.
Kind Regards
Manna Das
Hi Prabhith,
Nice document, thanks for sharing. We need to work on Analysis Authorization sometimes in future. This would be a good help. Seems, you have read my requirement 🙂
Regards,
Prasad
Hi Prabhith,
Really very good and useful document! Thanks Dude...
Cheers.
Amrith..
Hi,
Thanks to all of you for your valuable comments.
It really motivates..
BR
Prabhith...
Nice and useful. Where is Part 2? Can you please provide the link?
Regards,
NK
Nice doc and useful...
Regards,
KV.
Another great doc Prabhith, thanks for sharing!
Regards,
Carlos
Hi All,
Thanks a lot for your comments.
@Naveen_Kumar: Sorry for the delay, as I was a bit busy with the project go-live.
Anyway, please find the link to the Part 2 which was just released today.
http://scn.sap.com/docs/DOC-47671
BR
Prabhith
Hi Prabhith,
Thank you for this excellent document. Very valuable.
I just wanted to ask you if you know how to automate the role assignment to user, instead of doing this manually. The main idea is to put everything in a process chain.
Regards
Pierrick
Hi Prabhith,
2) When a query executes on the MP and if the MP contains cubes which have other 'Authorization Objects' and if have not added all those objects authorization criteria to the roles of the user who executes the query, it will fail. At that point, you might need to consider creating further AA objects and the corresponding roles which need to be additionally added to the user for executing the query.
I always thought that the auth checks on the MP were all that was required. The system does not look at the auths in the underlying cubes.
Cheers,
Carl