Skip to Content

Hi All,

These days, there are lot of projects happening in the BW-BO Integration Space. Obviously the data level security also place a very crucial role both in BW and BO side. Here am trying to show how exactly an Analysis Authorization(Hereafter referred to as AA) works in BW and how it is further leveraged in BO side.

Part 1 covers the step by step activities to be done at the BW side.(

Part 2 covers the step by step activities to be done at the BO side.


Applies to:

SAP NetWeaver Business Warehouse (formerly BI).

Author:      Prabhith Prabhakaran

Company: Capgemini India Private Limited

Author Bio:


Prabhith is a Senior SAP BW-BOBJ Consultant with more than six years of experience and is currently working with Capgemini Consulting, India.

His area of expertise includes BW, BODS, BOBJ and HANA.

Other popular articles from the same Author:

  1. Points to be considered while integrating BW Bex queries with BO WEBI  –>
  2. SAP BW 7.3 Promising Features –>
  3. House Keeping / Performance Tuning Activities in SAP BW Systems (4 Parts)


Scenario: We will take a scenario in an automotive industry where Vehicles are sold in different Regions(say, Within India) .In the company, we have a Regional Manager user who is supposed to see vehicles sold under his Region and in the Area which is hierarchically under his Region.

For document purpose, the Regional Manager username is BOUSR_BAN. He is supposed to see only Bangalore Region(Key is R002) and the Area under his Bangalore Region which is  ‘Bangalore’ and ‘Hubli’.

We have seen this scenario working perfectly at the BW side in the Part 1.

Now let’s move ahead and log into the BO side.

Before moving ahead to BO, please be informed that the administrative/ Basis activities pertaining to the BW-BO SSO integration have not been been explained as the same has been explained adequately elsewhere.

This scope of this document will the modifications/activities required to make SSO working in BO side.


First log into to the BO CMC.(assuming that the BW-BO SSO technical integration is completed).


Change Authentication to SAP.


Import the required roles to BO. The roles created in BW would be available in the left pane, select and manually add to the right pane.

In this case, we are manually adding the Bangalore Role.(BAN)


Perform the user update activities.


PS: The users attached with the imported role will now be available in BO side.

Take OLAP Connections and navigate to the BICS connection which you want to make as SSO enabled.


Right click on the connection and edit the same:


Enable SSO authentication:


Now we are all set for testing the security in BO.

Login to a Webi report using the SSO user id BOUSR_BAN(Created in BW as mentioned in Part 1) and authentication as SAP.


Run the corresponding Webi report for which we tested the data level security (for the Bex counterpart) in Part 1.


You can find that only Bangalore Region is available for the user BOUSR_BAN.

After giving the required prompts, we will get the following output in Webi.


Earlier, the output we received in Bex was as follows:


This completes the step by step SSO authorization activity in BO.

Hope this document was useful for you!

Expecting your feedback and comments.



To report this post you need to login first.


You must be Logged on to comment or reply to a post.

  1. Former Member

    Hi Prabhith

    I could not see the attached screenshots. Can you please upload again. We have also implemented SSO between BO-BW system in our project, faced few issues earlier but now its working fine..

    Nice blog both part1 and part 2..Hope this article could have come few months before πŸ™‚ …



        1. Former Member

          Hi Prabhith,

          Very useful article and good presentation. Thanks for sharing.

          Me too, am also seeing screen shots thru google chrome/mozille. its fine.


  2. François MAZAUD


    Would that work for  a relational connection, too ? (ie, scenario where BO accesses BW infoproviders, mirrored as Universes, instead of accessing queries).  I can’t see this property “use SSO” for relational connections… Maybe its because only BICS handles security ?


Leave a Reply