Applies to

SAP BI 7.0 version and higher

For more information, for more information, visit the EDW homepage.

Summary

This document will provide information regarding implementing multi-dimensional authorization concept in BW reports. Also it contains the information regarding analysis Authorization and customer exit variable etc

Author: Arvind Tekra     

Company: Infosys Technologies.

Created on: 4^th June 2014

Author Bio

Arvind Tekra has been working in various technologies in SAP BI. He is mainly responsible for implementing SAP BI/BO projects and has worked extensively on SAP BI Modeling.

Introduction

Whenever the analysis authorization of a user is combined, the authorization variable implemented in the report is not able to restrict the data at the appropriate combination which might lead to user getting message of “No appropriate authorization” when executing the report. This is explained better with the scenario explained below:

Objective

In the below example is a requirement from the user that the user should be able to see all the Sales Org for a particular Sales Division (as part of the global team) and for a specific Sales Org he should see all Sales Divisions (as per his role of a regional manager).  As per the requirement two analysis authorization objects were created and assigned to the user. The analysis authorizations would make sure at the database level that the users see the appropriate data as per the user’s access, however the BW query is not able to read it appropriately and it throws an error message to the user.

Both the analysis authorization are assigned to the TESTUSER1.

A simple BW query is built for the demo purpose, it has authorization variables in the selection screen.

If we execute this report in Tcode-RSRT with a user with all access we get the below data.

Selection Screen:

Output:

From the above output we can see the  combination for which TESTUSER1 is authorized for has data available in the report.

If we now run the report with TESTUSER1:

Selection screen:

The values are not populated as for individual charactersitics, it reads as * access from the authorizations.

If we execute the report, then we get the error message that no authorization is there as he only has access for combinations of data and not all the data.

The above example takes into consideration only two characteristics and in other business scenario we may have scenarios where the access can be defined on combination of 3-4 characteristics.

Solution

The solution can be divided into two parts:

·         Automatic generation of analysis authorization for the user for the desired combination.

·         Introduction of a concatenated object which is a combination of Sales Org/Division, this object can be used to restrict the output of the BW report as per the users authorization.

The following design can be implemented for the solution. The user access matrix can be maintained in an ECC table by the business itself. The business team can enter the user and the combination matrix on which the users should have access.

ECC table:

In ECC a customized extractor (data source) can be built which fetches this information and passes it to BW system. The below data model can be built to fetch the user access matrix in BW.

In DSO1 we need to add an additional object which is concatenation of the two objects with a differentiator in between. The differentiator will help in distinguishing the values of the Sales Org/ Sales Division. In the below example we have used “/” as the differentiator, the differentiator can be any special symbol which is allowed in the BW and is not used in the value of the characteristics used for the combination. The concatenated object can be populated in the DSO by writing this logic in the transformation.

DSO1 sample entries:

The concatenated object is also added to the cube and the data is populated by defining the logic in transformation same as the DSO1 transformation.

DSO entries:

Cube entries:

To fully automate this solution the following design can be used.

Copy DSO’s for authorization can be created

DSO2: copy of Authorization data (values) (0TCA_DS01)

DSO3: copy of Description texts for authorizations (0TCA_DS03)

The authorization DSO’s are used to generate the authorizations on Sales Org and Sales Division

1. In the transformation from DSO1 (ZUSER_1) à DSO2 (Z_DS01) the below expert routine can be used, this would convert the entries into the format of authorization generation.

Data: WA_SOURCE_PACKAGE LIKE LINE OF SOURCE_PACKAGE.

    SORT SOURCE_PACKAGE BY TCTUSERNM.

    LOOP AT SOURCE_PACKAGE INTO WA_SOURCE_PACKAGE.

      RESULT_FIELDS-tctusernm = WA_SOURCE_PACKAGE-TCTUSERNM.

      RESULT_FIELDS-tctobjvers = 'A'.

      RESULT_FIELDS-tctoption = 'EQ'.

      RESULT_FIELDS-tctsign   = 'I'.

      RESULT_FIELDS-tctadfrom = '19000101'.

      RESULT_FIELDS-tctadto   = '99991231'.

      RESULT_FIELDS-tctauth = 'SALESDIV'.
      RESULT_FIELDS-tctiobjnm = '0TCAACTVT'.
      RESULT_FIELDS-tctlow = '03'.
      APPEND RESULT_FIELDS TO RESULT_PACKAGE.

      RESULT_FIELDS-tctiobjnm = '0TCAVALID'.
      RESULT_FIELDS-tctlow = '*'.
      APPEND RESULT_FIELDS TO RESULT_PACKAGE.
      RESULT_FIELDS-tctiobjnm = '0TCAIPROV'.
      RESULT_FIELDS-tctlow = 'ZSALES_M1'.
      "Mention the cube on which the report is built
      APPEND RESULT_FIELDS TO RESULT_PACKAGE.
"This name can be changed as per the description you require for the aut"horization
      RESULT_FIELDS-tctiobjnm = 'ZSA_DIV'."Sales Division object
      RESULT_FIELDS-tctlow = WA_SOURCE_PACKAGE-/BIC/ZSA_DIV.
      APPEND RESULT_FIELDS TO RESULT_PACKAGE.

          CLEAR RESULT_FIELDS.
      ENDLOOP.

The entries of DSO after loading.

The text for the TCTAUTH (authorizations) defined above can be loaded in copy of DSO 0TCA_DS03, this text appears in the user profile for the authorization. After loading the DSO1 and DSO3 execute the report “RSEC_GENERATE_AUTHORIZATIONS” with the DSO’s and generate the profile.

Screenshot of user profile in RSECADMIN:

The loading and generation of the analysis authorization can be done using a Process chain.

The BW query is enhanced and the concatenated object is added in the filter selection, the variable used is of type “customer exit”. In the customer exit code the DSO ZUSER_1 can be read for the allowed concatenated values. This way the overall report would be restricted to the allowed values only and the report will not throw any error message for authorization.

Sample code for the exit.

DATA:   l_s_range TYPE rsr_s_rangesid,

             lv_user TYPE sy-uname,

            lv_zconcobj TYPE STRING,

             L_S_VAR_RANGE LIKE LINE OF I_T_VAr_RANGE.

Data: I_ZUSER_1 type STANDARD TABLE OF /BIC/AZUSER_100,"INTERNAL TABLE TO DETERMINE AUTH VALUES

         WA_ZUSER_1 like line of I_ZUSER_1.

CASE I_STEP.

        WHEN  '01'. "BEFORE USER INPUT

************FUNCTION TO DETERMINE THE USER NAME********

          CALL FUNCTION 'RSEC_GET_USERNAME'
            IMPORTING

                e_username = lv_user.

*******************************************************
          "SELECT FROM ZUSER_1 FOR USER
          SELECT *
          FROM /BIC/AZUSER_100
          INTO TABLE I_ZUSER_1
          WHERE TCTUSERNM = LV_USER.

          if sy-subrc eq '0'. ”AUTH VALUES ARE MAINTAINED IN MATRIX TABLE
            "LOOP AT THE INTERNAL TABLE
            LOOP AT I_ZUSER_1 INTO WA_ZUSER_1.

              l_s_range-SIGN = 'I'.
              L_S_RANGE-OPT = 'CP'.
              L_s_RANGE-LOW = WA_ZUSER_1-/BIC/ZSA_ORDI.
              APPEND l_s_range TO e_t_range.
              CLEAR L_S_RANGE.

              CLEAR WA_ZUSER_1.
            ENDLOOP.

          else. ”STOP THE PROCESSING AND DISPLAY MESSAGE
            CALL FUNCTION 'RRMS_MESSAGE_HANDLING'
              EXPORTING
                I_CLASS  = 'RSBBS'
                I_TYPE   = 'E'
                I_NUMBER = '000'
                I_MSGV1  = 'No Authorization'
              EXCEPTIONS
                DUMMY    = 1
                OTHERS   = 2.
            raise no_processing.

          endif.

        WHEN '02'. "AFTER USER INPUT

        WHEN '03'.”FOR CHECKING EXCEPTIONS

      ENDCASE.

Now when the query is executed with the test user, the variable restricts the access

Note: This solution does not uses concatenated object as authorization relevant as the values which can be passed into the authorization is restricted, we cannot maintain value wildcard entry (*) with pattern */10. This entry would generate authorization with ‘*’ access only. More details about the valid interval and patterns for authorization is given in the below mentioned SAP note.

1053989 - Intervals and Patterns [(*),(+)] in Analysis Authorizations

The authorizations are generated individually i.e. Sales org independently and Sales Division independently so that it does not give error message in the BW report when the report checks for * access. With this design the Customer exit variable becomes mandatory with all the queries on top of that MultiCube, if the variable is not used then the users might get access to data they are not authorized for. The analysis authorization generated individually would make sense in scenarios where the user not authorized for * access. An example is shown below.

In the above scenario the authorizations would be generated for Sales Org: 1000,2000 and Sales Division 10,20 and these values would appear in the selection screen in authorization variable.

This solution is only 100% correct if the customer exit on concatenated object is used in all the queries.

Related Content

Combining Authorizations

Generation of Analysis Authorizations

SAP Note 1053989 - Intervals and Patterns [(*),(+)] in Analysis Authorizations

Variable Customer exit

Authorization variable

Disclaimer and Liability Notice

This document may discuss sample coding or other information that does not include SAP official interfaces and therefore is not supported by SAP. Changes made based on this information are not supported and can be overwritten during an upgrade.

SAP will not be held liable for any damages caused by using or misusing the information, code or methods suggested in this document, and anyone using these methods does so at his/her own risk.

SAP offers no guarantees and assumes no responsibility or liability of any type with respect to the content of this technical article or code sample, including any liability resulting from incompatibility between the content within this document and the materials and services offered by SAP. You agree that you will not hold, or seek to hold, SAP responsible or liable with respect to the content of this document.