Applies to

SAP BI 7.0 version and higher

For more information, for more information, visit the EDW homepage.

Summary

This document will provide information regarding implementing multi-dimensional authorization concept in BW reports. Also it contains the information regarding analysis Authorization and customer exit variable etc

Pic1.jpg

Author: Arvind Tekra     

Company: Infosys Technologies.

Created on: 4th June 2014

Author Bio

Arvind Tekra has been working in various technologies in SAP BI. He is mainly responsible for implementing SAP BI/BO projects and has worked extensively on SAP BI Modeling.

Introduction

Whenever the analysis authorization of a user is combined, the authorization variable implemented in the report is not able to restrict the data at the appropriate combination which might lead to user getting message of “No appropriate authorization” when executing the report. This is explained better with the scenario explained below:

Objective

In the below example is a requirement from the user that the user should be able to see all the Sales Org for a particular Sales Division (as part of the global team) and for a specific Sales Org he should see all Sales Divisions (as per his role of a regional manager).  As per the requirement two analysis authorization objects were created and assigned to the user. The analysis authorizations would make sure at the database level that the users see the appropriate data as per the user’s access, however the BW query is not able to read it appropriately and it throws an error message to the user.

Analysis Authorization

Sales Org

Sales Division

TEST

1000

*

TEST12

*

10

Pic2.jpg

Both the analysis authorization are assigned to the TESTUSER1.

Pic3.jpg

A simple BW query is built for the demo purpose, it has authorization variables in the selection screen.

Pic4.jpg

Pic5.jpg

If we execute this report in Tcode-RSRT with a user with all access we get the below data.

Pic6.jpg

Selection Screen:

Pic7.jpg

Output:

Pic8.jpg

From the above output we can see the  combination for which TESTUSER1 is authorized for has data available in the report.

If we now run the report with TESTUSER1:

Selection screen:

Pic9.jpg

The values are not populated as for individual charactersitics, it reads as * access from the authorizations.

If we execute the report, then we get the error message that no authorization is there as he only has access for combinations of data and not all the data.

Pic10.jpg

The above example takes into consideration only two characteristics and in other business scenario we may have scenarios where the access can be defined on combination of 3-4 characteristics.

Solution

The solution can be divided into two parts:

·         Automatic generation of analysis authorization for the user for the desired combination.

·         Introduction of a concatenated object which is a combination of Sales Org/Division, this object can be used to restrict the output of the BW report as per the users authorization.

The following design can be implemented for the solution. The user access matrix can be maintained in an ECC table by the business itself. The business team can enter the user and the combination matrix on which the users should have access.

ECC table:

User

Sales Org

Sales Division

TESTUSER1

1000

*

TESTUSER1

*

10

In ECC a customized extractor (data source) can be built which fetches this information and passes it to BW system. The below data model can be built to fetch the user access matrix in BW.

/wp-content/uploads/2014/06/pic1_466883.png

In DSO1 we need to add an additional object which is concatenation of the two objects with a differentiator in between. The differentiator will help in distinguishing the values of the Sales Org/ Sales Division. In the below example we have used “/” as the differentiator, the differentiator can be any special symbol which is allowed in the BW and is not used in the value of the characteristics used for the combination. The concatenated object can be populated in the DSO by writing this logic in the transformation.

DSO1 sample entries:

User

(ZUSER)

Sales Org

(ZSA_ORG)

Sales Division (ZSA_DIV)

Sales Org/Division

(ZSA_ORDI)

TESTUSER1

1000

*

1000/*

TESTUSER1

*

10

*/10

The concatenated object is also added to the cube and the data is populated by defining the logic in transformation same as the DSO1 transformation.

DSO entries:

/wp-content/uploads/2014/06/pic12_466884.jpg

Cube entries:

  /wp-content/uploads/2014/06/pic13_466885.jpg

To fully automate this solution the following design can be used.

/wp-content/uploads/2014/06/pic2_466886.png

Copy DSO’s for authorization can be created

DSO2: copy of Authorization data (values) (0TCA_DS01)

DSO3: copy of Description texts for authorizations (0TCA_DS03)

The authorization DSO’s are used to generate the authorizations on Sales Org and Sales Division

/wp-content/uploads/2014/06/pic15_466887.jpg

  1. In the transformation from DSO1 (ZUSER_1) à DSO2 (Z_DS01) the below expert routine can be used, this would convert the entries into the format of authorization generation.

Data: WA_SOURCE_PACKAGE LIKE LINE OF SOURCE_PACKAGE.


   
SORT SOURCE_PACKAGE BY TCTUSERNM.

    LOOP AT SOURCE_PACKAGE INTO WA_SOURCE_PACKAGE.


      RESULT_FIELDS
tctusernm = WA_SOURCE_PACKAGETCTUSERNM.

      RESULT_FIELDStctobjvers = ‘A’.

      RESULT_FIELDStctoption = ‘EQ’.

      RESULT_FIELDStctsign   = ‘I’.

      RESULT_FIELDStctadfrom = ‘19000101’.

      RESULT_FIELDStctadto   = ‘99991231’.

***********Sales Org*******************
      RESULT_FIELDS
tctauth = ‘SALESORG’.
      RESULT_FIELDS
tctiobjnm = ‘0TCAACTVT’.
      RESULT_FIELDS
tctlow = ’03’.
     
APPEND RESULT_FIELDS TO RESULT_PACKAGE.

      RESULT_FIELDStctiobjnm = ‘0TCAVALID’.
      RESULT_FIELDS
tctlow = ‘*’.
     
APPEND RESULT_FIELDS TO RESULT_PACKAGE.

      RESULT_FIELDStctiobjnm = ‘0TCAIPROV’.
      RESULT_FIELDS
tctlow = ‘ZSALES_M1’.
     
“Mention the cube on which the report is built
     
APPEND RESULT_FIELDS TO RESULT_PACKAGE.

“This name can be changed as per the description you require for the aut“horization
      RESULT_FIELDS
tctiobjnm = ‘ZSA_ORG’.“Sales org object
      RESULT_FIELDS
tctlow = WA_SOURCE_PACKAGE/BIC/ZSA_ORG.
     
APPEND RESULT_FIELDS TO RESULT_PACKAGE.

***************Sales Division*******************

      RESULT_FIELDStctauth = ‘SALESDIV’.
      RESULT_FIELDS
tctiobjnm = ‘0TCAACTVT’.
      RESULT_FIELDS
tctlow = ’03’.
     
APPEND RESULT_FIELDS TO RESULT_PACKAGE.

      RESULT_FIELDStctiobjnm = ‘0TCAVALID’.
      RESULT_FIELDS
tctlow = ‘*’.
     
APPEND RESULT_FIELDS TO RESULT_PACKAGE.
      RESULT_FIELDS
tctiobjnm = ‘0TCAIPROV’.
      RESULT_FIELDS
tctlow = ‘ZSALES_M1’.
     
“Mention the cube on which the report is built
     
APPEND RESULT_FIELDS TO RESULT_PACKAGE.
“This name can be changed as per the description you require for the aut“horization
      RESULT_FIELDS
tctiobjnm = ‘ZSA_DIV’.“Sales Division object
      RESULT_FIELDS
tctlow = WA_SOURCE_PACKAGE/BIC/ZSA_DIV.
     
APPEND RESULT_FIELDS TO RESULT_PACKAGE.

          CLEAR RESULT_FIELDS.
     
ENDLOOP.

The entries of DSO after loading.

/wp-content/uploads/2014/06/pic16_466888.jpg

The text for the TCTAUTH (authorizations) defined above can be loaded in copy of DSO 0TCA_DS03, this text appears in the user profile for the authorization. After loading the DSO1 and DSO3 execute the report “RSEC_GENERATE_AUTHORIZATIONS” with the DSO’s and generate the profile.

Screenshot of user profile in RSECADMIN:

/wp-content/uploads/2014/06/pic17_466898.jpg

The loading and generation of the analysis authorization can be done using a Process chain.

The BW query is enhanced and the concatenated object is added in the filter selection, the variable used is of type “customer exit”. In the customer exit code the DSO ZUSER_1 can be read for the allowed concatenated values. This way the overall report would be restricted to the allowed values only and the report will not throw any error message for authorization.

/wp-content/uploads/2014/06/pic18_466900.jpg

Sample code for the exit.

DATA:   l_s_range TYPE rsr_s_rangesid,

             lv_user TYPE syuname,

            lv_zconcobj TYPE STRING,

             L_S_VAR_RANGE LIKE LINE OF I_T_VAr_RANGE.


Data
: I_ZUSER_1 type STANDARD TABLE OF /BIC/AZUSER_100,“INTERNAL TABLE TO DETERMINE AUTH VALUES

         WA_ZUSER_1 like line of I_ZUSER_1.

CASE I_STEP.

        WHEN  ’01’. “BEFORE USER INPUT

************FUNCTION TO DETERMINE THE USER NAME********

          CALL FUNCTION ‘RSEC_GET_USERNAME’
           
IMPORTING

                e_username = lv_user.

*******************************************************
         
“SELECT FROM ZUSER_1 FOR USER
         
SELECT *
         
FROM /BIC/AZUSER_100
         
INTO TABLE I_ZUSER_1
         
WHERE TCTUSERNM = LV_USER.

          if sysubrc eq ‘0’. ”AUTH VALUES ARE MAINTAINED IN MATRIX TABLE
           
“LOOP AT THE INTERNAL TABLE
           
LOOP AT I_ZUSER_1 INTO WA_ZUSER_1.

              l_s_rangeSIGN = ‘I’.
              L_S_RANGE
OPT = ‘CP’.
              L_s_RANGE
LOW = WA_ZUSER_1/BIC/ZSA_ORDI.
             
APPEND l_s_range TO e_t_range.
             
CLEAR L_S_RANGE.

              CLEAR WA_ZUSER_1.
           
ENDLOOP.

          else. ”STOP THE PROCESSING AND DISPLAY MESSAGE
           
CALL FUNCTION ‘RRMS_MESSAGE_HANDLING’
             
EXPORTING
                I_CLASS 
= ‘RSBBS’
                I_TYPE  
= ‘E’
                I_NUMBER
= ‘000’
                I_MSGV1 
= ‘No Authorization’
             
EXCEPTIONS
                DUMMY   
= 1
               
OTHERS   = 2.
           
raise no_processing.

          endif.

        WHEN ’02’. “AFTER USER INPUT

        WHEN ’03’.”FOR CHECKING EXCEPTIONS

      ENDCASE.

Now when the query is executed with the test user, the variable restricts the access

/wp-content/uploads/2014/06/pic19_466902.jpg

Note: This solution does not uses concatenated object as authorization relevant as the values which can be passed into the authorization is restricted, we cannot maintain value wildcard entry (*) with pattern */10. This entry would generate authorization with ‘*’ access only. More details about the valid interval and patterns for authorization is given in the below mentioned SAP note.

1053989 – Intervals and Patterns [(*),(+)] in Analysis Authorizations

The authorizations are generated individually i.e. Sales org independently and Sales Division independently so that it does not give error message in the BW report when the report checks for * access. With this design the Customer exit variable becomes mandatory with all the queries on top of that MultiCube, if the variable is not used then the users might get access to data they are not authorized for. The analysis authorization generated individually would make sense in scenarios where the user not authorized for * access. An example is shown below.

User

(ZUSER)

Sales Org

(ZSA_ORG)

Sales Division (ZSA_DIV)

Sales Org/Division

(ZSA_ORDI)

TESTUSER1

1000

10

1000/20

TESTUSER1

2000

20

2000/10

In the above scenario the authorizations would be generated for Sales Org: 1000,2000 and Sales Division 10,20 and these values would appear in the selection screen in authorization variable.

This solution is only 100% correct if the customer exit on concatenated object is used in all the queries.

Related Content

Combining Authorizations

Generation of Analysis Authorizations

SAP Note 1053989 – Intervals and Patterns [(*),(+)] in Analysis Authorizations

Variable Customer exit

Authorization variable

Disclaimer and Liability Notice

This document may discuss sample coding or other information that does not include SAP official interfaces and therefore is not supported by SAP. Changes made based on this information are not supported and can be overwritten during an upgrade.

SAP will not be held liable for any damages caused by using or misusing the information, code or methods suggested in this document, and anyone using these methods does so at his/her own risk.

SAP offers no guarantees and assumes no responsibility or liability of any type with respect to the content of this technical article or code sample, including any liability resulting from incompatibility between the content within this document and the materials and services offered by SAP. You agree that you will not hold, or seek to hold, SAP responsible or liable with respect to the content of this document.

To report this post you need to login first.

8 Comments

You must be Logged on to comment or reply to a post.

  1. HS Kok

    What happens as the number of authorization-relevant objects in the landscape increases? Do you advise for the concatenated custom field to increase in length as well?

    (0) 
    1. Arvind Tekra Post author

      The number of objects can be increased, the only thing to keep in mind is that the overall length of the concatenated object does not exceed 60.

      (0) 
      1. HS Kok

        So what’s the solution when this limit is reached?

        I can see this easily happening as the number of authorization-relevant objects increase in the system, or if the master data values to be used are long.

        (0) 
        1. Arvind Tekra Post author

          First of all this solution is not replacement for the Analysis authorization concept. This solution is only for cases where the overlapping of the access will occur as mentioned in the example. The worst case which i saw was a combination of 5 characteristics which defined a unique value, and the concatenation of these objects was still less than 60 chars.

          (0) 

Leave a Reply