Skip to Content
Author's profile photo Sander van Willigen

Implementing Virtual Analysis Authorizations

In SAP NetWeaver BW release 7.3 a new Analysis Authorizations BAdI was introduced: BAdI RSEC_VIRTUAL_AUTH_BADI as part of Enhancement Spot RSEC_VIRTUAL_AUTH. The authorized values or hierarchy nodes can be determined dynamically during query runtime. It does not require any Analysis Authorization objects and PFCG Roles. Virtual Authorizations can be used to enhance any existing “classic” authorization model. I.e. you do not have to make an exclusive choice for one or the other, both classic and virtual can be used simultaneously and complementary.

I would like to share my implementation experience with virtual Profit Center and Cost Center authorizations. Please refer to my blogs Virtual Analysis Authorizations – Part 1: Introduction for an introduction and Virtual Analysis Authorizations – Part 2: Solution Details for the solution details.

In this document I will provide you with detailed implementation instructions for creating the control tables and their table maintenance views, implementing BAdI RSEC_VIRTUAL_AUTH_BADI and how to maintain the Implementing Class.

Please have a look here to download the attachment.

Step 1: Create Tables

SAP Menu: Tools > ABAP Workbench > Development > ABAP Dictionary

T/code: SE11


Create the following Tables and their corresponding Table Maintenance Dialog as shown in the screenshots:

  • ZBW_VIRTAUTH_HIE – Virtual Authorizations – Hierarchy;
  • ZBW_VIRTAUTH_VAL – Virtual Authorizations – Value;
  • ZBW_VIRTAUTH_DEF – Virtual Authorizations – Default Hierarchy.


The Delivery and Maintenance settings as shown in the next screenshot are applicable for all tables.



Figure 1: Delivery and Maintenance Settings



Figure 2: Table Hierarchy Authorizations


Figure_03_Table Maintenance_Dialog_Hierarchy_Authorizations.jpg

Figure 3: Table Maintenance Dialog Hierarchy Authorizations



Figure 4: Table Value Authorizations



Figure 5: Table Maintenance Dialog Value Authorizations



Figure 6: Table Default Hierarchy



Figure 7: Table Maintenance Dialog Default Hierarchy

Step 2: Implement Enhancement Spot

SAP Menu: Tools > ABAP Workbench > Utilities > Business Add-Ins > Implementation

T/code: SE19


Implement Enhancement Spot RSEC_VIRTUAL_AUTH as shown in the screenshots.



Figure 8: Creating an Enhancement Implementation (1)



Figure 9: Creating an Enhancement Implementation (2)



Figure 10: Creating an Enhancement Implementation (3)


As shown in the next screenshot you should either choose for Copy Sample Class or Empty Class.



Figure 11: Creating an Enhancement Implementation (4)



Figure 12: Enhancement Implementation – General Settings



Figure 13: Enhancement Implementation – Implementing Class


If you previously chose for the option Empty Class, then don’t forget to implement method IF_RSEC_VIRTUAL_AUTHS~GET_AUTHS. Entering a comment will do for this moment.

Step 3: Maintain Class

SAP Menu: Tools > ABAP Workbench > Development > Class Builder

T/code: SE24


In Step 2 as part of the Enhancement Spot Implementation, Implementing Class YCL_RSEC_VIRTUAL_AUTHS was created without actual coding (in case of option Empty Class) or with samplecoding (in case of option Copy Sample Class). You now have to maintain the class to provide the appropriate coding.

Refer to the attached file YCL_RSEC_VIRTUAL_AUTHS_v2.txt. From here you can quite easily copy & paste the source code (part 1) and the descriptions (part 2).

Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Former Member
      Former Member

      Hi Sander,

      and first of all thanks for the great blog posts on the topic!!

      One of the strong aspects of using analysis authorizations is that they apply to the whole system. Once such concept is successfully implemented, one need not worry, that someone would be able to see data they are not supposed to. It is also good for managing super-users, who can not overcome their authorization restrictions, by creating a new query for example.

      How would You characterize the virtual analysis authorization based on this criteria? If implemented, is it also applicable for the whole system? Does it require an explicit activation for this purpose or does the BAdI always get executed per default?


      Author's profile photo Sander van Willigen
      Sander van Willigen
      Blog Post Author

      Hi Ivan,

      Thanks for your positive feedback.

      It is hard for me to completely understand your question or doubts. Let me try to give some comments.

      In my opinion you can consider using virtual analysis authorizations to enhance the authorization model. I.e. you can add analysis authorization objects in a virtual way to complement the existing model.

      You are entirely flexible and it offers very powerful functionality. Depending on the implementation it will be applicable system-wide unless otherwise programmed. However, it will be hard or impossible to revoke the 0BI_ALL authorization using virtual analysis authorizations. It is not unusual that super users have the 0BI_ALL authorization.

      One final remark: I suggest to cover the system authorization (e.g. authorization objects S_RS_COMP and S_RS_COMP1) in the classic way using PFCG roles.

      Best regards,


      Author's profile photo Former Member
      Former Member

      Hi Sander,

      great Job.

      It seems that the YCL_RSEC_VIRTUAL_AUTHS_v1.txt attachment got lost while migration. Could you please provide the coding?


      Kind regards,



      Author's profile photo Sander van Willigen
      Sander van Willigen
      Blog Post Author

      Hi Christian,

      Thanks for your positive feedback and sorry for my late reaction. The attachment was lost during migration and cannot be added anymore in the blog.
      Please have a look at Q&A to download the attachment.

      Best regards,

      Author's profile photo Lakshminarasimhan Narasimhamurthy
      Lakshminarasimhan Narasimhamurthy

      Hi Sander,

      Thanks for the documentation.

      I doubt if SAP has released any official document for the same. Also I went through the code and I have below query.

      1. In the query in few places you had used “tctauth   = ‘VIRTUAL_D'” and in other places you have used “tctauth   = ‘VIRTUAL'”. Are these just dummy assignments ? or do we need to create any custom Authorization object ?
      2. Usually the authorization variables are filled in i_step zero automatically or via customer exit variable in the i_step 1. In our case we need to create the query with authorization variable on profit center for this code to work?
      Author's profile photo Sander van Willigen
      Sander van Willigen
      Blog Post Author


      Let me try to answer your questions:

      1. 'VIRTUAL' and 'VIRTUAL_D' are virtual Analysis Authorization (or Analysis Security) objects. No classic persistent Analysis Authorization (or Analysis Security) objects are required.
      2. We do not need any Variable of type customer-exit (i_step = 0) in this scenario. Those Variables are required to include in classic persistent Analysis Authorization (or Analysis Security) objects. Variables of type authorization are still needed in the Query for any authorization-relevant Characteristics (so that part does not change!).

      Best regards,