Skip to Content

In SAP NetWeaver BW release 7.3 a new Analysis Authorizations BAdI was introduced: BAdI RSEC_VIRTUAL_AUTH_BADI as part of Enhancement Spot RSEC_VIRTUAL_AUTH. The authorized values or hierarchy nodes can be determined dynamically during query runtime. It does not require any Analysis Authorization objects and PFCG Roles. Virtual Authorizations can be used to enhance any existing “classic” authorization model. I.e. you do not have to make an exclusive choice for one or the other, both classic and virtual can be used simultaneously and complementary.

I would like to share my implementation experience with virtual Profit Center and Cost Center authorizations. Please refer to my blogs Virtual Analysis Authorizations – Part 1: Introduction for an introduction and Virtual Analysis Authorizations – Part 2: Solution Details for the solution details.

In this document I will provide you with detailed implementation instructions for creating the control tables and their table maintenance views, implementing BAdI RSEC_VIRTUAL_AUTH_BADI and how to maintain the Implementing Class.

Please have a look here to download the attachment.

Step 1: Create Tables

SAP Menu: Tools > ABAP Workbench > Development > ABAP Dictionary

T/code: SE11

 

Create the following Tables and their corresponding Table Maintenance Dialog as shown in the screenshots:

  • ZBW_VIRTAUTH_HIE – Virtual Authorizations – Hierarchy;
  • ZBW_VIRTAUTH_VAL – Virtual Authorizations – Value;
  • ZBW_VIRTAUTH_DEF – Virtual Authorizations – Default Hierarchy.

 

The Delivery and Maintenance settings as shown in the next screenshot are applicable for all tables.

 

Figure_01_Delivery_Maintenance_Settings.jpg

Figure 1: Delivery and Maintenance Settings

 

Figure_02_Table_Hierarchy_Authorizations.jpg

Figure 2: Table Hierarchy Authorizations

 

Figure_03_Table Maintenance_Dialog_Hierarchy_Authorizations.jpg

Figure 3: Table Maintenance Dialog Hierarchy Authorizations

 

Figure_04_Table_Value_Authorizations.jpg

Figure 4: Table Value Authorizations

 

Figure_05_Table_Maintenance_Dialog_Value_Authorizations.jpg

Figure 5: Table Maintenance Dialog Value Authorizations

 

Figure_06_Table_Default_Hierarchy.jpg

Figure 6: Table Default Hierarchy

 

Figure_07_Table_Maintenance_Dialog_Default_Hierarchy.jpg

Figure 7: Table Maintenance Dialog Default Hierarchy

Step 2: Implement Enhancement Spot

SAP Menu: Tools > ABAP Workbench > Utilities > Business Add-Ins > Implementation

T/code: SE19

 

Implement Enhancement Spot RSEC_VIRTUAL_AUTH as shown in the screenshots.

 

Figure_08_Creating_an_Enhancement_Implementation_1.jpg

Figure 8: Creating an Enhancement Implementation (1)

 

Figure_09_Creating_an_Enhancement_Implementation_2.jpg

Figure 9: Creating an Enhancement Implementation (2)

 

Figure_10_Creating_an_Enhancement_Implementation_3.jpg

Figure 10: Creating an Enhancement Implementation (3)

 

As shown in the next screenshot you should either choose for Copy Sample Class or Empty Class.

 

Figure_11_Creating_an_Enhancement_Implementation_4.jpg

Figure 11: Creating an Enhancement Implementation (4)

 

Figure_12_Enhancement_Implementation_General_Settings.jpg

Figure 12: Enhancement Implementation – General Settings

 

Figure_13_Enhancement_Implementation_Implementing_Class.jpg

Figure 13: Enhancement Implementation – Implementing Class

 

If you previously chose for the option Empty Class, then don’t forget to implement method IF_RSEC_VIRTUAL_AUTHS~GET_AUTHS. Entering a comment will do for this moment.

Step 3: Maintain Class

SAP Menu: Tools > ABAP Workbench > Development > Class Builder

T/code: SE24

 

In Step 2 as part of the Enhancement Spot Implementation, Implementing Class YCL_RSEC_VIRTUAL_AUTHS was created without actual coding (in case of option Empty Class) or with samplecoding (in case of option Copy Sample Class). You now have to maintain the class to provide the appropriate coding.

Refer to the attached file YCL_RSEC_VIRTUAL_AUTHS_v2.txt. From here you can quite easily copy & paste the source code (part 1) and the descriptions (part 2).

To report this post you need to login first.

4 Comments

You must be Logged on to comment or reply to a post.

  1. Ivan Bakalov

    Hi Sander,

    and first of all thanks for the great blog posts on the topic!!

    One of the strong aspects of using analysis authorizations is that they apply to the whole system. Once such concept is successfully implemented, one need not worry, that someone would be able to see data they are not supposed to. It is also good for managing super-users, who can not overcome their authorization restrictions, by creating a new query for example.

    How would You characterize the virtual analysis authorization based on this criteria? If implemented, is it also applicable for the whole system? Does it require an explicit activation for this purpose or does the BAdI always get executed per default?

     

    (1) 
    1. Sander van Willigen Post author

      Hi Ivan,

      Thanks for your positive feedback.

      It is hard for me to completely understand your question or doubts. Let me try to give some comments.

      In my opinion you can consider using virtual analysis authorizations to enhance the authorization model. I.e. you can add analysis authorization objects in a virtual way to complement the existing model.

      You are entirely flexible and it offers very powerful functionality. Depending on the implementation it will be applicable system-wide unless otherwise programmed. However, it will be hard or impossible to revoke the 0BI_ALL authorization using virtual analysis authorizations. It is not unusual that super users have the 0BI_ALL authorization.

      One final remark: I suggest to cover the system authorization (e.g. authorization objects S_RS_COMP and S_RS_COMP1) in the classic way using PFCG roles.

      Best regards,

      Sander

      (0) 
  2. Christian Ortig

    Hi Sander,

    great Job.

    It seems that the YCL_RSEC_VIRTUAL_AUTHS_v1.txt attachment got lost while migration. Could you please provide the coding?

     

    Kind regards,

    Christian

     

    (1) 

Leave a Reply