Financial Management Blogs by SAP
marc_roeder
Product and Topic Expert


We take a brief look at the authorization objects that need to be included in a PFCG role for a user who is only allowed to do the bare minimum in BPC embedded: open a report or input form in the web frontend.

We assume that the report or input form is defined on model myModel of the environment myEnvironment.


Consuming Global BW Reporting/Planning Queries


BW Analysis Authorizations


As BPC embedded extends BW in the sense that BW objects (queries etc.) can also be consumed in BPC embedded, it comes as no surprise that the BW analysis authorizations are needed.




















| Object | Remark |
|---|---|
| S_RS_AUTH | Analysis authorization objects as maintained in RSECADMIN. These can be extended by the BPC-specific concept of environment authorizations and Data Access Profiles. |
| S_RS_COMP | Authorizations by query component |
| S_RS_COMP1 | Authorization by query owner |




Data Access Profiles


The concept of analysis authorizations is extended by environment authorizations and Data Access Profiles (DAPs) in BPC.
As our objective is to build a minimal example, we would like to keep the analysis authorizations as configured in the BW backend. To do so, we have to configure a DAP for the model our input form or report lives on.
The resulting authorization for the user is calculated as the intersection of the RSECADMIN analysis authorizations and the DAP. So we create a DAP for myModel, assign our user to the DAP, and choose *-authorizations for all authorization-relevant dimensions of this DAP.

Note that DAPs are mandatory. Not configuring a DAP means "no authorization".


Authorizations for Library Access


























| Object | Value | Remark |
|---|---|---|
| S_USER_GRP | Act: 03 (Display); Class: <Dummy> | Required for opening reports/input forms. Also required for executing queries with authorization-relevant dimensions in an environment/model context (any client) |
| RSBPC_ID | App SetID: myEnvironment | Access (logon to) environment |
| RSBPC_WKSP | Act: 03 (Display); App SetID: myEnvironment; Folder: *; Resource Type: * | See folders, input forms, reports. |



If we want to be very strict, we can even restrict RSBPC_WKSP to Folder [PUBLIC] or [NON_PUBLIC]. Nonetheless, the user will always have read access to the team folders for all teams that he/she is a member of. Write access to team folders is determined by the “Team Lead” flag in the team maintenance UI.


Useful Extensions


Favorites


If our user should have the possibility to add input forms/reports to his/her favorites, we need to add:














| Object | Value | Remark |
|---|---|---|
| RSBPC_WKSP | Act: 23; App SetID: myEnvironment; Folder: <Dummy>; Resource Type: LINK | Allow things to be added to "favorites" |



 

Consuming Local Objects


If our user should have permission to consume data from local providers, the authorization for the respective BW-workspace needs to be added. The name of this workspace corresponds to the name of the BPC environment:














| Object | Value | Remark |
|---|---|---|
| S_RS_WSPAC | Act: 16 (Execute); Name: myEnvironment | Access to local providers of the environment |
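
A least-privilege check for such a role, added here as an example (not SAP code and not part of the original post): it compares a role's authorizations with the objects and values from the tables on this page and reports what is missing and what goes beyond them. The role structure and the sample role are constructed for illustration, the field names are the labels used on this page rather than SAP technical field names, and the analysis authorization objects are checked for presence only because the page gives no values for them.

```python
def baseline(env, favorites=False, local_providers=False):
    """Authorizations this page lists for opening a report/input form in env."""
    auths = [
        ("S_RS_AUTH", {}), ("S_RS_COMP", {}), ("S_RS_COMP1", {}),  # presence only
        ("S_USER_GRP", {"Act": {"03"}, "Class": {"<Dummy>"}}),
        ("RSBPC_ID", {"App SetID": {env}}),
        ("RSBPC_WKSP", {"Act": {"03"}, "App SetID": {env},
                        "Folder": {"*"}, "Resource Type": {"*"}}),
    ]
    if favorites:  # optional extension: add items to favorites
        auths.append(("RSBPC_WKSP", {"Act": {"23"}, "App SetID": {env},
                                     "Folder": {"<Dummy>"}, "Resource Type": {"LINK"}}))
    if local_providers:  # optional extension: local providers of the environment
        auths.append(("S_RS_WSPAC", {"Act": {"16"}, "Name": {env}}))
    return auths


def covers(grant, need):
    """True if grant supplies what need asks for; '*' in need accepts any value."""
    return all(grant.get(f) and ("*" in want or "*" in grant[f] or want <= grant[f])
               for f, want in need.items())


def within(grant, allowed):
    """True if grant gives nothing beyond allowed; '*' in allowed is no bound."""
    return all("*" in allowed.get(f, {"*"}) or vals <= allowed[f]
               for f, vals in grant.items())


def audit(role, expected):
    """Return (missing, excess) for a role given as [(object, {field: values})]."""
    missing = [(o, need) for o, need in expected
               if not any(ro == o and covers(g, need) for ro, g in role)]
    excess = [(ro, g) for ro, g in role
              if not any(o == ro and within(g, a) for o, a in expected)]
    return missing, excess


# Constructed sample role (not from a real system); values omitted where the page gives none.
SAMPLE_ROLE = [
    ("S_RS_AUTH", {}), ("S_RS_COMP", {}),  # S_RS_COMP1 deliberately left out
    ("S_USER_GRP", {"Act": {"03"}, "Class": {"<Dummy>"}}),
    ("RSBPC_ID", {"App SetID": {"*"}}),  # wider than the one environment needed
    ("RSBPC_WKSP", {"Act": {"03"}, "App SetID": {"myEnvironment"},
                    "Folder": {"[PUBLIC]"}, "Resource Type": {"*"}}),
]

if __name__ == "__main__":
    print(audit(SAMPLE_ROLE, baseline("myEnvironment")))
```

For the sample role the check reports S_RS_COMP1 as missing and the `*` on RSBPC_ID as excess; the RSBPC_WKSP entry restricted to [PUBLIC] passes because a narrower folder is still within the baseline.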


