We take a brief look at the authorization objects that need to be included in a PFCG role for a user who is only allowed to do the bare minimum in BPC embedded: opening a report or input form in the web frontend.

We assume that the report or input form is defined on model myModel of the environment myEnvironment.

Consuming Global BW Reporting/Planning Queries

BW Analysis Authorizations

Because BPC embedded extends BW, in the sense that BW objects (queries etc.) can also be consumed in BPC embedded, it comes as no surprise that the BW analysis authorizations are required.

| Object | Remark |
|---|---|
| S_RS_AUTH | Analysis authorization objects as maintained in RSECADMIN. These can be extended by the BPC-specific concept of environment authorizations and Data Access Profiles. |
| S_RS_COMP | Authorizations by query component |
| S_RS_COMP1 | Authorization by query owner |

Data Access Profiles

The concept of analysis authorizations is extended by environment authorizations and Data Access Profiles (DAPs) in BPC.
As our objective is to build a minimal example, we would like to keep the analysis authorizations as configured in the BW backend. To do so, we have to configure a DAP for the model our input form or report lives on.
The resulting authorization for the user will be calculated as the intersection of the RSECADMIN analysis authorizations and the DAP. So we create a DAP for myModel, assign our user to the DAP and choose *-authorizations for all authorization-relevant dimensions of this DAP.

Note that DAPs are mandatory. Not configuring a DAP means “no authorization”.
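The intersection rule and the mandatory-DAP rule can be pictured with a small model. This is an added example, not SAP code and not part of the original post: it treats each authorization as a set of single values per dimension (no ranges or hierarchies), and the dimension names and values are constructed for illustration.

```python
WILDCARD = "*"

def intersect_dimension(bw_values, dap_values):
    """Intersect the allowed values of one dimension; '*' means all values."""
    if WILDCARD in bw_values:
        return set(dap_values)
    if WILDCARD in dap_values:
        return set(bw_values)
    return set(bw_values) & set(dap_values)

def effective_authorization(bw_auth, dap):
    """Return {dimension: allowed values}, or None for "no authorization".

    bw_auth: RSECADMIN analysis authorization as {dimension: set of values}
    dap:     Data Access Profile for the model in the same shape,
             or None when no DAP is configured for the user.
    """
    if dap is None:
        # DAPs are mandatory: no DAP means no authorization at all.
        return None
    result = {}
    for dim, bw_values in bw_auth.items():
        # Assumption of this model: a dimension absent from the DAP grants nothing.
        result[dim] = intersect_dimension(bw_values, dap.get(dim, set()))
    return result

# Constructed sample data (hypothetical dimensions and values).
BW_AUTH = {"COMPANY": {"1000", "2000"}, "VERSION": {"*"}}
DAP_STAR = {"COMPANY": {"*"}, "VERSION": {"*"}}               # the minimal setup
DAP_NARROW = {"COMPANY": {"1000", "3000"}, "VERSION": {"PLAN"}}

if __name__ == "__main__":
    # A *-DAP leaves the BW analysis authorization unchanged.
    print(effective_authorization(BW_AUTH, DAP_STAR))
    # A narrower DAP can only remove access, never add it (3000 is not granted).
    print(effective_authorization(BW_AUTH, DAP_NARROW))
    # Forgetting the DAP locks the user out despite the BW authorization.
    print(effective_authorization(BW_AUTH, None))
```
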

Authorizations for Library Access

| Object | Value | Remark |
|---|---|---|
| S_USER_GRP | Act: 03 (Display); Class: <Dummy> | Required for opening reports/input forms. Also required for executing queries with authorization-relevant dimensions in an environment/model context (any client). |
| RSBPC_ID | App SetID: myEnvironment | Access (logon to) environment |
| RSBPC_WKSP | Act: 03 (Display); App SetID: myEnvironment; Folder: *; Resource Type: * | See folders, input forms, reports. |

If we want to be very strict, we can even restrict RSBPC_WKSP to Folder [PUBLIC] or [NON_PUBLIC]. Nonetheless, the user will always have read access to the team folders for all teams that he/she is a member of. Write access to team folders is determined by the “Team Lead” flag in the team maintenance UI.

Useful Extensions

Favorites

If our user should be able to add input forms/reports to his/her favorites, we need to add:

| Object | Value | Remark |
|---|---|---|
| RSBPC_WKSP | Act: 23; App SetID: myEnvironment; Folder: <Dummy>; Resource Type: LINK | Allow things to be added to “favorites” |


Consuming Local Objects

If our user should have permission to consume data from local providers, the authorization for the respective BW-workspace needs to be added. The name of this workspace corresponds to the name of the BPC environment:

| Object | Value | Remark |
|---|---|---|
| S_RS_WSPAC | Act: 16 (Execute); Name: myEnvironment | Access to local providers of the environment |
