Creating and Assigning Authorization in BW
In the past I created a blog post describing the Infoobjects Level authorizations:
SAP BW Authorization – InfoObjects level authorization
Now I will focus on creating and assigning authorization to BW:
To create analysis authorization perform the following steps:
1. Use TCode RSECADMIN, go to the Authorizations tab.
2. Press Maint. button and enter a name (e.g., Z_USR_A1) and press Create.
3. Fill required Short Text field.
4. Insert special characteristics: 0TCAACTVT, 0TCAIPROV, and 0TCAVALID by pressing Insert Special Characteristics button.
5. Insert authorization-relevant characteristics and navigational attributes (Insert Row -> press F4 -> choose item). I described how to set in my previous blog SAP BW Authorization – InfoObjects level authorization.
6. Press Details button to restrict values and hierarchy authorization of inserted items.
7. Save the authorization.
You must include special characteristics: 0TCAACTVT (activity), 0TCAIPROV (InfoProvider), and 0TCAVALID (validity) in at least one authorization for a user. They are used for:
- 0TCAACTVT – to restrict the authorization to activities, default value: Display;
- 0TCAIPROV – to restrict the authorization to InfoProviders, default value: all (*);
- 0TCAVALID – to restrict the validity of the authorization, default value: always valid (*).
If you want to authorize access to key figures, add 0TCAKYFNM characteristic to the authorization. It is important to know that if this characteristic is authorization-relevant, it will be always checked during query execution.
The 0BI_ALL authorization includes all authorization-relevant characteristics. It is automatically updated when you restrict an infoobject. Use this authorization if you have users that are allowed to execute all queries.
Assigning authorization to a user
You may assign authorization directly to a user or to a role. To assign authorization directly use TCode RSECADMIN, go to the User tab and press Assign. Now enter the user name, pressChange and select the authorization. To assign authorization to the role use TCode PFCG, enter the role name and press Change. Using Authorization tab change authorization data by adding S_RS_AUTH entry. The entry includes analysis authorization in roles. Enter here authorization that you previously created.
I encourage you to collect all requirements related to BW security, structure of the organization and authorization needs before starting authorization preparation. I have learned that it can save a lot of time. Organization’s hierarchy can facilitate your work by providing structures and levels of authorization. Indirect authorization assignment can also save your time because it is more flexible and easier to maintain.