Below is an example of the methodology on how to build a security model for SAP BW using Customer Exit and Analysis Authorizations.  Edit where necessary for your particular project.

Create a Z-table in the BW systems: ZCOUNTRY_USER



Use SM30 to add the appropriate mappings to this table.  This should only be completed by the security team as this mapping will allow users entered into the table to see the corresponding countries they are assigned to.



Create a BEx Variable of Processing By “Customer Exit”.  Note: You will not add this variable into the query.



When a BW Query with ZSLDTO_EX_REG authorization variable in it is executed, it will pull values taken from the Exit variable.

To input cmod code for the exit access the include for CMOD Project: #### (choose the Project for your project)



and Component EXIT_SAPLRRS0_001



and inside INCLUDE: ZXRSRU01

Insert the following code:

*** Declarations for Security Customer Exit ZSLDTO_EX_REG ***
DATA: it_zcountry_user TYPE STANDARD TABLE OF zcountry_user,
wa_zcountry_user TYPE zcountry_user.
DATA: low_country like loc_var_range-low.
*** End of Declaration for Security Customer Exit ***

&

NOTE: Using i_step 0 was found to be a better fit in this particular case but i_step 1 can also be used in customer exits used to fill authorization values. Test both out to find the best fit for the requirements.

* This code will perform the security lookup for Country (0COUNTRY) based upon the user --> country mapping in the table ZCOUNTRY_USER.
WHEN 'ZSLDTO_EX_REG'.
DATA: l_uname type xubname.

IF i_step EQ '0'.
CALL FUNCTION 'RSEC_GET_USERNAME'
IMPORTING
e_username = l_uname.
REFRESH it_zcountry_user.
SELECT * FROM zcountry_user INTO TABLE it_zcountry_user WHERE uname = l_uname.
IF sy-subrc = 0.
LOOP AT it_zcountry_user into wa_zcountry_user.
CLEAR l_s_range.
l_s_range-low  = wa_zcountry_user-country.
l_s_range-sign = 'I'.
l_s_range-opt  = 'EQ'.
APPEND l_s_range TO e_t_range.
CLEAR wa_zcountry_user.
ENDLOOP.
ENDIF.
ENDIF.

 

 

&

Note: This step is optional and should only be used if you want to display the variable on the variable screen (ready for input on variable definition).

 

*** Validation on BW Security - Variable Screen
IF i_step EQ '3'.
LOOP AT i_t_var_range INTO loc_var_range WHERE vnam = 'ZSLDTO_EX_REG'.
CLEAR: l_s_range.
low_country = loc_var_range-low.

*** Get values if stored in custom mapping table ***
SELECT SINGLE * FROM zcountry_user INTO wa_zcountry_user
WHERE country EQ low_country AND uname EQ sy-uname.

IF sy-subrc NE 0.
CALL FUNCTION 'RRMS_MESSAGE_HANDLING'
EXPORTING
i_class  = 'RSBBS'
i_type   = 'E'
i_number = '000'
i_msgv1  = 'No authorization for Country - '
i_msgv2  = loc_var_range-low
i_msgv3  = ' , Enter different Country or request access.'
i_msgv4  = sy-uname
EXCEPTIONS
OTHERS   = 2.
* raise the exception
RAISE again.
ENDIF.
ENDLOOP.
ENDIF.

Refer to OSS Note 1561635 as this was used to base the code on.

Assign the variable ZSLDTO_EX_REG to the Analysis Authorization Z_GD_COUNTRY by clicking the Variable button or by putting a $ sign in front of the variable technical name.



When the Z_GD_COUNTRY Analysis Authorization is assigned to the user (or role for more broad access), it will pull the data from the ZTABLE mentioned above even though that variable is not in the query, the analysis authorization sees the exit variable and executes it prior to i_step 1, 2 or 3.

Next step is to create the second variable for the authorization.



This is the variable that needs to be assigned to the query for Sold-To Country.  This variable can be made “ready for input” or not, depending upon the requirements needed.