Skip to Content

Analysis Authorization Simplified (Part 1)

Applies to:

SAP BW 7.x system, for more information, visit the Business Intelligence, https://help.sap.com/saphelp_nw73ehp1/helpdata/en/b2/e50138fede083de10000009b38f8cf/frameset.htm

Author Bio

Lakshminarasimhan Narasimhamurthy is BW certified and ABAP certified consultant and worked on multiple implementation, development and support project’s within India and outside of India. He has worked for fortune 500 clients like Nestle, Warner Bros, GCC, General Electric etc. He is strong in BW, BW related ABAP, HANA modeling, BW-HANA modeling, BODS and BO/BI tools like WEBI, Design Studio, IDT and Lumira.

Summary:

This document shows the steps to be followed while implementing authorization is SAP BW system. The data stored in the InfoProvider and it is made visible to the end user via BEx query.  For any organization having global presence likely to have multiple company codes, plants, sale org etc. We need to authorize or restrict the user to look into the data to which they are responsible for.

Ex: When running “Purchase order quantity report” (0PUR_C01_Q0011) the user needs to see only to the plants he is confined to and not others.

Details:

Following are the steps that need to be followed to enable the authorization. To make the explanation simple, I will be explaining using an example.  When running “Purchase order quantity report” (0PUR_C01_Q0011) the user needs to see only to the plants he is confined to and not others.

As the first step, make sure that the given below InfoObject’s are “Authorization Relevant”,

* 0PLANT                Plant

* 0TCAACTVT       Activity in Analysis Authorizations

* 0TCAIPROV        Authorizations for InfoProvider

* 0TCAVALID         Validity of an Authorization is made authorization relevant

* 0TCTIFAREA      InfoArea

Untitled.png

If the 0Plant is not “Authorization Relevant”, just click the “Check box” and make it authorization relevant and do the same for all the InfoProvider’s 0TCAACTVT, 0TCAVALID, 0TCAIPROV, 0TCTIFAREA.

0TCAACTVT  – This defines the activity of authorization either Display or Change.

0TCAVALID    – This defines the validity (Time Period) of the authorization (From date and till date)

0TCAIPROV  – This defines the Authorizations for InfoProvider. We can specify the list of  InfoProvider’s  upon which the report lies.

0TCTIFAREA – This defines the Authorizations for InfoArea.

Then login into the “Analysis Authorization”, t-code RSECADMIN

/wp-content/uploads/2016/07/pic_994221.jpg

Select the “Ind. Maint.”(Individual Maintenance).

We have the “0BI_ALL” authorization delivered by SAP. As the name says, this authorization gives access to everything!!!

Now copy the 0BI_ALL to ZBI_PUR

/wp-content/uploads/2016/07/pic_994221.jpg

After copying then edit the “ZBI_PUR” to retain only the required objects.

/wp-content/uploads/2016/07/pic_994221.jpg

/wp-content/uploads/2016/07/pic_994221.jpg

Now click in the “Intervals” of 0PLANT InfoObject

/wp-content/uploads/2016/07/pic_994221.jpg

We have the following options,

  • Single value (This is what we have used in previous screen shot)
  • Between
  • Contains Pattern

/wp-content/uploads/2016/07/pic_994221.jpg

Now click in the “Intervals” of 0TCAACTVT InfoObject and select the display option(03)

/wp-content/uploads/2016/07/pic_994221.jpg

Now click in the “Intervals” of 0TCAIPROV InfoObject and select the InfoProvider 0PUR_C01.

(We are selecting the InfoProvider(s) on which the BEx query is dependent on).

/wp-content/uploads/2016/07/pic_994221.jpg

Now click in the “Intervals” of 0TCAVALID InfoObject and select the value *.

(* assures that the validity is valid for ever. If required the time intervals can be specified).

/wp-content/uploads/2016/07/pic_994221.jpg

Now click in the “Intervals” of 0TCTIFAREA and specify values of the InfoArea.

/wp-content/uploads/2016/07/pic_994221.jpg

Now that all the parameters are filled and activated

/wp-content/uploads/2016/07/pic_994221.jpg

Now create a single role in PFCG

/wp-content/uploads/2016/07/pic_994221.jpg

Click on “Change Authorization Data”

/wp-content/uploads/2016/07/pic_994221.jpg

/wp-content/uploads/2016/07/pic_994221.jpg

/wp-content/uploads/2016/07/pic_994221.jpg

/wp-content/uploads/2016/07/pic_994221.jpg

Select the “Edit” button and add the “Analysis Authorization” we have created before.

/wp-content/uploads/2016/07/pic_994221.jpg

Enter the value” ZBI_PUR” and Save

/wp-content/uploads/2016/07/pic_994221.jpg

/wp-content/uploads/2016/07/pic_994221.jpg

Now add the following authorizations too,

  • S_RS_COMP
  • S_RS_COMP1
  • S_RFC

S_RFC is required to login into the BW system from BEx.

S_RS_COMP & S_RS_COMP1 is required to add the BEx Queries.

/wp-content/uploads/2016/07/pic_994221.jpg

/wp-content/uploads/2016/07/pic_994221.jpg

Now this role is assigned to my user “TEST_MM”

/wp-content/uploads/2016/07/pic_994221.jpg

Now we can have created authorization then assigned it to a role and this role is assigned to the user. Let’s test the user. We can test any user authorization from RSECADMIN.

Go to RSECADMIN and then select the tab “Analysis” and select the button “Execution as”

/wp-content/uploads/2016/07/pic_994221.jpg

Specify the user name and test the report using the t-code RSRT

/wp-content/uploads/2016/07/pic_994221.jpg

Give the query name and execute

/wp-content/uploads/2016/07/pic_994221.jpg

In the BEx query, plant is the input variable

/wp-content/uploads/2016/07/pic_994221.jpg

Now I have specified value 2006, which the user is authorized. So the query executes.

/wp-content/uploads/2016/07/pic_994221.jpg

I again executed the query with different value 2005.

/wp-content/uploads/2016/07/pic_994221.jpg

Now as expected the query throws the below message,

/wp-content/uploads/2016/07/pic_994221.jpg

So our results are positive. We have successfully tested the authorization.

Please continue to read part 2 of this document…

12 Comments
You must be Logged on to comment or reply to a post.
  • Hello LakshmiNarasimhan,

    Thanks for sharing the document. Mighty useful.

    Can you post some documents on troubleshooting BI Analysis Authorization Issues please.

    Regards,

    Rakesh Ram M

  • HI,

    Can anyone please let me know what EQ represents, suppose say if it is Maintained as value "*" what does it states? what all a user can have access to? give me any case or real time scenario on this.

    Thanks in advance for the support.

    Amith

    • Hello Amith,

      In the context of BW Analysis Authorizations, the operator EQ is used to assign single/specific authorization values. For generic assignments, such as *, you should use the CP operator (CP = Contains Pattern). For example, CP then US* could be used to assign all values having US as the first two character values. For complete access to all values you should use CP * instead of EQ *

      Good luck!

      Regards

       

    • Analysis authorisation has not changed for BW4HANA 2.0 SP4. but the objects have changed multiprovider replaced with composite provider, cube with ADSO etc. Also you can check the virtual authorisation

  • Hi Lakshminarayana,

    your document is very helpful.

    can you help me answer my question.

     

    Is it possible to display the data for the authorized plants without specifying the values?

    For example: If I have authorization to plant 2006 and 2007, whenever i execute the query it should display the output for only those plants without prompting me for values selection.

     

    Likewise, whoever has authorization to this query with respective plant values whenever the query is executed the output must display the results with respective plant values only.

     

    Regards

    Srujan

     

    • Hi Srujan,

      Yes its possible. You can create two Analysis Authorization objects on Plant and in that Analysis authorization for Plant InfoObject you can restrict 2006 and in the other analysis authorization restrict Plant to 2007.

      Now create two more roles and assign each analysis authorization to respective role. And in each of the role assign the users who should see only data for Plant 2006 and in the other with users for Plant 2007.

      When the user runs the query he will see data for the role for which he has got access to that is either 2006 or 2007.

      Regards,

      Pavan.