SBS Series: Setting Authorization on InfoObject/Data Level in SAP BW
Often, we get the requirement to set authorization on our BW/BO reports like same report should show only user-relevant data. In this blog, I will take one requirement and will show you that how we can achieve this.
There are two type of end users in any organization who can view the data of same Bex Query differently as described below:
1 – Manager: They can view data for all Org Units
2 – Team Lead: They can view data for Org units on which they are assigned
First we will create role for user type “Manager”.
1- First make sure that the info object on which you need to set authorization is authorization-relevant or not.
2- List down all the Authorization-Relevant info objects which are used in the said Bex Query.
(It does not matter if you only want to restrict data on one info object. All authorization-relevant info objects included in said bex query need to be added in authorization role otherwise your query will throw “No Authorization” error on execution)
3- Go to t-code RSECADMIN to create authorization and click on “Ind. Maint.” at Authorization Tab.
4- Enter you Authorization Name and press CREATE button.
5- After entering descriptions, Press “Insert Special Character” button. This will add three info objects in your role which are MANDATORY for your role.
0TCAACTVT : Activity in Analysis Authorizations
0TCAIPROV : Authorizations for InfoProvider
0TCAVALID : Validity of an Authorization
6- Now add all the info objects which you have listed down in step number two above.
7- Now select the rows of info objects which you have added and press the two buttons highlighted in below image.
is the Aggregation Authorization button. Keyfigures in your query will be aggregated against the dimensions (Info objects) so if you have not given this aggregation authorization to all the infoobjects then your query will throw “Not Authorized” error.
This button will add the following value against your info objects.
This button will authorize you to view data against all the values in said info object and will add following highlighted value.
If you want to restrict data against specific value(s) then you will restrict here accordingly.
8 – These both values should be maintained for all the info Objects added in your authorization role otherwise “No Authorization” error will be thrown on query execution.
9- Now Activate this authorization as your authorization creation is complete.
10- Now create a role in PFCG and add this authorization.
11- And assign this role to the said user.
12- If you want to restrict any info object on specific value then you are not finished yet. You have to restrict the said info object in Bex Query with authorization Variable.
Sometimes your query will be throwing “No Authorization” error on execution but you will not be able o find the actual reason. Don’t worry we can debug the authorization and find out the actual reason.
1- Go to RSECADMIN and press “Execution as” in Analysis Tab.
2- Enter Username, check the “With log” option and press “Start Transaction” button.
3- It will execute the RSRT transaction. Execute the said Bex query here and on error press back button to come back to same screen shown in above step and press “Display Log” button. Go through the complete Log, you will find the actual reason.
Sometimes we get a requirement for which we create so many roles i.e. every user should be able to see only his/her orgunit data. What if there are 30 org units? Will you create 30 different roles?
Let me tell you how can you achieve this thing with just a single role. You need to create one “Customer Exit Variable” for the said info object and restrict it in your authorization role. You can add the variable by clicking on the highlighted button shown below.
Now code this customer exit variable as a regular customer exit in CMOD.
CASE i_vnam. WHEN 'ZORGUNIT_CE'. "Variable for Dynamic Authorization IF NOT sy-uname IS INITIAL. SELECT employee objvers dateto orgunit /bic/zuserid FROM /bi0/qemployee INTO TABLE lt_employee WHERE /bic/zuserid EQ sy-uname AND objvers EQ 'A' AND dateto EQ '99991231'. ENDIF. LOOP AT lt_employee ASSIGNING <fs_employee>. CLEAR: l_s_range. l_s_range-low = <fs_employee>-orgunit. l_s_range-sign = 'I'. l_s_range-opt = 'EQ'. APPEND l_s_range TO e_t_range_c. ENDLOOP. IF e_t_range_c IS INITIAL. l_s_range-low = ''. l_s_range-sign = 'I'. l_s_range-opt = 'EQ'. APPEND l_s_range TO e_t_range_c. ENDIF. ENDCASE.
Rest everything will remain same as shown in the Step by step process in start of this blog.
I hope this will help you a lot. 🙂