Hi, in the post I would like to demonstrate a possibility of creation SAP BW authorization restrictions based on Open ODS view fields.
I am using BW/4HANA SP04 for demo, but as I know this option availible from NW BW 7.4 on HANA.
I am going to use Sales Table from one of my previous posts. It contain only 12 records with Sales Id, Manager, Product, Date and Volume. For more information see here.
- Create Open ODS view based on DB Table ZSALES. This table is in HANA system of BW/4.
2. Analyse query result with full authorizations. All data are shown.
3. Switch Manager field to Authorization relevant. Please note that I am not using any characteristics here, just fields.
4. Execute query once again and get authorization error. So check is working.
5. Create an new authorization object (rsecadmin) and create a new role with standard BW objects (pfcg).
- For demo purpose include only 1 and 3 manager.
- Colon (:) – for by available to summary result if authorization object in not in drill-down.
- 3 0TCA* characteristics also included in authorization object ZSALES.
Add this object with S_RS_AUTH to the role.
6. Create test user and assign the role to it.
7. Modify query in BWMT
- Create input-ready authorization variable with default values 1 and 3
- Add restriction filter to the query
8. Run query again and see data results. Enter multiple values 1, 3 in the variable.
9. Check colon (:) authorization, remove manager from drill-down and change input of variable nothing (no restriction). Notify that Result quantity was changed. Now sales quantities of manager 2 are also included.
I demonstrate a standard SAP BW authorization functionality based on Open ODS fields. It is very similar to approach with info-objects.
Why is it important?
- With field-based modeling approach you could not only prototyping very fast, but create a real user reports which almost always need to be properly restricted.
- You don’t need integrated data first and create report after, instead you could start from field based Open ODS views and if needed (for example, due to performance) generate data flow and a persistent data model (aDSO). It is much more agile approach compared to a classical SAP BW approach.
- Creation of info-objects just for using BW authorization concept is not mandatory anymore.
- Even if data are externally managed and SAP BW only get virtual access to it, you could make authorizations control in SAP BW.
- Now Open ODS views can’t be defined for hierarchies as a consequence hierarchical authorizations not available.
Thank you for attention!