How to restrict Query View creation authorization from user roles
In this blog I will explain how to deactivate the Query View creation authorization from user roles. To achieve this, along with the modifications in the user roles, we need to maintain a parameter manually to enable the restriction.
Step 1: Identify the roles which uses the query.
Step 2: Go to T-Code PFCG and open the role to be modified.
Step 3: Go to the Authorizations tab, and click on the button Display Authorization Data (bottom left)
Step 4: In the next window, all the authorizations pertaining to the role will be displayed. Expand the nodes -> Business Warehouse -> Business Explorer Components (highlighted).
Step 5: Click on beside Type of a reporting component node and deselect Query View from the pop-up list. Other selections should be done as per business requirement. In this example, I have given access only to the query.
Though the aforementioned steps should be sufficient to revoke access, many a times this does not work. In that case, perform the additional steps as below.
Step 6: Check if the correct support package (as per the list below) is implemented in your system. If not you need to first import the support package before proceeding to the further steps.
SAP NW BW 7.00 – SP29
SAP NW BW 7.01 – SP 12
SAP NW BW 7.02 – SP 12
SAP NW BW 7.11 – SP 10
SAP NW BW 7.30 – SP 08
SAP NW BW 7.31 – SP 04
(In case, you want to check Support Package in more details please refer to the SAP Note 1639960.)
Step 7: If the correct Support Package exists, go to SE38, give the program name as SAP_RSADMIN_MAINTAIN and click on execute.
Step 8: In the next screen, give the object name as ‘OSD_CHECK_VIEW_AUTHORIZATION’, value as ‘X’, check the INSERT radio button & click on execute.
Step 9: Check the RSADMIN table to see if this value is maintained in the table.
After performing all these steps, try creating a query view using a test user for the role you have just modified. It will abort the creation and throw an authorization error.