Author: Jakub Krolak

Using SAP BW authorization relevant InfoObject in SAP Profitability and Performance Management 3.0 – more complex scenarios

In the previous blog post about SAP BW authorizations, my friend guided you step by step through managing the Analytic Authorization of an InfoObject and using it in the query function of SAP Profitability and Performance Management 3.0 (SAP PaPM). In this part I will focus on more complex scenarios and on how you can use this kind of authorization at query level.

If you haven't read his blog post about simple cases of BW authorization usage in SAP PaPM, I encourage you to visit that one first before continuing with the next section of this blog post.

First of all, let's look at the more complex restrictions that can apply at query level. Let us assume that the user is restricted not on one characteristic but on several. In this example those characteristics are Company code: YBW_COMP, Country: /NXI/CNTR and Version: 0VERSION.

As you can see, the characteristics cover all the possible technical naming conventions: a standard one (0VERSION), one delivered with a certain product/add-on (/NXI/CNTR) and one created by the user (YBW_COMP). Additionally, we added one key figure: YQA_AMT. In the end, the data in the Model Table function looks like this:

Fig. 1. Transactional data saved in model table function

In the screenshot above, you can find the following values for each characteristic:

  • Company code: CC_A, CC_B and CC_C
  • Version: 1, 2 and 3
  • Country: US, DE and PL

A side note regarding the authorization user, DBW_ATH_PAPM: its authorizations for these more complex scenarios are maintained as shown in the screenshot (from RSECADMIN) below:

Fig. 2. SAP BW authorization assignment for particular user (RSECADMIN)

Now back to the Model Table: let's create a query on top of it. But which results will the query show? The query shows data according to the authorizations, meaning it shows the common part of the authorized values, as visualized in the figure below:

Fig. 3. Visual representation of the common part of the chosen authorizations

In other words, the data shown is filtered as follows: (Company: CC_A OR CC_B) AND (Country: US) AND (Version: 1 OR 2).

Note:

When you create a query, remember that each authorization-relevant characteristic needs to have its variable set to: Authorization.

Fig. 4. SAP PaPM query definition with “Authorization” variable

If you forget to do that, you will get this message:

Fig. 5. An error message (SAP PaPM view)

Let us analyze the results of the query:

Fig. 6. Query results (SAP PaPM view) when using SAP BW reporting authorization

As you can clearly see, the query results match what I stated earlier. The query displays only the records that match the filters imposed by the authorizations.

But how about displaying the records of a Model Table or Model BW function via the Analyze screen? Let's try it:

Fig. 7. SAP PaPM Model table function output when using SAP BW reporting authorization from our example

You will get a message that you are not authorized to display the results of that InfoProvider. But why? To answer that question, let us look at what the Analyze button tries to display. When you do the same thing with a user that has no restrictions, the data is displayed as follows:

Fig. 8. SAP PaPM Model table function output when using no restriction for SAP BW reporting authorization

As you can see, by default the results shown are created by aggregating the key figure (or all of the key figures used). Since our DBW_ATH_PAPM user is not authorized to display all of the characteristics' values or the aggregated key figure value, we must attach aggregation authorizations to that user to be able to display that kind of data in Analyze. You can create them as I explained in the first part of my blog, but instead of giving a precise value, you need to fill the field with the colon sign “:” as shown in the screenshot below.

Fig. 9. Definition of SAP BW “aggregation” authorization

You can create these aggregation authorizations for all 3 characteristics from our example and add them to your user. Then we can try to Analyze the Model Table function again:

Fig. 10. SAP PaPM Model table function output when using SAP BW reporting authorization from our example extended by SAP BW “aggregation” authorization

Nevertheless, you still cannot freely add a characteristic to the rows/columns, because we have restrictions on the values of those characteristics. When you add Company code to the rows, you will get a message that you are not authorized to display it. The only way to display those values is to filter them according to your authorizations; e.g. we will be able to see CC_A for company code:

Fig. 11. SAP PaPM Model table function output when using SAP BW reporting authorization (filtering data to authorized values)

Note:

You may ask: why doesn't the system automatically filter the data according to those authorizations? When we run Analyze, PaPM tries to display all of the InfoProvider's data in aggregated form and doesn't know whether you want to display those values or not. Remember that the only way to pass information about variables is the query function. This is why it is important to select authorization variables on the authorization-relevant characteristics in the query definition.
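
The behaviour described in this section, as an added toy model in Python (not SAP code and not part of the original post): a query with Authorization variables narrows the selection to the authorized values, while Analyze checks the request as a whole and needs the “:” authorization for every characteristic it aggregates. The sample rows, the function names and the rule that an aggregated characteristic contributes all of its values are assumptions.

```python
# Toy model of the checks described in this post (not SAP code).
ROWS = [  # constructed sample records: (YBW_COMP, /NXI/CNTR, 0VERSION, YQA_AMT)
    ("CC_A", "US", "1", 100), ("CC_A", "DE", "1", 40),
    ("CC_B", "US", "2", 70), ("CC_B", "US", "3", 15),
    ("CC_C", "US", "1", 55), ("CC_C", "PL", "3", 20),
]
CHARS = ("YBW_COMP", "/NXI/CNTR", "0VERSION")

# Authorized values of DBW_ATH_PAPM, taken from the filter stated in the post.
VALUE_AUTH = {"YBW_COMP": {"CC_A", "CC_B"}, "/NXI/CNTR": {"US"}, "0VERSION": {"1", "2"}}
# The same user after the ":" (aggregation) authorizations have been added.
WITH_AGGREGATION = {c: v | {":"} for c, v in VALUE_AUTH.items()}


def run_query(rows, auth):
    """Query with "Authorization" variables: the selection is narrowed to the
    authorized values, OR within a characteristic and AND across them."""
    return [r for r in rows
            if all(r[i] in auth[c] for i, c in enumerate(CHARS))]


def analyze(rows, auth, filters=None):
    """Analyze without variables: the request is checked as a whole.
    A filtered characteristic needs every filter value authorized; an
    unfiltered one is aggregated and needs ":". Nothing is narrowed."""
    filters = filters or {}
    for c in CHARS:
        wanted = filters.get(c)
        if wanted is None and ":" not in auth[c]:
            raise PermissionError(f"no aggregation authorization for {c}")
        if wanted is not None and not wanted <= auth[c]:
            raise PermissionError(f"unauthorized values requested for {c}")
    # Assumption: an aggregated characteristic contributes all of its values.
    return sum(r[3] for r in rows
               if all(r[i] in filters.get(c, {r[i]}) for i, c in enumerate(CHARS)))


def is_denied(rows, auth, filters=None):
    """True when analyze() rejects the request for this user."""
    try:
        analyze(rows, auth, filters)
        return False
    except PermissionError:
        return True
```
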

To exhaust the topic of authorizations on characteristics we must mention one more: the hierarchy authorization. As you know, a characteristic's hierarchy can be displayed when analyzing a query. You can provide this information in the query definition:

Fig. 12. SAP PaPM query definition with hierarchy in the rows

So, when you Analyze the query with no values restricted by authorizations, you will see these results:

Fig. 13. SAP PaPM query output when using hierarchies in the rows

The hierarchy for Company code has the following definition:

Fig. 14. SAP PaPM hierarchy definition for characteristic/field “Company code”

OK, so how can you maintain an authorization at a specific hierarchy node level? It is pretty simple: go to RSECADMIN and create such an authorization, but it needs to be a hierarchy authorization, as shown in the screenshot below:

Fig. 15. SAP BW hierarchy authorization definition

So, as you would expect, user DBW_ATH_PAPM with such authorizations will be able to display only the values under the specific hierarchy node, in this case N03:

Fig. 16. SAP PaPM query output when using hierarchies authorization in query definition

Key figures can also be restricted by authorizations, so that some people see only their authorized key figures on the same query/report. An authorization for a specific key figure should look like this:

Fig. 17. SAP BW key figure authorization definition

And for the technical InfoObject 0TCAKYFNM you can select the technical name of the key figure that you want to authorize:

Fig. 18. SAP BW key figure authorization definition for key figure “YQA_AMNT”

This means that the user will only be able to see values for that specific key figure. So, let's have a look at the SAP PaPM Environment and create a simple example with two characteristics and two key figures. This is the Analyze screen in SAP PaPM for a user with authorizations for all characteristic values and key figures:

Fig. 19. SAP PaPM query output for user with no authorization restriction

For our DBW_ATH_PAPM user, we restrict the authorizations to the key figure Net result – YQA_AMT only. As you can see, the key figure Quantity is not available for this user to analyze.

Fig. 20. SAP PaPM query output for user with authorization restriction to key figure “Net result – YQA_AMT”

You can see that using BW authorizations is not that difficult, and I think you will be able to re-create these examples on your system. I strongly encourage you to try it yourself and build examples that combine all of the authorizations mentioned in this blog and in the previous part.

In the next blog I will go through other SAP Profitability and Performance Management functions that can use BW authorizations, so watch out!

      5 Comments
      Philipp Sathasivam

      Hi Jakub,

      Very nice article. Is it possible to depict BW authorizations in another function type than in a query?

      Regards, Philipp

      Jakub Krolak
      Blog Post Author

      Hi Philipp,

      It is also possible to use it in the writer function type planning. Please stay tuned for the 3rd part of this blog related to BW authorizations.

      Best Regards,
      Jakub Krolak

      Denis Vikhrev

      Hi Jakub Krolak,

      Thanks for your articles.

      Do you know if PaPM query authorizations support customer $variables instead of hardcoded values (CC_C, CC_A)? In this case, the auth check will run a customer exit ABAP to derive the authorization value from the setting table on the fly. This technique is very helpful when you have many users with all different authorization combinations since you can maintain one single table instead of multiple roles.

      Best regards, Denis

      Denis Vikhrev

      Hi Andrzej Jedrzejczyk,

      Maybe you know if the BW authorization check works for PaPM with a $variable instead of a hardcoded value?

      Best regards, Denis

      Andrzej Jedrzejczyk

      Hi Denis,

      Yes, it works with variables of type "authorization" for Environment Queries, the same functionality as in SAP BW. Such a variable is defined on the SAP PaPM query function.

      Regards

      Andrzej