Using SAP BW authorization relevant InfoObject in SAP Profitability and Performance Management 3.0 – more complex scenarios
In previous blog about SAP BW Authorizations, my friend guided you step by step how to manage Analytic Authorization of an InfoObject and how you can use it in query function of SAP Profitability and Performance Management 3.0 (SAP PaPM). In this part I will focus about showing you how to create more complex scenarios and how you can use this kind of authorizations on query level.
If you didn’t check his blog post about simple cases of BW authorization usage in SAP PaPM, I encourage you to visit this one first before continuing with the next section of this blog post.
First of all: let’s have a quick presentation of more complex choices that you can display on query level. Let us assume that user has restrictions not only for one characteristic, but on few of them. In this example those characteristics will be: Company code: YBW_COMP, Country: /NXI/CNTR and Version: 0VERSION.
As you can see, we have characteristics with all possible technical naming conversion including standard one: 0VERSION, Characteristics delivered with certain product/add-on: /NXI/CNTR and created by user: YBW_COMP. Additionally we added one key figure: YQA_AMT. In the end, the data in Model Table function will look like this:
In the screenshot above, you can find such values for given characteristic:
- Company code: CC_A, CC_B and CC_C
- Version: 1, 2 and 3
- Country: US, DE and PL
Just a bit of a side note, regarding the authorization user – DBW_ATH_PAPM. DBW_ATH_PAPM authorizations for these more complex scenarios are maintained like on the screenshot (from RSECADMIN) given below:
Now going back to Model Table — So we have Model Table and let’s create query on top of that. However, did you think about one question: “What results will be shown by query?” Query will show data according to authorizations meaning it will show common part of authorization values, visualized as on figure below:
In other manner, data that will be shown will have such filter: (Company: CC_A OR CC_B) AND (Country: US) AND (Version: 1 OR 2).
When you create a query, you have to remember that authorization relevant characteristic need to have variable set as: Authorization.
If you miss to do that, you will get message:
Let us analyze results of a query:
As you can clearly see, query results match what I stand for earlier. Query will display only records which are matching certain filters done by authorizations.
But how about displaying records that are in Model Table or Model BW function via Analyze screen? Let’s try it:
You will get a message that you haven’t got authorization to display results of that InfoProvider. But why? To be able to answer that question let us have a look about what Analyze button would like to display. When you do the same thing with user which has no restrictions, data will be displayed as given:
As you can see, by default results that are shown were created by aggregation of key figure (or all of key figures used), and since our DBW_ATH_PAPM user doesn’t have authorizations to display all of characteristic’s values or aggregated key figure value, we must attach aggregation authorizations for that user to be able to analyze display that kind of data. You can create them as I explained in first part of my blog, but instead of giving precise value, you need to fill field with colon sign “:” as shown on screenshot below.
You can create all of those aggregation authorizations for all 3 characteristics from our example and add them to your user. Then we can try to Analyze function model table again:
Nevertheless, you still cannot see and add any characteristic to rows/columns freely due to the fact that we have restrictions on values of those characteristics. When you want to add Company code to rows you will get a message that you haven’t got authorizations to display that. Only way to display those is to filter them up according to your authorizations, e.g. we will be able to see CC_A for company code:
You may ask: why the system doesn’t automatically filter data according to those authorizations? When we run Analyze, PaPM is trying to display all InfoProvider’s data in aggregated form and doesn’t know if you want to display those values or not – remember that the only way to pass information about variables is the query function. This is why it is important to select authorization variables on authorization relevant characteristics in definition of query.
To exhaust the topic about authorization on characteristics we must mention one more: Hierarchy authorization. As you know you can use hierarchy of characteristic can be display when analyzing a query. You can provide this information in query definition:
So, when you would like to Analyze query with no restricted values (by authorization feature) you will see such results:
Hierarchy for Company code has given definition:
Ok, so how you can maintain authorization on specific hierarchy node level? It is pretty simple: You can go to RSECADMIN and create such authorization, but it needs to be a hierarchy authorization as given on screenshot below:
So, as you expect, user DBW_ATH_PAPM with such authorizations will be able to display only values given under specific node of hierarchy – in this case N03:
Key figures can also be restricted by authorizations – some people could see only authorized key figures on the same query/report. Authorization for specific key figure should look like this:
And for technical InfoObject 0TCAKYFNM you can select technical name of the key figure that you want to authorize:
Meaning – user will only be able to see values for that specific key figure. So, let’s have a look into SAP PaPM Environment. Let’s create simple example with two characteristics and two key figures. So, Analyze screen in SAP PaPM for user with authorizations for all characteristics values and key figures:
For our DBW_ATH_PAPM user, we restrict authorizations only for key figure Net result – YQA_AMT. As you can see key figure Quantity is not available for this user to analyze.
You can see that using BW authorizations is not that difficult, and I think you will be able to re-create that examples on your system. I strongly encourage you to try it by yourself and make some of examples which can have all of authorizations mentioned in this blog and in the previous part.
In next blog I will go through other SAP Profitability and Performance Management functions that can use BW Authorizations, so watch out!
very nice article. Is it possible to depict BW-Authorizations in another function type than in a query ?
It is possible to use it also in writer function type planning. Please stay tuned for 3rd part of that blog related to BW authorizations.
Hi Jakub Krolak ,
Thanks for your articles.
Do you know if PaPM queries authorizations support customer $varables instead of hardcoded values (CC_C, CC_A)? In this case, auth check will run customer exit ABAP to derive authorization value from the setting table on-fly. This technique is very helpful when you have many users with all different authorization combinations since you can maintain one single table instead of multiple roles.
Best regards, Denis
Hi Andrzej Jedrzejczyk,
Maybe you know if BW authorization check works for PaPM with $variable instead of hardcode value?
Best regards, Denis
Yes it works with variables type "authorization" for Environment Queries - the same functionality like in SAP BW. Such variable is defined on SAP PaPM query function.