In this blog I have documented the steps we followed while setting up authorizations and row level security in our SAC Planning project.
As authorization requirements are different in each project, this blog will be a good starting point if you are working on SAC Planning and using BPC Live Connection.
We used BPC Live Connection in SAC to create planning application with planning sequences, planning templates and reports.
ZTAXGEPHY was the authorization relevant InfoObject that we used in all the reports for row level security. Whichever Geography the user is authorized to, whenever he runs any report, he will only view data related to those Geographies. The InfoObject is defined as authorization relevant in InfoObject maintenance as shown below:
2. Create a custom table in the backend where we maintained which users will have access to which geographies. Currently we have maintained this as *, which means that the users has access to all the geographies.
3. Create analysis authorization for the InfoObject
As shown below analysis authorization is created for this InfoObject and this analysis authorization is added to all the roles in the backend that have access to our project.
So in the analysis authorization you will add the dimension members for which the user should have access, so here we haven’t maintained any particular dimension values, we have just provided the name of the customer exit variable.
4. Create customer exit variable and write the user exit code
In the Customer exit variable, we will read the backend user access table that we created in step 2. In this table the User id will be maintained along with which geographies the user has access to. When we run the report, this variable will be prepopulated with only the geographies that user has access to.
At runtime, the customer exit code will read this table and get the list of geographies and pass it in the exit variable. With this method we keep the flexibility with us to change the access of users if required. We can directly maintain the table in production and update the values. We don’t need security team’s help to update the authorizations.
WHEN 'ZEX_ZTAXGEPHY_MO'.
IF i_step = 0 OR i_step = 2 OR i_step = 1.
CALL FUNCTION 'RSEC_GET_USERNAME'
IMPORTING
e_username = l_uname.
REFRESH it_zfipc_ptjur.
SELECT *
FROM zfipc_ptjur
INTO TABLE it_zfipc_ptjur
WHERE uname = l_uname.
IF sy-subrc EQ 0.
REFRESH it_ztaxgephy.
SELECT * FROM /bic/mztaxgephy INTO TABLE it_ztaxgephy WHERE objvers = 'A'.
LOOP AT it_ztaxgephy INTO wa_ztaxgephy.
CLEAR ls_range.
ls_range-low = wa_ztaxgephy-/bic/ztaxgephy.
ls_range-sign = 'I'.
ls_range-opt = 'EQ'.
APPEND ls_range TO c_t_range.
CLEAR wa_ztaxgephy.
ENDLOOP.
ENDIF.
ENDIF.
So till now we saw what has to be done in the backend for row level security now lets look at the configuration steps that have to be performed in SAC.
5. Lets understand the Folder Structure and the Roles we created in SAC.
Main Project Folder
Sub Folder – Models/Stories
Sub Folder – Open Area
All the models and stories that we built were stored in the Models/Stories Sub Folder. There was an Open Area Sub Folder created where users could place their own ad-hoc stories that they create.
Three Roles were created in SAC and assigned to the users based on the task that they would perform in the system.
2. Controller
3. Reviewer
Three Composite Roles were created in the backend in the BW System.
The analysis authorization that we created earlier based on Geography InfoObject would be added to each of these Composite Roles. In addition these Roles will also have all the access for all the backend BPC Objects like Composite Provider, Aggregational Level, Queries, DSOs, Planning Sequences etc.
Also the Analyst and Controller roles look similar but they are not. The Controller will have access to all the transaction codes to maintain data like the access to maintain data in the Geography User access custom table. In addition he can also run the planning sequences. The analyst will be able to analyze and plan on the data while the reviewer can only view the data.
6. Teams Creation in SAC
Analyst, Controller and Reviewer, three teams were created in SAC. In SAML User mapping we provided the Distribution List. So when an user needs access, we give access to the DL, so whichever teams have access to the DL, they get assigned to those teams and roles associated with it.
7. Data Access Profile
In order to provide access to the users to the BPC Models we have to create Data Access Profile in BPC UI.
All the BPC models for which the users need access are added here in the DAP.
The Data access Profile are then mapped to the teams that we had created before.
The team that needs read access will get access to the read Data Access Profile.
And the one that needs write access will get access to the write Data Access Profile.
As shown below in the teams maintenance from the BPC Web UI, you can add the Users as well as the DAP.
I would like to thank pranab.parhi who was the solution architect for this project and mayurwalhe701 for his help while we were working to implement this.
As authorization requirements are different in each project, this blog will be a good starting point if you are working on SAC Planning and using BPC Live Connection.
We used BPC Live Connection in SAC to create planning application with planning sequences, planning templates and reports.
- Lets start with Row level security first.
ZTAXGEPHY was the authorization relevant InfoObject that we used in all the reports for row level security. Whichever Geography the user is authorized to, whenever he runs any report, he will only view data related to those Geographies. The InfoObject is defined as authorization relevant in InfoObject maintenance as shown below:
2. Create a custom table in the backend where we maintained which users will have access to which geographies. Currently we have maintained this as *, which means that the users has access to all the geographies.
3. Create analysis authorization for the InfoObject
As shown below analysis authorization is created for this InfoObject and this analysis authorization is added to all the roles in the backend that have access to our project.
So in the analysis authorization you will add the dimension members for which the user should have access, so here we haven’t maintained any particular dimension values, we have just provided the name of the customer exit variable.
4. Create customer exit variable and write the user exit code
In the Customer exit variable, we will read the backend user access table that we created in step 2. In this table the User id will be maintained along with which geographies the user has access to. When we run the report, this variable will be prepopulated with only the geographies that user has access to.
At runtime, the customer exit code will read this table and get the list of geographies and pass it in the exit variable. With this method we keep the flexibility with us to change the access of users if required. We can directly maintain the table in production and update the values. We don’t need security team’s help to update the authorizations.
WHEN 'ZEX_ZTAXGEPHY_MO'.
IF i_step = 0 OR i_step = 2 OR i_step = 1.
CALL FUNCTION 'RSEC_GET_USERNAME'
IMPORTING
e_username = l_uname.
REFRESH it_zfipc_ptjur.
SELECT *
FROM zfipc_ptjur
INTO TABLE it_zfipc_ptjur
WHERE uname = l_uname.
IF sy-subrc EQ 0.
REFRESH it_ztaxgephy.
SELECT * FROM /bic/mztaxgephy INTO TABLE it_ztaxgephy WHERE objvers = 'A'.
LOOP AT it_ztaxgephy INTO wa_ztaxgephy.
CLEAR ls_range.
ls_range-low = wa_ztaxgephy-/bic/ztaxgephy.
ls_range-sign = 'I'.
ls_range-opt = 'EQ'.
APPEND ls_range TO c_t_range.
CLEAR wa_ztaxgephy.
ENDLOOP.
ENDIF.
ENDIF.
So till now we saw what has to be done in the backend for row level security now lets look at the configuration steps that have to be performed in SAC.
5. Lets understand the Folder Structure and the Roles we created in SAC.
Main Project Folder
Sub Folder – Models/Stories
Sub Folder – Open Area
All the models and stories that we built were stored in the Models/Stories Sub Folder. There was an Open Area Sub Folder created where users could place their own ad-hoc stories that they create.
Three Roles were created in SAC and assigned to the users based on the task that they would perform in the system.
- Analyst
- Full View Access to Main Project Folder
- Edit Access to Sub Folder Open Area
- Use Standard Template for BI Planner Role in SAC
2. Controller
- Full View Access to Main Project Folder
- Edit Access to Sub Folder Open Area
- Use Standard Template for BI Planner Role in SAC
3. Reviewer
- Full View Access to Main Project Folder
- Edit Access to Sub Folder Open Area
- Use Standard Template for BI Standard Role in SAC
Three Composite Roles were created in the backend in the BW System.
- Controller
- Analyst
- Reviewer
The analysis authorization that we created earlier based on Geography InfoObject would be added to each of these Composite Roles. In addition these Roles will also have all the access for all the backend BPC Objects like Composite Provider, Aggregational Level, Queries, DSOs, Planning Sequences etc.
Also the Analyst and Controller roles look similar but they are not. The Controller will have access to all the transaction codes to maintain data like the access to maintain data in the Geography User access custom table. In addition he can also run the planning sequences. The analyst will be able to analyze and plan on the data while the reviewer can only view the data.
6. Teams Creation in SAC
Analyst, Controller and Reviewer, three teams were created in SAC. In SAML User mapping we provided the Distribution List. So when an user needs access, we give access to the DL, so whichever teams have access to the DL, they get assigned to those teams and roles associated with it.
7. Data Access Profile
In order to provide access to the users to the BPC Models we have to create Data Access Profile in BPC UI.
All the BPC models for which the users need access are added here in the DAP.
The Data access Profile are then mapped to the teams that we had created before.
The team that needs read access will get access to the read Data Access Profile.
And the one that needs write access will get access to the write Data Access Profile.
As shown below in the teams maintenance from the BPC Web UI, you can add the Users as well as the DAP.
I would like to thank pranab.parhi who was the solution architect for this project and mayurwalhe701 for his help while we were working to implement this.
- SAP Managed Tags:
