Maintaining Authorizations in BI/BW


SAP BI security is an integral part of any BI implementation. Integrating all the data coming from various source systems and providing the data access based on the user’s role is one of the major concerns of all the BI Projects.
Security of SAP R/3-ECC systems are based on the activities while SAP BI security is focused on what data user can access. Security in BI is categorized by major 2 categories:
Administrative Users – The way we maintain security for administrative users is same as ECC security but we have additional authorization objects in system which are defined only for BI objects.
Reporting Users– We have separate tools(Analysis Authorization) to maintain security for reporting users.
What is Authorization Object?
It allows to check whether a user is allowed to perform a certain action. Actions are defined on the fields, and each field in authorization object should pass the check. We can check all the Standard BI Authorization Objects using tcode SU21 under the Business Warehouse folder: 


With the SAP BI 7.0 we have new tool to maintain the reporting level security. We can access this new tool using tcode RSECADMIN which replaces the old RSSM tool of BW 3.x.


## Below are the Step-by-Step instructions to create/maintain authorization objects for SAP BI Reporting:
I am covering the scenario where each employee (Sales Team) is assigned with one territory number, and the data should be accessible to employee based on their territory only. For this scenario to work we have to set security restriction for the corresponding territory InfoObject (ZDWSLTER).

# The first step before we create any Authorization Object is to set all the InfoObjects as authorization relevant for which we want to restrict data access. 










Authorization Objects on InfoObject’s of type Characteristic:
 
# For accessing the new Analysis Authorization tools we use tcode RSECADMIN -> Authorizations Tab -> Maintenance Button 












We can also use tcode RSECAUTH directly to come to maintenance screen: 











# We have to give the technical name of the Authorization Object (ZDWKJTEST) then hit the create button: 












# The very first step of creating any Authorization Object is to add the special characteristics as field for restirction: 











# The below 3 characteristics are mandatory for defining any Authorization Object. If we don’t have this we will get no access to any InforProvider. By default this gives us access to all the InfoProvider(Full Access), but we can also set the value of InfoProvider for which we want the Authorization Object to work. 





  # Now I am adding the infoobject(ZDWSLTER) for which we want to add restriction









# We can double click on the newly added infobject, and can define the value which we want to allow for this InfoObject. We can also set the dynamic value using Customer Exit Code which we will cover later in this blog. 




4 comments:

  1. Excellent blog Thanks for sharing a good information, This Article is useful to learners.
    SAP BI/BE Online Training

    ReplyDelete
  2. It was so nice article.I was really satisfied by seeing this article sap wm video.

    ReplyDelete
  3. Thank you. for wonderful article. It has more Information in Your Website sap learning videos.

    ReplyDelete
  4. I am glad that I saw this post. It is informative blog for us and we need this type of blog thanks for share this blog, Keep posting such instructional blogs and I am looking forward for your future posts.
    Cyber Security Projects for CSE

    JavaScript Training in Chennai

    Project Centers in Chennai for CSE

    JavaScript Training in Chennai


    ReplyDelete