BW Architechture


Assigning Authorization objects to Users in BI/BW


 Assigning Authorization Objects to Users:
 
# Go to the screen (RSECADMIN) , and click on assignment button under user tab: 


# Now we can assign the created Authorization Object to any user using this tool. 



# Adding the created Authorization Object (ZDWKJTEST) to the user ZNBITSRTS. I will be using the same user through out this blog for running any query so that it can use the restrictions which are applying using the Authorization Object.






# We can also assign the authorization to users through role/profile using the standard Authorization Object S_RS_AUTH:




# User with Authorization Object 0BI_ALL is having full access to data, and can overwrite any other Authorization Objects assignment to it. 


# Query on InfoProvider with Authorization Objects: Below is the test query in which I added the InfoObject for which we created the test Authorization Object (ZDWKJTEST).



Maintaining Authorizations in BI/BW


SAP BI security is an integral part of any BI implementation. Integrating all the data coming from various source systems and providing the data access based on the user’s role is one of the major concerns of all the BI Projects.
Security of SAP R/3-ECC systems are based on the activities while SAP BI security is focused on what data user can access. Security in BI is categorized by major 2 categories:
Administrative Users – The way we maintain security for administrative users is same as ECC security but we have additional authorization objects in system which are defined only for BI objects.
Reporting Users– We have separate tools(Analysis Authorization) to maintain security for reporting users.
What is Authorization Object?
It allows to check whether a user is allowed to perform a certain action. Actions are defined on the fields, and each field in authorization object should pass the check. We can check all the Standard BI Authorization Objects using tcode SU21 under the Business Warehouse folder: 


With the SAP BI 7.0 we have new tool to maintain the reporting level security. We can access this new tool using tcode RSECADMIN which replaces the old RSSM tool of BW 3.x.


## Below are the Step-by-Step instructions to create/maintain authorization objects for SAP BI Reporting:
I am covering the scenario where each employee (Sales Team) is assigned with one territory number, and the data should be accessible to employee based on their territory only. For this scenario to work we have to set security restriction for the corresponding territory InfoObject (ZDWSLTER).

# The first step before we create any Authorization Object is to set all the InfoObjects as authorization relevant for which we want to restrict data access. 










Authorization Objects on InfoObject’s of type Characteristic:
 
# For accessing the new Analysis Authorization tools we use tcode RSECADMIN -> Authorizations Tab -> Maintenance Button 












We can also use tcode RSECAUTH directly to come to maintenance screen: 











# We have to give the technical name of the Authorization Object (ZDWKJTEST) then hit the create button: 












# The very first step of creating any Authorization Object is to add the special characteristics as field for restirction: 











# The below 3 characteristics are mandatory for defining any Authorization Object. If we don’t have this we will get no access to any InforProvider. By default this gives us access to all the InfoProvider(Full Access), but we can also set the value of InfoProvider for which we want the Authorization Object to work. 





  # Now I am adding the infoobject(ZDWSLTER) for which we want to add restriction









# We can double click on the newly added infobject, and can define the value which we want to allow for this InfoObject. We can also set the dynamic value using Customer Exit Code which we will cover later in this blog. 




Authorizations in SAP NW BI



TOPICS
*                               Difference between rssm and rsecadmin
*                               Step by Step
*                               Reporting User
*                               Developper
*                               General
*                               Generation (rsecadmin)
*                               Role (pfcg)
*                               Tables
*                               Authority check

1. MODELING
Difference between rssm and rsecadmin


RSSM
RSECADMIN

Old transaction: RSSM
Concept of authorization: 'Reporting Authorization'

New transaction : RSECADMIN
Concept of authorization: 'Analysis Authorization'
Assignement of Reporting authorization:* by pfcg: mass distribution of auth by using role
*                               by RSSM: generation way (use with Business Content and flat files loading)

Assignement of Analysis authorization :* by PFCG: mass distribution of auth by using role,
*                               by RSECADMIN manual way -> Assignement -> Auth selection ->Insert,
*                               by RSECADMIN: generation way (use with Business Content and flat files loading)
Full Authorization: SAP_ALL, SAP_NEW

Full Authorization: SAP_ALL, SAP_NEW
 0BI_ALL: * Allow full authorization for the IO authorization relevant,
*                               Used in the authorization object: S_RS_AUTH,
*                               Report 'RSEC_GENERATE_BI_ALL' for the SAP_ALL user,

Modeling:* IO marked as Authorization relevant,
*                rssm enable to flag relevant infoprovider,
*             rssm are used to custom Auhthorization object,
*              Authorization variable are used in Bex Query,
*        Pfcg to assign reporting authorization trough the Object class: RSR,
*                               Query access manage by object S_RS_COMP, S_RS_COMP1,
*                               Area Button/ Access : S_RS_FOLD,
*                               Authorization for Cube, ODS, Hierarchy and infoset managed by:
*                                                       S_RS_ICUBE,
*                                                       S_RS_ODSO,
*                                                       S_RS_HIER,
*                                                       S_RS_ISET.

Modeling:* IO + Navigation ATTR can be Authorization relevant,
*                               An IO auth relevant is auth relevant for all the cube he is used,
*                               rsecadmin to define Analysis authorization with sepcial IO : 0TCAACTVT, 0TCAIPROV, 0TCAVALID,
*                               Authorization variable are used in Bex Query, 
*                               pfcg to assign analysis authorization through the object S_RS_AUTH (Object Class: RS),
*                               Query access manage by object S_RS_COMP, S_RS_COMP1,
*                               Area Button/ Access : S_RS_FOLD,
*                               Authorization for Cube and ODS for reporting user are managed by the special authorization characteristic 0TCAIPROV,
*                               S_RS_ICUBE, S_RS_ODSO, S_RS_HIER, S_RS_ISET: are not checked anymoe for reporting user.

*                               S_RS_ICUBE, S_RS_ODSO, S_RS_HIER, S_RS_ISET: are used for allowing access to developper team,
*                               New object to manage acess for developper user:
-

New object authorization for Web application Designer & Report Designer:* S_RS_BTMP,
*                               S_RS_BITM,
*                               S_RS_ERPT,
*                               S_RS_EREL.
Step by Step

RSSM
RSECADMIN
0. Pre-requisites
-

Activate all business content related to authorizations before you get started:* InfoObjects: 0TCA* and 0TCT*
*                               InfoCubes: 0TCA*
Set the following InfoObjects as "authorization relevant":* 0TCAACTVT
*                               0TCAIPROV
*                               0TCAVALID
*                               0TCAKYFNM (optional, if key figure restriction needed)
Add 0TCAIFAREA as an external hierarchy characteristic to 0INFOPROV (optional)
1. Set Master data Authorization relevant
RSA1 -> InfoObjects -> Business Explorer Tab -> Flag 'Authorization relevant

RSA1 -> InfoObjects -> Business Explorer Tab -> Flag 'Authorization relevant 
RSA1 -> InfoObjects -> Attribute Tab -> Flag 'AuthorizRelevant'
2. Create Authorization Object/ Analysis authorization
RSSM -> Enter the name of your Authorization object -> Create -> Put IO Authorization relevant in the selected InfoObjects part -> Save

3. Set Info provider
RSSM -> Select: 'Check for Info Cubes' -> Change -> Flag the related Info Cubes
 The IO authorization relevant are authorization relevant for all cubes
4. Create BEX variable for authorization
1. Right click on the IO -> choose 'Restrict'
2. Choose 'Selection' = 'Single Value' and 'from Hierarchy' = 'flat list'
If a hierarchy exists, select the hierarchy for the IO
3. Go on the variables tab -> Right click -> 'New variable'
4. For a restriction without hierarchy, the type of variable is 'Characteristic Value' and if you have choose a hierarchy, the type of variable is 'Hierarchy node'
5. Select a variable name & a description
6. Choose 'Processing by': = 'Authorization' then check the characteristic and click 'next'
7. Choose the display area for the variable -> Variable represents: = 'Single Value' or 'Selection Option'
8. Choose if the variable entry is Optional or mandatory,
9. Don't select 'Ready for input' and 'Can be changed in query navigation
10. Next to the end

5. Insert Authorization in Role


6. Assign Authorization/ Role to Users


2. AUTHORIZATION
*                               Reporting User: Authorization for End User
*                                
*                                                       S_RS_AUTH:
*                                                                               Insert here the Analysis Authorization you customize in Rsecadmin.
*                                                                               Allow right on IO marked as 'authorization relevant' (Data)
*                                                       S_RS_COMP : Query Accessibility
*                                                                               Activity: 01 (Create or generate), 02 (Change), 03 (Display), 06 (Delete), 16 (Execute), 22 (Enter, Include, Assign)
*                                                                               InfoArea: '*'
*                                                                               InfoCube: <Selected infoprovider>
*                                                                               Name (ID) of a reporting component: <Selected query>
*                                                                               Type of a reporting component: CKF (Calculated key figure), QVW (Query View), REP (Query), RKF (Restricted key figure), SOB (Selection object, New object !!!), STR (Template structure), VAR (Variable)
*                                                       S_RS_COMP1 : Query for specific users
*                                                       S_RS_FOLD ( Hide 'Folder' Pushbutton): 'False' or 'True'
*                                                       S_USER_AGR: Role Name
 S_RS_BITM : !!! NEW !!!
 S_RS_BTMP : !!! NEW !!!
*                               Developper
*                                
*                                                       S_DEVELOP
*                                                       S_RO_BCTRA -in ECC side for activate (remote) Datasource
*                                                       S_RS_BC
*                                                       S_RS_BCS
*                                                       S_GUI
*                                                       S_RS_DS: Authorizations for working with the DataSource or its sub-objects (as of SAP NetWeaver 2004s)
*                                                       S_RS_ISNEW: Authorizations for working with new InfoSources or their subobjects (as of SAP NetWeaver 2004s)
*                                                       S_RS_DTP: Authorizations for working with the data transfer process and its subobjects
*                                                       S_RS_TR: Authorizations for working with transformation rules and their subobjects
*                                                       S_RS_CTT: Authorizations for working with currency translation types
*                                                       S_RS_UOM: Authorizations for working with quantity conversion types
*                                                       S_RS_THJT: Authorizations for working with key date derivation types
*                                                       S_RS_PLENQ: Authorizations for maintaining or displaying the lock settings
*                                                       S_RS_RST: Authorization object for the RS trace tool
*                                                       S_RS_PC: Authorizations for working with process chains
*                                                       S_RS_OHDEST: Open Hub Destination
*                                                       S_RS_DAS: Authorizations for working with Data Access Services
*                                                       S_RS_BTMP: Authorizations for working with BEx Web templates
*                                                       S_RS_BEXTX: Authorizations for the maintenance of BEx texts Authorization objects for the administration of analysis authorizations
*                                                       S_RSEC: Authorization for assignment and administration of analysis authorizations
*                                                       S_RS_AUTH: Authorization object to include analysis authorizations in roles
*                                                       S_RS_ADMWB: Changed Authorization Objects (Data Warehousing Workbench: Objects)
*                               General
*                                
*                                                       S_RFC: Authorization Check for RFC Access:
*                                                                               Activity 16
*                                                                               Name of RFC to be protected *
*                                                                               Type of RFC object to be protetected: FUGR
*                                                       S_TCODE: Transaction Code Check at Transaction Start
*                                                                               Transaction Code SE37,RRMX, RRMXP
*                                                       S_GUI: Authorization for GUI activities
*                                                                               Activity 02, 60, 61
*                                                       S_BDS_DBC-SRV-KPR-BDS: Authorizations for Accessing Documents
*                                                                               Activity 03
*                                                                               BDS: Data element for LOIO cla *
3. ASSIGNEMENT
*                               Generation (rsecadmin)


*                               Role (pfcg)


4. TECHNICAL
*                               Tables
*                                
*                                                        RSECVAL : Authorization Value Status,
*                                                        RSECUSERAUTH : BI AS Authorizations: Assignment of User Auth.
*                                Function Modules:
*                                
*                                                        RSEC_AUTHORITY_CHECK_IPROV
*                                                        RSEC_AUTH_GET_IOBJ_RELEVANT
*                                                        RSEC_CHECK_IPROV
*                                                        RSEC_CHECK_VALIDITY
*                                                        RSEC_COMPLETE_HIERAUTH
*                                                        RSEC_GET_AUTH_FOR_USER
*                                                        RSEC_GET_AUTH_HIER_FOR_USER
*                                                        RSEC_ASSIGN_AUTHS_TO_USERS
*                                                        RSEC_GET_ALL_GENERATED_AUTHS
*                                                        RSEC_READ_ODS_HIER
*                                                        RSEC_READ_ODS_USER_AUTH
*                                                        RSEC_READ_ODS_VAL
*                                                        RSEC_AUTHORIZATIONS_OF_USER
*                                                        RSEC_GET_AUTH_FOR_USER_RFC