Sunday, January 18, 2009

SAP BI 7.0 Authorization - Part 1: InfoObjects level authorization

The new SAP BI 7.0 authorization concept (analysis authorization) changes a lot in how BI information is accessed, analyzed and displayed. The approach allows you to restrict data access at the key figure, characteristic, characteristic value, hierarchy node, and InfoCube levels. It enables more flexible data access management.

Analysis authorization is active by default in SAP BI 7.0 systems, and I think it is worth spending some time to look more closely at the new concepts and features. In part one of this two-article series, I will show you how to restrict access to SAP BW reports at the InfoObject level.

Initial settings

First, activate the business content objects (TCode RSORBCT) related to authorizations:
  • InfoObjects 0TCA*
  • InfoCubes 0TCA*
and set the following InfoObjects as Authorization-Relevant:
  • 0TCAACTVT (activity such as Display)
  • 0TCAIPROV (InfoProvider authorization)
  • 0TCAVALID (validity period of authorization)
  • 0TCAKYFNM (if you want to restrict access to key figures)

Characteristics authorization

Use TCode RSA1 and go to Modelling -> InfoObjects. Display the properties of the characteristic to which you want to restrict access and set it as Authorization-Relevant.


Characteristics values authorization

To authorize characteristic values, you need to create a new authorization object through TCode RSECADMIN. The following steps show how to allow users to access specific sales organizations (e.g., New York, San Francisco, Dallas).
1. Create a new authorization object (e.g., Z_SORG_B).


2. Choose the characteristic and press the Details button.


3. Select the sales organizations (e.g., 1612 - New York, 1614 - San Francisco, 1615 - Dallas). Available operators: EQ - single value, BT - range of values, CP - pattern ending with (*) (e.g., abc*). You also have the option to Include (I) or Exclude (E) values.

Attributes authorization

To authorize navigational attributes, set them as Authorization-Relevant.

Hierarchies authorization

To grant authorization at the hierarchy level, edit or create an authorization object (e.g., Z_SORG_B), add the hierarchy and nodes, and choose the type of authorization.

Key figure authorization

To grant authorization to a particular key figure, add the special object 0TCAKYFNM to the authorization object (e.g., Z_SORG_B), and choose the key figure to be authorized.

Summary

InfoObject level authorization gives you great flexibility, but keep system limitations in mind. Avoid setting too many characteristics as authorization relevant (more than 10 in a query). All marked characteristics are checked for existing authorization if they are in a query or in an InfoProvider that is being used. Too many authorization objects may slow query execution. The exception is characteristics with all (*) authorization. If you want to check which InfoObjects are authorization relevant in your BI system, use TCode RSECADMIN -> Authorization Maintenance and display the 0BI_ALL authorization. You will find more about 0BI_ALL in the article on creating and assigning authorization.

Remember that authorizations do not work as filters do. This means that a user executing a query in which characteristics are authorization relevant must have sufficient authorization for those characteristics (the "all-or-nothing" rule). The exceptions are hierarchies in the drill-down and variables that are dependent on authorization.

In part two, I will describe how to create and assign SAP BI authorization.
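The "all-or-nothing" rule, combined with the EQ, BT and CP operators from the characteristic values section, as an added Python model (not SAP code and not part of the original post). It assumes Include (I) rows only, character-string comparison for BT ranges, and a placeholder characteristic name SALES_ORG; Z_SORG_B and the sales organization numbers are taken from the post.

```python
# Simplified model of the analysis-authorization value check; not SAP code.
# Assumptions: Include (I) rows only; SALES_ORG is a placeholder name.
from dataclasses import dataclass


@dataclass(frozen=True)
class ValueRow:
    op: str          # "EQ", "BT" or "CP"
    low: str
    high: str = ""   # upper bound, used by BT only

    def covers(self, value: str) -> bool:
        if self.op == "EQ":
            return value == self.low
        if self.op == "BT":
            # Assumption: ranges are compared as character strings.
            return self.low <= value <= self.high
        if self.op == "CP":
            # Pattern ending with '*' is a prefix match; a bare '*' covers all.
            if not self.low.endswith("*"):
                raise ValueError("CP pattern must end with '*'")
            return value.startswith(self.low[:-1])
        raise ValueError(f"unknown operator {self.op!r}")


def uncovered(auth, selection):
    """Return {characteristic: [values]} that the query requests but the
    authorization does not cover. Only authorization-relevant
    characteristics are expected in `selection`."""
    missing = {}
    for char, values in selection.items():
        rows = auth.get(char, [])
        bad = [v for v in values if not any(r.covers(v) for r in rows)]
        if bad:
            missing[char] = bad
    return missing


def query_allowed(auth, selection):
    """All-or-nothing: a single uncovered value rejects the whole query;
    the result is never silently reduced to the authorized subset."""
    return not uncovered(auth, selection)


# Constructed sample: Z_SORG_B grants 1612, 1614 and 1615 as in the post.
Z_SORG_B = {"SALES_ORG": [ValueRow("EQ", "1612"),
                          ValueRow("BT", "1614", "1615")]}
```

A query selecting 1612 and 1613 is rejected outright because 1613 is uncovered, which is why report designers restrict the selection to authorized values rather than relying on the authorization to trim the result.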

8 comments:

pmainente said...

Excellent explanation. It is very clear and useful. Thank you so much!

Sawa Amana Jaha said...

Very comprehensive overview and explanation of the new BI 7 analysis authorization concept and usage....excellent!

Manu said...

Hi, very nice tutorial, but I had this implemented already a few years ago. However, I want to restrict some queries to users who have a higher role, hereby preventing users who do not have this role, running BI Bex-queries that show sensitive data such as margins. I've tried publishing these queries to that specific role, but that does not prevent the other users from running this query! Do you know how to implement my requirement?

Jonathan said...

Helpful post. Thanks. And yes Manu, you are the smartest person in the room for implementing it ages ago.

Anonymous said...

Very helpful post. Great Help. Thanks

Anonymous said...

The Exclude option is disabled. I want to use the exclude option to exclude certain key figures. Do you know how to do it? Thanks.

Anonymous said...

I have a question. Can I have in BI these two scenarios:
Scenario 1.

User 1. Has access to query 1, with access to Cost Center = 1

Scenario 2.

User 1 has access to query 2 with access to Cost Center = 2 ?

Can I have these two scenarios implemented in BI?

Regards, Jen

PR said...

Hi Jen, You may grant access to both CC in both queries and then in Q1 and Q2 use different filters to filter out not needed data. It depends on report requirements.