Sunday, January 18, 2009

SAP BI 7.0 Authorization - Part 2: Creating and assigning authorization

I the previous articles I discussed InfoObjects level authorizations. Now I will focus on creating and assigning authorization.

Creating authorization

To create analysis authorization perform the following steps:
1. Use TCode RSECADMIN, go to the Authorizations tab.
2. Press Maint. button and enter a name (e.g., Z_USR_A1) and press Create.
3. Fill required Short Text field.
4. Insert special characteristics: 0TCAACTVT, 0TCAIPROV, and 0TCAVALID by pressing Insert Special Characteristics button.


5. Insert authorization-relevant characteristics and navigational attributes (Insert Row -> press F4 -> choose item). I described how to set InfoObjects as authorization-relevant in previous articles.
6. Press Details button to restrict values and hierarchy authorization of inserted items.
7. Save the authorization.

You must include special characteristics: 0TCAACTVT (activity), 0TCAIPROV (InfoProvider), and 0TCAVALID (validity) in at least one authorization for a user. They are used for:
  • 0TCAACTVT - to restrict the authorization to activities, default value: Display;
  • 0TCAIPROV - to restrict the authorization to InfoProviders, default value: all (*);
  • 0TCAVALID - to restrict the validity of the authorization, default value: always valid (*).
If you want to authorize access to key figures, add 0TCAKYFNM characteristic to the authorization. It is important to know that if this characteristic is authorization-relevant, it will be always checked during query execution.

0BI_ALL authorization

The 0BI_ALL authorization includes all authorization-relevant characteristics. It is automatically updated when you restrict a BI InfoObject. Use this authorization if you have users that are allowed to execute all queries.

Assigning authorization to a user

You may assign authorization directly to a user or to a role. To assign authorization directly use TCode RSECADMIN, go to the User tab and press Assign. Now enter the user name, press Change and select the authorization. To assign authorization to the role use TCode PFCG, enter the role name and press Change. Using Authorization tab change authorization data by adding S_RS_AUTH entry. The entry includes analysis authorization in roles. Enter here authorization that you previously created.

Summary

I encourage you to collect all requirements related to BI security, structure of the organization and authorization needs before starting authorization preparation. I have learned that it can save a lot of time. Organization's hierarchy can facilitate your work by providing structures and levels of authorization. Indirect authorization assignment can also save your time because it is more flexible and easier to maintain.

13 comments:

Clément said...

Hi,
Thanks for this article!
Do you know if there is a way to restrict access at query level?
The aim would be for some users to access only queries Y* for instance on a cube there are allowed to access.
Hope you can help, thanks.

PR said...

Hi Clement,
Analysis authorization grants permission to certain data. If you want to control access to particular report, you need to use S_RS_COMP & S_RS_COMP1 objects. Create a role, insert in the role authorization objects S_RS_COMP & S_RS_COMP1 and restrict/allow access to particular queries (e.g., RSZCOMPID = Y*). Another way is to create multiprovider for specific queries and restrict access to the multiprovider (special authorization characteristic 0TCAIPROV).
Regards,

Clément said...

Thanks a lot for your answer, it should help me :)

muddu sekhar said...

Hi,

It is extraordinary document..it helps me to create authorization to one of my requirement.

Thanks alot

PR said...

Hi Muddu Sekhar
I'm happy to hear this.

Pankaj said...

HI,

Can we restrict the on Infoobjects and HIER the the same time? Ex: I wanted to restrict user on
0INDUSTY infoobject (has data like Consumer, Retail, HighTech). And also I would like to set restriction on REGION Hierarchy (has structure like AMERICA, EUROPE, ASIA).

Koustubh said...

How can i Restrict Query View in Bi. i mean to say that if come once make a criteria and save this as view. but when i create i new role for new user then all that views are coming in analyzer. so how can we exclude those views.

Darkurion said...

@Koustubh

I would like to restrict on query view also. Through roles and not authorization. I mean not based on their technical name, but based on their assigned roles.

If you have information to share, thanks ..

Allu said...

Excellent Document

gcs88 said...

Hi thanks for posting upto date
Here is my query i'm sap bi learner
i have given authorization to infoobj at infoobject level and at query level also i gave some
authorizations . so when i execute the query which authorization are considered?

PR said...

Hi gcs88,
System checks authorization/many authorization objects. User should have all authorization to be able to see the results.

Anonymous said...

Thanks a lot it helped me a lot.

Sharu said...

Awesome document. Appreciate your effort.
So, when do we use the Special Characteristics 0TCAACTVT and S_RS_COMP & S_RS_COMP1 objects?