Apr 22, 2014

Authorization in BI 7 - Part 1


This blog explains the authorization concept available in SAP BW and gives the steps to maintain report-related authorizations.

Why is Authorization required in SAP BW?
  • To prevent unwanted access to objects and data in the SAP BW system.
  • To give report users restricted access to data.

Authorization in SAP BW 3.x 
  • BW 3.x required the Infoprovider Check to activate or deactivate authorization on the given reports.

What's new in SAP BI  7 for Authorization?

Prerequisites for authorization
  • Decide which reports require authorization.
  • Make a list of the infoobjects which will act as authorization-specific infoobjects in the reports.
  • Check whether all the required infoobjects are marked Authorization Relevant; if not, activate the flag.
  • Now check the Authorization Mode in SPRO
    • For SAP BW 3.x - Obsolete concept with RSR authorization objects.
    • For SAP BI 7 or above - Current procedure with analysis authorizations.
    • SPRO path
      • SAP Customizing Implementation Guide
        • SAP NetWeaver
          • Business Intelligence
            • Settings for Reporting and Analysis
              • General Settings for Reporting and Analysis
                • Analysis Authorizations: Select Concept
  • If you want to use a navigational attribute in an authorization, it has to be authorization relevant in the master data infoobject, as shown in the following screen.

Steps to create authorization object for SAP BI 7
  • Go to t-code RSECADMIN
  • Select Maintenance button 
  • Maintain Authorization : Initial Screen will appear.
  • Enter the technical name of authorization object to be created.
  • Click on Create Authorization (F5)
  • Maintain Authorizations : Create screen will appear with message in status bar 'Special Characteristics Missing'.
  • For why these special characteristics are required, see what SAP has to say about it.
  • Fill up short, medium & long text fields.
  • Click on the button 'Insert Special Charact.' as shown below.
  • Following objects with default selection will get added.
  • Further, get the list of all the 'Infoproviders' you want to add in this authorization object.
  • Each infoprovider has a set of 'Authorization Relevant Infoobjects'; all of them have to be added.
  • Check each infoprovider one by one for its 'Authorization Relevant Infoobjects' as shown below.
  • New window will pop-up for Infocube Authorizations.
  • You can specify required infoprovider's name directly or can use F4 help to get the name of infoprovider from the list.
  • As per the reporting requirement, use either:
    • Insert Aggregation Authorizations: For the Totals in report, aggregation authorization ':' is used.
    • Insert Full Authorizations: It will assign '*'.
  • Once you specify the name of infoprovider and hit enter, list of all authorization relevant infoobjects, from the given cube/DSO will appear.
  • Select all the infoobjects from the list using Select All (F7) and hit enter.
  • All the selected objects will get added as shown below.
  • Repeat the procedure for all the infoproviders.
  • As shown in the above screenshot, all infoobjects have the value (*) in the intervals field. If you want to change the value for any of the infoobjects, use the following steps.
    • Use Details button to go to the maintenance screen OR
    • Double click the infoobject to reach the maintenance screen.
  • In the maintenance screen, 2 options are given.
    • Value Authorizations: You can specify single, multiple single or range of values.
    • Hierarchy Authorizations: Hierarchy node values can be assigned.
  • Value Authorizations.
    • 1st column - Including/Excluding : Specify either I or E to include or exclude the assigned value.
    • 2nd column - Operator : Specify value from the given list as per your requirement.
    • 3rd & 4th column - Technical Character : Here you have to mention values which are required for the authorization.
      • Value (*) can be mentioned to assign Full Authorization.
      • Use Add/ Delete Rows option to add more single values.
      • Whenever single, multiple single or range values are maintained add ( : ) as 1 more row to avoid the summary calculation related errors at runtime. 
  • Once you are done by assigning all the required values, click on Save button and exit.
  • If you make changes in the existing authorization object, on saving it pops up following message
  • Select Yes and new changes with old definition will be saved.
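
The checks this procedure implies, as an added example that is not part of the original post: a Python audit over the value rows of one authorization. The row layout and sample values are constructed; the special characteristic names (0TCAACTVT, 0TCAIPROV, 0TCAVALID) are SAP's standard ones, which the post does not list, and skipping '*' on 0TCAVALID is this example's own choice.

```python
# Added example: audit the value rows of one analysis authorization.
# Row layout (infoobject, sign, option, low, high) is an assumption of this sketch.

# SAP's standard special characteristics (the post does not name them).
SPECIAL = {"0TCAACTVT", "0TCAIPROV", "0TCAVALID"}
# Assumption: '*' on the validity characteristic is not reported as a finding.
FULL_EXEMPT = {"0TCAVALID"}

# Constructed sample data, not taken from a real system.
SAMPLE_ROWS = [
    ("0TCAACTVT", "I", "EQ", "03", ""),
    ("0TCAIPROV", "I", "EQ", "ZSALES_C01", ""),
    ("0COMP_CODE", "I", "BT", "1000", "1999"),
    ("0COMP_CODE", "I", "EQ", ":", ""),
    ("0SALESORG", "I", "EQ", "2000", ""),
    ("0CUSTOMER", "I", "CP", "*", ""),
]


def audit(rows):
    """Return (infoobject, finding) pairs for one authorization."""
    by_obj = {}
    for obj, sign, _option, low, _high in rows:
        by_obj.setdefault(obj, []).append((sign, low))
    # 1. The status bar message 'Special Characteristics Missing'.
    findings = [(name, "special characteristic missing")
                for name in sorted(SPECIAL - set(by_obj))]
    for obj in sorted(by_obj):
        included = {low for sign, low in by_obj[obj] if sign == "I"}
        if "*" in included:
            # 2. Full authorization: worth a least-privilege review.
            if obj not in FULL_EXEMPT:
                findings.append((obj, "full authorization (*)"))
        elif obj not in SPECIAL and ":" not in included:
            # 3. Restricted values need the extra ':' row for totals.
            findings.append((obj, "restricted values without ':' row"))
    return findings


if __name__ == "__main__":
    for obj, finding in audit(SAMPLE_ROWS):
        print(f"{obj:12} {finding}")
```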

  • Hierarchy Based Authorization
    • To assign hierarchy node go to Hierarchy Authorizations in details of particular infoobject.
    • Click on Create button to assign hierarchy node.
    • Following window will pop up where you can select the required hierarchy and particular node.
    • Click on Select Hierarchy button to open the hierarchy variant screen.
    • New window will show the available variants of hierarchy.
    • Double click on the required variant and Hierarchy variant name will get populated.
    • Now, detail node needs to be selected. Click on Select Node option.
    • Select the required node from the list given
    • Once the values for Hierarchy & Nodes are selected, you have to set Type of Authorization.
    • For Type of Authorization following 4 options are given
      • 0 - Only the selected nodes
      • 1 - Subtree below nodes
      • 2 - Subtree below nodes to Level ( Incl. )
      • 3 - Complete hierarchy
      • 4 - Subtree below nodes to ( and Incl. ) Level ( Relative )
    • Now hit enter and main screen will appear where you can see Hierarchy Node value with type of authorization maintained.
    • When you are maintaining hierarchy node value then in the Value Authorizations only ( : ) value needs to be maintained to avoid the error at runtime.
    • Save the authorization object.
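
How the types of authorization listed above differ in the nodes they expose, as an added example that is not part of the original post: a Python model over a constructed hierarchy. It assumes the root sits at level 1, that types 1, 2 and 4 include the selected node itself, and that the relative level of type 4 is counted from the selected node.

```python
# Added example: which hierarchy nodes each type of authorization exposes.
# Constructed sample hierarchy (node -> children), not from a real system.
HIER = {
    "WORLD": ["EMEA", "APAC"],
    "EMEA": ["DE", "FR"],
    "DE": ["DE_NORTH", "DE_SOUTH"],
    "APAC": ["JP"],
}


def authorized_nodes(hier, root, node, auth_type, level=None):
    """Return the set of nodes granted by one hierarchy authorization."""
    # Absolute level of every node; assumption: the root is level 1.
    depth = {root: 1}
    stack = [root]
    while stack:
        cur = stack.pop()
        for child in hier.get(cur, []):
            depth[child] = depth[cur] + 1
            stack.append(child)
    if node not in depth:
        raise ValueError(f"unknown node {node!r}")
    if auth_type == 3:                  # complete hierarchy
        return set(depth)
    if auth_type == 0:                  # only the selected node
        return {node}
    if auth_type == 1:                  # whole subtree below the node
        limit = max(depth.values())
    elif auth_type in (2, 4):
        if level is None:
            raise ValueError("types 2 and 4 need a level")
        # 2: absolute level; 4: level relative to the selected node.
        limit = level if auth_type == 2 else depth[node] + level
    else:
        raise ValueError(f"unknown type {auth_type!r}")
    granted, stack = set(), [node]
    while stack:
        cur = stack.pop()
        if depth[cur] <= limit:         # stop descending past the limit
            granted.add(cur)
            stack.extend(hier.get(cur, []))
    return granted


if __name__ == "__main__":
    for t, lvl in [(0, None), (1, None), (2, 3), (3, None), (4, 1)]:
        print(t, sorted(authorized_nodes(HIER, "WORLD", "EMEA", t, lvl)))
```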