Monday 7 December 2015

BI analysis Authorization:

Analysis Authorizations are used to secure individual InfoObjects during execution of queries. If we get a requirement of the form “user should only be able to see sales for the US companies but not for the European ones”, Analysis Authorizations are the way forward. In this post we take a closer look at how these authorizations work and how to maintain them.
SAP provides the transaction RSECADMIN for working on different aspects of analysis authorizations. The different tabs of the transaction allow authorization maintenance, user assignment, transport and tracing of potential errors. Analysis Authorizations can also be maintained directly through the transaction RSECAUTH. In addition to the tcodes, a person needs access to the authorization object S_RSEC to work with analysis authorizations.
The figure below shows an analysis authorization to secure 0COSTCENTER.

Individual values can be maintained for 0COSTCENTER as shown below
In addition to EQ (Equals), which is used to give access to actual values as shown below, we might also use CP (Character Pattern) for wildcards or BT (Between) for ranges. Also, instead of values, individual hierarchy authorizations or user exit variables might be used for InfoObjects. In addition to actual values or hierarchies, two special characters are often used in authorizations. These are:
  • Colon (:) – Colon is used to authorize access to aggregate data. For example, a person with : for 0COSTCENTER would be able to see aggregate data for all cost centers (cost center in the free characteristics section of the query) but would get an authorization error when trying to drill down on 0COSTCENTER. Colon (:) authorization is also needed for all authorization relevant characteristics which are not used in a query.
  • Hash (#) – While loading data into cubes, there might be some fields for which no values are maintained in the data source. Hash is used to authorize these undefined values, as otherwise full access (*) would be needed for them.
If we look at the first screenshot showing the definition of the analysis authorization, we find that in addition to 0COSTCENTER, the analysis authorization uses three other characteristics. These are
  • 0TCAACTVT (Activity in Analysis Authorizations) – Default value 03 (display) is sufficient for reporting. However, 02 (change) is needed for using the planning functionality of BI, as planning essentially allows updating data in InfoProviders.
  • 0TCAIPROV (Authorizations for InfoProvider) – We maintain the InfoProviders for which the authorization is meant to give access. Default is *.
  • 0TCAVALID (Validity of an Authorization) – Default value is * but can be used to restrict analysis authorization by validity dates.
It is imperative that all three of the above InfoObjects are part of at least one of the analysis authorizations assigned to a user, but it's good practice to add them to each authorization that you create.
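The value rules above (EQ, CP, BT, the colon and hash entries, and the three special characteristics) can be traced with a small model. This is an added example, not code from the original post and not SAP's implementation: it evaluates a single authorization only, the cost center values and the InfoProvider name are constructed, and the CP wildcard '+' (one character) and the treatment of * as covering ':' and '#' are modelling assumptions.

```python
from fnmatch import fnmatchcase

# Constructed sample: one analysis authorization as
# {characteristic: [(operator, low, high), ...]}. All values are made up.
SAMPLE_AUTH = {
    "0COSTCENTER": [("EQ", "1000", None), ("BT", "2000", "2999"),
                    ("CP", "US*", None), ("EQ", ":", None)],
    "0TCAACTVT": [("EQ", "03", None)],      # display only, no planning
    "0TCAIPROV": [("CP", "*", None)],
    "0TCAVALID": [("CP", "*", None)],
}
SPECIAL = ("0TCAACTVT", "0TCAIPROV", "0TCAVALID")


def interval_matches(op, low, high, value):
    """True if one (operator, low, high) entry covers the requested value."""
    if low == "*":                 # full access (assumed to cover ':' and '#')
        return True
    if value in (":", "#"):        # aggregate / unassigned need their own entry
        return op == "EQ" and low == value
    if op == "EQ":
        return value == low
    if op == "BT":
        return low <= value <= high            # character-wise comparison
    if op == "CP":
        return fnmatchcase(value, low.replace("+", "?"))
    raise ValueError(f"unsupported operator {op!r}")


def check(auth, request):
    """Return the characteristics that fail; an empty list means authorized.

    `request` maps each authorization-relevant characteristic to the value the
    query needs; ':' stands for "not drilled down / not used in the query".
    """
    missing = [c for c in SPECIAL if c not in auth]
    if missing:                    # single-authorization model: all three required
        return missing
    return [char for char, value in request.items()
            if not any(interval_matches(op, lo, hi, value)
                       for op, lo, hi in auth.get(char, []))]


def query(costcenter, activity="03"):
    """Helper building a constructed request against InfoProvider ZSALES_C01."""
    return {"0TCAACTVT": activity, "0TCAIPROV": "ZSALES_C01",
            "0COSTCENTER": costcenter}
```

Calling `check(SAMPLE_AUTH, query("#"))` returns `["0COSTCENTER"]`: the authorization has a colon entry but no hash entry, so unassigned cost centers are rejected even though aggregated access is allowed.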
Once created, there are two ways of assigning analysis authorizations to users.
  • Direct Assignment – Direct assignment of analysis authorizations to users is possible by following the path RSECADMIN >> User >> Assignment, which calls transaction RSU01.
  • Assignment through roles – SAP provides the authorization object S_RS_AUTH with the single field BIAUTH. Individual analysis authorization values can be maintained for this field and added to the users’ roles.

BW Security (Authorizations)
The following are some of the relevant SAP BW Security T-codes.

| Transaction Code | Description |
|---|---|
| RSA1 | Transaction RSA1 is the main transaction for administrative functions in SAP BW (Administrator Workbench) |
| RSD1 | This transaction code can be used to mark objects as relevant for authorization (InfoObject Maintenance) |
| RSSM | This transaction code can be used to create and modify authorization objects in SAP BW |
| RSZV | This transaction code is used to create or modify the variables for authorization checks (Variable Maintenance) |
| RRMX | Business Explorer is the reporting tool in SAP BW and is used for analyzing data |
| GLOBAL_TEMPLATES | Templates for modelling and evaluating data |


How to Activate Authorizations in BW
The following steps explain how to activate authorizations in BW.
  1) Mark InfoObject as relevant for authorization tcode => RSD1
  2) Create report authorization object tcode => RSSM
  3) Select InfoCubes tcode => RSSM
  4) Manually integrate authorization object in role tcode => PFCG
  5) Change / Maintain authorization values => PFCG
  6) Assign role to user tcode => PFCG or via Central User Administration

Hierarchical Authorizations in BW
The following steps control authorizations for hierarchies.
  1) Transfer and activate InfoObject 0TCTAUTHH tcode => RSD1
  2) Mark InfoObject 0TCTAUTHH as relevant for authorization tcode => RSD1
  3) Mark Leaf InfoObject as relevant for authorization tcode => RSD1
  4) Create authorization objects with 0TCTAUTHH and Leaf InfoObject => RSSM
  5) Define hierarchical authorizations tcode => RSSM
  6) Manual integration of authorization object in role tcode => PFCG
  7) Maintain authorization values tcode => PFCG
  8) Assign role to user tcode => PFCG or via Central User Administration
  For extracting structural authorizations from HR (mySAP ERP HCM) and mapping them in SAP BW to maintain consistency between the two systems, the tables of interest are:
  1) T77PR - for Structural Authorization profiles
  2) T77UA - for user assignments
  3) T77UU - for users (in this table you can select the users for extraction. You can either select all or specific users)

Structural Authorizations in SAP BW

The following steps show how Structural Authorization is enforced in SAP BW.
The following steps are to be carried out in the mySAP ERP HCM system.
  1) Call program RHBAUS02 for uploading Table T77UU and enter users.
  2) Call program RHBAUS00 for generating an index for structural authorization profile
  3) Activate Data source 0HR_PA_2.

The following steps are to be carried out in the SAP BW system.

  1) Replicate Data source 0HR_PA_2
  2) Activate ODS InfoProvider 0HR_PA_2
  3) Create an InfoPackage to perform an extraction for 0HR_PA_2
  4) Load ODS data from mySAP ERP HCM
  5) Mark InfoObjects as relevant for authorization (in order to use structural authorizations in SAP BW, all characteristic values like position, employee etc. which are relevant to reporting should be marked as authorization relevant InfoObjects)
  6) Create reporting authorization objects
  7) Link authorization objects to InfoCubes
  8) Call program RSSB_Generate_Authorizations.
