New SAP BI
7.0 Authorization concept (analysis authorization) change a lot in accessing,
analyzing and displaying BI information. The approach allow to restrict data
access on Key figure, Characteristic, Characteristic value, Hierarchy node, and
InfoCube levels. It enables more flexible data access management.
Analysis authorization is active by default in SAP BI 7.0 systems and I think it is worth to spend some time to look closer at the new concepts and the features. In part one of this two-article series, I will show you how you can restrict access to SAP BW reports on InfoObjects level.
Analysis authorization is active by default in SAP BI 7.0 systems and I think it is worth to spend some time to look closer at the new concepts and the features. In part one of this two-article series, I will show you how you can restrict access to SAP BW reports on InfoObjects level.
Initial settings
At the
beginning activate business content objects (TCode RSORBCT) related to
authorizations:
- InfoObjects 0TCA*
- InfoCubes 0TCA*
and set the
following InfoObjects as Authorization-Relevant:
- 0TCAACTVT (activity such as Display)
- 0TCAIPROV (InfoProvider authorization)
- 0TCAVALID (validity period of authorization)
- 0TCAKYFNM (if you want to restrict access to key figure)
Characteristics authorization
Use TCode RSA1, go to Modelling -> InfoObjects. Display properties of the characteristic to which you want to restrict access and set it as Authorization-Relevant.Characteristics values authorization
To authorize characteristics values you need to create new analysis authorization object through TCode
RSECADMIN. The following pictures show how to allow users to access the specific
sale organization (e.g., New York, San Francisco, Dallas).
1. Create new analysis authorization object using Tcode RSECADMIN (e.g., Z_SORG_B).
2. Choose characteristic and press Details button.
3. Select sales organization (e.g., 1612 - New
York, 1614 - San Francisco, 1615 - Dallas). Available operators: EQ -
single value, BT - range of values, CP - pattern ending with (*)
(e.g., abc*). You have also option to Include (I) or Exclude (E)
values.
Attributes authorization
To authorize navigational attributes, set them as Authorization-Relevant.
Hierarchies authorization
To grant authorization on hierarchy level edit or create
authorization object (e.g., Z_SORG_B), add hierarchy and nodes, and choose type
of authorization.
Key figure authorization
To grant authorization to particular key figure, add special
object 0TCAKYFNM to authorization object (e.g., Z_SORG_B), and choose
the key figure to be authorized.
Summary
InfoObject
level authorization gives you a great flexibility, but keep in mind system
limitations. Avoid setting too many characteristics as authorization relevant
(more than 10 in a query). All marked characteristics are checked for existing
authorization if they are in a query or in an InfoProvider that is being used.
Too much authorization objects may slow query execution. Exception are
characteristics with all (*) authorization.
If you want to check which
InfoObjects are authorization relevant in your BI system, use TCode RSECADMIN
-> Authorization Maintenance and display 0BI_ALL authorization. More
about 0BI_ALL you will find in the article on creating
and assigning authorization.
Remember that authorization do not work as a filters do. It means that the user who is executing the query, where characteristics are authorization relevant, must have sufficient authorization to the characteristics ("all-or-nothing" rule). Exceptions are hierarchies in the drill down and variables which are dependent on authorization.
Remember that authorization do not work as a filters do. It means that the user who is executing the query, where characteristics are authorization relevant, must have sufficient authorization to the characteristics ("all-or-nothing" rule). Exceptions are hierarchies in the drill down and variables which are dependent on authorization.
All the contents you mentioned in post is too good and can be very useful. I will keep it in mind, thanks for sharing the information keep updating, looking forward for more posts.
ReplyDeletesap bi training in hyderabad