Authorization in SAP NW BI

1. MODELING

Difference between rssm and rsecadmin

RSSM RSECADMIN

Old transaction: RSSMConcept of authorization: 'Reporting Authorization'

New transaction : RSECADMINConcept of authorization: 'Analysis Authorization'

Assignement of Reporting authorization:* by pfcg: mass distribution of auth by using role

by rssm: generation way (use with Business Content and flat files loading)

Assignement of Analysis authorization :* by pfcg: mass distribution of auth by using role,

by rsecadmin: manual way -> Assignement -> Auth selection ->Insert, by rsecadmin: generation way (use with Business Content and flat files loading)

Full Authorization: SAP_ALL, SAP_NEW Full Authorization: SAP_ALL, SAP_NEW

 0BI_ALL: * Allow full authorization for the IO authorization relevant,

Used in the authorization object: S_RS_AUTH, Report 'RSEC_GENERATE_BI_ALL' for the SAP_ALL user,

Modeling:* IO marked as Authorization relevant,

rssm enable to flag relevant infoprovider, rssm are used to custom Auhthorization object, Authorization variable are used in Bex Query, Pfcg to assign reporting authorization trough the Object class: RSR, Query access manage by object S_RS_COMP, S_RS_COMP1, Area Button/ Access : S_RS_FOLD, Authorization for Cube, ODS, Hierarchy and infoset managed by: S_RS_ICUBE, S_RS_ODSO, S_RS_HIER, S_RS_ISET.

Modeling:* IO + Navigation ATTR can be Authorization relevant,

An IO auth relevant is auth relevant for all the cube he is used, rsecadmin to define Analysis authorization with sepcial IO : 0TCAACTVT, 0TCAIPROV, 0TCAVALID, Authorization variable are used in Bex Query,  pfcg to assign analysis authorization through the object S_RS_AUTH (Object Class: RS), Query access manage by object S_RS_COMP, S_RS_COMP1, Area Button/ Access : S_RS_FOLD, Authorization for Cube and ODS for reporting user are managed by the special authorization characteristic 0TCAIPROV, S_RS_ICUBE, S_RS_ODSO, S_RS_HIER, S_RS_ISET: are not checked anymoe for reporting user.

S_RS_ICUBE, S_RS_ODSO, S_RS_HIER, S_RS_ISET: are used for allowing access to developper team, New object to manage acess for developper

user:

-New object authorization for Web application Designer & Report Designer:* S_RS_BTMP,

S_RS_BITM, S_RS_ERPT, S_RS_EREL.

Step by StepRSSM RSECADMIN

0. Pre-requisites -Activate all business content related to authorizations before you get started:* InfoObjects: 0TCA* and 0TCT*

InfoCubes: 0TCA* Set the following InfoObjects as "authorization relevant":* 0TCAACTVT 0TCAIPROV 0TCAVALID 0TCAKYFNM (optional, if key figure restriction needed) Add 0TCAIFAREA as an external hierarchy characteristic to 0INFOPROV (optional)

1. Set Master data Authorization relevant

RSA1 -> InfoObjects -> Business Explorer Tab -> Flag 'Authorization relevant

RSA1 -> InfoObjects -> Business Explorer Tab -> Flag 'Authorization relevant RSA1 -> InfoObjects -> Attribute Tab -> Flag 'AuthorizRelevant'

2. Create Authorization Object/ Analysis authorization

RSSM -> Enter the name of your Authorization object -> Create -> Put IO Authorization relevant in the selected InfoObjects part -> Save

3. Set Infoprovider RSSM -> Select: 'Check for InfoCubes' -> Change -> Flag the related InfoCubes

 The IO authorization relevant are authorization relevant for all cubes

4. Create BEX variable for authorization

1. Right click on the IO -> choose 'Restrict'2. Choose 'Selection' = 'Single Value' and 'from Hierarchy' = 'flat list'If a hierarchy exists, select the hierarchy for the IO3. Go on the variables tab -> Right click -> 'New variable'4. For a restriction without hierarchy, the type of variable is 'Characteristic Value' and if you have choose a hierarchy, the type of variable is 'Hierarchy node'5. Select a variable name & a description6. Choose 'Processing by': = 'Authorization' then check the characteristic and click 'next'7. Choose the display area for the variable -> Variable represents: = 'Single Value' or 'Selection Option'8. Choose if the variable entry is Optional or mandatory,9. Don't select 'Ready for input' and 'Can be changed in query navigation10. Next to the end 

5. Insert Authorization in Role

6. Assign Authorization/ Role to Users

2. AUTHORIZATION Reporting User: Authorization for End User

o S_RS_AUTH: o Insert here the Analysis Authorization you customize in Rsecadmin. o Allow right on IO marked as 'authorization relevant' (Data) o S_RS_COMP : Query Accessibility o Activity: 01 (Create or generate), 02 (Change), 03 (Display), 06 (Delete), 16 (Execute),

22 (Enter, Include, Assign)

o InfoArea: '*' o InfoCube: <Selected infoprovider> o Name (ID) of a reporting component: <Selected query> o Type of a reporting component: CKF (Calculated key figure), QVW (Query View), REP

(Query), RKF (Restricted key figure), SOB (Selection object, New object !!!), STR (Template structure), VAR (Variable)

o S_RS_COMP1 : Query for specific users o S_RS_FOLD ( Hide 'Folder' Pushbutton): 'False' or 'True' o S_USER_AGR: Role Name

 S_RS_BITM : !!! NEW !!! S_RS_BTMP : !!! NEW !!!

Developper

o S_DEVELOP o S_RO_BCTRA in ECC side for activate (remote) Datasource o S_RS_BC o S_RS_BCS o S_GUI o S_RS_DS: Authorizations for working with the DataSource or its sub-objects (as of SAP

NetWeaver 2004s) o S_RS_ISNEW: Authorizations for working with new InfoSources or their subobjects (as

of SAP NetWeaver 2004s) o S_RS_DTP: Authorizations for working with the data transfer process and its subobjects o S_RS_TR: Authorizations for working with transformation rules and their subobjects o S_RS_CTT: Authorizations for working with currency translation types o S_RS_UOM: Authorizations for working with quantity conversion types o S_RS_THJT: Authorizations for working with key date derivation types o S_RS_PLENQ: Authorizations for maintaining or displaying the lock settings o S_RS_RST: Authorization object for the RS trace tool o S_RS_PC: Authorizations for working with process chains o S_RS_OHDEST: Open Hub Destination o S_RS_DAS: Authorizations for working with Data Access Services o S_RS_BTMP: Authorizations for working with BEx Web templates o S_RS_BEXTX: Authorizations for the maintenance of BEx texts Authorization objects for

the administration of analysis authorizations o S_RSEC: Authorization for assignment and administration of analysis authorizations o S_RS_AUTH: Authorization object to include analysis authorizations in roles o S_RS_ADMWB: Changed Authorization Objects (Data Warehousing Workbench:

Objects)

General

o S_RFC: Authorization Check for RFC Access: o Activity 16 o Name of RFC to be protected * o Type of RFC object to be protetected: FUGR

o S_TCODE: Transaction Code Check at Transaction Start o Transaction Code SE37,RRMX, RRMXP o S_GUI: Authorization for GUI activities o Activity 02, 60, 61 o S_BDS_DBC-SRV-KPR-BDS: Authorizations for Accessing Documents o Activity 03 o BDS: Data element for LOIO cla *

3. ASSIGNEMENT Generation (rsecadmin)

Role (pfcg)

4. TECHNICAL Tables

o  RSECVAL : Authorization Value Status, o  RSECUSERAUTH : BI AS Authorizations: Assignment of User Auth.

 Function Modules:

o  RSEC_AUTHORITY_CHECK_IPROV o  RSEC_AUTH_GET_IOBJ_RELEVANT o  RSEC_CHECK_IPROV o  RSEC_CHECK_VALIDITY o  RSEC_COMPLETE_HIERAUTH o  RSEC_GET_AUTH_FOR_USER o  RSEC_GET_AUTH_HIER_FOR_USER o  RSEC_ASSIGN_AUTHS_TO_USERS o  RSEC_GET_ALL_GENERATED_AUTHS o  RSEC_READ_ODS_HIER o  RSEC_READ_ODS_USER_AUTH o  RSEC_READ_ODS_VAL o  RSEC_AUTHORIZATIONS_OF_USER o  RSEC_GET_AUTH_FOR_USER_RFC

Authority checkHere some links:

o Get Authorization Detail (Function Module) o Authorisation Check Program