Yes, 0TCAACTVT (activity), 0TCAIPROV (InfoProvider) and 0TCAVALID (validity) have to be made authorization relevant. For the info objects you want to use to control security, also make them authorization relevant in RSD1, imagine the object you want relevant is ZZ_VKORG (sales organization).

Then use RSCEADMIN transcation and 0BI_ALL will include the objects from above, copy 0BI_ALL into a object such as Z_1000 and then change the value for the specific info object that you want to control, imagine that you want sales org 1000 only to be allowed within Z_1000.

Now, you have 2 choices: You can use the normal security maintenance (SU01, PFCG) and you can asssign RSRS_AUTHBIAUTH and set BIAUTH requal to Z_1000 or you can use user maintenance directly within RSCEDAMIN and assign Z_1000 to the user. Either way, it becomes part of the authorization of the user.

You may find that you need to introduce colon authorization concept ( for mixed levels of data and that is just a matter of adding a second line to the allowable values and setting it like "EQ :".

Things to consider:

1. This authorization concept is water tight and will do everything you need, but will do at the expense that if you don't model it first, you will kill yourself trying to make it right. This becomes evident when you trace a security issue (via RSCEADMIN) because the way BI7.0 works is that it will build a minimized superset of authorizations, so it is best to know where you want to get to, rather than starting off by where you know you need to go.

2. To control change or display mode, you will need to influence 0TCAACTVT, even though you might think to use C_APO_SEL3 for ACTVT, the BI7.0 concept works within the BI space and 0TCAACTVT doesn't impact it.

3. If you activate more info objects, 0BI_ALL will get updated automatically but your custom authorization objecst will not. So, it is best to activate them all at the same time so that you don't have to manually change them.

4. Do the work in development and transport it to the TEST/QA/PROD environments, there are transprt tools within the RSCEADMIN.

This is probably enough to get you going, reply back if you have specific questions or issues.

I've been thru this in a painful way, sometimes the best things learned are learned the hard way

Hi Dave,

Thanks a lot for a very detailed feedback. I have another question on this. The moment I activate any info-object to be authorization relevant, does it automatically get updated into 0BI_ALL. I observed this behavior bcos I had not gone and made any changes to 0BI_ALL. However it has got updated with both the info-objects that I have made authorization relevant.

Regards,

Kedar