
Help regarding BI Authorization

Former Member
0 Kudos

Hi Experts,

I am working for the first time on BI analysis authorization and I have the queries below to be clarified. Can you all please clarify my queries and help me?

1. In the project, we will not use HR and will therefore have to do local maintenance of authorizations in each system (for data access, we will also use a central identity management system). This will for sure affect the possibility of the automatic generation of authorizations. My first question is: can it still be used at all (can we load some data via flat-file or maintain some master data in BI)?

2. Is the concept of having queries linked to PFCG roles to be used at all in BI 7 (according to SAP standard), or is the thought that InfoProvider authorization should be used instead via 0TCAIPROV?

3. Is the following a correct way to do authorizations in BI 7, or if there is something that should be changed to comply with standard?

- Make the following characteristics authorization relevant: 0COMP_CODE, 0SALESORG, 0PLANT

- Activate the technical content for analysis authorizations: 0TCA*

- Create authorizations in RSECADMIN, where we link an authorization object to a characteristic value (for instance, assign object: "XY" to characteristic=0comp_code with value=1010)

- Link the authorizations just created to PFCG roles (for instance create a PFCG role "XY access" which gives access to company code 1010).

- Create PFCG roles for "Report User" and "BW Developer" which have access to read respective create/change/delete rights of queries.

- Create PFCG roles with certain queries linked to them.

- Assign the PFCG roles to BW Users.

4. Does the BI 7 authorization concept enable the use of user groups, or should authorizations be assigned on a user to user basis?

5. What happens if I make a characteristic authorization relevant and then include this characteristic in a query and do not do any restriction on this characteristic (i.e. I do not provide any auth values to the system), will I then get an authorization error?

6. If automatic generation of user authorizations is used together with for instance SAP HR and loaded daily, does this mean that any other manual authorization assignments will be deleted/reset upon the next automatic generation?

7. Is the following a correct way to do authorizations in BI 7, or if there is something that should be changed to comply with standard?

- Make the following characteristics authorization relevant: 0COMP_CODE, 0SALESORG, 0PLANT

- Activate the technical content for analysis authorizations: 0TCA*

- Create authorizations in RSECADMIN, basically one object that has a restriction for each of the authorization relevant characteristics and that uses different customer exit variables to determine which values to use. This customer exit then reads some table (which we maintain manually in BI) to find the values for each user based on user name.

- Link the authorization just created to a PFCG role.

- Give all reporting users this PFCG role.

- Create PFCG roles with certain queries linked to them.

- Assign the PFCG query roles to users.

Thank you very much in advance for helping.

Thanks & Regards,

Sharath

3 REPLIES

Former Member
0 Kudos

Hi Sharath,

This looks like a project plan / steps that you have been given and refers to HR. It would be helpful to distill this into a specific list of questions rather than asking for comments on someone's design doc/plan.

Former Member
0 Kudos

Sharath,

Here are some insights/replies to the list of questions you supplied. BW Security can be complicated but the trick is NOT to allow the requirements to allow it to be complicated.

1) Are you sure you don't mean the IdM system will assist with role-based access assignments? If that is the question then, yes. For the data access (linked to roles via S_RS_AUTH : Analysis Authorizations) you could employ a flat-file load to DSOs and variable security on the authorization relevant characteristics.

2) Yes, you will need to have authorizations to queries/reports via S_RS_COMP/S_RS_COMP1 still maintained in the roles. The InfoProvider (data access) will be maintained in the Analysis Authorization (S_RS_AUTH). You need to have both in order to successfully pass the auth checks from query/report to data.

3) Fundamentally (BW Security 101) sounds correct but again it typically depends on the implementation and requirements on how you set up the analysis authorizations along with the roles.

4) Not sure what you mean about "user groups". Analysis Authorizations can be assigned to "Users" or "Roles". You could always assign roles to user groups via SU10 or via an IdM solution.

5) Depends on how it's used in the query. If the query is dependent on a value to render the report (included in initial SQL stmt) then you will get "No Authorization". If it's set up as a free characteristic or drill-down, then you won't get an authorization error until a statement checks values for authorization.

6) Depends on how it was implemented. Refer to #3.

Hope that helps a little.

Thanks,

Matt
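
A pre-load review of the kind of flat file suggested in point 1 above, reconciled against the holders of query roles because point 2 says both sides must pass. This is an added example, not part of the thread: the file layout, user names, values and the `ZREGION` characteristic are constructed, and only the three authorization-relevant characteristics come from the question.

```python
import csv
import io

# Authorization-relevant characteristics named in the question.
RELEVANT = {"0COMP_CODE", "0SALESORG", "0PLANT"}

# Constructed sample of a manually maintained flat file (layout is an assumption).
SAMPLE_FLAT_FILE = """user,characteristic,value
ALICE,0COMP_CODE,1010
ALICE,0SALESORG,1000
ALICE,0PLANT,*
BOB,0COMP_CODE,1010
BOB,ZREGION,4711
CAROL,0COMP_CODE,1010
CAROL,0SALESORG,1000
CAROL,0PLANT,1200
"""

# Constructed sample: users holding a PFCG query role (the S_RS_COMP side).
QUERY_ROLE_USERS = {"ALICE", "BOB", "DAVE"}


def load_values(text):
    """Parse the flat file into {user: {characteristic: set(values)}}."""
    table = {}
    for row in csv.DictReader(io.StringIO(text)):
        user = row["user"].strip().upper()
        char = row["characteristic"].strip().upper()
        table.setdefault(user, {}).setdefault(char, set()).add(row["value"].strip())
    return table


def review(text, query_role_users):
    """Return sorted (user, finding) pairs to resolve before the file is loaded."""
    table = load_values(text)
    findings = []
    for user, chars in table.items():
        for char, values in chars.items():
            if char not in RELEVANT:
                findings.append((user, f"{char}: not authorization relevant"))
            elif "*" in values:
                findings.append((user, f"{char}: wildcard grants all values"))
        for char in RELEVANT - set(chars):
            findings.append((user, f"{char}: no value maintained"))
        if user not in query_role_users:
            findings.append((user, "data values but no query role"))
    for user in query_role_users - set(table):
        findings.append((user, "query role but no data values"))
    return sorted(findings)
```
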

Former Member
0 Kudos

Hi Matthew,

Thanks for your valuable time and reply.

Regards,

Sharath