Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Showing results for 
Search instead for 
Did you mean: 

Objectlevel Security in SAP BI

Former Member
0 Kudos

Hi Gurus,

Implementation of Object level security in BI system. Customer is looking to Implement BI security model for a new piece of functionality that they are setting up in BI (Commissions processing) specifically in the area of SD (Sales Distict, Office, Group, etc.).

Kindly suggest me how do i apply Object level security in BI for large number of People.

I have 3 characteristics to Restrict in Analysis Authorization.

0SALES_DIST: 300001, 300002, 300003, 300004

0SALES_OFF: 3010, 3011, 3012, 3020, 3021, 3022

0SALES_GRP: 3AA ,3AB, 3AC, 3AF, 3AG, 3AH

Kindly suggest me the best method to Implement. System is BI 7.0.

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hi Syed,

Your question is at a very high level. Without knowing what your users require, no one can recommend a better solution. However, ensure to have 1 PFCG role that gives authorization to S_RS_COMP with the required Infoarea/Infocubes and queries.

If you are making any of the below characterstic values as authorization relevant, you need to create analysis authorizations for the same.

0SALES_DIST: 300001, 300002, 300003, 300004

0SALES_OFF: 3010, 3011, 3012, 3020, 3021, 3022

0SALES_GRP: 3AA ,3AB, 3AC, 3AF, 3AG, 3AH

If you wish to seperate the authorizations on indiviidual sales off, dist, and group, you need to have indiviudal AA. If you need a mix and match like 1st sales_dist, and 2nd Sales off, and 3rd sales groups, you will have to have 4X6X6 Analysis authorizations.

Regards,

Raghu

7 REPLIES 7

Former Member
0 Kudos

Hi Syed,

Your question is at a very high level. Without knowing what your users require, no one can recommend a better solution. However, ensure to have 1 PFCG role that gives authorization to S_RS_COMP with the required Infoarea/Infocubes and queries.

If you are making any of the below characterstic values as authorization relevant, you need to create analysis authorizations for the same.

0SALES_DIST: 300001, 300002, 300003, 300004

0SALES_OFF: 3010, 3011, 3012, 3020, 3021, 3022

0SALES_GRP: 3AA ,3AB, 3AC, 3AF, 3AG, 3AH

If you wish to seperate the authorizations on indiviidual sales off, dist, and group, you need to have indiviudal AA. If you need a mix and match like 1st sales_dist, and 2nd Sales off, and 3rd sales groups, you will have to have 4X6X6 Analysis authorizations.

Regards,

Raghu

0 Kudos

Thanks Raghu,

Role Design is in Place. They have restriction to Query based on S_RS_COMP and Created AA and made Info object Authorization Relevant. I am sorry for the high level description earlier. Hope this is explanatory.

Now there are 3 characteristics 0SALES_DIST, 0SALES_OFF, 0SALES_GRP to be Maintained in Analysis Authorization. These 3 characteristics have Huge values (Example 0 - 1000) Individually. And there are 400 End Users. Characteristic Values for each User is different. So one way is to create individual AA for each specific Combination and create separate Role and Assign it to User. But this will create huge Number of AA and Roles.

So if there is any other alternative to solve this, Please Suggest

0 Kudos

Hi Syed,

You might be able to do something with hierarchy authorizations. If you create a hierarchy out of sales district / office / group, you can secure based on the hierarchy levels rather than individual values. That would help reduce the number of AA you need. Of course, that won't work if authorization will be different for every user.

Another thing to think about is whether you want to include your AA in roles. You can assign them manually instead. So you'd have a single, generic reporting role for instance and many AA. Then each user would get the reporting role and whatever combination of AA meets their needs. But that means more work for the security team when setting up users. So you have to decide which will save more time - maintaining fewer roles or updating users.

Regards,

Krysta

0 Kudos

Thanks Krysta Osborn,

I have come up with a Model. I would create Individual AA for each Value of Sales district, sales office and sales group and add it an Individual Role.

So that the combination of above Roles will give the Required access to end user. I found this as a easy way. Rather than to create AA for permutation and combination of all values of sales area which will go up to 2500+ AA and Roles.

Thank you for your suggestions.

Regards

Syed Zameer

0 Kudos

Hi Syed,

Analaysis authorizations are more flexible than Hirerachy authorizations.

However, the solution is simple. You doesn't require to create 100s of Analysis authorization and can use the user exits, or the variables instead. The below articles provides you detailed information on implementing them, which means you can achieve with a single anaysis authorization

http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/9000928e-dd3d-2e10-9ca1-a00f24930...

http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/b0b3fb3f-a21c-2e10-3a9c-efc3e5999...

Regards,

Raghu

0 Kudos

Thanks Raghu, These links are very helpful.

Former Member
0 Kudos

I have adopted the idea shared by Raghu bodda. Thanks to him.