Authorization in SAP NW BI

1. MODELING

Difference between rssm and rsecadmin

RSSM
- Old transaction: RSSM
- Concept of authorization: 'Reporting Authorization'
- Assignment of Reporting authorization:
  - by pfcg: mass distribution of authorizations by using roles
  - by rssm: generation way (used with Business Content and flat file loading)
- Full Authorization: SAP_ALL, SAP_NEW
- Modeling:
  - IO marked as Authorization relevant
  - rssm is used to flag the relevant InfoProviders
  - rssm is used to customize Authorization objects
  - Authorization variables are used in BEx Query
  - pfcg to assign reporting authorization through the Object class: RSR
  - Query access managed by objects S_RS_COMP, S_RS_COMP1
  - Area Button/Access: S_RS_FOLD
  - Authorization for Cube, ODS, Hierarchy and InfoSet managed by: S_RS_ICUBE, S_RS_ODSO, S_RS_HIER, S_RS_ISET

RSECADMIN
- New transaction: RSECADMIN
- Concept of authorization: 'Analysis Authorization'
- Assignment of Analysis authorization:
  - by pfcg: mass distribution of authorizations by using roles
  - by rsecadmin: manual way -> Assignment -> Auth selection -> Insert
  - by rsecadmin: generation way (used with Business Content and flat file loading)
- Full Authorization: SAP_ALL, SAP_NEW
  - 0BI_ALL: allows full authorization for the authorization-relevant IOs
  - Used in the authorization object: S_RS_AUTH
  - Report 'RSEC_GENERATE_BI_ALL' for the SAP_ALL user
- Modeling:
  - IO + Navigation ATTR can be Authorization relevant
  - An authorization-relevant IO is authorization relevant for all the cubes it is used in
  - rsecadmin to define Analysis authorization with special IOs: 0TCAACTVT, 0TCAIPROV, 0TCAVALID
  - Authorization variables are used in BEx Query
  - pfcg to assign analysis authorization through the object S_RS_AUTH (Object Class: RS)
  - Query access managed by objects S_RS_COMP, S_RS_COMP1
  - Area Button/Access: S_RS_FOLD
  - Authorization for Cube and ODS for reporting users is managed by the special authorization characteristic 0TCAIPROV
  - S_RS_ICUBE, S_RS_ODSO, S_RS_HIER, S_RS_ISET: are not checked anymore for reporting users
  - S_RS_ICUBE, S_RS_ODSO, S_RS_HIER, S_RS_ISET: are used for allowing access to the developer team
  - New object to manage access for developer users:
  - New authorization objects for Web Application Designer & Report Designer: S_RS_BTMP, S_RS_BITM, S_RS_ERPT, S_RS_EREL

Step by Step

0. Pre-requisites
   RSECADMIN: Activate all business content related to authorizations before you get started:
   - InfoObjects: 0TCA* and 0TCT*
   - InfoCubes: 0TCA*
   Set the following InfoObjects as "authorization relevant":
   - 0TCAACTVT
   - 0TCAIPROV
   - 0TCAVALID
   - 0TCAKYFNM (optional, if key figure restriction needed)
   Add 0TCAIFAREA as an external hierarchy characteristic to 0INFOPROV (optional)

1. Set Master data Authorization relevant
   RSSM: RSA1 -> InfoObjects -> Business Explorer Tab -> Flag 'Authorization relevant'
   RSECADMIN:
   - RSA1 -> InfoObjects -> Business Explorer Tab -> Flag 'Authorization relevant'
   - RSA1 -> InfoObjects -> Attribute Tab -> Flag 'AuthorizRelevant'

2. Create Authorization Object / Analysis authorization
   RSSM: RSSM -> Enter the name of your Authorization object -> Create -> Put the authorization-relevant IOs in the selected InfoObjects part -> Save

3. Set InfoProvider
   RSSM: RSSM -> Select: 'Check for InfoCubes' -> Change -> Flag the related InfoCubes
   RSECADMIN: The authorization-relevant IOs are authorization relevant for all cubes

4. Create BEx variable for authorization
   1. Right click on the IO -> choose 'Restrict'
   2. Choose 'Selection' = 'Single Value' and 'from Hierarchy' = 'flat list'. If a hierarchy exists, select the hierarchy for the IO
   3. Go to the variables tab -> Right click -> 'New variable'
   4. For a restriction without hierarchy, the type of variable is 'Characteristic Value'; if you have chosen a hierarchy, the type of variable is 'Hierarchy node'
   5. Select a variable name & a description
   6. Choose 'Processing by' = 'Authorization', then check the characteristic and click 'Next'
   7. Choose the display area for the variable -> Variable represents = 'Single Value' or 'Selection Option'
   8. Choose if the variable entry is optional or mandatory
   9. Don't select 'Ready for input' and 'Can be changed in query navigation'
   10. Click 'Next' through to the end

5. Insert Authorization in Role

6. Assign Authorization / Role to Users

2. AUTHORIZATION

Reporting User: Authorization for End User
- S_RS_AUTH: Insert here the Analysis Authorization you customized in RSECADMIN. Grants rights on IOs marked as 'authorization relevant' (Data)
- S_RS_COMP: Query Accessibility
  - Activity: 01 (Create or generate), 02 (Change), 03 (Display), 06 (Delete), 16 (Execute), 22 (Enter, Include, Assign)
  - InfoArea: '*'
  - InfoCube: <Selected infoprovider>
  - Name (ID) of a reporting component: <Selected query>
  - Type of a reporting component: CKF (Calculated key figure), QVW (Query View), REP (Query), RKF (Restricted key figure), SOB (Selection object, New object !!!), STR (Template structure), VAR (Variable)
- S_RS_COMP1: Query for specific users
- S_RS_FOLD (Hide 'Folder' Pushbutton): 'False' or 'True'
- S_USER_AGR: Role Name
- S_RS_BITM: !!! NEW !!!
- S_RS_BTMP: !!! NEW !!!

Developer
- S_DEVELOP
- S_RO_BCTRA: on the ECC side, to activate (remote) DataSources
- S_RS_BC
- S_RS_BCS
- S_GUI
- S_RS_DS: Authorizations for working with the DataSource or its sub-objects (as of SAP NetWeaver 2004s)
- S_RS_ISNEW: Authorizations for working with new InfoSources or their subobjects (as of SAP NetWeaver 2004s)
- S_RS_DTP: Authorizations for working with the data transfer process and its subobjects
- S_RS_TR: Authorizations for working with transformation rules and their subobjects
- S_RS_CTT: Authorizations for working with currency translation types
- S_RS_UOM: Authorizations for working with quantity conversion types
- S_RS_THJT: Authorizations for working with key date derivation types
- S_RS_PLENQ: Authorizations for maintaining or displaying the lock settings
- S_RS_RST: Authorization object for the RS trace tool
- S_RS_PC: Authorizations for working with process chains
- S_RS_OHDEST: Open Hub Destination
- S_RS_DAS: Authorizations for working with Data Access Services
- S_RS_BTMP: Authorizations for working with BEx Web templates
- S_RS_BEXTX: Authorizations for the maintenance of BEx texts

Authorization objects for the administration of analysis authorizations
- S_RSEC: Authorization for assignment and administration of analysis authorizations
- S_RS_AUTH: Authorization object to include analysis authorizations in roles
- S_RS_ADMWB: Changed Authorization Objects (Data Warehousing Workbench: Objects)

General
- S_RFC: Authorization Check for RFC Access
  - Activity: 16
  - Name of RFC to be protected: *
  - Type of RFC object to be protected: FUGR
- S_TCODE: Transaction Code Check at Transaction Start
  - Transaction Code: SE37, RRMX, RRMXP
- S_GUI: Authorization for GUI activities
  - Activity: 02, 60, 61
- S_BDS_DBC-SRV-KPR-BDS: Authorizations for Accessing Documents
  - Activity: 03
  - BDS: Data element for LOIO cla *

3. ASSIGNMENT
- Generation (rsecadmin)
- Role (pfcg)

4. TECHNICAL

Tables
- RSECVAL: Authorization Value Status
- RSECUSERAUTH: BI AS Authorizations: Assignment of User Auth.

Function Modules
- RSEC_AUTHORITY_CHECK_IPROV
- RSEC_AUTH_GET_IOBJ_RELEVANT
- RSEC_CHECK_IPROV
- RSEC_CHECK_VALIDITY
- RSEC_COMPLETE_HIERAUTH
- RSEC_GET_AUTH_FOR_USER
- RSEC_GET_AUTH_HIER_FOR_USER
- RSEC_ASSIGN_AUTHS_TO_USERS
- RSEC_GET_ALL_GENERATED_AUTHS
- RSEC_READ_ODS_HIER
- RSEC_READ_ODS_USER_AUTH
- RSEC_READ_ODS_VAL
- RSEC_AUTHORIZATIONS_OF_USER
- RSEC_GET_AUTH_FOR_USER_RFC

Authority check

Here are some links:
- Get Authorization Detail (Function Module)
- Authorisation Check Program
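
An audit sketch for the two assignment paths described above (direct assignment, stored in RSECUSERAUTH, and role assignment through S_RS_AUTH), listing every user for whom 0BI_ALL is effective. This is an added example, not code from the original page or from SAP; the row layouts, role names, user names and the wildcard handling are assumptions, and all sample data is constructed.

```python
from fnmatch import fnmatchcase

FULL_AUTH = "0BI_ALL"  # full analysis authorization named on the page

# Constructed sample data (not from a real system).
# Direct assignments, assumed export of RSECUSERAUTH: (user, analysis auth).
DIRECT = [("ALICE", "Z_SALES_EU"), ("BOB", "0BI_ALL"), ("CAROL", "Z_FIN_DE")]
# Role contents, assumed export: (role, value maintained for S_RS_AUTH).
ROLE_AUTHS = [
    ("Z_BI_REPORTING", "Z_SALES_*"),
    ("Z_BI_POWER", "*"),       # wildcard: matches every analysis authorization
    ("Z_BI_LEGACY", "0BI*"),   # prefix pattern that also matches 0BI_ALL
]
# Role membership, assumed export: (role, user).
ROLE_USERS = [("Z_BI_REPORTING", "ALICE"), ("Z_BI_POWER", "CAROL"),
              ("Z_BI_LEGACY", "DAVE"), ("Z_BI_REPORTING", "DAVE")]


def grants_full_auth(value: str) -> bool:
    """True if an assigned name or S_RS_AUTH pattern covers 0BI_ALL."""
    # Assumption: '*' is the only wildcard used in the exported values.
    return fnmatchcase(FULL_AUTH, value.strip())


def full_auth_holders(direct, role_auths, role_users):
    """Map user -> sorted list of paths through which 0BI_ALL is effective."""
    findings = {}
    for user, auth in direct:
        if grants_full_auth(auth):
            findings.setdefault(user, set()).add("direct:" + auth)
    # Roles whose S_RS_AUTH value covers 0BI_ALL, exactly or by pattern.
    risky_roles = {}
    for role, value in role_auths:
        if grants_full_auth(value):
            risky_roles.setdefault(role, value)
    for role, user in role_users:
        if role in risky_roles:
            findings.setdefault(user, set()).add(
                f"role:{role}={risky_roles[role]}")
    return {user: sorted(paths) for user, paths in sorted(findings.items())}


if __name__ == "__main__":
    holders = full_auth_holders(DIRECT, ROLE_AUTHS, ROLE_USERS)
    for user, paths in holders.items():
        print(user, "->", ", ".join(paths))
```

A role that carries `*` or a broad prefix in S_RS_AUTH hands out 0BI_ALL without the name ever appearing in the role, which is why the check matches patterns rather than searching for the literal string.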