Professional Documents
Culture Documents
Step-by-Step SAP BI Security: Kamaljeet - Kharbanda
Step-by-Step SAP BI Security: Kamaljeet - Kharbanda
Actions
kamaljeet.kharbanda
Login to follow, like, comment, share and
Step-by-Step SAP BI Security bookmark content.
Posted by Kamaljeet Kharbanda in kamaljeet.kharbanda on Feb 26, 2009 5:32:09 PM Login Register
Previous
Next
Share 4 2 Like 5
SAP BI security is an integral part of any BI implementation. Integrating all the data coming from various source
systems and providing the data access based on the user’s role is one of the major concerns of all the BI Projects.
Security of SAP R/3-ECC systems are based on the activities while SAP BI security is focused on what data user can
access. Security in BI is categorized by major 2 categories:
Administrative Users – The way we maintain security for administrative users is same as ECC security but we have
additional authorization objects in system which are defined only for BI objects.
Reporting Users– We have separate tools(Analysis Authorization) to maintain security for reporting users.
What is Authorization Object?
It allows to check whether a user is allowed to perform a certain action. Actions are defined on the fields, and each
field in authorization object should pass the check. We can check all the Standard BI Authorization Objects using postpost
tcode SU21 under the Business Warehouse folder:
Filter Blog
By date:
---
By tag:
data_mining dtp
Recent Posts
Step-by-Step SAP BI Security
With the SAP BI 7.0 we have new tool to maintain the reporting level security. We can access this new tool using tcode BEx : Characteristic Variable with Replacement Path
RSECADMIN which replaces the old RSSM tool of BW 3.x. 'Error DTP' - BI@2004s
Real-Time Data Acquisition -BI@2004s
## Below are the Step-by-Step instructions to create/maintain authorization objects for SAP BI Reporting:
I am covering the scenario where each employee (Sales Team) is assigned with one territory number, and the data SAP Analytics Applications Part-1
should be accessible to employee based on their territory only. For this scenario to work we have to set security XI-BI Integration
restriction for the corresponding territory InfoObject (ZDWSLTER). SAP NetWeaver.....complete information integration
platform
# The first step before we create any Authorization Object is to set all the InfoObjects as authorization relevant for
SAP Analytics Applications
which we want to restrict data access.
DISSIMILAR SIMILARITIES- THE CLUSTER ANALYSIS
Customer prioritization using ABC Classification Model
Incoming Links
Re: How to Create Authorization/Role based on
GL Account
Re: Analysis Authorization x S_RS_COMP
Re: BW Authorization
converted by Web2PDFConvert.com
Authorization Objects on InfoObject’s of type Characteristic:
# For accessing the new Analysis Authorization tools we use tcode RSECADMIN -> Authorizations Tab ->
Maintenance Button
# We have to give the technical name of the Authorization Object (ZDWKJTEST) then hit the create button:
converted by Web2PDFConvert.com
# The very first step of creating any Authorization Object is to add the special characteristics as field for restirction:
# The below 3 characteristics are mandatory for defining any Authorization Object. If we don’t have this we will get no
access to any InforProvider. By default this gives us access to all the InfoProvider(Full Access), but we can also set
the value of InfoProvider for which we want the Authorization Object to work.
converted by Web2PDFConvert.com
# We can double click on the newly added infobject, and can define the value which we want to allow for this
InfoObject. We can also set the dynamic value using Customer Exit Code which we will cover later in this blog.
converted by Web2PDFConvert.com
Assigning Authorization Objects to Users:
# Go back to previous screen (RSECADMIN) by hitting the back button, and click on assignment button under user
tab:
# Now we can assign the created Authorization Object to any user using this tool.
# Adding the created Authorization Object (ZDWKJTEST) to the user ZNBITSRTS. I will be using the same user
through out this blog for running any query so that it can use the restrictions which are applying using the
Authorization Object.
converted by Web2PDFConvert.com
# We can also assign the authorization to users through role/profile using the standard Authorization Object
S_RS_AUTH:
# We can check the Authorization Objects assigned using roles/profile for any user using tcode RSU01 or we can
also use the path tcode RSECADMIN->user tab->assignment->user->role-based
# User with Authorization Object 0BI_ALL is having full access to data, and can overwrite any other Authorization
Objects assignment to it.
converted by Web2PDFConvert.com
# Query on InfoProvider with Authorization Objects: Below is the test query in which I added the InfoObject for which
we created the test Authorization Object (ZDWKJTEST).
# I am running the query with the same user name (ZNBITSRTS) whom we assigned the Authorization Object
(ZDWKJTEST).:
# The query output displays the authorization error, and we can check the error log using tcode RSECPROT:
converted by Web2PDFConvert.com
# The below log explains we are missing with some of the characteristics for the created object. Logically we can
think that we are only using one characteristic in our query and we did add it in Authorization Object, but why still we
are getting Authorization Error? The reason is we always have to add all the authorization relevant InfoObject’s of the
InfoProvider on which we created query.
converted by Web2PDFConvert.com
# Now I added all the missing InfoObject’s with full access for the Authorization Object (ZDWKJTEST):
# I have restricted the query with input ready variable on InfoObject territory (ZDWSLTER):
# Running the query with the same territory what I assigned for territory field of Authorization Object:
converted by Web2PDFConvert.com
# The query returns output without any authorization error:
# We can check the log in RSECPROT for the last run of query:
# We got the authorization error because of the value which we assigned for the object is not same as what we
passed:
converted by Web2PDFConvert.com
# Authorization Variable on Query:
Using the Authorization Variable we can populate the value of InfoObject at run-time directly from the Authorization
Object field’s value.
# If we have authorization variable defined for the query and when we run the query it will not prompt us for the variable
selection screen & will run the query directly for the value we defined for the field of the Authorization Object.
converted by Web2PDFConvert.com
# Rather than assigning the fixed values in the authorization object, we can also define the technical name of the
customer exit variable in the field’s value starting with ‘$’ symbol which will read the value of Authorization at query
run-time based on the return value of customer exit code:
# Below is the sample code which reads the territory based on the portal login-id from the reference table which we
have in our BI system:
converted by Web2PDFConvert.com
# Even though the division object is having full authorization access, still when we run the query we get authorization
error:
# By checking authorization log we can clearly see even though the query is not using territory InfoObject it still checks
for its value at query runtime because this object is part of InfoProvider on which we have defined the query:
converted by Web2PDFConvert.com
# To avoid the authorization check for the objects which are not being used in the query definition we should always
add ‘:’ symbol in the authorization object field value which allows queries to run for all the values of object even if the
object is not the part of the query:
# Once we defined ‘:’ now the query works fine (without any authorization failure):
converted by Web2PDFConvert.com
# Output of query:
# We can restrict this query to show the data only for one key figure. For this we just have to add the required key figure
(Record Count - ZDWCOUNT) as value for the field 0TCAKYFNM of our test authorization object (ZDWKJTEST).
# Now if we run the same query it will not show data for any other key figure except the one which we added in the
authorization object definition.
converted by Web2PDFConvert.com
# The log also explains the reason of authorization error for 2nd key figure:
# When we run the query it shows data for all the data brands as well the not-assigned brands:
# We can restrict the hierarchy using Authorization Object to show data only for 1st Node of above displayed hierarchy:
converted by Web2PDFConvert.com
# We can restrict the hierarchy using Authorization Object to show data only for 1st Node of above displayed hierarchy:
# Selected the Type of Authorization as ‘1’ which will allow the hierarchy to show all the nodes which are below the
selected node:
converted by Web2PDFConvert.com
# After adding the authorization on brand hierarchy now we only see the data for node which we restricted in the
hierarchy authorization value:
16871 Views
Share 4 2 Like 5
23 Comments
Thank you for the great information. This helps me understand the Analysis Authorization concept
well.
I have one question regarding Customer Exit. Could you please let me know how to create a
customer exit variable like what you did for $ZTA?
Thank you.
Inkyung
Like (0)
converted by Web2PDFConvert.com
You don't have to create any variable for it, just define it in your CMOD code and it will take
care of it automatically.
Basically when you run any query it always check for authorization of all the auth relevant
objects, and if in the auth object you have defined any value starting with '$' it checks the
code of CMOD to get the value of that field at runtime.
Kamaljeet
Like (0)
Birgit Stephan Sep 18, 2009 8:43 AM (in response to Kamaljeet Kharbanda)
Hello Kamaljeet,
thank you very much for this great blog.
I created also authorization object with filling by customer exit variable, so I was a
little unsure about your comment:"You don't have to create any variable for it, just
define it in your CMOD code and it will take care of it automatically. "
When I assign a variable for example $ABC in
rsecadmin and this variable is not available
I get the following message:
"This variable does not exist or does not have type Customer Exit.
Create a variable in the Query Designer ..."
I also get this message, when the variable is
available in cmod.
Kamaljeet
Like (0)
Kamaljeet Kharbanda Mar 11, 2009 7:31 PM (in response to Kamaljeet Singh)
Thanks Kamaljeet ... good to see someone by same name as mine and that too in the
same field :o)
Like (0)
converted by Web2PDFConvert.com
In portal, I need to restrict users based on company code.
When US users logged on to portal, they needs to look at the reports, which has the company code
value CC10
When Canadian users logged on to portal, they needs to look at the report, which has the company
value CC20
When Europian users logged on to portal, they needs to look at the report, which has the company
value CC30
Director of the company needs to look at all the reports, Company code values CC10, CC20 and
CC30.
For this I followed these steps:
1. Info object 0COMP_CODE, checking Authorization relevent flag in business explorer flag
2. Tran RSECADMIN, Click Maintenance, create Authorization object, then add special characteristics
(0TCAACTVT, 0TCAIPROV, 0TCVALID) and adding the 0COMP_CODE and double click on
0COMP_CODE and giving the value $ZCOMP and save it.
3. Assigning this Authorization object to the role using standard authorization object S_RS_AUTH
4. In the report, for the 0COMP_CODE, create a new variable ZAUTH_VAR with processing by option
Authorization
5. Based on user logon id, there is a process to identify which company code he belongs --> This is
gap
for me --> Please advise
6. CMOD, variable exit
CASE I_VNAM.
WHEN 'ZCOMP'or 'ZAUTH_VAR' ?
IF I_STEP = 0.
---> This is gap for me. Please advise.
Thanks,
Ashh.
Like (0)
For this I'm planning to make 0CRM_SALESP as authorization relavent and create a variable
authorization objects with $ value and based on user exit it will pull reports related with that partner.
Problem is if I go with this option then the employees who need to view all reports will not be able to
do so.
Is there a alternate way where I can be able to both at the same time.
Best Regards,
Kishore
Like (0)
Regards,
Madhu
Like (0)
Regards
L.Prathap
Like (0)
converted by Web2PDFConvert.com
Hello Sir.. thnz for the blog and itz very easy and simple to understand ... will implement soon in som
escenario.... thnx again and will wait for next blog
Like (0)
This is BY FAR the very best and most complete description of BI 7x Analysis Authorizations available
- I am sure many people are grateful to you for putting it together and explaining some of the things
that are not clear from the help or TechEd/Portals conference presentations.
-Dave Samuels
Like (0)
Regards,
Meghasyam
Like (0)
MOHAN CHAND REDDY A Oct 31, 2012 2:12 PM (in response to Prashant Tripathi)
Thanks Kamaljeet for providing a valuable information with easy steps which we can
follow.Thanks a lot.
Like (0)
converted by Web2PDFConvert.com
Hi Kamaljeet and all,
I am trying to use a scenario where I would dynamically fill the object S_RS_COMP-RSZCOMPID (for
query name component) with the customer exit ZXRSRU01. This way we can maintain in a table the
security at query level rather than hardcoding it into the security object. So my code looks like this:
case i_vnam.
when 'Z_QRY_VAR'.
if i_step = 0.
clear l_s_range.
l_s_range-low = 'Z_QRY_001'. (this is just an example to make it work)
l_s_range-sign = 'I'.
l_s_range-opt = 'EQ'.
APPEND l_s_range to e_t_range.
endif.
endcase.
I created the variable from the query designer attached to a dummy infoobject (0INFOPROV) with
processing by customer exit, not ready for input, several single values. Looks fine.
There is many blogs around populating an object like 0COUNTRY, etc. but in my case I want directly
to populate the query ID into object S_RS_COMP-RSZCOMPID.
converted by Web2PDFConvert.com