Transaction RSECADMIN

Inhalt

General difference between old and new authorization concept..........................................................2

How to start...........................................................................................................................................2
Authorizations / Maintenance................................................................................................................3
Definition of the analysis authorization role......................................................................................3
Naming convention for the new analysis roles...................................................................................6
User / Assignment.................................................................................................................................6
Connection between Analysis Authorization and Role ( PFCG ).............................................................8
Authorization for the Info Area – Object S_RS_COMP...........................................................................8
We need 3 new roles..............................................................................................................................8
Analysis Authorization Role................................................................................................................8
PFCG Role to connect the Analysis Authorization Role with PFCG.....................................................9
PFCG Role for the Info area (objects S_RS_COMP and S_RS_COMP1),..............................................9

1
 Transaction RSECADMIN

General difference between old and new authorization concept.

The new analysis authorization will replace only the old RSR authorization objects. The roles for the
menu’s will not be changed. And also the S_RS_COMP objects will not be changed.

The logic between old and new is different.

We should not define 2 roles with the same objects for the same info provider.

Example:

Object Plant: Authorization *  global and

Authorization Plant 0100.

With RSR the user has a global authorization. With the new analysis authorization it is only allowed to
have success for plant 0100.

A more detailed limitation has always a higher authorization.

Possible is to assign global to Info area Sales and only one Plant for Info area Logistic.

Avoid cannibalization !

How to start
One main transaction for the analysis authorization

 RSECADMIN

2
 Transaction RSECADMIN

Authorizations / Maintenance

Definition of the analysis authorization role.

Example SD_SAOR_0180

Each analysis authorization role has a structure with several entries.

5 standard authorizations

0TCAACTVT Activity in Analysis Authorizations

 Limitation of the activity

3
 Transaction RSECADMIN

0TCAIFAREA InfoArea for Analysis Authorizations

 Limitation of the info area

0TCAIPROV Authorizations for InfoProvider

 Limitation of the info provider

0TCAKYFNM Key Figure in Analysis Authorizations

 Limitation of the key figure

0TCAVALID Validity of an Authorization

In case of validity, key figure and info provider in most cases the authorization is global.

4
 Transaction RSECADMIN

In case of activity the value is 03 = display.

Only the info area is individual.

Individual authorizations

Depending on the requirement individual authorization objects must be added.

There is a function in the icon list to check which objects are required for one infoprovider.

It depends how many info objects with flag authorization relevance are used in that cube.

In case of Cube ZVISMOWO 5 relevant info objects are included.

That means we must add 4 objects (key figure is already including ) and assign authorizations.

The example ZSALORG_0180 is an authorization for info object 0salesorg for value 0180.

That means:

 0country global authorization

 0industry global authorization
 0plant global authorization
 0salesorg 0180

Naming convention for the new analysis roles

The technical name has a max length of 12 digits.

5
 Transaction RSECADMIN

 Digit 1-2 = Info Area

SD = Sales Delivery (Statistic)
SO = Sales Order
SL = Strategic Logistics
ST = Stocksegmentation (Logistic)
LO = Logomate
MA = Master data
SH = Shipment
AR = Accounts Receivable
AP = Accounts Payable
GL = General Ledger
QM = QM
DL = Delivery Service Level
GEA = Gross Earning Analysis
CO = Controlling
CI = CIT internal / BW Metadata
PR = Prices
PU = Purchasing
CRM = CRM
MD = Meta Data
MM = Material Management
EWM = Extended Warehouse Management

 Digit 3 _ ( delimeter )
 Digit 4 – 7 = Main authorization Object
SAOR = Sales Organisation
PLAN = Plant
COUN = Country
INDU = Industry key
COMC = Company code
COAR = Controlling area
ALL = global authorization

 Digit 8 _ ( delimeter )
 Digit 9 – 12 Subsidiary

User / Assignment

6
 Transaction RSECADMIN

With the push button “Assignment” users can be assigned to an analysis role.

The push button “User Maintenance” is a link to SU01.

The push button “Role Maintenance” is a link to PFCG

7
 Transaction RSECADMIN

Connection between Analysis Authorization and Role ( PFCG )

We create a new role and add only one object manually .

 Object S_RS_AUTH

The name of this roll is constant Z_AUTH + name of the analysis authorization.

Authorization for the Info Area – Object S_RS_COMP

In the old RSR roles we joined RSR and S_RS_COMP objects in one role.

Now we will split it in 2 roles. We define a role for each info area and add the objects S_RS_COMP
and S_RS_COMP1.

The name of the role starts with Z_AREA + name of the infoarea

We need 3 new roles

Analysis Authorization Role
Naming convention

The technical name has a max length of 12 digits.

 Digit 1-2 = Info Area

SD = Sales Delivery (Statistic)
SO = Sales Order
SL = Strat. Logistic
 Digit 3 _ ( delimeter )
 Digit 4 – 7 = Main authorization Object
SAOR = Sales Organisation
PLAN = Plant

8
 Transaction RSECADMIN

COUN = Country
INDU = Industry key
COMC = Company code
COAR = Controlling area )
 Digit 8 _ ( delimeter )
 Digit 9 – 12 Subsidiary

PFCG Role to connect the Analysis Authorization Role with PFCG

Naming convention

The technical name has a max length of 30 digits.

 Digit 1-5 = Constant “Z_AUTH”

 Digit 6 _ ( delimeter )
 Digit 7 – 18 = Name of Analysis Authorization role

PFCG Role for the Info area (objects S_RS_COMP and S_RS_COMP1),
Naming convention

The technical name has a max length of 30 digits.

 Digit 1-6 = Constant “Z_AERA”

 Digit 7 _ ( delimeter )
 Digit 7 – 8 = Infoarea
SD = Sales Delivery (Statistic)
SO = Sales Order
SL = Strat. Logistic
FI = Finance
CO = Controlling
GA = GEA

Analysis / Executed as

9
 Transaction RSECADMIN

For testing you can use the function Executed as.

Note: Don’t forget to mark the option “with Log”

Enter the Id of the user you want to analyse and click on <Start Transaction>

 Transaction RSRT will be opened

As query display option choose HTML.

Choose a query and execute (normal)

After the execution go back to RSECADMIN and click on <authorization Log>

10
 Transaction RSECADMIN

Example for successful authorization check

Example when the authorization is sufficient.

11