Using Variables in Authorizations

Objective

After completing this lesson, you will be able to use variables in authorizations.

Business Example

Person thinking about how the customer needs a streamlined solution to efficiently manage analysis authorizations for cost center managers, reducing administrative efforts and minimizing query complexity.

It is important for cost center managers to have access to data specific to their cost centers. This requires creating and assigning analysis authorizations to their user master data. However, the administrative effort to maintain these authorizations can be substantial, especially in organizations with regularly changing cost centers.

This lesson covers simplifying the maintenance of analysis authorizations for cost center managers in organizations with changing cost centers, while also minimizing the number of different queries.

Authorization Variables

Variable with Processing Type Authorization ("Authorization Variable")

When you're running queries, keep in mind that value authorizations don't serve as selections for the characteristic but must include at minimum the selection given in the query.

Defining different queries to match the analysis authorizations of different users is not practical. Instead, use variables in the queries. You can work with variables with manual entry, but there is also the option of using Variables with the Processing Type Authorization, known as Authorization Variables.

Controller A has the following analysis authorizations applied on 0CO_Area 1000, display all key figures at any time for infoprovider COSTS_ACTUAL, Controller B has the following analysis authorizations applied on 0CO_Area 2000, display all key figures at any time for infoprovider COSTS_ACTUAL. A comparison table is showing that a Query with characteristic: 0CO_AREA restricted by variable with processing type authorization is displaying 0CO_AREA 1000 data for controller A and is displaying 0CO_AREA 2000 data for controller B.

An authorization variable functions as follows:

An Authorization Variable is a characteristic value variable or a hierarchy node variable with the processing type, Authorization.
The system automatically populates it with the values from the analysis authorization of the user executing the query.
It is used in query definitions to configure dynamic selections based on the authorizations of the executing user.
As a result, the chosen query aligns with the user's analysis authorizations, ensuring that they receive the appropriate query results.
There is an option to make the variable ready for input:
If Input-Ready checkbox is selected, the user gets a prompt automatically filled with all authorized values either to confirm those values or to select only a part of those values.
If the Input-Ready checkbox is not selected, the user is not prompted and the report automatically displays all the values for which the user is authorized.

Here's how you implement Authorization Variables in your queries:

Screenshot highlighting the name field with value U00_V_CA4 and processing field with value Authorization in the BW Modeling Tools in SAP HANA Studio, the query shown with highlights on the filter details and the default values.

For the authorization-relevant characteristic controlling area 0CO_AREA, define a Characteristic Value variable, such as U00_V_CA4 with processing type Authorization.
Note: The variable type Hierarchy Node is also possible.
The recommended setting for Var represents is Selection option.
Include the variable in the query within the filter area or within a restricted key figure.

Customer Exit Variables in Analysis Authorizations

The Customer Exit processing type gives you the flexibility to customize variables based on your unique needs. This feature serves as an enhancement that allows you to incorporate custom logic specific to your business. With the customer exit, you can effortlessly generate default values for variables or establish variable values from specified variables. Also, you can review all variables once they have been entered.

Usage of Customer Exit Variables

Customer exit variables can be used for the following:

In Queries for dynamically determining filter values
In Analysis Authorizations for dynamically determining authorized values

Customer Exit Variables in Analysis Authorizations

In Analysis Authorizations, instead of defining single values or intervals, you can use customer exit variables. The customer exit is called for these variables while the authorization check is running. The call is carried out with I_STEP = 0. The intervals of characteristic values or hierarchies for which the user is authorized can be returned here. By running this check, the maintenance effort for authorizations and profiles can be considerably reduced. For example, because the user-specific authorization values are stored in a table that the customer exit accesses. Thus, you can assign all users the same analysis authorization.

Implementing customer exit variables in Analysis Authorizations involves a few key steps to ensure success.

Screebshots of BW modelling tools showing steps to implementing customer exit variables in analysis

For the authorization-relevant characteristic controlling area 0CO_AREA, define a Characteristic Value variable, such as U00_VAR_COA_EX with processing type Customer Exit.
Implementation is in the RSROA_VARIABLES_EXIT_BADI enhancement, for example, dynamic value access from a table or DataStore Object (Advanced) with user-dependent authorization values.
Create an analysis authorization for the characteristic 0CO_AREA and enter $U00_VAR_COA_EX instead of fixed values or intervals. You can now assign this analysis authorization to multiple users.

Advantages and Disadvantages of Customer Exit Variables in Analysis Authorizations

Advantages:
- Fewer different roles necessary
- Less maintenance effort
- Eventually no transport necessary, changes are immediately active
Disadvantages
- Authorization values are not visible in RSECADMIN
- Programming is necessary

Utilizing Customer Exit Variables in Analysis Authorizations does not alter the fundamental principle that the query's selection, or in other words, the filtering of the query, must be fully encompassed by the analysis authorizations of the user executing the query. Failure to do so will result in no data being displayed.

Queries be filtered in order to interplay with the dynamic analysis authorization values realized with the Customer Exit Variable:

By fixed filter values or intervals.
By using the same Customer Exit Variable which is used in the Analysis Authorization.
The selection of the query is then exactly covered by the analysis authorizations.
The Customer Exit Variable is processed twice, first to determine the selection of the query, the second to determine the analysis authorizations.
By using a different Customer Exit Variable or Variables of other processing types, such as manual input or replacement path.
By using a Variable with processing type Authorization ("Authorization Variable"). This method is the most flexible one. The Authorization Variable is responsible for transferring the combination of authorized values to the query in order to determine its selection.
Note
Caution: Authorization Variables can result in unexpected authorization check failures. The upcoming lesson on Multidimensional Analysis Authorizations provides more detail.

Summary

Using Customer Exit Variables in Analysis Authorizations can greatly streamline the number, complexity, and upkeep of Analysis Authorizations for various users or user groups.

By using Customer Exit Variables, Authorization Variables and variables of other processing types in Queries, the number and maintenance effort for Queries can be reduced as well.

Using Variables in the context of Analysis Authorizations

This table provides an overview of different uses for variables in query filtering and authorization processing.

Processing Type	Used in	Function
Customer Exit	Analysis Authorizations $<variable name>	Dynamic determining of analysis authorizations by processing a customer-specific logic
Customer Exit	Queries <variable name>	Dynamic filtering of queries by processing a customer-specific logic
Authorization ("Authorization Variable")	Queries	Dynamic filtering of queries by reading the complete Analysis Authorizations of the executing user.

Processing Type

Used in

Function

Customer Exit

Analysis Authorizations

$<variable name>

Dynamic determining of analysis authorizations by processing a customer-specific logic

Customer Exit

Queries

<variable name>

Dynamic filtering of queries by processing a customer-specific logic

Authorization ("Authorization Variable")

Queries

Dynamic filtering of queries by reading the complete Analysis Authorizations of the executing user.

Multidimensional Analysis Authorizations

With multidimensional analysis authorizations (meaning: an analysis authorization contains more than one authorization-relevant characteristic) it is possible to authorize certain combinations of characteristic values.

When using Authorization Variables, authorization check failures can happen.

Just a reminder: When creating a query selection, it's important to consider the set of characteristics filters that will be applied. While users and administrators expect the selection to automatically match the user's authorizations and return relevant data, this is not always the case. There is no direct link between a query and analysis authorizations, so it's essential to enable the queries to be filtered to match the authorizations to avoid potential failures. This can be achieved using fixed filters or variables (dynamic filters), with possible extra support from Authorization Variables, but this can also lead to authorization check failures.

A query selection cuts a rectangular subset out of all possible combinations of characteristic values. Even more precisely, a query selection accesses the cartesian product of the filters on the individual characteristics.

The same is true for one authorization. However, if a user has two or more authorizations, these authorizations cannot always be combined into one.

Overview: Query Selections and Analysis Authorizations

Remember the distinction between Query Selections and Analysis Authorizations.

Query selections have the following features:

They belong to a query.
The are defined by fixed and dynamic filters.
They are checked at runtime for matching analysis authorizations.
They are a rectangular subset of the multidimensional space.
If Authorization Variables are used, ALL authorized values of the user are collected.
The standard mechanism for filling authorization-variables works independently for each variable and thus for each characteristic. This leads to the selection of the rectangular superset of the assigned analysis authorizations.

Analysis authorizations have the following features:

Analysis authorizations are defined independently of queries.
The combination of two or more analysis authorizations is not necessarily rectangular.

The following figure provides an example of where the expectation to display all authorized values is not met.

Example: Multidimensional Query Selections and Analysis Authorizations. Authorization-relevant characteristics Country and Customer-Group. Analysis Authorization 1: Country DE / Customer-Group A, B. Analysis Authorization 2: Country US / Customer-Group B, C. The user possesses Analysis Authorizations 1 and 2. The query contains both characteristics; each of them is filled by the authorization variable. The query selection is the Kartesian product of the Analysis Authorizations 1 and 2 (rectangular superset DE, US / A, B, C). Selection is not covered by the authorization; query execution fails.

There are Two Multidimensional Analysis Authorizations.

The user is assigned to both of them.

The selection in the query is realized by Authorization Variables for both characteristics, Country and Customer-Group.

This results in the selection for Country with the values DE and US, and for Customer-Group with the values A, B, and C.

This selection of the query is the kartesian product of the Analysis Authorizations 1 and 2, which is the rectangular superset DE, US / A, B, C.

This subset is not encompassed by the analysis authorization, as it does not result from the Kartesian product of Analysis Authorizations 1 and 2, thus it is not a rectangular superset.

How Can This Conflict Be Solved:

If possible, define one multidimensional Analysis Authorizations instead of two multidimensional Analysis Authorizations containing Country with the values DE and US, and Customer-Group with the values A, B, and C.

If this is not possible, make the authorization variables input-ready to be able to narrow the proposed selection in the prompt when executing the query.

Or use Customer Exit Variables instead of Authorization Variables. The input-help for the second variable can then be restricted dependent of the values of the first variable.

Or use variables with manual input, possibly supported by variable personalization.

Note

Refer to the following additional information:

SAP Note 1000004 - Merging and optimizing analysis authorizations

SAP Note 1736473 - Usage of authorization variables results in "no authorization" when multidimensional auths are assigned.

SAP Note 1632677 - Query with Multiple Authorization variables failing with "No Authorization"

SAP Note 2166248 - Optimizing of analysis authorizations [VIDEO]. This is a short introduction on how authorizations are optimized during the OLAP authorization check. This video describes the steps which OLAP performs to combine and optimize authorizations at query runtime.

Continue to quiz