SAP BW/4HANA usually manages a lot of sensitive data. We need to ensure that we take steps to safeguard the data. This means providing a robust authorization mechanism that controls what developers and business users can and can't do, and which data they are allowed to access.
SAP BW/4HANA provides tools to define authorizations. There are two types of authorization that every SAP BW/4HANA user needs. Tools are provided to create both types.
We need to ensure users do not perform activities that they are not authorized to perform, for example, deleting data, executing data loads, or creating or executing queries.
Clearly, we need to protect these activities so we assign the authorizations to the relevant users in the team.
An Authorization Object consists of fields where the authorized settings are specified. SAP provides many Authorization Objects to secure common activities across SAP BW/4HANA.
Here is an example of the Authorization Object S_RS_COMP, which is used to provide authorizations for working with BW Queries:
Notice how we define the allowed action, such as create or execute. For a business user to execute a query, they simply need the Execute (16) authorization. They do not need Display (03) unless you would like them to be able to open the query definition to view the settings.
Notice we then specify the type of objects the action applies to, for example REP is the code for a BW Query. There is a code for every type of object in SAP BW/4HANA. Finally, you see the value of the object, in this case the * means any query. But notice that the InfoProvider P_V_SO_1 is specified which means any query can be displayed or executed as long as it was built on the specified InfoProvider.
So that is the authorization of a task taken care of. We now come to the Analysis Authorization setup. This is all about data access.
To set up an Analysis Authorization we need to perform three steps:
Not all data in SAP BW/4HANA is relevant for authorization, for example, the color or weight of a product. In this case you would not enable the setting for Authorization Relevance. Once you enable this setting, each user must have an Analysis Authorization assigned to their user profile to grant access to the data of the object.
So, with the combination of the two types of authorization we have seen how our user could now execute any query (as long as it is based on the CompositeProvider P_V_SO_1) and display the data only for company code 1000, 2000, 2200 and 3000.
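The combined effect of the two authorization types can be modelled in a few lines. This is an added example, not SAP code: it is a simplified Python model of the two checks using the values from the text, and the dictionary keys, the characteristic name `COMPANY_CODE`, the query name `Q_SALES` and the second InfoProvider `P_V_OTHER` are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Constructed authorization data mirroring the values described in the text.
# The dictionary keys are illustrative names, not SAP technical field names.
S_RS_COMP_AUTHS = [
    {"activity": {"16"},          # 16 = Execute; 03 (Display) deliberately absent
     "infoprovider": "P_V_SO_1",
     "component_type": "REP",     # REP = BW Query
     "component_name": "*"},      # * = any query
]

# Analysis authorization: permitted values per authorization-relevant
# characteristic. COMPANY_CODE is a hypothetical characteristic name.
ANALYSIS_AUTHS = {"COMPANY_CODE": {"1000", "2000", "2200", "3000"}}


def may_perform(auths, activity, infoprovider, component_type, component_name):
    """Task check: every field of at least one authorization must match."""
    return any(
        activity in a["activity"]
        and fnmatchcase(infoprovider, a["infoprovider"])
        and fnmatchcase(component_type, a["component_type"])
        and fnmatchcase(component_name, a["component_name"])
        for a in auths
    )


def may_read(analysis_auths, requested):
    """Data check: each requested value must be explicitly granted.

    `requested` holds only authorization-relevant characteristics. One that
    is missing from the user's analysis authorizations grants nothing.
    """
    return all(
        values <= analysis_auths.get(characteristic, set())
        for characteristic, values in requested.items()
    )


def run_query(query, infoprovider, requested):
    """Both checks must pass before any data is returned."""
    return (may_perform(S_RS_COMP_AUTHS, "16", infoprovider, "REP", query)
            and may_read(ANALYSIS_AUTHS, requested))
```

Attributes that are not authorization-relevant, such as color or weight, never appear in `requested`, so they are not checked at all.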