Creating Analysis Authorizations

Objective

After completing this lesson, you will be able to create Analysis Authorizations

Business Example

Person using tablet thinking about how the customer needs to master transaction RSECADMIN to effectively define and manage analysis authorizations.

This lesson covers how to define analysis authorizations effectively by using the transaction RSECADMIN for the maintenance and management of analysis authorizations.

Transaction RSECADMIN

Accessible through the execution of the transaction RSECADMIN, the Management of Analysis Authorizations panel serves as a central hub for managing, assigning, and tracing analysis authorizations. This interface presents three tabs: Authorizations,User, and Analysis. In this lesson, we delve into the details of each tab individually before showcasing two video demonstrations to provide context.

Transaction RSECADMIN - Authorizations Tab Page

The basic features of the Authorizations tab page are:

  • Individual Maintenance for creating and changing individual analysis authorizations = transaction RSECAUTH
  • Mass maintenance for maintaining multiple analysis authorizations.
Screenshot of RSEADMIN management of Analysis Authorizations panel with the Authorizations tab highlighted. The Ind. Maint. button is highlighted with an arrow indicating that the Maintain Authorizations:U00_C01000 Edit panel opens from here.

The analysis authorization U00_CO1000 shown earlier consists of several authorization relevant characteristics and special characteristics.

Defining Authorization Values

Screenshot of Maintain Authorizations opening panel with highlights on 1. the characteristic 0CO_AREA and 2. Details button

To maintain authorization values, select the relevant characteristic (1) and choose Details (2).

Screenshot of Maintain Authorizations opening panel with highlights on 1. the characteristic 0CO_AREA and 2. Details button with a further screeenshot of the U00_CO1000 value authorizations

On the Value Authorizations tab page, you can specify single values, intervals, and patterns. You have the following options:

Including/Excluding

Using the information in the Including/Excluding column, you define whether this value or value interval is included or excluded.

  • I: Including
  • E: Excluding

Note

Excluding is only possible for the special characteristic 0TCAVALID.

Operators

  • EQ: Equal to a single value
  • BT: Between a range of values
  • CP: Contains pattern, for example ABC*

Note

Only for the special characteristic 0TCAVALID, the operators GT (greater than), GE (greater or equal), LT (less than), and LE (less or equal) are existing.

Values for Technical Character Fields

You can make the following general entries to define authorization values:

Single value

Example: Characteristic value = 1000

Including/ExcludingOperatorTechnical Characteristic Value (from)
I (Including)EQ (equal: single value)1000
Interval

Example: A <=Characteristic value <= B

Including/ExcludingOperatorTechnical Characteristic Value (from)Technical Characteristic Value (to)
I (Including)BT (between; interval)10002000
Pattern

* (Asterisk) for any number of characters or + (Plus) for exactly one character

Only patterns that end with a single pattern symbol, with an asterisk (*) for any character string or with a plus sign (+) for exactly one character, are permitted.

A*A and A+A are not allowed as entries. The pattern + is currently not checked. You can enter it, but it will not return the expected results.

Including/ExcludingOperatorTechnical Characteristic Value (from)
I (Including)CP (contains pattern: find pattern)100*
Aggregation Authorization

: (Colon) for the authorization for aggregated values

Including/ExcludingOperatorTechnical Characteristic Value (from)
I (Including)EQ (equal: single value):

Note

The meaning of the value: (Colon) is explained in lesson: Creating Analysis Authorizations for Aggregated Values
Character Groups and Cases
The entry of values can depend on uppercase and lowercase notation. Use the input help to ensure the correct notation. The order in which the characters are stored in the system is of importance for intervals. For example, the lowercase letter a comes after the uppercase letter A.

For characteristics of type CHAR with a length greater than one, define separate intervals for number and letter values. Valid examples are the intervals from A to Z and from 1 to 9.

Do not define an interval from A to 9. An interval can result in a message that you do not have authorization or too much data would be displayed.

Automatic Corrections
When you define authorizations, the system tries to correct intervals based on interpretations. However, this does not mean that the interpretation is always correct.

Note

Examples of Automatic Corrections

Transaction RSECADMIN - User Tab Page

The basic features of the User tab page are:

  • Individual Assignment for assigning analysis authorizations to users directly = transaction RSU01
  • Mass Assignment maintaining multiple assignments.
  • User Maintenance = transaction SU01
  • Role Maintenance = transaction PFCG
Screenshot showing the result of selecting the user tab. An arrow shows that selecting the button Indvl. Assignment button opens the assignment of user authorizations editing panel, 4 highlights show important information in this panel.

The preceding figure shows the result of selecting the User tab and Indvl Assignment.

The (1) analysis authorization U00_CO1000 was assigned to (2) user R_CLARK00 by the authorization administrator (3) Student00.

The symbol (4) indicates that this assignment of the analysis authorization to the user is a direct one and not one by a role.

Remember that analysis authorizations can also be assigned to users indirectly by using the authorization object, S_RS_AUTH, and assigning it to a role and then the role to the user.

Screenshot of authorization object S_RS_AUTH showing the role based assignment

Such an indirect assignment is also visible in RSECADMIN on the User tab page but cannot be edited there: switch to the Role-based tab, the indirectly assigned Analysis Authorization uses the role symbol.

Screenshot of the indirect assignment of the role visible in RSECADMIN

Transaction RSECADMIN - Analysis Tab Page

The basic features of the Analysis tab page are:

  • Authorization Log = transaction RSECPROT: The system generates a log of the authorization check.
  • Execution as....= transaction RSUDO: You can execute various transactions as other users to check their authorizations. This is password-protected.

Authorization Log

To trace a user's Analysis Authorizations, follow these steps:

Screenshots showing steps 1 and 2 of the authorization log process

Screenshots showing steps 3, 4 and 5 of the authorization log process

Screenshots showing steps 6 and 7 of the authorization log process

  1. Choose Authorization Log.
  2. Select Configure Log Recording.
  3. Add the user to be traced to the list.
  4. Ask the user to run the query, for example, using SAP Analysis for Microsoft Excel.
  5. The selection criteria are updated to include the user.
  6. Select the Display button.
  7. Check the Authorization Check Log.

Execution As

To execute a query with the authorizations of another user and trace this other user's Analysis Authorizations, follow these steps:

Screenshots showing steps 1 to 3 of the trace another user's Analysis Authorizations
Screenshots showing step 3 of the trace another user's Analysis Authorizations
Screenshots showing steps 4 and 5 of the trace another user's Analysis Authorizations

  1. Choose Execution as …
  2. Enter the user to be traced and flag With Log, as Possible Transactions, retain the default transaction RSRT, which is the Query Monitor, and choose Start Transaction.
  3. In the Query Monitor, enter the query and choose Execute.
  4. After viewing the results, choose Back twice and then Display Log.
  5. Finally, check the Authorization Check Log

Note

Executing a query as other user can also be started by using the transaction RSUDO.

The following authorizations are checked when an authorization admin user executes a query as other user:

  • For the admin user, the authorization object S_TCODE for the transactions RSECADMIN, RSUDO, and RSRT is checked.
  • For the admin user, the authorization object S_RSEC is checked. If this authorization is missing, the password of the other user is required to authenticate the request. The authorization object S_RSEC is explained in more detail later in the course.
  • For the other user, authorization objects S_RS_COMP and S_RS_COMP1 are checked .
  • For the other user, analysis authorizations are checked.

Analysis Authorization Check

A diagram that illustrates the Analysis Authorization check. The diagram is described in the text below.

The following describes the logic of the query and analysis authorization checks:

  1. The query is run by a user or by the administrator as other user.
  2. The system checks the authorization of the InfoProvider to carry out the activity. If access is granted, more detailed checks follow. Otherwise, this message is displayed: You do not have sufficient authorization for the InfoProvider ...(message EYE 001).
  3. The list of authorization-relevant characteristics of the InfoProvider is determined. These are the characteristics that are authorization-relevant and for which the user does not have full authorization.
  4. Access to the selected data is checked. Remember that the selected set of data must be a subset of the authorized data. Value authorizations do not automatically work as query filters.
  5. If this check fails, the following message is displayed: Youdo not have sufficient authorization (message EYE 007).
  6. When navigating in the report, the detailed checks are processed again.

Note

In the videos of this lesson, some examples of the Authorization Check Logs are shown.

Note

For more information, see SAP Note 1234567 - The authorization log RSECADMIN.

Creating Analysis Authorizations

Example

In this demo, you see how to set up analysis authorizations for accessing all data in a specific InfoProvider. The demo also walks you through tracing user analysis authorizations.

In this demo, you see how to set up analysis authorizations for accessing specific data in a specific InfoProvider. The demo also walks you through tracing user analysis authorizations by executing the query in the name of the user to be traced.

Log in to track your progress & complete quizzes

Learning

SAP FacebookSAP YoutubeSAP LinkedIn