Creating Standard Authorizations for Reporting Users

Objective

After completing this lesson, you will be able to understand and create standard authorizations for reporting users.

Business Example

An essential task for reporting users in your company is to run SAP BW/4HANA Queries embedded in analytical applications like SAP Analysis for Microsoft Excel or SAP Analytics Cloud.

This lesson covers why certain standard authorizations are essential. SAP predefines standard authorizations with corresponding authorization objects. Clients must also decide whether they want to incorporate analysis authorizations.

Remote Function Call (RFC) Authorization

To run SAP BW/4HANA Queries in SAP Analysis for Microsoft Excel, users must establish a remote connection to the SAP BW/4HANA system. The authorization object S_RFC secures remote access and is validated for RFC access to program modules like function groups or function modules.

Screenshot of the Authorization Object S_RFC

The following table provides an overview of the authorization fields contained in the authorization object S_RFC.

Authorization Object S_RFC - Fields

Authorization Field | Description
RFC_TYPE | Specifies the type of RFC object: FUGR = Function Group, FUNC = Function Module
RFC_NAME | Specifies the name of the function groups or function modules.
ACTVT | Specifies the activity. For S_RFC, the only activity possible is Execute (16).

Examples of values to be checked when connecting from SAP Analysis for Microsoft Excel are shown in this figure:

Screenshot showing the table of values to be checked

Authorizations for Working with Queries

SAP BW/4HANA reporting components include queries, query views, and query components. The following authorization objects are used to limit the extent to which a user can work with different types of SAP BW/4HANA Reporting Components:

  • S_RS_COMP authorizes the work with queries, query views, and query components.

  • S_RS_COMP1 is checked with authorization object S_RS_COMP. It authorizes the work with queries, query views, and query components belonging to specific owners (owner = creator of the elements).

Note

Query Components are:

  • Selection Objects that include reusable filters defined on the InfoProvider level.
  • Restricted Key Figures that are defined on InfoProvider level.
  • Calculated Key Figures that are defined on InfoProvider level.
  • Structures that are defined on InfoProvider level.
  • Variables

Let's Examine the Authorization Object S_RS_COMP:

Screenshots of the authorization object S_RS_COMP, fields and an example implementation

(1) Shown here is the authorization object S_RS_COMP.

(2) The authorization object S_RS_COMP has five fields: InfoArea, InfoProvider, Reporting Component Type, Name (ID) of the Reporting Component, and Activity.

In the Authorization example for S_RS_COMP shown:

  • (3) The user is allowed to display definitions (03) of all types of reporting components and execute (16) all queries and query views.
  • (4) The reporting components must begin with U00_CC.
  • (5) The reporting components can be based on all InfoProviders that belong to the InfoArea U00_BW465.

Let's Examine the Authorization Object S_RS_COMP1:

Screenshots of the authorization object S_RS_COMP1, fields and an example implementation

(1) After the successful check of authorization object S_RS_COMP, the authorization object S_RS_COMP1 is also checked.

(2) S_RS_COMP1 has four fields: Name (ID) of the Reporting Component, Type of Reporting Component, Owner of Reporting Component, and Activity.

In the authorization for S_RS_COMP1 shown:

  • (3) The authorized user is allowed to display definitions (03) of all types of reporting components and execute (16) all queries and query views.
  • (4) The reporting components can have any technical name.
  • (5) Any user can own the reporting components. The owner is the creator of the component.

An Example for the Use of S_RS_COMP1:

When multiple development teams work on queries and query components in the same system, you can grant users authorizations for queries and query components according to their team. As a result, developers are authorized to work with queries and components created by their own team, not those of other teams.

To grant authorizations for self-created queries (as opposed to a team), enter the variable $USER. The maintenance effort required is low and $USER is replaced with the current user name during the authorization check.
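
The two-stage check described above, modeled as an added example (not SAP code and not part of the original lesson). It uses the lesson's example values (U00_BW465, U00_CC*, 03, 16, $USER); the field keys, the users ALICE and BOB, the InfoProvider U00_PROV and the type label QUERY are constructed for illustration.

```python
# Simplified model of the two-stage check; field keys are illustrative names,
# not SAP technical field names. Sample users and components are constructed.

def value_ok(allowed, value, user):
    """True if one allowed value covers `value` ('*', 'PREFIX*', exact, or $USER)."""
    for pattern in allowed:
        pattern = pattern.replace("$USER", user)  # replaced at check time
        if pattern.endswith("*"):
            if value.startswith(pattern[:-1]):
                return True
        elif pattern == value:
            return True
    return False

def object_ok(authorizations, request, user):
    """Passes only if a single authorization covers every requested field."""
    return any(all(value_ok(auth[f], v, user) for f, v in request.items())
               for auth in authorizations)

COMP_FIELDS = ("infoarea", "infoprovider", "comp_type", "comp_id", "activity")
COMP1_FIELDS = ("comp_id", "comp_type", "owner", "activity")

def may_access(profile, user, request):
    """S_RS_COMP is checked first; S_RS_COMP1 is checked only if it succeeds."""
    comp = {f: request[f] for f in COMP_FIELDS}
    comp1 = {f: request[f] for f in COMP1_FIELDS}
    return (object_ok(profile.get("S_RS_COMP", []), comp, user)
            and object_ok(profile.get("S_RS_COMP1", []), comp1, user))

# S_RS_COMP values as in the lesson's example authorization.
S_RS_COMP = [{"infoarea": ["U00_BW465"], "infoprovider": ["*"], "comp_type": ["*"],
              "comp_id": ["U00_CC*"], "activity": ["03", "16"]}]
# S_RS_COMP1 as in the lesson (any owner) versus restricted to the user's own objects.
ANY_OWNER = {"S_RS_COMP": S_RS_COMP, "S_RS_COMP1": [
    {"comp_id": ["*"], "comp_type": ["*"], "owner": ["*"], "activity": ["03", "16"]}]}
OWN_ONLY = {"S_RS_COMP": S_RS_COMP, "S_RS_COMP1": [
    {"comp_id": ["*"], "comp_type": ["*"], "owner": ["$USER"], "activity": ["03", "16"]}]}

def query(comp_id, owner, activity="16"):
    """Constructed request: execute (16) a query in InfoArea U00_BW465."""
    return {"infoarea": "U00_BW465", "infoprovider": "U00_PROV", "comp_type": "QUERY",
            "comp_id": comp_id, "owner": owner, "activity": activity}

if __name__ == "__main__":
    for name, profile in (("any owner", ANY_OWNER), ("$USER", OWN_ONLY)):
        for owner in ("ALICE", "BOB"):
            print(name, owner, may_access(profile, "ALICE", query("U00_CC_Q1", owner)))
```

With the owner left open, ALICE can execute BOB's query; with $USER in the owner field, the same S_RS_COMP authorization only lets her reach components she created.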
