Tell us what you think

We want to create the best possible experience for our learners. Your feedback helps us to improve the experience for everyone.

Differentiating Between Standard and Analysis Authorizations in SAP BW/4HANA

Objective

After completing this lesson, you will be able to differentiate between standard and analysis authorizations in SAP BW/4HANA

Business Example

Person holding laptop smiling thinking that the customer needs to understand that there are two different types of authorizations: standard authorizations and analysis authorizations.

To ensure SAP BW∕4HANA represents the structure of your company and meets your company's requirements, define who can perform which actions in SAP BW∕4HANA and who has access to what data.

In this lesson, we cover the two different authorization concepts, depending on the role and tasks of the user:

Standard Authorizations
You use these authorizations to determine who can do what when working with SAP BW∕4HANA tools. The authorization concept for standard authorizations is based on the Application Server (AS) for ABAP Authorization concept.
Analysis Authorizations
You use these authorizations to provide access to transactional data belonging to authorization-relevant characteristics, to sales data for example. Authorizations of this type are not based on the Application Server (AS) for ABAP Authorization concept. It's an own concept based on the needs of analytics with SAP BW∕4HANA instead.

Compare Standard and Analysis Authorizations in SAP BW/4HANA

Different Tasks in SAP BW/4HANA

The following video presents different SAP BW/4HANA system tasks performed by various roles. The data modeler builds and manages the data models. The data administrator stores and monitors the transactional data. The data analyst analyzes the consolidated data. Each role requires the appropriate authorizations for their tasks.

Standard and Analysis Authorizations

To summarize, authorizations are categorized into two types in SAP BW/4HANA:

Controlling access to modeling objects.
Regulating data analysis permissions.

Comparison of Standard and Analysis Authorizations

Authorization Type	Grant Access	Typical Use	Structure Designer
Standard	Metadata objects (InfoProvider = U00_COMPO1)	Object maintenance and high-level access control	SAP
Analysis	Semantic data slices (Controlling Area = 1000)	Granular access to data slices or subsets of data	Customer

Standard Authorizations

The first type of authorization is based on structures (Authorization Objects) delivered by SAP. Technically, this is the Application Server (AS) ABAP Authorization Concept that is also used in SAP S/4HANA.

In SAP BW/4HANA, these authorizations are called Standard Authorizations.

They allow users to perform administration tasks or to create, change, or delete metadata objects (such as InfoObjects and InfoProviders).

Using Authorization Objects in the BW authorization object class, SAP preconfigures the structure of these authorizations and implements the authorization check. The customer must use these Authorization Objects to grant authorization to the users. In other authorization object classes, standard authorizations are also used to control access to more generic tasks, such as calling a transaction code to access user management.

Analysis Authorizations

The second type of authorizations in SAP BW/4HANA is Analysis Authorizations. This technical concept does not exist in SAP S/4HANA.

Analysis Authorizations define the semantic, or business-related, data slices that a user is allowed to see in analysis (such as all data belonging to controlling area 1000). The structure and values of these authorizations are customer-defined. It is the customer’s responsibility to define the components (InfoObjects) that are relevant for the authorization checks.

While there are clearly defined differences between these two types of authorizations, they often must be used in combination.

Examples of some use cases:

Data Analyst Use Case: A data analyst requires both the Standard Authorization to run a specific query based on an InfoProvider and the Analysis Authorization to visualize the data delivered by the InfoProvider and query effectively.
Data Modeler Use Case: For data modelers, extensive Standard Authorizations are crucial for creating data models, with additional Standard Authorizations necessary for data loading and testing. Analysis Authorizations play a key role in ensuring the displayed data is consistent.
Interplay of Authorizations: Standard and Analysis Authorizations can complement each other, exemplified by granting a user access to a query with a fixed filter using standard authorizations, displaying data restricted by controlling area without the need for further analysis authorizations. However, while this simplifies data security in simple scenarios, it may fall short in addressing complex security requirements and maintenance needs in more intricate settings.

ABAP Authorization Concept

The ABAP authorization concept protects transactions, programs, and services in SAP systems from unauthorized access. Based on the authorization concept, the administrator assigns authorizations to users. After a successful logon, these authorizations determine the actions a user can execute in the SAP system.

Note

SAP BW∕4HANA utilizes the user administration and authentication mechanisms from the Application Server for ABAP. The security recommendations and guidelines for user administration and authentication described in the Security Guide for Application Server ABAP therefore also apply to SAP BW∕4HANA.

Authorizations represent instances of generic authorization objects and are defined according to the activity and responsibilities of the employee. Authorizations are combined in an authorization profile, which is associated with a role. To enable the user to carry out the activities relevant to their job, the administrator assigns the appropriate roles in the user master record.

In the following video, you explore the principles and most important components of the ABAP Authorization concept.

Examples for Activities in SAP BW/4HANA That Require Standard Authorizations

All users working with the applications require standard authorizations including:

BW modeling (model InfoObjects, InfoProviders, Data Flows, Queries).
Build process chains.
BW administration (load and administer data).
Set up and execute planning functions.

Note

For more details, please refer to: ABAP Authorization Concept

Displaying Authorization Objects in an Object Class

In this video, you get an overview of authorization objects of the authorization object class RS.

Analysis Authorizations

In SAP BW/4HANA, Analysis Authorizations define the semantic, or business-related, data slices that a user is allowed to see in reporting (such as all data belonging to controlling area 1000). In contrast to the standard authorization objects of the ABAP authorization concept, the structure and values of these analysis authorizations are customer-defined.

The starting point is that the customer, not SAP, decides which data are relevant for the authorization checks by flagging the corresponding Characteristics as Authorization-Relevant.

The data can then only be accessed if the user has the required analysis authorizations.

In the Characteristic 0CO_AREA screen, the General tab is opened. The Authorization-Relevant check box is ticked.

Creating Analysis Authorization

Using the transaction RSECADMIN, you create analysis authorizations for a group of characteristics and restrict the values for the characteristics.

An example of Analysis Authorization P_COA_002. The key details are presented in the text below.

This simple Analysis Authorization provides authorization for the following values:

Controlling Area (Characteristic 0CO_AREA): values between 1000 and 200
Cost Element (Characteristic 0COSTELMNT): all values
Cost Center (Characteristic 0COSCENTER): all values

An example of the Analysis Authorization Assignment. Direct Assignment using transaction RSECADMIN. Assignment by Role with transaction PFCG, is recommended.

Analysis Authorizations can be assigned to the users:

Directly with the user assignment in transaction RSECADMIN, or
Recommended method: Indirectly by assigning them to profiles respectively roles by using the authorization object, S_RS_AUTH.

Note

In previous releases, authorizations for data were based on customer-defined authorization objects of the authorization object class RSR. Mandatory in SAP NetWeaver BW 7.3 and higher, authorizations for data are defined directly with much the more flexible Analysis Authorizations. This type of authorizations is specific to SAP BW/4HANA.

Continue to quiz