Explaining Analysis Authorizations

Objective

After completing this lesson, you will be able to explain analysis authorizations.

Business Example

The customer needs to differentiate and deepen their understanding of analysis authorizations.

This lesson covers how to implement analysis authorizations and explains how they work.

Analysis Authorizations Basics

Before delving further into details, let's briefly summarize what you have learned about Analysis Authorizations thus far:

  • The customer, not SAP, decides which data is relevant for the authorization checks by flagging the corresponding Characteristics and Navigation Attributes as Authorization-Relevant.

  • With the transaction RSECADMIN, you create Analysis Authorizations consisting of a group of authorization-relevant characteristics and navigation attributes and assign the authorized values.

  • Analysis Authorizations can be assigned to the users:

    1. Directly with the user assignment in transaction RSECADMIN
    2. Indirectly, by using the authorization object S_RS_AUTH and assigning it to a profile, and then the profile to a role

  • The Analysis Authorization 0BI_ALL, consisting of all characteristics and navigation attributes flagged as authorization-relevant and authorized for all values (*), grants access to all authorization-relevant data.

Restricted Access to Levels of Data

With analysis authorizations, you can restrict access to data at any of the following levels and combinations of them:

  1. InfoProvider
  2. Characteristics and Characteristic Values
  3. Characteristic's Hierarchies and Hierarchy Node Values
  4. Key Figures

Also, access to data can be restricted to the type of activity and to specific time periods.

The following two tables show examples of those restrictions:

Restricted Access to Levels of Data

| Levels of Data | Planner is allowed to access data of | Controller is allowed to access data of |
|---|---|---|
| InfoProvider | COSTS_PLAN | COSTS_ACTUAL |
| Characteristics and Characteristic Values | CO_Area 3000 | CO_Area 1000 - 2000 |
| Characteristic's Hierarchy and Hierarchy Node Values | Costcenter Hierarchy H2, Hierarchy Node H2_1000 | Costcenter Hierarchy H1, all Hierarchy Nodes |
| Key Figures | Gross Amount | Gross Amount, Net Amount |

Restricted Access Concerning Activity and Time Period

| Access to data | Planner is allowed to | Controller is allowed to |
|---|---|---|
| Activity | Display data and plan data (values 03 and 02) | Display data (value 03) |
| Time Period | only in the first month of a year | at any time (value *) |

While restricting users to the data of a certain InfoProvider can be an easy way to set up and maintain analysis authorizations, it is a severe restriction: users can access either all the data in an InfoProvider or none of it. When securing reporting users, it is recommended that you define authorizations at a lower level than the InfoProvider.

Special Characteristics

Within the Technical Business Content, SAP provides so-called special characteristics to enable the implementation of the analysis authorization concepts described earlier.

  • 0TCAIPROV grants authorization to data of specific InfoProviders
  • 0TCAKYFNM grants authorization to specific key figures
  • 0TCAACTVT grants authorization to activities on the data, for example Display (03) or Change (02) (in case of planning)
  • 0TCAVALID grants authorization to data limited to specific time periods

The Analysis Authorization P is assigned to a user with the planning task. This Analysis Authorization P includes the following: 0TCAIPROV: COSTS_PLAN, 0TCAKYFNM: Gross amount, 0TCAACTVT: 03 = Display and 02 = Change, and 0TCAVALID: first month of the year.

The Analysis Authorization A is assigned to a user with the controlling task. This Analysis Authorization A includes the following: 0TCAIPROV: COSTS_ACTUAL, 0TCAKYFNM: * = all key figures, 0TCAACTVT: 03 = Display, and 0TCAVALID: * = any time.

The customer must first activate Special Characteristics from Technical Business Content and then flag them as Authorization-Relevant in the InfoObject maintenance.

Securing Data Access on Characteristic InfoObject Level

Limiting users to data from a specific InfoProvider simplifies analysis authorization setup but restricts them to full or no data access within the InfoProvider.

To secure reporting users, you want to define authorizations on a lower level than InfoProvider. If you want two users to run the same query but receive different results based on their responsibilities, secure the analysis authorization down to the Characteristic InfoObject level. This option is the closest parallel to the field-level security in traditional SAP ERP or SAP S/4HANA.

Remember that the prerequisite for securing data access on Characteristic InfoObject level is to flag the characteristics as Authorization-Relevant.

The General: Characteristic 0CO_AREA screen with the Authorization-Relevant check box selected and highlighted.

The Analysis Authorization CO1000 contains: 0TCAIPROV: COSTS_ACTUAL, 0TCAKYFNM: * = all key figures, 0TCAACTVT: 03 = Display, 0TCAVALID: * = any time, and 0CO_AREA: 1000. Controller A is assigned to this authorization.

The Analysis Authorization CO2000 contains: 0TCAIPROV: COSTS_ACTUAL, 0TCAKYFNM: * = all key figures, 0TCAACTVT: 03 = Display, 0TCAVALID: * = any time, and 0CO_AREA: 2000. Controller B is assigned to this authorization.

Data display per query selection:

| Query selected on | Controller A | Controller B |
|---|---|---|
| 0CO_AREA 1000 | Yes | No |
| 0CO_AREA 2000 | No | Yes |
| 0CO_AREA 1000 + 2000 | No | No |
| 0CO_AREA 1000 + 3000 | No | No |

As shown in the preceding figure, Controller A and Controller B have nearly identical analysis authorizations. The only difference concerns the authorization-relevant characteristic 0CO_AREA (Controlling Area).

  • Controller A is allowed to display data of 0CO_AREA = 1000 within InfoProvider COSTS_ACTUAL.
  • Controller B is allowed to display data of 0CO_AREA = 2000 within InfoProvider COSTS_ACTUAL.

The users will only see data if the query selection meets their analysis authorizations.

They won't see data if the query selection meets their analysis authorizations only partially.

Analysis Authorization Check During Query Execution

A query always selects data from the InfoProvider. For the authorization-relevant characteristics, you have to ensure that the user performing the query has sufficient authorization for the complete selection of the query. Selection means the query's filter situation. Otherwise, no query result is displayed, but an error message indicates that the user doesn't have the required authorization.

Authorization Check OK: When the query selection is a proper subset of the authorization, query results are displayed.

Authorization Check Not OK: When the query selection is not a subset of the authorization, query results are not displayed, even if part of the selection is a subset of the authorization.

Diagram of Authorization Check OK when the query selection is a proper subset of the authorization, and Authorization Check Not OK when the query selection is not a proper subset of the authorization.
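
The all-or-nothing check described above can be modelled in a few lines. This is an added example, not SAP code: the dictionary layout and function names are assumptions, each user holds a single authorization, and a characteristic the query leaves unrestricted is treated as selecting all values. It rebuilds the Controller A / Controller B table from the authorizations CO1000 and CO2000.

```python
ALL = "*"  # authorization for all values

# Authorizations CO1000 and CO2000 as described on the page; the dict layout,
# function names and query structure are assumptions of this sketch.
CO1000 = {
    "0TCAIPROV": {"COSTS_ACTUAL"},
    "0TCAKYFNM": ALL,
    "0TCAACTVT": {"03"},
    "0TCAVALID": ALL,
    "0CO_AREA": {"1000"},
}
CO2000 = {**CO1000, "0CO_AREA": {"2000"}}


def uncovered(authorization, selection):
    """Return the characteristics whose selection exceeds the authorization.

    Modelling assumption: a characteristic the query leaves unrestricted
    selects all values, so only a '*' authorization covers it.
    """
    failed = []
    for characteristic, authorized in authorization.items():
        if authorized == ALL:
            continue
        selected = selection.get(characteristic, ALL)
        if selected == ALL or not set(selected) <= authorized:
            failed.append(characteristic)
    return failed


def run_query(authorization, selection):
    """All-or-nothing: data only if the complete selection is authorized."""
    failed = uncovered(authorization, selection)
    return ("data", []) if not failed else ("no authorization", failed)


def controller_table():
    """Rebuild the page's Controller A / Controller B decision table."""
    base = {"0TCAIPROV": {"COSTS_ACTUAL"}, "0TCAACTVT": {"03"}}
    rows = {}
    for areas in (("1000",), ("2000",), ("1000", "2000"), ("1000", "3000")):
        query = {**base, "0CO_AREA": set(areas)}
        rows[" + ".join(areas)] = tuple(
            run_query(auth, query)[0] == "data" for auth in (CO1000, CO2000)
        )
    return rows


if __name__ == "__main__":
    for selection, (a, b) in controller_table().items():
        print(f"0CO_AREA {selection:<12} A={a!s:<5} B={b}")
```

The second element returned by `run_query` names the characteristics that caused the denial, which is the first thing to look at when a user reports a missing-authorization message for a query that "mostly" matches their responsibility.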

In general, the authorizations don't work as filters. Nevertheless, in the following instances, the system still displays data when the user has only partial analysis authorization.

  • Authorized key figure values are displayed while unauthorized ones are omitted, showing only the key figures permitted for user access.
  • Display hierarchies are automatically filtered on authorization: the nodes the user is authorized to see are displayed, and the unauthorized nodes are not displayed.
  • Variables filled from authorizations ("Authorization Variables") act like filters for the authorized values for the characteristics in question.

These three aspects are explained in the lessons Creating Analysis Authorizations for Key Figures, Creating Hierarchy Authorizations, and Using Variables in Authorizations.
