Maintaining Analysis Authorizations

Objective

After completing this lesson, you will be able to maintain analysis authorizations.

Business Example

In SAP BW/4HANA, you want to assign various authorizations to several users, mostly in the analysis authorization area. You want to maintain these authorizations as efficiently and clearly as possible.

This lesson covers the options for authorization maintenance, particularly focusing on analysis authorizations. At runtime, the crucial aspect is ensuring the correct authorizations are assigned, regardless of how they were initially allocated to the user. There are various maintenance options available to you, irrespective of the specific authorization scenario.

Maintenance Options

Various maintenance options are required to simplify authorization processes, ensure clarity in authorizations, and minimize effort when handling many users.

Selecting an Authorization Maintenance Approach

Using the following criteria, you can decide which method is the most appropriate:

  • How large is the number of users?
  • Do many users have the same authorizations?
  • If the users have different authorizations, do these authorizations differ only in the form of individual values?
  • Are there many hierarchy authorizations to maintain?
  • Is the authorization data available in any other form, such as another system or a file?
  • What are the various security requirements for the relevant maintenance scenarios, for example, the dual control principle?

Options for Authorization Maintenance

The following are the options for authorization maintenance:

  • Roles maintenance
  • Analysis authorizations maintenance
  • Analysis authorizations mass maintenance
  • Customer Exit Variables for dynamic authorization assignment
  • Automatic generation of analysis authorizations

Note

For more information about Customer Exit Variables, see the lesson: Using Variables in Authorizations.

Roles Maintenance

Role maintenance is defined as the use of roles to assign activities and authorizations. 

The following are best practices for building a modular and flexible role concept:

  • Keep reusable basic roles separate from customized roles.

  • Build up a role hierarchy. For example:

    • Reusable basic role

    • Department-specific role

    • Job-specific role

  • Keep menu roles separate from authorization roles.

  • Avoid overlapping roles and overlapping authorizations.

  • Combine single roles in composite roles.

Shown here is an example of a menu role containing workbooks organized in the role menu.

The approach to separate menu roles from authorization roles has the following advantages:

  • Menus and attached workbooks can be used by many users.

  • Different results can be displayed based on user authorization.

  • Menus don’t get lost in the productive system when transporting authorization changes.

Note

You don't usually create and assign exactly one role per user. Instead, you customize the roles to be as reusable as possible.

Differentiating by User Type

You might set up the following roles, for example, to differentiate roles by user type:

  • Project Team Member

  • System Administrator

  • Authorization Administrator

  • User Administrator

  • Power User

  • Reporting User

Modular Reporting Role Concept Example

The following is an example for a modular reporting role concept:

  • Basic Reporting Role

    • Authorization Objects S_RFC, S_TCODE: SU53, RAAOE, RAAOP

  • Standard Role

    • Authorization Objects S_RS_COMP, S_RS_COMP1

    • Authorization Objects S_RS_AO

    • Authorization Objects S_USER_AGR, S_USER_TCD

  • Analysis Authorizations Role

    Separate from a Standard Role to increase flexibility.

    • Authorization Object S_RS_AUTH

Analysis Authorizations Maintenance

Remember that the RSECADMIN transaction gives the administrator direct access to the Management of Analysis Authorizations screen, which serves as the central hub for all tasks related to analysis authorization management.

Analysis authorization maintenance can be carried out as follows:

  • Analysis authorizations are created and maintained on the Authorizations tab.
  • Users are assigned to analysis authorizations through the User tab.
  • Trace analysis authorizations by utilizing the Analysis tab.

To carry out any function in the management of analysis authorizations, the administrator requires authorization for the authorization object S_RSEC. This authorization object covers all relevant objects with namespace authorizations for specific activities.

The authorization object S_RSEC and the authorization example are presented in the text below.

(1) This is the authorization object S_RSEC.

(2) The authorization object S_RSEC has three fields: RSECADMOBJ, RSEADMVAL, and Activity.

The authorization example for S_RSEC shows the following:

  • (3) The user is allowed to work with Analysis Authorizations.
  • (4) These Analysis Authorizations must begin with HR.
  • (5) The allowed activities are Add or Create (01), Change (02), Display (03), and Delete (06).

The S_RSEC authorization object is intended to authorize the work with the infrastructure of analysis authorizations in the SAP BW/4HANA system. The options seen in the following figure are checked.

The checked options for Authorization Object S_RSEC from the documentation integrated into the system. All the entries are explained in the text below.

Other options are ignored because they correspond to combinations that are not currently implemented or that will be implemented or replaced with a later release.

Object Types (RSECADMOBJ)

The available Object Types are the following:

  • Authorization (AUTH), for actions concerning analysis authorizations

  • User (USER), for actions concerning user assignments

  • Logs (PROT), for actions concerning the protocol

  • Change Logs (LOGS), for actions concerning the change log

  • RSUDO or Password (RSUDO), for the action Execute As User without requiring the password of the other user

  • InfoObject (IOBJ), for the action to mark InfoObjects as authorization-relevant.

For a concrete authorization, the RSECADMOBJ value will be combined with a concrete Object Value (RSEADMVAL) and an Activity (ACTVT), whereby not all combinations are possible.

Examples in Authorization Object S_RSEC:

The following are some typical examples of authorizations in the S_RSEC authorization object:

  • Authorization to maintain Analysis Authorization in the HR area:

    Object AUTH / Object Value HR* / Activity 01, 02, 03, 06

    See the example in the previous figure.

  • Authorization to assign Analysis Authorizations directly to all users:

    Object USER / Object Value * / Activity 02, 03

  • Authorization for the execution of the simulation for all users:

    Object RSUDO / Object Value * / Activity 16

  • Authorization to mark all InfoObjects authorization-relevant:

    Object IOBJ / Object Value * / Activity 02
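
The four example authorizations above can be evaluated and reviewed mechanically. The following Python sketch is an added example, not SAP code: it models each grant as object type, object value, and activities, and flags grants that carry no namespace restriction. Treating a trailing * as a prefix wildcard is a simplification, and the names HR_PAYROLL, FI_COSTS, and SMITH are constructed.

```python
"""Added example: evaluate S_RSEC-style grants (object type / value / activity)."""
from typing import NamedTuple

class Grant(NamedTuple):
    obj_type: str          # RSECADMOBJ, e.g. AUTH, USER, RSUDO, IOBJ
    obj_value: str         # RSEADMVAL, e.g. "HR*" or "*"
    activities: frozenset  # ACTVT codes as two-digit strings

# The four example authorizations from the lesson, held by one hypothetical admin.
GRANTS = [
    Grant("AUTH", "HR*", frozenset({"01", "02", "03", "06"})),
    Grant("USER", "*", frozenset({"02", "03"})),
    Grant("RSUDO", "*", frozenset({"16"})),
    Grant("IOBJ", "*", frozenset({"02"})),
]

def value_matches(pattern: str, value: str) -> bool:
    """Simplified matching: a trailing '*' is a prefix wildcard, otherwise exact."""
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value

def is_allowed(grants, obj_type: str, obj_value: str, activity: str) -> bool:
    """True only if one single grant covers all three fields of the request."""
    return any(
        g.obj_type == obj_type
        and value_matches(g.obj_value, obj_value)
        and activity in g.activities
        for g in grants
    )

def broad_grants(grants, non_display=frozenset({"01", "02", "06", "16"})):
    """Review aid: grants with the bare wildcard as object value that include
    a non-display activity, that is, no namespace restriction at all."""
    return [g for g in grants if g.obj_value == "*" and g.activities & non_display]

if __name__ == "__main__":
    print(is_allowed(GRANTS, "AUTH", "HR_PAYROLL", "02"))  # inside the HR namespace
    print(is_allowed(GRANTS, "AUTH", "FI_COSTS", "03"))    # outside the HR namespace
    for g in broad_grants(GRANTS):
        print("review:", g.obj_type, g.obj_value, sorted(g.activities))
```
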

Other Remarks

The following extra considerations also apply:

  • For the buffering mode, a value BUFF for the field MODI is checked with the activity Change.
  • USER with a value such as Smith stands for the assignment of user authorization relations to the user Smith.
  • Users are created, deleted, and so on, with the usual standard authorization objects.
  • Logs are checked for the names of the users that generated them.
  • The change to the property of the authorization relevance for an InfoObject is not checked in the InfoObject maintenance; it is checked using the IOBJNM field in the S_RSEC authorization object.

Assigning Analysis Authorizations to Roles

Remember that Analysis Authorizations can be assigned directly to users through the transaction RSECADMIN, and indirectly by assigning them to roles via the S_RS_AUTH authorization object.

The analysis authorizations are assigned directly to users through the transaction RSECADMIN. The BI Analysis Authorization in Role is highlighted.

Analysis Authorizations Mass Maintenance

You can use Mass Maintenance of analysis authorizations to change multiple authorizations or multiple authorization assignments at the same time.

Example:

The new analysis authorization P_COA_002 has to be assigned to all users beginning with R_ to which the already existing analysis authorization P_COA_001 has also been assigned.

Figure: Analysis Authorizations Mass Maintenance example; steps 1 to 11 are presented in the text below.

After creating the new analysis authorization P_COA_002, for instance by copying it from the existing analysis authorization P_COA_001 and adapting it afterward, perform the following steps:

  1. In the transaction RSECADMIN, on the Authorizations tab, choose Mass Maintenance.
  2. On the Mass Search screen, select the radio button User and choose Complex Search.
  3. In the Mass Search dialog box, on the Users By Authorizations tab, in the BW Authorization field, enter P_COA_001, and in the User field, enter R_*.
  4. Select All users and choose Copy to transfer these users to the worklist.
  5. Choose Mass Maintenance.
  6. On the Mass Maintenance: Display screen, choose Change <-> Display. The new authorization can now be assigned to the users in the worklist.
  7. For that, on the right-hand side of the screen, choose Insert Row.
  8. Type in the new analysis authorization P_COA_002 manually or choose the Input Help and the Authorization dialog box to search for P_COA_002.
  9. Highlight the new row containing the analysis authorization P_COA_002 and choose Assign to All Users. Then choose Save and answer the following question with Yes.
  10. In the Mass Maintenance: Change screen, choose Yes to all.
  11. Result: The new P_COA_002 analysis authorization has been assigned to all users in the worklist, which is indicated in the Cardinality column by this symbol: (All Assigned).

The symbol (Part Assigned) indicates that the analysis authorization is only assigned to a certain user or certain users in the worklist.
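
After a mass change like this one, the result can be verified independently from the assignment data. The following Python sketch is an added example, not part of the SAP system: it recomputes the worklist from step 3 and the cardinality of P_COA_002 over constructed (user, authorization) rows. The two-column row layout, the user names, and the label "Not Assigned" are assumptions of this example.

```python
"""Added example: recompute the mass-maintenance worklist and cardinality."""

# Constructed (user, analysis authorization) rows, modeled on an export of the
# user assignments; the two-column layout is an assumption of this example.
ASSIGNMENTS = [
    ("R_ADAMS", "P_COA_001"), ("R_ADAMS", "P_COA_002"),
    ("R_BAKER", "P_COA_001"), ("R_BAKER", "P_COA_002"),
    ("R_CLARK", "P_COA_001"),                            # missed by the change
    ("R_DAVIS", "P_HR_001"),                             # R_ user without P_COA_001
    ("S_EVANS", "P_COA_001"), ("S_EVANS", "P_COA_002"),  # outside R_*
]

def worklist(rows, user_prefix, existing_auth):
    """Users whose name starts with user_prefix and who hold existing_auth
    (the Complex Search in step 3: User R_*, BW Authorization P_COA_001)."""
    return sorted({u for u, a in rows
                   if u.startswith(user_prefix) and a == existing_auth})

def cardinality(rows, users, auth):
    """Mirror the Cardinality column for one authorization over a worklist.
    Returns the label and the worklist users who do not hold the authorization."""
    holders = {u for u, a in rows if a == auth and u in users}
    missing = sorted(set(users) - holders)
    if users and not missing:
        return "All Assigned", []
    return ("Part Assigned" if holders else "Not Assigned"), missing

def holders_outside(rows, users, auth):
    """Users who hold auth but were not in the worklist, listed for review."""
    return sorted({u for u, a in rows if a == auth and u not in users})

if __name__ == "__main__":
    wl = worklist(ASSIGNMENTS, "R_", "P_COA_001")
    print("worklist:", wl)
    print("P_COA_002:", cardinality(ASSIGNMENTS, wl, "P_COA_002"))
    print("outside worklist:", holders_outside(ASSIGNMENTS, wl, "P_COA_002"))
```
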

Automatic Generation of Analysis Authorizations

By generating analysis authorizations, you can load authorized values from other systems into DataStore Objects (advanced) and generate authorizations from them. This process makes it possible to generate the required authorizations using data from an application (such as HR). The data that users are permitted/not permitted to see in SAP BW/4HANA is therefore the same as in the application transactions, even if the authorization concepts are different.

You can use this function to generate either single authorizations or mass authorizations. It is suitable for scenarios that generate new authorizations periodically and are therefore constantly changing. It does not necessarily make sense to assign these authorizations to the users in roles and profiles.

A prerequisite for the generation of authorizations is that the authorization data exists in some form in a source system. This data can be brought into SAP BW/4HANA with the usual data loading process. The data could come from another SAP system, an external system, or a file. With this process, you can avoid duplicate maintenance of data (in the original system and in SAP BW/4HANA).

The authorization data and, where applicable, the user data have to be loaded into up to five DataStore Objects (advanced).

The following five DataStore Objects (advanced) are delivered with Business Content and serve as templates:

  • Authorization data (values) (0TCA_AD01)

  • Authorization data (hierarchy) (0TCA_AD02)

  • Description texts for authorizations (0TCA_AD03)

  • Assignment of authorizations to users (0TCA_AD04)

  • Generation of users for authorizations (0TCA_AD05)

Diagram of the loading authorization data into the DataStore Objects (Advanced).

After the authorization data and, where applicable, the user data have been loaded into the DataStore Objects (advanced), authorizations, users, and authorization assignments can be generated by referring to the data contained in these DataStore Objects (advanced).

The Management of Analysis Authorizations system window with the Generation button highlighted. The Generating Authorizations in BW from Data in the InfoProviders window.

Useful Tables and Transactions for Analysis Authorizations

Useful Tables for Analysis Authorizations

Table              Description
RSDCHA             Authorization-relevant characteristics
RSECUSERAUTH       Assignments of Analysis Authorizations to Users
RSECUSERAUTH_CL    Changes to Assignments of Analysis Authorizations to Users
RSECVAL            Analysis Value Authorizations
RSECVAL_CL         Changes to Analysis Value Authorizations
RSECHIE            Analysis Hierarchy Authorizations
RSECHIE_CL         Changes to Analysis Hierarchy Authorizations

Useful Transactions for Analysis Authorizations

Transaction                         Description
RSECADMIN                           Management of Analysis Authorizations
RSECAUTH (included in RSECADMIN)    Individual Maintenance of Analysis Authorizations
RSU01 (included in RSECADMIN)       Individual Assignment of Analysis Authorizations to Users
RSUDO (included in RSECADMIN)       Execute as User with Restricted Authorizations
RSECPROT (included in RSECADMIN)    Analysis Authorization Log
