Maintaining Standard Authorizations

Objective

After completing this lesson, you will be able to maintain standard authorizations.

Business Example

A customer needs to understand standard authorizations, user roles, and templates.

This lesson covers the implementation of standard authorizations and how SAP's user roles and templates support this.

Standard Authorizations

Remember: In SAP BW/4HANA, authorizations based on the Application Server (AS) for ABAP authorization concept dictate permissions for users' actions within the SAP BW/4HANA system.

In SAP BW/4HANA, these authorizations are called Standard Authorizations to distinguish them from Analysis Authorizations.

Users need standard authorizations to perform tasks such as:

  • Model data by creating, changing, or deleting metadata objects, such as InfoObjects, InfoProviders, and data flow elements.

  • Load and administer data.

  • Define and execute queries.

  • Work in the planning workbench.

Each authorization refers to an authorization object and defines one or more values for each field that is contained in the authorization object. Authorization objects are delivered for the various areas.

Individual authorizations are grouped into roles by system administration. You can copy the roles delivered by SAP and adjust them as necessary. The system administrator creates these authorizations and enters them into individual users' master records in the form of profiles.

Authorization Objects for Modelers and Administrators

Modelers and Administrators must have access to the numerous SAP BW/4HANA metadata objects, such as InfoObjects, InfoProviders, data transfer processes, process chains, open hub destinations, and DataSources.

Administrators must also create and maintain many other data warehousing objects. Authorization object S_RS_ADMWB protects these objects.

Authorization Object for Data Warehousing Workbench Objects:

Authorization Object / Technical Name | Description
Data Warehousing Workbench – Objects / S_RS_ADMWB | Authorizations for working with the Data Warehousing Workbench and the BW Modeling Tools. These include the following: source system, InfoObject, monitor, application component, InfoArea, Data Warehousing Workbench, settings, metadata, documents (for metadata, master data, hierarchies, and transaction data), document store administration, and (customer) content system administration.

There are only two fields in this authorization object:

  • Data warehousing object.
  • Activity.

Authorization Objects for InfoObjects and Master Data:

Authorization Object / Technical Name | Description
InfoObject / S_RS_IOBJA | Authorizations for working with individual InfoObjects and their subobjects, processing, and activating master data.
Hierarchy / S_RS_HIER | Authorizations for working with hierarchies.

Authorization Objects for InfoProvider:

Authorization Object / Technical Name | Description
DataStore Object (Advanced) / S_RS_ADSO | Authorizations for working with DataStore objects (advanced) and their subobjects.
Central CompositeProvider / S_RS_HCPR | Authorizations for working with (central) CompositeProviders and their subobjects.
Authorization object for local and ad hoc CompositeProviders / S_RS_CPRO | Authorizations for working with local and ad-hoc CompositeProviders and their subobjects.
Open ODS View / S_RS_ODSV | Authorizations for working with Open ODS Views.
BAdI Provider / S_RS_BDPR | Authorizations for working with BAdI providers and their subobjects.

Authorization Objects for Data Flow Objects (Object Class RS):

Authorization Object / Technical Name | Description
DataSource / S_RS_DS | Authorizations for working with DataSources and their subobjects.
InfoSource (InfoArea) / S_RS_TRCS | Authorizations for working with InfoSources for BW systems that are using an SAP HANA database.
Transformation rules / S_RS_TR | Authorizations for working with transformation rules and their subobjects.
Data Transfer Process / S_RS_DTP | Authorizations for working with data transfer processes (DTP). The authorizations assigned for the DTP object have higher priority than the authorizations for the underlying TLOGO objects. Users with DTP authorization for a source/target combination do not require read authorization for the source object or write authorization for the target object to execute the DTP.
Open hub destination / S_RS_OHDST | Authorizations for working with open hub destinations.
Process chains / S_RS_PC | Authorizations for working with process chains.
ODP: Extraction from SAP HANA / S_RS_ODSP_H | Authorizations for extraction from SAP HANA using ODP.

Authorization Objects for Currency and Quantity Conversion (Object Class RS):

Authorization Object / Technical Name | Description
Data Warehousing Workbench – currency translation type / S_RS_CTT | Authorizations for working with currency translation types.
Data Warehousing Workbench – quantity conversion type / S_RS_UOM | Authorizations for working with quantity conversion types.
Data Warehousing Workbench – key date derivation type / S_RS_THJT | Authorizations for working with key date derivation types.

Authorization Objects for Business Planning (Object Class RS):

Authorization Object / Technical Name | Description
Planning: Aggregation Level / S_RS_ALVL | Authorizations for working with aggregation levels.
Planning function / S_RS_PLSE | Authorizations for working with planning functions.
Planning sequence / S_RS_PLSQ | Authorizations for working with planning sequences.
Planning service type / S_RS_PLST | Authorizations for working with planning function types.
Lock settings / S_RS_PLENQ | Authorizations for maintaining or displaying lock settings.

Authorization Objects for SAP HANA Analysis Process (Object Class RS):

Authorization Object / Technical Name | Description
Authorizations for the SAP HANA analysis process / RSHAAP | Authorizations for working with SAP HANA analysis processes.
Authorizations for SAP HANA analysis elements / RSHAOT | Authorizations for working with SAP HANA analysis elements.

Authorization for SAP Demo Content

Authorization Object / Technical Name | Description
S_RS_RSFC | Authorization for SAP Demo Content.

Authorization Objects for Working with Queries (Object Class RS):

Authorization Object / Technical Name | Description
Authorizations for working with Queries / S_RS_COMP | Authorization object S_RS_COMP has the fields InfoArea, InfoProvider, Component Type, Name (ID), and Activity.
Authorizations for working with Queries of specific owners / S_RS_COMP1 | Authorization object S_RS_COMP1 has the fields: Component Type, Name (ID), Owner, and Activity. Use the variable $USER to give all users the authorization for queries that they created themselves. During the authorization check, $USER is replaced by the corresponding user name.
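How the $USER replacement behaves during a check, as an added example (not SAP code): a simplified Python model of an S_RS_COMP1 check. The field keys, the function names, the user names, and the sample authorization values are assumptions of this example.

```python
# Keys are shorthand for the S_RS_COMP1 fields named on this page
# (Component Type, Name (ID), Owner, Activity), not SAP's technical field names.
FIELDS = ("comp_type", "name", "owner", "activity")


def value_matches(granted, requested, user):
    """Compare one granted value with the requested value."""
    if granted == "$USER":            # replaced by the name of the user being checked
        return requested == user
    if granted.endswith("*"):         # "*" or a prefix pattern such as "ZSALES*"
        return requested.startswith(granted[:-1])
    return requested == granted


def check_comp1(authorizations, user, **request):
    """True if one single authorization covers every field of the request."""
    return any(
        all(any(value_matches(g, request[f], user) for g in auth[f]) for f in FIELDS)
        for auth in authorizations
    )


# Constructed authorization: change ("02") and display ("03") queries ("REP")
# of any name, but only where the owner is the user being checked.
OWN_QUERIES = [{
    "comp_type": ["REP"],
    "name": ["*"],
    "owner": ["$USER"],
    "activity": ["02", "03"],
}]

# The same authorization with Owner = * instead of $USER, for comparison.
ALL_QUERIES = [dict(OWN_QUERIES[0], owner=["*"])]


def demo():
    """Run the same change request against both authorizations."""
    own = dict(comp_type="REP", name="ZSALES_Q01", owner="ALICE", activity="02")
    foreign = dict(own, owner="BOB")
    return {
        "alice_changes_own": check_comp1(OWN_QUERIES, "ALICE", **own),
        "alice_changes_bobs": check_comp1(OWN_QUERIES, "ALICE", **foreign),
        "bob_changes_bobs": check_comp1(OWN_QUERIES, "BOB", **foreign),
        "owner_wildcard": check_comp1(ALL_QUERIES, "ALICE", **foreign),
    }


if __name__ == "__main__":
    print(demo())
```

One authorization with Owner = $USER can be assigned to every user and still limits each of them to their own queries, whereas Owner = * opens every owner's queries.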

Authorization Objects for Working with Report Types:

Authorization Object / Technical Name | Description
Analysis Office: Authorization object / S_RS_AO | Authorizations for working with SAP Analysis for Microsoft Office.

Authorization Objects for Working on BW/4HANA Objects via the BW Modeling Tools in SAP HANA Studio:

Authorization Object / Technical Name | Description
Authorization Check for RFC Access / S_RFC | Authorizations for the RFC Access.
Transaction Code Check at Transaction Start / S_TCODE | Authorizations for transaction codes. The BW Modeling Tools need to start specific transactions for SAP GUI integration in Eclipse. Therefore, the BW Modeling Tools need access to the following transactions, which are specified in authorization object S_TCODE: SADT_START_TCODE and SADT_START_WB_URI.
Authority object for ABAP Development Tool Resource Access / S_ADT_RES | Authorizations for connecting to BW/4HANA system.
System Authorizations / S_ADMI_FCD | This authorization object checks access to several basic functions, for example, spool administration and monitoring, checked against the value PADM when displaying, and deleting the trace files.
ABAP Workbench / S_DEVELOP | Necessary when editing SAP BW/4HANA objects.

Authorization Objects for Working with the SAP BW∕4HANA Cockpit:

Authorization Object / Technical Name | Description
S_BW4_REST | We recommend assigning the authorization on /sap/bw4/*.
S_SERVICE | Authorization for OData services. List of OData services: Authorizations for Working with the SAP BW∕4HANA Cockpit.
S_RS_ADSO, S_RS_IOBJ, S_RS_PC | Authorizations for all BW objects that can be displayed and edited using the SAP BW∕4HANA Cockpit.

Further Authorization Objects:

Authorization Object / Technical Name | Description
Authorization object for the RS trace tool / S_RS_RSTT | Authorizations for the RS trace tool.
Document Store / S_RS_DOCA | Authorizations for working with the document store.
Authorizations for TLOGO object history / S_RS_HIST | Authorizations for working with version management.
Background Processing: Background Administrator / S_BTCH_ADM | Authorizes a user to manage background processing (for example, running a DTP in batch).
Background Processing: Operations on Background Jobs / S_BTCH_JOB | The authorization object S_BTCH_JOB consists of the authorization fields JOBACTION and JOBGROUP. JOBGROUP must always have the value '*'. For JOBACTION, you can assign the values: PLAN, DELE, LIST, RELE, SHOW, PROT, MODI.

User Roles Provided by SAP

When creating roles, you can access user roles delivered by SAP. These roles include the authorizations required for performing basic user tasks.

In addition to the SAP BW∕4HANA user roles, users need the SAP_BC_DWB_WBDISPLAY role to display objects from the ABAP Dictionary and ABAP environment.

Note

You can use the roles in Role Maintenance (transaction PFCG). To assign these roles to users, you should first copy the roles to prevent them from being overwritten by new standard roles during a subsequent upgrade or release change.

Roles specifically for SAP BW/4HANA start with SAP_BW4.

Roles valid for BW in general start with SAP_BW.

For SAP BW∕4HANA, the following roles are predefined:

  • BW Modeler (SAP_BW4_MODELER).

  • Reporting Developer (SAP_BW4_REPORTING_DEVELOPER).

  • BW Administrator (production system) (SAP_BW4_ADMINISTRATOR_PROD).

  • BW Operator (production system) (SAP_BW4_OPERATOR).

  • BW Authorization Administrator (development system) (SAP_BW4_AUTHORIZATION_ADMIN).

  • Reporting User (SAP_BW4_REPORTING_USER).

We will examine these roles in more detail.

BW Modeler (SAP_BW4_MODELER)

The BW Modeler role connects source systems, models data flows, performs data transfer processes, and schedules process chains. This takes place in the development system.

The BW Modeler role has the following authorizations:

  • Create/change/delete data flows, InfoObjects, InfoProviders (DataStore object (advanced), CompositeProvider, Open ODS View), transformations, data transfer processes, and process chains in the BW Modeling Tools and in the back end.

  • Administration of InfoProviders.

  • Execute data transfer processes.

  • Schedule process chains.

  • Transport objects in existing transport requests.

Reporting Developer (SAP_BW4_REPORTING_DEVELOPER)

The Reporting Developer role creates and executes queries, administers analysis authorizations, including their assignments to roles, and creates currency and unit conversion types and key date derivation types. This normally occurs in the development system, but this role can also be used in the production system for key users.

The Reporting Developer role has the following authorizations:

  • Create and execute queries.

  • Create currency and quantity conversion types and key date derivation types.

BW/4HANA Administrator (production system) (SAP_BW4_ADMINISTRATOR)

The BW/4HANA Administrator in the production system loads data from the source system, monitors processes, analyzes errors in detail, and creates and executes data archiving processes.

The BW/4HANA Administrator role (production system) has the following authorizations:

  • Load data from the source system.

  • Schedule process chains.

  • Display data flows.

  • Administration of InfoProviders.

  • Create and execute data archiving processes.

  • Analyze runtime errors (transaction ST22).

  • Check the system log (transaction SM21).

  • Check the database performance (transaction ST04).

  • Check authorizations (transaction SU53 and SU56).

Operator (production system) (SAP_BW4_OPERATOR)

The Operator (production system) role loads data from the source system, schedules process chains, monitors processes, and performs basic troubleshooting.

The Operator (production system) role has the following authorizations:

  • Load data from the source system.

  • Schedule process chains.

  • Display data flows.

  • Administration of InfoProviders.

  • Create and execute data archiving processes.

BW/4HANA Authorization Administrator (development system) (SAP_BW4_AUTHORIZATION_ADMIN)

The BW/4HANA Authorization Administrator is responsible for the creation and administration of analysis authorizations. However, assignment of analysis authorizations should be performed by the role administrator.

The BW/4HANA Authorization Administrator role has the following authorizations:

  • Create and manage analysis authorizations.

  • Set objects to authorization-relevant.

  • Authorization analysis (transaction RSUDO).

  • Check authorization logs (transaction RSECPROT).

Reporting User (SAP_BW4_REPORTING_USER)

The Reporting User role executes queries in SAP Analysis for Microsoft Office and SAP BusinessObjects Cloud or BI Clients of third-party providers.

The Reporting User role has the following authorizations:

  • Execute queries.

  • Analyze own authorization issues.

Note

For more information, see https://help.sap.com: SAP BW/4HANA > Application Help > Administration > Authorizations > Standard Authorizations > User Roles.

Templates Provided by SAP

Templates to Support Creating Roles

Templates enable you to easily insert a set of authorizations into a role. Templates are maintained in the role maintenance transaction PFCG (in former releases under the transaction SU24) under Utilities > Templates and are used in the authorizations section of the role.

Sample of SAP-provided Templates

The following is a sample list of SAP-provided templates:

  • S_RS_RDEAD: Administrator on Development System
  • S_RS_ROPAD: Administrator on Production System
  • S_RS_RREDE: Reporting Developer on Development System
  • S_RS_RDEMO: Modeler on Development System

Integrating Templates into Roles

You can choose or change the templates provided by SAP or create your own templates.

Once you are in the authorization section of the roles, the Choose Template window appears automatically if the menu is empty. Otherwise, to integrate a template into a role, choose Edit > Insert Authorizations > From template. After inserting the template, you can update, insert, and delete authorizations as needed.

Master Data Authorizations

To change or display master data, authorization checks are made. Authorization assignments and checks are defined by characteristic, and additionally by characteristic values.

Authorizations for Master Data

Screenshot of the Master Data/Texts: Characteristic U00_COST1. Authorization Object S_RS_IOMAD grants authorization for Master Data Maintenance for InfoArea/InfoObject. Additionally, when the Master Data Maintenance with Authorization Check indicator is activated, the authorization check for characteristic values takes place using Authorization Object S_TABU_LIN.

As shown here, you can define how authorization assignments and checks take place, either by characteristic or characteristic value.

The following authorization objects exist:

  • S_RS_IOMAD

    With this authorization object you can grant authorization for the maintenance of master data of one or more InfoObjects within one or more InfoAreas.

    Activities:

    • 03 = Display

    • 23 = Maintain

    • 06 = Delete

  • S_TABU_LIN

    S_TABU_LIN controls access to individual table rows, which means that an authorization check takes place by characteristic value.

    Activities:

    • 02 = Add, change or delete table entries

    • 03 = Display table entries

    The object complements the authorization objects S_TABU_DIS, S_TABU_NAM, and S_TABU_CLI.

With authorization checks by characteristic value, the system generates an organization criterion for the characteristic. The organization criterion generates a connection between table key fields and the authorization fields for the S_TABU_LIN authorization object.

You can use the S_TABU_LIN authorization object to enter characteristic values in each key field of the master data table for which the user requires authorization. This is performed in the profile generator in role maintenance. In this way, you are able to use authorizations to protect the maintenance and display of master data/texts for this characteristic at single record level.

Characteristic values for which the user has no authorization are not displayed in the input help.
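The two checks described in this section, as an added example (not SAP code): a simplified Python model of the check by characteristic (S_RS_IOMAD), the check by characteristic value (S_TABU_LIN), and the filtered input help. The dictionary layout, the InfoArea name U00_AREA, the characteristic values, and the mapping of maintenance to S_TABU_LIN activity 02 are assumptions of this example.

```python
# Simplified model; the data layout and the maintain -> "02" mapping are
# assumptions of this example, not SAP's data model.
IOMAD_DISPLAY, IOMAD_MAINTAIN = "03", "23"   # S_RS_IOMAD activities from this page
LIN_CHANGE, LIN_DISPLAY = "02", "03"         # S_TABU_LIN activities from this page

# Constructed authorizations of one user for characteristic U00_COST1.
USER_AUTH = {
    "S_RS_IOMAD": [
        {"infoarea": "U00_AREA", "infoobject": "U00_COST1", "activities": {"03", "23"}},
    ],
    "S_TABU_LIN": [
        {"characteristic": "U00_COST1", "values": {"1000", "2000"}, "activities": {"02", "03"}},
        {"characteristic": "U00_COST1", "values": {"3000"}, "activities": {"03"}},
    ],
}

def iomad_allows(auth, infoarea, infoobject, activity):
    """Check by characteristic: InfoArea, InfoObject and activity."""
    return any(
        a["infoarea"] in ("*", infoarea)
        and a["infoobject"] in ("*", infoobject)
        and activity in a["activities"]
        for a in auth.get("S_RS_IOMAD", [])
    )

def tabu_lin_allows(auth, characteristic, value, activity):
    """Check by characteristic value: one record of the master data table."""
    return any(
        a["characteristic"] == characteristic
        and activity in a["activities"]
        and ("*" in a["values"] or value in a["values"])
        for a in auth.get("S_TABU_LIN", [])
    )

def may_access(auth, infoarea, infoobject, value, maintain, value_check_active):
    """Run both checks in order; the second only when the indicator is set."""
    iomad_act = IOMAD_MAINTAIN if maintain else IOMAD_DISPLAY
    if not iomad_allows(auth, infoarea, infoobject, iomad_act):
        return False
    if not value_check_active:
        return True
    return tabu_lin_allows(auth, infoobject, value, LIN_CHANGE if maintain else LIN_DISPLAY)

def input_help(auth, infoarea, infoobject, all_values, value_check_active=True):
    """Values offered in the input help; unauthorized values are left out."""
    return [v for v in all_values
            if may_access(auth, infoarea, infoobject, v, False, value_check_active)]
```

With the indicator switched off, the S_RS_IOMAD authorization alone covers every value of the characteristic, so single-record protection depends on the indicator being active.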
