For SAP BW, we define who is able to perform actions and on which data. There are two authorization concepts to manage these two requirements. With SAP BW/4HANA, there is no change to this framework.
- Standard authorizations: (authorizations on objects): You use these authorizations to determine who can do what when working with SAP BW/4HANA tools. These authorizations are required by all users who model or load data, and who work in the planning workbench or define queries. The authorization concept for standard authorizations is based on the Application Server for ABAP authorization concept. It is based on authorization objects defining allowed activities per object type. Each authorization refers to an authorization object and defines one or more values for each field that is contained in the authorization object.
For example, if you are allowed to create advanced DataStore objects, you need an authorization of activity 23 for the S_RS_ADSO authorization object. Individual authorizations are grouped into roles (transaction
PFCG) by system administration. You can copy the roles delivered by SAP and adjust them as necessary. Please refer to the Authorization Object Maintenance (transactionSU21) with filter on Object Class = RS for a complete list of authorization objects including documentation in your system. - Analysis authorizations: (authorizations on data): All users who want to display data from authorization-relevant characteristics in a BW query require analysis authorizations for these characteristics. Publishing queries allows a much larger group of users to access query data. With the special SAP BW/4HANA authorization concept for displaying query data, you can better protect especially critical data. Authorizations of this type are not based on the standard SAP authorization concept. They use their own SAP BW/4HANA concept based on the reporting and analysis features instead (transaction
RSECADMIN). For example, if you are allowed to see controlling data for your cost center 4711 only, you need an analysis authorization for cost center = 4711 in the advanced DataStore object containing this data. The analysis authorizations can be assigned to users directly or via roles.
Although SAP BW/4HANA leverages the same authorization concepts as SAP BW, the simplification of object types in SAP BW/4HANA has an impact on authorization objects. When converting an SAP BW system to SAP BW/4HANA, authorizations for object types that are not available in SAP BW/4HANA (such as InfoCubes) have to be replaced by authorizations for corresponding object types (like ADSOs). In this example, authorization object S_RS_CUBE requires a replacement with S_RS_ADSO.
Due to the simplification, the number of authorization objects in SAP BW/4HANA is reduced. The list above presents all authorization objects that become obsolete in SAP BW/4HANA, while the list below provides existing SAP BW/4HANA authorization objects.
Conversion aspects
The impact of a conversion to SAP BW/4HANA on authorization is the following:
Standard authorizations need manual adjustments in general. However, the Transfer Cockpit (transaction
RSB4HCONV) provides tool support for in-place conversion projects.Analysis authorizations, which are maintained directly in transaction
RSECADMIN, are automatically adjusted when using the SAP BW/4HANA transfer tools.
Note
Please refer to following sources for additional details:SAP note 2468657 (including attachments): SAP BW/4HANA Standard Authorizations
SAP BW/4HANA Simplification List - chapters 2.9 and 3.9 on "Security": https://help.sap.com/doc/16e3352bd6c342ec9fb1cd90adb9fbf4/2.0/en-US/SAP_BW4HANA_20_Simplification_List.pdf
SAP BW/4HANA Conversion Guide - "4.7 Preparing Transfers of Standard Authorizations": https://help.sap.com/doc/c8e1ac37fee64e0f887a2d6d6af32a33/2021.02/en-US/SAP_BW4HANA_2021_Conversion_Guide_v1.1.pdf