
Authorization in SAP NW BI

1. MODELING
Difference between RSSM and RSECADMIN

Transaction
- RSSM: old transaction, RSSM
- RSECADMIN: new transaction, RSECADMIN

Concept of authorization
- RSSM: 'Reporting Authorization'
- RSECADMIN: 'Analysis Authorization'

Assignment of authorization
- RSSM (reporting authorization):
  o by PFCG: mass distribution of authorizations by using a role
  o by RSSM: generation way (use with Business Content and flat file loading)
- RSECADMIN (analysis authorization):
  o by PFCG: mass distribution of authorizations by using a role
  o by RSECADMIN: manual way -> Assignment -> Auth selection -> Insert
  o by RSECADMIN: generation way (use with Business Content and flat file loading)

Full authorization
- RSSM: SAP_ALL, SAP_NEW
- RSECADMIN: SAP_ALL, SAP_NEW
  o 0BI_ALL: allows full authorization for the authorization-relevant IOs
  o Used in the authorization object S_RS_AUTH
  o Report 'RSEC_GENERATE_BI_ALL' for the SAP_ALL user

Modeling
- RSSM:
  o An IO is marked as authorization relevant
  o RSSM is used to flag the relevant InfoProviders
  o RSSM is used to customize authorization objects
  o Authorization variables are used in BEx queries
  o PFCG is used to assign reporting authorizations through the object class RSR
  o Query access is managed by the objects S_RS_COMP, S_RS_COMP1
  o Area button/access: S_RS_FOLD
  o Authorization for cube, ODS, hierarchy and InfoSet is managed by:
    S_RS_ICUBE, S_RS_ODSO, S_RS_HIER, S_RS_ISET
- RSECADMIN:
  o An IO and a navigation attribute can be authorization relevant
  o An authorization-relevant IO is authorization relevant in every cube in which it is used
  o RSECADMIN is used to define analysis authorizations with the special IOs
    0TCAACTVT, 0TCAIPROV, 0TCAVALID
  o Authorization variables are used in BEx queries
  o PFCG is used to assign analysis authorizations through the object S_RS_AUTH (object class RS)
  o Query access is managed by the objects S_RS_COMP, S_RS_COMP1
  o Area button/access: S_RS_FOLD
  o Authorization for cube and ODS for reporting users is managed by the special
    authorization characteristic 0TCAIPROV
  o S_RS_ICUBE, S_RS_ODSO, S_RS_HIER, S_RS_ISET are not checked anymore for reporting users
  o S_RS_ICUBE, S_RS_ODSO, S_RS_HIER, S_RS_ISET are used to allow access for the developer team
  o New object to manage access for developer users: -
  o New authorization objects for Web Application Designer & Report Designer:
    S_RS_BTMP, S_RS_BITM, S_RS_ERPT, S_RS_EREL

Step by Step

0. Pre-requisites
   RSSM: -
   RSECADMIN:
   - Activate all Business Content related to authorizations before you get started:
     o InfoObjects: 0TCA* and 0TCT*
     o InfoCubes: 0TCA*
   - Set the following InfoObjects as "authorization relevant":
     o 0TCAACTVT
     o 0TCAIPROV
     o 0TCAVALID
     o 0TCAKYFNM (optional, if key figure restriction is needed)
   - Add 0TCAIFAREA as an external hierarchy characteristic to 0INFOPROV (optional)

1. Set master data as authorization relevant
   RSSM:
   - RSA1 -> InfoObjects -> Business Explorer tab -> Flag 'Authorization relevant'
   RSECADMIN:
   - RSA1 -> InfoObjects -> Business Explorer tab -> Flag 'Authorization relevant'
   - RSA1 -> InfoObjects -> Attribute tab -> Flag 'AuthorizRelevant'

2. Create authorization object / analysis authorization
   RSSM:
   - RSSM -> Enter the name of your authorization object -> Create -> Put the
     authorization-relevant IOs in the selected InfoObjects part -> Save

3. Set InfoProvider
   RSSM:
   - RSSM -> Select 'Check for InfoCubes' -> Change -> Flag the related InfoCubes
   RSECADMIN:
   - The authorization-relevant IOs are authorization relevant for all cubes

4. Create BEx variable for authorization
   1. Right click on the IO -> choose 'Restrict'
   2. Choose 'Selection' = 'Single Value' and 'from Hierarchy' = 'flat list'.
      If a hierarchy exists, select the hierarchy for the IO
   3. Go to the variables tab -> Right click -> 'New variable'
   4. For a restriction without hierarchy, the type of variable is 'Characteristic Value';
      if you have chosen a hierarchy, the type of variable is 'Hierarchy node'
   5. Select a variable name and a description
   6. Choose 'Processing by' = 'Authorization', then check the characteristic and click 'Next'
   7. Choose the display area for the variable -> Variable represents = 'Single Value'
      or 'Selection Option'
   8. Choose whether the variable entry is optional or mandatory
   9. Don't select 'Ready for input' and 'Can be changed in query navigation'
   10. Click 'Next' until the end

5. Insert authorization in role

6. Assign authorization/role to users

2. AUTHORIZATION
- Reporting User: Authorization for End User

  o S_RS_AUTH:
    - Insert here the analysis authorization you customized in RSECADMIN.
    - Grants rights on IOs marked as 'authorization relevant' (data)
  o S_RS_COMP: Query accessibility
    - Activity: 01 (Create or generate), 02 (Change), 03 (Display), 06 (Delete), 16 (Execute),
      22 (Enter, Include, Assign)
    - InfoArea: '*'
    - InfoCube: <Selected infoprovider>
    - Name (ID) of a reporting component: <Selected query>
    - Type of a reporting component: CKF (Calculated key figure), QVW (Query View), REP
      (Query), RKF (Restricted key figure), SOB (Selection object, New object !!!), STR
      (Template structure), VAR (Variable)
  o S_RS_COMP1: Query for specific users
  o S_RS_FOLD (Hide 'Folder' pushbutton): 'False' or 'True'
  o S_USER_AGR: Role name
  o S_RS_BITM: !!! NEW !!!
  o S_RS_BTMP: !!! NEW !!!

- Developer

  o S_DEVELOP
  o S_RO_BCTRA on the ECC side to activate (remote) DataSources
  o S_RS_BC
  o S_RS_BCS
  o S_GUI
  o S_RS_DS: Authorizations for working with the DataSource or its subobjects (as of SAP
    NetWeaver 2004s)
  o S_RS_ISNEW: Authorizations for working with new InfoSources or their subobjects (as
    of SAP NetWeaver 2004s)
  o S_RS_DTP: Authorizations for working with the data transfer process and its subobjects
  o S_RS_TR: Authorizations for working with transformation rules and their subobjects
  o S_RS_CTT: Authorizations for working with currency translation types
  o S_RS_UOM: Authorizations for working with quantity conversion types
  o S_RS_THJT: Authorizations for working with key date derivation types
  o S_RS_PLENQ: Authorizations for maintaining or displaying the lock settings
  o S_RS_RST: Authorization object for the RS trace tool
  o S_RS_PC: Authorizations for working with process chains
  o S_RS_OHDEST: Open Hub Destination
  o S_RS_DAS: Authorizations for working with Data Access Services
  o S_RS_BTMP: Authorizations for working with BEx Web templates
  o S_RS_BEXTX: Authorizations for the maintenance of BEx texts

  Authorization objects for the administration of analysis authorizations:
  o S_RSEC: Authorization for assignment and administration of analysis authorizations
  o S_RS_AUTH: Authorization object to include analysis authorizations in roles
  o S_RS_ADMWB: Changed Authorization Objects (Data Warehousing Workbench:
    Objects)

- General

  o S_RFC: Authorization Check for RFC Access
    - Activity: 16
    - Name of RFC to be protected: *
    - Type of RFC object to be protected: FUGR
  o S_TCODE: Transaction Code Check at Transaction Start
    - Transaction Code: SE37, RRMX, RRMXP
  o S_GUI: Authorization for GUI activities
    - Activity: 02, 60, 61
  o S_BDS_D: BC-SRV-KPR-BDS: Authorizations for Accessing Documents
    - Activity: 03
    - BDS: Data element for LOIO cla *
3. ASSIGNMENT
- Generation (RSECADMIN)

- Role (PFCG)

4. TECHNICAL
- Tables

  o RSECVAL: Authorization Value Status
  o RSECUSERAUTH: BI AS Authorizations: Assignment of User Auth.

- Function Modules

  o RSEC_AUTHORITY_CHECK_IPROV
  o RSEC_AUTH_GET_IOBJ_RELEVANT
  o RSEC_CHECK_IPROV
  o RSEC_CHECK_VALIDITY
  o RSEC_COMPLETE_HIERAUTH
  o RSEC_GET_AUTH_FOR_USER
  o RSEC_GET_AUTH_HIER_FOR_USER
  o RSEC_ASSIGN_AUTHS_TO_USERS
  o RSEC_GET_ALL_GENERATED_AUTHS
  o RSEC_READ_ODS_HIER
  o RSEC_READ_ODS_USER_AUTH
  o RSEC_READ_ODS_VAL
  o RSEC_AUTHORIZATIONS_OF_USER
  o RSEC_GET_AUTH_FOR_USER_RFC

- Authority check

  Here are some links:

  o Get Authorization Detail (Function Module)
  o Authorisation Check Program
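
Added example (not part of the original document, and not SAP code): an offline review of who receives the full analysis authorization 0BI_ALL, either directly through RSECUSERAUTH or through a role that carries it in S_RS_AUTH. The CSV layouts, the column names (AGR_NAME, OBJECT, FIELD, LOW, HIGH, UNAME, AUTH), the AGR_1251 source table, the BIAUTH field name and all sample rows are assumptions made for the example.

```python
import csv
import io

FULL_AUTH = "0BI_ALL"  # full analysis authorization named on this page

# Constructed sample, laid out like rows of AGR_1251 (role authorization values).
ROLE_VALUES_CSV = """AGR_NAME,OBJECT,FIELD,LOW,HIGH
Z_BI_REPORTING,S_RS_AUTH,BIAUTH,Z_SALES_DE,
Z_BI_REPORTING,S_RS_COMP,ACTVT,16,
Z_BI_POWER,S_RS_AUTH,BIAUTH,0BI*,
Z_BI_SUPPORT,S_RS_AUTH,BIAUTH,*,
Z_BI_RANGE,S_RS_AUTH,BIAUTH,0A,0Z
Z_BI_ADMIN,S_RS_AUTH,BIAUTH,0BI_ALL,
"""

# Constructed sample, laid out like rows of RSECUSERAUTH (direct user assignment).
USER_AUTH_CSV = """UNAME,AUTH
JDOE,Z_SALES_DE
BATCH_BI,0BI_ALL
"""

def covers(low, high, target=FULL_AUTH):
    """True if a role value (single, trailing-* pattern or LOW..HIGH range) includes target."""
    low, high = (low or "").strip(), (high or "").strip()
    if high:                       # interval: plain string comparison (assumption)
        return low <= target <= high
    if low.endswith("*"):          # '*' or a prefix pattern such as '0BI*'
        return target.startswith(low[:-1])
    return low == target

def roles_granting_full_auth(csv_text):
    """Roles whose S_RS_AUTH / BIAUTH value covers 0BI_ALL."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if (row["OBJECT"], row["FIELD"]) != ("S_RS_AUTH", "BIAUTH"):
            continue
        if covers(row["LOW"], row["HIGH"]) and row["AGR_NAME"] not in hits:
            hits.append(row["AGR_NAME"])
    return hits

def users_with_direct_full_auth(csv_text):
    """Users assigned 0BI_ALL directly (RSECADMIN assignment, no role involved)."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return sorted({r["UNAME"] for r in rows if r["AUTH"].strip() == FULL_AUTH})

if __name__ == "__main__":
    print("roles:", roles_granting_full_auth(ROLE_VALUES_CSV))
    print("users:", users_with_direct_full_auth(USER_AUTH_CSV))
```

Wildcard and range values are checked as well as the literal name, because a role can include 0BI_ALL without ever naming it.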
