Roles and Authorization strategy for SAP BIBO

Hello All,
We are doing an implementation where Source is a Oracle, SAP BI warehouse and BO XI3.1 as reporting solution.
Our customer has asked for the authorization strategy that will be implemented in SAP BI. Currently the users belong to different companies or plants or countries
Current structure is like,
User 1 belongs to Plant1 of Country1
User 2 belongs to Plant2 of Country2
user 3 belongs to Plant3 of Country1 etc..     
We have more than 500 users who will use the reports. The user belonging to a particular plant should only see the plant data/Country data he belongs to.
As I understand, we need to create the roles in BW and these roles to be imported into BO to use for the row and column level security.
The options we considered are,
1. Use Bex queries in BW to with ABAP code in CMOD to identify the user belongs to Plant  1, 2 or 3 and provide necessary authorizations.
2. Create user groups based on the country or company they belong to and create as many roles as required. This will however impact the maintenance of so many roles in the BI system.
We are also forced to avoid Bex queries in BW and hence,  trying to connect Multiproviders directly in BO universe.
How should we go forward in designing the authorization concept? Any better ideas?
Thanks and Regards,

There are two ways which we can implement this kind of authorization based on my knowledge.
1. Data Security purely at BW
If the data is secured based on roles and users, there is no  need of additional authorization from BO side except at report and folder level if you go for SAP Authentication.
Once you use SAP authenication and enable single sign on option in universe connection, the SAP users can access data based on their profile set at BW.
2. Data Security from BO
Let's assume that, if nothing is set at BW and every thing to be take care from BO.
Then you could create one multiple provider for each plant / country. Create one connection for each multiprovider
Create restrictions (Tools--> Manage Access Restrictions) for each plant/country. There you can change connection names.
So you would need to create many restrictions for different permutations and combinations.
I never tries this option with Multiprovider. But It worked well with NON-SAP data.
Hope this helps!

Similar Messages

  • What Roles and Authorization Req

    Hi All,
    I am getting the Error in SOAP to RFC Sync secnario.
    User using one URL through that URL he is trying the send the data to before sending the req user have the USER ID and Password. what are the Roles and Authorization req for that user id and password. Are they service user id ?

    This user ID have roles similar to Service user PIAPPLUSER or XIAPPLUSER. However, it is recommended not to provide this user detail directly to sender system. Instead create a new user and provide that to your partner.

  • SAP XI Roles and Authorizations

    Hi All,
              Could u pls tell which are the main roles and authorizations a SAP XI Developer should have. Also how to set them up?

    Hi Ashish
    the necessary roles to be provided for a developer in XI system are mentioned below.
    2) SAP_XI_Developer_J2EE
    for further details, visit the link given below...
    Reward Points if found useful **

  • Deleting FICO Roles and Authorizations

    Hi Guys,
    i want to Delete some roles and authorizations from a user profile.I have the user id and I want to know what roles are assigned to the user.
    Which tcode can be used for the same and how to delete the fico roles assigned to that sap user id.

    I got the solution. It is SUIM.
    Anyways thanks for the help

  • As XI developer what are the roles and authorization i shoul have in realti

    Hi Experts,
                    As XI developer what are the roles and authorization i shoul have in realtime, as a dveloper is it possible for me to crate namespace and business system, can any one please exaplain me abt business system  in real time scenario.

    Hi Dhanush,
    your authorizations will be decided depends on your role in your team.
    yes you will have authorization for creating name space ,but your bussiness system will be created by Basis pesron and assign it to your scenario.
    Business System is a logical entity which represents logical view of your technical system. (eg a client in R3 system can be respresented as business system in SLD) For one technical system you can have multiple business systems.
    Look in to these links for detalis of bussiness systems.
    Reward points if found usefull......

  • Portal roles and Authorization in NW2004s

    Hi Gurus,
    In earlier Portal implementation of ESS/MSS which was ITS based we used to maintain roles in EP by doing a role upload and maintaining authorizations in the backend R/3 system and if any new changes being made in the role is being distributed to the r/3 system using system administrator -> Permissions -> sap authorization and role distributions are sent to R/3. where we can go to W3PR transaction can create authorization profile for that role there.
    Now my question is in ESS/MSS implementation based on Web dynpro how are portal roles and authorization maintained?
    please do tell me as to how they are maintained in the NW2004s implementations.

    plz take a break for few minutes and start.... u will get it..

  • Travel Management: Role and authorization

    Dear forumers!
    What standard travel management role can I copy and modify according to my requirements in order to let the user only watch t-codes TRIP, PR05, etc. without a right to edit data? Or there should be some other actions with a role to make it for watch only without editing?
    Standard roles are:
    SAP_FI_TV_TRAVELER - we don't need this one
    SAP_FI_TV_ADMINISTRATOR - I already use this role
    SAP_FI_TV_ADVANCE_PAYER - we don't need this one
    SAP_FI_TV_TRAVEL_MANAGER - I already use this role
    Best regards,

    Always the best process to do is to copy the standard role and customize it for own authorization concept (Business requirement). I think there is an another thread with the same issue in SAP HCM as well.

  • RFC Sender - Logon User - What Roles and Authorizations?

    Scenario: RFC Sender --> XI --> JDBC
    What necessary Roles and Authorizations has to be given for Logon User (in Sender RFC Communication Channel).
    It has to be moved to production soon. My Client wants to give only Roles and Authorization that are necessary for the Logon User.
    With Regards,
    Manikandan R

    Hi ,
    U need to give ECC Authorisation
    Application server : ECC Server
    Sytsem no : ECC system number
    Logoon User : ECC any username
    password : password for above user
    clientr : ECC client ( From which client u are sending to RFC adapter)
    Jayasimha jangam

  • Business Explorer Roles and Authorizations

    I am using Business Explorer Query Designer and Analyzer ( Excel Work book add on) with BI 7.0.
    I need to create roles and authorizations for the end users to create queries and view queries in excel by using Business Explorer Query Analyzer.
    Kindly suggest me what are the standard transactions, roles and authorizations to be given to the end users.
    Thanks and regards

    I dont have idea about Bi 7.0 ..
    If its bw 3.X i jusz used rrmx --->>excel ->addins-->>queries --->pop up window --->here we need rfs object S_RFC
    Finally rrmx tcode and general roles which has S_RFC  autorisation object and the query .

  • Roles and authorizations in BI content

    Hi experts,
    I'm trying to define a very simple scheme of roles and authorizations for my queries.
    So, i'm trying to limit the acess by infocube and DSO, but I'm missing the authorizations objects for Cube and DSO.
    I know that authorization object for queries it's S_RS_COMP.
    So my roles would be something like
    Authorization Object                                  Autorization Object Value
    Acess query (S_RS_COMP)                         NA                              
    Infoobject (whats the object???)                   0FIGL_C01
    DSO (whats the object???)                            0FIGL_O14
    Authorization Object                                  Autorization Object Value
    Acess query (S_RS_COMP)                         NA                              
    Infoobject (whats the object???)                   0PUR_C01
    Can you help me find out whats the missing information
    Thanks and regards

    Iu2019ve gave authorization to the object youu2019ve mentioned, but itu2019s still not working.
    Basically what I have is the following:
    One role that allows me to execute queries, workbooks, etc.
    A second role, dependent on the area of work, that should allow me only to have access to queries  from cubes/MP/DSO that are specific to users area.
    I will then give each user role 1 + the adequate role 2, depending on their work area.
    For role 1 I have got:
    Activity: 16
    Name of RFC to be protected: *
    Name of RFC object to be protected: *
    Transaction code: RRMX
    Activity: 16
    Activity: 01, 02, 03
    Role Name: ANLG_BI_01
    Transaction code: RRMX
    BI Analysis Authorization: BI_ALL
    Activity: 03, 16
    InfoCube: *
    Name (ID) of a reporting component: *
    Type of a reporting component: *
    Activity: 03, 16, 22
    Name (ID) of a reporting component: *
    Type of a reporting component: *
    Owner (Person Responsible) for a reporting Component: *
    Logical Command Name: THEMES
    Iu2019ve tested this role, and it works u2013 they can access queries, create workbooks, create permanent model workbooks
    For role 2 u2013 Finance I have     
    Activity: 01, 02, 03
    Role Name: ROLE2
    Activity: 03,66
    Data warehousing workbench Object: INFOAREA
    Activity: 03
    Infoarea: 0FIGL_ERP
    DataStore Object: 0FIGL_014
    SubObject for ODS Object: *
    Activity: 03, 66
    Infocube SubObject: *
    Infoarea: 0FIAP
    InfoCube: 0FIAP_C02
    Activity: 03
    Infoarea: 0FIN_REP_SIMPL_1_ERP
    MultiProvider: 0FIAP_M20, 0FIAP_M30
    MultiProvider SubObject: *
    I then gave to my test user this 2 roles, and with that user I can still see every infoarea, and access all reports.
    I will have more specific roles u2013 to other areas (SCM, TV, etc), but I chose this one has an example.
    First question I have: can I manage my requirement in 2 different roles: one for action that can be performed (role 1) and other for areas that they can access data from (role 2)?
    What objects/restrictions am I missing in role 2?
    Many thanks

  • About roles and authorizations

    hai friends,
    who will create roles and authorizations plz
    thanks in advance
    suitable answer will be given suitabel points

    Roles and authorizations have to be done with Basis team and HR team together, because they are not the usual roles that other modules use. For instance, HR authorizations have different objects for PA, PY, Clusters, BM and CM. For OM and PD, you use transaction OOSP for authorization profiles.
    For my personal experience, when the consulting team ask the basis team to deal with authorizations for HR, they become paralized when they find Structural Authorizations Profiles, Period of responsibility, etc., because they don't know (and it is not their responsibility) about HR objects and concepts handled in txn OOSP.
    In order to avoid this problems, take an extra time for this in your implementation project. Roles and authorizations in HR, when done correctly, takes more time than other modules.

  • OAM manage roles and Authorization in WebLogic integration

    Had anyone done weblogic integration where OAM manages roles and Authorization?
    I could read in Oracle WebLogic integration document that,
    "The Security Provider only supports authentication for portals."
    I wanted to figure out if anyone has done this before or Is it possible to delegate role management and Authorization responsibility to OAM?
    Kiran Thakkar

    Thanks for the quick response.
    Kiran Thakkar

  • Configure security-role and method permission for EJB 3.0 using Jdev 11g

    The EJB 3.0 session bean created by Jdev 11g EJB wizard does not have ejb-jar.xml. Where and how can security-role and method permission for the EJB be configured?
    For example,

    By default annotations are used. However, you can create a new descriptor and that will take presidence over any declared annotation.

  • Information on SAP XI and Informatica PowerConnect for SAP.

    Hi all,
    Need information on SAP XI as well as on Informatica and Informatica Powerconnect for SAP .
    Thanks santosh

    BW and Informatica

  • "Java and BAPI Technology for SAP" by by Ken Kroes - Is this book useful?

    Howdy partners,
    I've got a 'book' called "Java and BAPI Technology for SAP" by by Ken Kroes, Anil Thakur, Gareth M. deBruyn, Robert Lyfareff.
    Now, does anyone know if the info in this book is still relevant to the modern SAP world? I mean its still talking about ITS and stuff like that?
    Any input will be appreciated.

    With the blue cover? I have one with the something similar title, but it's quite out of date. There was lot of improvement on the Java side.
    So I would prefer something newer from SAP-PRESS. Check the SAP-PRESS site.
    BTW I don't consider ITS as an old was just integrated recently into WAS 640 to make it more powerful. This is the only available technology, which converts classic Dynpro to Webpage dynamically.

Maybe you are looking for

  • Profit center for AUC settlement

    Hi Friends, I am trying to settle AUC to final asset with KO88. Posting goes like  Cr AUC gl acct Dr. final asset GL.  But I am not getting any profit centers in that posting. Final asset is assigned to a cost center which is linked to profit center

  • Satellite P series - I can no longer scroll using edge of the touch pad

    Please can anyone tell me why I can no longer scroll using the edge of the touch pad. This seems to have occurred since I had to reinstall Vista following a problem with some faulty Ram. Thanks

  • NEW itunes... album cover collapse option gone??

    NEW itunes... album cover collapse option gone?? Before I could collapse the option of album covers so it was just a big list by clicking the mini triangle in that nav bar - but now it seems that the view stays with mini covers on left!!! or its big

  • Safari can't access orange email?

    Any known problems with safari accessing orange email on an ipad?

  • Red color of negative numbers

    Hello, I have a great table, generated by a repeat region, out of access, in an asp page on my website. I use a css style sheet. My mouse get over the number then the cel wil be changed by color. Now I want to make the generated negative mumbers red