Authorizations concept in SAP BI

Similar Messages

• SAP Authorizations Concept Project

  Hello,
  Before, i would like to say that this thread will stay open, with questions and answers. Thanks
  I am starting a little project on authorizations. The company has only 9 users, and all of them have the SAP_ALL, SAP_NEW profiles, wich after an audit generated the need to have them removed and the need to implement an Authorization Concept from the root.
  The first step and most important is to get the profiles fixed before the next audit, wich i think will only give me time to create generic profiles based on a List of Transactions and Reports, that each one of them, or a group, executes. I've been reading the ADM940 module, and i have some experience in SAP BI Authorizations, but no experience in Authorizations at a higher level.
  My questions are, Recomendations and attentions i must have to implement this concept i've described and
  Is the automatic profile generator, based only on transactions and reports enough to fullfil the needs i described before enough? Or after that i'll have to maintain some Authorizations objects manually?
  Thank you very much
  JO

  Closing the thread, as it has a lot of days by now

• Roles and Authorization strategy for SAP BIBO

  Hello All,
  We are doing an implementation where Source is a Oracle, SAP BI warehouse and BO XI3.1 as reporting solution.
  Our customer has asked for the authorization strategy that will be implemented in SAP BI. Currently the users belong to different companies or plants or countries
  Current structure is like,
  User 1 belongs to Plant1 of Country1
  User 2 belongs to Plant2 of Country2
  user 3 belongs to Plant3 of Country1 etc..     
  We have more than 500 users who will use the reports. The user belonging to a particular plant should only see the plant data/Country data he belongs to.
  As I understand, we need to create the roles in BW and these roles to be imported into BO to use for the row and column level security.
  The options we considered are,
  1. Use Bex queries in BW to with ABAP code in CMOD to identify the user belongs to Plant  1, 2 or 3 and provide necessary authorizations.
  2. Create user groups based on the country or company they belong to and create as many roles as required. This will however impact the maintenance of so many roles in the BI system.
  We are also forced to avoid Bex queries in BW and hence,  trying to connect Multiproviders directly in BO universe.
  How should we go forward in designing the authorization concept? Any better ideas?
  Thanks and Regards,
  Srinivas

  There are two ways which we can implement this kind of authorization based on my knowledge.
  1. Data Security purely at BW
  If the data is secured based on roles and users, there is no  need of additional authorization from BO side except at report and folder level if you go for SAP Authentication.
  Once you use SAP authenication and enable single sign on option in universe connection, the SAP users can access data based on their profile set at BW.
  2. Data Security from BO
  Let's assume that, if nothing is set at BW and every thing to be take care from BO.
  Then you could create one multiple provider for each plant / country. Create one connection for each multiprovider
  Create restrictions (Tools--> Manage Access Restrictions) for each plant/country. There you can change connection names.
  So you would need to create many restrictions for different permutations and combinations.
  I never tries this option with Multiprovider. But It worked well with NON-SAP data.
  Hope this helps!
  Regards
  Gowtham

• Role creation and authorization objects in sap

  Hi
  i want to know the full relationship between  creation of roles , authorization objects ,authorizations in web as abap
  Please explain the process in detail the use of PFCG and all its options and how to create Z roles

  Although, It would be a very long document to explain the query, I have briefed you on the concept. I hope it leads you well.
  - Roles are nothing but a container for authorizations. A role represents a specific part of an employeeu2019s job.
  - The R/3 authorization concept permits the assignment of either general and/or finely detailed user authorizations. These assignments can reach down to transactions, field and field value level.
  For e.g. If a user wants to create a PO we can restrict him on:
  u2022     Activity : Create/Change/Display
  u2022     Org elements like Company Code, Plant, Purchase Organization etc
  u2022     Document type etc.
  - Authorization objects are grouped in an object class such as Materials Management: Master Data (MM_G). Each Object Class may have several authorization objects and within each object we can have several authorizations (max. up to 99).
  - Fields :The permissible values for the fields constitute the authorization. For e.g. ACTVT (Activity) is a field with permissible values of 01 (Create), 02 (Change) & (03 Display) for the object M_MATE_CHG (Material Master: Batches/Trading Units). Value * for field BEGRU signifies all possible values.
  - An authorization allows you to carry out an R/3 task based on a set of field values in an authorization object. By themselves authorizations do not exist and they only have a meaning inside a profile
  - Authorizations are contained within profiles and these profiles are assigned to users manually or automatically via role assignment. When you assign the field values for all the authorization objects and save system will auto generate a profile name.
  - Authorization check are included in the transactions source code in standard SAP R/3.A user may carry out an action if the authorization check is successful for each field in the object.
  Edited by: Subramaniam Iyer on Nov 27, 2008 12:08 PM

• New Authorization concept

  Hi experts,
  what is new Authorization concept in NW2004s.
  All of our queries are created in Query Designer 3.x and our generic Authorization objects are created in RSSM.
  Is it necessary to use new Auth.concept ?
  What are the advantages or disadvantages of new concept?
  Thanks

  Hi there again,
  If you have that entry in RSCUSTV23 it means you're using the old concept of RSSM authorization not mantained anymore by SAP:
  I recommend (as well as SAP) to use the new concept. For that, since you've already the old authorizations, you can do a migration of authorizations with a standard report (transaction se38) called RSEC_MIGRATION.
  This report is of ease to use and does the migration of the old concept to the new one, therefore you can after running the migration use the new concept.
  The worst part, is that is recommended (and you should) do an exaustive battery test, to ensure, no errors are encountered with the new authorization concept after migration.
  You can also read about the migration of authorizations (and the detal of how to use the standard migration report) in here:
  [http://www.sdn.sap.com/irj/scn/events?rid=/library/uuid/659fa0a2-0a01-0010-b39c-8f92b19fbfea&overridelayout=true]
  Diogo.

• Basic Authorization  concept

  Hi Friends,
  I want to be clear in basic authorization terminologies.
  Can any one give the definition for the each below mentioned basic authorization terminologies with some example?
  1.Object class
  2.Authorization
  3.Authorization Object
  4.Authorization Field
  5.Field Value
  6.Profile
  7.Role
  8.Composite role
  9.Reference role
  10.Derived role
  Thanks in advance.
  Regards,
  Venu

  Hi Venu,
  Lets come from the top to bottom ...
  at the highest level you have the Role. A role can be defined as follows.
  <b>Role</b>
  The collection of activities that a person performs to participate in one or more business scenarios in an organization.
  Access to the transactions, reports, Web-based applications, and other objects contained in roles is through user menus.
  Also in a simple manner can be defined as a set of transaction codes in one bundle.
  Note : when a Tcode is assigned to a Role hte related authorization objects get autmaticaly assigned to the role. I hope its clear until now.
  So every Tcode i sassigned to a specific set pof Authorization objects and every authorization object has a set of Auth fields assigned to it. They can be che3cked in any role in transaction PFCG.
  for better programming SAP has classified a set of authorization objects into OBJECT classess. its not much of importance to you as its a system thing.
  One more thing is every role has a profile assigned to it when its created and Generated. Usually profiles are the concept until 4.0 system of SAP...later the roles concept came into existence and hence they are defunct exept a few standard SAP profiles like SAP_ALL and stuff which can be assigned to Users directlky. Else Profiles are also automatic assignment and get linked to a uswer once a user is assigned a particular properly generated role.
  Coming to other terms, a group of single roles can be bundles into a single <b>composite role</b>. Hence its justa group of single roles.
  In authorization concept, wehave the Parent Child relations hip in roles.
  That is... when a Role is created we call it the master role and its properties can be inherited by a cild role.
  the scenario is if we r having 4 company codes in an org, and i am supposed to create roles for each comp code seperately..so i try to create a master role and create 5 child roles with inheritance properties. this way any change to master role gets drilled down to child roles without having to change all the rolese seperately.
  This is the concept of <b>derived roles</b>.
  i wish this info has helpfed you...
  Br,
  Sri
  Thanks for the points...

• New authorization concept - Access to data

  Hello, i'm new in SAP BW and i'm in migration process to the new authorization concept.
  Here is what happening:
  I have a role with all access to a company (*) of a provider X.
  I have another role with restricted access to a company (ex: COMPANY1, COMPANY2 and COMPANY3) of a provider Y.
  When i attribute those 2 roles to a user and access a query of the provider Y, i can see all the companies when it was supposed to only see the 1, 2 and 3.
  What am i doing wrong?
  Thank you in advance.
  João Gonçalves

  Hi friend,
  The Authorization concept works on sets concept of mathematics.
  Explanation to your scenario:
  For user A you apply company (*) on provider X and company 1, 2, 3 on provider Y. i.e. u are collectively applying All company codes for provider X and Y. as Company (*) set is a bigger set and the providers set is extended to 2 elements X and Y to get her and not separately.
  Way to check the actual set by which authorization is getting applied:
  RSECADMIN -> Analysis tab -> Execute as user (check with load check box, and RSRT radio button) ->  Execute -> Put a query on which you need to check authorizations (the query must have authorization variable if relevant) -> execute the query -> return back after execution -> on the Execute as user screen hit on Display log option.
  You will get a detailed log for your query execution. Here you will also get a log where what set is applied for the query execution is displayed. You will get an understanding of your issue there.
  Regards,
  Sourabh Deo

• BPS_WIF0 authorization concept

  Authorization object R_PM_NAME can be used to control the access to different planning folders within UPSPL. What is a similar object for Web folders of the kind that can be executed from BPS_WIF0 or directly from the appropriate BSP. How is this same type of authorization concept applied, or does it need to be integrated directly into portal roles?

  Blake,
  there is no special authorization object for BPS web interface. You have to restrict access to the generated BSP application by using roles. However, even if someone had access to the BSP application, the next level of authorizations should be fully sufficient (BW auth. on transaction data, RSSM, or R_AREA, R_PLEVEL, etc).
  Regards
  Marc
  SAP NetWeaver RIG

• Bw upgrade - Authorization concept

  Hi,
  We have just completed the BW3.5 upgrade to BI7.3.
  I'm trying to work out the authorization concept in our system again.
  I've created one simple query on a multiprovider with only 1 characteristic and 1 KF.
  -Authorization object S_RS_MPRO for this multiprovider given.
  -User has one role which has the basic  0TCAACTVT , 0TCAIPROV,0TCAVALID
  -Basic BW end user authorization for RS Class is available.(S_RS_COMP,S_RS_COMP1,S_RS_FOLD,S_RS_HIER,S_RS_ICUBE
  S_RS_IOBJ,S_RS_ISET,S_RS_ODSO)
  Now when i run the query, i have 'No authorization'.
  Display authorization check shows authorization check failed for S_RS_AUTH with object 0BI_ALL.
  From my understanding 0BI_ALL should be given to user who is allowed to access all queries.
  Appreciate advice from anyone whos familiar on this. Is it safe to give 0BI_ALL or there is some other object which i am not assigning?
  Thank you.
  Regards
  Maili

  Hi,
  With NW2004s, a new concept was introduced to check analysis authorizations. You can activate this using Transaction RSCUSTV23 or the IMG entry "Analysis authorizations: Select concept".
  To do this, select the "Current procedure with analysis authorizations"
  option. For detailed information, refer to the following link:
  http://help.sap.com/saphelp_nw04s/helpdata/de/80/d71042f664e22ce10000000
  a1550b0/frameset.htm
  Using the new analysis authorizations, the check of the MultiProvider authorization is not carried out any longer.
  If you cannot use the new analysis authorizations, assign corresponding
  authorizations for the "Data Warehousing Workbench - MultiProvider"
  authorization object (S_RS_MPRO).
  The settings of Transaction RSCUSTV16 listed above are obsolete as of
  Release NW2004s and are not analyzed any longer. Instead, the
  MultiProvider authorization is always checked when you execute queries
  using the usual authorization concept.
  Please refer notes
  820183     New authorization concept in BI
  727354    Colon authorization during query execution
  1122407   dealing with prerequisits for message processing in OLAP!!
  Thanks,
  Venkat

• WIKI: Mapping Concepts in SAP XI

  Hi all,
  I have posted a WIKI for the mapping concepts in SAP XI, where you could find the details of various blogs and other links regarding the mapping concepts in SAP XI.
  Please refer this link:
  https://www.sdn.sap.com/irj/sdn/wiki?path=/display/xi/mappingConceptsinSAPXI
  Regards,
  Nithiyanandam

  Hi,
  check this links
  Comparing Performance of Mapping Programs
  Message mapping
  Message Mapping Simplified - Part I
  /people/sravya.talanki2/blog/2005/12/08/message-mapping-simplified-150-part-ii
  http://help.sap.com/saphelp_nw04/helpdata/en/43/c4cdfc334824478090739c04c4a249/frameset.htm
  New functions in the Graphical Mapping Tool XI 3.0 SP13
  File Content Conversion for Multi Hierarchical Structure
  Message Splitting Using the Graphical Mapping Tool
  Number formatting to handle LARGE Numbers
  Optimizing Lookup's in XI
  Minimize memory usage during Message Mapping when replicating an element
  Mapping Context Changes in XI
  /people/jeyakumar.muthu2/blog/2005/12/19/data-mining-using-apriori-algorithm-in-xi-150-part-ii
  /people/jeyakumar.muthu2/blog/2005/11/23/data-mining-using-apriori-algorithm-in-xi-150-part-i
  /people/jeyakumar.muthu2/blog/2005/12/30/data-mining-using-apriori-algorithm-in-xi-150-part-iii
  Java Mapping to handle flat files in SAP XI
  xpath functions in xslt mapping
  http://help.sap.com/saphelp_nw04/helpdata/en/e2/e13fcd80fe47768df001a558ed10b6/content.htm---java mapping
  https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/50ce0433-4309-2b10-4bb4-d421e78463f7 -
  java mapping
  https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/00ee347e-aabb-2a10-b298-d15a1ebf43c5  -
  value mapping
  https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/8e7daa90-0201-0010-9499-cd347ffbbf72
  ABAP MAPPING
  The specified item was not found.
  How to call XI ABAP Mapping via RFC
  Different types of Mapping in XI
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/xi/3.0/how%20to%20use%20abap-mapping%20in%20xi%203.0.pdf
  - The specified item was not found.
  Testing ABAP Mapping
  XSLT
  https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/01a57f0b-0501-0010-3ca9-d2ea3bb983c1
  xpath functions in xslt mapping
  https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/006aa890-0201-0010-1eb1-afc5cbae3f15
  regards
  srinivas

• Maintain Authorization Field in SAP ECC6.0

  Hello all,
  Our SAP system has upgraded from SAP 4.7 to ECC6.0 recently. After upgrade, I find that the function Maintain
  Authorization Field - SU20 cannot be launched.
  When I run the T-code SU20, the maintain authorization fields screen does not appear and a message "Start of Application: Maintain Authorization Fields" flash one time in the message bar  (bottom left corner at the SAP screen).
  Can I ask how to maintain Authorization Field in SAP ECC6.0?
  Thanks
  Sunny

  Hello,
  Does anyone know how to maintain Authorization Field in SAP ECC6.0?
  Many thanks
  Sunny

• Webdynpro ABAP content authorization object in SAP portal ?

  Hi
  We are on EHP 6.06 , we have an authorization problem in sap portal for the webdynpro abap content. our standart users got the error "page can not be found" for the services provided from webdynpro abap. when I assign the user to administrator group in sap portal the services working fine. I also checked the SAP ERP roles no problem is there.  I guess I should create a new portal role for them cause its the only difference between users who can reach or not but have no idea what to put in it in SAP portal. Any idea ?

  in portal content directory => double click on the Content provided by sap folder. Than you should have a dropdown somewhere where you can select "Authorizations". You should add the group endusers and check the checkbox.

• Authorization Concept - BI7

  Hi ,
  I'm working on authorization concept for BI7 which seems to be having a conflicting statement.
  User : Mary
  InfoObject : ZORDER
  Set 1 : Queries built on multiproviders within infoArea ZSALES should display ONLY order number 123.
  Set 2 : Queries built on multiproviders within infoArea ZPROJECT should display ALL order numbers.
  Its a conflicting scenario.
  Its giving an output for ALL orders for both set 1 and set 2 queries.
  Appreciate if anyone could provide some ideas if this is feasible to achieve within RSECADMIN.
  Thank you.
  Regards
  Maili
  Edited by: Maili06 on Jan 12, 2012 1:19 PM

  hi,
  plz try creating the analysis auth objects for the mentioned scenarios can be:
  1)1st auth object can have  infoarea=ZSALES and order number=123
  2)2nd auth object can have infoarea=ZPROJECT and order number=*
  Both these analysis authorization objects can be assigned to the user via RSECADMIN.
  In the auth profile, S_RS_AUTH = Inactive, read analysis auth from RSECADMIN and manual assignement.
  regards
  laksh

• Switching BW authorization concept back and forth on the fly

  After upgrading to BW 7.0, we are currently developing the BW authorizations from scratch with the new analytical authorizations. The system is currently set to the legacy RSR authorization objects. The idea is now to define two timeframes on our development system, one for the users working with old authorizations, and a second timeframe for testing the new analytical authorizations.
  Can we switch the authorization concept back and forth on the fly, or are there any obstacles?
  Thanks in advance!

  Andreas,
  The latest version of BW is 7.3 which is also Analysis authorization concept like 7.0. So please clarify from the system status what level are you upgrading to.
  Under 7.0, the RSR objects were still available i.e. you can switch the concept back and forth on the fly, it will trigger a transport. AFAIK - In 7.3 however there is no support for RSR anymore in fact even the object class is not visible and so does the switch for the concept and even RSR objects (Z-objects) do not show up in PFCG either.
  So if you are moving to 7.0 switch is possible, 7.3 it is not. But in either case, you should be upgrading using a dual landscape with upgrade work being done & tested in separate boxes than daily production support landscape. It will come in handy at the time of testing also.
  Regards,
  Shivraj Singh

• Not clear with the Authorization concept for Marketing Plan

  Hi All,
  I am new to CRM and was going through some of the prescribed document for CRM marketing
  when i encounter with the authorization concept in marketing plan,for example how
  can i restrict a user with a campaign manager role from changing marketing plan.please
  provide the step by step procedure.
  Regards,
  Sanju

  Hi Sanju
  User with a campaign manager role can be restricted for changing marketing plan using authorization group.
  We define authorization groups for use in the Marketing Planner. Authorization groups can be maintained at both marketing plan level and campaign or trade promotion level. Authorization groups enable us to control which users are authorized to change which of these two types of marketing project. We could, for example, define one authorization group to be assigned to a marketing plan, then define further authorization groups to be assigned to the different campaigns within the marketing plan. In the Marketing Planne.
  Follow below steps
  1. Define authorization group using following IMG Path
  Customer Relationship Management / Marketing / General Settings / Define Authorization Group.
  2. In authorization object CRM_CPGAGR of the role Campaign manager maiantian activity 01, 02, 03 ,06 (this will allow user to create, change, display and delete)
  3. IMG defined authorization group ex: ABC can be seen under the tabstrip Basic Data of marketing plan.
  4. Now user have to choose the Authorization group ABC from the drop down in Basic tab to create a marketing plan. User will get the change access for all the marketing plan which have the authorization object ABC.
  Hope this will help...
  Rgds
  Mallikarjun