SHORT MANUAL : Analysis authorization
Short manual: Analysis authorization
I. Introduction
Starting with NetWeaver all users who want to display data from
authorization-relevant characteristics or navigation attributes in a
query require analysis authorizations. This type of authorization is
not based on the standard authorization concept of SAP®.
The formerly used reporting authorization concept is basically
replaced by the current analysis authorization concept.
The system setting only allows using either one of the concepts.
The analysis authorizations have an individual concept that takes
the features of reporting and analysis in BI into consideration.
Analysis authorizations are not based on authorization objects.
The authorizations are based on BI-objects instead.
The authorization relevant BI objects are the so called info objects.
Info objects are the smallest unit within BI for the evaluation of
business relevant data.
An info object is divided into certain characteristics [e.g. customer],
key figures [e.g. sales], units [e.g. currency], time characteristics
[e.g. business year], technical characteristics [e.g. request numbers].
Any BI info object could be check marked as authorization relevant,
the objects 0TCAIPROV, 0TCAVALID and 0TCAACTVT are checked by default.
Therefore it may be recommended to set them to authorization relevant
right from the beginning.
Authorizations are created by including a group of characteristics
and restricting them accordingly.
The authorizations may include any authorization-relevant
characteristics, and treat single values, intervals and hierarchy
authorizations in the same way.
• Single value: I EQ A (characteristic value =A),
• Interval: I BT A B (A <= characteristic value <= B)
• Pattern: I CP A* and I CP A+ (Pattern with exactly one place holder
wild card (*) or exactly one plus sign (+) after A).
Only pattern with exact one + or a * are allowed
• Aggregation authorization:
Colon (:). Allows an aggregation of a characteristic.
Written as single value I EQ:
The authorizations are then assigned to roles. The role assignment is
generally not mandatory, but can be recommended for an aligned
conceptual approach.
Some of the key benefits for analysis authorizations are that they
are modifiable afterwards and may contain as many info objects as
necessary and desired.
Together with that SAP® has introduced the authorization object
S_RS_AUTH. This is the object that actually contains the
BI authorization that is relevant for a role.
Terms:
Info providers is a generic term for objects/views that are reporting relevant
and for which in BEx queries can be created and executed.
An info cube is a special type of info provider as a self-contained set of
data that consists of business relevant information e.g.
A basic info cube is a special type of info cube that physically stores data.
An info source is a unit that contains summarized information that logically
belongs together.
A ODS object is to be regarded as a storage location for consolidated and
cleaned-up data [e.g. master data or transaction data]; it therefore
basically describes a consolidated dataset of one or more info sources.
Relevant tables:
RSECHIE
RSECHIE_CL Change log of hierarchy authorizations
RSECTXT Authorization text
RSECTXT_CL Change log of authorization texts
RSECVAL Authorization Value Status
RSECVAL_CL Change log of Authorization Value Status
RSECBIAU Changes to Authorization (Last Changed By]
RSECUSERAUTH BI Analysis authorization – assignment to users
RSECUSERAUTH_CL BI Analysis authorization – assignment to users [
II. Technical prerequisites
Before analysis authorization can be created, the following below prerequisites
needs to be completed.
1. In transaction SPRO -> SAP NetWeaver -> Business Intelligence ->
Settings for Reporting and Analysis [transaction RSCUSTV23]
the selected concept needs to be set to “Current Procedure with Analysis Authorizations”.
To check which info objects are set to authorization relevant you can go to
transaction RSD1, enter the desired object, and then go to the tab Business explorer.
The checkmark needs to be activated for “authorization relevant” if the
info object is supposed to be authorization relevant.
III. Maintenance and transport
Analysis authorizations are created, maintained, assigned, transported,
and analyzed [error logs] via the new, consolidated transaction RSECADMIN.
The maintenance of the authorizations is a security task.
The Security team needs access to transaction RSECADMIN and the
corresponding object S_RSEC in order to maintain analysis authorizations .
Maintenance access is only required for the development system.
The regular end users need access to the above mentioned object S_RS_AUTH
in order to execute queries based on analysis authorization.
In order to create analysis authorizations the transaction code RSECADMIN
is to be called and the Maintenance button to be selected.
For the creation of a new authorization a name is to be entered,
then the Create button is to be activated.
The text information is to be filled out.
In order to grant access for newly created analysis authorization,
the corresponding authorization needs to be added to the object
S_RS_AUTH in respective role.
Special case: 0BI_ALL
0BI_ALL is an automatically generated authorization for all authorization relevant info objects and characteristics. This authorization cannot be maintained manually.
Whenever an info object is changed and the authorization relevance for a characteristic or navigation attribute is changed, the profile is automatically adapted.
Everyone with 0BI_ALL has unrestricted data access.
This is not to be used for any dialog user in any system.
In order to transport one or more analysis authorizations,
the transaction code RSECADMIN is to be called and the
Transport button to be activated as shown below.
In the following screen, select the analysis authorization that need to be
transported and click on green Check button to add them to a transport.
IV. Trace and trouble shooting
To identify authorization issues related to standard SAP® delivered BI objects and transaction codes, the standard ST01 trace can be used.
For issues related to analysis authorizations the trace functionality as
part of transaction code RSECADMIN is to be preferred.
Especially in the context of running queries of course.
1. Select the Analysis tab and then click on the button Execute as other user
button as shown below.
2. Enter the SAP® user ID that is having issue with running a query e.g.
and activate checkmark with log and click on button Start transaction.
3. Enter the query name to the query monitor that causes the problem
for the user and click on button as shown below and then enter the
field values in order to execute the query. The query search is part of F4.
4. When the query execution fails you will get a log that contains the
corresponding results aside from some additional header
and info provider check information.
5. Additionally, a similar analysis authorization trace can be done
on one ore more users via RSECADMIN by configuring the log recording.
By clicking on button
the log configuration is accessible.
Important Note:
Please be aware that neither SU53 nor ST01 will show relevant
information related to analysis authorization.
Any hint to a missing 0BI_ALL authorization is irrelevant.
No authorization message requesting 0BI_ALL is in any way reliable or correct.
Please also refer to OSS note 820183.
For more information related to analysis authorization you may refer to the following links:
http://help.sap.com/saphelp_n
http://help.sap.com/saphelp_n
