SAP Security & GRC made easy

SAP BI 7.0 Authorization Concept (Analysis Authorization)

SAP BI 7.0 introduced a new Analysis Authorization concept, significantly changing how BI data is accessed, analyzed, and displayed. This approach allows for granular control over data access at multiple levels, including:

  • Key Figures
  • Characteristics
  • Characteristic Values
  • Hierarchy Nodes
  • InfoCubes

This enables flexible and precise data access management.

Understanding Analysis Authorization

Analysis authorization is activated by default in SAP BI 7.0 systems. To effectively use this feature, it’s essential to understand its key components and how to restrict access to SAP BW reports based on InfoObjects.


Initial Setup

1. Activate Business Content Objects

Use TCode RSORBCT to activate authorization-related business content objects:

  • InfoObjects: 0TCA*
  • InfoCubes: 0TCA*

Next, set the following InfoObjects as Authorization-Relevant:

  • 0TCAACTVT (Activity, such as Display)
  • 0TCAIPROV (InfoProvider authorization)
  • 0TCAVALID (Validity period of authorization)
  • 0TCAKYFNM (For restricting access to key figures)

Authorization Types

1. Characteristic Authorization

Use TCode RSA1 and navigate to:
📌 Modeling → InfoObjects → Select the characteristic → Enable Authorization-Relevant in its properties.

2. Restricting Characteristic Values

To control characteristic values, create a new Analysis Authorization Object using TCode RSECADMIN.

Steps to Authorize Characteristic Values (e.g., Sales Organizations - New York, San Francisco, Dallas):

  1. Open TCode RSECADMIN → Create a new authorization object (e.g., Z_SORG_B).
  2. Choose the characteristic and click Details.
  3. Select Sales Organizations (e.g., 1612 - New York, 1614 - San Francisco, 1615 - Dallas).
  4. Use available operators:
    • EQ (Single Value)
    • BT (Range of Values)
    • CP (Pattern, e.g., ABC*)
  5. Choose Include (I) or Exclude (E) values as required.

3. Attribute Authorization

To authorize navigational attributes, mark them as Authorization-Relevant in InfoObject properties.

4. Hierarchy Authorization

To restrict access at the hierarchy level:

  • Edit or create an Authorization Object (e.g., Z_SORG_B).
  • Add the required Hierarchy and Nodes.
  • Define the type of authorization (e.g., access to specific hierarchy levels).

5. Key Figure Authorization

To control access to specific Key Figures:

  • Add the 0TCAKYFNM object to the Authorization Object (e.g., Z_SORG_B).
  • Select the Key Figures that need authorization.

Best Practices & Considerations

Optimizing Performance

  • Avoid marking too many characteristics as authorization-relevant (limit to 10 per query).
  • Every marked characteristic in an InfoProvider or Query triggers an authorization check, potentially slowing performance.
  • Exception: Characteristics with all (*) authorizations are not checked individually.

Checking Authorization-Relevant InfoObjects

Use TCode RSECADMIN → Authorization Maintenance to review 0BI_ALL, which contains all necessary authorizations.

Understanding Authorization Behavior

  • Authorization ≠ Filter: An authorization does not filter the query result down to the permitted values. Users must have full authorization for a characteristic in a query, following an "all-or-nothing" rule.
  • Exceptions: Hierarchies in drill-downs and authorization-dependent variables can still function with partial authorization.
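
The all-or-nothing rule can be checked against the value rows described earlier. The following is an added illustration, not SAP code or code from the original post: a simplified Python model that evaluates rows (sign I/E with operators EQ, BT, CP) against the values a query requests, using the post's sales organization values. The row layout, the function names, and the rule that an Exclude row overrides an Include row are assumptions of the model.

```python
# Simplified model of analysis-authorization value rows (not SAP code).
# Row format (sign, operator, low, high) is an assumption of this example.

# Constructed rows for the post's example authorization Z_SORG_B:
# 1612 New York, 1614 San Francisco, 1615 Dallas.
Z_SORG_B = [
    ("I", "EQ", "1612", None),
    ("I", "BT", "1614", "1615"),
]


def row_matches(op, low, high, value):
    """True if one characteristic value falls under one value row."""
    if op == "EQ":
        return value == low
    if op == "BT":
        return low <= value <= high  # equal-length codes: string order is fine
    if op == "CP":
        if not low.endswith("*"):
            raise ValueError("model supports only trailing-* patterns like ABC*")
        return value.startswith(low[:-1])
    raise ValueError(f"unsupported operator {op!r}")


def value_authorized(rows, value):
    """Included by at least one I row and hit by no E row (model assumption)."""
    hits = [sign for sign, op, low, high in rows if row_matches(op, low, high, value)]
    return "I" in hits and "E" not in hits


def check_query(rows, requested):
    """All-or-nothing: one unauthorized requested value rejects the whole query."""
    missing = sorted(v for v in requested if not value_authorized(rows, v))
    return (not missing, missing)


def filtered_view(rows, requested):
    """What a filter would return instead; shown only for contrast."""
    return sorted(v for v in requested if value_authorized(rows, v))


if __name__ == "__main__":
    for selection in ({"1612", "1615"}, {"1612", "1613"}):
        ok, missing = check_query(Z_SORG_B, selection)
        print(sorted(selection), "authorized" if ok else f"rejected, missing {missing}")
    print("a filter would have shown:", filtered_view(Z_SORG_B, {"1612", "1613"}))
```

A query that selects 1612 and 1613 is rejected as a whole because 1613 is not covered, which is why queries for restricted users need a selection or an authorization-dependent variable that stays within the authorized values.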
