SAP Security & GRC made easy

SAP BI 7.0 Authorization Concept (Analysis Authorization)

The new SAP BI 7.0 authorization concept, known as analysis authorization, significantly changes how users access, analyze, and display BI information. This approach allows for granular data access control at multiple levels, including:

  • Key Figure
  • Characteristic
  • Characteristic Value
  • Hierarchy Node
  • InfoCube

This provides a more flexible and secure data access management system.


Enabling Analysis Authorization in SAP BI 7.0

Analysis authorization is active by default in SAP BI 7.0 systems. This guide explores the key concepts and steps required to restrict access to SAP BW reports at the InfoObject level.

Initial Setup

1️⃣ Activate Business Content Objects using Transaction RSORBCT:

  • InfoObjects 0TCA*
  • InfoCubes 0TCA*

2️⃣ Set the following InfoObjects as Authorization-Relevant:

  • 0TCAACTVT → Activity-based restrictions (e.g., Display)
  • 0TCAIPROV → InfoProvider authorization
  • 0TCAVALID → Validity period of authorization
  • 0TCAKYFNM → Key figure access restrictions (if needed)

Authorizing Different BI Elements

1. Characteristic Authorization

🔹 Steps:

  • Use Transaction RSA1 → Navigate to Modeling → InfoObjects
  • Select the characteristic to be restricted
  • Set it as Authorization-Relevant

2. Characteristic Values Authorization


To restrict access to specific characteristic values, create an Analysis Authorization Object using Transaction RSECADMIN.

Steps to Authorize Specific Characteristic Values (e.g., Sales Organization)

1️⃣ Open Transaction RSECADMIN and create a new Analysis Authorization Object (e.g., Z_SORG_B).
2️⃣ Select the characteristic and click on Details.


3️⃣ Choose the required Sales Organizations (e.g., 1612 - New York, 1614 - San Francisco, 1615 - Dallas).
4️⃣ Use operators for value selection:

  • EQ → Single Value
  • BT → Range of Values
  • CP → Pattern Matching (abc*)
  • Include (I) or Exclude (E) values

3. Attribute Authorization

🔹 To authorize navigational attributes, mark them as Authorization-Relevant in RSA1.

4. Hierarchy Authorization

🔹 To restrict access to specific hierarchy nodes, modify the authorization object (e.g., Z_SORG_B), add the hierarchy and nodes, and define the authorization type.

5. Key Figure Authorization

🔹 To restrict access to specific Key Figures, add the object 0TCAKYFNM to the authorization object (e.g., Z_SORG_B), and select the key figure to be authorized.


Best Practices & Performance Considerations

InfoObject-Level Authorization provides great flexibility, but keep in mind system limitations:

  • Avoid marking too many characteristics as Authorization-Relevant (more than 10 per query may slow execution).
  • Every marked characteristic is checked for authorization if present in a query or InfoProvider.
  • Exception: Characteristics with ALL (*) authorization do not slow down queries.

🔎 Checking Authorization-Relevant InfoObjects
To verify which InfoObjects are authorization-relevant:

  • Use Transaction RSECADMIN → Navigate to Authorization Maintenance
  • Display the 0BI_ALL authorization

🚨 Important Note:
Authorization does not function like a filter. If a user runs a query with authorization-relevant characteristics, they must have sufficient authorization for all included characteristics ("all-or-nothing" rule).
Exceptions:

  • Hierarchies in drill-down mode
  • Variables dependent on authorization
