
Step-by-Step SAP BI Security

SAP BI security is an integral part of any BI implementation. Integrating all the data coming from various source systems and providing data access based on the user's role is one of the major concerns of all BI projects.
Security of SAP R/3-ECC systems is based on activities, while SAP BI security is focused on what data a user can access. Security in BI is categorized into 2 major categories:
Administrative Users: The way we maintain security for administrative users is the same as ECC security, but we have additional authorization objects in the system which are defined only for BI objects.
Reporting Users: We have separate tools (Analysis Authorization) to maintain security for reporting users.
What is Authorization Object?
It allows us to check whether a user is allowed to perform a certain action. Actions are defined on the fields, and each field in the authorization object should pass the check. We can check all the standard BI Authorization Objects using tcode SU21 under the Business Warehouse folder:

With SAP BI 7.0 we have a new tool to maintain reporting-level security. We can access this new tool using tcode RSECADMIN, which replaces the old RSSM tool of BW 3.x.

• Below are the step-by-step instructions to create/maintain authorization objects for SAP BI reporting:
I am covering the scenario where each employee (Sales Team) is assigned one territory number, and the data should be accessible to the employee based on their territory only. For this scenario to work we have to set a security restriction on the corresponding territory InfoObject (ZDWSLTER).

• The first step before we create any Authorization Object is to set as authorization relevant all the InfoObjects for which we want to restrict data access.

Authorization Objects on InfoObject's of type Characteristic:
• For accessing the new Analysis Authorization tools we use tcode RSECADMIN -> Authorizations Tab -> Maintenance Button

• We can also use tcode RSECAUTH directly to come to the maintenance screen:

• We have to give the technical name of the Authorization Object (ZDWK<TEST) then hit the create button:

• The very first step of creating any Authorization Object is to add the special characteristics as fields for restriction:

• The below 3 characteristics are mandatory for defining any Authorization Object. If we don't have these we will get no access to any InfoProvider. By default this gives us access to all the InfoProviders (Full Access), but we can also set the value of the InfoProvider for which we want the Authorization Object to work.

• Now I am adding the InfoObject (ZDWSLTER) for which we want to add the restriction:

• We can double click on the newly added InfoObject, and can define the value which we want to allow for this InfoObject. We can also set the dynamic value using Customer Exit Code, which we will cover later in this blog.

• Saving the changes:



Assigning Authorization Objects to Users:
• Go back to the previous screen (RSECADMIN) by hitting the back button, and click on the assignment button under the user tab:

• Now we can assign the created Authorization Object to any user using this tool.

• Adding the created Authorization Object (ZDWK<TEST) to the user ZNBITSRTS. I will be using the same user throughout this blog for running any query so that it can use the restrictions which are applied using the Authorization Object.

• We can also assign the authorization to users through role/profile using the standard Authorization Object S_RS_AUTH:

• We can check the Authorization Objects assigned using roles/profile for any user using tcode RSU01, or we can also use the path tcode RSECADMIN -> user tab -> assignment -> user -> role-based

• A user with Authorization Object 0BI_ALL has full access to data, and this can overwrite any other Authorization Object assignment to that user.

• Query on InfoProvider with Authorization Objects: Below is the test query in which I added the InfoObject for which we created the test Authorization Object (ZDWK<TEST).

• I am running the query with the same user name (ZNBITSRTS) to whom we assigned the Authorization Object (ZDWK<TEST):

• The query output displays the authorization error, and we can check the error log using tcode RSECPROT:

• The below log explains that we are missing some of the characteristics for the created object. Logically we can think that we are only using one characteristic in our query and we did add it in the Authorization Object, so why are we still getting an Authorization Error? The reason is that we always have to add all the authorization relevant InfoObjects of the InfoProvider on which we created the query.

• Now I added all the missing InfoObjects with full access for the Authorization Object (ZDWK<TEST):

• I have restricted the query with an input ready variable on the InfoObject territory (ZDWSLTER):

• Running the query with the same territory that I assigned for the territory field of the Authorization Object:

• The query returns output without any authorization error:

• We can check the log in RSECPROT for the last run of the query:

• Running the same query with some different territory number:

• We got the authorization error because the value which we assigned for the object is not the same as what we passed:

Authorization Variable on Query:
Using the Authorization Variable we can populate the value of the InfoObject at run-time directly from the Authorization Object field's value.

• If we have an authorization variable defined for the query, then when we run the query it will not prompt us with the variable selection screen and will run the query directly for the value we defined for the field of the Authorization Object.

• Rather than assigning fixed values in the authorization object, we can also define the technical name of the customer exit variable in the field's value starting with the '$' symbol, which will read the value of the Authorization at query run-time based on the return value of the customer exit code:

• Below is the sample code which reads the territory based on the portal login-id from the reference table which we have in our BI system:

Use of ':' Symbol in Authorization Objects Field's Value:
• Now I am covering the scenario where the query is not using any InfoObject for which we have a restriction of values in the Authorization Object. I have added division as an object in the query, which has full authorization access, and now we don't have any territory object in the query anymore:

• Even though the division object has full authorization access, when we run the query we still get an authorization error:

• By checking the authorization log we can clearly see that even though the query is not using the territory InfoObject, it still checks for its value at query runtime because this object is part of the InfoProvider on which we have defined the query:

• To avoid the authorization check for the objects which are not being used in the query definition we should always add the ':' symbol in the authorization object field value, which allows queries to run for all the values of the object even if the object is not part of the query:

• Once we defined ':' the query now works fine (without any authorization failure):

• Below is the authorization log for the same:
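
The two rules walked through above (every authorization relevant InfoObject of the InfoProvider must be covered by the authorization, and ':' is needed for a restricted InfoObject that the query does not use), as a small Python model added here; it is not SAP code and not the author's code. ZDIVISION and the values T100, T200 and D01 are hypothetical, and the mandatory special characteristics are left out of the model.

```python
# Simplified model of the analysis-authorization check; not SAP code.
FULL, AGGREGATED = "*", ":"

def check_query(auth, relevant, selections):
    """Return (ok, reasons) for one query run.

    auth:       {InfoObject: set of authorized values} for the user
    relevant:   authorization-relevant InfoObjects of the InfoProvider
    selections: {InfoObject: value selected in the query}; an InfoObject
                absent from this dict is not used by the query
    """
    reasons = []
    for iobj in relevant:
        allowed = auth.get(iobj)
        if allowed is None:
            reasons.append(f"{iobj}: not in the authorization")
        elif FULL in allowed:
            continue
        elif iobj not in selections:
            if AGGREGATED not in allowed:
                reasons.append(f"{iobj}: not in query and ':' not authorized")
        elif selections[iobj] not in allowed:
            reasons.append(f"{iobj}: value {selections[iobj]!r} not authorized")
    return (not reasons, reasons)

# Constructed sample data. ZDWSLTER is the page's territory InfoObject;
# ZDIVISION and the values T100/T200/D01 are hypothetical.
RELEVANT = ["ZDWSLTER", "ZDIVISION"]
ONLY_TERRITORY = {"ZDWSLTER": {"T100"}}
ALL_OBJECTS = {"ZDWSLTER": {"T100"}, "ZDIVISION": {FULL}}
WITH_COLON = {"ZDWSLTER": {"T100", AGGREGATED}, "ZDIVISION": {FULL}}

def walkthrough():
    """Replay the five query runs from the text, in order."""
    runs = [
        (ONLY_TERRITORY, {"ZDWSLTER": "T100"}),  # other InfoObjects missing
        (ALL_OBJECTS, {"ZDWSLTER": "T100"}),     # authorized territory
        (ALL_OBJECTS, {"ZDWSLTER": "T200"}),     # different territory
        (ALL_OBJECTS, {"ZDIVISION": "D01"}),     # territory not in query
        (WITH_COLON, {"ZDIVISION": "D01"}),      # ':' added to territory
    ]
    return [check_query(auth, RELEVANT, sel) for auth, sel in runs]

if __name__ == "__main__":
    for ok, reasons in walkthrough():
        print("OK" if ok else "ERROR", reasons)
```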

Authorization Objects on InfoObject's of type Key Figure:
• I created one test query with 2 key figures as output.

• Output of query:

• We can restrict this query to show the data only for one key figure. For this we just have to add the required key figure (Record Count - ZDWCOUNT) as value for the field 0TCAKYFNM of our test authorization object (ZDWK<TEST).

• Now if we run the same query it will not show data for any other key figure except the one which we added in the authorization object definition.

• The log also explains the reason for the authorization error for the 2nd key figure:

Authorization Objects on InfoObject's of type Hierarchy:
• I assigned the brand hierarchy on the same test query:
• When we run the query it shows data for all the brands as well as the not-assigned brands:

• We can restrict the hierarchy using the Authorization Object to show data only for the 1st Node of the above displayed hierarchy:

• Assigned the node:

• Selected the Type of Authorization as '1', which will allow the hierarchy to show all the nodes which are below the selected node:

• After adding the authorization on the brand hierarchy we now only see the data for the node which we restricted in the hierarchy authorization value:
