Step by Step Sap Bi Security

kamaljeet.
kharbanda: Step-by-Step SAP BI

Security
Posted by Kamaljeet Kharbanda 26-Feb-2009
SAP BI security is an integral part of any BI implementation. Integrating all the data coming from
various source systems and providing the data access based on the users role is one of the
major concerns of all the BI Projects.
Security of SAP R/3-ECC systems are based on the activities while SAP BI security is focused on what data
user can access. Security in BI is categorized by major 2 categories:
Administrative Users The way we maintain security for administrative users is same as ECC
security but we have additional authorization objects in system which are defined only for BI
objects.
Reporting Users We have separate tools(Analysis Authorization) to maintain security for
reporting users.
What is Authorization Object?
It allows to check whether a user is allowed to perform a certain action. Actions are defined on the fields, and
each field in authorization object should pass the check. We can check all the Standard BI Authorization
Objects using tcode SU21 under the Business Warehouse folder:
Generated by Jive on 2015-08-07+02:00

1
kamaljeet.kharbanda: Step-by-Step SAP BI Security
With the SAP BI 7.0 we have new tool to maintain the reporting level security. We can access this new tool
using tcode RSECADMIN which replaces the old RSSM tool of BW 3.x.
## Below are the Step-by-Step instructions to create/maintain authorization objects for SAP BI Reporting:
I am covering the scenario where each employee (Sales Team) is assigned with one territory number, and the
data should be accessible to employee based on their territory only. For this scenario to work we have to set
security restriction for the corresponding territory InfoObject (ZDWSLTER).
# The first step before we create any Authorization Object is to set all the InfoObjects as authorization relevant
for which we want to restrict data access.
Authorization Objects on InfoObjects of type Characteristic:

# For accessing the new Analysis Authorization tools we use tcode RSECADMIN -> Authorizations Tab ->
Maintenance Button

2
# We can also use tcode RSECAUTH directly to come to maintenance screen:

3
# We have to give the technical name of the Authorization Object (ZDWKJTEST) then hit the create button:

4
# The very first step of creating any Authorization Object is to add the special characteristics as field for
restirction:
# The below 3 characteristics are mandatory for defining any Authorization Object. If we dont
have this we will get no access to any InforProvider. By default this gives us access to all the
InfoProvider(Full Access), but we can also set the value of InfoProvider for which we want the
Authorization Object to work.

5
# Now I am adding the infoobject(ZDWSLTER) for which we want to add restriction:

6
# We can double click on the newly added infobject, and can define the value which we want to allow for this
InfoObject. We can also set the dynamic value using Customer Exit Code which we will cover later in this blog.

7
# Saving the changes:

8

9
Assigning Authorization Objects to Users:

# Go back to previous screen (RSECADMIN) by hitting the back button, and click on assignment button under
user tab:

10
# Now we can assign the created Authorization Object to any user using this tool.

11
# Adding the created Authorization Object (ZDWKJTEST) to the user ZNBITSRTS. I will be using the same
user through out this blog for running any query so that it can use the restrictions which are applying using the
Authorization Object.

12
# We can also assign the authorization to users through role/profile using the standard Authorization Object
S_RS_AUTH:
# We can check the Authorization Objects assigned using roles/profile for any user using tcode RSU01 or we
can also use the path tcode RSECADMIN->user tab->assignment->user->role-based

13
# User with Authorization Object 0BI_ALL is having full access to data, and can overwrite any other
Authorization Objects assignment to it.

14
# Query on InfoProvider with Authorization Objects: Below is the test query in which I added the InfoObject for
which we created the test Authorization Object (ZDWKJTEST).

15
# I am running the query with the same user name (ZNBITSRTS) whom we assigned the Authorization Object
(ZDWKJTEST).:

16
# The query output displays the authorization error, and we can check the error log using tcode RSECPROT:

17

18

# The below log explains we are missing with some of the characteristics for the created object.
Logically we can think that we are only using one characteristic in our query and we did add it in
Authorization Object, but why still we are getting Authorization Error? The reason is we always
have to add all the authorization relevant InfoObjects of the InfoProvider on which we created
query.
# Now I added all the missing InfoObjects with full access for the Authorization Object
(ZDWKJTEST):

19
# I have restricted the query with input ready variable on InfoObject territory (ZDWSLTER):

20
# Running the query with the same territory what I assigned for territory field of Authorization Object:

21
# The query returns output without any authorization error:
# We can check the log in RSECPROT for the last run of query:

22
# Running the same query with some different territory number:

23
# We got the authorization error because of the value which we assigned for the object is not same as what we
passed:
# Authorization Variable on Query:

24

Using the Authorization Variable we can populate the value of InfoObject at run-time directly from
the Authorization Object fields value.
# If we have authorization variable defined for the query and when we run the query it will not prompt us for the
variable selection screen & will run the query directly for the value we defined for the field of the Authorization
Object.

25
# Rather than assigning the fixed values in the authorization object, we can also define the
technical name of the customer exit variable in the fields value starting with $ symbol which
will read the value of Authorization at query run-time based on the return value of customer exit
code:

26
# Below is the sample code which reads the territory based on the portal login-id from the reference table which
we have in our BI system:

27
Use of : Symbol in Authorization Objects Fields Value:
# Now I am covering the scenario where query is not using any InfoObject for which we have
restriction of values in the Authorization Object. I have added division as object in query which is
having full authorization access, and now we dont have any territory object in query anymore:

28

29
# Even though the division object is having full authorization access, still when we run the query we get
authorization error:

30
# By checking authorization log we can clearly see even though the query is not using territory InfoObject it still
checks for its value at query runtime because this object is part of InfoProvider on which we have defined the
query:

31

# To avoid the authorization check for the objects which are not being used in the query definition
we should always add : symbol in the authorization object field value which allows queries to
run for all the values of object even if the object is not the part of the query:
# Once we defined : now the query works fine (without any authorization failure):

32
# Below is the authorization log for the same:
Authorization Objects on InfoObjects of type Key Figure:

# I created one test query with 2 key figures as output.

33
# Output of query:

34
# We can restrict this query to show the data only for one key figure. For this we just have to add the required
key figure (Record Count - ZDWCOUNT) as value for the field 0TCAKYFNM of our test authorization object
(ZDWKJTEST).

35
# Now if we run the same query it will not show data for any other key figure except the one which we added in
the authorization object definition.

36
# The log also explains the reason of authorization error for 2nd key figure:
Authorization Objects on InfoObjects of type Hierarchy:

# I assigned brand hierarchy on the same test query:

37
# When we run the query it shows data for all the data brands as well the not-assigned brands:

38
# We can restrict the hierarchy using Authorization Object to show data only for 1st Node of above displayed
hierarchy:
# Assigned the node:

39
# Selected the Type of Authorization as 1 which will allow the hierarchy to show all the nodes
which are below the selected node:

40

41
# After adding the authorization on brand hierarchy now we only see the data for node which we restricted in
the hierarchy authorization value:
14447 Views
Christian Harrington
22-Jan-2015 17:32
Hi Kamaljeet and all,
I am trying to use a scenario where I would dynamically fill the object S_RS_COMP-RSZCOMPID (for query
name component) with the customer exit ZXRSRU01. This way we can maintain in a table the security at query
level rather than hardcoding it into the security object. So my code looks like this:
case i_vnam.
when 'Z_QRY_VAR'.
if i_step = 0.
clear l_s_range.
l_s_range-low = 'Z_QRY_001'. (this is just an example to make it work)
l_s_range-sign = 'I'.
l_s_range-opt = 'EQ'.
APPEND l_s_range to e_t_range.
endif.
endcase.
I created the variable from the query designer attached to a dummy infoobject (0INFOPROV) with processing
by customer exit, not ready for input, several single values. Looks fine.

42
And this is what I have defined in the security role:

S_RS_COMP-RSZCOMPID $Z_QRY_VAR
But the customer exit seems not to be called in this case...why? I was told the dynamic variable ($) is supposed
to work also in this case, but l am missing something.
There is many blogs around populating an object like 0COUNTRY, etc. but in my case I want directly to
populate the query ID into object S_RS_COMP-RSZCOMPID.
Do you think it's possible?
Many thanks!
Christian
Suman Chakravarthy K
25-Dec-2013 05:55
This really amazing stuff
Thank you..
MOHAN CHAND REDDY A in response to Prashant Tripathi on page 43

31-Oct-2012 14:12
Thanks Kamaljeet for providing a valuable information with easy steps which we can follow.Thanks a lot.
Prashant Tripathi
19-Aug-2011 11:16
As if this was what I was waiting for - most of the concepts going around the head - now easily grasped
through your illustrative and lucid visuals and texts:) ..seriously wonderful learning step by step :)
Nishant Sourabh
25-Mar-2011 13:35
As others have said this bolg is really helpful for beignners in BI like me to understand the BI Analysis
Authorization concepts.
Thank you !!
Waseem Akhtar
26-Apr-2010 03:33
Great work!!! Excellent job. Keep it up.
John Varkey
22-Apr-2010 06:01
Hello Kamaljeet,
Thanks a TON for your patience and passion about creating/Sharing a valuable document....A great thanks
from my Bottom of the Heart...
Regards,
Meghasyam
Sankar Kumar
26-Mar-2010 23:11
Really, tis is a very clear and demonstrative effort. Thank you.

43
Samuels David
12-Feb-2010 10:30
Thanks Kamaljeet!
This is BY FAR the very best and most complete description of BI 7x Analysis Authorizations available - I am
sure many people are grateful to you for putting it together and explaining some of the things that are not clear
from the help or TechEd/Portals conference presentations.
Its been very valuable to me, and much appreciated!
-Dave Samuels
SUNIL Kollabathini
11-Nov-2009 00:46
Hello Sir.. thnz for the blog and itz very easy and simple to understand ... will implement soon in som
escenario.... thnx again and will wait for next blog
Prahtap L
08-Nov-2009 23:31
Hi Kamaljeet Gi !
It's wounferful blog thank you very much . looking forward somemore articles all topics.
Regards
L.Prathap
Birgit Stephan in response to Kamaljeet Kharbanda on page 46
18-Sep-2009 08:43
Hello Kamaljeet,
thank you very much for this great blog.
I created also authorization object with filling by customer exit variable, so I was a little unsure about your
comment:"You don't have to create any variable for it, just define it in your CMOD code and it will take care of it
automatically. "
When I assign a variable for example $ABC in
rsecadmin and this variable is not available
I get the following message:
"This variable does not exist or does not have type Customer Exit.
Create a variable in the Query Designer ..."
I also get this message, when the variable is
available in cmod.
So perhaps you could clarify this for me.
Thank you very much and best regards,
Birgit
Srini Ryali

44
03-Aug-2009 21:05
Its really helpful blog.
Regards,
Madhu
Kishore Kumar Kusupati
16-Jul-2009 00:28
Thanks Kamaljeet. This is really a very useful and important blog in terms of understanding and implementing
SAP Netweaver BW security.
Best Regards,
Kishore
Abdul Harivaram
09-Jun-2009 07:21
Hello,
I'm working on giving BI access to channel partners. They need to be resticted based on partner number.
Means a partner should be able to see only reports related with his contacts, employess and so on.
For this I'm planning to make 0CRM_SALESP as authorization relavent and create a variable authorization
objects with $ value and based on user exit it will pull reports related with that partner.
Problem is if I go with this option then the employees who need to view all reports will not be able to do so.
Is there a alternate way where I can be able to both at the same time.
Appreciate your help.
Thanks
Anand R
04-Jun-2009 11:31
Nice blog to start with
ashh jan
11-Apr-2009 06:00
In portal, I need to restrict users based on company code.
When US users logged on to portal, they needs to look at the reports, which has the company code value
CC10
When Canadian users logged on to portal, they needs to look at the report, which has the company value
CC20
When Europian users logged on to portal, they needs to look at the report, which has the company value CC30
Director of the company needs to look at all the reports, Company code values CC10, CC20 and CC30.
For this I followed these steps:
1. Info object 0COMP_CODE, checking Authorization relevent flag in business explorer flag
2. Tran RSECADMIN, Click Maintenance, create Authorization object, then add special characteristics
(0TCAACTVT, 0TCAIPROV, 0TCVALID) and adding the 0COMP_CODE and double click on
0COMP_CODE and giving the value $ZCOMP and save it.

45
3. Assigning this Authorization object to the role using standard authorization object S_RS_AUTH
4. In the report, for the 0COMP_CODE, create a new variable ZAUTH_VAR with processing by option
Authorization
5. Based on user logon id, there is a process to identify which company code he belongs --> This is gap
for me --> Please advise
6. CMOD, variable exit
CASE I_VNAM.
WHEN 'ZCOMP'or 'ZAUTH_VAR' ?
IF I_STEP = 0.
---> This is gap for me. Please advise.
Thanks,
Ashh.
Ankush Hallan
08-Apr-2009 23:03
During the migration process problems have been reported for this blog. The blog content may look
corrupt due to not supported HTML code on this platform. Please adjust the blog content manually
before moving it to an official community.
Kamaljeet Kharbanda in response to Kamaljeet Singh on page 46
11-Mar-2009 19:31
Thanks Kamaljeet ... good to see someone by same name as mine and that too in the same field :o)
Kamaljeet Singh
11-Mar-2009 18:11
This is very good article, Looking forward from you some more article on BI Security.
Kamaljeet
Kamaljeet Kharbanda in response to Inkyung Song on page 46
06-Mar-2009 06:26
You don't have to create any variable for it, just define it in your CMOD code and it will take care of it
automatically.
Basically when you run any query it always check for authorization of all the auth relevant objects, and if in the
auth object you have defined any value starting with '$' it checks the code of CMOD to get the value of that field
at runtime.
Kamaljeet
Inkyung Song
06-Mar-2009 06:18
Hello.
Thank you for the great information. This helps me understand the Analysis Authorization concept well.

46
I have one question regarding Customer Exit. Could you please let me know how to create a customer exit
variable like what you did for $ZTA?
Thank you.
Inkyung
Babu Jayendran
27-Feb-2009 02:02
Thanks Kamaljeet for your very useful inputs on BI Security

47

Step by Step Sap Bi Security

Caricato da

Informazioni sul documento

Copyright

Formati disponibili

Condividi questo documento

Condividi o incorpora il documento

Opzioni di condivisione

Hai trovato utile questo documento?

Questo contenuto è inappropriato?

Copyright:

Formati disponibili

Step by Step Sap Bi Security

Caricato da

Copyright:

Formati disponibili

kamaljeet.

kharbanda: Step-by-Step SAP BI

Generated by Jive on 2015-08-07+02:00

kamaljeet.kharbanda: Step-by-Step SAP BI Security

Authorization Objects on InfoObjects of type Characteristic:

Generated by Jive on 2015-08-07+02:00

kamaljeet.kharbanda: Step-by-Step SAP BI Security

# We can also use tcode RSECAUTH directly to come to maintenance screen:

Generated by Jive on 2015-08-07+02:00

kamaljeet.kharbanda: Step-by-Step SAP BI Security

Generated by Jive on 2015-08-07+02:00

kamaljeet.kharbanda: Step-by-Step SAP BI Security

Generated by Jive on 2015-08-07+02:00

kamaljeet.kharbanda: Step-by-Step SAP BI Security

# Now I am adding the infoobject(ZDWSLTER) for which we want to add restriction:

Generated by Jive on 2015-08-07+02:00

kamaljeet.kharbanda: Step-by-Step SAP BI Security

Generated by Jive on 2015-08-07+02:00

kamaljeet.kharbanda: Step-by-Step SAP BI Security

# Saving the changes:

Generated by Jive on 2015-08-07+02:00

kamaljeet.kharbanda: Step-by-Step SAP BI Security

Generated by Jive on 2015-08-07+02:00

kamaljeet.kharbanda: Step-by-Step SAP BI Security

Assigning Authorization Objects to Users:

Generated by Jive on 2015-08-07+02:00

kamaljeet.kharbanda: Step-by-Step SAP BI Security

Generated by Jive on 2015-08-07+02:00

kamaljeet.kharbanda: Step-by-Step SAP BI Security

Generated by Jive on 2015-08-07+02:00

kamaljeet.kharbanda: Step-by-Step SAP BI Security

Generated by Jive on 2015-08-07+02:00

kamaljeet.kharbanda: Step-by-Step SAP BI Security

Generated by Jive on 2015-08-07+02:00

kamaljeet.kharbanda: Step-by-Step SAP BI Security

Generated by Jive on 2015-08-07+02:00

kamaljeet.kharbanda: Step-by-Step SAP BI Security

Generated by Jive on 2015-08-07+02:00

kamaljeet.kharbanda: Step-by-Step SAP BI Security

Generated by Jive on 2015-08-07+02:00

kamaljeet.kharbanda: Step-by-Step SAP BI Security

Generated by Jive on 2015-08-07+02:00

kamaljeet.kharbanda: Step-by-Step SAP BI Security

Generated by Jive on 2015-08-07+02:00

kamaljeet.kharbanda: Step-by-Step SAP BI Security

Generated by Jive on 2015-08-07+02:00

kamaljeet.kharbanda: Step-by-Step SAP BI Security

Generated by Jive on 2015-08-07+02:00

kamaljeet.kharbanda: Step-by-Step SAP BI Security

# The query returns output without any authorization error:

Generated by Jive on 2015-08-07+02:00

kamaljeet.kharbanda: Step-by-Step SAP BI Security

# Running the same query with some different territory number:

Generated by Jive on 2015-08-07+02:00

kamaljeet.kharbanda: Step-by-Step SAP BI Security

# Authorization Variable on Query:

Generated by Jive on 2015-08-07+02:00

kamaljeet.kharbanda: Step-by-Step SAP BI Security

Generated by Jive on 2015-08-07+02:00

kamaljeet.kharbanda: Step-by-Step SAP BI Security

Generated by Jive on 2015-08-07+02:00

kamaljeet.kharbanda: Step-by-Step SAP BI Security

Generated by Jive on 2015-08-07+02:00

kamaljeet.kharbanda: Step-by-Step SAP BI Security