How to Implement Authorizations in SAP BW/4HANA

SAP BW/4HANA is a next-generation data warehousing solution that lets you optimize processes and support innovation with one trusted source for all insights. One of the key aspects of SAP BW/4HANA is the authorization concept, which is used to control and secure access to data at different levels. In this blog post, we will explain what authorizations are, how they work, and how you can implement them in your system, with some examples.

What are authorizations?

Authorizations are the permissions that determine what actions a user can perform on the data and objects in SAP BW/4HANA. Authorizations are based on authorization objects, which are the smallest units of authorization in SAP BW/4HANA. Authorization objects consist of one or more authorization fields, which specify the values or ranges of values that a user can access or modify.

There are different types of authorization objects in SAP BW/4HANA, such as:

  • Data Warehousing Workbench – objects (S_RS_ADMWB): Authorizations for working with the Data Warehousing Workbench and the BW Modeling tools. These include the following: Source system, InfoObject, monitor, application component, InfoArea, Data Warehousing Workbench, settings, metadata, documents (for metadata, master data, hierarchies, transaction data), document store administration, (Customer) Content system administration.
  • InfoObject (S_RS_IOBJA): Authorizations for working with individual InfoObjects with InfoAreas and their subobjects.
  • DataSource (S_RS_DS): Authorizations for working with DataSources and their subobjects.
  • DTP (S_RS_DTP): Authorizations for working with individual DTPs and their subobjects.
  • InfoSource (InfoArea) (S_RS_TRCS): Authorizations for working with InfoSources for BW systems that are using a SAP HANA database.
  • Transformation rules (S_RS_TR): Authorizations for working with transformation rules and their subobjects.
  • DataStore Object (Advanced) (S_RS_ADSO): Authorizations for working with DataStore objects (advanced) and their subobjects.
  • Authorization object for local and ad hoc CompositeProviders (S_RS_CPRO): Authorizations for working with local and ad hoc CompositeProviders and their subobjects.
  • Central CompositeProvider (S_RS_HCPR): Authorizations for working with (central) CompositeProviders and their subobjects.
  • BAdI Provider (S_RS_BDPR): Authorizations for working with BAdI providers and their subobjects.
  • Authorizations for TLOGO object history (S_RS_HIST): Authorizations for working with version management.
  • Hierarchy (S_RS_HIER): Authorizations for working with hierarchies.
  • Maintain master data (S_RS_IOMAD): Authorizations for processing master data in the Data Warehousing Workbench.
  • Process chains (S_RS_PC): Authorizations for working with process chains.
  • Open hub destination (S_RS_OHDST): Authorizations for working with open hub destinations.
  • Authorizations for the SAP HANA analysis process (RSHAAP): Authorizations for working with SAP HANA analysis processes.
  • Authorizations for SAP HANA analysis elements (RSHAOT): Authorizations for working with SAP HANA analysis elements.
  • Open ODS View (S_RS_ODSV): Authorizations for working with Open ODS Views.

In addition to these standard authorizations, there are also analysis authorizations, which are used to restrict access to transaction data based on characteristic values. Analysis authorizations are assigned to InfoProviders and can be defined using variables or fixed values.

How do authorizations work?

Authorizations work by checking the user’s assigned roles and profiles against the required authorization objects and fields when performing an action on the data or objects in SAP BW/4HANA. If the user has the necessary authorization values or ranges for all the relevant authorization fields, then the action is allowed. Otherwise, the action is denied or restricted.

Authorizations can be checked at different levels in SAP BW/4HANA, such as:

  • Object level: This level checks whether the user has authorization to access or modify a specific object type or instance, such as an InfoObject or a DataSource. This level is controlled by the standard authorization objects mentioned above.
  • Value level: This level checks whether the user has authorization to access or modify specific values or ranges of values of a characteristic or a key figure. This level is controlled by the analysis authorizations assigned to InfoProviders.
  • Cell level: This level checks whether the user has authorization to access or modify specific cells in a query result set. This level is controlled by the cell-level security feature, which allows you to define cell-level restrictions based on formulas or conditions.

How to implement authorizations with examples?

You can implement authorizations in SAP BW/4HANA using the following steps:

  • Define the authorization concept and requirements for your system, such as the roles, profiles, authorization objects, authorization fields and analysis authorizations that you need to secure your data and objects.
  • Create and maintain the roles and profiles for your users using the role maintenance tool (transaction code PFCG) or the BW/4HANA cockpit. Assign the relevant authorization objects and fields to the roles and profiles according to your authorization concept and requirements.
  • Create and maintain the analysis authorizations for your InfoProviders using the analysis authorization editor (transaction code RSECADMIN) or the BW/4HANA cockpit. Assign the relevant characteristic values or variables to the analysis authorizations according to your authorization concept and requirements.
  • Assign the roles and profiles to your users using the user maintenance tool (transaction code SU01) or the BW/4HANA cockpit. Ensure that the users have the necessary authorizations for their tasks and responsibilities.
  • Test and monitor your authorization concept and implementation using the authorization check tool (transaction code RSRT) or the BW/4HANA cockpit. Ensure that the authorizations are working as expected and that there is no unauthorized access and there are no errors.

Here are some examples of how you can implement authorizations for different scenarios:

Example 1: Restricting access to an InfoObject

To restrict access to an InfoObject, follow these steps:

  • Create a role for the users who need access to the InfoObject using the role maintenance tool or the BW/4HANA cockpit.
  • Assign the authorization object S_RS_IOBJA to the role with activity 03 (display) and InfoArea * (all).
  • Assign the InfoObject name or pattern to the authorization field IOBJNM of the authorization object S_RS_IOBJA.
  • Save and generate the role.
  • Assign the role to the users who need access to the InfoObject using the user maintenance tool or the BW/4HANA cockpit.
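
The check rule from "How do authorizations work?" applied to the role from Example 1, as an added example (a simplified Python model written for this page, not SAP code). ACTVT and IOBJNM are the fields named above; INFOAREA is a placeholder field name, and the role data, InfoObject names and the second authorization are constructed for illustration.

```python
# Constructed role content: two authorizations for S_RS_IOBJA.
# The first follows Example 1 (display, all InfoAreas, a name pattern).
ROLE_AUTHS = [
    {"object": "S_RS_IOBJA",
     "fields": {"ACTVT": ["03"], "INFOAREA": ["*"], "IOBJNM": ["ZSALES*"]}},
    {"object": "S_RS_IOBJA",
     "fields": {"ACTVT": ["02", "03"], "INFOAREA": ["ZFIN"],
                "IOBJNM": [("ZCOST_A", "ZCOST_M")]}},  # inclusive from-to range
]

def value_allowed(granted, requested):
    """True if one granted entry (value, trailing-* pattern or range) covers the request."""
    for entry in granted:
        if isinstance(entry, tuple):
            low, high = entry
            if low <= requested <= high:
                return True
        elif entry.endswith("*"):
            if requested.startswith(entry[:-1]):
                return True
        elif entry == requested:
            return True
    return False

def check(auths, obj, requested):
    """Allow only if ONE authorization of `obj` covers EVERY requested field.

    Values are never combined across authorizations: display from one and
    change from another do not add up to change on the first one's objects.
    """
    for auth in auths:
        if auth["object"] != obj:
            continue
        fields = auth["fields"]
        if all(value_allowed(fields.get(f, []), v) for f, v in requested.items()):
            return True
    return False

def full_wildcards(auths):
    """List (object, field) pairs granted as '*', for review of over-broad roles."""
    return [(a["object"], f) for a in auths
            for f, vals in a["fields"].items() if "*" in vals]

if __name__ == "__main__":
    req = {"ACTVT": "02", "INFOAREA": "ZSD", "IOBJNM": "ZSALES_ORG"}
    print("change ZSALES_ORG:", check(ROLE_AUTHS, "S_RS_IOBJA", req))
    print("full wildcards:", full_wildcards(ROLE_AUTHS))
```

The wildcard listing is the part worth running against real role exports during a review: a `*` in the InfoArea field, as in Example 1, means the name pattern in IOBJNM is the only thing limiting the role.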

Example 2: Restricting access to a characteristic value

To restrict access to a characteristic value, follow these steps:

  • Create an analysis authorization for the characteristic using the analysis authorization editor or the BW/4HANA cockpit.
  • Enter a technical name and a description for the analysis authorization.
  • Select the characteristic from the list of available characteristics and enter a fixed value or a variable as a restriction condition.
  • Save and activate the analysis authorization.
  • Assign the analysis authorization to one or more InfoProviders using the analysis authorization editor or the BW/4HANA cockpit.
  • Assign the analysis authorization to one or more roles using the role maintenance tool or the BW/4HANA cockpit.

Example 3: Restricting access to a query cell

To restrict access to a query cell, follow these steps:

  • Create a query on an InfoProvider using the Eclipse-based BW Query tool or any other BI client.
  • Go to the Cell Definition tab and select a cell in your query structure that you want to restrict access to.
  • Right-click on the cell and select Restrict Access.
  • Enter a formula or a condition that defines when the cell should be restricted. You can use variables, constants, operators, functions or references in your formula or condition.
  • Save and activate your query.
  • Assign the query to one or more roles using the role maintenance tool or the BW/4HANA cockpit.
  • Test and monitor your query cell restriction using the authorization check tool or the BW/4HANA cockpit.

This content is generated by AI.