
Analysis Authorization

SAP AG

Overview
Defining Authorizations
Generating Authorizations
Assigning Authorizations
Monitoring & Test Tools
Comparison New Concept Former Concept
Migration

Authorization Levels

Authorizations can be defined:
- On InfoCube level
- On characteristic level
- On characteristic value level
- On key figure level
- On hierarchy node level

SAP AG 2006

Introduction to Analysis Authorizations 1

Authorization check OK:
Query results will be shown if the query selection is a proper subset of the authorization.
[Figure: Query Selection and Authorizations]

Authorization check not OK:
Query results will not be shown at all (not authorized), even if parts of the authorizations are met.
[Figure: Query Selection and Authorizations]

Introduction to Analysis Authorizations 2

Exceptions to the all-or-nothing rule:
- Display hierarchies are automatically filtered by the authorization
- Key figure values are not displayed if the key figure is not authorized

Authorization Relevant Characteristics

Before restricting authorizations on characteristics, you have to mark them as authorization-relevant.

InfoObject maintenance / transaction RSD1

Authorizing Characteristic Values 1

Central maintenance for (analysis) authorizations / transaction RSECADMIN

Scenario: A group of users is authorized only to specific sales organizations (e.g. Berlin and Birmingham)

Authorizing Characteristic Values 2

A group of users is authorized only to specific sales organizations (e.g. Berlin and Birmingham)

(Berlin)
(Birmingham)

Possible Values
- EQ: single value
- BT: range of values
- CP: contains (simple) patterns ending with * or + (e.g. XY*)

Authorizing Navigational Attributes 1

If you want to grant authorizations on navigational attributes, mark them in the attribute tab strip as authorization relevant.

Authorizing Navigational Attributes 2

Navigational Attributes
- Can be assigned individually
- The referencing characteristic (here: 0D_SALE_ORG) need not be authorization-relevant

Authorizing Hierarchies 1

On the same level as the value authorization, you can also grant authorizations on hierarchy levels.

Assume you have a sales organization as depicted.

Authorizing Hierarchies 2

Now you grant access for the complete Americas and France.

You can also use variables for flexibly and dynamically determining hierarchy nodes.

Authorizing Hierarchies 3

Type of Authorization
- Only the Selected Nodes
- Subtree Below Nodes
- Subtree Below Nodes to Level (Incl.)
- Complete Hierarchy
- Subtree Below Nodes to (and Incl.) Level (Relative). Use case: hierarchies that happen to be restructured regularly.

Hierarchy level
For types 2 and 4, you can specify under Hierarchy Level up to which level the user may expand the hierarchy:
For authorization type 2 (up to and including level, absolute), the level is the absolute level number in the hierarchy, where the top node of a hierarchy is on level 1.
For authorization type 4 (up to and including level, relative), the level number refers to the number of levels counted from the currently selected node, which is then itself on the first level.

Authorizing Hierarchies 4

Validity Range
Which authorization hierarchy is checked against the currently used hierarchy (strictness of check)?
- Name, Version Identical and Key Date Less Than or Equal to
- Name and Version Identical
- Name Identical
- All Hierarchies

Recommendation: Try to be as strict as possible!


Special Authorization Characteristics

Authorizations on special characteristics

Three characteristics can be, and are recommended to be, included in each authorization (note: they must not be included in queries!). They must be assigned to a user in at least one authorization.
- Activity (0TCAACTVT): e.g. reading (03)
- InfoProvider (0TCAIPROV): grants authorization to particular InfoProviders
- Validity (0TCAVALID): grants authorization to specific time periods

Insert special characteristics

Special Authorizations

Special authorizations
- * (asterisk): denotes a set of arbitrary characters
- + (plus): denotes exactly one character (e.g. 01.++.2005 until 10.++.2005: allows access only to the first 10 days of each month in 2005; only available for time validity (0TCAVALID))
- : (colon): allows only aggregated access to data (e.g. allows information on all sales areas only on an aggregated level, not on particular countries)

Key figure authorizations
- For key figure authorizations, you can include 0TCAKYFNM as a characteristic in the authorization. Note: hierarchy authorizations are not allowed on this characteristic.
- Note: Once you define 0TCAKYFNM as authorization-relevant, key figures are checked for every InfoProvider.

Variables And Authorizations

Variables of type customer exit
- For hierarchy authorizations
- For value authorizations
- Example: determine sales organization from assignments of the user master data

Use enhancement RSR00001 (transaction CMOD) for the necessary coding.

Selection and Authorization

Check of Authorizations
The selection of a query is checked against the union of the authorizations.

Example:
- One authorization grants access to cost center 1000 for year 2004, a second one grants access to the same cost center for year 2005
- Access to a query selection with cost center 1000 and years 2004 and 2005 will be granted

[Figure: cost center CC 1000 plotted against Year 2004 and Year 2005]

Note: In the former concept of authorization objects, the query selection had to be in the intersection of the two authorization objects for the authorization check to succeed (i.e. the mentioned query was not authorized).
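The union check described above, as an added example that is not SAP code and not part of the original slides: a simplified Python model of the all-or-nothing check against the union of authorizations, next to the former intersection behaviour from the note. The characteristic names COSTCENTER and YEAR, the (operator, low, high) rule layout and all function names are assumptions made for illustration.

```python
import re
from itertools import product

def value_matches(rule, value):
    """rule = (op, low, high) using the slide's operators EQ, BT and CP."""
    op, low, high = rule
    if op == "EQ":
        return value == low
    if op == "BT":  # string comparison; assumes equal-length keys
        return low <= value <= high
    if op == "CP":  # '*' = any run of characters, '+' = exactly one character
        rx = "".join(".*" if c == "*" else "." if c == "+" else re.escape(c)
                     for c in low)
        return re.fullmatch(rx, value) is not None
    raise ValueError(f"unknown operator {op!r}")

def covers(auth, combo):
    """True if one authorization allows this combination of values.
    Model assumption: a characteristic absent from the authorization grants nothing."""
    return all(any(value_matches(r, v) for r in auth.get(char, []))
               for char, v in combo.items())

def combos(selection):
    """Expand a selection {characteristic: [values]} into single-value combinations."""
    chars = sorted(selection)
    return [dict(zip(chars, vals))
            for vals in product(*(selection[c] for c in chars))]

def check_union(auths, selection):
    """New concept: every selected combination must be covered by at least one
    authorization; a single uncovered combination rejects the whole query."""
    return all(any(covers(a, c) for a in auths) for c in combos(selection))

def check_intersection(auths, selection):
    """Former concept as described in the note: the selection has to lie inside
    every authorization object."""
    return all(all(covers(a, c) for a in auths) for c in combos(selection))

# Constructed sample data mirroring the cost center example above.
AUTHS = [
    {"COSTCENTER": [("EQ", "1000", None)], "YEAR": [("EQ", "2004", None)]},
    {"COSTCENTER": [("EQ", "1000", None)], "YEAR": [("EQ", "2005", None)]},
]

if __name__ == "__main__":
    query = {"COSTCENTER": ["1000"], "YEAR": ["2004", "2005"]}
    print("union:", check_union(AUTHS, query))
    print("intersection:", check_intersection(AUTHS, query))
    query["YEAR"].append("2006")  # partly outside the authorizations
    print("union with 2006:", check_union(AUTHS, query))
```

Adding year 2006 to the selection makes the union check fail for the whole query, which is the all-or-nothing rule from the introduction slides.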

Generated Authorizations

Generating authorizations from DataStore objects
- Activate Business Content DataStore objects
  - HR authorizations: 0TCA_DS01, 0TCA_DS02, 0TCA_DS03, 0TCA_DS04, 0TCA_DS05
  - Controlling authorizations: 0CCA_001, 0CCA_002, 0CCA_003
- Load user data into DataStore object and start generation

Generation Log

Log for Generated Authorizations

Assigning Authorizations 1

Assignment of authorizations to users

Assigning Authorizations 2

Assignment of authorization hierarchies to users

You can define hierarchies on authorizations. Use InfoObject 0TCTAUTH for this hierarchy (possibly, you'll have to activate the hierarchy flag in the InfoObject maintenance).

Assigning Authorizations 3

Generated special authorization: 0BI_ALL
- Automatically generated and not changeable
- Grants authorizations for all values of all authorization-relevant characteristics
- Adjusted whenever a new InfoObject is set to authorization-relevant
- Simple possibility to grant authorizations to everything (e.g. via role, see next slide)

Assigning Authorizations 4

Assignment of authorizations to roles
- Alternatively, you can also assign authorizations to roles, which can then be assigned to users
- Use authorization object S_RS_AUTH for the assignment of authorizations to roles

Authorization Monitoring 1

Checking Authorizations
Check query execution with the authorization of a specific user

Authorization Monitoring 2

Evaluate Log Protocol


Detailed Information of all authorization checks
Which authorizations are checked?

Legal Auditing 1

Recording of changes
Recording of authorization changes and user assignments
Technical Content RemoteProviders:
- 0TCA_VAL
- 0TCA_HIE
- 0TCA_UA
Activate Business Content

Legal Auditing 2

Recording of changes
Query Example

Linked into Administrator Cockpit

Comparing Authorization Concept

Comparison Analysis Authorizations: <= SAP NetWeaver 2004 vs. SAP NetWeaver 2004s

Most important differences

| | <= SAP NetWeaver 2004 | SAP NetWeaver 2004s |
| Technical Foundation | Authorization Objects | Analysis Authorization |
| Maintenance | Not Changeable Afterwards | Changeable |
| Number of objects | 10 objects | Number of InfoObjects not limited |
| Navigational Attributes | Only on global basis | Individually |
| Hierarchy Authorizations | Via GUID and 0TCTAUTHH | Equivalent to value authorizations |
| Composition of authorizations | Intersection of business objects | Union (as expected) |
| Authorization Relevance | Per InfoObject AND InfoCube | Only InfoObject setting |

Migration 1

Migration Support
- ABAP program RSEC_MIGRATION (use transaction SA38)
- No complete, automatic migration, but support
- About 80% automatic migration expected
- The more complex the existing authorization concept, the more manual migration work might be necessary
- Customer-exit variables for 0TCTAUTHH cannot be migrated; the respective hierarchy nodes must be assigned manually
- Intensive tests are highly recommended
- Singular event, not for scheduling
- During migration to the new authorization concept, the existing concept won't be changed

Migration 2

Former and new authorization concept
- It is highly recommended to migrate to the new concept
- The former authorization concept won't be supported any longer
- You can, however, switch back to the former concept in some exceptional cases (IMG setting)

Migration Steps 1

Migration Steps
Step 1: Choose users
Migration can be done for singular user groups

Pre-requisite: a user group must be complete and self-contained!

[Figure: User 1 and User 2 with Authorization Objects 1, 2 and 3]

If user 1 is chosen and authorization objects 1&2 should be migrated, you have to choose user 2 as well in order to have a complete user group.

Note: there might be entangled dependencies of users with respect to the authorization objects. You'll get a message with information on the missing users in case the user group is not complete.

Migration Steps 2

Migration Steps
Step 2: Choose authorization objects to be migrated

Migration Steps 3

Migration Steps
Step 3: Choose assignment method
- Direct user assignment
  - Migrated authorizations will be assigned to the users directly (not via roles)
  - Migrated authorizations have prefix RSR_ and will be treated like generated authorizations
- Create new profiles
  - Generation of profiles based on authorization object S_RS_AUTH that contains the new, migrated authorizations
  - Generated profiles have prefix RSR_
- Extend existing profiles
  - Existing profiles will be extended by authorization object S_RS_AUTH containing the migrated authorizations
  - Preserves the existing role concept and extends the role profiles
- Undo migration
  - All migrated authorizations and profiles will be deleted; extended profiles contain empty authorization object S_RS_AUTH

Migration Steps 4

Migration Steps
Step 4: Choose details of authorization migration (expert mode)
Settings for referencing navigational attributes and characteristics
are only relevant for the compatibility mode setting in SAP BW 3.x
Please have a look at the detailed documentation for more
information

Migration Protocol

Migration protocol
A detailed protocol reports success and error events during the
migration

Additional Information

Additional Information
Release Notes
Documentation (help portal)

Copyright 2006 SAP AG. All Rights Reserved