Structural Authorizations in SAP BW

 

The following steps show the way Structural Authorization is enforced in SAP BW.

 The following steps to be carried out in the mySAP ERP HCM system.

 1) Call program RHBAUS02 for uploading Table T77UU and enter users.

2) Call program RHBAUUS00 for generating an index for structural authorization profile

3)  Activate Data source 0HR_PA_2

 The following steps to be carried out in the SAP BW system

 1) Replicate Data source 0HR_PA_2

2) Activate ODS InfoProvider 0HR_PA_2

3) Create an InfoPackage to perform an extraction for 0HR_PA_2

4) Load ODS data from mySAP ERP HCM

5) Mark InfoObjects as relevant for authorization (In order to use structural authorizations in SAP BW, all characteristic values like position, employee etc. which are relevant to reporting should be marked as authorization relevant InfoObjects.)

6)  Create reporting authorization objects

7)  Link authorization objects to InfoCubes

8)  Call program RSSB_Generate_Authorizations.    

 

Hierarchical Authorizations in SAP BW

 

The following steps describe the steps to control authorizations for hierarchies

 1) Transfer and activate InfoObject 0TCTAUTHH tcode => RSD1

2) Mark InfoObject 0TCTAUTHH as relevant for authorization tcode => RSD1

3) Mark Leaf InfoObject as relavant for authorization tcode => RSD1

4)  Create authorization objects with 0TCTAUTHH and Leaf InfoObject => RSSM

5) Define hierarchical authorizations tcode => RSSM

6) Manual intrgration of authorization object in role tcode => PFCG

7)  Maintain authorization values tcode => PFCG

8)  Assign role to user tcode => PFCG or via Central User Administration

 For extracting structural authorizations from HR (mySAP ERP HCM)  and to map it in SAP BW to maintian consistency between the   two systems the tables of interest are:

1)  T77PR for Structural Authorization profiles

2)  T77UA for user assignments

3) T77UU for users (in this table you can select the users for extraction. You can either select all or specific users)

 

Activating Authorizations in SAP BW

 

The following steps explains how to activate the authorizations in BW.

 1)  Mark InfoObject as relevant for authorization tcode => RSD1

 2)  Create report authorization object tcode => RSSM

3)  Select InfoCubes tcode => RSSM

4)  Manually integrate authorization object in role tcode => PFCG

5) Change / Maintain authorization values => PFCG

6)  Assign role to user tcode => PFCG or via Central User Administration

Important SAP BW Transaction Codes

 

Transaction Code	Description
RSA1	Transaction RSA1 is the main transaction for administrative functions in SAP BW (Administrator Workbench)
RSD1	This transaction code can be used to mark objects as relevant for authorization (InfoObject Maintainence)
RSSM	This transaction code can be used to create and modify authorization objects in SAP BW
RSZV	This transaction code is used to create or modify the variables for authorization checks. (Variable Maintenance)
RRMX	Business Explorer is the reporting tool in SAP BW and is used for analyzing data.
GLOBAL_TEMPLATES	Templates for modelling and evaluating data

 

SAP BW Authorizatin Objects - IV

 

 

Authorizations of the SAP system

 

Authorization object	Object class	Description
BC-SRV-KPR-BDS: Authorizations on document set (S_BDS_DS)	BC_Z	Controls access to documents that belong to a document set of the Business Document Service (BDS).
Authorization object for the translation environment (S_TRANSLAT)	BC_C	Controls access to the translation functions of the SAP System. Determines whether, in which languages and which text types are to be translated.

 

 

 

Authorization objects of object class RS for BW-BPS

Authorization object	Description
Planning level (R_AREA)	Controls access to the planning area and all lower-level objects. You must set up read access to planning areas for people who will work with the BW-BPS component. Otherwise, they will not be able to access any of the subordinate planning elements.
Planning level (R_PLEVEL)	Controls access to the planning area and all lower-level objects.
Planning package (R_PACKAGE)	Controls access to planning packages (including ad hoc packages).
Planning methods (R_METHOD)	Controls access to planning functions and the corresponding parameter groups.
Parameter group (R_PARAM)	Controls access to the individual parameter groups of a particular planning function.
Global planning sequence (R_BUNDLE)	Controls access to global planning sequences (you control authorizations for planning sequences that you create for a planning level with the authorization objects R_METHOD, R_PLEVEL, or R_AREA). No separate authorization for execution is defined for this authorization object. Whether a global planning sequence can be executed or not, depends on the authorization objects for the planning functions contained in it.
Planning profile (R_PROFILE)	Controls access to the planning profile. A planning profile restricts the objects that can be viewed. If you wish to view the planning objects, you must have at least display authorization for the appropriate planning profile.
Planning folder (R_PM_NAME)	Controls access to planning folders. In order to be able to work with planning folders, you also require the necessary authorizations for the planning objects combined in the folder.
Using the Web Interface Builder	Controls access to Web interfaces that you create and edit with the Web Interface Builder, and from which you can generate Web-enabled BSP applications.
Authorization for planning session and subplan (R_STS_PT)	Controls access to the Status and Tracking System. The object enables a check to be carried out whether a user is allowed access to a certain subplan or a version of it with the Status and Tracking System.
Executing Customizing for the BW-BPS Status and Tracking System (R_STS_CUST)	Controls access to Customizing for the Status and Tracking System. The object enables or forbids a user to execute Customizing.
Authorization for special access Status and Tracking System (R_STS_SUP)	This authorization object provides the assigned users with the status of a superuser in relation to the Status and Tracking System. The object enables changing access to all plan data, independent of whether and where a user of the cost center hierarchy it is based on is assigned. The authorization object is intended for members of a staff controller group, who are not part of the line organization of the company, but who nevertheless must be able to intervene in the planning process.

SAP BW Authorizatin Objects - III

 

Authorization Objects for the Administration of Analysis Authorizations

Authorization Object/Technical Name	Description
Infrastructure of analysis authorizations/S_RSEC	Authorization for assigning and administrating analysis authorizations
BI analysis authorizations in role/S_RS_AUTH	Authorization object for including analysis authorizations in roles

 

Authorization Objects for Data Mining (Object Class RSAN):

Technical Name	Description
RSDMEMBW	Authorization for uploading data mining results into the BI system
RSDMEMODEL	Authorization for working with analytical models

 

Authorization Objects for SAP DemoContent:

Technical Name	Description
S_RS_RSFC	Authorizations for SAP DemoContent

 

SAP BW Authorizatin Objects - II

 

 

Authorization Objects for Business Planning (Object Class RS):

Authorization Object/Technical Name	Description
Planning: Aggregation level/S_RS_ALVL	Authorizations for working with aggregation levels
Planning function/S_RS_PLSE	Authorizations for working with planning functions
Planning sequence/S_RS_PLSQ	Authorizations for working with planning sequences
Planning service type/S_RS_PLST	Authorizations for working with planning function types
Lock settings/S_RS_PLENQ	Authorizations for maintaining or displaying lock settings

 

Authorization Objects for Working in the Business Explorer (Object Class RS):

Authorization Object/Technical Name	Description
Business Explorer – components/S_RS_COMP	Authorizations for using different components for the query definition
Business Explorer – components/S_RS_COMP1	Authorization for queries from specific owners
Business Explorer – components/S_RS_FOLD	Display authorization for folders
Business Explorer – individual tools/S_RS_TOOLS	Authorizations for individual Business Explorer tools
Business Explorer – Enterprise Reports/ S_RS_ERPT	Authorizations for BEx enterprise reports
Business Explorer – Enterprise Report reusable elements/ S_RS_EREL	Authorizations for reusable elements of a BEx enterprise report
Business Explorer – data access services/S_RS_DAS	Authorizations for working with data access services
Business Explorer - BEx Web templates (NW 7.0+)/S_RS_BTMP	Authorizations for working with BEx Web templates
Business Explorer – BEx reusable Web items (NW 7.0+)/S_RS_BITM	Authorizations for working with BEx Web items
BEx Information Broadcasting authorization for scheduling/S_RS_BCS	Authorization for registering broadcast settings for execution
Business Explorer – BEx texts (maintenance)/S_RS_BEXTX	Authorizations for maintaining BEx texts

 

 

SAP BW Authorizatin Objects - I

 

Authorization Objects for Working in the Data Warehousing Workbench (Object Class RS):

Authorization Object/Technical Name	Description
Data Warehousing Workbench – objects/ S_RS_ADMWB	Authorizations for working with individual objects of the Data Warehousing Workbench. In detail, these are: source system, InfoObject, monitor, application component, InfoArea, Data Warehousing Workbench, settings, metadata, InfoPackage, InfoPackage group, Reporting Agent settings, Reporting Agent package, documents (for metadata, master data, hierarchies, transaction data), document store administration, (Customer) Content system administration, broadcast settings.
Data Warehousing Workbench – InfoObject/S_RS_IOBJ	Authorizations for working with individual InfoObjects and their subobjects. Until Release 3.0A, only general authorization protection was possible using authorization object S_RS_ADMWB. General authorization protection for InfoObjects still works as in the past. Special protection using S_RS_IOBJ is only used if there is no authorization for S_RS_ADMWB-IOBJ.
Data Warehousing Workbench – DataSource (Release > BW 3.x)/S_RS_DS	Authorizations for working with the DataSource (Release > BW 3.x) or its subobjects
Data Warehousing Workbench – DTP/S_RS_DTP	Authorizations for working with the data transfer process and its subobjects. The authorizations assigned for the DTP object have a higher priority than the authorizations for the underlying TLOGO objects. Users that have a DTP authorization for a source or target combination do not need read authorization for the source object or write authorization for the target object to execute the DTP.
Data Warehousing Workbench – InfoSource (Release > BW 3.x)/S_RS_ISNEW	Authorizations for working with InfoSources (Release > BW 3.x)
Data Warehousing Workbench – InfoSource (flexible updating)/S_RS_ISOUR	Authorizations for working with InfoSources with flexible updating and their subobjects
Data Warehousing Workbench – InfoSource (direct updating)/S_RS_ISRCM	Authorizations for working with InfoSources with direct updating and their subobjects
Data Warehousing Workbench – transformation rules/S_RS_TR	Authorizations for working with transformation rules and their subobjects
Data Warehousing Workbench – InfoCube/S_RS_ICUBE	Authorizations for working with InfoCubes and their subobjects
Data Warehousing Workbench – MultiProvider/S_RS_MPRO	Authorizations for working with MultiProviders and their subobjects
Data Warehousing Workbench – DataStore object/S_RS_ODSO	Authorizations for working with DataStore objects and their subobjects.
Data Warehousing Workbench – InfoSet/S_RS_ISET	Authorizations for working with InfoSets
Data Warehousing Workbench – hierarchy/S_RS_HIER	Authorizations for working with hierarchies
Data Warehousing Workbench – maintain master data/ S_RS_IOMAD	Authorizations for processing master data in the Data Warehousing Workbench
Data Warehousing Workbench – process chains/S_RS_PC	Authorizations for working with process chains
Data Warehousing Workbench – open hub destination/S_RS_OHDST	Authorizations for working with open hub destinations
Data Warehousing Workbench – currency translation type / S_RS_CTT	Authorizations for working with currency translation types
Data Warehousing Workbench – quantity conversion type / S_RS_UOM	Authorizations for working with quantity conversion types
Data Warehousing Workbench – key date derivation type/S_RS_THJT	Authorizations for working with key date derivation types
Authorization object for the RS trace tool/S_RS_RST	Authorization object for the RS trace tool
Authorization for the analysis process/RSANPR	Authorizations for working with analysis processes

 

Important HR Authorization Objects - III

 

P_CH_PK (HR-CH: Pension Fund: Account Access)

The P_CH_PK authorization object contains the following fields which, are tested during an authorization check:

Authorization Field	Long Text
KONNR	Number of Individual PF Account
AUTGR	HR-CH: Authorization for PF Accounts
PKKLV	HR-CH: Pension Fund: Authorization Level for Account Access

 

More Information About the Fields

• The KONNR field specifies which pension fund accounts an administrator is authorized to access.
• The AUTGR field specifies the permissible authorization groups for the authorization check.
• The PKKLV field specifies which operations (authorization level) the user is authorized to perform in pension fund accounts. The following values are possible:

-: No Access

R: Read authorization

W: Write authorization

X: Extended authorization (for example, offsetting entries for postings or changing the lock date)

 

P_PYEVDOC (HR: Posting Document)

The P_PYEVDOC authorization object contains the following fields, which are tested during an authorization check:

Authorization Field	Long Text
BUKRS	Company Code
ACTVT	Activity

 

More Information About the Fields

The ACTVT field contains the activities for posting documents that are possible as part of the authorization check. The ACTVT field can have the following values:

03: Display

10: Post

28: Display Line Item

43: Release

 

 

 

 

P_BEN (HR: Benefit Area)

The P_BEN authorization object contains the following fields, which are tested during an authorization check:

Authorization Field	Long Text
PBEN_AREA	Benefit Area
ACTVT	Activity

 

More Information About the Fields

The ACTVT field contains the activities for benefits that are possible as part of the authorization check. The field can have the following values:

02: Change

03: Display

 

P_PE01 (HR: Authorization for Personnel Calculation Schemas)

The P_PE01 authorization object contains the following field, which is tested during an authorization check:

Authorization Field	Long Text
P_AUTHPE01	HR Schema: Authorization

 

P_PE02 (HR: Authorization for Personnel Calculation Rule)  

The P_PE02 authorization object contains the following field, which is tested during an authorization check:

Authorization Field	Long Text
P_AUTHPE02	Personnel Calculation Rule: Authorization