Tuesday, November 3, 2009

Structural Authorizations in SAP BW

 
The following steps show the way Structural Authorization is enforced in SAP BW.

The following steps are carried out in the mySAP ERP HCM system:

1) Call program RHBAUS02 to upload table T77UU and enter users.

2) Call program RHBAUS00 to generate an index for the structural authorization profiles.

3) Activate DataSource 0HR_PA_2.

The following steps are carried out in the SAP BW system:

1) Replicate DataSource 0HR_PA_2

2) Activate ODS InfoProvider 0HR_PA_2

3) Create an InfoPackage to perform an extraction for 0HR_PA_2

4) Load ODS data from mySAP ERP HCM

5) Mark InfoObjects as relevant for authorization. (To use structural authorizations in SAP BW, all characteristics that are relevant to reporting, such as position and employee, should be marked as authorization-relevant InfoObjects.)

6) Create reporting authorization objects

7) Link authorization objects to InfoCubes

8) Call program RSSB_Generate_Authorizations.

 

Hierarchical Authorizations in SAP BW

 
The following steps control authorizations for hierarchies:

1) Transfer and activate InfoObject 0TCTAUTHH tcode => RSD1

2) Mark InfoObject 0TCTAUTHH as relevant for authorization tcode => RSD1

3) Mark leaf InfoObject as relevant for authorization tcode => RSD1

4) Create authorization objects with 0TCTAUTHH and leaf InfoObject tcode => RSSM

5) Define hierarchical authorizations tcode => RSSM

6) Manually integrate authorization object in role tcode => PFCG

7) Maintain authorization values tcode => PFCG

8) Assign role to user tcode => PFCG or via Central User Administration

To extract structural authorizations from HR (mySAP ERP HCM) and map them in SAP BW so that the two systems stay consistent, the tables of interest are:

1) T77PR for structural authorization profiles

2) T77UA for user assignments

3) T77UU for users (in this table you can select the users for extraction; you can select either all users or specific users)

 

Activating Authorizations in SAP BW

 
The following steps explain how to activate authorizations in BW:

1) Mark InfoObject as relevant for authorization tcode => RSD1

2) Create report authorization object tcode => RSSM

3) Select InfoCubes tcode => RSSM

4) Manually integrate authorization object in role tcode => PFCG

5) Change / maintain authorization values tcode => PFCG

6) Assign role to user tcode => PFCG or via Central User Administration

Important SAP BW Transaction Codes

 

Transaction Code | Description
RSA1 | Main transaction for administrative functions in SAP BW (Administrator Workbench)
RSD1 | Used to mark objects as relevant for authorization (InfoObject Maintenance)
RSSM | Used to create and modify authorization objects in SAP BW
RSZV | Used to create or modify the variables for authorization checks (Variable Maintenance)
RRMX | Business Explorer, the reporting tool in SAP BW, used for analyzing data
GLOBAL_TEMPLATES | Templates for modelling and evaluating data

 

SAP BW Authorization Objects - IV

 
 
Authorizations of the SAP system
 
Authorization object | Object class | Description
BC-SRV-KPR-BDS: Authorizations on document set (S_BDS_DS) | BC_Z | Controls access to documents that belong to a document set of the Business Document Service (BDS).
Authorization object for the translation environment (S_TRANSLAT) | BC_C | Controls access to the translation functions of the SAP System. Determines whether, in which languages and which text types are to be translated.
 
 
 
Authorization objects of object class RS for BW-BPS

Authorization object | Description
Planning area (R_AREA) | Controls access to the planning area and all lower-level objects. You must set up read access to planning areas for people who will work with the BW-BPS component. Otherwise, they will not be able to access any of the subordinate planning elements.
Planning level (R_PLEVEL) | Controls access to the planning area and all lower-level objects.
Planning package (R_PACKAGE) | Controls access to planning packages (including ad hoc packages).
Planning methods (R_METHOD) | Controls access to planning functions and the corresponding parameter groups.
Parameter group (R_PARAM) | Controls access to the individual parameter groups of a particular planning function.
Global planning sequence (R_BUNDLE) | Controls access to global planning sequences (you control authorizations for planning sequences that you create for a planning level with the authorization objects R_METHOD, R_PLEVEL, or R_AREA). No separate authorization for execution is defined for this authorization object. Whether a global planning sequence can be executed depends on the authorization objects for the planning functions contained in it.
Planning profile (R_PROFILE) | Controls access to the planning profile. A planning profile restricts the objects that can be viewed. If you wish to view the planning objects, you must have at least display authorization for the appropriate planning profile.
Planning folder (R_PM_NAME) | Controls access to planning folders. To work with planning folders, you also require the necessary authorizations for the planning objects combined in the folder.
Using the Web Interface Builder | Controls access to Web interfaces that you create and edit with the Web Interface Builder, and from which you can generate Web-enabled BSP applications.
Authorization for planning session and subplan (R_STS_PT) | Controls access to the Status and Tracking System. The object enables a check of whether a user is allowed access to a certain subplan, or a version of it, with the Status and Tracking System.
Executing Customizing for the BW-BPS Status and Tracking System (R_STS_CUST) | Controls access to Customizing for the Status and Tracking System. The object allows or forbids a user to execute Customizing.
Authorization for special access Status and Tracking System (R_STS_SUP) | Gives the assigned users the status of a superuser in relation to the Status and Tracking System. The object grants change access to all plan data, regardless of whether and where the user is assigned in the cost center hierarchy on which the system is based. The authorization object is intended for members of a staff controller group who are not part of the line organization of the company but who nevertheless must be able to intervene in the planning process.

SAP BW Authorization Objects - III

 
Authorization Objects for the Administration of Analysis Authorizations

Authorization Object/Technical Name | Description
Infrastructure of analysis authorizations/S_RSEC | Authorization for assigning and administrating analysis authorizations
BI analysis authorizations in role/S_RS_AUTH | Authorization object for including analysis authorizations in roles

Authorization Objects for Data Mining (Object Class RSAN):

Technical Name | Description
RSDMEMBW | Authorization for uploading data mining results into the BI system
RSDMEMODEL | Authorization for working with analytical models

Authorization Objects for SAP DemoContent:

Technical Name | Description
S_RS_RSFC | Authorizations for SAP DemoContent

 

SAP BW Authorization Objects - II

 
 
Authorization Objects for Business Planning (Object Class RS):

Authorization Object/Technical Name | Description
Planning: Aggregation level/S_RS_ALVL | Authorizations for working with aggregation levels
Planning function/S_RS_PLSE | Authorizations for working with planning functions
Planning sequence/S_RS_PLSQ | Authorizations for working with planning sequences
Planning service type/S_RS_PLST | Authorizations for working with planning function types
Lock settings/S_RS_PLENQ | Authorizations for maintaining or displaying lock settings

 
Authorization Objects for Working in the Business Explorer (Object Class RS):

Authorization Object/Technical Name | Description
Business Explorer – components/S_RS_COMP | Authorizations for using different components for the query definition
Business Explorer – components/S_RS_COMP1 | Authorization for queries from specific owners
Business Explorer – components/S_RS_FOLD | Display authorization for folders
Business Explorer – individual tools/S_RS_TOOLS | Authorizations for individual Business Explorer tools
Business Explorer – Enterprise Reports/S_RS_ERPT | Authorizations for BEx enterprise reports
Business Explorer – Enterprise Report reusable elements/S_RS_EREL | Authorizations for reusable elements of a BEx enterprise report
Business Explorer – data access services/S_RS_DAS | Authorizations for working with data access services
Business Explorer - BEx Web templates (NW 7.0+)/S_RS_BTMP | Authorizations for working with BEx Web templates
Business Explorer – BEx reusable Web items (NW 7.0+)/S_RS_BITM | Authorizations for working with BEx Web items
BEx Information Broadcasting authorization for scheduling/S_RS_BCS | Authorization for registering broadcast settings for execution
Business Explorer – BEx texts (maintenance)/S_RS_BEXTX | Authorizations for maintaining BEx texts

 
 

SAP BW Authorization Objects - I

 
Authorization Objects for Working in the Data Warehousing Workbench (Object Class RS):

Authorization Object/Technical Name | Description
Data Warehousing Workbench – objects/S_RS_ADMWB | Authorizations for working with individual objects of the Data Warehousing Workbench. In detail, these are: source system, InfoObject, monitor, application component, InfoArea, Data Warehousing Workbench, settings, metadata, InfoPackage, InfoPackage group, Reporting Agent settings, Reporting Agent package, documents (for metadata, master data, hierarchies, transaction data), document store administration, (Customer) Content system administration, broadcast settings.
Data Warehousing Workbench – InfoObject/S_RS_IOBJ | Authorizations for working with individual InfoObjects and their subobjects. Until Release 3.0A, only general authorization protection was possible using authorization object S_RS_ADMWB. General authorization protection for InfoObjects still works as in the past. Special protection using S_RS_IOBJ is only used if there is no authorization for S_RS_ADMWB-IOBJ.
Data Warehousing Workbench – DataSource (Release > BW 3.x)/S_RS_DS | Authorizations for working with the DataSource (Release > BW 3.x) or its subobjects
Data Warehousing Workbench – DTP/S_RS_DTP | Authorizations for working with the data transfer process and its subobjects. The authorizations assigned for the DTP object have a higher priority than the authorizations for the underlying TLOGO objects. Users that have a DTP authorization for a source or target combination do not need read authorization for the source object or write authorization for the target object to execute the DTP.
Data Warehousing Workbench – InfoSource (Release > BW 3.x)/S_RS_ISNEW | Authorizations for working with InfoSources (Release > BW 3.x)
Data Warehousing Workbench – InfoSource (flexible updating)/S_RS_ISOUR | Authorizations for working with InfoSources with flexible updating and their subobjects
Data Warehousing Workbench – InfoSource (direct updating)/S_RS_ISRCM | Authorizations for working with InfoSources with direct updating and their subobjects
Data Warehousing Workbench – transformation rules/S_RS_TR | Authorizations for working with transformation rules and their subobjects
Data Warehousing Workbench – InfoCube/S_RS_ICUBE | Authorizations for working with InfoCubes and their subobjects
Data Warehousing Workbench – MultiProvider/S_RS_MPRO | Authorizations for working with MultiProviders and their subobjects
Data Warehousing Workbench – DataStore object/S_RS_ODSO | Authorizations for working with DataStore objects and their subobjects.
Data Warehousing Workbench – InfoSet/S_RS_ISET | Authorizations for working with InfoSets
Data Warehousing Workbench – hierarchy/S_RS_HIER | Authorizations for working with hierarchies
Data Warehousing Workbench – maintain master data/S_RS_IOMAD | Authorizations for processing master data in the Data Warehousing Workbench
Data Warehousing Workbench – process chains/S_RS_PC | Authorizations for working with process chains
Data Warehousing Workbench – open hub destination/S_RS_OHDST | Authorizations for working with open hub destinations
Data Warehousing Workbench – currency translation type/S_RS_CTT | Authorizations for working with currency translation types
Data Warehousing Workbench – quantity conversion type/S_RS_UOM | Authorizations for working with quantity conversion types
Data Warehousing Workbench – key date derivation type/S_RS_THJT | Authorizations for working with key date derivation types
Authorization object for the RS trace tool/S_RS_RST | Authorization object for the RS trace tool
Authorization for the analysis process/RSANPR | Authorizations for working with analysis processes

 

Important HR Authorization Objects - III

 

P_CH_PK (HR-CH: Pension Fund: Account Access)

The P_CH_PK authorization object contains the following fields, which are tested during an authorization check:

Authorization Field | Long Text
KONNR | Number of Individual PF Account
AUTGR | HR-CH: Authorization for PF Accounts
PKKLV | HR-CH: Pension Fund: Authorization Level for Account Access

 

More Information About the Fields

  • The KONNR field specifies which pension fund accounts an administrator is authorized to access.
  • The AUTGR field specifies the permissible authorization groups for the authorization check.
  • The PKKLV field specifies which operations (authorization level) the user is authorized to perform in pension fund accounts. The following values are possible:

-: No Access

R: Read authorization

W: Write authorization

X: Extended authorization (for example, offsetting entries for postings or changing the lock date)

 

P_PYEVDOC (HR: Posting Document)

The P_PYEVDOC authorization object contains the following fields, which are tested during an authorization check:

Authorization Field | Long Text
BUKRS | Company Code
ACTVT | Activity

 

More Information About the Fields

The ACTVT field contains the activities for posting documents that are possible as part of the authorization check. The ACTVT field can have the following values:

03: Display

10: Post

28: Display Line Item

43: Release

 

 

 

 

P_BEN (HR: Benefit Area)

The P_BEN authorization object contains the following fields, which are tested during an authorization check:

Authorization Field | Long Text
PBEN_AREA | Benefit Area
ACTVT | Activity

 

More Information About the Fields

The ACTVT field contains the activities for benefits that are possible as part of the authorization check. The field can have the following values:

02: Change

03: Display

 

P_PE01 (HR: Authorization for Personnel Calculation Schemas)

The P_PE01 authorization object contains the following field, which is tested during an authorization check:

Authorization Field | Long Text
P_AUTHPE01 | HR Schema: Authorization

 

P_PE02 (HR: Authorization for Personnel Calculation Rule)  

The P_PE02 authorization object contains the following field, which is tested during an authorization check:

Authorization Field | Long Text
P_AUTHPE02 | Personnel Calculation Rule: Authorization