Applies to
How to implement Multi Dimensional authorization in BW reports: SAP BI 7.0 version and higher
For more information, for more information, visit the EDW homepage.
Summary
This document will provide information regarding implementing multi-dimensional authorization concept in BW reports. Also it contains the information regarding analysis Authorization and customer exit variable etc
Author: Arvind Tekra
Company: Infosys Technologies.
Created on: 4th June 2014
Author Bio
Arvind Tekra has been working in various technologies in SAP BI. He is mainly responsible for implementing SAP BI/BO projects and has worked extensively on SAP BI Modeling.
Introduction
Whenever the analysis authorization of a user is combined, the authorization variable implemented in the report is not able to restrict the data at the appropriate combination which might lead to user getting message of “No appropriate authorization” when executing the report. This is explained better with the scenario explained below:
Objective
In the below example is a requirement from the user that the user should be able to see all the Sales Org for a particular Sales Division (as part of the global team) and for a specific Sales Org he should see all Sales Divisions (as per his role of a regional manager). As per the requirement two analysis authorization objects were created and assigned to the user. The analysis authorizations would make sure at the database level that the users see the appropriate data as per the user’s access, however the BW query is not able to read it appropriately and it throws an error message to the user.
| Analysis Authorization | Sales Org | Sales Division |
| TEST | 1000 | * |
| TEST12 | * | 10 |
Both the analysis authorization are assigned to the TESTUSER1.
A simple BW query is built for the demo purpose, it has authorization variables in the selection screen.
If we execute this report in Tcode-RSRT with a user with all access we get the below data.
Selection Screen:
Output:
From the above output we can see the combination for which TESTUSER1 is authorized for has data available in the report.
If we now run the report with TESTUSER1:
Selection screen:
The values are not populated as for individual charactersitics, it reads as * access from the authorizations.
If we execute the report, then we get the error message that no authorization is there as he only has access for combinations of data and not all the data.
The above example takes into consideration only two characteristics and in other business scenario we may have scenarios where the access can be defined on combination of 3-4 characteristics.
Solution
The solution can be divided into two parts:
· Automatic generation of analysis authorization for the user for the desired combination.
· Introduction of a concatenated object which is a combination of Sales Org/Division, this object can be used to restrict the output of the BW report as per the users authorization.
The following design can be implemented for the solution. The user access matrix can be maintained in an ECC table by the business itself. The business team can enter the user and the combination matrix on which the users should have access.
ECC table:
| User | Sales Org | Sales Division |
| TESTUSER1 | 1000 | * |
| TESTUSER1 | * | 10 |
In ECC a customized extractor (data source) can be built which fetches this information and passes it to BW system. The below data model can be built to fetch the user access matrix in BW.
In DSO1 we need to add an additional object which is concatenation of the two objects with a differentiator in between. The differentiator will help in distinguishing the values of the Sales Org/ Sales Division. In the below example we have used “/” as the differentiator, the differentiator can be any special symbol which is allowed in the BW and is not used in the value of the characteristics used for the combination. The concatenated object can be populated in the DSO by writing this logic in the transformation.
DSO1 sample entries:
| User
(ZUSER) |
Sales Org
(ZSA_ORG) |
Sales Division (ZSA_DIV) | Sales Org/Division
(ZSA_ORDI) |
| TESTUSER1 | 1000 | * | 1000/* |
| TESTUSER1 | * | 10 | */10 |
The concatenated object is also added to the cube and the data is populated by defining the logic in transformation same as the DSO1 transformation.
DSO entries:
Cube entries:
To fully automate this solution the following design can be used.
Copy DSO’s for authorization can be created
DSO2: copy of Authorization data (values) (0TCA_DS01)
DSO3: copy of Description texts for authorizations (0TCA_DS03)
The authorization DSO’s are used to generate the authorizations on Sales Org and Sales Division
- In the transformation from DSO1 (ZUSER_1) à DSO2 (Z_DS01) the below expert routine can be used, this would convert the entries into the format of authorization generation.
Data: WA_SOURCE_PACKAGE LIKE LINE OF SOURCE_PACKAGE.
SORT SOURCE_PACKAGE BY TCTUSERNM.
LOOP AT SOURCE_PACKAGE INTO WA_SOURCE_PACKAGE.
RESULT_FIELDS–tctusernm = WA_SOURCE_PACKAGE–TCTUSERNM.
RESULT_FIELDS–tctobjvers = ‘A’.
RESULT_FIELDS–tctoption = ‘EQ’.
RESULT_FIELDS–tctsign = ‘I’.
RESULT_FIELDS–tctadfrom = ‘19000101’.
RESULT_FIELDS–tctadto = ‘99991231’.
***********Sales Org*******************
RESULT_FIELDS–tctauth = ‘SALESORG’.
RESULT_FIELDS–tctiobjnm = ‘0TCAACTVT’.
RESULT_FIELDS–tctlow = ’03’.
APPEND RESULT_FIELDS TO RESULT_PACKAGE.
RESULT_FIELDS–tctiobjnm = ‘0TCAVALID’.
RESULT_FIELDS–tctlow = ‘*’.
APPEND RESULT_FIELDS TO RESULT_PACKAGE.
RESULT_FIELDS–tctiobjnm = ‘0TCAIPROV’.
RESULT_FIELDS–tctlow = ‘ZSALES_M1’.
“Mention the cube on which the report is built
APPEND RESULT_FIELDS TO RESULT_PACKAGE.
“This name can be changed as per the description you require for the aut“horization
RESULT_FIELDS–tctiobjnm = ‘ZSA_ORG’.“Sales org object
RESULT_FIELDS–tctlow = WA_SOURCE_PACKAGE–/BIC/ZSA_ORG.
APPEND RESULT_FIELDS TO RESULT_PACKAGE.
***************Sales Division*******************
RESULT_FIELDS–tctauth = ‘SALESDIV’.
RESULT_FIELDS–tctiobjnm = ‘0TCAACTVT’.
RESULT_FIELDS–tctlow = ’03’.
APPEND RESULT_FIELDS TO RESULT_PACKAGE.
RESULT_FIELDS–tctiobjnm = ‘0TCAVALID’.
RESULT_FIELDS–tctlow = ‘*’.
APPEND RESULT_FIELDS TO RESULT_PACKAGE.
RESULT_FIELDS–tctiobjnm = ‘0TCAIPROV’.
RESULT_FIELDS–tctlow = ‘ZSALES_M1’.
“Mention the cube on which the report is built
APPEND RESULT_FIELDS TO RESULT_PACKAGE.
“This name can be changed as per the description you require for the aut“horization
RESULT_FIELDS–tctiobjnm = ‘ZSA_DIV’.“Sales Division object
RESULT_FIELDS–tctlow = WA_SOURCE_PACKAGE–/BIC/ZSA_DIV.
APPEND RESULT_FIELDS TO RESULT_PACKAGE.
CLEAR RESULT_FIELDS.
ENDLOOP.
The entries of DSO after loading.
The text for the TCTAUTH (authorizations) defined above can be loaded in copy of DSO 0TCA_DS03, this text appears in the user profile for the authorization. After loading the DSO1 and DSO3 execute the report “RSEC_GENERATE_AUTHORIZATIONS” with the DSO’s and generate the profile.
Screenshot of user profile in RSECADMIN:
The loading and generation of the analysis authorization can be done using a Process chain.
The BW query is enhanced and the concatenated object is added in the filter selection, the variable used is of type “customer exit”. In the customer exit code the DSO ZUSER_1 can be read for the allowed concatenated values. This way the overall report would be restricted to the allowed values only and the report will not throw any error message for authorization.
Sample code for the exit.
DATA: l_s_range TYPE rsr_s_rangesid,
lv_user TYPE sy–uname,
lv_zconcobj TYPE STRING,
L_S_VAR_RANGE LIKE LINE OF I_T_VAr_RANGE.
Data: I_ZUSER_1 type STANDARD TABLE OF /BIC/AZUSER_100,“INTERNAL TABLE TO DETERMINE AUTH VALUES
WA_ZUSER_1 like line of I_ZUSER_1.
CASE I_STEP.
WHEN ’01’. “BEFORE USER INPUT
************FUNCTION TO DETERMINE THE USER NAME********
CALL FUNCTION ‘RSEC_GET_USERNAME’
IMPORTING
e_username = lv_user.
*******************************************************
“SELECT FROM ZUSER_1 FOR USER
SELECT <span
