
Step-by-Step SAP BI Security

SAP BI security is an integral part of any BI implementation. Integrating all
the data coming from various source systems and providing data access
based on the user's role is one of the major concerns of all BI projects.
Security of SAP R/3-ECC systems is based on activities, while SAP BI
security is focused on what data a user can access. Security in BI is
categorized into 2 major categories:
Administrative Users - The way we maintain security for administrative
users is the same as ECC security, but we have additional authorization
objects in the system which are defined only for BI objects.
Reporting Users - We have separate tools (Analysis Authorization) to
maintain security for reporting users.
What is an Authorization Object
It allows the system to check whether a user is allowed to perform a certain
action. Actions are defined on the fields, and each field in the authorization
object should pass the check. We can check all the Standard BI Authorization
Objects using tcode SU21 under the Business Warehouse folder:

With SAP BI 7.0 we have a new tool to maintain the reporting level
security. We can access this new tool using tcode RSECADMIN, which
replaces the old RSSM tool of BW 3.x.

Below are the step-by-step instructions to create/maintain authorization
objects for SAP BI Reporting:
I am covering the scenario where each employee (Sales Team) is assigned
one territory number, and the data should be accessible to the employee
based on their territory only. For this scenario to work we have to set a
security restriction on the corresponding territory InfoObject (ZDWSLTER).

- The first step before we create any Authorization Object is to set all the
InfoObjects for which we want to restrict data access as authorization
relevant.

Authorization Objects on InfoObject's of type Characteristic:
- For accessing the new Analysis Authorization tools we use tcode
RSECADMIN -> Authorizations Tab -> Maintenance Button

- We can also use tcode RSECAUTH directly to come to the maintenance
screen:

- We have to give the technical name of the Authorization Object
(ZDWK;TEST), then hit the create button:

- The very first step of creating any Authorization Object is to add the
special characteristics as fields for restriction:

- The below characteristics are mandatory for defining any Authorization
Object. If we don't have these we will get no access to any InfoProvider. By
default this gives us access to all the InfoProviders (Full Access), but we can
also set the value of the InfoProvider for which we want the Authorization
Object to work.

- Now I am adding the InfoObject (ZDWSLTER) for which we want to add the
restriction:

- We can double click on the newly added InfoObject, and can define the
value which we want to allow for this InfoObject. We can also set the
dynamic value using Customer Exit Code, which we will cover later in this
blog.

- Saving the changes:



Assigning Authorization Objects to Users:
- Go back to the previous screen (RSECADMIN) by hitting the back button, and
click on the assignment button under the user tab:

- Now we can assign the created Authorization Object to any user using this
tool.

- Adding the created Authorization Object (ZDWK;TEST) to the user
ZNBITSRTS. I will be using the same user throughout this blog for running
any query so that it can use the restrictions which are applied using the
Authorization Object.

- We can also assign the authorization to users through role/profile using
the standard Authorization Object S_RS_AUTH:

- We can check the Authorization Objects assigned using roles/profile for
any user using tcode RSU01, or we can also use the path tcode RSECADMIN
-> user tab -> assignment -> user -> role-based

- A user with Authorization Object 0BI_ALL has full access to data, and it
can override any other Authorization Object assigned to that user.

- Query on InfoProvider with Authorization Objects: Below is the test query
in which I added the InfoObject for which we created the test Authorization
Object (ZDWK;TEST).

- I am running the query with the same user name (ZNBITSRTS) to whom we
assigned the Authorization Object (ZDWK;TEST):

- The query output displays the authorization error, and we can check the
error log using tcode RSECPROT:

- The below log explains that we are missing some of the characteristics for
the created object. Logically we can think that we are only using one
characteristic in our query and we did add it in the Authorization Object, so
why are we still getting an Authorization Error? The reason is that we always
have to add all the authorization relevant InfoObjects of the InfoProvider on
which we created the query.

- Now I added all the missing InfoObjects with full access for the
Authorization Object (ZDWK;TEST):

- I have restricted the query with an input-ready variable on InfoObject
territory (ZDWSLTER):

- Running the query with the same territory that I assigned for the territory
field of the Authorization Object:

- The query returns output without any authorization error:

- We can check the log in RSECPROT for the last run of the query:

- Running the same query with some different territory number:

- We got the authorization error because the value which we assigned for
the object is not the same as what we passed:

Authorization Variable on Query:
Using the Authorization Variable we can populate the value of the InfoObject
at run-time directly from the Authorization Object field's value.

- If we have an authorization variable defined for the query, then when we
run the query it will not prompt us with the variable selection screen & will
run the query directly for the value we defined for the field of the
Authorization Object.

- Rather than assigning fixed values in the authorization object, we can
also define the technical name of the customer exit variable in the field's
value, starting with the '$' symbol, which will read the value of the
Authorization at query run-time based on the return value of the customer
exit code:

- Below is the sample code which reads the territory based on the portal
login-id from the reference table which we have in our BI system:

Use of ':' Symbol in Authorization Objects Field's Value:
- Now I am covering the scenario where the query is not using any InfoObject
for which we have a restriction of values in the Authorization Object. I have
added division as an object in the query, which has full authorization access,
and now we don't have any territory object in the query anymore:

- Even though the division object has full authorization access, when we
still run the query we get an authorization error:

- By checking the authorization log we can clearly see that even though the
query is not using the territory InfoObject, it still checks for its value at
query runtime because this object is part of the InfoProvider on which we have
defined the query:

- To avoid the authorization check for the objects which are not being used
in the query definition we should always add the ':' symbol in the
authorization object field value, which allows queries to run for all the
values of the object even if the object is not part of the query:

- Once we have defined ':', the query works fine (without any authorization
failure):

- Below is the authorization log for the same:
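
A simplified model of the check behaviour walked through in the two sections above, as an added example (not SAP code and not part of the original blog). ZDWSLTER is the territory InfoObject from the text; the InfoObject ZDIVISION, the territory values T001/T002 and the division value D10 are constructed for illustration.

```python
FULL, AGGREGATED = "*", ":"

def check_query(auth, relevant, selections):
    """Return the list of failed checks; an empty list means the query runs.

    auth       -- InfoObject -> set of authorized values ('*' all, ':' aggregated)
    relevant   -- authorization-relevant InfoObjects of the InfoProvider
    selections -- InfoObject -> set of values selected, only for InfoObjects
                  that the query actually uses
    """
    failures = []
    for infoobject in sorted(relevant):
        granted = auth.get(infoobject, set())
        if FULL in granted:
            continue  # full access covers any selection and aggregated display
        if not granted:
            failures.append(f"{infoobject}: missing from the authorization")
        elif infoobject in selections:
            wanted = selections[infoobject]
            # All-or-nothing: every selected value must be authorized; an
            # unrestricted selection (empty set) asks for all values.
            if not wanted or wanted - granted:
                failures.append(f"{infoobject}: selection not authorized")
        elif AGGREGATED not in granted:
            failures.append(f"{infoobject}: not in query and ':' not granted")
    return failures

# Constructed sample data. ZDWSLTER is the page's territory InfoObject;
# ZDIVISION, T001/T002 and D10 are hypothetical names and values.
RELEVANT = {"ZDWSLTER", "ZDIVISION"}
TERRITORY_ONLY = {"ZDWSLTER": {"T001"}}
WITH_DIVISION = {"ZDWSLTER": {"T001"}, "ZDIVISION": {FULL}}
WITH_COLON = {"ZDWSLTER": {"T001", AGGREGATED}, "ZDIVISION": {FULL}}

def run_scenarios():
    own, other = {"ZDWSLTER": {"T001"}}, {"ZDWSLTER": {"T002"}}
    division_only = {"ZDIVISION": {"D10"}}
    return {
        "relevant InfoObject missing": check_query(TERRITORY_ONLY, RELEVANT, own),
        "own territory": check_query(WITH_DIVISION, RELEVANT, own),
        "other territory": check_query(WITH_DIVISION, RELEVANT, other),
        "territory not in query": check_query(WITH_DIVISION, RELEVANT, division_only),
        "':' added": check_query(WITH_COLON, RELEVANT, division_only),
    }

if __name__ == "__main__":
    for name, failures in run_scenarios().items():
        print(f"{name:28} {'OK' if not failures else 'DENIED: ' + '; '.join(failures)}")
```

The five scenarios follow the order of the walkthrough: the first error in RSECPROT, the successful run, the run with a different territory, the query without the territory InfoObject, and the same query after ':' is added.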

Authorization Objects on InfoObject's of type Key Figure:
- I created one test query with 2 key figures as output.

- Output of query:

- We can restrict this query to show the data only for one key figure. For
this we just have to add the required key figure (Record Count -
ZDWCOUNT) as value for the field 0TCAKYFNM of our test authorization
object (ZDWK;TEST).

- Now if we run the same query it will not show data for any other key
figure except the one which we added in the authorization object definition.

- The log also explains the reason for the authorization error for the 2nd
key figure:

Authorization Objects on InfoObject's of type Hierarchy:
- I assigned a brand hierarchy on the same test query:
- When we run the query it shows data for all the brands as well as the
not-assigned brands:

- We can restrict the hierarchy using the Authorization Object to show data
only for the 1st node of the above displayed hierarchy:

- Assigned the node:

- Selected the Type of Authorization as '1', which will allow the hierarchy to
show all the nodes which are below the selected node:

- After adding the authorization on the brand hierarchy we now only see the
data for the node which we restricted in the hierarchy authorization value:
Assigning Authorization objects to Users in BI/BW
Assigning Authorization Objects to Users:

- Go to the screen (RSECADMIN), and click on the assignment button under the user tab:
- Now we can assign the created Authorization Object to any user using this tool.
- Adding the created Authorization Object (ZDWK;TEST) to the user ZNBITSRTS. I
will be using the same user throughout this blog for running any query so that it
can use the restrictions which are applied using the Authorization Object.
- We can also assign the authorization to users through role/profile using the
standard Authorization Object S_RS_AUTH:
- A user with Authorization Object 0BI_ALL has full access to data, and it can
override any other Authorization Object assigned to that user.
- Query on InfoProvider with Authorization Objects: Below is the test query in
which I added the InfoObject for which we created the test Authorization Object
(ZDWK;TEST).
BW Security (Authorizations)
The following are some of the relevant SAP BW Security transaction
codes.

Transaction Code   Description
RSA1               Transaction RSA1 is the main transaction for administrative
                   functions in SAP BW (Administrator Workbench)
RSD1               This transaction code can be used to mark objects as
                   relevant for authorization (InfoObject Maintenance)
RSSM               This transaction code can be used to create and modify
                   authorization objects in SAP BW
RSZV               This transaction code is used to create or modify the
                   variables for authorization checks (Variable Maintenance)
RRMX               Business Explorer is the reporting tool in SAP BW and is
                   used for analyzing data.
GLOBAL_TEMPLATES   Templates for modelling and evaluating data
How to Activate Authorizations in BW:
The following steps explain how to activate the authorizations in BW.
1) Mark InfoObject as relevant for authorization tcode -> RSD1
2) Create report authorization object tcode -> RSSM
3) Select InfoCubes tcode -> RSSM
4) Manually integrate authorization object in role tcode -> PFCG
5) Change / Maintain authorization values -> PFCG
6) Assign role to user tcode -> PFCG or via Central User Administration

Hierarchical Authorizations in BW
The following steps describe how to control authorizations for
hierarchies
1) Transfer and activate InfoObject 0TCTAUTHH tcode -> RSD1
2) Mark InfoObject 0TCTAUTHH as relevant for authorization tcode -> RSD1
3) Mark Leaf InfoObject as relevant for authorization tcode -> RSD1
4) Create authorization objects with 0TCTAUTHH and Leaf InfoObject -> RSSM
5) Define hierarchical authorizations tcode -> RSSM
6) Manual integration of authorization object in role tcode -> PFCG
7) Maintain authorization values tcode -> PFCG
8) Assign role to user tcode -> PFCG or via Central User Administration
For extracting structural authorizations from HR (mySAP ERP HCM) and
mapping them in SAP BW to maintain consistency between the two systems, the
tables of interest are:
1) T77PR - for Structural Authorization profiles
2) T77UA - for user assignments
3) T77UU - for users (in this table you can select the users for extraction.
You can either select all or specific users)
Structural Authorizations in SAP BW
The following steps show the way Structural Authorization is enforced in SAP
BW.
The following steps are to be carried out in the mySAP ERP HCM system.
1) Call program RHBAUS02 for uploading Table T77UU and enter users.
2) Call program RHBAUS00 for generating an index for structural
authorization profile
3) Activate Data source 0HR_PA_2.
The following steps are to be carried out in the SAP BW system
1) Replicate Data source 0HR_PA_2
2) Activate ODS InfoProvider 0HR_PA_2
3) Create an InfoPackage to perform an extraction for 0HR_PA_2
4) Load ODS data from mySAP ERP HCM
5) Mark InfoObjects as relevant for authorization (In order to use structural
authorizations in SAP BW, all characteristic values like position,
employee etc. which are relevant to reporting should be marked as
authorization relevant InfoObjects.)
6) Create reporting authorization objects
7) Link authorization objects to InfoCubes
8) Call program RSSB_Generate_Authorizations.
SAP BI 7.0 Authorization concept (analysis authorization)
The new SAP BI 7.0 Authorization concept (analysis authorization) changes a lot
in accessing, analyzing and displaying BI information. The approach allows
restricting data access at the Key figure, Characteristic, Characteristic value,
Hierarchy node, and InfoCube levels. It enables more flexible data access
management. Analysis authorization is active by default in SAP BI 7.0 systems
and I think it is worth spending some time to look closer at the new concepts
and the features. In part one of this two-article series, I will show you how
you can restrict access to SAP BW reports on InfoObjects level.
Initial settings
At the beginning activate business content objects (TCode RSORBCT) related to
authorizations:
InfoObjects 0TCA*
InfoCubes 0TCA*
and set the following InfoObjects as Authorization-Relevant:
0TCAACTVT (activity such as Display)
0TCAIPROV (InfoProvider authorization)
0TCAVALID (validity period of authorization)
0TCAKYFNM (if you want to restrict access to key figure)
Characteristics authorization
Use TCode RSA1, go to Modelling -> InfoObjects. Display properties of the
characteristic to which you want to restrict access and set it as
Authorization-Relevant.

Characteristics values authorization
To authorize characteristics values you need to create a new analysis authorization object
through TCode RSECADMIN. The following pictures show how to allow users to access the
specific sales organization (e.g., New York, San Francisco, Dallas).
1. Create new analysis authorization object using Tcode RSECADMIN (e.g.,
Z_SORG_B).
2. Choose characteristic and press Details button.
3. Select sales organization (e.g., 1&12 - New York, 1&1( - San Francisco, 1&15 - Dallas). Available
operators: EQ - single value, BT - range of values, CP - pattern ending with (*) (e.g., abc*). You
also have the option to Include (I) or Exclude (E) values.
Attributes authorization
To authorize navigational attributes, set them as Authorization-Relevant.

Hierarchies authorization
To grant authorization on hierarchy level edit or create authorization object (e.g.,
Z_SORG_B), add hierarchy and nodes, and choose type of authorization.
Key figure authorization
To grant authorization to a particular key figure, add special object 0TCAKYFNM to
authorization object (e.g., Z_SORG_B), and choose the key figure to be authorized.
Summary
InfoObject level authorization gives you great flexibility, but keep in mind system
limitations. Avoid setting too many characteristics as authorization relevant (more than
10 in a query). All marked characteristics are checked for existing authorization if they are in
a query or in an InfoProvider that is being used. Too many authorization objects may slow
query execution. The exception is characteristics with all (*) authorization.
If you want to check which InfoObjects are authorization relevant in your BI system, use
TCode RSECADMIN -> Authorization Maintenance and display 0BI_ALL authorization.
More about 0BI_ALL you will find in the article on creating and assigning authorization.
Remember that authorizations do not work as filters do. It means that the user who is executing
the query, where characteristics are authorization relevant, must have sufficient
authorization to the characteristics ("all-or-nothing" rule). Exceptions are hierarchies in the
drill down and variables which are dependent on authorization.
Steps to Transport SAP BI Queries from Development to Quality Server
In this post I present basic steps to transport SAP BI queries from development to quality
server. The steps are performed in source and target system, so you need authorizations to
release and import objects.
Source system

Start with transaction RSOR (Transport Connection), insert initial and target source system
names using Conversion button (2) and choose grouping type (3). Select queries you
would like to transport to target system and press Execute and then Transport objects
(truck) button.
Release the change request to transport using SE10 transaction. Press Display, choose
tasks and requests you would like to release and press the button with single truck (or F9).
When both task and request have been released successfully, start transport in target system.
Target system

To import queries to quality system start STMS transaction > Import Overview (F5) >
Display Import Queue. On the Import Queue screen select the request and press Import
(truck with a small loading). Choose target client's number and press enter. The queries will be
written to the target system.
Standard BEx Transport Request

When the request you have released was set as Standard BEx Transport Request, you
need to create a new standard request. If there is no standard request, nobody is able to
process queries or workbooks on the system. When you try to do so, you will receive the
error: The query could not be saved due to a problem in transport. BEx transport
request is not available or not suitable.
To create a new request you need to press BEx and then Assign / Delete button, add the
request and save the choice.
Now all new objects and modifications will be written to the chosen BEx transport
request. For more information on the standard transport request see this note: 69:*;6.
Additional resource:
Transporting: role and objects.
Authorizations for change and transport: S_TRANSPRT and S_CTS_ADMI.
