BW Authorization

Field Based Authorization in BW BEx queries

SAP DEVELOPER NETWORK | sdn.sap.com
BUSINESS PROCESS EXPERT COMMUNITY | bpx.sap.com
© 2006 SAP AG

Applies to: SAP BW version 3.5 (NetWeaver 2004 BI)

Summary
This document walks readers through a step-by-step example of how to enable field-based authorizations in BEx queries. The article assumes no prior knowledge of authorization objects and provides an exhaustive solution, replete with screenshots, for a clear understanding of the configuration.

Author(s): Nikhil Chowdhary
Company: Infosys Technologies Limited
Created on: 05 October 2006

Author Bio
Nikhil Chowdhary is an SAP Certified Solution Consultant for NetWeaver 2004 BI and is currently working as an Associate Consultant for Infosys Technologies Limited.


Table of Contents
Applies to
Summary
Author Bio
The Requirement
Step-by-step guide to add authorization on the cost center object
    Step 1: Define the 0COSTCENTER InfoObject as Authorization Relevant
    Step 2: Create a reporting authorization object for this InfoObject
    Step 3: Assign the authorization object to the relevant InfoProviders
    Step 4: Add this new authorization object to the relevant roles/users
    Step 5: Add a variable to the query
Disclaimer and Liability Notice


The Requirement

We want to give users access only to specific values of an InfoObject when executing BEx queries, i.e., they will see only data that has the values assigned to them for this field. Let's take an example: say we want users to see only data pertaining to their cost centers. The steps to follow are given below.

Step-by-step guide to add authorization on the cost center object

Step 1: Define the 0COSTCENTER InfoObject as Authorization Relevant:
Open the InfoObject in change mode and go to the Business Explorer tab. There is a check box at the bottom of the general settings section that needs to be checked to make the InfoObject authorization relevant. Unless this is done, the object will not be visible in RSSM, and it will not be possible to create an authorization object based on this InfoObject.

Step 2: Create a reporting authorization object for this InfoObject:
This would be done through transaction RSSM. Go to transaction RSSM and create a new authorization object from the top box:


The create button brings up a screen asking for the authorization object name and description. Once you enter these values, the next screen lets you choose your InfoObject from a list of all objects that have been marked as authorization relevant (through Step 1). Select the 0COSTCENTER object and transfer it to the left pane. Once it's done it should look like the screen below:

Step 3: Assign the authorization object to the relevant InfoProviders:
This is again done through transaction RSSM. It forces the reporting authorization object to be checked whenever ANY query on the cubes to which it is added here is executed. In our example, say we have an InfoCube called ACCA_C11 and we need all queries on this cube to check for this authorization.


So we enter the name of this cube in the second pane and then click on the change button:

This opens a screen that allows you to select which authorization objects should be checked for this InfoProvider. The list only shows the authorization objects for which the corresponding InfoObject (0COSTCENTER in our example) is present in the InfoProvider. So in our case we will select the checkbox next to our authorization object:

Step 4: Add this new authorization object to the relevant roles/users:
This can be done through transaction PFCG. When the object is added to the roles/users, we also need to specify the values to which each user in that role has access for this InfoObject. This is mostly a Basis or BW system admin job. In our example we need to specify, say, that for the combination of role 1 and authorization object Z_CCTR2 the valid values are 100101, 100102 and 100103. In the example screenshot below I have given myself access to all cost centers by putting in a ‘*’:

Step 5: Add a variable to the query:
This is required because the query needs to be able to restrict data by cost center dynamically. We need to create a variable to restrict the 0COSTCENTER InfoObject. The variable should be of type authorization, and should take a single value, multiple single values or an interval (based on how the values are defined in Step 4). It is advisable to add the 0COSTCENTER InfoObject, restricted by this variable, in the filter section of the query.

This variable needs to be added to all queries that are based on the InfoProvider we selected in Step 3 and that contain the 0COSTCENTER object. Any query based on the InfoProvider (ACCA_C11 in our case) in which the 0COSTCENTER InfoObject is NOT restricted by this authorization variable will generate an error message for restricted users (users who do not have a * value as defined in Step 4). This is because the query will try to fetch the data for all cost centers, but the authorization object will not return all the data once it checks that the user is restricted to specific values of 0COSTCENTER.

We have to use this variable to restrict 0COSTCENTER in every query based on our selected InfoProvider (ACCA_C11). An example of such a variable will be:
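The check behaviour described in Step 5 can be reproduced outside the system to see why an unrestricted query fails for a restricted user instead of returning a reduced result. The following Python model is an added example, not SAP code and not part of the original article; the user names, the extra cost centers 100104 and 100105, the function names and the status strings are assumptions made for illustration.

```python
# Added illustration (not SAP code): models the Step 5 check for 0COSTCENTER.
# All data below is constructed; user names and status strings are assumptions.
COST_CENTERS = ["100101", "100102", "100103", "100104", "100105"]  # in ACCA_C11

# Values maintained per user for the authorization object in Step 4.
ROLE_VALUES = {
    "restricted_user": ["100101", "100102", "100103"],  # single values
    "interval_user": [("100102", "100104")],            # interval
    "admin_user": ["*"],                                # all cost centers
}


def authorized_values(user):
    """Expand single values, intervals and '*' against the cube's cost centers."""
    allowed = set()
    for entry in ROLE_VALUES.get(user, []):
        if entry == "*":
            return set(COST_CENTERS)
        low, high = entry if isinstance(entry, tuple) else (entry, entry)
        allowed |= {c for c in COST_CENTERS if low <= c <= high}
    return allowed


def run_query(user, filter_values=None, use_auth_variable=False):
    """Return (status, cost centers read) for a query on the protected cube.

    filter_values=None models a query that leaves 0COSTCENTER unrestricted.
    use_auth_variable=True models the authorization variable: the filter is
    filled from the user's authorized values before the check runs.
    """
    allowed = authorized_values(user)
    if use_auth_variable:
        requested = allowed
    elif filter_values is None:
        requested = set(COST_CENTERS)
    else:
        requested = set(filter_values)
    # The check is all-or-nothing: a selection that reaches beyond the
    # authorized values is rejected, not silently trimmed.
    if not requested or not requested <= allowed:
        return ("NO_AUTHORIZATION", [])
    return ("OK", sorted(requested))


if __name__ == "__main__":
    for user in ROLE_VALUES:
        print(user, "unrestricted:", run_query(user))
        print(user, "auth variable:", run_query(user, use_auth_variable=True))
```

A user with no values maintained at all is rejected even when the variable is used, which is a useful case to test after role changes.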


Disclaimer and Liability Notice

This document may discuss sample coding or other information that does not include SAP official interfaces and therefore is not supported by SAP. Changes made based on this information are not supported and can be overwritten during an upgrade. SAP will not be held liable for any damages caused by using or misusing the information, code or methods suggested in this document, and anyone using these methods does so at his/her own risk. SAP offers no guarantees and assumes no responsibility or liability of any type with respect to the content of this technical article or code sample, including any liability resulting from incompatibility between the content within this document and the materials and services offered by SAP. You agree that you will not hold, or seek to hold, SAP responsible or liable with respect to the content of this document.