Scribd Logo
Upload

Welcome to Scribd!

  • BI Security Activities in SAP

    Uploaded by

    Srikanth Inja
    280 views11 pages
    BI Security Activities in SAP

    Copyright

    © © All Rights Reserved

    Available Formats

    DOCX, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    BI Security Activities in SAP

    Copyright:

    © All Rights Reserved
    Download as DOCX, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    280 views11 pages

    BI Security Activities in SAP

    Uploaded by

    Srikanth Inja
    BI Security Activities in SAP

    Copyright:

    © All Rights Reserved
    Download as DOCX, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 11

    Authorization Requirements for a Reporting-User

    S_RS_COMP : Using this authorization object, you can restrict the


    components that you work with in the Business Explorer query definition.

    S_RS_COMP1 (Query owner) : With this authorization object, you can


    restrict query component authorization with regards to the owner.

    S_RFC (BEx Analyzer ) : With this authorization object, user will be


    using the BEx Analyzer reporting tool.

    S_TCODE (RRMX for BEx Analyzer) : User will need to have


    authorizations for object S_RFC and S_TCODE with authorization for the tcode RRMX.

    S_RS_FOLD: Disable the InfoAreas button in the BEx Analyzer Open


    Queries dialog box.

    Tables used in BI Security:


    RSECVAL - Authorization Value Status

    RSECHIE

    Status of Authorization Hierarchies

    RSECTXT

    Authorization Texts

    RSDCUBE

    Directory of InfoCubes / InfoProvider

    RSDCUBEIOBJ

    RSDCHA

    Objects per InfoCube (where-used list)

    Characteristic Catalog

    How to find the list of roles of a particular query/ How to find whether
    user has access to the role in which the executed query exists
    You can find the query name from trace report or you can ask the user.
    Provide the query name in RSRREPDIR and find the technical query name.
    RSRREPDIR

    Directory of all reports (Query GENUNIID)

    Provide the technical query name (Unique ID) in AGR_HIER and find the list of
    roles.

    Different Kind of roles assigned in BI:


    There are 3 kinds of roles assigned to the reporting users.
    1. Menu Role
    2. Authorization role
    3. Common Authorization role

    Menu Role : RRMX and queries will be assigned in menu. No


    authorizations will be assigned through this role. Users will be able to see
    only these queries while logging into Portal.

    Authorization role: This role contains the analysis authorizations


    required for the queries assigned in the menu role.

    Common Authorization role: This role contains all required


    authorization to run a query by the reporting user.

    Assigning workbooks to roles:


    If a user wants to save a workbook to a location where it can be easily accessed
    by others, they need to save to a Role. S_USER_AGR is required to the user to
    save theworkbook to the Menu area of the role.

    Analysis Authorizations:
    When user executes a query which has an infoobject which is authorization
    relevant, then user needs to have analysis authorizations to execute the query.

    Analysis authorizations are created using RSECADMIN.


    We need to have access to the authorization object S_RSEC to create the
    analysis authorizations.

    0BI_ALL is a standard analysis authorization which grants authorisations for all


    values of all authorization relevant characteristics.
    It is automatically adjusted whenever a new infoobject is set to authorization
    relevant.

    Special characteristics/business content characteristics :


    0TCAACTVT (Activity): display (03).
    0TCAIPROV (InfoProviders): grants authorization to particular InfoProviders.
    0TCAVALID (Validity): grants authorization to specific time periods.
    Apart from the above special characteristic, we need to add the authorization
    relevant infoobject in the analysis authorization.

    RSECAUTH:
    Using a colon(:) as an authorization value enables to execute queries which do
    not have auth relevant info object that are checked in the infocube and provide
    aggregate data for the characteristic level for which user does not have access.

    These authorization values can be assigned as single value, ranges and pattern
    (*).
    EQ: single value
    BT: range of values
    CP: contain pattern; ABC*

    RSECADMIN Trace(RSECPROT)
    Transaction code RSECADMIN is specific to BI and only traces the custom
    reporting authorization objects you create to control access to InfoObject values.

    There are 2 ways to run trace:


    1. Choose the button Error Logs, add the user to the list and ask the user to
    run the query.

    2. Choose the button Execution as option if you know the query type the
    user name, check With Log and execute the query yourself.

    You can find all the traces executed by yourself if you provide blank date and
    * in restricted user.

    There are 2 kinds of error messages in trace reports.


    Message EYE001 : If the user does not have the access to the InfoProviders
    with a certain activity.
    Message EYE007 : If the user does not have access to particular infoobject.
    For example, in the below screenshot, user is missing access to sales org
    0020.

    Analysis Authorization maintenance :


    Analysis authorizations can be assigned indirectly through roles using
    S_RS_AUTH or directly through RSU01.

    You might also like