BW & Bi Security


BW SECURITY

Data warehousing in SAP BW represents the integration, transformation, consolidation, cleanup and
storage of data. It also signifies the extraction of data for analysis and interpretation. The data
warehousing process includes data modelling, data extraction and the management of the data
warehouse processes.
SAP BW Authorization Specifics

In an SAP BW system there are two different types of authorization objects.

1. Standard authorization objects: This type of authorization object is provided by SAP and covers
   all checks for e.g. system administration tasks, data modelling tasks, and for granting access to
   Info Providers for reporting. For this type of authorization the same concept and technique is
   used as in an SAP R/3 system.
2. Reporting authorization objects: For more granular authorization checks on an Info Provider's
   data you need another type of authorization object, defined by the customer. With these
   objects you can specify which part of the data within an Info Provider a user is allowed to see.

Both types of authorization objects use the same authorization framework. Technically they are treated
in the same way. However, the design of reporting authorizations is more complex because you need to
design the reporting authorization objects first. This is an additional step that needs to be treated with
care because the structure of the authorization objects determines the possible use in regards to
selections, combinations and granularity. In your project you need expertise in the area of reporting
authorizations; knowledge of the basis authorization framework is not sufficient.
User Type in BW
There are different types of users in SAP BW. Most of your users will be the users who execute queries
and workbooks. These people could be considered "reporting users" or "end users."
Reporting User Security
Authorization Objects Used Primarily by Reporting Users
In order to execute any query, you must have access to
S_RS_ICUBE, S_RS_COMP, S_RS_COMP1 and S_RS_FOLD.
S_RS_COMP is a powerful object that enables you to make choices on how to secure. There is one field
in S_RS_COMP that relates to the query, and another field that relates to the Info Cube. This gives you
the option to secure by query name, Info Area, or Info Cube.

Tips

Info Area = group of Info Cubes
Info Cube = actual data
Info Object = field (for example: company code, plant, or cost center)
There are also users who develop new queries. Some people may refer to them as "power users" or
"data analysts." The users who develop queries may also create new workbooks and may be responsible
for publishing that information to the right audience.
Then, there are users who create new objects like Info Cubes, Info Areas, and Info Objects. They also
schedule data loads, create update rules for Info Cubes, monitor performance, and set up source
systems. The users who do these tasks are normally referred to as "administration users."

Administrator
There are users who create new objects like Info Cubes,
Info Areas, and Info Objects. They also schedule data loads, create update
rules for Info Cubes, monitor performance, and set up source systems. The
users who do these tasks are normally referred to as "administration users."
Some of the common tasks performed by administration users are:

Set up and maintain different source systems and connections to SAP BW
Manage metadata and define new Info Objects, Data Sources, and Info Sources
Create transfer rules and update rules
Design Info Cubes
Schedule and monitor data-loading processes

Administration authorization objects are primarily used when doing
anything in the Administrator Workbench (transaction code RSA1). The
primary objects used are:
S_RS_ADMWB: Administrator Workbench - Objects
Authorization object S_RS_ADMWB is the most critical authorization
object in administration protection. When you do anything in transaction
code RSA1, object S_RS_ADMWB is the first object checked. There are two
fields in this object: Activity and Administrator Workbench Object. Each of
the two fields can have a variety of values.
The possible values for the Administrator Workbench field are:

Source Sys: Working with a source system
Info Object: Creating and maintaining Info Objects
Monitor: Monitoring data brought over from the source systems
Workbench: Checked as you execute transaction code RSA1
Info Area: Creating and maintaining Info Areas
Appl Comp: Limiting which application components you can access
Info Package: Creating and scheduling Info Packages for data extraction
Metadata: Replication and management of the metadata repository

The following list shows possible values for the Activity field.

Maintain - 03
Execute - 16
Administer document storage - 23
Update metadata - 66

Other Authorization objects for Admin user

Authorization object (technical name): Description

Administrator Workbench - Objects (S_RS_ADMWB): Authorizations for working with individual objects of the
Administrator Workbench. In detail, these are: source system, InfoObject, monitor, application component,
Info Area, Administrator Workbench, settings, metadata, Info Package, Info Package group, Reporting Agent
settings, Reporting Agent package, documents (for metadata, master data, hierarchies, transaction data),
document store administration, Info Spoke.

Administrator Workbench - Info Object (S_RS_IOBJ): Authorizations for working with individual Info Objects
and their sub-objects. Until Release 3.0A, only general authorization protection was possible with
authorization object S_RS_ADMWB. General authorization protection for Info Objects still works as in the
past. Special protection with S_RS_IOBJ is only used if there is no authorization for S_RS_ADMWB-IOBJ.

Administrator Workbench - InfoSource (flexible update) (S_RS_ISOUR): Authorizations for working with
InfoSources with flexible updating and their sub-objects.

Administrator Workbench - InfoSource (direct update) (S_RS_ISRCM): Authorizations for working with
InfoSources with direct updating and their sub-objects.

Administrator Workbench - InfoCube (S_RS_ICUBE): Authorizations for working with InfoCubes and their
sub-objects.

Administrator Workbench - MultiProvider (S_RS_MPRO): Authorizations for working with MultiProviders and
their sub-objects. Until BW 3.0B, Support Package 1, authorizations for MultiProviders were checked by
using the authorization object S_RS_ICUBE. As of BW 3.0B, Support Package 2, this can be maintained, or
you can change the check over to the authorization object S_RS_MPRO. To do this, choose in Customizing
under Business Information Warehouse > General BW Settings > Settings for Authorizations.

Administrator Workbench - ODS object (S_RS_ODSO): Authorizations for working with ODS objects and their
sub-objects.

Administrator Workbench - Info Set (S_RS_ISET): Authorizations for working with InfoSets.

Administrator Workbench - Hierarchy (S_RS_HIER): Authorizations for working with hierarchies.

Administrator Workbench - Master data maintenance (S_RS_IOMAD)

Steps to Implement Info Object Security (field-level security)

1. Make the Info Object authorization-relevant.
   The Authorization Relevant setting for an Info Object is made in the Info Object definition
   on the Business Explorer tab. The business needs will drive which Info Objects should
   be relevant for security. Keep in mind that the people using SAP BW are running
   queries to help make strategic decisions on how to better run the business. The decision
   makers typically need to see more data on SAP BW than they would need to see in SAP
   R/3.

2. Create a custom reporting authorization object.
   Since there are no reporting authorization objects provided for Info Objects, you will
   have to create your own reporting authorization object for any Info Object you decide
   to secure. This is done in transaction code RSSM. When creating your reporting
   authorization object, you select which fields to put in the authorization object from a list
   of authorization-relevant Info Objects. Only Info Objects that have been marked
   Authorization Relevant are eligible to be put in a reporting authorization object.

3. Add your new authorization object to a role.
   Once you have created a new reporting authorization object and linked it to the
   appropriate Info Cube(s), users will need access to your reporting authorization object.
   You will need to manually insert your object into a role.

4. Add a variable to the query.
   The reason the variable is required is sometimes unclear at first. If we want a query to
   only provide results based on the division, for example, then the query itself needs the
   ability to filter specific division values. Before we can secure on division, the query must
   be able to restrict data by division. The only way the query can restrict data
   dynamically is through a variable.

5. Link the reporting authorization object to an Info Provider.
   Linking your reporting authorization object to an Info Provider is a very critical step. In
   this step, you will impact people currently executing queries for the Info Provider that is
   now related to your reporting authorization object. This linkage forces your reporting
   authorization object to be checked when ANY query tied to the Info Provider is
   executed.

6. In the SAP Easy Access screen of the SAP Business Information
   Warehouse choose Business Explorer >> Authorizations >> Reporting Authorization
   Objects.

7. Choose Authorization Object >> Create. Enter a technical name and a description for
   the reporting authorization object. Save your entries. On the right-hand side, you get
   an overview of all the Info Objects indicated as authorization-relevant.
   Caution: Only those characteristics that have previously been marked as authorization-relevant
   in Info Object maintenance can be assigned to a reporting authorization object
   as fields.

8. Assign the InfoObject fields to the reporting authorization object:
   Select the characteristics for which an authorization check of the selection conditions
   should be carried out.
   Select the InfoObject key figure (1KYFNM) if you want to restrict the authorization to a
   single key figure.
   Select the Info Object (0TCTAUTHH) if you want to check authorizations for a hierarchy.

9. Save your entries.

Using Workbooks model.

Generally, power users create queries to suit their team's needs and save the results in a workbook. They
may want to save the workbooks to their Favorites folder for easy retrieval later, or they may want to
save the workbooks to a location where other users can execute the same workbook.
Difference between workbooks and queries
An SAP BW user spends more time on the results. They perform activities such as drilling down to
various levels in the data, rearranging the results to highlight certain relationships in the data, and
eventually saving the results to a workbook. Now that the user has spent that time to format the results
in a meaningful way, they would like the results to be in the same format each time they retrieve the
results. To accomplish this, the user does not execute a query, but instead executes a workbook. The
workbook contains the results of the query in the formatted look and feel that the user requires. Data in
a workbook can either be static, refreshed manually, or refreshed automatically when the workbook is
retrieved.
Queries are actually inserted into workbooks so you can display them. A
workbook could contain several queries that are related in nature.
Thus, a query is more the technical definition of what the results should look like. Workbooks are actual
results that have been formatted and can be refreshed each time the workbook is executed.

How the reporting user accesses workbooks, and security related to workbooks.
You must set up security to control who can save workbooks, where they can be saved, and which
workbooks appear in the BEX Browser for a specific user.
Workbooks can also be created in the BEx Analyzer. After executing a query, choose Save > Save as
new workbook.

Securing Workbooks
In order to save a workbook, a user needs two authorization objects. The two objects listed below are
the minimum authorizations a user needs to save workbooks.

S_GUI: Authorization for GUI activities


S_BDS_DS: Authorizations for document set

Using both S_GUI and S_BDS_DS will enable a user to save workbooks to their Favorites folder.
The authorization object S_GUI has one field, Activity. The activity field must be set to 60. For
S_BDS_DS, the user needs activities 03 and 30. The Class Type field should be set to OT.

Saving Workbooks to Roles


If a user wants to save a workbook to a location where it can be easily accessed by others, they need to
save to a Role rather than saving the workbook in their own Favorites folder. Saving to a Role means
saving to a security role.
You may want to set up roles specifically for saving workbooks. You can then assign the role to all
parties who need to share workbooks.
Another option is to not allow users to save workbooks, but rather only allow power users to save
workbooks. This is done to maintain the roles and to ensure that the workbooks are manageable. This
also prevents users from changing workbooks saved by other users.
In order to save workbooks to roles, a user needs:

S_USER_AGR: Authorizations: Role check
S_USER_TCD: Transactions in roles

The authorization object S_USER_AGR has two fields: Activity and Role Name.
Activity: Must have at least values 01 and 02. If the user can delete workbooks, they will also need
value 06.
Role Name: Enter the specific roles you have created for saving
workbooks. Use a proper naming convention for roles so that the roles can be restricted easily. The
role name is the name of a role that will be used to hold workbooks. Saving a workbook to a role
actually updates the Menu portion of a role, so object S_USER_AGR is a required object.
Authorization object S_USER_TCD has one field:
Transaction Code. The user needs value RRMX in this field.
Once a workbook is saved, the data and the layout are saved in the workbook. For security reasons, we
recommend that users save workbooks without the data. To save the workbook without the data, the
user selects the following menu path from the BEx Analyzer: Tools > All queries in Workbooks >
Delete results.
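
The requirements from "Securing Workbooks" and "Saving Workbooks to Roles" can be turned into a review check over a user's authorizations. The following is an added example, not part of the original document or of SAP's tooling. The technical field names (ACTVT, CLASSTYPE, ACT_GROUP, TCD), the ZWB_ naming convention and all sample data are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

def has_auth(auths, obj, **wanted):
    """One authority check: a single authorization of `obj` must cover every
    requested field value ('*' and prefix patterns such as 'ZWB_*' match)."""
    return any(
        o == obj and all(
            any(fnmatchcase(value, granted) for granted in fields.get(name, ()))
            for name, value in wanted.items())
        for o, fields in auths)

def workbook_rights(auths, all_roles, workbook_prefix="ZWB_"):
    """Report which workbook save paths a user's authorizations open up."""
    # Favorites: S_GUI activity 60 plus S_BDS_DS activities 03 and 30, class type OT.
    favorites = has_auth(auths, "S_GUI", ACTVT="60") and all(
        has_auth(auths, "S_BDS_DS", ACTVT=a, CLASSTYPE="OT") for a in ("03", "30"))
    # Roles: S_USER_TCD with RRMX plus S_USER_AGR 01 and 02 (06 to delete) per role.
    rrmx = has_auth(auths, "S_USER_TCD", TCD="RRMX")
    save, delete = [], []
    for role in all_roles:
        if rrmx and all(has_auth(auths, "S_USER_AGR", ACTVT=a, ACT_GROUP=role)
                        for a in ("01", "02")):
            save.append(role)
            if has_auth(auths, "S_USER_AGR", ACTVT="06", ACT_GROUP=role):
                delete.append(role)
    return {
        "favorites": favorites,
        "save_to_roles": save,
        "delete_from_roles": delete,
        # Roles the user can change that were never meant to hold workbooks.
        "outside_convention": [r for r in save if not r.startswith(workbook_prefix)],
    }

# Constructed sample data: role names and authorization values are hypothetical.
ALL_ROLES = ["ZWB_SALES", "ZWB_FINANCE", "Z_FI_AP_CLERK"]
BASE = [
    ("S_GUI", {"ACTVT": ["60"]}),
    ("S_BDS_DS", {"ACTVT": ["03", "30"], "CLASSNAME": ["*"], "CLASSTYPE": ["OT"]}),
    ("S_USER_TCD", {"TCD": ["RRMX"]}),
]
# Restricted to the workbook roles by naming convention, no delete activity.
ANALYST = BASE + [("S_USER_AGR", {"ACTVT": ["01", "02"], "ACT_GROUP": ["ZWB_*"]})]
# Role Name left as '*': the menu of every role becomes writable.
BROAD = BASE + [("S_USER_AGR", {"ACTVT": ["01", "02", "06"], "ACT_GROUP": ["*"]})]

if __name__ == "__main__":
    for name, auths in (("ANALYST", ANALYST), ("BROAD", BROAD)):
        print(name, workbook_rights(auths, ALL_ROLES))
```

A non-empty "outside_convention" list means the Role Name field is wider than the roles created for saving workbooks.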

Step by step instruction on Creating folders and saving workbook

1. Open the Favorites folder in the tree structure of the BEx
   Browser. Place the cursor on the right side of the screen
   and create a new folder (New Folder). Give it an
   appropriate name and specify how you want it presented
   by choosing Select Color and Symbol.
2. Open the BEx Analyzer and execute the selected query.
   Save the workbook by choosing Save > Save as new
   workbook. Enter a name for the query and select the
   sub-folder you created in your Favorites folder. Confirm
   with OK.
3. When you call the BEx Browser, you see the name of the
   query in your new folder, shown as a sub-folder within
   your Favorites folder. Double-click on the workbook
   name to retrieve the saved query results.

The following procedure explains how to create a simple
query using the BEx Query Designer. The results of the query can be
displayed either in Microsoft Excel using the BEx Analyzer or on the web.

Step by step instruction on Creating a new query

1. In the BEx Analyzer, choose Open > Queries from the
   BEx toolbar.
2. On the next screen, choose New. This brings you to a
   selection screen containing all of the InfoCubes for which
   you can define a new query.
3. Select the InfoCube on which you want the query to be
   based by selecting it with the mouse. You can see the
   technical name of the InfoCube by choosing Technical
   Name (wrench icon).
4. After selecting an InfoCube, choose New to create the
   query.
5. The objects available for the InfoCube you have selected
   are shown as a tree structure in the left-hand part of the
   BEx Query Designer. These objects include the key
   figures of the fact table and the characteristics of the
   dimensions.
6. The right-hand part of the screen contains empty
   windows for filter selections, rows, columns, and the free
   characteristics of the query. The bottom right-hand part
   of the screen shows a preview of the query result area.
   This area is empty at first.
7. By choosing the plus or minus symbols for the
   directories, you can expand or compress the directory
   structure. By expanding the key figure node in the
   InfoCube tree, for example, you can display a list of all
   the key figures for the InfoCube.
8. You can drag the characteristics and key figures for the
   InfoCube into the windows for the query definition (filter,
   rows, columns, and free characteristics).
9. When you have finished defining your query, choose
   Save Query. Choose Quit and Use Query (check mark
   icon) to execute and start working with the query.

Thursday, August 23, 2007

Maintaining Authorizations for Hierarchies


Before you can make authorizations for hierarchies, you must first transfer and activate the Info Object
0TCTAUTHH from Content. Make sure that the indicator "relevant for
authorization" is set. You must also create an authorization object for which you want to make the
authorization.
1. Choose Business Explorer > Authorizations > Reporting Authorization Objects.
2. Choose Authorizations > Authorization Definitions for Hierarchies > Change.
3. In the Definition, select the Info Object, hierarchy, and node.
4. Select the Type of authorization:
   0 - for the node
   1 - for a sub tree below the node
   2 - for a sub tree below the node up to and including levels
   3 - for the entire hierarchy
   4 - for a sub tree below the node up to and including levels (relative) (You must specify a level
   that is defined relative to the node for this type. It makes sense to specify a relative distance if
   an employee may only expand the hierarchy to a certain depth below his initial node, but this
   node is moved to another level when the hierarchy is restructured.)
5. Specify a technical name for this definition. If you do not enter a value, a unique ID is set.
6. Now create an authorization for the new authorization object. To do this, enter the technical
   name of the definition as a characteristic value for the characteristic 0TCTAUTHH. For the
   characteristic defined on the hierarchy, specify the value " " (blank). It often makes sense to
   also enter ":" (colon) so that queries without this characteristic are also allowed.
   Hint: If you enter the value "*" here (all characteristic values), the user is allowed to view data
   for all characteristic values, regardless of whether a hierarchy is used or a complete drilldown is
   carried out.

7. Optionally you can use the following fields:

   Top of hierarchy: This option allows you to select the top of the hierarchy instead of a
   node in the hierarchy.
   If, for example, you want to authorize a user to work with a hierarchy from the top
   node, down to a particular level, you can of course authorize the user for the highest
   node in the hierarchy. If, on the other hand, the hierarchy is used in the query without
   a filter set for this node, the user is not able to execute the query.
   This is because the node that is displayed at the highest level in the hierarchy is not
   actually the top of the hierarchy. For example, there is the "All Other Leaves" node. This
   is an internal node, but a node in the hierarchy nevertheless, and it is this node that is
   at the top of the hierarchy, a level higher than the highest node that appears in the
   hierarchy display. If the hierarchy is used in the query, and the top-level node has not
   been specified explicitly, the system checks the authorization against the highest node
   in the hierarchy, meaning the internal node that is not displayed. This option, therefore,
   allows you to determine the top-level node of the hierarchy yourself, so that you can
   ensure that users are assigned the appropriate authorizations.

   Hierarchy level: Within the framework of the authorization check, you can use this
   value to specify to which level the user can expand the hierarchy.
   Please note that this is an absolute value and refers to the entire hierarchy. The highest
   node of a hierarchy stands at level 1.
   If you have entered the value 3 for the
   hierarchy level, for example, then the user can expand/see the hierarchy up to level 3.

   Validity period:
   0: Name, version, and key date identical
   1: Name and version identical
   2: Name identical
   3: All hierarchies

   Node variable default value: If this option is chosen, this definition of a hierarchy
   authorization is used as the default value for node variables.
   If a user is allocated several authorizations for subareas of the same hierarchy, one of
   these authorizations must be defined as the default value in this way. Only one node
   can be chosen for a node variable in the variable screen of a query. In order that this
   variable be filled from the authorizations, the correct variable type must be chosen and
   an authorization must be marked as the default value.
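
The authorization types from step 4 and the absolute "Hierarchy level" rule can be modelled on a small tree to see what each type exposes, and why the relative type survives a restructuring. This is an added sketch, not SAP's implementation or part of the original document. The hierarchy is constructed, and two readings are assumptions: type 1 includes the authorized node itself, and a relative level counts levels below the authorized node.

```python
# Constructed hierarchy: child -> parent (None marks the top node, level 1).
HIERARCHY = {
    "COMPANY": None, "EUROPE": "COMPANY", "ASIA": "COMPANY",
    "GERMANY": "EUROPE", "BERLIN": "GERMANY", "PLANT_B1": "BERLIN",
}
# Same hierarchy after a restructuring that inserts EMEA above EUROPE.
RESTRUCTURED = dict(HIERARCHY, EUROPE="EMEA", EMEA="COMPANY")

def path_to_top(parent, node):
    """Return [node, its parent, ..., top node]."""
    path = [node]
    while parent[path[-1]] is not None:
        path.append(parent[path[-1]])
    return path

def level(parent, node):
    """Absolute level: the highest node of the hierarchy stands at level 1."""
    return len(path_to_top(parent, node))

def may_see(parent, auth_node, auth_type, target, lvl=None):
    """Decide whether `target` is covered by a hierarchy authorization."""
    if auth_type == 3:                       # entire hierarchy
        return True
    if auth_type == 0:                       # the node only
        return target == auth_node
    path = path_to_top(parent, target)
    if auth_node not in path:                # target is outside the sub tree
        return False
    if auth_type == 1:                       # whole sub tree below the node
        return True
    if lvl is None:
        raise ValueError("types 2 and 4 need a level")
    if auth_type == 2:                       # sub tree, capped at an absolute level
        return level(parent, target) <= lvl
    if auth_type == 4:                       # sub tree, capped relative to the node
        return path.index(auth_node) <= lvl  # number of levels below auth_node
    raise ValueError(f"unknown authorization type {auth_type}")

if __name__ == "__main__":
    for name, tree in (("before", HIERARCHY), ("after", RESTRUCTURED)):
        print(name,
              "type 2 / level 4:", may_see(tree, "GERMANY", 2, "BERLIN", 4),
              "type 4 / level 1:", may_see(tree, "GERMANY", 4, "BERLIN", 1))
```

Before the restructuring both definitions let the user expand from GERMANY to BERLIN; afterwards BERLIN sits at absolute level 5, so the type 2 definition silently stops covering it while the type 4 definition still does.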

Creation of Analysis Authorizations

Analysis authorizations are needed to provide access to authorization-relevant characteristics.

Analysis authorizations are created through transaction code RSECADMIN by clicking the
Maintenance button, which takes us to transaction code RSECAUTH; this means that
analysis authorizations can also be created directly through the RSECAUTH tcode.
Enter the analysis authorization name and click the Create button. On the next screen,
enter short, medium and long texts as necessary. The most important thing here is the
special characteristics, which are mandatory for any analysis authorization:
0TCAACTVT
0TCAIPROV
0TCAVALID
0PLANT
0TCAKYFNM
Later on we need to add the characteristics which we want to secure; we can go into each
characteristic and maintain values individually.
Assigning Analysis Authorizations to Users and Roles

Analysis authorizations can be assigned to a user in two ways. One way is to
go to transaction code RSECADMIN, click on the User tab and click on the Assignment
button, which takes us to transaction RSU01. Enter the user ID to whom the
analysis authorization needs to be assigned, enter the analysis authorization name and click
on the Insert button.
The other way is to add the analysis authorization directly in the user's role under the
object S_RS_AUTH in the BIAUTH field.
Find the Analysis Authorization in which the cube is maintained
1. Run transaction SE16 - Data Browser. Enter RSECVAL in the Table Name field.
2. Enter the name of the cube in the field TCTLOW - Internal char. value and Execute.
3. The screen Data Browser: Table RSECVAL Select Entries will be displayed. Select the
Analysis Authorization from the column TCTAUTH - Authorization based on the affiliate.

Find the roles in which analysis authorization is maintained


Run transaction SUIM- User Information System in a new session. Expand the Roles tree and select
Roles by Complex Selection Criteria.

Now enter the authorization object name S_RS_AUTH in the field Object1. Click
Enter. Enter the Analysis Authorization, which was obtained from table RSECVAL, under the
field BI Analysis Authorizations. Now Execute and you will find the roles in which the Analysis
Authorization is maintained.
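
The two lookups above (RSECVAL, then roles carrying S_RS_AUTH) can be run over exported rows. An exact-value search on TCTLOW only returns rows that name the cube literally, so this version also reports analysis authorizations that reach the cube through a generic value. It is an added example, not part of the original document. All rows are constructed, the column TCTIOBJNM and the layout of the role export are assumptions, and values are treated as simple wildcard patterns.

```python
from fnmatch import fnmatchcase

# Constructed rows shaped like table RSECVAL. TCTAUTH and TCTLOW are the
# columns named in the text; TCTIOBJNM (the characteristic) is an assumption.
RSECVAL = [
    {"TCTAUTH": "ZAA_SALES_EU",   "TCTIOBJNM": "0TCAIPROV", "TCTLOW": "ZSD_C01"},
    {"TCTAUTH": "ZAA_SALES_EU",   "TCTIOBJNM": "0PLANT",    "TCTLOW": "1000"},
    {"TCTAUTH": "ZAA_ALL_SD",     "TCTIOBJNM": "0TCAIPROV", "TCTLOW": "ZSD*"},
    {"TCTAUTH": "ZAA_EVERYTHING", "TCTIOBJNM": "0TCAIPROV", "TCTLOW": "*"},
    {"TCTAUTH": "ZAA_FINANCE",    "TCTIOBJNM": "0TCAIPROV", "TCTLOW": "ZFI_C01"},
]

# Constructed role export: one row per authorization field value in a role.
ROLE_VALUES = [
    {"ROLE": "Z_BW_SALES_REPORTING", "OBJECT": "S_RS_AUTH", "FIELD": "BIAUTH", "LOW": "ZAA_SALES_EU"},
    {"ROLE": "Z_BW_SALES_REPORTING", "OBJECT": "S_USER_TCD", "FIELD": "TCD", "LOW": "RRMX"},
    {"ROLE": "Z_BW_POWER_USER", "OBJECT": "S_RS_AUTH", "FIELD": "BIAUTH", "LOW": "ZAA_*"},
    {"ROLE": "Z_BW_FINANCE", "OBJECT": "S_RS_AUTH", "FIELD": "BIAUTH", "LOW": "ZAA_FINANCE"},
]

def auths_for_provider(rows, cube):
    """Map each analysis authorization that covers `cube` to how it matches:
    'exact' for a literal entry, 'pattern' for a generic value such as ZSD* or *."""
    found = {}
    for row in rows:
        if row["TCTIOBJNM"] != "0TCAIPROV":
            continue  # only the InfoProvider characteristic grants cube access
        if row["TCTLOW"] == cube:
            found[row["TCTAUTH"]] = "exact"
        elif fnmatchcase(cube, row["TCTLOW"]):
            found.setdefault(row["TCTAUTH"], "pattern")
    return found

def roles_for_auths(role_rows, auth_names):
    """Roles whose S_RS_AUTH / BIAUTH value names or generically covers an authorization."""
    roles = set()
    for row in role_rows:
        if (row["OBJECT"], row["FIELD"]) != ("S_RS_AUTH", "BIAUTH"):
            continue
        if any(fnmatchcase(name, row["LOW"]) for name in auth_names):
            roles.add(row["ROLE"])
    return sorted(roles)

if __name__ == "__main__":
    auths = auths_for_provider(RSECVAL, "ZSD_C01")
    print(auths)
    print(roles_for_auths(ROLE_VALUES, auths))
```

Entries reported as "pattern" are the ones to review first, since they grant the cube without ever naming it.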

SAP BW BEx Analyzer Business Explorer Concepts


BEx Analyzer is an analysis and reporting tool which is an add-on in Microsoft Excel. It
comes as part of the SAP Business Warehouse Desktop installation. BEx Analyzer is thus a
user interface based on Web technology and MS Excel. There are many standard reports
available in the library, as well as the required analysis tools. These analysis tools can
support complex multidimensional analysis based on different data views. Business Explorer
thus acts as an information catalogue, which allows users to browse the available
information from the business applications. Not only that, with BW users can access
information in SAP BW using the Enterprise Portal, the intranet (Web application design), or
mobile technologies.
I am listing some features of the BEx Analyzer below.
- Using the BEx Query Designer, users can define and update queries. One can create
  different query views of data. BEx Analyzer allows saving multiple queries in
  a workbook in Excel.
- Queries created can be processed in Microsoft Excel, or the same can be viewed in a
  web browser like Internet Explorer.
- BEx Analyzer can be connected with VBA applications and programs. Users with
  advanced knowledge can develop their own programs.
- BEx tools support editing of data such as sorting, totaling etc. These editing functions
  can be used in Microsoft Excel to set up dashboards, reports and templates as required.
Security Authorization Objects for SAP BW
Security in SAP is controlled through authorization objects. The SAP Business Information
Warehouse (BIW) has a set of authorization objects specific to BW which control security in
BW. Primarily there are two classes of authorization objects in SAP BIW. They are in the
areas of BIW reporting and BIW administration. The BIW reporting authorization objects
are used for field level security in BW reporting. The BW administration objects are used to
secure administration functions in Business Information Warehouse. Below are some of the
authorization objects in the above two areas of BW security.
1. SAP Business Information Warehouse Reporting
- S_RS_COMP
- S_RS_COMP1
- S_RS_FOLD
2. SAP Business Information Warehouse Administration
- S_RS_ADMWB

- S_RS_IOBJ
- S_RS_ISOUR
- S_RS_ISRCM
Apart from the above two classes of authorization objects in SAP BW, there are a set of
common authorization objects which are used in BW. These common authorization objects
are required by all users as these auth_objects are checked in different areas. The common set
of authorization objects used in SAP BIW include S_RS_ICUBE, S_RS_ODSO and
S_RS_HIER. One key point to note is that BW reporting authorization objects for field level
security are created as needed whereas the BW administration authorization objects are used
across the module to secure admin functions.
SAP BW Security transaction codes

Transaction Code: Description
RSA1: Transaction RSA1 is the main transaction for administrative functions in SAP BW (Administrator Workbench)
RSD1: This transaction code can be used to mark objects as relevant for authorization (InfoObject Maintenance)
RSSM: This transaction code can be used to create and modify authorization objects in SAP BW
RSZV: This transaction code is used to create or modify the variables for authorization checks (Variable Maintenance)
RRMX: Business Explorer is the reporting tool in SAP BW and is used for analyzing data
GLOBAL_TEMPLATES: Templates for modelling and evaluating data
