kamaljeet.kharbanda: Step-by-Step SAP BI Security

Posted by Kamaljeet Kharbanda 26-Feb-2009
Generated by Jive on 2015-08-07+02:00

SAP BI security is an integral part of any BI implementation. Integrating the data coming from various source systems and providing data access based on the user’s role is one of the major concerns of all BI projects.

Security of SAP R/3-ECC systems is based on activities, while SAP BI security is focused on what data a user can access.

Security in BI falls into two major categories:

Administrative Users – We maintain security for administrative users the same way as ECC security, but the system has additional authorization objects that are defined only for BI objects.
Reporting Users – We have a separate tool (Analysis Authorization) to maintain security for reporting users.

What is an Authorization Object?

It allows the system to check whether a user is allowed to perform a certain action. Actions are defined on the fields, and each field in the authorization object must pass the check. We can see all the standard BI Authorization Objects using tcode SU21 under the Business Warehouse folder:

With SAP BI 7.0 we have a new tool to maintain reporting-level security. We can access this new tool using tcode RSECADMIN, which replaces the old RSSM tool of BW 3.x.

Below are the step-by-step instructions to create/maintain authorization objects for SAP BI reporting:

I am covering the scenario where each employee (Sales Team) is assigned one territory number, and the data should be accessible to an employee based on their territory only. For this scenario to work we have to set a security restriction on the corresponding territory InfoObject (ZDWSLTER).

The first step, before we create any Authorization Object, is to set as authorization relevant all the InfoObjects for which we want to restrict data access.

Authorization Objects on InfoObjects of type Characteristic:

To access the new Analysis Authorization tools we use tcode RSECADMIN -> Authorizations tab -> Maintenance button.

We can also use tcode RSECAUTH to go directly to the maintenance screen:

We enter the technical name of the Authorization Object (ZDWKJTEST), then hit the create button:

The very first step in creating any Authorization Object is to add the special characteristics as fields for restriction:

The 3 characteristics below are mandatory for defining any Authorization Object. If we don't have them, we will get no access to any InfoProvider. By default this gives us access to all the InfoProviders (full access), but we can also set the value of the InfoProvider for which we want the Authorization Object to work.

Now I am adding the InfoObject (ZDWSLTER) for which we want to add a restriction:

We can double-click the newly added InfoObject and define the value which we want to allow for this InfoObject.
We can also set a dynamic value using customer exit code, which we will cover later in this blog.

Saving the changes:

Assigning Authorization Objects to Users:

Go back to the previous screen (RSECADMIN) by hitting the back button, and click the assignment button under the user tab:

Now we can assign the created Authorization Object to any user using this tool.

Adding the created Authorization Object (ZDWKJTEST) to the user ZNBITSRTS. I will be using the same user throughout this blog for running any query, so that the restrictions applied through the Authorization Object take effect.

We can also assign the authorization to users through a role/profile using the standard Authorization Object S_RS_AUTH:

We can check the Authorization Objects assigned through roles/profiles for any user using tcode RSU01, or we can use the path tcode RSECADMIN -> user tab -> assignment -> user -> role-based.

A user with Authorization Object 0BI_ALL has full access to data, and this overrides any other Authorization Object assigned to that user.

Query on InfoProvider with Authorization Objects:

Below is the test query in which I added the InfoObject for which we created the test Authorization Object (ZDWKJTEST).

I am running the query with the same user name (ZNBITSRTS) to whom we assigned the Authorization Object (ZDWKJTEST):

The query output displays the authorization error, and we can check the error log using tcode RSECPROT:

The log below explains that we are missing some of the characteristics for the created object. Logically we might think that we are only using one characteristic in our query and we did add it to the Authorization Object, so why are we still getting an authorization error? The reason is that we always have to add all the authorization-relevant InfoObjects of the InfoProvider on which we created the query.

Now I added all the missing InfoObjects with full access to the Authorization Object (ZDWKJTEST):

I have restricted the query with an input-ready variable on the InfoObject territory (ZDWSLTER):

Running the query with the same territory that I assigned to the territory field of the Authorization Object:

The query returns output without any authorization error:

We can check the log in RSECPROT for the last run of the query:

Running the same query with a different territory number:

We got the authorization error because the value which we assigned for the object is not the same as the one we passed:

Authorization Variable on Query:

Using the Authorization Variable we can populate the value of the InfoObject at run-time directly from the Authorization Object field's value.

If we have an authorization variable defined for the query, then when we run the query it will not prompt us with the variable selection screen and will run the query directly for the value we defined for the field of the Authorization Object.

Rather than assigning fixed values in the authorization object, we can also enter the technical name of a customer exit variable in the field's value, starting with the $ symbol. The authorization value is then read at query run-time from the return value of the customer exit code:

Below is the sample code which reads the territory based on the portal login-id from the reference table which we have in our BI system:

Use of : Symbol in Authorization Objects Fields Value:

Now I am covering the scenario where the query is not using any InfoObject for which we have a restriction of values in the Authorization Object.
I have added division as an object in the query, which has full authorization access, and now we don't have any territory object in the query anymore:

Even though the division object has full authorization access, we still get an authorization error when we run the query:

By checking the authorization log we can clearly see that even though the query is not using the territory InfoObject, it still checks for its value at query runtime, because this object is part of the InfoProvider on which we have defined the query:

To avoid the authorization check for objects which are not used in the query definition, we should always add the : symbol to the authorization object field value. This allows queries to run for all the values of the object even if the object is not part of the query:

Once we have defined : the query works fine (without any authorization failure):

Below is the authorization log for the same:

Authorization Objects on InfoObjects of type Key Figure:

I created one test query with 2 key figures as output.

Output of query:

We can restrict this query to show the data only for one key figure.
For this we just have to add the required key figure (Record Count - ZDWCOUNT) as a value for the field 0TCAKYFNM of our test authorization object (ZDWKJTEST).

Now if we run the same query it will not show data for any key figure except the one which we added in the authorization object definition.

The log also explains the reason for the authorization error on the 2nd key figure:

Authorization Objects on InfoObjects of type Hierarchy:

I assigned the brand hierarchy to the same test query:

When we run the query it shows data for all the brands as well as the not-assigned brands:

We can restrict the hierarchy using the Authorization Object to show data only for the 1st node of the hierarchy displayed above:

Assigned the node:

Selected the Type of Authorization as 1, which will allow the hierarchy to show all the nodes which are below the selected node:

After adding the authorization on the brand hierarchy, we now only see the data for the node which we restricted in the hierarchy authorization value:

Christian Harrington 22-Jan-2015 17:32
Hi Kamaljeet and all,
I am trying to use a scenario where I would dynamically fill the object S_RS_COMP-RSZCOMPID (for query name component) with the customer exit ZXRSRU01. This way we can maintain in a table the security at query level rather than hardcoding it into the security object. So my code looks like this:

    case i_vnam.
      when 'Z_QRY_VAR'.
        if i_step = 0.
          clear l_s_range.
          l_s_range-low = 'Z_QRY_001'.  " this is just an example to make it work
          l_s_range-sign = 'I'.
          l_s_range-opt = 'EQ'.
          APPEND l_s_range to e_t_range.
        endif.
    endcase.

I created the variable from the query designer attached to a dummy infoobject (0INFOPROV) with processing by customer exit, not ready for input, several single values. Looks fine.
And this is what I have defined in the security role:
S_RS_COMP-RSZCOMPID $Z_QRY_VAR
But the customer exit seems not to be called in this case...why? I was told the dynamic variable ($) is supposed to work also in this case, but I am missing something.
There are many blogs around populating an object like 0COUNTRY, etc. but in my case I want directly to populate the query ID into object S_RS_COMP-RSZCOMPID.
Do you think it's possible?
Many thanks!
Christian

Suman Chakravarthy K 25-Dec-2013 05:55
This is really amazing stuff. Thank you..

MOHAN CHAND REDDY A in response to Prashant Tripathi 31-Oct-2012 14:12
Thanks Kamaljeet for providing valuable information with easy steps which we can follow. Thanks a lot.

Prashant Tripathi 19-Aug-2011 11:16
As if this was what I was waiting for - most of the concepts going around the head - now easily grasped through your illustrative and lucid visuals and texts :) ..seriously wonderful learning step by step :)

Nishant Sourabh 25-Mar-2011 13:35
As others have said this blog is really helpful for beginners in BI like me to understand the BI Analysis Authorization concepts. Thank you !!

Waseem Akhtar 26-Apr-2010 03:33
Great work!!! Excellent job. Keep it up.

John Varkey 22-Apr-2010 06:01
Hello Kamaljeet,
Thanks a TON for your patience and passion about creating/sharing a valuable document....A great thanks from the bottom of my heart...
Regards,
Meghasyam

Sankar Kumar 26-Mar-2010 23:11
Really, this is a very clear and demonstrative effort.
Thank you.

Samuels David 12-Feb-2010 10:30
Thanks Kamaljeet!
This is BY FAR the very best and most complete description of BI 7x Analysis Authorizations available - I am sure many people are grateful to you for putting it together and explaining some of the things that are not clear from the help or TechEd/Portals conference presentations.
It's been very valuable to me, and much appreciated!
-Dave Samuels

SUNIL Kollabathini 11-Nov-2009 00:46
Hello Sir.. thanks for the blog and it's very easy and simple to understand ... will implement soon in some scenario.... thanks again and will wait for next blog

Prahtap L 08-Nov-2009 23:31
Hi KamaljeetGi !
It's a wonderful blog, thank you very much. Looking forward to some more articles on all topics.
Regards
L.Prathap

Birgit Stephan in response to Kamaljeet Kharbanda 18-Sep-2009 08:43
Hello Kamaljeet,
thank you very much for this great blog.
I also created an authorization object filled by a customer exit variable, so I was a little unsure about your comment:
"You don't have to create any variable for it, just define it in your CMOD code and it will take care of it automatically."
When I assign a variable, for example $ABC, in rsecadmin and this variable is not available I get the following message:
"This variable does not exist or does not have type Customer Exit. Create a variable in the Query Designer ..."
I also get this message when the variable is available in cmod.
So perhaps you could clarify this for me.
Thank you very much and best regards,
Birgit

Srini Ryali 03-Aug-2009 21:05
It's a really helpful blog.
Regards,
Madhu

Kishore Kumar Kusupati 16-Jul-2009 00:28
Thanks Kamaljeet.
This is really a very useful and important blog in terms of understanding and implementing SAP Netweaver BW security.
Best Regards,
Kishore

Abdul Harivaram 09-Jun-2009 07:21
Hello,
I'm working on giving BI access to channel partners. They need to be restricted based on partner number. Means a partner should be able to see only reports related with his contacts, employees and so on.
For this I'm planning to make 0CRM_SALESP authorization relevant and create a variable authorization object with $ value, and based on user exit it will pull reports related with that partner.
Problem is if I go with this option then the employees who need to view all reports will not be able to do so.
Is there an alternate way where I can do both at the same time?
Appreciate your help.
Thanks

Anand R 04-Jun-2009 11:31
Nice blog to start with

ashh jan 11-Apr-2009 06:00
In portal, I need to restrict users based on company code.
When US users log on to the portal, they need to look at the reports which have the company code value CC10.
When Canadian users log on to the portal, they need to look at the reports which have the company code value CC20.
When European users log on to the portal, they need to look at the reports which have the company code value CC30.
Director of the company needs to look at all the reports, company code values CC10, CC20 and CC30.
For this I followed these steps:
1. Info object 0COMP_CODE, checking Authorization relevant flag in business explorer flag
2. Tran RSECADMIN, Click Maintenance, create Authorization object, then add special characteristics (0TCAACTVT, 0TCAIPROV, 0TCVALID) and adding the 0COMP_CODE and double click on 0COMP_CODE and giving the value $ZCOMP and save it.
3. Assigning this Authorization object to the role using standard authorization object S_RS_AUTH
4. In the report, for the 0COMP_CODE, create a new variable ZAUTH_VAR with processing by option Authorization
5. Based on user logon id, there is a process to identify which company code he belongs --> This is gap for me --> Please advise
6. CMOD, variable exit

    CASE I_VNAM.
    WHEN 'ZCOMP' or 'ZAUTH_VAR' ?
    IF I_STEP = 0.
    ---> This is gap for me. Please advise.

Thanks,
Ashh.

Ankush Hallan 08-Apr-2009 23:03
During the migration process problems have been reported for this blog. The blog content may look corrupt due to not supported HTML code on this platform. Please adjust the blog content manually before moving it to an official community.

Kamaljeet Kharbanda in response to Kamaljeet Singh 11-Mar-2009 19:31
Thanks Kamaljeet ... good to see someone by same name as mine and that too in the same field :o)

Kamaljeet Singh 11-Mar-2009 18:11
This is a very good article. Looking forward to some more articles from you on BI Security.
Kamaljeet

Kamaljeet Kharbanda in response to Inkyung Song 06-Mar-2009 06:26
You don't have to create any variable for it, just define it in your CMOD code and it will take care of it automatically.
Basically when you run any query it always checks for authorization of all the auth relevant objects, and if in the auth object you have defined any value starting with '$' it checks the code of CMOD to get the value of that field at runtime.
Kamaljeet

Inkyung Song 06-Mar-2009 06:18
Hello.
Thank you for the great information.
This helps me understand the Analysis Authorization concept well.
I have one question regarding Customer Exit. Could you please let me know how to create a customer exit variable like what you did for $ZTA?
Thank you.
Inkyung

Babu Jayendran 27-Feb-2009 02:02
Thanks Kamaljeet for your very useful inputs on BI Security
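
The article's step "Below is the sample code which reads the territory based on the portal login-id from the reference table" has lost its code in this copy, and several comments ask how such an exit is written. The following is an added example, not the author's code: a customer exit body for include ZXRSRU01 that supplies the value of a $ variable entered in the ZDWSLTER field of the authorization object. The variable name ZTERRAUT and the reference table ZBI_USER_TERR (fields UNAME, TERRITORY) are hypothetical, and it assumes the portal login-id is the BW user in SY-UNAME.

```abap
" Body of include ZXRSRU01 (function exit EXIT_SAPLRRS0_001).
" Added example: ZTERRAUT and ZBI_USER_TERR are hypothetical names.
" In the authorization object, the ZDWSLTER field value is $ZTERRAUT.

DATA: l_s_range   LIKE LINE OF e_t_range,
      l_territory TYPE zbi_user_terr-territory.

CASE i_vnam.
  WHEN 'ZTERRAUT'.
    " I_STEP = 0 is the step tested for authorization variables in the
    " exit code posted in the comments above.
    IF i_step = 0.
      " Assumption: the portal login-id is the BW user in SY-UNAME.
      " A user may own several territories, one table row per territory.
      SELECT territory FROM zbi_user_terr
        INTO l_territory
        WHERE uname = sy-uname.

        CLEAR l_s_range.
        l_s_range-sign = 'I'.      " include
        l_s_range-opt  = 'EQ'.     " single value
        l_s_range-low  = l_territory.
        APPEND l_s_range TO e_t_range.
      ENDSELECT.
      " No row for the user: nothing is appended, so the exit returns
      " no territory value instead of falling back to a default.
    ENDIF.
ENDCASE.
```

Maintenance access to the mapping table should be as tightly controlled as the authorization object itself, because changing a row changes which territory data a user can read.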