BW2HANA Authorization Generation

Overview

In order to be able to access the External HANA views which have been generated by the BW system, some general object privileges(to access schemas _SYS_BI and _SYS_BIC and to run SELECT statements on the view, see Assigne Default Database Privileges to DBMS Users) and data authorizations (SQL Analytic Privileges) are needed. In transaction RS2HANA_VIEW there are some important settings which have an impact on the way how authorizations are assigned to HANA users:

BW75 System(SP16)

BW/4Hana 2.0 System

You can use the F1-help to get a detailed description displayed to all these settings. 

• Assignment Type
  • R: Global Single Role(does not exists on BW/4 system). This setting is not supported if static user-specific analytic privileges are used("U" of note 2604161, see below)
  • D: Privileges are directly assigned to the user. 
  • M: Multiple Roles: For each SAP HANA user and external SAP HANA view of a BW object, a role is generated.
• SAP HANA User Mapping: you can specify the name of the HANA user assigned to the BW user
  • D: DBMS user(transaction SU01 - tab DBMS: if this tab isn't available, the corresponding customizing is missing, see DBMS User Management. In BW/4Hana systems, D is always used automatically!)
  • C: DBMS user, else SAP HANA user with same name as BW user(does not exist in BW/4HANA  systems)
• DB Connection Name: Database connection used for generation of HANA  privileges. In case roles are generated(assignment type = R,M) it is strongly recommended(in BW4Hana systems required) to maintain a DB Connection in order to avoid long runtimes or even time outs when replicating the BW Analysis authorizations to SAP HANA(warning RS2HANA_AUTH443). See also Role User and note 3206624.
• Limit Replication: with this option it is possible to switch off the automatic generation of HANA  privileges during activation of the BW object. See note 2756480.
• Assign View Privileges: Specifies how the generated external SAP HANA view of an object can be accessed.
• SAP Note 2604161(AP generation mode): specifies the type of analytical privileges generated on HANA  database, this may have an impact on the performance of the runtime of the preparation or execution of the SQL statements that access the generated external SAP HANA views. On BW/4 systems this setting is called 'AP Generation Mode'.
  • ' ' Dynamic analytic privileges using stored procedures(see also Example I )
  • 'S' Static analytic privileges using SQL SELECT statements(see also Example III)
  • 'U' Static user-specific analytic privileges w/ defined values - see also note 2695442 and Example II.

Details and Remarks to AP Generation Modes(note 2604161)

SQL Analytic Privileges are automatically generated from the existing BW analysis authorizations (and assigned to a role or directly to the DB user) by BW object activation or running transaction RS2HANA_GEN.

• ' ': SQL Analytic Privileges use procedures which access table RS2HANA_AUTH_STR containing the filter values.
• 'S': SQL SELECT statements are used to read the valid filter values for the session user from table RS2HANA_AUTH_FIL.
• 'U':  SQL Analytic Privileges are directly assigned to the users. Generated filter conditions can be checked in HANA  administration table structured_privileges. 

Remarks

• Select option U if you experience performance issues during query runtime, which might occur due to the fact that the SQL plan cache cannot be used. Analytic privileges using dynamic procedures (option ' ') or SQL SELECT statements (option 'S') to retrieve the filter values during query runtime, force the database to not use the SQL plan cache. See also note 3206624.
• Select either option <blank> or S if you do not encounter performance issues but want to reduce the number of generated analytic privileges in the database to a minimum.

For automatic checks concerning authorization replication (as well as checks and repairs of external SAP HANA views) see SAP note 2031522.

Comparison between the concept of BW and HANA Analytic authorizations

In the SAP HANA database, analytic privileges are handled as filters for database queries. Users only see the data for which they have an analytic privilege. In BW, however, authorizations do NOT work as filters. Here, users can only execute a query if their analysis authorizations completely cover the relevant selection. If this is not the case, an error message will be displayed. See OLAP/Analysis Authorizations .

Examples

• AP Mode ' ': Dynamic analytic privileges using stored procedures: Example I 
• AP Mode S: Static analytic privileges using SQL SELECT statements: Example III
• AP Mode U: Static user-specific analytic privileges: Example Example II

Transactions

• RS2HANA_CHECK: Checks all of the required prerequisites for a successful replication of the BW authorizations
• RS2HANA_ADMIN: Displays an overview of all of the BW objects with an external SAP HANA view. Allows you to manage the views from BW Objects. Check and repair the HANA views themselves in transaction RS2HANA_ADMIN.
• RS2HANA_GEN (same as SE38 report RS2HANA_AUTH_RUN) Replicate BW Analysis Authorizations to Hana. Complete clean-up and re-build of generated HANA privileges.
• RS2HANA_VIEW: Make central settings in relation to the external SAP HANA view.SAP HANA authorizations are assigned to one user. You can define how this user is generated here. 

Special Topics

• Consuming External View in BW(Privileges of user SAP<SID>)
• Generation of Full Authorization
• Assigne Default Database Privileges to DBMS Users(e.g. 'SELECT on schema _SYS_BI' and 'EXECUTE on procedure REPOSITORY_REST')
• Role User
• External Hana Views of Characteristics: Authorization Generation
• Authorization Generation and Transport

Troubleshooting

In case of issues please review also the following SAP notes:

• 2756480 HANA Privilege Generation - General Solutions and Facts
• 2390443 BW external HANA views and authorizations
• Performance/Memory Consumption
  • 3206624 BW: External SAP Hana View and Query Performance
  • 3149633 How to avoid/optimize long running BW2HANA authorization replication or timeout

  • 2555533 Memory Dump or Performance Problem during BW2HANA Analysis Authorization Generation

Documentation

SAP Online Documentation

• BW/4HANA 
  • Authorizations for Generated SAP HANA Views
  • DBMS User Management(Prerequisite)
• BW75
  • Generating SAP HANA Views from the BW System
  • Authorizations for Generating SAP HANA Views
  • DBMS User Management

SAP Notes

• 2031522 Transactions RS2HANA_ADMIN and RS2HANA_CHECK
• 2756480 HANA Privilege Generation - General Solutions and Facts
• 2604161 Generation of user-specific analytical privileges not possible
• 2390443 BW external HANA views and authorizations
• 2317197 External SAP HANA View: Frequently asked questions, feature availability
• 2468273 Missing entries in RS2HANA_AUTH_STR - Inconsistent View Authorizations
• 2695442 External Hana View: Activation of BW Object fails with error 'Replication failed RS2HANA_AUTH234'
• 2897784 Transaction RS2HANA_GEN - log display for repeat execution/cache usage
• 2291805 RS2HANA_AUTH089 - "Char. XXX is auth. relevant, but missing in authorization object" when generating HANA-View authorizations

Wiki Pages

OLAP/Analysis Authorizations