The authorization concept of SAP BusinessObjects Planning and Consolidation version 10.1 (version for SAP Netweaver, in short: BPC embedded) is based on BW Analysis Authorizations. There are three layers of authorizations in place:
- BW analysis authorization
- Environment authorizations
- Data Access Profile (DAP)
As always BW analysis authorizations are maintained in transaction RSECAUTH and assigned either directly via transaction RSU01 or via PFCG role.
Environment authorizations are BW analysis authorizations assigned to BPC environments. Each user who is authorized for the environment is granted the assigned analysis authorization. The assignment is done using the BPC frontend.
Data Access Profiles (=DAP) are created and assigned via BPC frontend. In the BW authorization-check the assigned DAPs are retrieved and transformed into BW authorizations.
If a workbook is run in the context of a BPC environment and model, the applicable authorizations are calculated in the following way:
- The analysis authorizations B maintained in transaction RSECADMIN and assigned to the user directly or via PFCG-roles are extended by the environment authorizations E for the current environment as maintained in transaction RSECENVI. The extension is done by simply taking the union of the two lists of authorizations. The result of this is a set of analysis authorizations which potentially grants access to more objects than the initial set B.
- This extended set of authorizations is then restricted again by the DAPs D of the BPC-model in question. This restriction is an intersection of the authorizations.
In effect, the user can only see or write data which he/she is authorized to by the DAP and the union of environment and BW authorizations. In short, this can be summarized as
A = (B∪E) ∩ D
If no DAPs are maintained (this is interpreted as D = ), no access to the data will be granted.
If no Environment/Model context is used (f.e. by executing a BW-query in AO), only the Analysis Authorizations B are considered.