OLAP Authorizations

Introduction

All users who want to display transactional data from authorization-relevant characteristics in a query require analysis authorizations (or OLAP authorizations) for these characteristics. Analysis authorizations are NOT based on the SAP Standard Authorization concept. They use their own concept based on the BW reporting and analysis features. Please have a look at note 820183 which provides an overview and description on how the authorization concept works.

Important to Know

The OLAP-authorization-check must not be confused with the basis-authorization-check. When executing a BW-query some basis-authorizations are checked first. f.e. S_RS_COMP1, S_RS_COMP (authorization for executing a BW-report, see note 540720), ..etc. If the basis-authorization-check is successful, the OLAP-authorization-check (which checks the analysis-authorizations) is performed.
It's very important to understand that the OLAP authorization-check is executed before the data are retrieved from the database. It checks whether the assigned authorization-set authorizes the selection-set of the query. The selection-set comprises of all the filters/restrictions applied in the query. If the selection-set is bigger than the authorization-set, the user will always get an authorization-error. It is irrelevant whether authorized values are booked in the infoprovider.
OLAP authorizations do not act automatically as filter restrictions in queries (this is only possible with the "thinning-out" feature described in note 1905641). If this is required you need to use variables filled by authorizations. However please read note 1736473 which describes possible problems when using authorization-variables for multidimensional authorizations.

The old authorization-concept in BW 3.X has been completely replaced by the new 7.X authorization-concept introduced with BW 7.X. This site will only deal with the new authorization concept as the old authorization-concept will no longer work in future releases (see note 923176).

Runtime of the OLAP authorization-check

The figure shown above roughly shows how the authority-check is carried out executing a BW-query. The runtime of the authority-check also involves checking the authorizations for the infoprovider and retrieving the assigned authorization-values. The query in the example is very simple not using any variables/hierarchies/complex OLAP-features etc.

Step 1: The query is executed with a selection defined in the query-definition

Step 2, 3 and 4: The authorizations for all authorization-relevant attributes used in the query are collected and filled into the authorization buffer. Note 1951019 provides more details on attribute authorizations. The auth-relevant attributes for which the user is not authorized are simply not getting displayed in the BW report.

Step 5, 6, 7 and 8: The authorizations relevant for the infoprovider are collected and filled into the authorization buffer. The system then checks whether the user is authorized for the infoprovider on which the query is based. Note 2504860 provides more details on the infoprovider-check which is the first part of the OLAP authorization-check.

Step 9a: The query displays an authorization error if the infoprovider-check in the previous step fails.

Step 9b and 10: The system now continues with the main authorization-check checking the selection-set selected by the query in Step1. If the selection-set is greater than the authorization-set, the authorization-check fails.

Step 11a: The query displays an authorization error if the main authorization-check in the previous step fails.

Step 11b, 12 and 13: If the authorization-check is successfull, the system continues retrieving the selected data from the database. It's very important to understand that the OLAP auth-check is done before the database is accessed. Hence the idea that authorizations work as filters is not correct. Authorizations do not automatically filter the data according to the authorized values. The authorization-check simply checks the selection-set (regardless of whether data exists for this selection).

CSS component: BW-BEX-OT-OLAP-AUT

Guided Answers

Use the decision tree for analyzing authorization issues: Guided Answers: Analyzing BW authorizations issues

SAP Online Documentation

Latest Documentation for SAP BW 7.X Analysis Authorizations

Analysis Authorizations

Examples

Authorization Variable

Example01

SAP Consulting Notes

	SAP BW Analysis Authorizations
820183	New authorization concept in BI
1234567	The authorization log RSECADMIN
1052242	BI Analysis authorization: Generation
1000004	Merging and optimizing analysis authorizations
1053989	Intervals and Patterns [(*),(+)] in Analysis Authorizations
1140831	Colon authorization during query execution
1951019	Navigation Attribute and Display Attribute for BW Analysis Authorization

OLAP AUTH Search

SAP Support Troubleshooting Guideline

SSG BW-BEX-OT-OLAP-AUT

Topics

"No authorization" executing a BW-query	Consulting Notes / KBAs: 1905641 "No authorization" message when deactivating hierarchy display or removing drilldown in BW Query 1736473 Usage of authorization variables results in "no authorization" when multi-dimensional auths are assigned 1904962 How to Analyze a "No Authorization" or Showing Too Much Data Issue with BW Analysis Authorization 1234567 The authorization log RSECADMIN 1140831 Colon authorization during query execution 1632677 Query with Multiple Authorization variables failing with "No Authorization" 1951019 Navigation Attribute and Display Attribute for BW Analysis Authorization 1953967 BW Analysis Authorization for Navigation Attribute in Query Based on InfoSet 2232492 "No Applicable Data Found" instead of "No Authorization" When the User does not Have Enough Analysis Authorization Wiki-Page: Colon authorization during query execution
Authorization Maintenance	Consulting Notes / KBAs: 1929419 BW Analysis Authorization Maintenance has "Exclude" Option Greyed out 1053989 Intervals and Patterns [(),(+)] in Analysis Authorization 1982399 Removing Inconsistent analysis authorizations that show as inactive 1630584 Analysis Authorization not changable in closed client 1685338 Analysis Authorizations missing, deleted or inactive after upgrade to 730 1911259 Analysis Authorization Missing after Upgrade to 730 1956404 Characteristics 0TCAIPROV, 0TCAACTVT, 0TCAVALID are no longer Authorization Relevant after Upgrade to BW7.3 or higher 1982399 Removing Inconsistent analysis authorizations that show as inactive Wiki-Page:* Analysis Authorization - Authorization log tables The authorization Log in RSECADMIN
Hierarchy authorizations not working	Consulting Notes / KBAs: 1905641 "No authorization" message when deactivating hierarchy display or removing drilldown in BW Query 1772536 EYE020 when editing Analysis Authorization 1791558 Node authorization does not work when determined using exit or generated using RSEC_GENERATE_AUTHORIZATIONS 1927047 Node authorization does not work for hierarchies with time-dependent structure 1772536 EYE020 when editing Analysis Authorization 1170163 "Validity" in hierarchy authorizations Wiki-Page: "Validity" in hierarchy authorizations
Authorization- & Customer-Exit Variables	Consulting Notes / KBAs: 1900590 Error executing BW query when using Customer Exit Variable in Analysis Authorization definition 1772536 EYE020 when editing Analysis Authorization 1791558 Node authorization does not work when determined using exit or generated using RSEC_GENERATE_AUTHORIZATIONS 976680 Usage of variables in authorization 1226163 Authorization variables in workbook 1561635 Filling Analysis Authorizations from exit variables in I_STEP=0 1988154 BW Query F4 Help doesn't Show Value for Restricted Authorization Users 1579015 Could not determine value for variable from authorization 1914703 Transaction RSECADMIN "Execute as User" has different BW query result compared to direct BW query execution result by this user 2672200 - Please use Function module RSEC_GET_AUTHS_FILTERED Wiki-Page: Variable Replaced with Authorization
DTP & RSDRI & Data Federator	Consulting notes/KBA 1291204 Loading with DTP: Failed authorization check on 0BI_ALL Wiki Page RSDRI_DF and authorizations (Data Federator)
Analysis Authorizations & BPC DAP (Data Access Profile)	Consulting notes/KBA 2403016 Error "This query is invalid. Please contact your administrator" when Open a BW BEx Query with EPM Add-In in AO 2479551 Query results display in AO but not EPM Add-in Wiki Page How BPC authorizations are checked in the BW OLAP authorization-check
Performance	Consulting Notes / KBAs: 1454140 Performance problems with authorizations 1592528 Delete Authorisation Logs from BW table RSECLOG to gain memory space and improve performance
Generation of Authorizations	Consulting Notes / KBAs: 1052242 BI Analysis authorization: Generation 1630469 Deleting Generated Authorizations using D_E_L_E_T_E 1940454 BW Analysis Authorization Generation for HCM Structural Authorization Generates More Authorized Values than you Expect 2182202 Error Message "Message number 999999 reached. Log is full" (BL252) occurs for BW Analysis Authorization Generation

Child pages