Introduction
All users who want to display transactional data from authorization-relevant characteristics in a query require analysis authorizations (or OLAP authorizations) for these characteristics. Analysis authorizations are NOT based on the SAP Standard Authorization concept. They use their own concept based on the BW reporting and analysis features. Please have a look at note 820183 which provides an overview and description on how the authorization concept works.
The old authorization-concept in BW 3.X has been completely replaced by the new 7.X authorization-concept introduced with BW 7.X. This site will only deal with the new authorization concept as the old authorization-concept will no longer work in future releases (see note 923176).
Runtime of the OLAP authorization-check
The figure shown above roughly shows how the authority-check is carried out executing a BW-query. The runtime of the authority-check also involves checking the authorizations for the infoprovider and retrieving the assigned authorization-values. The query in the example is very simple not using any variables/hierarchies/complex OLAP-features etc.
Step 1: The query is executed with a selection defined in the query-definition
Step 2, 3 and 4: The authorizations for all authorization-relevant attributes used in the query are collected and filled into the authorization buffer. Note 1951019 provides more details on attribute authorizations. The auth-relevant attributes for which the user is not authorized are simply not getting displayed in the BW report.
Step 5, 6, 7 and 8: The authorizations relevant for the infoprovider are collected and filled into the authorization buffer. The system then checks whether the user is authorized for the infoprovider on which the query is based. Note 2504860 provides more details on the infoprovider-check which is the first part of the OLAP authorization-check.
Step 9a: The query displays an authorization error if the infoprovider-check in the previous step fails.
Step 9b and 10: The system now continues with the main authorization-check checking the selection-set selected by the query in Step1. If the selection-set is greater than the authorization-set, the authorization-check fails.
Step 11a: The query displays an authorization error if the main authorization-check in the previous step fails.
Step 11b, 12 and 13: If the authorization-check is successfull, the system continues retrieving the selected data from the database. It's very important to understand that the OLAP auth-check is done before the database is accessed. Hence the idea that authorizations work as filters is not correct. Authorizations do not automatically filter the data according to the authorized values. The authorization-check simply checks the selection-set (regardless of whether data exists for this selection).
CSS component: BW-BEX-OT-OLAP-AUT
SAP Online Documentation
Latest Documentation for SAP BW 7.X Analysis Authorizations |
Examples
Authorization Variable | Example01 |
SAP Consulting Notes
SAP BW Analysis Authorizations | |
---|---|
820183 | New authorization concept in BI |
The authorization log RSECADMIN | |
BI Analysis authorization: Generation | |
Merging and optimizing analysis authorizations | |
Intervals and Patterns [(*),(+)] in Analysis Authorizations | |
Colon authorization during query execution | |
1951019 | Navigation Attribute and Display Attribute for BW Analysis Authorization |
OLAP AUTH Search
Topics
"No authorization" executing a BW-query | Consulting Notes / KBAs:
|
Authorization Maintenance | Consulting Notes / KBAs:
Analysis Authorization - Authorization log tables |
Hierarchy authorizations not working | Consulting Notes / KBAs:
|
Authorization- & Customer-Exit Variables | Consulting Notes / KBAs:
|
DTP & RSDRI & Data Federator | Consulting notes/KBA
|
Analysis Authorizations & BPC DAP (Data Access Profile) | Consulting notes/KBA
Wiki Page |
Performance | Consulting Notes / KBAs: |
Generation of Authorizations | Consulting Notes / KBAs:
|