To ensure that your data warehousing solution reflects your company's structure and business needs, it is critical that you establish who is authorized to access what data. In BI, authorizations can be defined and maintained by InfoObject, query, InfoProvider, and hierarchy. Authorizations can be inserted into roles, which are used to determine what type of content is available to specific users or user groups. Role templates and business content roles are delivered with BI.
The primary activities in BI are displaying data and analyzing results. The end user will only be analyzing data, not updating it.
Security in BI:
The security function in BI does not put the focus on transaction codes or activities. Instead, it focuses on the data itself. The security function in BI focuses on:
- InfoAreas
- InfoProviders (InfoCubes, DataStore objects)
BI is focused on what data a user can access. This may be controlled at the field level, or it may be controlled at the InfoProvider level. The InfoProvider is a category of objects that can provide data to a query, such as InfoCubes and DataStore objects. The InfoCube or DataStore object holds the summarized data that the user can then analyze. Query results are based on the data in the InfoProvider.
There are two major types of authorization in BI. One type focuses on Administrative users (S_RS_ADMWB) and another type focuses on Reporting users (S_RS_COMP).
If you restrict users to certain InfoCubes, this may be an easy way to set up and maintain authorizations, but it will severely restrict access. It would mean users can either access ALL the data in an InfoCube or NO data in the InfoCube.
For securing reporting Users, you may want to define authorizations at a much lower level than the InfoCube.
The options for authorization include:
- InfoCube level: restrict access at the InfoCube level
- Characteristic level: restrict access to all values of a particular characteristic
- Characteristic value level: restrict access to certain values of a particular characteristic
- Key figure level: restrict access to certain key figures
- Hierarchy node: restrict access to certain nodes of a hierarchy
Securing Data Access for Reporting users:
You have restricted access for reporting users by InfoCube. A sales manager can run any query created for the InfoCube. However, each sales manager is responsible for a specific division. Although all sales managers can run the same query, the results should be displayed only for their assigned division. You need to enable a reporting user to query data by their assigned division.
Minimum Authorization Requirements for a Reporting User:
- Analysis authorization for an Infoprovider
- S_RS_COMP (Activities 03,16).
- S_RS_COMP1 (query Owner)
- S_RFC (BEx Analyzer or BEx Browser only)
- S_TCODE (RRMX for BEx Analyzer)
A reporting user must have authorization for the S_RS_COMP, S_RS_COMP1 authorization objects as well as analysis authorization for the Infoprovider on which the query is based.
In addition, if the reporting user will be using the BEx Analyzer reporting tool, they will need authorization for the objects S_RFC and S_TCODE, with authorization for transaction code RRMX.
Create roles: go to PFCG, enter the role name (e.g. SALES_AUTH_MP), and click Single Role.
Go to the Authorizations tab and select Change Authorization Data.
Provide the details of your InfoArea, InfoCube, and query, then click Save and Generate.
Create the user: go to SU01 and create sales manager north (sales north).
Add details to the user and assign an initial password to the user.
In the Roles tab, assign the roles to the user.
Log on to the BEx Analyzer with your user ID and execute your query. In the query result, drill down by division. Notice that you have access to several divisions.
Ensure that the InfoObject Division is flagged as authorization-relevant.
Go to RSECADMIN, select the Authorizations tab, and click Maintenance.
Create the authorization ZDIVNT and press the Create button.
Enter the short, medium, and long text: Secure by Division.
Insert a row by pressing the + icon.
Highlight the row with Division, choose Details, and insert a row by pressing the + icon.
Select I in the Including/Excluding column.
Select EQ in the Operator column.
Enter North in the characteristic From column.
Save and press the green arrow back.
Choose Insert Special Characteristics: the special characteristics 0TCAACTVT (activity), 0TCAIPROV (InfoProvider), and 0TCAVALID (validity) should now be added to your analysis authorization.
Save. Return to the management of analysis authorizations (green arrow back).
Assign your reporting user to your analysis authorization, ZDIVNT. By assigning your reporting user to your new analysis authorization, that user will have access only to division North (Pumps).
Choose the User tab and choose Assign.
In the User field, enter your reporting user ID and choose Change.
In the Authorization section, enter the name ZDIVNT and press Insert.
Save. Return to the SAP menu (green arrow back, green arrow back).
Go to PFCG, select the Authorizations tab, and click Change Authorization Data. Expand Business Information Warehouse, expand BI analysis authorization data, and give the input for the authorization object.
Log in to the BEx Analyzer with your administration user ID.
Select your query (Z_MP_AUTH_REP). Once the query is open, select it, then choose Tools → Edit Query from the BEx toolbar.
Open your Query Designer and press the Filter button.
From the context menu for Division, choose Restrict.
In the dialog shown, choose Variable.
Highlight Z_DIVI (division) and copy it to the selection list on the right by pressing the right arrow. Press OK and then save.
Save the query, press OK, and return to the BEx Analyzer.
Leave Division blank: your query will then display all the divisions during drill-down. If you select a specific division, only that division will be displayed during drill-down. When the query results are displayed, choose Filter and double-click Division. You should see all divisions in the drill-down (Division: East, West, North, South).
As your reporting user, execute your report query, Z_MP_AUTH_REP. Select Pumps at the variable prompt. When the query is displayed, drill down on Division. You should see only division North.
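The ZDIVNT rows built above (I / EQ / North plus the three special characteristics) can be modelled in a few lines to show why the query needs the division variable. This is an added example, not SAP code or part of the original walkthrough; the names DIVISION and SALES_CUBE and the values given to the special characteristics are assumptions. It models the check as all-or-nothing, because analysis authorizations are checked against the requested selection rather than applied as a filter.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass(frozen=True)
class Row:
    characteristic: str
    sign: str      # "I" = including, "E" = excluding
    operator: str  # "EQ" = single value, "CP" = pattern such as "*"
    value: str

    def matches(self, v: str) -> bool:
        if self.operator == "CP":
            return fnmatchcase(v, self.value)
        return v == self.value

# Constructed model of ZDIVNT. "DIVISION" and "SALES_CUBE" are hypothetical
# technical names; the special-characteristic values are assumed.
ZDIVNT = [
    Row("DIVISION", "I", "EQ", "North"),
    Row("0TCAACTVT", "I", "EQ", "03"),  # assumed: display only
    Row("0TCAIPROV", "I", "CP", "*"),   # assumed: any InfoProvider
    Row("0TCAVALID", "I", "CP", "*"),   # assumed: no validity limit
]
ALL_DIVISIONS = {"East", "West", "North", "South"}

def value_allowed(auth, characteristic, value):
    """A value passes if an including row matches and no excluding row does."""
    rows = [r for r in auth if r.characteristic == characteristic]
    included = any(r.sign == "I" and r.matches(value) for r in rows)
    excluded = any(r.sign == "E" and r.matches(value) for r in rows)
    return included and not excluded

def check_query(auth, infoprovider, divisions, activity="03", on_date="20240101"):
    """Return (ok, denied_divisions) for the requested selection.

    The whole selection must be covered; one uncovered division denies
    the query instead of silently trimming the result.
    """
    special = (("0TCAACTVT", activity), ("0TCAIPROV", infoprovider),
               ("0TCAVALID", on_date))
    if not all(value_allowed(auth, c, v) for c, v in special):
        return False, sorted(divisions)
    denied = sorted(d for d in divisions
                    if not value_allowed(auth, "DIVISION", d))
    return not denied, denied

if __name__ == "__main__":
    print(check_query(ZDIVNT, "SALES_CUBE", {"North"}))      # restricted selection
    print(check_query(ZDIVNT, "SALES_CUBE", ALL_DIVISIONS))  # blank = all divisions
```
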