Authorization and Roles in SAP BW

In BW, a user may be able to access an InfoCube or a specific query, but that does not mean they can also access all the data contained in those objects. That is why access privileges must be configured in the SAP BW system, by creating authorizations and assigning them to user roles.

If you want to know the main transactions and how to create authorization, roles, and assign them to a user in a simple way, this blog is for you!

Here is a summary of the steps to follow:

  1. Creating an authorization, via T-Code RSECADMIN.
  2. Creating roles and assigning authorizations to the roles, via T-Code PFCG:
    • A general role for all BI users
    • A general role for developers
    • A specific role for specific business users
    Alternatively, you can also assign authorizations directly to a user, via T-Code RSECADMIN.
  3. Creating a user and assigning roles to the user, via T-Code SU01.
  4. Checking the authorization set-up for any user, via T-Code RSECADMIN.

Step 1: Creating authorization

  1. T-Code RSECADMIN
  2. Tab ‘Authorizations’
  3. Select ‘Ind. Maint.’
  4. Authorization: Type the technical name
  5. Click on the icon ‘Create’
  6. Short Text: Complete the description
  7. Click on the icon ‘Insert Special Charact’; the following 3 special characteristics are added:
    0TCAACTVT [Activity in Analysis Authorizations]: As default value, you get Display [03].
    0TCAIPROV [Authorizations for InfoProvider]: As default value, you get All [*].
    0TCAVALID [Validity of an Authorization]: As default value, you get All [*].

These 3 characteristics need to be added in at least one authorization for a user.

  8. Click on the icon ‘Insert Row’ and select the InfoObject which is authorization-relevant.
    Example: a user is allowed to access data only for a specific company code, so you add a restriction on that company code.
  9. Click on the icon ‘Save’ to save the authorization.

Figure 1: Creating authorization
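As an added example (not SAP code and not from the original post), the Python below models how the analysis authorization created in Step 1 is applied to a query: the three special characteristics plus one company-code restriction, and the rule that an unfiltered characteristic needs a ‘*’ authorization. The technical name, InfoProvider and company codes are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Added example, not SAP code: a simplified model of one analysis authorization
# as created in Step 1. Names and values are constructed; real checks also
# handle intervals, hierarchies and the combination of several authorizations.
ANALYSIS_AUTH = {                          # technical name assumed: ZCC_1000
    "0TCAACTVT": ["03"],                   # activity: Display only
    "0TCAIPROV": ["*"],                    # InfoProvider: all
    "0TCAVALID": ["*"],                    # validity: always
    "0COMP_CODE": ["1000"],                # restriction to one company code
}
AUTH_RELEVANT = {"0COMP_CODE"}             # InfoObjects flagged authorization-relevant

def _covered(allowed, requested):
    """Every requested value must match an allowed value ('*' wildcard). A
    requested '*' (no filter in the query) is only covered by an allowed '*'."""
    return all(any(fnmatchcase(v, a) for a in allowed) for v in requested)

def query_allowed(auth, infoprovider, selection, activity="03", on_date="20240101"):
    """selection maps InfoObject -> list of selected values; a characteristic
    the query does not filter on counts as '*'. Returns (ok, reason)."""
    if not _covered(auth["0TCAACTVT"], [activity]):
        return False, "activity not authorized"
    if not _covered(auth["0TCAIPROV"], [infoprovider]):
        return False, "InfoProvider not authorized"
    if not _covered(auth["0TCAVALID"], [on_date]):
        return False, "authorization not valid on this date"
    for iobj in sorted(AUTH_RELEVANT):
        if not _covered(auth.get(iobj, []), selection.get(iobj, ["*"])):
            return False, f"selection on {iobj} exceeds authorization"
    return True, "ok"

if __name__ == "__main__":
    # Step-1 scenario: the user may see company code 1000 only.
    print(query_allowed(ANALYSIS_AUTH, "ZCOPA_C01", {"0COMP_CODE": ["1000"]}))
    print(query_allowed(ANALYSIS_AUTH, "ZCOPA_C01", {"0COMP_CODE": ["1000", "2000"]}))
    print(query_allowed(ANALYSIS_AUTH, "ZCOPA_C01", {}))   # no filter needs '*'
    print(query_allowed(ANALYSIS_AUTH, "ZCOPA_C01", {"0COMP_CODE": ["1000"]}, activity="02"))
```

The last two calls show the two cases that most often surprise users: a query without a filter on an authorization-relevant characteristic is rejected, and so is any activity other than the one authorized.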

Step 2: Creating role and assigning authorization(s) to role

  1. T-Code PFCG
  2. Role: Type the technical name
  3. Click on the icon ‘Create Single Role’
  4. Description: Complete the description
  5. Click on the icon ‘Save’
  6. Tab ‘Authorizations’
  7. Click on the icon ‘Change Authorization Data’
  8. Click on the icon ‘Selection Criteria’ and assign the authorizations needed
    For the authorizations to assign, see steps 2.1 / 2.2 / 2.3 below, which list the criteria you can select per role.
  9. After selecting all authorizations for the role, save and generate the role

Figure 2: Creating role

Step 2.1: Creating a general role for all BI users

Regarding the creation of the roles, we recommend creating a main role for all BI users that grants the rights to access BW systems via front-end tools (like Analysis for Office or SAP Analytics Cloud), with the following criteria:

Authorization object / Goal and Restriction

S_RFC (Authorization Check for RFC Access)
– Activity: Execute
– Name (Whitelist) of RFC object: *
– Type of RFC object to which ac: Function group, Function Module

Goal: To be able to execute modules (for example, a function group or function modules).

S_TCODE (Transaction Code Check at Transaction Start)
– Transaction Code: RAAOE, RRMX

Goal: To be able to launch Analysis for Office from the transaction RAAOE or start the Business Explorer Analyzer from the transaction RRMX (used for viewing the query output or AFO workbooks).

S_C_FUNCT (C calls in ABAP programs)
– Activity: Execute
– Name of C Routine Callable Usi: *
– Program Name with Search Help: *

Goal: To be able to call functions directly from ABAP programs (with the ABAP keyword CALL).

S_ADT_RES (Authority object for ABAP Development Tool Resource Access)
– REST resource URI prefix: /sap/bw/modeling/*

Goal: To be able to access all ABAP development tools.

S_BDS_D (Authorizations for Accessing Documents)
– Activity: All activities
– BDS: Data element for LOIO cla: *

Goal: To get access to Business Document Service documents and perform all activities on them (create, change, display, delete, …).

S_BDS_DS (Authorizations for Document Set)
– Activity: All activities
– Business Document Service: Cla: BW_*
– Business Document Service: Cla: Other objects

Goal: To get access to Business Document Service documents that belong to a document set and perform all activities on them (create, change, display, delete, …). Example: this object is needed to save AFO workbooks in ‘My Documents’.

S_OC_SEND (Authorization Object for Sending)
– Valid communication methods: All values
– Range of number of recipients: *

Goal: To get the authorization to send externally and internally.

S_RS_AO (Analysis Office: Authority Object)
– Activity: Display, Execute
– Analysis Client Technical Name: *
– Analysis Client Object Type: Microsoft Excel, Microsoft PowerPoint
– Owner (Person Responsible) for: *

Goal: To get authorizations for working with SAP BusinessObjects Analysis, edition for Microsoft Office. With these values, users can only display and execute the AFO workbooks created by the BI developers.

Note: If you want to allow users to save workbooks in ‘My Documents’, you can add a rule that gives them the right to save only workbooks whose technical name starts with a specific prefix (example: ZH_*), so that end users cannot overwrite existing workbooks.

Note that they will not be able to save workbooks under roles where they have only ‘Display’ and ‘Execute’ authorizations.

Additionally, we can make sure that only the user who created a workbook starting with ZH_* can change or delete it. This constraint is possible thanks to the naming-convention rule (starting with ZH_*) combined with the $USER variable for the owner field, with the following restrictions for the authorization:

S_RS_AO (Analysis Office: Authority Object)
– Activity: All activities
– Analysis Client Technical Name: ZH_*
– Analysis Client Object Type: Microsoft Excel, Microsoft PowerPoint
– Owner (Person Responsible) for: $USER

S_RS_BCS (BEx Broadcasting Authorization to Schedule)
– Activity: All activities
– Event ID in Broadcasting Frame: *
– Event Type in Broadcasting Fra: All values
– ID of a BW Reporting Object in: *
– Object Type of BW Reporting Ob: *

Goal: To get authorization to determine which user can schedule broadcast settings for execution, and in which way.

S_RS_PARAM (Business Explorer – Variants in Variable Screen)
– Activity: All activities
– Technical Name of Variant: *

Goal: To get authorization to work with variants of BEx objects (such as queries or Web templates). A variant combines one or more variable values under one name.

Here you have an overview of this general role needed for all BI users (business and developers):

Figure 3: General role for all BI users

Step 2.2: Creating a general role for developers

It is also recommended to create a role for the developers to give them full rights on reports.

The business can only display and execute reports (AFO workbooks for example), but the developers can also create, change, and delete them.

Here are the criteria you can add for this role:

Authorization object / Goal and Restriction

S_USER_AGR (Authorizations: Role Check)
– Activity: All activities
– Role Name: *

Goal: This authorization object is used to protect roles. Roles are used to combine users in groups and to assign them different attributes, in particular transactions and authorization profiles. In this case, the developer can perform all activities (create, change, save, delete, …) on workbooks in all roles (by saving the workbook in the correct and relevant role).

S_USER_TCD (Authorizations: Transactions in Roles)
– Transaction Code: All transaction

Goal: This authorization object controls the transactions that system administrators can assign to a role, as well as the transactions for which they can assign transaction code authorization (object S_TCODE). In this case, the developers can execute all transactions.

S_RS_AO (Analysis Office: Authority Object)
– Activity: All activities
– Analysis Client Technical Name: *
– Analysis Client Object Type: Microsoft Excel, Excel NW Embedded, Analysis Application
– Owner (Person Responsible) for: *

Goal: To get authorizations for working with SAP BusinessObjects Analysis, edition for Microsoft Office. Business users with the general BW role assigned (explained above) can only display and execute the AFO workbooks created by the BI developers. With this role, the developers can perform all activities: display and execute, but also create, change and delete.

Here you have an overview of this additional general role for developers:

Figure 4: General role for developers

Step 2.3: Create a specific role for specific business users

In this case, we will create a role that gives access to a specific module.

Here is how to set up the authorization role for a specific module (for example, COPA):

Authorization object / Goal and Restriction

S_RS_COMP (Business Explorer – Components)
– Activity: Display, Execute
– InfoArea: ANALYTICAL_BLOCK_COPA
– InfoCube: *
– Name (ID) of a reporting compo: *
– Type of a reporting component: * (Calculated key figure, Query View, Query, Restricted key figure, …)

Goal: To get access to the components that you work with in the Business Explorer query definition; access can be restricted to a specific InfoArea and to specific composite providers or queries.

Note: In this example, we have restricted authorizations to the required module ‘COPA’ with ‘Display’ and ‘Execute’ only (to ensure that end users cannot change any report created by the BI developers).

S_RS_COMP1 (Business Explorer – Components: Enhancements to the Owner)
– Activity: Display, Execute
– Name (ID) of a reporting compo: *
– Type of a reporting component: * (Calculated key figure, Query View, Query, Restricted key figure, …)
– Owner (Person Responsible) for: *

Goal: With this authorization, you can restrict query component authorization with regard to the owner. This authorization object is checked in conjunction with the authorization object S_RS_COMP.

Here you have an overview of this specific role giving access to module COPA for example:

Figure 5: Specific role for specific business users
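As an added example (not SAP code and not from the original post), the Python below models how the role restrictions from Step 2.1 (S_RS_AO for all BI users, plus the ZH_* / $USER rule from the note), Step 2.2 (the developer S_RS_AO values) and Step 2.3 (S_RS_COMP limited to one InfoArea) are evaluated for a user. Field keys are the page’s labels shortened, not SAP’s technical field names, and the user IDs, workbook and query names are constructed.

```python
from fnmatch import fnmatchcase

# Added example, not SAP code: how the role restrictions on this page are
# evaluated. Field keys are the page's labels, shortened, not SAP's technical
# field names; '*' is a wildcard and '$USER' resolves to the checking user.
GENERAL_BI_ROLE = {"S_RS_AO": [{                   # Step 2.1
    "Activity": ["Display", "Execute"], "Name": ["*"],
    "Type": ["Microsoft Excel", "Microsoft PowerPoint"], "Owner": ["*"]}]}
OWN_WORKBOOKS_ROLE = {"S_RS_AO": [{                # note in Step 2.1: own ZH_* only
    "Activity": ["*"], "Name": ["ZH_*"],
    "Type": ["Microsoft Excel", "Microsoft PowerPoint"], "Owner": ["$USER"]}]}
DEVELOPER_ROLE = {"S_RS_AO": [{                    # Step 2.2
    "Activity": ["*"], "Name": ["*"], "Owner": ["*"],
    "Type": ["Microsoft Excel", "Excel NW Embedded", "Analysis Application"]}]}
COPA_ROLE = {"S_RS_COMP": [{                       # Step 2.3: one InfoArea, read-only
    "Activity": ["Display", "Execute"], "InfoArea": ["ANALYTICAL_BLOCK_COPA"],
    "InfoCube": ["*"], "Name": ["*"], "Type": ["*"]}]}

def _field_ok(allowed, value, user):
    """One field passes if any of its allowed values matches."""
    return any(fnmatchcase(value, user if a == "$USER" else a) for a in allowed)

def authority_check(roles, user, obj, **fields):
    """SAP semantics: all requested fields must be covered by the SAME
    authorization; authorizations from all assigned roles are OR-ed."""
    return any(all(_field_ok(auth[f], v, user) for f, v in fields.items())
               for role in roles for auth in role.get(obj, []))

def can_use_workbook(roles, user, activity, name, wb_type, owner):
    return authority_check(roles, user, "S_RS_AO", Activity=activity,
                           Name=name, Type=wb_type, Owner=owner)

def can_use_query(roles, user, activity, infoarea, infocube, query):
    return authority_check(roles, user, "S_RS_COMP", Activity=activity,
                           InfoArea=infoarea, InfoCube=infocube, Name=query, Type="Query")

if __name__ == "__main__":
    biz = [GENERAL_BI_ROLE, OWN_WORKBOOKS_ROLE, COPA_ROLE]   # constructed business user JSMITH
    print(can_use_workbook(biz, "JSMITH", "Display", "Z_SALES", "Microsoft Excel", "DEV01"))    # True
    print(can_use_workbook(biz, "JSMITH", "Change", "Z_SALES", "Microsoft Excel", "DEV01"))     # False
    print(can_use_workbook(biz, "JSMITH", "Change", "ZH_MYVIEW", "Microsoft Excel", "JSMITH"))  # True
    print(can_use_workbook(biz, "JSMITH", "Delete", "ZH_MYVIEW", "Microsoft Excel", "KDOE"))    # False
    print(can_use_query(biz, "JSMITH", "Execute", "ANALYTICAL_BLOCK_COPA", "ZCOPA_C01", "ZCOPA_Q01"))  # True
    print(can_use_query(biz, "JSMITH", "Execute", "ANALYTICAL_BLOCK_FI", "ZFI_C01", "ZFI_Q01"))        # False
    print(can_use_workbook([DEVELOPER_ROLE], "DEV01", "Delete", "Z_SALES", "Microsoft Excel", "KDOE"))  # True
```

The business user can read any developer workbook but may only change or delete a ZH_* workbook they own, and can run queries only in the COPA InfoArea; the developer role lifts those limits.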

Moreover, for this specific role, you need to create a menu where all reports (AFO workbooks) will be saved:

  1. Tab ‘Menu’
  2. Click on the icon ‘Transaction’
  3. Select the transaction code ‘RRMX’
  4. Assign transaction and save the role

Figure 6: Creating a menu in specific role

Step 3: Creating user and assigning roles to user

  1. T-Code SU01
  2. User: Type the technical name
  3. Click on the icon ‘Create’
  4. Tab ‘Address’: Complete the user’s personal information
  5. Tab ‘Roles’: Assign roles needed to the user
  6. Save the user

Figure 7: Create user and assign roles to user

Step 4: Checking the authorization set up for any user

  1. T-Code RSECADMIN
  2. Tab ‘Analysis’
  3. Select ‘Execution as…’
  4. Execute as user: Select the name of the user you want to test
  5. Activate the option ‘With Log’ which will record an authorization trace for the query execution
  6. Select transaction ‘RSRT’ which is a query monitor where you can run and analyze queries without a BW front end
  7. Click on ‘Start Transaction’
  8. Enter the relevant query
  9. Click on the icon ‘Execute’
  10. You can see whether the user has the rights to see the query or not.

In the case below, the user has the authorization because the query could be executed without an error message.

If you get an error message, check the log via T-Code SU53.

Figure 8: Checking the authorization set up for any user

Summary

Before creating all the authorizations and roles, I advise you to collect all the requirements from the business (list of users, access rights per user, all restrictions needed in the organization, grouping of the queries, …). This preliminary analysis will allow you to define the most efficient way to split authorizations and roles, and it will also save you a lot of time. Be pragmatic and create analysis authorizations (via T-Code RSECADMIN) and general roles (via T-Code PFCG) that are relevant for the organization.

Camélia Rabyi

data & analytics consultant @ Cubis