Authorizations in SAP Business Warehousing

Business scenario for Authorizations in SAP Business Warehousing is relevant in the following scenario.Your company has decided that it must restrict access to potentially sensitive cost center information. Cost center managers must only be able to see data about their own particular cost centers. 

You have to create new reporting objects to protect data from particular cost centers from being accessed.
You use the role-maintenance functions to apply the authorization concept.

Authorization objects are the link between the authorizations that are checked by programs and the authorizations that are given to a user.A role contains a collection of authorizations known as a profile. When a user is assigned to a role,the or she is given the authorizations included in the profile of the role.

A role is a combination of activities or tasks that are the responsibility of an individual user.Authorizations or menu objects that the user needs in order to be able to fulfil a particular role, are assigned to the user in the role maintenance (transaction PCFG).You must no longer use the old transactions for maintaining authorizations (SU02) and profiles (SU03). Use transaction PFCG instead. Many standard roles are delivered with Business Content.


There is a user master record for every SAP BW user. User master records can be assigned to roles. A user master record can be assigned to more than one role.Profiles can be used in as many user master records as required. If you change the authorization for an authorization object, the change affects all of the user master records that are assigned to profiles containing this authorization.


Contain a combination of transactions and workflow tasks required by activities in your organization  for example, auditor, sales representative
Contain a date-dependent authorization profile that assigns the necessary authorizations for each activity
Are assigned to organizational objects for example, jobs, positions
Allow the date-dependent assignment of authorization profiles to user master records

Roles can have more than one period of time in which they are valid (a validity period). Each validity period can have variations in the transaction selection or authorization profile data. Validity periods  may not overlap one another.Within a role, transactions are assigned using the company menu. This enables the profile generator tool to retrieve the required authorization objects and the default authorization values from the configuration tables.The company menu must be configured first. You also need decide beforehand, which authorization objects are relevant for which transaction.

Role maintenance is a tool that allows authorization administrators to generate and assign authorization profiles automatically. This simplifies the task of setting up the authorization environment during the implementation of the SAP BW.Role maintenance contains the following steps: 

Selecting transactions from the company menu
ŸRetrieving all the authorization objects for the selected transactions
ŸGenerating authorizations once the field restrictions have been determined for each authorization object
ŸGrouping authorizations into profiles that are generated automatically
The administrator has only to configure the customer-specific settings, such as:

ŸThe company menu
ŸActivating the transactions that are available for the customer
ŸMaintaining the scope of authorization checks in transactions
ŸAssigning the authorization objects that are relevant to a transaction
ŸAssigning default values for authorization object fields on an organizational level

Roles: Maintaining Authorizations

The structure has the following levels:

Level 1: Classes for authorization objects
Level 2: Author ization objects
Level 3: Authorization(s)
Level 4: Field values for authorizations

If you change a role, you have to regenerate the authorization profile that belongs to it.Once the authorization profile has been created, you can give it a descriptive name. Otherwise, the name generated by the system is used.

Using Templates in Role-Maintenance

A selection of the templates for roles that are delivered with SAP BW:

  1. S_RS_RDEAD Role: Administrator (development system)
  2. S_RS_RDEMO Role: Modeler (development system)
  3. S_RS_ROPAD Role: Administrator (live system)
  4. S_RS_ROPOP Rolle: Operator (live system)
  5. S_RS_RREDE Role: Reporting Developer (live system)
  6. S_RS_RREPU Role: Reporting User

You can also create your own role templates. They contain default values for the corresponding  authorizations that refer to different authorization objects for you to include in your new roles.

Using role templates makes it easier to create authorizations and authorization objects.Customer-defined templates must not start with the letter "S". 

 The Business Content supplied with  SAP BW provides many examples of roles across all segments of an enterprise. These can be used to quickly model the job functions within your enterprise.

Related Posts

No comments :

Post a Comment