The authorization check for accessing BW-BPS objects is part of the general SAP authorization check process. The SAP authorization check is based on authorization objects. An authorization object is made up of a maximum of 10 authorization fields. To define an authorization for an authorization object, you must specify values for the individual fields in the object. You can create as many authorizations as you need for an authorization object, each with different values for its fields. Profiles are lists of authorization objects. A user's authorizations for the various objects in the SAP BW System are determined by the authorization profiles that are assigned to the user master record.
In BW-BPS you have to distinguish between authorizations on transaction data and authorizations on customizing objects. Authorization on transaction data controls whether the user is allowed to use, see or change a set of data from an InfoCube. Authorization on customizing controls whether a user can use or change a customizing object such as a layout or a planning function.
Authorizations regarding InfoCube and transaction data are evaluated for both reporting and planning. Example: If a user has reporting permission for a cost center, it is automatically valid for planning as well. Reading transaction data requires authorization for InfoCube access (S_RS_ICUBE) and for transaction data (reporting authorization).
In reporting you only have to control the read access. In planning you have to distinguish between read and write access.
You create authorization objects using transaction RSSM or SU21. You add authorization-relevant characteristics and key figures to the authorization object. In planning you should add the technical InfoObject 0ACTIVITY to distinguish between read and write access.
If you use layouts with MS Excel, the system has to read the Excel templates for the planning layouts. You therefore need the authorizations for the object S_BPS_DS (Class name SEM_BPS and Class type OT).
All authorization objects for planning are delivered. They use the standard SAP authorization concept and can be displayed e.g. by using transaction SU21. They follow a naming convention: all planning objects start with "R_".
Authorization objects used in the planning framework (FW):
- R_AREA Planning area
- R_PLEVEL Planning level
- R_PACKAGE Planning package – no execution activity
- R_METHOD Planning method
- R_PARAM Parameter group
All authorization objects offer the following activities:
- 16 Execute (except package)
All objects mentioned before have a hierarchical relationship as shown in the slide. The activities are inherited automatically. Example: With activity 'execute' for R_PLEVEL, all functions and layouts defined for the planning level can be executed.
Hint 1: You cannot exclude any planning levels or packages. Instead you have to include all planning levels and packages explicitly.
Hint 2: For Manual Planning use the planning method "0-MP", for local sequences use "0-BF".
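The inheritance rule and Hint 1 can be seen in a small model. This is an added example, not SAP code: the hierarchy order (the slide is not reproduced here), the rule that a grant on any object in the path is sufficient, and the area and level names are assumptions made for illustration.

```python
# Added illustration: simplified model of BW-BPS framework authorization
# inheritance. Not SAP code; area and level names are constructed.
EXECUTE = "16"  # activity code listed on the page

# Assumed hierarchy order, top to bottom (the slide is not on the page).
# R_PACKAGE is left out because it has no execute activity.
ORDER = ["R_AREA", "R_PLEVEL", "R_METHOD", "R_PARAM"]

def grants(auths, obj, value, activity):
    """True if some authorization covers this object value with the activity."""
    return any(o == obj and v in ("*", value) and activity in acts
               for o, v, acts in auths)

def allowed(auths, path, activity=EXECUTE):
    """path maps object -> value for the target and its ancestors.
    Assumption: a grant on any object in the path is inherited downward,
    and there is no way to express an exclusion (Hint 1)."""
    return any(grants(auths, obj, path[obj], activity)
               for obj in ORDER if obj in path)

def executable_levels(auths, area, levels):
    """Which planning levels of an area can the role execute?"""
    return [lv for lv in levels
            if allowed(auths, {"R_AREA": area, "R_PLEVEL": lv})]

# Constructed sample data: one area with three levels, two candidate roles.
LEVELS = ["LV_SALES", "LV_COST", "LV_HR"]
ROLE_AREA = [("R_AREA", "PLAN01", {EXECUTE})]
ROLE_LEVELS = [("R_PLEVEL", "LV_SALES", {EXECUTE}),
               ("R_PLEVEL", "LV_COST", {EXECUTE})]

if __name__ == "__main__":
    for name, role in [("area grant", ROLE_AREA),
                       ("explicit levels", ROLE_LEVELS),
                       ("both", ROLE_AREA + ROLE_LEVELS)]:
        print(name, executable_levels(role, "PLAN01", LEVELS))
    # Manual planning (method 0-MP) on a level the role does not include
    manual = {"R_AREA": "PLAN01", "R_PLEVEL": "LV_HR", "R_METHOD": "0-MP"}
    print("0-MP on LV_HR:", allowed(ROLE_LEVELS, manual))
```

In this model, adding explicit level authorizations to a role that already holds the area grant restricts nothing; keeping a user away from one level means dropping the area grant and listing the remaining levels.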
- R_PROFILE Planning profile
- R_BUNDLE Global planning sequence
- R_WEBITF Web Interfaces (customizing and execution)
- R_PM_NAME Planning folder
- R_STS_CUST Customizing Status and Tracking System (STS)
- R_STS_SUP Super user access to STS
- R_STS_PT Executing STS (sub plan and planning sessions) as normal user