Creating an Authorization Object to Control User Access to the InfoCube Data - SAP BW

Authorization objects,are the foundation of SAP authorization management. For this reason,SAP provides many authorization objects for most conceivable activities that users might perform on R/3 and BW objects. Nevertheless,in BW,we almost always need to create our own authorization objects. For example,the sales manager might decide that it is not appropriate for users in one sales region to view another region's sales data. In this case,the appropriate authorization object is not available from SAP,so we must create one by ourselves.

Before we create our own authorization object,we need to do a few things.

Step 1. Modify the InfoObject IO_SREP to make it be authorization relevant.

Open the InfoObject IO_SREP,and then select the option Authorization Relevant in the General settings block under the Business Explorer tab. ClickClick to check the new InfoObject definition. If it is valid,clickClickto activate the change.

Change Characterstic IO_SREP: detail

Step 2. Make sure that the InfoObject 0TCTAUTHH is available.

Note:If the InfoObject 0TCTAUTHH is not available,follow the instructions in "Installing Business Content and Loading R/3 Data," to install it.

Now,we can create our authorization object.

Administrator work bench modelling

Work Instructions:
Step 1. Log on to BW,and then either double-click Reporting Authorization Objects or run transaction RSSM.
Work Instructions

Step 2. Enter a name,make sure the Object option is selected,and then click clickto create the authorization object.
Business Information warehouse Authorizations

The names of customer-developed authorization objects must begin with Y or Z.

Step 3. In the pop-up window,enter a description and then clickClick to continue.
Create Authorization object

Step 4. Select IO_SREP and 0TCTAUTHH from the Authorization relevant | Objects window. Move them to the left window by clickingclicking Click saveto save the changes.
Maintain Authorization fields

Step 5. For demonstration purposes,clicklocal-object to save the authorization object as a local object so it will not be transported to other systems.
create object Directory Entry

Note:See "Development Class," for more information on $TMP and local objects.

A status message Authorization object ZAO_SREP saved will appear at the bottom of Screen. The authorization object has been created with two fields,IO_SREP and 0TCTAUTHH.

Next,we will specify the InfoCubes to which this authorization object will apply.

Step 6. Select the Check for InfoCubes option,and then clickpen to change the authorization object.
Business Information Warehouse Authorizations

Step 7. Select IC_DEMOBC,and then click saveto save the authorization object.
Switch on/off info cube check

Note:Only one InfoCube depends on InfoObject IO_SREP. Otherwise,more dependent InfoCubes would be listed.

Next,we need to create an authorization for each region.

Step 8. Select the option Authorization definition fr hierarchies,and then clickpen to create an authorization.
Business Information Warehouse Authorization

Step 9:Enter a name for the authorization and provide other information as shown in Screen. Click Clickto look up the available Type of authorization.

Note:Except for the name of the authorization,you can populate all fields by clicking and choosing one item from the list.
Maintain Authorization for Hierarchy

Step 10. Select 1 for Subtree below nodes,and then clickClick to continue.
Short text

Step 11. Clicksave to save the authorization.
Maintain Authorization for Hierarchy

You have created the authorization using the newly created authorization object.We use the same method to create an authorization for the West region.
Maintain Authorization for Hierarchy

Now we can use the authorization object and the authorizations to create an authorization profile for a role. The users assigned to this role and the role created in Section can access only the East region's sales information.

Step 12. Repeat the steps from Screen to Screen to create a role called R_RUN_SREP_EAST. This time,however,clickdon't Select templates because we will use our own authorization object.
own authorization object

Step 13. Click manullyto insert our authorization object.
Change role: Authorizations

Step 14. Enter ZAO_SREP as the authorization object,and then click Clickto continue.

Manual Selection of Authorizations

Step 15. Clickpen to add authorizations to the Authorization for hierarchy field.

Change role Authorizations

Step 16. Enter ZA_SREP_EAST,an authorization created previously,and then clicksave to continue.
Maintain Field values

Step 17. Click to generate the authorization profile for the role.
generate the authorization profile for the role.

Step 18. This message indicates that the Sales rep. ID field has no values. Clickgenerate to continue.
Generate Profiles

Step 19. Enter a name and a description,and then click Clickto continue.

Assign profile name for generated authorization profile

Step 20. Notice that the status light of the Authorizations tab turns green. Click the User tab to assign user U_EAST to this role,and then clickuser-compare to add the authorization profile to U_EAST's master data.
Change roles

Step 21. Repeat the steps from Screens. When they are complete,the status light of the User tab will turn green.
Change roles

You have created the role R_RUN_SREP_EAST using a new authorization object. Users as signed to this role and the role created can only access the East region sales data. For example,when user U_EAST runs the query in Screen again,the user will have only two cities from which to choose Screen .
Select Hierarchy nodes

All rights reserved © 2018 Wisdom IT Services India Pvt. Ltd Protection Status

SAP BW Topics