New SAP BI 7.

0 Authorization concept (analysis authorization) change a lot in

accessing, analyzing and displaying BI information. The approach allow to
restrict data access on Key figure, Characteristic, Characteristic value, Hierarchy
node, and InfoCube levels. It enables more flexible data access management.

Analysis authorization is active by default in SAP BI 7.0 systems and I think it is

worth to spend some time to look closer at the new concepts and the features. In
part one of this two-article series, I will show you how you can restrict access to
SAP BW reports on InfoObjects level.

Initial settings

At the beginning activate business content objects (TCode RSORBCT) related to

authorizations:

• InfoObjects 0TCA*
• InfoCubes 0TCA*

and set the following InfoObjects as Authorization-Relevant:

• 0TCAACTVT (activity such as Display)

• 0TCAIPROV (InfoProvider authorization)
• 0TCAVALID (validity period of authorization)
• 0TCAKYFNM (if you want to restrict access to key figure)

Characteristics authorization

Use TCode RSA1, go to Modelling -> InfoObjects. Display properties of the

characteristic to which you want to restrict access and set it as Authorization-
Relevant.
Characteristics values authorization

To authorize characteristics values you need to create new authorization object

through TCode RSECADMIN. The following pictures show how allow users to
access to specific sale organization (e.g., New York, San Francisco, Dallas).
1. Create new authorization object (e.g., Z_SORG_B).
2. Choose characteristic and press Details button.

3. Select sales organization (e.g., 1612 - New York, 1614 - San Francisco, 1615 -
Dallas). Available operators: EQ - single value, BT - range of values, CP - pattern
ending with (*) (e.g., abc*). You have also option to Include (I) or Exclude (E)
values.
Attributes authorization

To authorize navigational attributes, set them as Authorization-Relevant.

Hierarchies authorization

To grant authorization on hierarchy level edit or create authorization object (e.g.,

Z_SORG_B), add hierarchy and nodes, and choose type of authorization.
Key figure authorization

To grant authorization to particular key figure, add special object 0TCAKYFNM

to authorization object (e.g., Z_SORG_B), and choose the key figure to be
authorized.
Summary

InfoObject level authorization gives you a great flexibility, but keep in mind
system limitations. Avoid setting too many characteristics as authorization
relevant (more than 10 in a query). All marked characteristics are checked for
existing authorization if they are in a query or in an InfoProvider that is being
used. Too much authorization objects may slow query execution. Exception are
characteristics with all (*) authorization. If you want to check which InfoObjects
are authorization relevant in your BI system, use TCode RSECADMIN ->
Authorization Maintenance and display 0BI_ALL authorization. More about
0BI_ALL you will find in the article on creating and assigning authorization.

Remember that authorization do not work as a filters do. It means that the user
who is executing the query, where characteristics are authorization relevant, must
have sufficient authorization to the characteristics ("all-or-nothing" rule).
Exceptions are hierarchies in the drill down and variables which are dependent
on authorization.

In this post I present basic steps to transport SAP BI queries from development
to quality server. The steps are performed in source and target system, so you
need authorizations to release and import objects.

Source system
Start with transaction RSOR (Transport Connection), insert initial and target
source system names using Conversion button (2) and choose grouping type (3).
Select queries you would like to transport to target system and press Execute and
than Transport objects (truck) button.
Release the change request to transport using SE10 transaction. Press Display,
choose tasks and requests you would like to release and press the button with
single truck (or F9). When both task and request have been released successfully,
start transport in target system.

Target system
To import queries to quality system start STMS transaction > Import Overview
(F5) > Display Import Queue. On the Import Queue screen select the request and
press Import (truck with a small loading). Choose target client's number and
press enter. The queries will be written to the target system.

Standard BEx Transport Request

When the request, you have released, was set as Standard BEx Transport
Request, you need created a new standard request. If there is no standard
request, nobody is able to process queries or workbooks on the system. When you
try to do so, you will receive the error: The query could not be saved due to a
problem in transport. BEx transport request is not available or not suitable.

To create a new request you need to press BEx and than Assign / Delete button,
add the request and save the choice.
Now all new objects and modifications will be written to the chosen BEx
transport request. For more information on the standard transport request see
this note:194051.

Additional resource:
Transporting: role and objects.
Authorizations for change and transport: S_TRANSPRT and S_CTS_ADMI.