Authorization Groups (BRGRU) Authorization Groups allow us to secure access to various entities in the SAP landscape.

The most common application of authorization groups is to secure tables but they can also be used to secure other objects like customers, vendors, accounts or materials. In fact authorization groups are represented by the authorization field BRGRU and they form part of quite a few authorization objects. However lets start our discussion with the example of table authorization groups. Table authorization groups are created through the SE54 transaction shown below.

SE54 - Inital Screen To secure access to tables/views through authorization groups, we need to assign it an authorization group. We have the choice of using any of the existing authorization groups or create a new one for our table. Both these activities can be completed through the SE54 transaction as shown below.

SE54 - Create Table Authorization Groups Note that the figure above shows the existing auth-groups created in the system. The entry S_TABU_DIS appears at top of the screen as this is the auth groups assigned to the table needs to be maintained for the S_TABU_DIS object with the correct activity (02 change, 03 display, etc) in the users role to complete the process of securing table access. Another point to remember is

the fact that a table without any auth group maintained for it, is considered to be linked to the &NC& auth-group. So for these tables, &NC& need to be maintained in S_TABU_DIS.

SE54 - Assign Authorization Groups Now that we are done with the use of auth groups for securing table access, lets check out their use in securing other SAP applications. To better understand the subsequent use of auth groups lets start with a display of the BRGRU field (which represents them in authorization objects) in SU20. You will note that the BRGRU field has a length of 4 and has a check table TBRG. The TBRG table is the central repository of auth groups defined in the system. When creating new groups through the SE54 transaction, we are actually accessing this table filtered for S_TABU_DIS.

SU20 - Definition of field BRGRU (Authorization Group) To create auth groups for use in other objects, we need to directly access the TBRG table. We can use SM30, SM31 or SE16 for creating new entries. The figure below shows this table being maintained through SM30. We create entries for the F_LFA1_BEK object which is used to secure access to vendor master records.

SM30 - Creation of entries in TBRG table Now to secure vendors through the created auth groups, we need to update the vendor master (transaction FK02) as shown below with the same and maintain the same values in the F_LFA1_BEK object in the users roles.

FK02 - Change auth group for vendor Similarly auth groups can be maintained for customers as well through the XD02 transaction as shown below. In this case the TBRG entries are for the F_KNA1_BED object.

XD02 - Change auth group for customer

SAP BI Diagnostics & Support Desk Tool With the release of BI7.0 SAP introduced a requirement to force the use of a combination of a Java stack along with an ABAP stack. A majority of the BI engine is still running on the legacy ABAP engine. The newer web template functionality is now hosted on a Java stack. In order for the application to work correctly the communication between the two stacks has to be functioning correctly. In a legacy portal to BI3.5 integration the integration between the portal and BI system is configured in a single location: a portal system. However, there are many more integration points required between the portal and a BI7 instance. To help in debugging issues that arise when configuring the connection between the two systems, SAP has developed a tool which can be run to help identify issues and provide clues as to how to fix them; the SAP NetWeaver BI Diagnostics & Support Desk Tool. Solution:

It is a good idea to grab the latest version of the tool attached to OSS Note: 937697. Once the tool has been deployed to the Java stack, it can be access via <http| https>://<j2ee_server>:<j2ee_port>/irj/servlet/prt/portal/prtroot/com.sap.ip.bi.supportdesk.default After logging in ( see Note 937697 for security requirements ), you will be prompted with an overview screen. This screen will tell you if your configuration is working properly or not.

The stoplight at the top of the screen will tell you immediately if you have a properly configured system.

The RED light lets you know that there are issues with your system configuration. Scroll down to the bottom of the screen for more specific information.

As you go through each item with a RED light, you will see suggestions from SAP on how to solve them.

Once you have solved each of the problem items, click on the Reload Configuration button at the top of the screen to rerun the tests

With any luck the light at the top of the page will eventually turn green and your configuration will be complete.