[ BI 7 Authorisation Design ]

The BI7 Design will contain customer exit variables which will allow the InfoObject restrictions to be applicable only to selected InfoProviders.

The following is required to achieve this design:

  1. Create customer exit variables:
    1. ZCST_CC          - Company Code

 

To create these variables. Open up the Query Designer and open up a query with either of the above InfoObjects.

Right click on the required InfoObject and select “Restrict”

 

Right click on the left scroll window and select “New Variable”

Complete required details.


Remove “Ready for Input” checkbox.

 

  1. Create Analysis Authorisations

RSECADMIN

Maintenance


Change / Create

Click the following to add the standard objects:

Double click each object to set intervals:


Note the Customer Exit Variable is added here.


  1. Create table if it does not exist

SE11
Table name: ZTS_INFOPROVIDER

Generate maintenance view:

 


  1. Modify the User Exit

 

Enhancement: RSR00001
Exit: EXIT_SAPLRRS0_001
Include: ZXRSRU01

Run à SMOD


Display

Components


Double click on exit

Double click on include

In the data section:

lv_infoprovider_check TYPE c.

In the i_vnam case statement

WHEN 'ZCST_CC'.
lv_infoprovider_check = 'X'.

 

And finally at the end of the code add the following ‘if’ statement:

* Check to see if a customer exit has been encountered
if lv_infoprovider_check EQ 'X'.

* Check table to see if infoobject/infoprovider
* Combination exist
select count( * )
from ZTS_INFOPROVIDER
where INFOPROV EQ I_S_COB_PRO-INFOPROV
and INFOOBJ EQ I_S_COB_PRO-IOBJNM.

* If table is not found, then provide full access
* to the restructed InfoObject
if sy-subrc NE 0.

    l_s_range-opt = 'EQ'.
l_s_range-sign = 'I'.
l_s_range-low = '*'.
APPEND l_s_range TO e_t_range.

  endif.
lv_infoprovider_check = space.
endif.

Authorisation objects:

Object Name: ZPK_AUTH - PKSW Global Authorisations

Field

Value

Name

Description

From

To

0COMP_CODE

Company code

1010

1080

 

 

$ZCST_CC

 

ZTRAN_FLG

Flag: Transfield

*

 

0TCAACTVT

Activity in Analysis Authorizations

03

 

0TCAIPROV

Authorizations for InfoProvider

*

 

0TCAVALID

Validity of an Authorization

*

 

Role name: ZPK_AUTH - PKSW Global Authorisations

Object

Value

Name

Description

Field

Value

S_RS_AUTH

BI Analysis Authorizations in Role

BIAUTH

ZPK_AUTH

 

Object Name: ZNZ_AUTH – NZ Steel Global Authorisations

Field

Value

Name

Description

From

To

0COMP_CODE

Company code

2010

2140

 

 

$ZCST_CC

 

ZTRAN_FLG

Flag: Transfield

*

 

0TCAACTVT

Activity in Analysis Authorizations

03

 

0TCAIPROV

Authorizations for InfoProvider

*

 

0TCAVALID

Validity of an Authorization

*

 

Role name: ZNZ_AUTH - PKSW Global Authorisations

Object

Value

Name

Description

Field

Value

S_RS_AUTH

BI Analysis Authorizations in Role

BIAUTH

ZNZ_AUTH

 

Object Name: ZAM_AUTH – AusMM Global Authorisations

Field

Value

Name

Description

From

To

0COMP_CODE

Company code

1310

1320

 

 

$ZCST_CC

 

ZTRAN_FLG

Flag: Transfield

*

 

0TCAACTVT

Activity in Analysis Authorizations

03

 

0TCAIPROV

Authorizations for InfoProvider

*

 

0TCAVALID

Validity of an Authorization

*

 

Role name: ZAM_AUTH - PKSW Global Authorisations

Object

Value

Name

Description

Field

Value

S_RS_AUTH

BI Analysis Authorizations in Role

BIAUTH

ZAM_AUTH

 

Object Name: ZCO_AUTH – Corporate Global Authorisations

Field

Value

Name

Description

From

To

0COMP_CODE

Company code

1510

1560

 

 

$ZCST_CC

 

ZTRAN_FLG

Flag: Transfield

*

 

0TCAACTVT

Activity in Analysis Authorizations

03

 

0TCAIPROV

Authorizations for InfoProvider

*

 

0TCAVALID

Validity of an Authorization

*

 

Role name: ZCO_AUTH - PKSW Global Authorisations

Object

Value

Name

Description

Field

Value

S_RS_AUTH

BI Analysis Authorizations in Role

BIAUTH

ZCO_AUTH

 

Object Name: ZLO_AUTH – Logistics Global Authorisations

Field

Value

Name

Description

From

To

0COMP_CODE

Company code

1410

1470

 

 

$ZCST_CC

 

ZTRAN_FLG

Flag: Transfield

*

 

0TCAACTVT

Activity in Analysis Authorizations

03

 

0TCAIPROV

Authorizations for InfoProvider

*

 

0TCAVALID

Validity of an Authorization

*

 

Role name: ZLO_AUTH - PKSW Global Authorisations

Object

Value

Name

Description

Field

Value

S_RS_AUTH

BI Analysis Authorizations in Role

BIAUTH

ZLO_AUTH

 

Object Name: ZPK_AUTH_TR – Logistics Global Authorisations

Field

Value

Name

Description

From

To

0COMP_CODE

Company code

1010

1080

 

 

$ZCST_CC

 

ZTRAN_FLG

Flag: Transfield

X

 

0TCAACTVT

Activity in Analysis Authorizations

03

 

0TCAIPROV

Authorizations for InfoProvider

*

 

0TCAVALID

Validity of an Authorization

*

 

Role name: ZPK_AUTH_TRANS - PKSW Global Authorisations

Object

Value

Name

Description

Field

Value

S_RS_AUTH

BI Analysis Authorizations in Role

BIAUTH

ZPL_AUTH_TR

 

Object Name: ZAM_AUTH_TR – Logistics Global Authorisations

Field

Value

Name

Description

From

To

0COMP_CODE

Company code

1310

1320???

 

 

$ZCST_CC

 

ZTRAN_FLG

Flag: Transfield

X

 

0TCAACTVT

Activity in Analysis Authorizations

03

 

0TCAIPROV

Authorizations for InfoProvider

*

 

0TCAVALID

Validity of an Authorization

*

 

Role name: ZAM_AUTH_TRANS - PKSW Global Authorisations

Object

Value

Name

Description

Field

Value

S_RS_AUTH

BI Analysis Authorizations in Role

BIAUTH

ZAM_AUTH_TR

 

Notes:

The following objects:
0TCAACTVT
0TCAIPROV
0TCAVALID

Need to be assigned to a user in at least one authorisation. Therefore the are independent of other auth objects.

 

The Colon (:) authorisation value

  • Enable the execution of queries that do NOT contain authorisation-relevant InfoObjects that are checked in the InfoCube.
  • Enable summary data to be reported for characteristic levels where user does not have authorisation to access detailed data.

 

Important: Once an InfoObject is authorisation relevant, ALL queries on ALL InfoProviders containing that InfoObject will be checked for authorisation. Even if the InfoObject is not contained in the query. Every query that does not use the secured InfoObject(s) will fail if the user does not have the colon ‘:’ or ‘*’ authorisation.

 

List of InfoProviders:

Assign to Role

Once created the new auth object must be assigned to the Role.

Run: PFCG


Create Single Role

Authorisations tab

Change


Add object S_RS_AUTH

 


Add new analysis auth object.

 

Generate profile and you are done.

 

Transport Authorisation Objects

Transaction à RSECADMIN

Transport


Select the required auth objects