Creating an Authorization Object to Control User Access to the InfoCube Data

Authorization objects, such as the one in Screen 6.8, are the foundation of SAP authorization management. For this reason, SAP provides many authorization objects for most conceivable activities that users might perform on R/3 and BW objects. Nevertheless, in BW, we almost always need to create our own authorization objects. For example, the sales manager might decide that it is not appropriate for users in one sales region to view another region's sales data. In this case, the appropriate authorization object is not available from SAP, so we must create one by ourselves.

Before we create our own authorization object, we need to do a few things.

Prerequisites

Step 1. Modify the InfoObject IO_SREP to make it be authorization relevant.

Open the InfoObject IO_SREP, and then select the option Authorization Relevant in the General settings block under the Business Explorer tab. Click graphics/check.gif to check the new InfoObject definition. If it is valid, click graphics/activate.gif to activate the change.

 

 

SCREEN 6.18

graphics/06fig18.gif

Step 2. Make sure that the InfoObject 0TCTAUTHH is available.

 

 

Note

If the InfoObject 0TCTAUTHH is not available, follow the instructions in Section 10.4, "Installing Business Content and Loading R/3 Data," to install it.

SCREEN 6.19

graphics/06fig19.gif

Now, we can create our authorization object.

Work Instructions

Step 1. Log on to BW, and then either double-click Reporting Authorization Objects or run transaction RSSM.

 

 

SCREEN 6.20

graphics/06fig20.gif

Step 2. Enter a name, make sure the Object option is selected, and then click graphics/attribute.gif to create the authorization object.

 

 

SCREEN 6.21

graphics/06fig21.gif

Note

The names of customer-developed authorization objects must begin with Y or Z.

Step 3. In the pop-up window, enter a description and then click graphics/continue.gif to continue.

 

 

SCREEN 6.22

graphics/06fig22.gif

Step 4. Select IO_SREP and 0TCTAUTHH from the Authorization relevant | Objects window. Move them to the left window by clicking graphics/previous.gif Click graphics/save.gif to save the changes.

 

 

SCREEN 6.23

graphics/06fig23.gif

Step 5. For demonstration purposes, click graphics/localobject.gif to save the authorization object as a local object so it will not be transported to other systems.

 

 

SCREEN 6.24

graphics/06fig24.gif

Note

See Section 14.2, "Development Class," for more information on $TMP and local objects.

A status message Authorization object ZAO_SREP saved will appear at the bottom of Screen 6.23. The authorization object has been created with two fields, IO_SREP and 0TCTAUTHH.

Next, we will specify the InfoCubes to which this authorization object will apply.

Step 6. Select the Check for InfoCubes option, and then click graphics/change.gif to change the authorization object.
 

SCREEN 6.25

graphics/06fig25.gif

Step 7. Select IC_DEMOBC, and then click graphics/save.gif to save the authorization object.

 

 

SCREEN 6.26

graphics/06fig26.gif

Note

Only one InfoCube depends on InfoObject IO_SREP. Otherwise, more dependent InfoCubes would be listed.

Next, we need to create an authorization for each region.

Step 8. Select the option Authorization definition fr hierarchies, and then click graphics/change.gif to create an authorization.
 

SCREEN 6.27

graphics/06fig27.gif

Step 9.

Enter a name for the authorization and provide other information as shown in Screen 6.28. Click graphics/c.gif to look up the available Type of authorization.

Note

Except for the name of the authorization, you can populate all fields by clicking graphics/c.gif and choosing one item from the list.

SCREEN 6.28

graphics/06fig28.gif

Step 10. Select 1 for Subtree below nodes, and then click graphics/continue.gif to continue.

 

 

SCREEN 6.29

graphics/06fig29.gif

Step 11. Click graphics/save.gif to save the authorization.

 

 

SCREEN 6.30

graphics/06fig30.gif

Result

You have created the authorization using the newly created authorization object.

We use the same method to create an authorization for the West region (Screen 6.31).

SCREEN 6.31

graphics/06fig31.gif

Now we can use the authorization object and the authorizations to create an authorization profile for a role. The users assigned to this role and the role created in Section 6.1 can access only the East region's sales information.

Step 12. Repeat the steps from Screen 6.1 to Screen 6.5 to create a role called R_RUN_SREP_EAST. This time, however, click graphics/dontselecttemplates.gif because we will use our own authorization object.

 

 

SCREEN 6.32

graphics/06fig32.gif

Step 13. Click graphics/manually.gif to insert our authorization object.

 

 

SCREEN 6.33

graphics/06fig33.gif

Step 14. Enter ZAO_SREP as the authorization object, and then click graphics/continue.gif to continue.

 

 

SCREEN 6.34

graphics/06fig34.gif

Step 15. Click graphics/change.gif to add authorizations to the Authorization for hierarchy field.

 

 

SCREEN 6.35

graphics/06fig35.gif

Step 16. Enter ZA_SREP_EAST, an authorization created previously, and then click graphics/save.gif to continue.

 

 

SCREEN 6.36

graphics/06fig36.gif

Step 17. Click graphics/generate.gif to generate the authorization profile for the role.

 

 

SCREEN 6.37

graphics/06fig37.gif

Step 18. This message indicates that the Sales rep. ID field has no values. Click graphics/generate1.gif to continue.

 

 

SCREEN 6.38

graphics/06fig38.gif

Step 19. Enter a name and a description, and then click graphics/continue.gif to continue.

 

 

SCREEN 6.39

graphics/06fig39.gif

Step 20. Notice that the status light of the Authorizations tab turns green. Click the User tab to assign user U_EAST to this role, and then click graphics/usercompare.gif to add the authorization profile to U_EAST's master data.

 

 

SCREEN 6.40

graphics/06fig40.gif

Step 21. Repeat the steps from Screens 6.13 and 6.14. When they are complete, the status light of the User tab will turn green.

 

 

SCREEN 6.41

graphics/06fig41.gif

Result

You have created the role R_RUN_SREP_EAST using a new authorization object. Users as signed to this role and the role created in Section 6.1 can only access the East region sales data. For example, when user U_EAST runs the query in Screen 5.31 again, the user will have only two cities from which to choose (Screen 6.42).

SCREEN 6.42

graphics/06fig42.gif

Part I. Guided Tours

Business Scenario and SAP BW

Creating an InfoCube

Loading Data into the InfoCube

Checking Data Quality

Creating Queries and Workbooks

Managing User Authorization

Part II. Advanced Topics

InfoCube Design

Aggregates and Multi-Cubes

Operational Data Store (ODS)

Business Content

Generic R/3 Data Extraction

Data Maintenance

Performance Tuning

Object Transport

Appendix A. BW Implementation Methodology

Object Transport

Appendix B. SAP Basis Overview

Object Transport

Appendix C. Glossary

Appendix D. Bibliography



SAP Bw. A Step-By-Step Guide
Sap Bw: a Step By Step Guide for Bw 2.0
ISBN: B000LZM8CM
EAN: N/A
Year: 2002
Pages: 106

Flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net