Authorization objects, such as the one in Screen 6.8, are the foundation of SAP authorization management. For this reason, SAP provides many authorization objects for most conceivable activities that users might perform on R/3 and BW objects. Nevertheless, in BW, we almost always need to create our own authorization objects. For example, the sales manager might decide that it is not appropriate for users in one sales region to view another region's sales data. In this case, the appropriate authorization object is not available from SAP, so we must create one ourselves.
Before we create our own authorization object, we need to do a few things.
Prerequisites
Step 1. Modify the InfoObject IO_SREP to make it authorization relevant.
Open the InfoObject IO_SREP, and then select the option Authorization Relevant in the General settings block under the Business Explorer tab. Click to check the new InfoObject definition. If it is valid, click to activate the change.
SCREEN 6.18
Step 2. Make sure that the InfoObject 0TCTAUTHH is available.
Note
If the InfoObject 0TCTAUTHH is not available, follow the instructions in Section 10.4, "Installing Business Content and Loading R/3 Data," to install it.
SCREEN 6.19
Now, we can create our authorization object.
Work Instructions
Step 1. Log on to BW, and then either double-click Reporting Authorization Objects or run transaction RSSM.
SCREEN 6.20
Step 2. Enter a name, make sure the Object option is selected, and then click to create the authorization object.
SCREEN 6.21
Note
The names of customer-developed authorization objects must begin with Y or Z.
Step 3. In the pop-up window, enter a description and then click to continue.
SCREEN 6.22
Step 4. Select IO_SREP and 0TCTAUTHH from the Authorization relevant | Objects window. Move them to the left window, and then click to save the changes.
SCREEN 6.23
Step 5. For demonstration purposes, click to save the authorization object as a local object so it will not be transported to other systems.
SCREEN 6.24
Note
See Section 14.2, "Development Class," for more information on $TMP and local objects.
A status message Authorization object ZAO_SREP saved will appear at the bottom of Screen 6.23. The authorization object has been created with two fields, IO_SREP and 0TCTAUTHH.
Next, we will specify the InfoCubes to which this authorization object will apply.
Step 6. Select the Check for InfoCubes option, and then click to change the authorization object.
SCREEN 6.25
Step 7. Select IC_DEMOBC, and then click to save the authorization object.
SCREEN 6.26
Note
Only one InfoCube depends on InfoObject IO_SREP. Otherwise, more dependent InfoCubes would be listed.
Next, we need to create an authorization for each region.
Step 8. Select the option Authorization definition for hierarchies, and then click to create an authorization.
SCREEN 6.27
Step 9. Enter a name for the authorization and provide other information as shown in Screen 6.28. Click to look up the available Type of authorization.
Note
Except for the name of the authorization, you can populate all fields by clicking and choosing one item from the list.
SCREEN 6.28
Step 10. Select 1 for Subtree below nodes, and then click to continue.
SCREEN 6.29
Step 11. Click to save the authorization.
SCREEN 6.30
Result
You have created the authorization using the newly created authorization object.
We use the same method to create an authorization for the West region (Screen 6.31).
SCREEN 6.31
Now we can use the authorization object and the authorizations to create an authorization profile for a role. The users assigned to this role and the role created in Section 6.1 can access only the East region's sales information.
Step 12. Repeat the steps from Screen 6.1 to Screen 6.5 to create a role called R_RUN_SREP_EAST. This time, however, click because we will use our own authorization object.
SCREEN 6.32
Step 13. Click to insert our authorization object.
SCREEN 6.33
Step 14. Enter ZAO_SREP as the authorization object, and then click to continue.
SCREEN 6.34
Step 15. Click to add authorizations to the Authorization for hierarchy field.
SCREEN 6.35
Step 16. Enter ZA_SREP_EAST, an authorization created previously, and then click to continue.
SCREEN 6.36
Step 17. Click to generate the authorization profile for the role.
SCREEN 6.37
Step 18. This message indicates that the Sales rep. ID field has no values. Click to continue.
SCREEN 6.38
Step 19. Enter a name and a description, and then click to continue.
SCREEN 6.39
Step 20. Notice that the status light of the Authorizations tab turns green. Click the User tab to assign user U_EAST to this role, and then click to add the authorization profile to U_EAST's master data.
SCREEN 6.40
Step 21. Repeat the steps from Screens 6.13 and 6.14. When they are complete, the status light of the User tab will turn green.
SCREEN 6.41
Result
You have created the role R_RUN_SREP_EAST using a new authorization object. Users assigned to this role and the role created in Section 6.1 can access only the East region's sales data. For example, when user U_EAST runs the query in Screen 5.31 again, the user will have only two cities from which to choose (Screen 6.42).
SCREEN 6.42
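The effect of Steps 8 through 21 can be modeled in a few lines. The following is an added example, not SAP code or part of the original text: a simplified Python model of how a "Subtree below nodes" authorization limits what a user can select, plus an audit check for users who can reach more than one region. The hierarchy contents, node names, ZA_SREP_WEST, R_RUN_SREP_WEST, U_BOTH, and U_NONE are assumptions made for illustration.

```python
# Simplified model, not SAP code. Hierarchy contents, node names, ZA_SREP_WEST,
# R_RUN_SREP_WEST, U_BOTH and U_NONE are constructed sample data.
HIERARCHY = {  # hierarchy on IO_SREP: region -> city -> sales rep ID
    "EAST": ["CITY_E1", "CITY_E2"],
    "WEST": ["CITY_W1", "CITY_W2", "CITY_W3"],
    "CITY_E1": ["SREP01"], "CITY_E2": ["SREP02"],
    "CITY_W1": ["SREP03"], "CITY_W2": ["SREP04"], "CITY_W3": ["SREP05"],
}
REGIONS = ("EAST", "WEST")
SUBTREE_BELOW_NODES = "1"  # type of authorization chosen in Step 10
# Authorization name -> (hierarchy node, type of authorization)
AUTHORIZATIONS = {"ZA_SREP_EAST": ("EAST", SUBTREE_BELOW_NODES),
                  "ZA_SREP_WEST": ("WEST", SUBTREE_BELOW_NODES)}
# Role -> authorizations entered for object ZAO_SREP (Steps 14 to 16)
ROLES = {"R_RUN_SREP_EAST": ["ZA_SREP_EAST"],
         "R_RUN_SREP_WEST": ["ZA_SREP_WEST"]}
USERS = {"U_EAST": ["R_RUN_SREP_EAST"],
         "U_BOTH": ["R_RUN_SREP_EAST", "R_RUN_SREP_WEST"],
         "U_NONE": []}

def subtree(node):
    """Return the node and everything below it in the hierarchy."""
    nodes = {node}
    for child in HIERARCHY.get(node, []):
        nodes |= subtree(child)
    return nodes

def authorized_nodes(user):
    """Union of all subtrees granted through the user's roles; empty by default."""
    granted = set()
    for role in USERS.get(user, []):
        for auth in ROLES.get(role, []):
            node, auth_type = AUTHORIZATIONS[auth]
            if auth_type == SUBTREE_BELOW_NODES:
                granted |= subtree(node)
    return granted

def visible_cities(user):
    """Cities the user could pick in a query restricted by ZAO_SREP."""
    cities = {c for r in REGIONS for c in HIERARCHY[r]}
    return sorted(authorized_nodes(user) & cities)

def cross_region_users():
    """Audit check: users whose roles reach more than one region."""
    return sorted(u for u in USERS
                  if sum(r in authorized_nodes(u) for r in REGIONS) > 1)
```

In this model a user with no role for ZAO_SREP sees nothing, and cross_region_users() lists the accounts a reviewer should question when regions are meant to stay separated.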