Analysis Authorizations – Design
The idea for this article came to me after reading through a question from a visitor to this site. I believe the question is relevant to anyone designing Analysis Authorizations. So even though there are other posts in this blog that talk about how to actually create analysis authorization, this current article is meant to help security consultant in actually applying the concepts while designing security. I will start with reproducing the question below.
Q: Hi Aninda,
Firstly, thanks for the helpful posts on this site.
I would like to check with you on how the system checks BI auth.
Does it check every possible combination?
For eg: user is assigned with 2 analysis auth as below:
A: plant 1000, purchasing group (PG) 100
B: plant 2000, PG 200
When the user runs a report and fills in the fields with plant : 1000, 2000 and PG: 100, 200,
he/she will actually get no authorization. When I checked the trace, it looks like the system is checking for
1) plant 1000, PG 100
2) plant 1000, PG 200
3) plant 2000, PG 100
4) plant 2000, PG 200
In this case, the authorization failed because there is no such combination for 2 and 3 in my analysis authorization. Appreciate your advice if my understanding is correct and how do we work around this apart from asking the user to run the report separately for plant 1000 and 2000? Thanks.
I will elaborate from my original answer below. Firstly I should re-iterate that SAP does indeed check for the 4 different combinations mentioned , i.e.
1) plant 1000, PG 100
2) plant 1000, PG 200
3) plant 2000, PG 100
4) plant 2000, PG 200
This may be counter intuitive to us from our experience in ECC while looking up data from SAP tables in SE16 or SUIM. However, BI reports only return data when the total result set is authorized. In other words, you need access to all possible combinations for the query to return any data at all. You get everything or nothing 🙂
So the next question that we need to answer is how to give access to plants 1000, 2000 and PG 200, 100?
Here we would need to create two new analysis authorization rather than the ones already in use
Auth 1) Plant 1000, 2000
Auth 2) PG 100, 200
However, these two authorizations end up giving access to the combinations for Plant 1000 PG 200 and Plant 2000, PG 100 in addition to the earlier values. We need to ask ourselves, Is this extra access a problem?
Like most consulting questions, there is no single correct answer to the problem. For some clients this extra access might be okay while for others it might be a strict no. I would start looking at how security is set up in ECC and try to replicate same access in BI. For example, I would think a Buyer in ECC would be assigned to one or more purchasing groups and would be responsible for one or more plants. Its far less likely that a Buyer is assigned to a different purchasing groups for different plants. So the more likely scenario tells me that the extra access with the two new authorizations are perfectly fine and in line with ECC security. However, your client might be using a different configuration for plant and purchasing group security.
In case, the extra security access is not enough, the solution would be to ask the reporter to run the BW query twice. Once for Plant 1000, PG 100 and next for Plant 2000, PG 200.
Hi aninda
How are you, We are eagarly waiting for your MAY morals or messages.
Please start GRC or post contents on bi security VARIABLES and hierarchies.
Cheers
Syed.
Hi Syed,
Thanks for your comments. I always try to add new content as long as time permits. Hopefully I will update the blog soon.
Regards,
Aninda
I have a question on running BI Query.Did not find link to create New discussion. So, i had to post it here.
Question
A user is unable to execute a query. But i am not able to find the missing authroization in the Log, as ABAP Debugger starts on execution of the query. Admin id is able to successfully run, as it has Full access.
How to stop this Debugger from running and How to know the missing Authroization values? The Log button becomes disabled, due to this error