All users who want to display transaction data from authorization-relevant characteristics or navigation attributes in a query require analysis authorizations. This type of authorization is not based on the standard authorization concept of SAP. Instead, these authorizations use their own concept that takes the features of reporting and analysis in BI into consideration. As a result of the distribution of queries using the BEx Broadcaster and the publication of queries to the portal, more and more users can access query data. Using the special authorization concept of BI for the display of query data, you can protect especially critical data in a much better way.
If you have upgraded to SAP NetWeaver 7.0, you can decide whether you want to continue to use the current reporting authorization concept or switch to the new, more user-friendly concept for analysis authorizations.
SAP recommends that you switch to the new concept so that you can benefit from the new options and easier administration.
By default, the new concept is active; support is no longer provided for the old concept.
Complete compatibility between the two concepts is not possible. Existing authorization concepts must therefore be converted. Migration has to be completed manually or using a tool. It always requires subsequent manual work.
You have flagged characteristics that you want to protect as authorization-relevant in InfoObject maintenance.
In principle, all authorization-relevant characteristics are checked for existing authorizations if they occur in a query or in an InfoProvider that is being used. For this reason, you should avoid flagging too many characteristics as authorization-relevant so you keep the administrative efforts to a minimum and keep performance good.
We recommend that you include a maximum of 10 authorization-relevant characteristics in a query, since performance is otherwise negatively impacted. Authorization-relevant characteristics with asterisk (*) authorization are an exception to this; you can include more authorization-relevant characteristics of this type in a query.
Analysis authorizations are not based on authorization objects. Instead, you create authorizations that include a group of characteristics. You restrict the values for these characteristics.
The authorizations can include any authorization-relevant characteristics, and treat single values, intervals, and hierarchy authorizations in the same way. Navigation attributes can also be flagged as authorization-relevant in the attribute maintenance for characteristics and can be added to authorizations as separate characteristics.
You can then assign this authorization to one or more users.
All characteristics flagged as authorization-relevant are checked when a query is executed.
A query always selects a set of data from the database. If authorization-relevant characteristics are part of this data, you have to make sure that the user who is executing the query has sufficient authorization for the complete selection. Otherwise, an error message is displayed indicating that the authorization is not sufficient. In principle, the authorizations do not work as filters. Very restricted exceptions to this rule are hierarchies in the drilldown and variables that are filled depending on authorizations. Hierarchies are mostly restricted to the authorized nodes, and variables that are filled depending on authorizations act like filters for the authorized values for the particular characteristic.