Authorizations for Generating SAP HANA Views
To be able to access SAP HANA views that have been generated from the BW system, you need certain authorizations in the SAP HANA system and in the BW system.
Transaction RS2HANA_CHECK allows you to check all prerequisites for successful replication of BW authorizations to SAP HANA.
Prerequisites in SAP HANA
To be able to access SAP HANA views that have been generated from the BW system, you need the following authorizations:
- Object privilege: SELECT on _SYS_BI
- Object privilege: EXECUTE on REPOSITORY_REST(SYS)
- Package privilege: REPO.READ on the content package where generated SAP HANA views are stored.
http://help.sap.com/hana_platform 
Security Information SAP HANA Security Guide SAP HANA Authorization
Prerequisites in the BW System
To be able to generate SAP HANA views from the BW system, you need the following authorizations:- SAP HANA authorizations are assigned to one user. You can define how the corresponding SAP HANA user is determined. In Customizing, underSAP NetWeaver Business Warehouse General Settings Settings for Generating SAP HANA Views of InfoProviders, you have the following options:
- Option C: The BW user must have a DBMS user, or there must be a SAP HANA user with exactly the same name. If the BW user has a DBMS user, this is taken as the SAP HANA user. If no DBMS user has been created, the SAP HANA user is taken with exactly the same name as the BW user. In this case, the SAP HANA user must not be a DBMS user of a BW user. More information: DBMS User Management
- Option D: The SAP HANA user is the DBMS user created for the BW user in user administration (transaction SU01).
- The analysis authorizations must be defined for all characteristics flagged as authorization-relevant in the InfoProvider. These authorizations must also be assigned to the BW user. They must also contain all technical characteristics for the InfoProvider, the key figures and the activity.
These include the following characteristics:
- 0TCAACTVT
- 0TCAIPPROV
- 0TCAVALID
- 0TCAKYFNM
More information: Prerequisites for the Management of Analysis Authorizations
Generating the Authorizations
The other authorizations that are needed are generated from the BW system and assigned to the user via roles. An object authorization SELECT is created here for a generated view, and SAP HANA analysis authorizations for the BW analysis authorizations. The roles that are generated always have the following structure for InfoProviders (also for InfoObjects as InfoProviders): <package name> / <SID> _ <view name>_REPORTING. Roles have the following structure for InfoObjects with master data: <package name> / <SID> _ <view name>. The package name is always bw2hana.
You can define in Customizing that the SAP HANA authorizations are assigned to the user directly instead of via roles. To do this, go to Customizing and choose SAP Customizing Implementation Guide SAP NetWeaver Business Warehouse General Settings Settings for Generating External SAP HANA Views for BW Objects.
BW authorizations cannot be converted 1:1 to SAP HANA. The following restrictions apply to using BW authorizations as SAP HANA authorizations and are not supported:
- Aggregation authorizations (:)
- Restrictions to specific key figures (entries for characteristic/dimension 0TCAKYFNM). Only I CP * for characteristic/dimension 0TCAKYFNM is supported
Hierarchies are converted into a flat list, and an additional technical column (which is invisible) is added to the SAP HANA view.
If you need to filter for the initial value of a characteristic in the BW analysis authorization object, it may not be possible to correctly evaluate this value, which results in a smaller result.
Mass Generation of Authorizations
If you want to create an identical SAP HANA user for multiple BW users, you can use report RSUSR_DBMS_USERS for mass synchronization. For more information, see SAP Note 1927767
.