Analysis Authorizations
Use
All users who want to display transaction data from authorization-relevant characteristics or navigation attributes in a query require analysis authorizations. Authorizations of this type are not based on the standard SAP authorization concept. Instead, they use their own concept based on the BEx reporting and analysis features. As queries are distributed using BEx Broadcaster and published to the portal, more and more users can access query data. The special BW authorization concept for displaying query data lets you protect especially critical data far more effectively.
Integration
If you are still using the reporting authorizations concept and upgrade to SAP NetWeaver BW 7.3, you now have to migrate these authorizations to the new analysis authorization concept or redefine your authorizations from scratch.
Ideally, you should migrate the authorizations before upgrading if your system is already on Release SAP NetWeaver BW 7.0. As long as the new concept is not actively in use, no BEx queries can be run after the upgrade.
Complete compatibility between the two concepts is not possible. Existing authorization concepts therefore have to be converted. Migration can be performed either manually or using a tool. However, manual steps are always required afterwards.
More information: Migration of Reporting Authorizations to the New Concept.
Prerequisites
You have flagged characteristics that you want to protect as authorization-relevant in InfoObject maintenance.
Features
Analysis authorizations are not based on authorization objects. Instead, you create authorizations that include a group of characteristics, and you restrict the values for these characteristics.
The authorizations can include any authorization-relevant characteristics, and treat single values, intervals and hierarchy authorizations in the same way. Navigation attributes can also be flagged as authorization-relevant in the attribute maintenance for characteristics and can be added to authorizations as separate characteristics.
You can then assign this authorization to one or more users. Since the authorizations are TLOGO objects (analytics security objects), they can also be transported to other systems.
All characteristics flagged as authorization-relevant are checked when a query is executed.
A query always selects a set of data from the database. If authorization-relevant characteristics are part of this data, you have to make sure that the user who is executing the query has sufficient authorization for the complete selection. Otherwise, an error message is displayed indicating that the user does not have the required authorization. In general, the authorizations do not work as filters. The narrowly limited exceptions to this rule are hierarchies in the drilldown and variables that are filled from authorizations. Hierarchies are mostly restricted to the authorized nodes, and variables that are filled from authorizations act like filters for the authorized values for the characteristic in question.
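The following added example is a simplified Python model of the rule above, not SAP code: it contrasts the all-or-nothing check on the complete selection with the filter behavior of a variable filled from authorizations. The characteristic names, the integer value ranges and the function names are constructed assumptions, and the model only checks characteristics that the selection restricts explicitly.

```python
# Simplified model of the check described above; not SAP code.
# Values are integers; a single value v is the interval (v, v).

def merge(intervals):
    """Merge overlapping or adjacent (low, high) intervals."""
    merged = []
    for low, high in sorted(intervals):
        if merged and low <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], high))
        else:
            merged.append((low, high))
    return merged

def covered(selected, authorized):
    """True if every selected interval lies inside the authorized values."""
    auth = merge(authorized)
    return all(any(a_lo <= lo and hi <= a_hi for a_lo, a_hi in auth)
               for lo, hi in merge(selected))

def check_query(selection, authorization, relevant):
    """All-or-nothing: return the characteristics that block the query."""
    return [c for c in sorted(relevant)
            if c in selection
            and not covered(selection[c], authorization.get(c, []))]

def fill_variable(selected, authorized):
    """Variable filled from authorizations: intersect, i.e. act as a filter."""
    out = []
    for lo, hi in merge(selected):
        for a_lo, a_hi in merge(authorized):
            if max(lo, a_lo) <= min(hi, a_hi):
                out.append((max(lo, a_lo), min(hi, a_hi)))
    return out

# Constructed sample data (hypothetical characteristic names and values).
RELEVANT = {"COSTCENTER", "COMPANY"}
AUTH = {"COSTCENTER": [(1000, 1499), (1500, 1999), (3000, 3000)],
        "COMPANY": [(10, 10)]}

if __name__ == "__main__":
    wide = {"COSTCENTER": [(1000, 2500)], "COMPANY": [(10, 10)]}
    # The selection exceeds the authorization, so the whole query is rejected.
    print(check_query(wide, AUTH, RELEVANT))
    # The same range in an authorization-filled variable is narrowed instead.
    print(fill_variable(wide["COSTCENTER"], AUTH["COSTCENTER"]))
```

An empty list from check_query means the query may run; any entry means the user sees the authorization error rather than a reduced result set.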