Migration of Reporting Authorizations to the New Concept

Migration help is available to aid you in transferring existing authorization data from the previous concept of reporting authorizations to the new concept of analysis authorizations. You can start it using the program RSEC_MIGRATION. It leads you through the migration configuration step by step and performs a conversion of the old data at the end. The old data remains unchanged.

Prerequisites

Before you migrate users and the authorizations assigned to them, you need to make sure that you only migrate complete user groups. Complete means that only those users selected have the profiles that are affected by the selection of users and authorization objects.

Tip

User USER1 and user USER2 are subject to the following authorization concept:

USER1: Authorizations for the authorization object BO1 in profile T_1234

Authorizations for authorization object BO2 in profile T_4567

USER2: Authorizations for authorization object BO2 in profile T_4567

If you select the user USER1 and the authorization objects BO1 and BO2, the group would be incomplete, because user USER2 has authorizations for the authorization object BO2. The migration would affect both users. The user group from both users would be complete, on the other hand, as long as no other users in the system had been assigned one of the two profiles. The migration of user USER1 and authorization object BO1 would also be complete.

Authorization Objects for InfoProvider Access

The authorization objects S_RS_ICUBE, S_RS_MPRO, S_RS_ISET and S_RS_ODSO will no longer be checked during query processing. Instead, the check is performed using special characteristics 0TCAIPROV, 0TCAACTVT and 0TCAVALID. These authorization objects are offered during migration configuration as a migration option. If you select these authorization objects, authorization for these special characteristics are generated according to the entries in the Activity and the associated field for the corresponding InfoProvider and then assigned to the users.

Methods of Migration

Three methods are available for migration of the existing reporting authorizations. First all existing reporting authorizations in profiles receive their own, new analysis authorizations. They have technical names that start with RSR_ and end with 8 digits. The three methods differ in the type of assignment to the users.

Direct assignment
In this method, the authorizations are assigned directly. This corresponds to the assignment using Manage Analysis Authorizations → User Assignment. Maintenance and modification is only possible in the transactions for analysis authorizations.
Generation of new authorization profiles
A profile is generated for every authorization and assigned to the users. The profile includes the authorization object S_RS_AUTH and the technical name of the analysis authorization as the value. The profile name is also structured like the authorization name, but is not identical to the authorization name. This procedure allows you to create a role concept relatively easily and to include the newly generated analysis authorizations. Old and new authorizations are separate, however, and the old authorizations and profiles can be deleted later as needed.
Enhancement of existing authorization profiles
In principle, this procedure gets the authorization structure of an existing role concept because new NetWeaver authorizations are inserted into the existing profiles.

Authorizations for authorization object S_RS_AUTH are added to the old profiles, the values of which are the technical name of the newly generated analysis authorizations. In this way, old and new authorizations are included in the same profile and are transferred to the role structure.