Data Access Profile Setup

Configuring a Dimension as Authorization Relevant

To configure a dimension as relevant for authorization, follow the steps below:

  1. Run transaction RSD1.

  2. Enter the dimension's technical name and choose Maintain.

  3. In the maintenance screen that appears, choose the Business Explorer tab and then select Authorization Relevant.

Authorization Levels

  • SAP BW Analysis Authorization

    Defined centrally in the BW backend system. The data access is controlled independently from other data access tools.

    This type of authorization is defined in transaction RSECADMIN and is assigned to a user.

  • Environment Authorization

    Extend the BW analysis authorization to an environment in Planning and Consolidation.

  • Data Access Profile

    The owner of Planning and Consolidation environment can define a data access profile and assign it to Planning and Consolidation users.

Creating an SAP BW Analysis Authorization

  1. Run transaction RSECADMIN and create a standard analysis authorization.

  2. Assign the authorization to a PFCG role and generate a SAP NetWeaver profile with transaction PFCG.

  3. Run transaction SU01 and assign the PFCG role or the NetWeaver profile to a user.

    For more information, see the SAP BW/4 HANA analysis authorization documentation available on the SAP Help Portal.

Creating an Environment Authorization

  1. Create a standard SAP BW analysis authorization.

  2. To assign the analysis authorization to a Planning and Consolidation environment, run transaction RSECENVI.

  3. Enter the environment name.

  4. On the next screen, choose the required BW analysis authorizations.

Creating a Data Access Profile

  1. In the Business Planning and Consolidation web client, go to the Administration page and under the Security section, choose Data Access Profile.

  2. On the screen that appears, choose New.

  3. Enter the ID and description of the new data access profile.

  4. Select the required model from the list.

  5. For each authorization-relevant dimension, select the required members and set their access rights.

    Important: Be sure to read the note below.

  6. Go to the Users or Teams tab to assign the new data access profile to users that are assigned to the current environment or teams that have corresponding users assigned to it.

Note

You can group several members by hierarchy and access rights. To do that, select the required members and choose Group.

You can split a member to separate lines for easier access rights maintenance. To do that, select the required member and choose Split.

In step 5 above, if the members you select come from a hierarchy, you can further define the selection range according to the relationship and level of the selected member in the hierarchy. However, if you choose All Members or Aggregation, or you select members from a flat view, you will not be able to further define such a selection range. For instructions on how to use Relationship and Level to define a certain selection range, review this example in which you select member China from a hierarchy level that has been defined as shown below:

Level 0

Level 1

Level 2

Level 3

Asia

China

Shanghai

A1

A2

Beijing

B1

B2

EUR

FR

PARIS

E1

E2

After selecting China in this example, you then choose one of the five relationships and define levels of how deep in the hierarchy you want the access right to take effect:

  • If you choose Only Selected Nodes, the access right affects only China, which is the exact member you select.

  • If you choose Subtree Below Nodes, the access right affects China and all of its descendants.

  • If you choose Subtree Below Nodes to Level (Static to Hierarchy) and set the level value to 2, this defines to which level the selection range expands, starting from the root level, also known as level 0. In this case, the affected members start from China and end at the level 2 members Shanghai and Beijing.

  • If you select Subtree Below Nodes to Level (Relative to Node) and set the level value as 2, this defines to which level the selection range expands, starting from the selected member. In this case, the affected members are China and all members from the next two levels, which are Shanghai and Beijing in level 2 and A1, A2, B1, B2 in level 3.

  • If you choose Complete Hierarchy, the access right affects all the members in the current hierarchy.

Example

In the following example there are two dimensions - Customer and Country. The possible values for the Customer dimension are 1, 2, 3 and 4, and the possible values for the Country dimension are DE and FR. The access rights for these dimensions are defined as follows:

When the analysis authorizations and the environment authorizations are combined, customers 1, 2 and 4 all gain authorizations for country FR. The authorizations for country DE are not changed:

After the data access profile is added to the combined result of the previous step, only customer 2 has authorizations for country FR because that is the only customer that appears in both the combined result and the data access profile.

The data access profile does not define any permissions for country DE. There is no intersection between the combined result of the previous levels and the data access profile. Because of that the permissions for country DE are entirely excluded from the final combination of authorizations.