Authorizations for Generating SAP HANA Views

To be able to access SAP HANA views that have been generated from the BW system, you need the following authorizations:

• Object privilege: SELECT on _SYS_BI
• Object privilege: EXECUTE on REPOSITORY_REST(SYS)
• Package privilege: REPO.READ on the content package where generated SAP HANA views are stored.

Note The session client has to correspond to the BW system client. If SAP HANA authorizations are assigned using roles, user ABAP SAPSID must have authorization ROLE ADMIN. For more information, see SAP Note 1956963 .

 http://help.sap.com/hana_platform  Security Information  SAP HANA Security Guide   SAP HANA Authorization 

• SAP HANA authorizations are assigned to one user. You can define how the corresponding SAP HANA user is determined. In Customizing, under SAP NetWeaver  Business Warehouse  General Settings  Settings for Generating SAP HANA Views of InfoProviders , you have the following options:
  • Option C: The BW user must have a DBMS user, or there must be a SAP HANA user with exactly the same name. If the BW user has a DBMS user, this is taken as the SAP HANA user. If no DBMS user has been created, the SAP HANA user is taken with exactly the same name as the BW user. In this case, the SAP HANA user must not be a DBMS user of a BW user. More information: DBMS User Management
  • Option D: The SAP HANA user is the DBMS user created for the BW user in user administration (transaction SU01).
• The analysis authorizations must be defined for all characteristics flagged as authorization-relevant in the InfoProvider. These authorizations must also be assigned to the BW user. They must also contain all technical characteristics for the InfoProvider, the key figures and the activity.

  These include the following characteristics:

  • 0TCAACTVT
  • 0TCAIPPROV
  • 0TCAVALID
  • 0TCAKYFNM

  More information: Prerequisites for the Management of Analysis Authorizations

The other authorizations that are needed are generated from the BW system and assigned to the user via roles. An object authorization SELECT is created here for a generated view, and SAP HANA analysis authorizations for the BW analysis authorizations. The roles that are generated always have the following structure for InfoProviders (also for InfoObjects as InfoProviders): <package name> / <SID> _ <view name>_REPORTING. Roles have the following structure for InfoObjects with master data: <package name> / <SID> _ <view name>. The package name is always bw2hana.

You can define in Customizing that the SAP HANA authorizations are assigned to the user directly instead of via roles. To do this, go to Customizing and choose  SAP Customizing Implementation Guide  SAP NetWeaver  Business Warehouse  General Settings  Settings for Generating External SAP HANA Views for BW Objects .

BW authorizations cannot be converted 1:1 to SAP HANA. The following restrictions apply to using BW authorizations as SAP HANA authorizations and are not supported:

• Aggregation authorizations (:)
• Restrictions to specific key figures (entries for characteristic/dimension 0TCAKYFNM). Only I CP * for characteristic/dimension 0TCAKYFNM is supported

Hierarchies are converted into a flat list, and an additional technical column (which is invisible) is added to the SAP HANA view.

If you need to filter for the initial value of a characteristic in the BW analysis authorization object, it may not be possible to correctly evaluate this value, which results in a smaller result.