Function documentationAuthorizations for Master Data

 

You use this function to grant various privileges for accessing consolidation characteristics to people who work with the SEM system.

Integration

The authorization concept of consolidation is embedded in the SAP authorization concept.

Features

Authorization checks are possible for all master data in consolidation.

You can define for each characteristic how the authorization is to be assigned and checked:

  • For each characteristic (for example, across all consolidation units) or

  • For each characteristic value (for example, for each consolidation unit individually)

There are the following authorization objects for this purpose:

  • Authorization object R_UGMD_CHA is used for aggregate checking of authorization for characteristics in the local system.

  • Authorization object R_UGMD_SNG is used for checking authorizations for individual characteristic values.

  • Authorization object S_TABU_LIN (from SAP Basis) is also used for checking authorizations for individual characteristic values. This authorization object is still supported to ensure compatibility with Customizing you have made in earlier versions of SEM-BCS.

    Note Note

    The authorization objects R_UGMD_SNG and S_TABU_LIN are functionally the same. However, the use of generic authorization object S_TABU_LIN can result in some operational restrictions in certain situations (for example, no input help for characteristic values).

    End of the note.

    Note Note

    We recommend that you use authorization object R_UGMD_SNG when checking authorizations for individual values. In Customizing, you need to specify which of the authorization objects the system should use.

    End of the note.

In consolidation customizing, when you choose authorization checking for individual characteristic values of a characteristic, the system generates an organizational criterion when you use the authorization object S_TABU_LIN. This allows you to assign authorizations per characteristic value.

Master data can be stored in the SEM system and/or in SAP NetWeaver Business Intelligence (BI). A mechanism ensures that the master data of both systems is kept synchronized. In the same way, the authorization check is extended across all systems in which the characteristic resides. The BI system uses authorization object S_RS_IOMAD, which serves the same purpose as authorization object R_UGMD_CHA in the local system.

It is possible that you operate BI and SEM in different physical systems. To allow authorization to be checked across systems, a user requires the same authorizations in all systems involved.

Replication to the BW System

When transports are imported, the system synchronizes the master data and hierarchies in the BW system with the local data. In Customizing for replication to the BW system, you specify which fields are to be replicated.

To change these Customizing settings, you must be authorized for authorization object R_UGMD_CHA for field name UGMD_TR_SYNCH_BI and activity 02 (Change).

Activities

To assign authorizations for characteristics, you make the following Customizing settings (steps A-D):

A) Customizing Settings in the Consolidation Workbench

In the workbench, you determine whether authorization checks are performed per characteristic or per characteristic value.

  1. Navigate to the process view of the workbench and choose Start of the navigation path Data Model Next navigation step Data Basis End of the navigation path.

  2. Open the required data basis in change mode.

  3. Go to the Authorizations tab page.

    The system displays all of the characteristics for which you can assign authorizations.

  4. For each characteristic, determine whether authorization is to be checked per characteristic value.

  5. Save the data basis.

    For those characteristics whose values are checked individually, the system generates an organizational criterion for each characteristic value when you use authorization object S_TABU_LIN. The organizational criterion allows you to assign authorizations per characteristic value in role maintenance.

B) Customizing Settings in Role Maintenance (Transaction PFCG) in the Local System
  1. In the local system, start role maintenance from the SAP Easy Access screen by choosing Start of the navigation path Tools Next navigation step Administration Next navigation step User Maintenance Next navigation step Role Administration Next navigation step Roles End of the navigation path.

  2. Specify an existing role or create a new role.

  3. In role maintenance, navigate to the Authorizations tab page and choose Change Authorization Data.

  4. In authorization maintenance, activate the authorizations as follows:

    • Define the aggregate authorizations for the desired characteristics (authorization object R_UGMD_CHA) under Start of the navigation path Strategic Enterprise Management Next navigation step Master Data: Characteristics End of the navigation path.

    • Define the authorizations for individual characteristic values. Use one of the following authorization objects for this:

      • Authorization object R_UGMD_SNG: Start of the navigation path Financials Basis Next navigation step Characteristic Values: Master Data End of the navigation path

      • Authorization object S_TABU_LIN: Start of the navigation path Basis Administration Next navigation step Authorization for Organizational Unit End of the navigation path.

    • Save the authorizations.

C) Customizing Settings in the BI System
C 1) Customizing Settings in Characteristic Maintenance
  1. In the BI system, activate authorization assignments per characteristic value as follows: Maintain the desired characteristic, go to the Master Data/Texts tab page and select the indicator Master Data Maintenance with Authorization Check.

  2. Save the characteristic.

C 2) Customizing Settings in Role Maintenance (Transaction PFCG)

Proceed the same way as for the authorization assignments in the local system – that is, define the following authorizations:

  • The authorizations for individual characteristic values (authorization object R_UGMD_SNG or S_TABU_LIN)

  • The aggregate authorizations for characteristics (authorization object S_RS_IOMAD)

D) Final Settings for Checking Characteristic Value Authorizations

If you have opted for an authorization assignment at the level of characteristic values, define which of the available authorization objects should be included in the authorization check:

  1. Start transaction UG01.

    The Display Area Menu UG01 screen appears.

  2. In the menu structure, choose Start of the navigation path Master Data Settings Next navigation step Parameter Settings End of the navigation path.

  3. In the table, search for the parameter Use Authorization Object R_UGMD_SNG for All Fields. If no entry exists for this parameter yet, create an entry and assign the parameters.

  4. Decide which authorization object the system should use for checking authorizations for individual characteristic values:

    • To use authorization object R_UGMD_SNG, enter X in Parameter Value.

    • To use authorization object S_TABU_LIN, do not enter anything in Parameter Value.

  5. Save your settings.

    Note Note

    If you do not perform the settings described above, the system assumes that the generic authorization object S_TABU_LIN is to be used for checking characteristic authorizations in order to ensure downward compatibility.

    End of the note.
E) Checking Authorizations (System Activity)

Once you have completed the Customizing settings, the system can run an authorization check for characteristics based on your definitions. The system uses the following procedure:

More Information

SAP Authorization Concept