Authorization Concept in Business Context Viewer (BCV)

Use

This function provides an easily manageable way of granting complex authorizations to users who access Business Context Viewer (BCV) for different purposes. Authorizations can be granted and denied at different levels, which makes the authorization concept flexible while ensuring that data is not misused. The authorization concept of BCV is based on the following components:

  • Roles

  • Authorization objects

  • NetWeaver access control lists (ACLs)

Note

You can use the BCV authorization concept only to control users' access to BCV functions and features. The BCV authorization concept does not influence users' access to data by means of the data provider, for example, a BI query. This means that the roles and authorization objects in BCV do not overrule or replace the authorization check in the data provider applications.

For this reason, you should use trusted connections to the external systems (BI, SES, BAPIs, and WebService search connectors). The connection to an external system uses the current user, so the external system can perform a correct authorization check for that user.

Integration

Role Maintenance (PFCG) roles contain authorization profiles, which, in turn, are made up of authorization objects and filled with authorization data.

The authorization concept of BCV offers the following three ways to use authorization objects along with the roles they are assigned to, and NetWeaver access control lists (ACLs):

  • Use of authorization objects only

    Authorization objects are commonly used in SAP applications to administer the authorization of users. In this scenario, system administrators assign roles to users, and the authorization objects and authorization data contained in the roles determine the range of activities a user can perform, as well as the kinds of objects they can access and change. An advantage of using authorization objects only is that system administrators are familiar with authorization objects, and thus can manage complex authorizations. A disadvantage is that changing a user's authorization is time-consuming, because in such a case the system administrator might need to change the user's role and transport the role settings to the productive system.

  • Use of NetWeaver ACLs only

    Users that do not necessarily have administrator rights can create, change, display, and delete NetWeaver ACLs. This means that users can grant or withdraw authorizations for BCV objects without asking a central system administrator to do this for them. An advantage of using NW ACLs only is that it is a flexible and decentralized way to deal with authorizations. If authorizations for a BCV object are changed frequently, the use of NW ACLs simplifies the assignment of authorizations.

  • Use of authorization objects and NW ACLs

    You can use authorization objects together with NW ACLs when you have, on the one hand, BCV objects that do not require detailed authorizations (for example, query view hierarchies) and, on the other hand, BCV objects for which you must maintain detailed authorizations. In this case, you use authorization objects for BCV objects for which detailed authorizations are not required, for example, query views that display production quantities. You use NW ACLs for BCV objects that require detailed authorizations, for example, query views that display financial data. You can also use an authorization object and NW ACLs for the same BCV object. In this case, you use the Business Add-In (BAdI) BAdI: Definition of the Priority of Authorization Checks to specify the sequence of the two types of authorization checks.

Features

Roles

PFCG Roles

BCV provides a set of preconfigured roles that offer authorization data for the most typical ways different types of BCV users use BCV. The PFCG roles delivered with BCV are the following:

  • BCV Administrator (SAP_BCV_ADMIN2)

    This role provides authorization for all the activities that an administrator of BCV needs, including configuration and monitoring tasks. For more information, see BCV Administrator.

  • BCV User (SAP_BCV_USER2)

    This role provides authorization for all the activities that a user of BCV needs. For more information, see BCV User.

  • BCV External User (SAP_BCV_EXTERNAL_USER2)

    This role provides authorization for all the activities that an external user of BCV needs. An external user is a user working in a demilitarized zone (DMZ) system. In BCV, the term external user describes an external user of SAP Product Lifecycle Management (SAP PLM), who is authorized to display BCV in the side panel and cockpit, but has no authorization to access the configuration center or configuration wizard. For more information, see BCV External User.

    For more information about using BCV in a demilitarized zone (DMZ) system, see Using BCV from a DMZ System.

For more information about PFCG roles and their maintenance, see SAP Library at http://help.sap.com, under SAP NetWeaver > SAP NetWeaver 7.0 including Enhancement Package 1 > SAP NetWeaver Library > SAP NetWeaver by Key Capability > Security > Identity Management > User and Role Administration of AS ABAP > Configuration of User and Role Administration > Role Administration.

SAP NetWeaver Portal Roles

BCV provides access to the configuration center by means of two predefined roles. Applications implementing BCV can reuse the BCV iViews, Worksets, and Roles to offer their BCV-related content in a portal environment.

For the portal UI integration of BCV, you must install the Business Package for Common Parts 1.5 that includes the portal content for SAP Business Suite Foundation.

The following portal roles are available:

  • BCV User (com.sap.pct.bs_fnd.16.BCV_USR)

  • BCV Administrator (com.sap.pct.bs_fnd.16.BCV_ADMIN)

For more information about portal role administration, see SAP Library at http://help.sap.com, under SAP NetWeaver > SAP NetWeaver 7.0 including Enhancement Package 1 > SAP NetWeaver Library > SAP NetWeaver by Key Capability > People Integration by Key Capability > Portal.

Authorization Objects

For a list of authorization objects available in BCV and their use, see Authorization Objects in BCV.

Access Control Lists

A NetWeaver access control list is a list of users, user groups, roles, and organizational units that are allowed (or not allowed) to perform an activity on a BCV object. You can assign an NW ACL to an authorization holder, which can be a user, user group, organizational unit, or role. You can assign an NW ACL only to query views or dashboards because these BCV objects are visible to the user at runtime. You can use the configuration center to create, display, maintain, or delete ACLs for a query view or dashboard.

For more information about access control lists in BCV, see Access Control Lists in BCV.

Performing Authorization Checks

For more information, see Authorization Check.