Show TOC

Generating Analysis AuthorizationsLocate this document in the navigation structure


By generating analysis authorizations, you can load authorized values from other systems into DataStore objects and generate authorizations from them.

This makes it possible to generate the required authorizations using data from an application (such as HR). The data that users are permitted/not permitted to see in BW is therefore the same as in the application transactions, even if the authorization concepts are different.

You can use this function to generate either single authorizations or mass authorizations. It is suitable for scenarios that generate new authorizations periodically and are thus constantly changing. It does not necessarily make sense to assign these authorizations to the users in roles and profiles. This is also not possible for automatically generated names that keep changing. The generated authorizations are therefore assigned directly in the BW system. This is considerably faster than generating them from profiles. If a fixed name is assigned however, this can be done manually from role maintenance. Keep in mind however the risk of overwriting constant names.

Generation of authorizations is a dynamic authorization assignment that is an alternative to the role concept.


An extractor must be available for authorizations (so far for HR and Controlling).

For HR:

You have to copy the DataStore objects 0TCA_DS01 and 0TCA_DS02 (optional 03 to 05) from BI Content. These DataStore objects should be copied for every application, which must have been loaded completely. You can find out more about content objects under Start of the navigation path BI Content Next navigation step Human Resources Next navigation step Organizational Management Next navigation step DataStore Objects Next navigation step Structural Authorizations - Hierarchy and Structural Authorizations - Values End of the navigation path

For Controlling:

A complete scenario is available. Copy over the following Content objects: 0CO_OM_CCA_USER1 (DataSource and InfoSource), as well as the DataStore objects including update rules 0CCA_001, 0CCA_002, and 0CCA_003.

For all other applications:

Copy the templates 0TCA_DS01 and 0TCA_DS02 (optional 03 to 05) in DataStore objects for your application area (department etc). Note the naming convention with the digits 1 to 5 at the end.

You need sufficient authorization for generation activities such as deleting, changing and generating analysis authorizations, changing user assignments (authorization object R_SEC), along with any other activities for creating or changing system users using NetWeaver authorization objects for user maintenance. Which authorizations are required depends on the generation scenario.


You can call this function via the analysis authorzation administration transaction (RSECADMIN) under Start of the navigation path Authorizations Next navigation step Generation of Authorizations End of the navigation path.

The DataStore objects for generating authorizations have the same structure as the authorizations and contain the following authorization values:

  • Authorization data (values) (0TCA_DS01)

  • Authorization data (hierarchies) (0TCA_DS02)

  • Description texts for authorizations (0TCA_DS03)

  • Assignment of authorizations to users (0TCA_DS04)

  • Generation of users for authorizations (0TCA_DS05)

The actual data to be used in the generated authorizations can be found in the two template DataStore objects 0TCA_DS01 and 0TCA_DS02.

More information:

You define which authorizations to generate from which DataStore objects. You then load your authorization data for them. This can be done with CSV files or extractors for example. Automatic generation assumes correctly filled DataStore objects. The system tries to detect incorrect intervals and other errors however, and tries to correct them if possible. This is entered in the log.

For CSV files, the User and Authorization fields can be left empty. In general however, names and numbers can be entered in these fields. There can be various results when you assign authorizations. You can find more detailed information in the detailed descriptions of the two template DataStore objects above.

In transaction RSECADMIN, you can generate the authorizations on the Authorizations tab page, under Generation. Alternatively, report RSEC_GENERATE_AUTHORIZATIONS can start or schedule generation.

Generating Single Authorizations:

Maintain the user in DataStore object 0TCA_DS01. This is assigned to the user during generation. This can be used to assign highly user-specific authorizations.

Generating Mass Authorizations

In DataStore object 0TCA_DS01, leave the User key field emptry and generate the authorizations. A profile appears that can be assigned to any number of users. The profile gets its texts from DataStore object 0TCA_DS03. There can be language-dependent short, medium and long texts. You maintain the users in DataStore object 0TCA_DS04. This generates your mass authorizations.

Generating Users

You can also generate users with 0TCA_DS05. To do this, specify an reference user to copy from. The newly created users are assigned randomly generated initial passwords that are not transparent. Users can only log on after manually changing this password.

Generating Authorization Names

Generate explicit (meaningful) authorization names by entering your chosen in name in the field for 0TCTAUTH. As an alternative, you can also specify numbers to mark characteristic dimensions that belong to the same authorization. If field 0TCTAUTH is empty, technical names are generated according to the pattern RSR_00000012. All entries with the same name (or an empty field) are assigned the same authorization.

If a technical name with eight digits (RSR_nnnnnnnn) was created for an authorization and then generated again, the existing names are deleted and new technical names are generated. As a result, the previous authorization is deleted and replaced with the new authorization. This new authorization might not be identical to the old one. You can prevent unintended overwriting by using a number range. There is an overflow after 100,000,000 generated authorizations, and numbering starts again with 1.

Deleting and Regenerating Authorizations

For users with data in the DataStore object that has to be regenerated, first the existing, generated authorizations are deleted. This is done while the program is running (program RSEC_GENERATE_AUTHORIZATIONS or transaction RSECADMIN Generate Authorizations).

Deletion revokes the authorizations from the users that they were assigned to. Authorizations are then generated as usual with the data in the DataStore objects. The two steps, deletion and regeneration, are performed one after the other and cannot be uncoupled or influenced in any way.

If a data record with the user name 'D_E_L_E_T_E' is loaded into the DataStore object 0TCA_DS01, first the generated authorizations for all (!) users in the BI system for the DataStore object record are completely deleted (separated by the first part of the name before the digits) and then generated for the rest of the data.

Generation Log

A detailed log is created during generation. This documents the generation steps and is displayed automatically. You can view old logs in transaction RSECADMIN by choosing Start of the navigation path Analysis Next navigation step Generation Logs End of the navigation path or by starting report RSEC_GENERATE_AUTHORIZATIONS with the log symbol.


Note about performance during generation:

Thousands of data records can be processed during generation. The runtimes cannot be compared with performance when reading transaction data from a DataStore object however. A generation run can therefore also run in the background using program RSEC_GENERATE_AUTHORIZATIONS.

Tips about Generation

  1. During generation, all generated authorizations are deleted. During a generation run, all affected users lose their authorization until the newly generated authorizations have been assigned. This is also true if no changes have been made to the contents of the structure of the authorization. A generation that takes a number of hours can result in downtime of the same duration.

    You can prevent this by using the delta mechanism: You should only generate authorizations that have actually changed. You can check this in the corresponding extraction program before filling the DataStore objects. Since these are normally far fewer than the total number of users, you can significantly speed up the entire process so that there is hardly any downtime. You might find it beneficial to generate delta authorizations more regularly.

  2. You can perform the occasional clean-up with user D_E_L_E_T_E, which precedes a completely refreshed generation run (for example, monthly). You can also do this by inserting an additional row in the DataStore object for the values or hierarchies.

    This deletes any obsolete user authorizations that were already locked or deleted and that will never be regenerated. The authorizations generated here would not otherwise be automatically deleted.