Analysis Authorizations
All users who want to display transaction data from authorization-relevant characteristics or navigation attributes in a query require analysis authorizations. Authorizations of this type are not based on the standard SAP authorization concept. They use their own concept based on the BEx reporting and analysis features instead. As a result of the distribution of queries using BEx Broadcaster and publication of queries to the portal, more and more users can access query data. With the special BW authorization concept for displaying query data, you can far better protect especially critical data.
If you are still using the reporting authorizations concept and upgrade to SAP NetWeaver 7.3, you now have to migrate these authorizations to the new analysis authorization concept or redefine your authorizations from scratch.
Ideally, you should migrate the authorizations before upgrading if your system already has Release SAP NetWeaver 7.0. So long as the new concept is not being actively used, no BEx queries can be run after the upgrade.
Complete compatibility between the two concepts is not possible. Existing authorization concepts therefore have to be converted. Migration can be performed either manually or using a tool. Manual steps are always required afterwards though.
More information: Migration of Reporting Authorizations to the New Concept.
You have flagged characteristics that you want to protect as authorization-relevant in InfoObject maintenance.
In principle, all authorization-relevant characteristics are checked for existing authorizations if they occur in a query or in an InfoProvider that is being used. You should therefore avoid flagging too many characteristics as authorization-relevant. This will keep the administrative effort to a minimum and ensure satisfactory performance.
To prevent performance from being impaired, we recommend having no more than 10 authorization-relevant characteristics in a query. Authorization-relevant characteristics with asterisk (*) authorization are an exception. You can include more authorization-relevant characteristics of this type in a query.
Analysis authorizations are not based on authorization objects. You create authorizations that include a group of characteristics instead. You restrict the values for these characteristics.
The authorizations can include any authorization-relevant characteristics, and treat single values, intervals and hierarchy authorizations in the same way. Navigation attributes can also be flagged as authorization-relevant in the attribute maintenance for characteristics and can be added to authorizations as separate characteristics.
You can then assign this authorization to one or more users. Since the authorizations are TLOGO objects (analytics security objects), they can also be transported to other systems.
All characteristics flagged as authorization-relevant are checked when a query is executed.
A query always selects a set of data from the database. If authorization-relevant characteristics are part of this data, you have to make sure that the user who is executing the query has sufficient authorization for the complete selection. Otherwise, an error message is displayed indicating that the user does not have the required authorization. In general, the authorizations do not work as filters. Very limited exceptions to this rule are hierarchies in the drilldown and variables that are filled from authorizations. Hierarchies are mostly restricted to the authorized nodes, and variables that are filled from authorizations act like filters for the authorized values for the characteristic in question.