Show TOC

Procedure documentationUsing Authorization Groups to Restrict the Display of Dashboards

 

You use authorization groups to restrict the access to dashboards for end users. You can assign authorization groups to any dashboard. That is, if the authorization for a specific authorization group is granted to a user, by choosing the Display My BPO Dashboards link, the user can access all dashboards that have the authorization group assigned.

The end user can only display the data inside the dashboards that is not restricted by other authorizations, such as solution, application area, key figure, and system and client. In the BPO dashboards, you can use authorization groups to restrict, for example, to regions (EMEA, US, APJ) or SAP application modules (SD, MM, FI).

Recommendation Recommendation

We recommend that you assign an authorization group to every dashboard that an administrator creates. Doing so avoids unauthorized access to business-sensitive data in the dashboards.

End of the recommendation.

Per default, in the standard roles SAP_SM_DASHBOARDS_ADMIN and SAP_SM_DASHBOARDS_DISP, all users are assigned to the PUBLIC authorization group.

Procedure

To create and assign authorization groups for dashboards, do the following:

  1. In the Data Browser transaction (SE16), in the DSH_AUTHGROUPS table, create a new entry for field AUTHGROUP (for example AUTHGROUP = “FINANCE”).

  2. In the Manage BPO Dashboards screen, in the Setup Dashboard tab page, assign the authorization group to the dashboard.

  3. Assign the authorizations to end users and administrators as follows:

    • For end users:

      Authorization object SM_DSBINST (in SAP standard role SAP_SM_DASHBOARDS_DISP):

      • For display authorization, in ACTVT, enter value 03 (display mode).

      • For displaying dashboards with specific authorization groups, in AUTHGRPDSB, enter the values of the authorizations groups.

    • For administrators:

      Authorization object SM_APPTYPE (in SAP standard role SAP_SM_DASHBOARDS_ADMIN):

      • For general authorization, in ACTVT, enter 01, 02, 03, and 06 (01 = Create, 02 = Change, 03 = Display, 06 = Delete).

      • For administering dashboards with specific authorization groups, in AUTHGRPDSB, enter the values of the authorizations groups.