Show TOC

Authorizations in the Analytic QueryLocate this document in the navigation structure

Use

Every user who wants to display transaction data from authorization-relevant characteristics or from navigation attributes, in an analytic query for a TransientProvider (derived from an ODP), needs the relevant authorizations.

The authorization checks for operational data providers (ODPs) are based on either authorization objects or access control lists (ACLs) that you use for your application. In the search and analysis model, the checks are defined and connected with each other in logical conjunction using Boolean operators.

Some of the search and analysis models supplied by SAP contain authorization checks. If the checks supplied are not sufficient for your customer scenario, you can add further authorization checks to the supplied models. However, you cannot modify or delete the supplied authorization checks from the model. For more details on the search and analysis models supplied by SAP, read the information on the authorization objects or ACLs in the application documentation.

Specifying an Authorization Check for Operational Data Providers of a Supplied Search and Analysis Model

If you want to define authorization checks for an ODP of a supplied search and analysis model, proceed as follows:

  1. Adapt the model that contains the operational data provider, for which you want to specify authorization checks. To do this, you need a customer-specific software component, in which you can include the software component of the relevant application.

    More information: Creating or Adapting a Search and Analysis Model.

  2. Define the authorization checks.

    More information: Modeling Authorizations

Result

The logical conjunction in the model of the ODP, which the TransientProvider is derived from, and the authorization checks contained, define which authorizations are checked at runtime.

  • All TransientProvider characteristics, for which the corresponding ODP field is part of an authorization check used in the logical conjunction, are relevant for authorization.

    Note

    In the TransientProvider Preview, the authorization-relevant InfoObjects are indicated by the authorization-relevant symbol.

  • All joined fields (such as navigation attributes) that should be authorization-relevant, must be part of the authorization check of the logical conjunction that belongs to the ODP, from which the TransientProvider is derived. The logical conjunction of an associated ODP is ignored.

  • If there is no logical conjunction for the ODP from which the TransientProvider is derived, an authorization check is not performed.

All TransientProvider characteristics flagged as authorization-relevant are checked when a query is executed (before data is accessed):

A query always selects a set of data from the database. If authorization-relevant characteristics are part of this data, you have to make sure that the user who is executing the query has sufficient authorization for the complete selection. Otherwise, a message appears to inform the user that the query results cannot be displayed due to insufficient authorization. In general, the authorizations do not work as filters. Very restricted exceptions to this rule are hierarchies in the drilldown and variables that are filled from authorizations. Hierarchies are mostly restricted to the authorized nodes, and variables that are filled from authorizations act like filters for the authorized values for the characteristic in question.