Generation of Analysis Authorizations

Use

With the generation of analysis authorizations, you can load authorized values from other systems into DataStore objects and generate authorizations from them.

In this way, necessary authorizations from the data for an application (for example, HR) can be generated so that users are able to see or not see the same data in the BI system as in the transactions of the application, even when the authorization concepts are different.

You can use the generation of authorizations to generate either single authorizations or mass authorizations.

Prerequisites

An extractor must be available for authorizations (up to now, for HR and Controlling).

For HR:

You have to transfer the DataStore objects 0TCA_DS01 and 0TCA_DS02 (optional 03 to 05) from BI Content. These DataStore objects should be copied for each application for which you want a complete data load. For more information about the content objects, see BI Content → Human Resources → Organizational Management → DataStore Objects → Structural Authorizations – Hierarchy and Structural Authorizations Values.

For Controlling:

A complete scenario is available. Transfer the content objects: 0CO_OM_CCA_USER1 (DataSource and InfoSource), as well as the DataStore objects including update rules 0CCA_001, 0CCA_002, 0CCA_003.

For all other applications:

Copy the templates 0TCA_DS01 and 0TCA_DS02 (optional 03 to 05) into DataStore objects for your application area (department, and so on).

You need sufficient authorization for generation activities such as deleting, changing and generating analysis authorizations, changing user assignments (authorization object R_SEC), along with any other activities for creating or changing system users using NetWeaver authorization objects for user maintenance. The authorizations required in detail depend on the generation scenario.

Features

You get to this function through management of analysis authorizations (transaction RSECADMIN) at Authorizations → Generation of Authorizations.

The DataStore objects for generating authorizations have an analogous structure to the authorizations and contain the following authorization values:

· Authorization data (values) (0TCA_DS01)

· Authorization data (hierarchy) (0TCA_DS02)

· Description texts for authorizations (0TCA_DS03)

· Assignment of authorization users (0TCA_DS04)

· Generation of users for authorizations (0TCA_DS05)

You define which authorizations are to be generated from which DataStore objects. You then load your authorization data for them. You can generate the authorizations on the Authorizations tab page under Generation in the transaction RSECADMIN. As an alternative, the report RSEC_GENERATE_AUTHORIZATIONS starts or schedules generation.

Generating Single Authorizations:

Maintain the user in the DataStore object 0TCA_DS01. The authorization is assigned to this user when it is generated. This can be used for assigning authorizations that are very user specific.

Generating Mass Authorizations:

Leave the User key field empty in the DataStore object 0TCA_DS01 and generate the authorizations. A profile appears that can be assigned to any number of users. Its text contains the profile from the DataStore object 0TCA_DS03. You maintain the user in the DataStore object 0TCA_DS04. This generates your mass authorizations.

Generation of Users

You can also generate users with 0TCA_DS05. To do this, specify a reference user from which to copy. In the background, a random password is generated for each user; you can change it in the general user maintenance. It cannot be displayed.

Generating Authorization Names:

Generate explicit (meaningful) authorization names by filling the field for 0TCTAUTH with your desired name. As an alternative, you can also specify numbers to mark characteristic dimensions that belong to the same authorization. If the 0TCTAUTH field remains empty, artificial names are generated according to the pattern RSR_00000012. All entries with the same name (or an empty field) are assigned the same authorization.

Deletion of Authorizations and Regeneration

For users for which data exists in the DataStore object that has to be regenerated, first the existing, generated authorizations are deleted. Afterwards, authorizations are generated using the data in the DataStore objects in the usual way.

If a data record with the user name 'D_E_L_E_T_E' is loaded into the DataStore object 0TCA_DS01, the generated authorizations for all (!) users in the BI system are first deleted for the DataStore object record (separated by the first part of the name before the digits), and authorizations are then generated for the rest of the data.
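
A pre-load check for the cases described above (single versus mass authorizations, authorization names, and the 'D_E_L_E_T_E' record), as an added example that is not SAP code: it audits a constructed flat-file export of rows staged for 0TCA_DS01. The column names USER, AUTH, IOBJ and VALUE and the function names are assumptions; AUTH stands in for the 0TCTAUTH field.

```python
import csv
import io
from collections import defaultdict

DELETE_MARKER = "D_E_L_E_T_E"  # user name that triggers deletion for all users (from the page)

# Constructed sample of rows staged for 0TCA_DS01. The column names are
# assumptions for this sketch; AUTH stands in for the 0TCTAUTH field.
SAMPLE = """USER,AUTH,IOBJ,VALUE
JDOE,HR_ORG_EU,0ORGUNIT,50001234
JDOE,HR_ORG_EU,0EMPLGROUP,1
,CC_PROFILE_A,0COSTCENTER,1000
ASMITH,HR_ORG_EU,0ORGUNIT,50009999
BKING,,0COSTCENTER,3000
D_E_L_E_T_E,,0ORGUNIT,
"""


def audit_staged_rows(text):
    """Return (line_number, code, detail) findings for a staged 0TCA_DS01 load."""
    findings = []
    users_by_auth = defaultdict(set)
    for line_no, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        user = (row.get("USER") or "").strip()
        auth = (row.get("AUTH") or "").strip()
        if user.upper() == DELETE_MARKER:
            findings.append((line_no, "DELETE_ALL_USERS",
                             "generated authorizations are deleted for all users"))
            continue
        if not user:
            findings.append((line_no, "MASS_PROFILE",
                             "empty user: users are maintained in 0TCA_DS04"))
        if not auth:
            findings.append((line_no, "GENERATED_NAME",
                             "empty 0TCTAUTH: an artificial name is generated"))
        elif user:
            users_by_auth[auth].add(user)
    # Entries with the same name are assigned the same authorization, so a name
    # shared by several users is reported for review (line 0 = whole file).
    for auth, users in sorted(users_by_auth.items()):
        if len(users) > 1:
            findings.append((0, "SHARED_NAME", f"{auth}: {', '.join(sorted(users))}"))
    return findings


def requires_approval(findings):
    """A load containing the delete marker should not run unattended."""
    return any(code == "DELETE_ALL_USERS" for _, code, _ in findings)
```

Calling `audit_staged_rows(SAMPLE)` and passing the result to `requires_approval` gives a gate that can run before the generation is started or scheduled.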

Log for Generation

A detailed log is created during generation that documents the generation steps and that is displayed automatically. Old logs can be viewed from the transaction RSECADMIN under the Analysis tab page → Generation Logs or at the start of the report RSEC_GENERATE_AUTHORIZATIONS by clicking on the log symbol.
