Analysis Authorizations (SAP Library - System Administration Tasks)

Analysis Authorizations

Use

Analysis authorizations are required of all users that want to display transaction data from authorization-relevant characteristics or navigation attributes in a query. This type of authorization is not based on the standard authorization concept of SAP. Instead, they use their own concept that takes the features of reporting and analysis in BI into consideration. More and more users are gaining access to query data with the distribution of queries using the BEx Broadcaster and publication of queries to the portal. With the special authorization concept of BI for the display of query data, you can protect especially critical data in a much better way.

Integration

If you have done an upgrade to SAP NetWeaver 2004s, you can decide whether you want to continue to use the current reporting authorization concept or switch to the new, more user-friendly concept for analysis authorizations.

Recommendation

SAP recommends that you switch to the new concept so that you can benefit from the new options and easier administration.

By default, the new concept is active and support will no longer be provided for the old concept.

Complete compatibility between the two concepts is not possible. For this reason, existing authorization concepts have to be converted. Migration has to be completed manually or using a tool. In any case, it requires manually reworking afterwards.

Prerequisites

You indicate characteristics that you wish to protect as authorization relevant in InfoObject maintenance.

Recommendation

In principle, all authorization-relevant characteristics are checked for existing authorizations when they occur in a query. For this reason, you should avoid designating too many characteristics as authorization relevant so that you can keep the administrative efforts to a minimum and keep performance good.

Features

Analysis authorizations are not based on authorization objects. Instead you create authorizations that include a group of characteristics. You restrict values for these characteristics.

The authorizations can include any authorization-relevant characteristics and treat single values, intervals and hierarchy authorizations the same. Navigation attributes as well can be indicated as authorization relevant in the attribute maintenance for characteristics and can be transferred into authorizations as characteristics.

You can then assign this authorization to one or more users.

All characteristics indicated as authorization relevant are checked when a query is executed:

A query always selects a set of data from the database. If authorization-relevant characteristics are part of this data, you have to make sure that the user who is executing the query has sufficient authorization for the complete selection. Otherwise you will receive an error message indicating that the authorization is not sufficient. In principle, the authorizations do not work as filters. Very restricted exceptions to this rule include hierarchies in the drilldown and variables that are filled by authorizations. Hierarchies are mostly restricted to the authorized nodes, and variables that are filled by authorizations act like filters for the authorized values for the affected characteristic.