Entering content frame

This graphic is explained in the accompanying text Individual and Detailed Authorizations Locate the document in its SAP Library structure

The authorization check is very detailed. Approximately as many roles are needed as users                                         

This situation arises when each user is only allowed to evaluate his/her cost center, region or the like. If authorization is not only one- but multi-dimensional, this situation is more likely to occur since authorizations are usually detailed in this case.                            

The result is that a large number of roles or authorizations are to be maintained. Proceed here as follows:

...

       1.      Maintaining roles with transaction PFCG:

The advantage here is that role maintenance is also used for other authorizations in BI or in other SAP systems, and is therefore known to the system. The copying of roles is also supported. Users can be assigned using the (central) user maintenance. The necessary authorizations and profiles are automatically generated for the roles.                                                        

However, the maintenance of authorizations for hierarchies is not supported here. You must maintain them in the transaction RSSM in the BI system, and enter their technical names in the role.

For the procedure, see: Setting Up Standard Authorizations.

       2.      Maintaining authorizations with transaction RSSM:

In this transaction, you can maintain authorizations for an individual user or for several users. You can display the users alphabetically or with any number of BI hierarchies in the characteristic 0TCTUSERNM. The system also displays characteristic values or hierarchies. Authorization is maintained using Drag&Drop on the values or nodes of the hierarchy. There are two significant advantages. Firstly, it is possible to drag & drop into user hierarchy nodes and the value or node is assigned to all users underneath. The other advantage is that the system automatically creates a definition for the authorization in a hierarchy in the background. Manual authorization is thus not necessary. The system generates or changes authorizations and profiles for the users and assigns these to them.                    

The maintenance load is hereby reduced to a minimum. You only need to assign the authorized values or nodes to the users. You can even consider a grouping that already exists. The SAP standard authorization concept (authorizations and profiles) will continue to be used.            

If you have not already maintained this assignment of authorized values for users in another system, this concept displays the method with the least workload.

For the procedure, see: Maintaining Reporting Authorizations Manually

       3.      Assignment of authorized values for users already exists in a system and should not be maintained again. In this case, you have two options:

                            a.      The authorized values are loaded into the BI system as transaction data.

                            b.      The authorized values are loaded into DataStore objects that have a pre-specified format, or are created by a report.       

See also Using Existing Authorization Data.

The procedure can be found in Generating Report Authorizations

Example of use:

¡        You have already maintained the assignment for a legacy system and want to transfer this as it is into the BI system.   

¡        The authorized values can be derived using name spaces from the user name.             

Nevertheless, you need not maintain the data manually nor store it in a database table before generating authorizations from it. It is better to use the RSSM transaction described above in this case.                                    

 

 

Leaving content frame