Start of Content Area

Function documentation Generation of Analysis Authorizations  Locate the document in its SAP Library structure


With the generation of analysis authorizations, you can load authorized values from other systems into DataStore objects and generate authorizations from them.

In this way, necessary authorizations from the data for an application (for example, HR) can be generated so that users are able to see or not see the same data in the BI system as in the transactions of the application, even when the authorization concepts are different.

You can use the generation of authorizations to generate either single authorizations or mass authorizations. It is suitable for scenarios that generate new authorizations periodically, that is, that are constantly changing. It does not necessarily make sense to assign these authorizations to the users in roles and profiles. This is not even possible for automatically generated names that keep changing. Therefore the generated authorizations are assigned directly in the BI system. This is considerably faster than generating them from profiles. If a fixed name is assigned, however, this can be done manually from role maintenance. Keep in mind, however, that there is the danger that you can overwrite constant names.

The generation of authorizations is a dynamic authorization assignment that is an alternative concept to the role concept.


An extractor must be available for authorizations (up to now, for HR and Controlling).

For HR:

You have to transfer the DataStore objects 0TCA_DS01 and 0TCA_DS02 (optional 03 to 05) from BI Content. These DataStore objects should be copied for each application for which you want a complete data load. For more information about the content objects at BI Content Human Resources Organizational Management DataStore Objects Structural Authorizations – Hierarchy and Structural Authorizations Values

For controlling:

A complete scenario is available. Transfer the content objects: 0CO_OM_CCA_USER1 (DataSource and InfoSource), as well as the DataStore objects including update rules 0CCA_001, 0CCA_002, and 0CCA_003.

For all other applications:

Copy the templates 0TCA_DS01 and 0TCA_DS02 (optional 03 to 05) in DataStore objects for your application area (department, and so on). Note the naming convention with the digits 1 to 5 at the end.

You need sufficient authorization for generation activities such as deleting, changing and generating analysis authorizations, changing user assignments (authorization object R_SEC), along with any other activities for creating or changing system users using NetWeaver authorization objects for user maintenance. The authorizations required in detail depend on the generation scenario.


You get to this function through management of analysis authorizations (transaction RSECADMIN) at Authorizations Generation of Authorizations.

The DataStore objects for generating authorizations have an analogous structure to the authorizations and contain the following authorization values:

      Authorization data (values) (0TCA_DS01)

      Authorization data (hierarchy) (0TCA_DS02)

      Description texts for authorizations (0TCA_DS03)

      Assignment of authorization users (0TCA_DS04)

      Generation of users for authorizations (0TCA_DS05)

The actual data to be used in the generated authorizations can be found in the two template DataStore objects 0TCA_DS01 and 0TCA_DS02.

More information:

      Template for DataStore Objects with Authorization Data (Values)

      Template for DataStore Objects with Authorization Data (Hierarchy)

You define which authorizations are to be generated from which DataStore objects. You then load your authorization data for them. This can be done for example with CSV files or with extractors. Automatic generation assumes correctly filled DataStore objects. However, the system tries to detect incorrect intervals and some other errors, and to correct them if possible. This is recorded in the log.

For CSV files, the fields User and Authorization need not necessarily be filled with values. In general, however, these fields can be filled with names and numbers. There can be different results when you assign authorizations. You can find more detailed information in the detailed descriptions of the two template DataStore objects above.

You can generate the authorizations on the Authorizations tab page under Generation in the transaction RSECADMIN. As an alternative, the report RSEC_GENERATE_AUTHORIZATIONS starts or schedules generation.

Generating Single Authorizations:

Maintain the user in the DataStore object 0TCA_DS01. It is assigned to the user when the authorization is generated. It can be used for assigning authorizations that are very user specific.

Generating Mass Authorizations:

Leave the User key field empty in the DataStore object 0TCA_DS01 and generate the authorizations. A profile appears that can be assigned to any number of users. The profile gets its texts from the DataStore object 0TCA_DS03. There can be language-dependent short, medium and long texts. You maintain the user in the DataStore object 0TCA_DS04. This generates your mass authorizations.

Generation of Users

You can also generate users with 0TCA_DS05. To do this, specify an existing reference user from which to copy. The newly created users are assigned randomly generated initial passwords that are not transparent. Users can only log on after manually changing the assigned password.       

Generating Authorization Names:

Generate explicit (meaningful) authorization names by filling the field for 0TCTAUTH with your desired name. As an alternative, you can also specify numbers to mark characteristic dimensions that belong to the same authorization. If field 0TCTAUTH is empty, technical names are generated according to the pattern RSR_00000012. All entries with the same name (or an empty field) are assigned the same authorization.

If a technical name with eight digits (RSR_nnnnnnnn) was created for an authorization and then generated again, the existing names are deleted and new technical names are generated. As a result, the previous authorization is deleted and replaced with the new authorization. This new authorization might not be identical to the old one. You can prevent unintended overwriting by using a number range. There is an overflow after 100,000,000 generated authorizations and numbering starts with 1 again.

Deletion of Authorizations and Regeneration

For users for which data exists in the DataStore object that has to be regenerated, first the existing, generated authorizations are deleted. Afterwards, authorizations are generated using the data in the DataStore objects in the usual way.

If a data record with the user name 'D_E_L_E_T_E' is loaded into the DataStore object 0TCA_DS01, first the generated authorizations for all (!) users in the BI system for the DataStore object record are deleted (separated by the first part of the name before the digits) and then generated for the rest of the data.

Log for Generation

A detailed log is created during generation that documents the generation steps and that is displayed automatically. Old logs can be viewed from the transaction RSECADMIN under the Analysis tab page   This graphic is explained in the accompanying text Generation Logs or at the start of the report RSEC_GENERATE_AUTHORIZATIONS by clicking on the log symbol.




End of Content Area