Authorization Dimension

Use

An authorization consists of multiple dimensions. An authorization dimension is a characteristic or navigation attribute.

Features

You can authorize characteristics and navigation attributes independently of one another.

An authorization dimension contains a set of values, intervals, and hierarchy authorizations.

You can add any number of characteristic and navigation attributes to an authorization as dimensions; you can authorize single values, intervals, simple patterns, variables, and hierarchy nodes.

To display aggregated values, such as totals rows, you require the authorization for aggregated values; this authorization is indicated with a colon (I EQ :). The definition of the authorization in this case is:

| Including/Excluding | Operator | Technical Characteristic Value (from) | Technical Characteristic Value (to) |
|---|---|---|---|
| I (including) | EQ (equal: single value) | : | |

The pound sign (I EQ #) stands for non-assigned values. The definition of the authorization in this case is:

| Including/Excluding | Operator | Technical Characteristic Value (from) | Technical Characteristic Value (to) |
|---|---|---|---|
| I (including) | EQ (equal: single value) | # | |

Only patterns that end with a single pattern symbol, that is, with an asterisk (*) for any character string or with a plus sign (+) for exactly one character, are permitted. The only exception to this is the characteristic 0TCAVALID for the validity period.

Exclusion definitions (negative authorizations) are not possible; all authorizations have to be positively defined. Again, the only exception to this is the characteristic 0TCAVALID for the validity period.

Special Dimensions

In addition to these generic dimensions, an authorization includes special dimensions. These consist of the characteristics 0TCAACTVT (activity), 0TCAIPROV (InfoProvider), and 0TCAVALID (validity). These special characteristics must be included in at least one authorization for a user; otherwise the user is not authorized to execute a query.
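
The value rules above (trailing pattern symbol only, no exclusions, 0TCAVALID exempt) and the special-dimension requirement can be checked mechanically when reviewing authorization definitions. The following Python linter is an added example, not SAP code or part of the original documentation; the row layout, function names and sample data are assumptions constructed for illustration, and it treats every * and + in a value as a pattern symbol.

```python
# Added example: lint authorization rows against the rules stated on this page.
# Row layout and all names here are assumptions, not an SAP export format.
from collections import defaultdict

SPECIAL = {"0TCAACTVT", "0TCAIPROV", "0TCAVALID"}
PATTERN_SYMBOLS = "*+"


def bad_pattern(value):
    """True if value uses pattern symbols other than one trailing * or +."""
    count = sum(value.count(sym) for sym in PATTERN_SYMBOLS)
    return count > 1 or (count == 1 and value[-1] not in PATTERN_SYMBOLS)


def lint_authorizations(rows):
    """rows: (user, authorization, characteristic, sign, operator, low, high)."""
    findings = []
    seen = defaultdict(set)  # user -> special characteristics present
    for user, auth, char, sign, _op, low, high in rows:
        if char in SPECIAL:
            seen[user].add(char)
        if char == "0TCAVALID":
            continue  # the page exempts validity from both value rules
        if sign != "I":
            findings.append((user, auth, char, "exclusion not permitted"))
        for value in (low, high):
            if value and bad_pattern(value):
                findings.append((user, auth, char, f"invalid pattern {value!r}"))
    for user in sorted({r[0] for r in rows}):
        for char in sorted(SPECIAL - seen[user]):
            findings.append((user, None, char, "special characteristic missing"))
    return findings


# Constructed sample data; operators are carried along but not checked.
SAMPLE_ROWS = [
    ("ALICE", "Z_SALES", "0TCAACTVT", "I", "EQ", "03", ""),
    ("ALICE", "Z_SALES", "0TCAIPROV", "I", "CP", "*", ""),
    ("ALICE", "Z_SALES", "0TCAVALID", "I", "BT", "01.++.2004", "10.++.2004"),
    ("ALICE", "Z_SALES", "0REGION", "I", "EQ", ":", ""),
    ("ALICE", "Z_SALES", "0REGION", "I", "CP", "EU*", ""),
    ("BOB", "Z_COST", "0COSTCENTER", "I", "CP", "1*0", ""),
    ("BOB", "Z_COST", "0COSTCENTER", "E", "EQ", "1000", ""),
    ("BOB", "Z_COST", "0TCAACTVT", "I", "EQ", "03", ""),
]

if __name__ == "__main__":
    for finding in lint_authorizations(SAMPLE_ROWS):
        print(finding)
```

In the sample, ALICE passes cleanly, while BOB is flagged for an embedded pattern symbol, an exclusion row, and the missing 0TCAIPROV and 0TCAVALID dimensions that would leave him unable to execute a query.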

Recommendation

We recommend that you include these special characteristics in every authorization.

You do not have to include them in every authorization, but for reasons of clarity and analysis security, we recommend that you do this.

Caution

These special characteristics may not be used in queries.

The special characteristics are delivered with the BI Content and are activated automatically. However, they are not yet designated as authorization-relevant. You need to set this indicator yourself in InfoObject maintenance before you use the characteristics in authorizations.

Using the characteristic 0TCAACTVT (activity), you can restrict the authorization to different activities. Read (03) is set as the default activity; you must also assign the activity Change (02) for integrated planning.

Using the characteristic 0TCAIPROV (InfoProvider), you can restrict the authorization to individual InfoProviders. The default is that all InfoProviders are authorized with the asterisk (*). Its master data and the hierarchy characteristic for the InfoArea represent the structure of the InfoProvider in the Data Warehousing Workbench. This allows you to assign authorizations for entire InfoAreas. Note that this type of authorization assignment can have a negative impact on performance.

Using the characteristic 0TCAVALID (validity), you can restrict the validity of an authorization. Always valid (*) is set as the default for validity. You can restrict this validity by specifying a single value or an interval. With single values, the relational operator is set to EQ (equal to) during the check. With intervals, you can select from more relational operators than you can with other characteristics; this allows you to set the validity accurately. To do this, you can use the following patterns: * (asterisk) for any number of characters or + (plus) for exactly one character. When you use patterns, continue to write single-digit days and months in two-digit format. For example, use 12/0+/2005 to authorize December 1-9, 2005.

Example

In the following example, the authorization is restricted to the 1st to the 10th of each month in the year 2004.

| Including/Excluding | Operator | Technical Characteristic Value (from) | Technical Characteristic Value (to) |
|---|---|---|---|
| I (including) | BT (between: interval) | 01.++.2004 | 10.++.2004 |

In the following example, the authorization is only valid until 12/31/2004.

| Including/Excluding | Operator | Technical Characteristic Value (from) | Technical Characteristic Value (to) |
|---|---|---|---|
| I (including) | LE (less or equal: everything <= the value in field from) | 31.12.2004 | |

Characteristic 0TCAKYFNM is the special characteristic for key figure authorizations (with the earlier concept for reporting authorizations, the technical characteristic 1KYFNM was used for this purpose). Authorizations are created and checked for this special characteristic when key figure authorizations are required. Hierarchy authorizations cannot be used on 0TCAKYFNM.

Note

If this characteristic becomes authorization-relevant, it is always checked. You should therefore only mark it as authorization-relevant after careful consideration.

 
