Skip to Content

Analysis Authorization - creating and direct assignment in productive system - good practice ?

Mar 29, 2017 at 05:59 PM


avatar image

Hi folks,

We have a requirement upcoming for our retails sites to access our BW prods individual. This will usher in frequent maintenance as we will have to create analysis auth object one for one at site level - each site would hold its own unique analysis auth object. We currently use roles based for all auths , transport any changes.

I notice RSECADMIN has the direct assignment feature. Has anyone created analysis directly in prod and assignment in experience as a common practice for these situations

I see a few tables for views of assignment and history but no SUIM type tcodes/reports ?

10 |10000 characters needed characters left characters exceeded
* Please Login or Register to Answer, Follow or Comment.

3 Answers

Jurjen Heeck Mar 29, 2017 at 08:25 PM

Hi Dan,

I personally prefer to have the 'standard' user management tools as single point of entry for user administration. Both for maximum simplicity in user maintenance and the ease of viewing all change documents for role (and analysis authorization) assignment in one spot.

Besides that I do not know if RSECADMIN authorizations allow for segregation of authorization change rights v.s. assignment rights. In standard role maintenance you can separate those rights. Role and user maintenance separation is often a requirement.

Hope this helps.


10 |10000 characters needed characters left characters exceeded
Krishna Chaitanya Mar 31, 2017 at 12:08 PM

Hi Dan

You need to create all Analysis authorizations in Dev environment and tested it thouroughly before moving these changes to QA and PROD.

Please go through the link, It will help you for sure.


Krishna Chaitanya.

Show 1 Share
10 |10000 characters needed characters left characters exceeded

Thanks Gents ...

We are looking at separating the Analysis Auth from the query role so that the query role /objects will be maintained only by test and transport.

The requirement is looking for 1300 AA 's to associate with this one role

Thanks for input !

Chris Obura May 12, 2017 at 03:29 PM

Hi Dan,

It is not a best practice to assign analysis authorizations directly to users from the direct assignment tab. You can use this tab when you are testing an analysis authorization. The best practice is to assign the analysis authorization to a role via auth object S_RS_AUTH. This way users will indirectly be assigned the analysis authorization via security roles.


Show 2 Share
10 |10000 characters needed characters left characters exceeded

Thanks Chris ...and yes this has always been our standard as well. This new requirement will expound things greatly to 1000 + analysis auths and they will change weekly. The AA's will be be copied with only site # ? changing.

I am not like the inconsistencies i see in tables RSECUSERAUTH and RSECUSERAUTH_CL. The tables reflect fine for additions and changes while the user SU01 is active. I notice those and other BW tables do not reflect accurate once

the SU01 user is deleted - not sure if any has input on those areas. Nothing shows up in notes (so far) that i see.


Hi Dan,

You are right about the tables RSECUSERAUTH and RSECUSERAUTH_CL not updating after SU01 user deletion. This appears to be a program bug and probably should raise a message with SAP. A workaround would be of course to remove AA first before deleting user in SU01.

However, from what you are describing to me it sounds like you may consider activating 0TCA_DS01 DSO to dynamically read user authorizations from say ECC system if that's where you have your master retail sites defined and generate values. This will allow you to dynamically read the site details from user in ECC and a dynamically generated AA will be assigned to user in BW based on ECC site role values. When user no longer requires a site from ECC, the next time the generation runs in BW it will automatically remove the generated AA from user profile. Check out this link to get you started. Please note, even though this feature was mainly meant for HR / FI but it can be extended to any functional area.