
Analysis Authorization - creating and direct assignment in productive system - good practice?

Hi folks,

We have a requirement upcoming for our retail sites to access our BW prods individually. This will usher in frequent maintenance as we will have to create analysis auth objects one for one at site level - each site would hold its own unique analysis auth object. We currently use roles based for all auths, transport any changes.

I notice RSECADMIN has the direct assignment feature. Has anyone created analysis directly in prod and assignment in experience as a common practice for these situations?

I see a few tables for views of assignment and history but no SUIM type tcodes/reports?


3 Answers

  • Mar 29, 2017 at 08:25 PM

    Hi Dan,

    I personally prefer to have the 'standard' user management tools as single point of entry for user administration. Both for maximum simplicity in user maintenance and the ease of viewing all change documents for role (and analysis authorization) assignment in one spot.

    Besides that, I do not know if RSECADMIN authorizations allow for segregation of authorization change rights vs. assignment rights. In standard role maintenance you can separate those rights. Role and user maintenance separation is often a requirement.

    Hope this helps.



  • Mar 31, 2017 at 12:08 PM

    Hi Dan

    You need to create all Analysis authorizations in the Dev environment and test them thoroughly before moving these changes to QA and PROD.

    Please go through the link; it will help you for sure.


    Krishna Chaitanya.


    • Thanks Gents ...

      We are looking at separating the Analysis Auth from the query role so that the query role/objects will be maintained only by test and transport.

      The requirement is looking for 1300 AAs to associate with this one role.

      Thanks for input!

  • Former Member
    May 12, 2017 at 03:29 PM

    Hi Dan,

    It is not a best practice to assign analysis authorizations directly to users from the direct assignment tab. You can use this tab when you are testing an analysis authorization. The best practice is to assign the analysis authorization to a role via auth object S_RS_AUTH. This way users will indirectly be assigned the analysis authorization via security roles.



    • Former Member

      Hi Dan,

      You are right about the tables RSECUSERAUTH and RSECUSERAUTH_CL not updating after SU01 user deletion. This appears to be a program bug and probably should raise a message with SAP. A workaround would be of course to remove AA first before deleting user in SU01.

      However, from what you are describing to me it sounds like you may consider activating 0TCA_DS01 DSO to dynamically read user authorizations from say ECC system if that's where you have your master retail sites defined and generate values. This will allow you to dynamically read the site details from user in ECC and a dynamically generated AA will be assigned to user in BW based on ECC site role values. When user no longer requires a site from ECC, the next time the generation runs in BW it will automatically remove the generated AA from user profile. Check out this link to get you started. Please note, even though this feature was mainly meant for HR / FI, it can be extended to any functional area.