Hi Experts,
I am working for first time on BI analysis authorization and I am having below queries to be clarified. Can you all please clarify my queries and help me.
1. In the project, we will not use HR and will therefore have to do local maintenance of authorizations in each system (for data access, we will also use a central identity management system). This will for sure affect the possibility of the automatic generation of authorizations. My first question is: can it still be used at all (can we load some data via flat-file or maintain some master data in BI)?
2. Is the concept of having queries linked to PFCG roles to be used at all in BI 7 (according to SAP standard), or is the thought that InfoProvider authorization should be used instead via 0TCAIPROV?
3. Is the following a correct way to do authorizations in BI 7, or if there is something that should be changed to comply with standard?
- Make the following characteristics authorization relevant: 0COMP_CODE, 0SALESORG, 0PLANT
- Activate the technical content for analysis authorizations: 0TCA*
- Create authorizations in RSECADMIN, where we link a authorization object to a characteristic value (for instance, assign object: "XY" to characteristic=0comp_code with value=1010)
- Link the authorizations just created to PFCG roles (for instance create a PFCG role "XY access" which gives access to company code 1010).
- Create PFCG roles for "Report User" and "BW Developer" which have access to read respective create/change/delete rights of queries.
- Create PFCG roles with certain queries linked to them.
- Assign the PFCG roles to BW Users.
4. Does the BI 7 authorization concept enable the use of user groups, or should authorizations be assigned on a user to user basis?
5. What happens if I make a characteristic authorization relevant and then include this characteristic in a query and do not do any restriction on this characteristic (i.e. I do not provide any auth values to the system), will I then get an authorization error?
6. If automatic generation of user authorizations is used together with for instance SAP HR and loaded daily, does this mean that any other manual authorization assignments will be deleted/reset upon the next automatic generation?
7. Is the following a correct way to do authorizations in BI 7, or if there is something that should be changed to comply with standard?
- Make the following characteristics authorization relevant: 0COMP_CODE, 0SALESORG, 0PLANT
- Activate the technical content for analysis authorizations: 0TCA*
- Create authorizations in RSECADMIN, basically one object that has a restriction for each of the authorization relevant characteristics and that uses different customer exit variables to determine which values to use. This customer exit then reads some table (which we maintain manually in BI) to find the values for each user based on user name.
- Link the authorization just created to a PFCG role.
- Give all reporting users this PFCG role.
- Create PFCG roles with certain queries linked to them.
- Assign the PFCG query roles to users.
Thank you very much in advance for helping.
Thanks & Regards,
Sharath