Prevent Users from Accessing Sensitive Data Using Authorization Restrictions

  • by Graeme Smith, Principal BW Consultant, Unilog Ltd.
  • September 1, 2005
Securing information within an SAP BW system is necessary, but it can be difficult because of the massive volumes of sensitive data that are stored in the system. Learn how to develop authorization restrictions for InfoObjects via transaction RSSM so end users can access only relevant data.
Key Concept

SAP BW has two types of authorization objects. The Business Information Warehouse authorization object (RS) restricts BW users from completing certain functions such as creating queries or assigning them to roles. BW provides all the required authorization objects for this classification type so there is no requirement to create custom objects in this category.

The other type of authorization object, Business Information Warehouse — Reporting (RSR), restricts users from seeing certain data. BW does not provide standard RSR authorization objects so you have to create them yourself using transaction RSSM.

You can roll out SAP BW information to an end-user community in a variety of ways. The most widely used and effective means, however, is to empower users to access BW and run queries themselves. This requires the implementation of authorizations so users see only the data to which they should have access. For instance, you must protect HR data to ensure that only the head of an IT department can see the salaries and personal information for the employees within that department. You could also add authorizations so cost center managers only see the cost and spend figures for the cost center for which they are responsible.

I’ll walk you through the process of developing data authorization restrictions for InfoObjects within BW. I’ll also detail the process of implementing authorizations for both characteristics and key figures and point out when the process differs for each. I’ll focus on how to use the BW reporting authorization object RSR. In the characteristic authorization example, I’ll configure the system so that users are only allowed to see cost center CC00000010. For the key figure authorization example, the setup I’ll explain here allows users to view only the key figure 0AMOUNT.

Graeme Smith

Graeme Smith is an SAP-certified lead BW consultant with the UK-based Unilog Group. He has over seven years’ experience implementing data warehousing and business intelligence solutions and also has much exposure to data management applications, including SAP MDM. Since early 2002, Graeme has focused on implementing projects involving SAP Business Information Warehouse and during this time has undertaken a number of key roles within these projects such as lead BW developer, project lead, and program release manager. Graeme has specialist knowledge in BW, HR, and authorizations. You may meet him in person in the UK delivering training for the Unilog Group.

See more by this author


No comments have been submitted on this article. 

Please log in to post a comment.

To learn more about subscription access to premium content, click here.