How to Use SAP Access Control to Provision Dynamic Analysis Authorization Values in SAP BW

  • by Nitin Aggarwal , Chartered Accountant and Certified Information Systems Auditor, Infosys
  • Sanjeev Kotwal, ABAP Technical Consultant, Infosys
  • November 25, 2015
Learn the various options available to customize SAP Access Control to provide automated provisioning of dynamic analysis authorization values in SAP Business Warehouse (SAP BW) systems. The options include an additional screen in the request form that allows you to select the values in real time from the back-end SAP BW system.
Learning Objectives

Reading this article you will learn:

  • About the dynamic analysis authorization concept in SAP Business Warehouse
  • The options available to automate provisioning of dynamic analysis authorization values using SAP Access Control
Key Concept

SAP Access Control is used to provision roles and profiles to users in back-end systems. However, in the case of an SAP Business Warehouse (SAP BW) system, the authorization setup goes beyond that into analysis authorization, which is not handled directly by SAP Access Control. Handling of analysis authorizations through SAP Access Control requires the creation and provisioning of a large number of roles or the implementation of a custom solution. The solution is dependent on implementation of a dynamic analysis authorization concept in the SAP BW system.

All users who want to display transaction data from authorization-relevant characteristics or navigation attributes in a query require analysis authorizations. Authorizations of this type are not based on the standard SAP authorization concept, which uses authorization objects.

Analysis authorization is a new authorization concept introduced for SAP Business Warehouse (SAP BW) that instead includes a group of characteristics. You restrict the values for these characteristics. The authorizations can include any authorization-relevant characteristics, and they treat single values, intervals, and hierarchy authorizations in the same way. Navigation attributes also can be flagged as authorization-relevant in the attribute maintenance for characteristics and can be added to authorizations as separate characteristics.

These authorizations are then added to roles under authorization object S_RS_AUTH and finally are assigned to users through the roles. However, when the number of analysis authorization objects increases, it becomes more complex to manage them through roles. For example, a restriction on a profit center or a cost center hierarchy node requires the creation of a large number of analysis authorizations that, in turn, are included in different roles (based on user requirements). That increases the number of roles that need to be created and maintained. You can avoid this by setting up dynamic analysis authorization.

Nitin Aggarwal

Nitin Aggarwal is a chartered accountant and a certified information systems auditor with more than 10 years of experience in SAP implementations, business process control reviews, access and authorizations reviews, and IT audit. He is a subject matter expert on SAP Access Control and has been involved in numerous implementations over the past seven years.

See more by this author

Sanjeev Kotwal

Sanjeev Kotwal is an ABAP technical consultant with more than five years of experience in SAP implementations. His areas of expertise include Web Dynpro ABAP, SAP Adobe forms, BSP, user exits, and report programming.


See more by this author


No comments have been submitted on this article. 

Please log in to post a comment.

To learn more about subscription access to premium content, click here.