Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
Showing results for 
Search instead for 
Did you mean: 

BI 7 Analysis Autorisation ,doubts.

Former Member
0 Kudos

Hi all,

We are about to upgrade Bi3.5 system to BI 7 . After the upgrade we will have to migrate new BI security feature.

I have gone through the documents on analysis authorisations but still having some questions in my mind:

First Iam telling a old scenario .eg We have a FI user , for this user i have auth objects S_RS_COMP, S_RS_COMP1, S_TCODE , S_GUI.

S_RS_COMP and S_RS_COMP1 is having FI cubes , ODSes and read permission for all the queries

S_TCODe is for Tcode and is having RRMX and RRMXP Tcodes.

Now with the new concepts based on characteristics like 0COMP_CODE and for this charactericts we can restrict with 0TCAACTVT ,0TCAVALID, 0TCAIPROV.

So i how can i convert my above scenario with new one.

Inserting S_RS_AUTH will again insert newly created analysis auth.

Please help me with some steps , i have read documents but still not clear to me.

Thanks and Regards,



Former Member
0 Kudos

Object like s_rs_comp and s_rs_comp1 still exist in the new concept and can be used as before. The difference is that objects like S_RS_ICUBE and s_RS_ISOUR are not checked anymore. I've never done a migration but in the new concept you create authorisation objects in transaction RSECADMIN. There you can give this object an activity (or *), an infoprovider (or *) even a validity period. Once the object is created you can assign it directly to a user (so without a role) or you can put this into a role via authorisation object S_RS_AUTH. I always put this into a role when the company is already used to work with roles in R/3. In RSECADMIN you can create as many objects as needed, e.g. 1 object per company code.But I'm sure if you go looking on that you can find alot more detailed description about the new concept.

Former Member
0 Kudos

Hi Danny,

Thanks for replying ,i have assigned pts to u.

What i understood from you that we dont need to create new authorisation for new concept the older ones like S_RS_COMP , S_TCODE will still work. But if we want to create new authorisation we should use new ones.

Conclusion wil be like that we dont need to migrate anything but if we want to create new ones then we will use analysis authorisation concept.

Is it?? please confirm.

Thanks again.

0 Kudos

Akash, there are two types of authorization objects in BI, SAP delivered like S_RS_COMP, COMP1, S_RS_ADMWB...which are used to restrict access to BI tools like RSA1 or restricting access of report execution based on infocubes, query name, infoarea etc. The other type of authorizations Reporting authorization are used to restrict access to the data. As each customer has different reporting requirement they have to create reporting authorizations ( Analysis auths ( AA ) ) through RSECADMIN to match their need. Suppose 0COMP_CODE is used to restrict access in old scenario, after migration you need to create new AAs corresponding to different possible values for )COMP_CODE. Its alway better to follow a good naming convention policy which will reduce maintainance overhead later.

The you can update the existing authorization roles for the companies with object S_RS_AUTH auth and newly created AAs for those companies.

During Security migration to new concept of AA, you need to find out all the possible restriction placed in current repoting scenario ( BW 3.5 ) and then create AAs accordingly.

Hope this helps.

Former Member
0 Kudos

You can even work with the old concept, but in one of the next releases this old concept will disappear. But as a start you can put a flag in transaction SPRO (customizing) that you want to work with the old concept. When you have afterwards some time, and after reading some documentation, you can start migrating or rebuild the authorization concept in the new analysis auth.

You can find the flag under :

SPRO - SAP Netweaver - Business Intelligence -Settings for report and analysis - general settings - Analysis authorization : select concept

Former Member
0 Kudos

Hi ,

Again its confusing me.

How would then i use the new concept for lets say my reporting authorisation , t code acess etc.

In the older version we used s_RS_COMP, S_TCODE etc.

If i use newer concept how can i aplly this , as per my understanding then i have to create several authorisation because it s completey based on characteristics.

Culd u please give me the answer in the following scenario.

FIAA is a user is having authorisation objects S_RS_COMP

in which he is having access to 0FI_C03 and query mode is read.

He is also having authorisation object S_TCODE which is hvaing TCODE RRMS and RRMXP.

Now if i want to use newer concept how can i convert this .

Please help.

0 Kudos

if you switch to new concept, the old authorization roles won't work, users will get missing auth error while executing the reports which have restricted ( auth relevant ) characteristics.

With AA concept you do not have to change any values for SAP delivered auth objects like S_RS_COMP, comp1, s_tcode, only you need to create new AAs for auth relevant infoobjects.

in your case S_RS_COMP, S_RS_COMP1, S_TCODE, S_ICUBE...S_RS_MPRO values will remain same, lets say the infoprovider 0FI_C03 has two auth relevant characterisitcs c1 and c2 then with new security concept you need to create Analysis auth aa1 with these two characteristics and option 3 special characteristics 0TCAACTVT ,0TCAVALID, 0TCAIPROV.

Then you need to update the existing role which currently provide reporting auth for 0FI_C03 to include s_rs_auth with value aa1.

If 0FI_C03 does not have any auth relevant characteristic then you do not have to create any AA for it, users will be able to execute reports on this cube without any additional change to role.

Former Member
0 Kudos


I know we can even work with old concept but SAP recommends to work with the newer one only.

Please help.

Former Member
0 Kudos

the entries in those objects can stay the same. It's only when you want to limit on a characteristic that you have to use the new transaction RSECADMIN. If in the previous release that were your only restrictions, these will keep on working. Just put the flag in customizing on 'new concept' and the rest can stay the same.

Former Member
0 Kudos

Hi guys, thanks for ur prompt reply.

I have assigned points to you.

But one doubt is stil there in my mind. Like S_RS_ICUBE woil not be triggered in the new concept. So for this i have to create new authorisation which will be manual.

But the new concept is totally based on characterists and i want to restrict a cbe lets say 0Fi_C03. How can i do it.

One more case for auth object S_RS_ICUBE i have

1 Info area restrictions in Info areas ,

2 Activity 3

3 Info cube subobject *

4 Info Cube *

Could you please clarify on this .

Thanks again.


0 Kudos

In BI 7.0 S_RS_ICUBE will no longer be checked while retrieving data from Info Providers. However, this does not mean the object is no longer user. It will continue to be checked when you are working on the administration of InfoProviders( for ex when using Administrator Workbench - tcode RSA1).

In your case, I understand you have already set up the analysis authorizations for access to data. New analysis authorizations need not be created to accomodate how the system works on S_RS_ICUBE. End users will no longer need access to the object. However, continue to maintain the object for people responsible for administration of InfoCubes.

Hope this helps!!