We take a brief look at the authorization objects that need to be included in a PFCG-role for a user that is only allowed to do the bare minimum in BPC embedded: Open a report or input form in the web frontend.
We assume that the report or input form is defined on model myModel of the environment myEnvironment.
Consuming Global BW Reporting/Planning Queries
BW Analysis Authorizations
As BPC embedded extends BW in the sense that BW objects (queries etc.) can also be consumed in BPC embedded, it comes as no surprise that the BW analysis authorization objects are needed.

| Object | Remark |
|---|---|
| S_RS_AUTH | Analysis authorization objects as maintained in RSECADMIN. These can be extended by the BPC-specific concept of environment authorizations and Data Access Profiles |
| S_RS_COMP | Authorizations by query component |
| S_RS_COMP1 | Authorization by query owner |
Data Access Profiles
The concept of analysis authorizations is extended by environment authorizations and Data Access Profiles (DAPs) in BPC.
As our objective is to build a minimal example, we would like to keep the analysis authorizations as configured in the BW backend. To do so, we have to configure a DAP for the model our input form or report lives on.
The resulting authorization for the user will be calculated as the intersection of the RSECADMIN analysis authorizations and the DAP. So we create a DAP for myModel, assign our user to the DAP and choose *-authorizations for all authorization-relevant dimensions of this DAP.
Note that DAPs are mandatory. Not configuring a DAP means "no authorization".
Authorizations for Library Access
| Object | Value | Remark |
|---|---|---|
| S_USER_GRP | Act: 03 (Display); Class: <Dummy> | Required for opening reports/input forms. Also required for executing queries with authorization-relevant dimensions in an environment/model context (any client) |
| RSBPC_ID | App SetID: myEnvironment | Access (logon to) environment |
| RSBPC_WKSP | Act: 03 (Display); App SetID: myEnvironment; Folder: *; Resource Type: * | See folders, input forms, reports. |

If we want to be very strict, we can even restrict RSBPC_WKSP to Folder [PUBLIC] or [NON_PUBLIC]. Nonetheless, the user will always have read access to the team folders for all teams that he/she is a member of. Write access to team folders is determined by the “Team Lead” flag in the team maintenance UI.
Useful Extensions
Favorites
If our user should have the possibility to add input forms/reports to his/her favorites, we need to add:

| Object | Value | Remark |
|---|---|---|
| RSBPC_WKSP | Act: 23; App SetID: myEnvironment; Folder: <Dummy>; Resource Type: LINK | Allow things to be added to "favorites" |
Consuming Local Objects
If our user should have permission to consume data from local providers, the authorization for the respective BW-workspace needs to be added. The name of this workspace corresponds to the name of the BPC environment:
| Object | Value | Remark |
|---|---|---|
| S_RS_WSPAC | Act: 16 (Execute); Name: myEnvironment | Access to local providers of the environment |
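To check that a role really stays at this minimum, the tables above can be turned into a baseline and compared against the role's authorizations. The following is an added example, not part of the original article or of any SAP tooling; the role representation, the `audit` helper and the sample role are constructed, and field names are the display labels used on this page rather than verified technical field names.

```python
ENV = "myEnvironment"  # environment name used on this page
# Objects the page lists without field values: only their presence is checked.
PRESENCE_ONLY = {"S_RS_AUTH", "S_RS_COMP", "S_RS_COMP1"}
# Minimum from the page's tables, keyed by the page's display labels (assumed).
# Fields the page sets to "*" or <Dummy> are left unconstrained.
BASELINE = [
    ("S_USER_GRP", {"Act": {"03"}}),
    ("RSBPC_ID", {"App SetID": {ENV}}),
    ("RSBPC_WKSP", {"Act": {"03"}, "App SetID": {ENV}}),
]
# "Useful Extensions" from the page: tolerated, but reported separately.
EXTENSIONS = [
    ("RSBPC_WKSP", {"Act": {"23"}, "App SetID": {ENV}, "Resource Type": {"LINK"}}),
    ("S_RS_WSPAC", {"Act": {"16"}, "Name": {ENV}}),
]

def covers(auth, rule):
    """True if the authorization grants at least what the rule requires."""
    obj, fields = rule
    return auth[0] == obj and all(
        "*" in auth[1].get(f, set()) or want <= auth[1].get(f, set())
        for f, want in fields.items())

def within(auth, rule):
    """True if the authorization grants no more than the rule allows."""
    obj, fields = rule
    return auth[0] == obj and all(
        auth[1].get(f, set()) <= allowed for f, allowed in fields.items())

def audit(role):
    """role: list of (object, {field: set of values}), one tuple per authorization."""
    missing = sorted(PRESENCE_ONLY - {obj for obj, _ in role})
    missing += [r[0] for r in BASELINE if not any(covers(a, r) for a in role)]
    extensions, excess = [], []
    for auth in role:
        if auth[0] in PRESENCE_ONLY or any(within(auth, r) for r in BASELINE):
            continue
        (extensions if any(within(auth, r) for r in EXTENSIONS) else excess).append(auth[0])
    return {"missing": missing, "extensions": extensions, "excess": excess}

# Constructed sample role. The last entry merges Display and the favorites
# activity into one authorization, so Act 23 applies to every resource type.
SAMPLE_ROLE = [
    ("S_RS_AUTH", {}), ("S_RS_COMP", {}), ("S_RS_COMP1", {}),
    ("S_USER_GRP", {"Act": {"03"}, "Class": {"DUMMY"}}),
    ("RSBPC_ID", {"App SetID": {ENV}}),
    ("S_RS_WSPAC", {"Act": {"16"}, "Name": {ENV}}),
    ("RSBPC_WKSP", {"Act": {"03", "23"}, "App SetID": {ENV},
                    "Folder": {"*"}, "Resource Type": {"*"}}),
]
```

For the sample role, `audit(SAMPLE_ROLE)` reports nothing missing, S_RS_WSPAC as an extension and RSBPC_WKSP as excess; splitting the favorites activity into its own authorization with Resource Type LINK moves it to the extensions list.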