In previous blog about SAP BW Authorizations, my friend guided you step by step how to manage Analytic Authorization of an InfoObject and how you can use it in query function of SAP Profitability and Performance Management 3.0 (SAP PaPM). In this part I will focus about showing you how to create more complex scenarios and how you can use this kind of authorizations on query level.
If you didn’t check his blog post about simple cases of BW authorization usage in SAP PaPM, I encourage you to visit
this one first before continuing with the next section of this blog post.
First of all: let’s have a quick presentation of more complex choices that you can display on query level. Let us assume that user has restrictions not only for one characteristic, but on few of them. In this example those characteristics will be: Company code: YBW_COMP, Country: /NXI/CNTR and Version: 0VERSION.
As you can see, we have characteristics with all possible technical naming conversion including standard one: 0VERSION, Characteristics delivered with certain product/add-on: /NXI/CNTR and created by user: YBW_COMP. Additionally we added one key figure: YQA_AMT. In the end, the data in Model Table function will look like this:
Fig. 1. Transactional data saved in model table function
In the screenshot above, you can find such values for given characteristic:
- Company code: CC_A, CC_B and CC_C
- Version: 1, 2 and 3
- Country: US, DE and PL
Just a bit of a side note, regarding the authorization user - DBW_ATH_PAPM. DBW_ATH_PAPM authorizations for these
more complex scenarios are maintained like on the screenshot (from RSECADMIN) given below:
Fig. 2. SAP BW authorization assignment for particular user (RSECADMIN)
Now going back to Model Table --- So we have Model Table and let’s create query on top of that. However, did you think about one question: “What results will be shown by query?” Query will show data according to authorizations meaning it will show common part of authorization values, visualized as on figure below:
Fig. 3. Visual representation of part of common of chosen authorizations
In other manner, data that will be shown will have such filter: (Company: CC_A OR CC_B) AND (Country: US) AND (Version: 1 OR 2).
Note:
When you create a query, you have to remember that authorization relevant characteristic need to have variable set as: Authorization.
Fig. 4. SAP PaPM query definition with “Authorization” variable
If you miss to do that, you will get message:
Fig. 5. An error message (SAP PaPM view)
Let us analyze results of a query:
Fig. 6. Query results (SAP PaPM view) when using SAP BW reporting authorization
As you can clearly see, query results match what I stand for earlier. Query will display only records which are matching certain filters done by authorizations.
But how about displaying records that are in Model Table or Model BW function via Analyze screen? Let’s try it:
Fig. 7. SAP PaPM Model table function output when using SAP BW reporting authorization from our example
You will get a message that you haven’t got authorization to display results of that InfoProvider. But why? To be able to answer that question let us have a look about what Analyze button would like to display. When you do the same thing with user which has no restrictions, data will be displayed as given:
Fig. 8. SAP PaPM Model table function output when using no restriction for SAP BW reporting authorization
As you can see, by default results that are shown were created by aggregation of key figure (or all of key figures used), and since our DBW_ATH_PAPM user doesn’t have authorizations to display all of characteristic’s values or aggregated key figure value, we must attach aggregation authorizations for that user to be able to analyze display that kind of data. You can create them as I explained in first part of my blog, but instead of giving precise value, you need to fill field with colon sign “:” as shown on screenshot below.
Fig. 9. Definition of SAP BW “aggregation” authorization
You can create all of those aggregation authorizations for all 3 characteristics from our example and add them to your user. Then we can try to Analyze function model table again:
Fig. 10. SAP PaPM Model table function output when using SAP BW reporting authorization from our example extended by SAP BW “aggregation” authorization
Nevertheless, you still cannot see and add any characteristic to rows/columns freely due to the fact that we have restrictions on values of those characteristics. When you want to add Company code to rows you will get a message that you haven’t got authorizations to display that. Only way to display those is to filter them up according to your authorizations, e.g. we will be able to see CC_A for company code:
Fig. 11. SAP PaPM Model table function output when using SAP BW reporting authorization (filtering data to authorized values)
Note:
You may ask: why the system doesn’t automatically filter data according to those authorizations? When we run Analyze, PaPM is trying to display all InfoProvider’s data in aggregated form and doesn’t know if you want to display those values or not – remember that the only way to pass information about variables is the query function. This is why it is important to select authorization variables on authorization relevant characteristics in definition of query.
To exhaust the topic about authorization on characteristics we must mention one more: Hierarchy authorization. As you know you can use hierarchy of characteristic can be display when analyzing a query. You can provide this information in query definition:
Fig. 12. SAP PaPM query definition with hierarchy in the rows
So, when you would like to Analyze query with no restricted values (by authorization feature) you will see such results:
Fig. 13. SAP PaPM query output when using hierarchies in the rows
Hierarchy for Company code has given definition:
Fig. 14. SAP PaPM hierarchy definition for characteristic/field “Company code”
Ok, so how you can maintain authorization on specific hierarchy node level? It is pretty simple: You can go to RSECADMIN and create such authorization, but it needs to be a hierarchy authorization as given on screenshot below:
Fig. 15. SAP BW hierarchy authorization definition
So, as you expect, user DBW_ATH_PAPM with such authorizations will be able to display only values given under specific node of hierarchy – in this case N03:
Fig. 16. SAP PaPM query output when using hierarchies authorization in query definition
Key figures can also be restricted by authorizations – some people could see only authorized key figures on the same query/report. Authorization for specific key figure should look like this:
Fig. 17. SAP BW key figure authorization definition
And for technical InfoObject 0TCAKYFNM you can select technical name of the key figure that you want to authorize:
Fig. 18. SAP BW key figure authorization definition for key figure “YQA_AMNT”
Meaning – user will only be able to see values for that specific key figure. So, let’s have a look into SAP PaPM Environment. Let’s create simple example with two characteristics and two key figures. So, Analyze screen in SAP PaPM for user with authorizations for all characteristics values and key figures:
Fig. 19. SAP PaPM query output for user with no authorization restriction
For our DBW_ATH_PAPM user, we restrict authorizations only for key figure Net result – YQA_AMT. As you can see key figure Quantity is not available for this user to analyze.
Fig. 20. SAP PaPM query output for user with authorization restriction to key figure “Net result – YQA_AMT”
You can see that using BW authorizations is not that difficult, and I think you will be able to re-create that examples on your system. I strongly encourage you to try it by yourself and make some of examples which can have all of authorizations mentioned in this blog and in the previous part.
In next blog I will go through other SAP Profitability and Performance Management functions that can use BW Authorizations, so watch out!