Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
Showing results for 
Search instead for 
Did you mean: 

Please help : use of : in bi security

Former Member
0 Kudos

Dear All,

Please give one exampl for use of : in bi securiy.

1)exact use of bi security and what will happen if won't give : and what will happedn if we give : with value also.

Please help me in this..I am getting confuse every timewhen i am resolving the bi issues...I am doing on guess only.

With Best Regards,


Former Member
0 Kudos

Hi Bi security is just like anyother security for standard roles

use PFCG to build role, enable or disable what is required at the authorization data level, populate the organization levels required

The difference is about the analytical reporting :

Let us you want to restrict :

Charateristic, Characteristic value, keyfigures and hierarchy

Then you will have to make those authorization relevant using the transaction RSECADMIN

and this transaction has the direct link to user and role maintenance.

Let me give you an example

Lets say your cost price is $100 and selling price is $150 for a sales item " CAT"

you will create a authorization object using RSECADMIN

make the characteristic name CAT visible to users

make the selling price visible to the user.

remaining line items can be masked from the user.

Similarly if you have lot of sales items ( Different breeds of CAT)




you would not want the users to know your purchase price

so you will mask the complete column of purchase price

that is called keyfigures in this example.

Remember for BI Analtical reporting tool box is RSECADMIN now.


A.Franklin Jayasim

Principal Architect

SAP Security/GRC/IDM

Former Member
0 Kudos


Colon :

You require aggregation authorization (u201Ccolon authorizationu201D) to view the values of an authorization-relevant characteristic in aggregated form. What does this mean exactly?


The calendar year (0CALYEAR) characteristic is authorization-relevant and is contained in the InfoProvider that is in use. You defined a query as follows:

1. 0CALYEAR is in the free characteristics (not in the drilldown) without any selections

- or -

2. 0CALYEAR does not exist in the query at all.

In both cases, no 0CALYEAR values are displayed in the query. Also, the query is not restricted to any 0CALYEAR values. A colon is required for the authorization check in this situation.

Note the following in particular about case two:

The query does not contain the authorization-relevant characteristic. However, this does not mean that an authorization check does not take place on this characteristic. This is because the characteristic is contained in the InfoProvider.

What relationship do the displayed key figures have to the calendar year?

The displayed data does have a relationship to the year. The described query displays data from all years that are posted in the InfoProvider. Each individual figure that is displayed represents the sum (aggregation) of the corresponding data from all years.

This form of display must be authorized by colon authorization.

Special case: Structural components (restricted key figures)

Many queries contain several structural components that contain a separate local filter. These could be columns (for example) with local restrictions on the last three years 2008, 2007 and 2006. In this situation, note the following: If the query contains another structural component (another column) which does not contain a characteristic restriction (0CALYEAR in our example), the colon is required during authorization. This is because aggregated values are displayed in this column

Example from BI 365.

If the InfoProvider has sensitive data, it could be that you do not want the user to see any summarized data.

For example, let us assume you have an InfoProvider that has sensitive data. In this business scenario you have chosen to secure by InfoObjects (for example, Company Code). If you do not want a user with access to CompanyCode 1000 to see ANY data from other company codes, then you might not give this user the colon ( value in the authorization. This would mean that ANY

queries on your InfoProvider that do not use the CompanyCode InfoObject will fail for this user.

Refer BW365 page 76 & examples


Easy way to identify when colon is missing,when u get message EYE 007 u201CYou do not have sufficient authorizationu201D

Colon authorization is not taken into account when you use a variable of the type u201CFill from authorizationu201D since it is not known whether the affected characteristic is in the drilldown during variable processing.



0 Kudos


I think there is a lot explained already. In note 1337102 and 1140831 you find more information about the :

Have fun

Bye jan van Roest