Financial Management Blogs by SAP
Get financial management insights from blog posts by SAP experts. Find and share tips on how to increase efficiency, reduce risk, and optimize working capital.
Product and Topic Expert

We take a brief look at the authorization objects that need to be included in a PFCG-role for a user that is only allowed to do the bare minimum in BPC embedded: Open a report or input form in the web frontend.

We assume that the report or input form is defined on model myModel of the environment myEnvironment.

Consuming Global BW Reporting/Planning Queries

BW Analysis Authorizations

As BPC embedded extends BW in the sense that BW objects (queries etc.) can also be consumed in BPC embedded, it comes as no surprise that BW analysis authorizations are required.




Analysis authorization objects as maintained in RSECADMIN.

These can be extended by the BPC-specific concepts of environment authorizations and Data Access Profiles.


Authorizations by query component


Authorization by query owner

Data Access Profiles

The concept of analysis authorizations is extended by environment authorizations and Data Access Profiles (DAPs) in BPC.
As our objective is to build a minimal example, we would like to keep the analysis authorizations as configured in the BW backend. To do so, we have to configure a DAP for the model our input form or report lives on.
The resulting authorization for the user will be calculated as the intersection of the RSECADMIN analysis authorizations and the DAP. So we create a DAP for myModel, assign our user to the DAP and choose *-authorizations for all authorization relevant dimensions of this DAP.

Note that DAPs are mandatory. Not configuring a DAP means "no authorization".
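
The intersection rule described above, as an added example that is not part of the original post and is not SAP code: a simplified Python model in which each dimension is granted either `*` or a set of single values (intervals and hierarchy authorizations are left out). The dimension names and values are constructed, and treating a dimension that is absent from the DAP as "not granted" is an assumption of this model.

```python
ALL = "*"  # wildcard: every value of a dimension


def intersect_values(bw_values, dap_values):
    """Intersect two grants, each either "*" or a set of single values."""
    if bw_values == ALL:
        return dap_values
    if dap_values == ALL:
        return bw_values
    return bw_values & dap_values


def effective_authorization(analysis_auth, dap):
    """Effective grant = RSECADMIN analysis authorization intersected with the DAP.

    analysis_auth: {dimension: "*" or set of values}, as maintained in the BW backend.
    dap: same shape for the model's Data Access Profile, or None when the
         user is not assigned to any DAP for the model.
    An empty set for a dimension means no access.
    """
    if dap is None:
        # DAPs are mandatory: no DAP means "no authorization".
        return {dim: set() for dim in analysis_auth}
    # Assumption of this model: a dimension missing from the DAP grants nothing.
    return {dim: intersect_values(bw, dap.get(dim, set()))
            for dim, bw in analysis_auth.items()}


def may_access(effective, dimension, value):
    """True if the effective grant covers this dimension value."""
    granted = effective.get(dimension, set())
    return granted == ALL or value in granted


# Constructed sample data (not taken from a real system).
BW_AUTH = {"COMPANY": {"1000", "2000"}, "VERSION": ALL}
DAP_STAR = {"COMPANY": ALL, "VERSION": ALL}           # the minimal setup from the text
DAP_NARROW = {"COMPANY": {"1000", "3000"}, "VERSION": {"PLAN"}}

if __name__ == "__main__":
    for label, dap in [("* DAP", DAP_STAR), ("narrow DAP", DAP_NARROW), ("no DAP", None)]:
        print(label, "->", effective_authorization(BW_AUTH, dap))
```

With the `*` DAP the result equals the BW analysis authorizations unchanged, which is why the minimal role uses `*` for all authorization-relevant dimensions.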

Authorizations for Library Access





Act: 03 (Display)
Class: <Dummy>
Required for opening reports/input forms. Also required for executing queries with authorization-relevant dimensions in an environment/model context (any client).

App SetID: myEnvironment
Access (logon to) environment.

Act: 03 (Display)
App SetID: myEnvironment
Folder: *
Resource Type: *
See folders, input forms, reports.

If we want to be very strict, we can even restrict RSBPC_WKSP to Folder [PUBLIC] or [NON_PUBLIC]. Nonetheless, the user will always have read access to the team folders for all teams that he/she is a member of. Write access to team folders is determined by the “Team Lead” flag in the team maintenance UI.

Useful Extensions


If our user should have the possibility to add input forms/reports to his/her favorites, we need to add:

Act: 23
App SetID: myEnvironment
Folder: <Dummy>
Resource Type: LINK
Allow things to be added to "favorites".


Consuming Local Objects

If our user should have permission to consume data from local providers, the authorization for the respective BW-workspace needs to be added. The name of this workspace corresponds to the name of the BPC environment:





Act: 16 (Execute)
Name: myEnvironment
Access to local providers of the environment.
