Showing results for 
Search instead for 
Did you mean: 

Best Practice Read Only Security BPC and BW for Production

0 Kudos

Hi Experts,

has anyone created a Task Profile or BW role definition for read only settings for production environments?
Our client, who wishes to restrict consultants and others to read-only functionality while providing us the ability to view all activity and data in the system.
I created a Task Profile and DAP that provide read only and the VIEW tasks along with a few more to be able to view the packages and schedule task statuses for all users  (The DAP profiles are all read only so even if there are a few “use TP below we cannot transact in the system”. 

Any other thoughts re security setup?  Does anyone have a Task Profile (TP) and Data Access Profile (DAP) setup that they created and can share?

While this seems like an obvious question, we find have been adjusting the TP multiple times to arrive at the below setup to view all the necessary functions and data.


Use BPFs
View Journals
Use Input Forms and Save Data
Run Audit Reports
Run Comment Reports
Run Work Status Reports
Run BPF Reports
Run Security Reports
View Consolidation Monitor
View Ownership Manager
View Controls definition
View Controls
Cancel Any User Packages
Edit Package Schedules for any users
View All Package Status
View All Detailed Package Status
View Models
View Environments
View Business Rules
View Dimensions
View Data Locks and Work Status
View Drill Throughs
View Document Types
View Audit Settings
View BPFs settings
View Journal Templates
View Security
View Equity Pick Up Monitor
View Equity Pick Up Audit Report
Use Work Status

Accepted Solutions (0)

Answers (2)

Answers (2)

0 Kudos

An update to the above post, the question also is what's best re BW roles in production?

We gave requested transactions just as:


SE16 to view tables

SU01D to view user IDs.


Did anyone create a list of these transactions?  We are adding one-offs as needed.



0 Kudos

Hi Eyal

I would like to know if you want to control access to users from the backend BW or from BPC front end?

That will be one consideration.

Secondly, if you are having CUA - Central User Administration in place. That can create complications as once CUA is in place, it is advisable to adjust access of the users from CUA only - addition or removal of DAPs, creating a new user etc.

Discuss with your security team as well as I believe they will own this aspect ultimately.

0 Kudos


We are managing controls via the BPC web administrator.

There's no CUA implemented at this site.