Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
Showing results for 
Search instead for 
Did you mean: 
Product and Topic Expert
Product and Topic Expert


Authorizations in SAP Datasphere are implemented using Data Access Controls. This blog post gives a great overview of the functionality and how to create and apply authorizations.

Data Access Controls are a very generic concept, and this is good, because SAP Datasphere integrates data from different kinds of system, which all have their own authorization concept. Generic also means open and that’s the idea behind it.

Does this mean I have to implement all my authorizations again? How can I ensure that changes to authorizations in the sources are updated to SAP Datasphere?

In this blog post I describe an approach for an S/4HANA system, which should answer those questions. And which is also valid for SAP ECC.


The general approach is simple:

    1. Integrate the tables/views that contain authorizations/privileges as a remote table
    2. Use views to combine, harmonize and enrich the authorization values
    3. Build data access objects on top of the view
    4. Assign the data access objects to the relevant views

It’s obvious that step 1 is the relevant and very likely most complex one, because this must be done for each system type. The integration using remote tables helps fulfil the requirement to have an automatic synchronization of the authorizations.

For SAP BW/4HANA and SAP BW we provide the Remote Authorization feature that takes care of the authorization integration.

Example use case

My example is about integrating the authorizations for sales organizations from an SAP S/4HANA system for usage in SAP Datasphere. This approach is also valid when you want to integrate the authorizations from several source systems

The first step is to define how the authorization can be derived from the existing SAP S/4HANA authorizations. For this you need to define which authorization object(s) are relevant for your scenario.

Integrate authorization values

To integrate the authorization values and user assignments into SAP Datasphere we need to combine the following three objects from the source system:

    • role assignments (table AGR_USERS)
    • assigned authorization objects (table AGR_1251)
    • authorization values (table AGR_1252 as sales organization is an organizational level)

This can be achieved in a graphical view that uses joins to build a structure with the username and the corresponding authorization values:

Since authorization values can contain wildcards, we need to convert the wildcards into individual values as the Data Access Controls currently do not support wildcards.

For this we need to do two things:

    1. translate the "*" wildcards from the authorization values into "%" (as a calculated column in the view with the authorization values:
    2. also integrate the master data table for sales organizations (TVKO), which we build as a dimension view:

Combine, harmonize & enrich authorization values

Finally, we combined the two views with a join. To allow for the wildcards we need to use the LIKE predicate and apply all relevant filters (role, auth. object, field name, validity, …).
We do this in a scripted SQL view:

The result of this view gives a list of all users and the sales organizations they are currently authorized for:

And you can easily imagine that this approach can also be used to combine authorization data from several source systems by combining the authorization values and master data from those systems.

Create Data Access Control

Now we are ready to create the Data Access Control based on the scripted SQL view and sales organization column as data entity:

The identifier column must be set to the username and you are ready to go:

The Data Access Control is now ready and provides real-time authorizations from the source system.

Performance considerations

This approach is a real-time access to the S/4HANA system. And if you are worried about putting more load on your source system or the impact on the response times then you can of course also use the data replication functionality for remote tables offered in the Data Integration Monitor in SAP Datasphere.

Assigning Data Access Control

The final step is of course to assign the newly created Data Access Control to the relevant views. Relevant meaning all views that shall be protected via the authorizations for sales organization.

The SAP Datasphere help documentation contains a good example on how it is possible how the space concept can be used to ensure a segregation of application data from the authorizations if you wonder how this could be set up.


What have we achieved?

    1. Real-time integration of authorization vales fromSAP S/4HANA into SAP Datasphere
    2. Transformation of the authorization values into the format for Data Access Controls
    3. Translation of the wildcards into individual values
    4. Definition of a central Data Access Control that can be used to protect any sales organization related data

What does this mean for you? Hopefully I was able to demonstrate how a flexible authorization integration can be achieved and that you can use this approach in your SAP Datasphere projects.