11.3 Standard Authorization Objects
SAP BW/4HANA comes delivered with a set of standard authorization objects that control access to general SAP functionality, SAP HANA functionality, SAP BW/4HANA administration, and SAP BW/4HANA reporting objects. These objects can be divided into two types:
- Developer and administrator authorizations
- Reporting authorizations
We’ll discuss each in more detail in the following subsections.
11.3.1 Developer and Administrator Authorizations
Standard SAP BW/4HANA developer and administrator authorizations are available to limit access to creating and maintaining nonreporting objects in the system.
The SAP BW/4HANA standard authorization objects that control access to the administrator workbench and other administrator functionality are listed in Table 11.2.
Authorization Object | Description |
---|---|
BO_CA_CES | Content administration: BOE system definition |
BO_CA_JOB | Content administration: Operations on content-related jobs |
BO_CA_RPT | Content administration: Operations on reports |
RSANAUMMEN | Authorization for adv. analytics UMM entity |
RSHAAP | Authorization for SAP HANA analysis process |
RSHAOT | Authorization for SAP HANA analysis element type |
RSBPC_ID | Grant user access to an SAP BPC environment |
S_ADT_RES | Authorization object for ADT resource access. Authorization field URI must have value /sap/bw/modeling/*. Placeholder * is used for URI subfolders. |
S_RSEC | Infrastructure for analysis authorizations |
S_RS_ADMWB | Data Warehousing Workbench—objects |
S_RS_ADSO | Data Warehousing Workbench—Advanced DSO |
S_RS_ALVL | Planning: Aggregation level |
S_RS_B4H | Authorizations for executing programs RS_B4HANA_CHECK_ENABLE and RS_B4HANA_WHITELIST_MAINTAIN |
S_RS_CPRO | CompositeProvider (local and ad hoc) |
S_RS_CTT | Data Warehousing Workbench—currency translation type |
S_RS_DMOD | Data Warehousing Workbench—data flow |
S_RS_DS | Data Warehousing Workbench—DataSource |
S_RS_DTP | Data Warehousing Workbench—DTP |
S_RS_HCPR | Central CompositeProvider |
S_RS_HIER | Data Warehousing Workbench—hierarchy |
S_RS_HIST | Authorizations for TLOGO object history |
S_RS_IOBJA | Data Warehousing Workbench—InfoObject (InfoArea) |
S_RS_IOMAD | Data Warehousing Workbench—maintain master data |
S_RS_ISNEW | Data Warehousing Workbench—InfoSource |
S_RS_LOPD0 | LOPD: Customizing authorizations |
S_RS_ODSP_H | ODP: Extraction from SAP HANA |
S_RS_ODSV | Data Warehousing Workbench—Open ODS view |
S_RS_OHDST | Data Warehousing Workbench—Open hub destination |
S_RS_PC | Data Warehousing Workbench—process chains |
S_RS_PLENQ | Lock settings |
S_RS_PLSE | Planning function |
S_RS_PLSQ | Planning sequence |
S_RS_PLST | Planning function type |
S_RS_RSFC | Authorization for SAP demo content |
S_RS_RSTT | Authorization object for RS trace tool |
S_RS_SDATA | Authorization check for SAP BW scenario transfer tool |
S_RS_THJT | Data Warehousing Workbench—key date derivation type |
S_RS_TR | Data Warehousing Workbench—transformation |
S_RS_TRCS | Data Warehousing Workbench—InfoSource (InfoArea) |
S_RS_UOM | Data Warehousing Workbench—quantity conversion type |
S_RS_WSPAC | SAP BW workspace |
Table 11.2 Administration Authorization Objects
These authorization objects must be maintained and assigned to developers and administrators to grant them access to develop and administer the system.
Reporting end users require access to many of the administrator authorization objects for activities 03 (display), 16 (execute), and 22 (enter, include, and assign) to be able to access the data in the system when executing queries.
11.3.2 Reporting Authorizations
Standard SAP BW/4HANA authorization objects are available to limit access to reporting components such as queries, reports, and dashboards.
Table 11.3 lists reporting-related authorization objects.
Authorization Object | Description |
---|---|
S_RS_AO | Analysis Office: Authority object |
S_RS_AUTH | BI analysis authorizations in role |
S_RS_BEXTX | Business Explorer—BEx texts (maintenance) |
S_RS_BITM | Business Explorer—BEx reusable web items (SAP NetWeaver 7.0+) |
S_RS_BTMP | Business Explorer—BEx web templates (NW 7.0+) |
S_RS_COMP | Business Explorer—components |
S_RS_COMP1 | Business Explorer—components: Enhancements to the owner |
S_RS_EREL | Business Explorer—enterprise report reusable elements |
S_RS_ERPT | Business Explorer—enterprise reports |
S_RS_FOLD | Business Explorer—folder view on/off |
S_RS_PARAM | Business Explorer—variants in variable screen |
S_RS_TOOLS | Business Explorer—individual tools |
S_RS_XCLS | Frontend integration—Xcelsius visualization |
S_RS_ZEN | Design Studio: Authority object |
S_RS_ZEN_T | Design Studio: URIs accessible through HTTP tunnel via RFC |
Table 11.3 Reporting Authorization Objects
Developers and administrators also require access to these authorization objects to be able to execute queries and reports in the system and to troubleshoot problems reported by end users.
11.3.3 SAP HANA Authorizations
For certain functions in SAP BW/4HANA, you also need authorizations in SAP HANA. In the following sections, we’ll discuss the most relevant functions and their corresponding authorizations.
Generating SAP HANA Views
When creating objects in SAP BW/4HANA, you can generate SAP HANA views with the same structures during activation. This supports scenarios in which data modeled in SAP BW/4HANA is merged with data modeled in SAP HANA via SAP HANA tools (also referred to as mixed scenarios).
To be able to access SAP HANA views generated from SAP BW/4HANA, you need certain authorizations in SAP HANA and in SAP BW/4HANA. Various authorizations are provided for the administration of these objects.
Searching for Objects in SAP HANA
To perform searches with SAP HANA, the technical user requires certain system repository authorizations on the _SYS_REPO schema in SAP HANA. For security reasons, we recommend giving authorizations only for the tables required, not for the entire schema. To do this, use the following command:
GRANT SELECT ON sap<sid>.<table> TO _SYS_REPO WITH GRANT OPTION;
Here, <sid> represents the system ID of the SAP BW/4HANA system. Information about what to place in <table> is provided in Table 11.4.
Table Name | Table Name | Table Name |
---|---|---|
RSBOHDEST | RSDST | RSOSEGR |
RSBOHDESTT | RSDTIM | RSOSEGRLOC |
RSDAREA | RSDUNI | RSOSEGRT |
RSDAREAT | RSFBP | RSPLS_ALVL |
RSDBCHATRXXL | RSFBPFIELD | RSPLS_ALVLT |
RSDCHA | RSFBPSEMANTICS | RSQISET |
RSDCHABAS | RSFBPT | RSRREPDIR |
RSDCUBE | RSKSFIELDNEW | RSTRAN |
RSDFDMOD | RSKSNEW | RSTRANT |
RSDFDMODT | RSKSNEWT | RSWSPLREF |
RSDHAMAP | RSLPO | RSZCOMPIC |
RSDHAMAPT | RSLTIP | RSZCOMPDIR |
RSDIOBC | RSLTIPT | RSZELTDIR |
RSDIOBCIOBJ | RSLTIPXREF | RSZELTTXT |
RSDIOBJ | RSOADSO | RSZELTXREF |
RSDIOBJCMP | RSOADSOLOC | RSZGLOBV |
RSDIOBJT | RSOADSOT | RSZRANGE |
RSDKYF | RSOHCPR | RSZWOBJTXT |
RSDODSO | RSOHCPRT | RSZWVIEW |
RSDS | RSOOBJXREF | TADIR |
Table 11.4 Relevant SAP BW/4HANA Tables for Searching in SAP HANA
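The table-level grants recommended above can be generated and checked mechanically. The following Python code is an added example, not code from the book or from SAP: it emits one GRANT per required table in the form of the command above and audits an export of _SYS_REPO's privileges for a schema-wide SELECT, missing tables, and tables outside the list. The system ID BW4, the row layout (modeled on the SAP HANA GRANTED_PRIVILEGES system view), and the sample rows are assumptions constructed for illustration.

```python
import re

SID_RE = re.compile(r"[A-Z][A-Z0-9]{2}")        # assumed: three-character system ID
TABLE_RE = re.compile(r"[A-Z][A-Z0-9_]{0,29}")  # plain identifiers only, nothing to quote

def build_grants(sid, tables):
    """Return one table-level GRANT per table, in the form of the command above."""
    sid = sid.upper()
    if not SID_RE.fullmatch(sid):
        raise ValueError(f"unexpected system ID: {sid!r}")
    stmts = []
    for t in sorted(set(tables)):
        # Reject anything that is not a bare table name before it reaches SQL text.
        if not TABLE_RE.fullmatch(t):
            raise ValueError(f"refusing to emit SQL for table name {t!r}")
        stmts.append(f"GRANT SELECT ON SAP{sid}.{t} TO _SYS_REPO WITH GRANT OPTION;")
    return stmts

def audit(sid, required, rows):
    """Compare _SYS_REPO's SELECT privileges on SAP<SID> with the required tables."""
    schema = f"SAP{sid.upper()}"
    mine = [r for r in rows if r["SCHEMA_NAME"] == schema and r["PRIVILEGE"] == "SELECT"]
    granted = {r["OBJECT_NAME"] for r in mine if r["OBJECT_TYPE"] == "TABLE"}
    return {
        # A SELECT on the whole schema is what the recommendation above avoids.
        "schema_wide": any(r["OBJECT_TYPE"] == "SCHEMA" for r in mine),
        "missing": sorted(set(required) - granted),
        "unexpected": sorted(granted - set(required)),
    }

# A few names from Table 11.4; pass the full list in practice.
REQUIRED = ["RSDCUBE", "RSOADSO", "RSTRAN", "TADIR"]

# Constructed sample rows, shaped like an export of privileges held by _SYS_REPO.
SAMPLE_ROWS = [
    {"SCHEMA_NAME": "SAPBW4", "OBJECT_TYPE": "SCHEMA", "OBJECT_NAME": None, "PRIVILEGE": "SELECT"},
    {"SCHEMA_NAME": "SAPBW4", "OBJECT_TYPE": "TABLE", "OBJECT_NAME": "RSDCUBE", "PRIVILEGE": "SELECT"},
    {"SCHEMA_NAME": "SAPBW4", "OBJECT_TYPE": "TABLE", "OBJECT_NAME": "USR02", "PRIVILEGE": "SELECT"},
    {"SCHEMA_NAME": "SAPBW4", "OBJECT_TYPE": "TABLE", "OBJECT_NAME": "TADIR", "PRIVILEGE": "INSERT"},
]

if __name__ == "__main__":
    report = audit("BW4", REQUIRED, SAMPLE_ROWS)
    print(report)
    for stmt in build_grants("BW4", report["missing"]):
        print(stmt)
```

In the sample data the audit reports the schema-wide SELECT, three required tables without a table-level grant, and one granted table (USR02) that is not in the required list.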
To be able to work with SAP HANA analysis processes, you need certain authorizations in SAP HANA and in SAP BW/4HANA. In the following subsections, we’ll cover the additional authorizations and privileges you will need to work with NLS, SDA, and the Eclipse-based modeling tools.
Near-Line Storage with SAP IQ
For NLS with SAP IQ, you need the following authorization in SAP HANA:
- System privilege: CREATE REMOTE SOURCE
If the remote source isn’t created with the SAP<SID> user but with a different database user instead, then this database user must assign the corresponding object authorizations to the SAP<SID> user:
- Object privilege: CREATE VIRTUAL TABLE on VIRTUAL_TABLES (SYS)
- Object privilege: DROP on VIRTUAL_TABLES (SYS)
Authorizations for SAP HANA Smart Data Access
If you use SDA, remote data is accessed from the system with the database user used to connect the system to the SAP HANA database. When you created a remote source in SAP HANA, you specified a user for the connection to the source database. SAP HANA passes SQL statements to this user. Make sure that this user has sufficient authorizations in the relevant schemas and tables in the source database.
Authorizations for Modeling with the Eclipse-Based Modeling Tools
When working with SAP BW/4HANA modeling tools, you can only see or open objects for which you have at least display authorization. The same checks are performed for actions on objects in the modeling tools as for actions in the backend system or in the query. We therefore recommend the following role template for users who work with the modeling tools: S_RS_RDEMO.
If the authorization object has a subobject field defined for an object type (TLOGO), the user needs to have authorization *, or at least Definition, to see the object in the Project Explorer tree. In particular, modelers need authorizations that are specified in authorization objects S_RS_HCPR, S_RS_ODSV, and S_ADT_RES, as shown in Table 11.2.
In the modeling tools, a BW project represents a user-specific view of the SAP BW/4HANA metadata objects of the backend systems (SAP BW/4HANA).
Like all projects in Eclipse, BW projects also have a local representation of their data on the frontend and are managed in a workspace. If you have a BW project, there will therefore be local copies of the SAP BW/4HANA metadata objects on the frontend. This means that it’s possible to access metadata located outside the SAP repository at the local file system level.
Warning
SAP BW/4HANA metadata objects can be found by third parties.
To protect local project resources, we recommend creating workspace folders to store project resources locally, which will prevent third parties from accessing the resources. Use existing security measures available at the OS level.
Note
Files stored under Windows in the personal substructure of a user can only be accessed by that user or by local administrators.
Tip
We especially recommend using the default workspace that was created when your IDE was installed.