11.5 Roles
SAP BW/4HANA uses SAP NetWeaver role-based authorizations. All users are defined with one or more roles assigned.
It’s possible to combine roles into composite roles—a combination of one or more roles—for easier maintenance of users and roles. However, you should define a role-based security model with as few composite roles as possible to minimize support costs and make it easier for users to request access. You can create both basic and composite roles via Transaction PFCG, which is used for role maintenance, as shown in Figure 11.5.
Figure 11.5 Role Maintenance/Display via Transaction PFCG
Analysis authorizations are assigned to roles using authorization object S_RS_AUTH with the assigned value of the defined analysis authorization.
Note
The combined authorizations for the roles assigned to a user are evaluated when authorization checks are executed.
In this section, we’ll cover the different role types in SAP BW/4HANA for administrators and end users. We’ll conclude with a discussion of the most useful role templates provided by SAP.
11.5.1 Administrator Roles
Administrator roles are required to support the SAP BW/4HANA system. These roles are normally granted to members of the support organization and vary by system in the landscape.
Table 11.5 shows the roles that are regarded as best practices in an SAP BW/4HANA system landscape.
Development System | Test System | Production System |
---|---|---|
Developer | Production developer | Production developer |
Development support | Production support | Production support |
Change and transport manager | Change and transport manager | Change and transport manager |
SAP Basis support—development | SAP Basis support—production | SAP Basis support—production |
Table 11.5 Recommended Administrator Roles by System in Landscape
SAP does provide some template roles that can be used as a starting point for defining support roles, but these roles have extensive access to SAP Basis administration tasks. Therefore, you should modify them to reduce the risk of giving too many people access to change system settings.
11.5.2 End User Roles
There are three general types of end users in an SAP BW system, as follows:
- Authors and analysts
  Authors and analysts require advanced analysis functionality and the ability to perform special data analysis. To accomplish their tasks, they need useful, manageable reporting and analysis tools.
- Executives and knowledge workers
  Executives and knowledge workers require personalized, context-related information provided in an intuitive UI. They generally work with predefined navigation paths but sometimes need to perform deeper data analysis.
- Information consumers
  Information consumers require specific information (snapshots of specific data sets) to be able to perform their operative tasks.
End users’ roles should be defined to give access to reporting functionality and reports. We recommend that you limit the number of roles created in the system as much as possible to make maintenance easier and avoid confusion when end users request access to reports.
You should decide on end user roles based on three dimensions, as follows:
- Business process
- Business function
- Business role
Each of these could lead to a different number of technical roles to be defined in the system. Try to choose the method that best suits your organizational setup. An additional dimension for end user roles is access to business information. This access is controlled via analysis authorizations.
We recommend that you assign analysis authorizations via roles if there are fewer than one hundred roles to be maintained. If there are more than one hundred roles, you should maintain access via user assignment in Transaction RSECADMIN by generating the analysis authorizations, as described in Section 11.4.3.
In addition to the end user roles that allow for executing the reports, you can also have a role for super users that allows such users to create ad hoc queries and reports directly in production. This role should allow users to create the objects with a specific name prefix and be limited to that exact prefix. It shouldn’t provide access to create global, calculated, and restricted key figures and structures.
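The super-user rule above can be checked mechanically against a role's authorization values. The following is an added example, not code from the book or from SAP; it assumes the query-component authorization object S_RS_COMP with fields RSZCOMPTP, RSZCOMPID and ACTVT (none of which are named in this section), and the row layout, role names and prefix ZSU_ are constructed for illustration.

```python
from collections import defaultdict
from fnmatch import fnmatchcase

# Assumed, not from this section: object S_RS_COMP with fields RSZCOMPTP
# (component type), RSZCOMPID (component name), ACTVT (01 = create).
RESERVED_TYPES = ("CKF", "RKF", "STR")  # calc./restricted key figures, structures
CREATE = "01"

def covers(patterns, target):
    """True if any SAP-style value pattern ('*' wildcard) matches target."""
    return any(fnmatchcase(target, p) for p in patterns)

def audit_super_user_role(rows, prefix):
    """rows: (role, object, auth_instance, field, value) tuples.
    Returns sorted (role, auth_instance, finding) tuples."""
    instances = defaultdict(lambda: defaultdict(set))
    for role, obj, auth, field, value in rows:
        if obj == "S_RS_COMP":
            instances[(role, auth)][field].add(value)
    findings = []
    for (role, auth), fields in instances.items():
        if not covers(fields["ACTVT"], CREATE):
            continue  # instance without create: outside the rule being checked
        for ctype in RESERVED_TYPES:
            if covers(fields["RSZCOMPTP"], ctype):
                findings.append((role, auth, f"create allowed for {ctype}"))
        for name in fields["RSZCOMPID"]:
            if not name.startswith(prefix):
                findings.append((role, auth, f"name pattern {name!r} wider than {prefix}*"))
    return sorted(findings)

# Constructed sample rows for two hypothetical roles.
SAMPLE = [
    ("ZBW_SUPER_OK", "S_RS_COMP", "A1", "ACTVT", "01"),
    ("ZBW_SUPER_OK", "S_RS_COMP", "A1", "ACTVT", "02"),
    ("ZBW_SUPER_OK", "S_RS_COMP", "A1", "RSZCOMPTP", "REP"),
    ("ZBW_SUPER_OK", "S_RS_COMP", "A1", "RSZCOMPID", "ZSU_*"),
    ("ZBW_SUPER_OK", "S_RS_COMP", "A2", "ACTVT", "03"),   # display-only instance
    ("ZBW_SUPER_OK", "S_RS_COMP", "A2", "RSZCOMPTP", "*"),
    ("ZBW_SUPER_OK", "S_RS_COMP", "A2", "RSZCOMPID", "*"),
    ("ZBW_SUPER_WIDE", "S_RS_COMP", "A1", "ACTVT", "*"),
    ("ZBW_SUPER_WIDE", "S_RS_COMP", "A1", "RSZCOMPTP", "REP"),
    ("ZBW_SUPER_WIDE", "S_RS_COMP", "A1", "RSZCOMPTP", "CKF"),
    ("ZBW_SUPER_WIDE", "S_RS_COMP", "A1", "RSZCOMPID", "Z*"),
]

if __name__ == "__main__":
    for finding in audit_super_user_role(SAMPLE, "ZSU_"):
        print(finding)
```

Fields are evaluated per authorization instance, so a display-only instance with wildcard names does not trigger a finding. Value ranges (a from/to pair in one field) are not modelled; list each value as its own row.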
11.5.3 Role Templates
SAP delivers a set of standard role templates. The templates for SAP BW/4HANA user roles start with S_RS_R (except for the roles for SAP Business Planning and Consolidation (SAP BPC), which start with S_RS_PL). The templates for SAP BW/4HANA workspace user roles start with S_RS_T.
Use the template roles when creating new roles to quickly add all the authorizations from the template into the profile for the new role.
Table 11.6 describes the most useful role templates and the tasks they facilitate.
Technical Name of Template | Description | Tasks |
---|---|---|
S_RS_RDEAD | SAP BW/4HANA role: SAP BW administrator (development system) | |
S_RS_ROPAD | SAP BW/4HANA role: SAP BW administrator (productive system) | |
S_RS_RDEMO | SAP BW/4HANA role: Modeler (development system) | |
S_RS_ROPOP | SAP BW/4HANA role: Operator (productive system) | |
S_RS_RREDE | SAP BW/4HANA role: Reporting developer (development system) | |
S_RS_RREPU | SAP BW/4HANA role: Reporting user | |
S_RS_PL_PLANMOD_D | SAP BW/4HANA role: Planning modeler (development system) | |
S_RS_PL_ADMIN | SAP BW/4HANA role: Planning administrator | |
S_RS_PL_PLANNER | SAP BW/4HANA role: Planner | |
S_RS_TWSPA | SAP BW/4HANA workspace administrator | |
S_RS_TWSPD | SAP BW/4HANA workspace designer | |
S_RS_TWSPQ | SAP BW/4HANA workspace query user | |
Table 11.6 Role Templates Delivered in SAP BW/4HANA
A full list of role templates can be accessed in Transaction PFCG via the menu option Utilities • Templates, as shown in Figure 11.6. It’s also possible to define new templates from this same screen.
Figure 11.6 Role Templates in the System
Using template roles provides a quick start for defining the roles required in the SAP BW/4HANA system. Of course, you can expect some modification to authorizations from the standard templates when defining the roles that will be assigned to the users in the system via user administration.