Thursday, January 30, 2020

Authorization relevant t-codes in SAP BW

Here’s a brief overview of BW authorization / security relevant t-codes.

Transaction Code    Short text
RSECADMIN           Manage Analysis Authorizations
RSECAUTH            Maintenance of Analysis Auth.
RSECAUTH02          Mass Maintenance - Analysis Auths
RSECENVI            Assignment Environment Authorization
RSECPROT            Maintenance of Analysis Auth.
RSECSY              Mass Maintenance - Analysis Auths
RSU01               User Maint. BI Analysis Auth.
RSUDO               Execution as Other User
RSUDU               Execution as Other User

More information:
2182164 - RSECADMIN Overview [VIDEO]
1234567 - The authorization log RSECADMIN
2552884 - HowTo: Bex query authorization analysis - decision tree
177875 - Authorizations for investigation of OLAP problems
2044628 - How to record and save an OLAP authorization trace using transaction RSECADMIN

Wednesday, January 29, 2020

Few remarks on usage of RSUDO / RSECADMIN t-codes

The suite of t-codes such as RSECADMIN (the central t-code for Analysis Authorization management) and RSUDO (Execution as Other User) is very important when analyzing issues with production queries. A particularly important feature is RSUDO (by the way, a very smart name for the t-code, similar to the OS level: execute something on behalf of another user), which simply executes a BW report on behalf of another user.

Normally we would expect that when user A executes a particular query on behalf of another user (let’s say user B), the query result is the same as when user B executes the same query directly.

However, such an assumption might be wrong. In particular, it can be wrong in cases where a customer exit variable is used in the query definition or in the user's authorization definition. Another case is when the system variable sy-uname is used in the customer exit variable coding.

The reason is that the value of sy-uname can’t be converted when one user executes the query on behalf of another. The system cannot change the sy-uname variable. Thus sy-uname holds the value A for user A and the value B for user B.

One solution to avoid such a situation is to avoid using sy-uname in the customer exit coding. This can be done at least for cases where the variable is used in the query definition or in the user's authorization definition. By calling function module RSEC_GET_USERNAME in the coding, the proper user name (the one whose analysis authorizations should be evaluated) can be retrieved.
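The following customer exit sketch is an added example, not code from the original post or from SAP. It shows an authorization variable that resolves the user through RSEC_GET_USERNAME instead of sy-uname. The variable name ZCX_AUTH_CC and the mapping table ZBW_USER_CC (fields UNAME, COSTCENTER) are hypothetical, and the parameter name E_USERNAME is an assumption to confirm in SE37 on your release.

```abap
* Include ZXRSRU01 (function exit EXIT_SAPLRRS0_001, enhancement RSR00001).
* Hypothetical objects: variable ZCX_AUTH_CC, table ZBW_USER_CC
* with fields UNAME and COSTCENTER.
DATA: l_uname   TYPE xubname,
      l_s_range TYPE rrrangesid,
      l_t_cc    TYPE STANDARD TABLE OF zbw_user_cc,
      l_s_cc    TYPE zbw_user_cc.

CASE i_vnam.
  WHEN 'ZCX_AUTH_CC'.
*   Variables used in analysis authorizations are processed with I_STEP = 0.
    IF i_step = 0.
*     Before:  l_uname = sy-uname.
*     When user A runs the query as user B (RSUDO / "Execute as User"),
*     sy-uname still contains A, so the exit would return A's values
*     while B's authorization is being evaluated.
*     After: ask the authorization framework for the user to evaluate.
*     (Parameter name E_USERNAME is an assumption; check it in SE37.)
      CALL FUNCTION 'RSEC_GET_USERNAME'
        IMPORTING
          e_username = l_uname.

*     Read the values this user is allowed to see.
      SELECT * FROM zbw_user_cc INTO TABLE l_t_cc
        WHERE uname = l_uname.

*     Return one single-value range entry per allowed cost center.
      LOOP AT l_t_cc INTO l_s_cc.
        CLEAR l_s_range.
        l_s_range-sign = 'I'.
        l_s_range-opt  = 'EQ'.
        l_s_range-low  = l_s_cc-costcenter.
        APPEND l_s_range TO e_t_range.
      ENDLOOP.
    ENDIF.
ENDCASE.
```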

See also the help pop-up in t-code RSUDO, available under the button “How does this work”.

More information:

1914703 - Transaction RSECADMIN "Execute as User" has different BW query result compared to direct BW query execution result by this user