Friday, March 8, 2013

Difference in SAP authorization: what is a role and what is a profile?

Authorization is a synonym for authorization object. An authorization object is an element of the authorization system. It contains various fields (up to 10) which are checked at runtime. To pass the authorization check, every field contained in the object must be checked successfully.

Example of a BW authorization object: Business Explorer - Components [S_RS_COMP] has the following fields:

1. Activity (ACTVT) has the following values, which grant access to:
01      Create or generate
02      Change
03      Display
06      Delete
16      Execute
22      Enter, Include, Assign

2. InfoArea (RSINFOAREA) grants access to particular InfoAreas created in BW (e.g. Finance, Purchasing, etc.).

3. InfoCube (RSINFOCUBE) grants access to particular InfoCubes created in BW (e.g. 0QM_C04 Business Content InfoCube Inspection Results: General Data).

4. Name (ID) of a reporting component (RSZCOMPID) grants access to the components of BW reports, e.g. BEx query names.

5. Type of a reporting component (RSZCOMPTP) grants access to different BW reporting components:
CKF    Calculated key figure
QVW   Query View
REP     Query
RKF    Restricted key figure
SOB    Selection object
STR    Template structure
VAR    Variable

Note that there are many other BW authorization objects, e.g.:
S_RS_COMP1 - Business Explorer - Components: Enhanced to the Owner
S_RS_FOLD - Business Explorer - Folder View On/Off
S_RS_HIER - Data Warehousing Workbench - Hierarchy
S_RS_ICUBE - Data Warehousing Workbench - InfoCube
S_RS_MPRO - Data Warehousing Workbench - MultiProvider
S_RS_ODSO - Data Warehousing Workbench - DataStore Object
S_RS_PARAM - Business Explorer - Variants in Variable Screen
S_RS_TR - Data Warehousing Workbench – Transformation
S_RS_WSPAC - BW Workspace
S_RS_XCLS - Front-end Integration - Xcelsius Visualization
S_RS_LPOA - Data Warehousing Workbench - Semantically Partitioned Object
S_RS_ISRCM - Data Warehousing Workbench - InfoSource (Direct Update)
S_RS_HIST - Authorizations for TLOGO Object History
S_RS_HYBR - Data Warehousing Workbench - HybridProvider
S_RS_IOMAD - Data Warehousing Workbench  - Maintain Master Data
S_RS_ISOUR - Data Warehousing Workbench - InfoSource (Flexible Update)
R_STS_CUST - Planning: Customizing for Status and Tracking
S_RS_ADMWB - Data Warehousing Workbench - Objects
S_RS_AINX - Analytic Index
S_RS_AUTH - BI Analysis Authorizations in Role
S_RS_CPRO - Authorization Object for BW Composite Provider
S_RS_DTP - Data Warehousing Workbench - Data Transfer Process

A profile represents a grouping of authorizations (max 150 authorizations in one profile). BW applications are usually complex, comprising many objects that are linked and work together. Profiles are used to group the authorizations for these objects.

Finally we come to the role. A role represents a container of profiles, which makes it easier to track authorization requirements. A role also overcomes the limit of a profile, which can hold only 150 authorizations.

Also note that classic SAP transaction codes (TA or T-codes) are not assigned directly to users. You need to assign them to roles. The role is then assigned to the user (TA SU01), and this automatically populates the profile assignment. That's why we see both tabs in SU01: the Role tab along with the Profile tab.
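
The following Python sketch is an added example, not SAP code and not part of the original post. It is a simplified model of the S_RS_COMP field check and of a role spreading its authorizations over profiles of at most 150. It relies on two standard SAP behaviours the post does not mention: the value `*` allows any value, and all fields must pass within one single authorization. The role content, the InfoArea FINANCE, the query name ZQ_DEMO and the ZCUBE_nnn InfoCubes are constructed sample values.

```python
from dataclasses import dataclass

PROFILE_LIMIT = 150  # maximum authorizations per profile, as stated in the post

@dataclass
class Authorization:
    obj: str      # authorization object name, e.g. "S_RS_COMP"
    fields: dict  # field name -> set of allowed values; "*" allows any value

def authorization_passes(auth, obj, requested):
    """All requested fields must pass inside ONE authorization of the object."""
    return auth.obj == obj and all(
        "*" in auth.fields.get(name, set()) or value in auth.fields.get(name, set())
        for name, value in requested.items())

def build_profiles(role_authorizations):
    """A role spreads its authorizations over profiles of at most 150 each."""
    return [role_authorizations[i:i + PROFILE_LIMIT]
            for i in range(0, len(role_authorizations), PROFILE_LIMIT)]

def authority_check(profiles, obj, requested):
    """The user passes if any authorization in any assigned profile passes."""
    return any(authorization_passes(auth, obj, requested)
               for profile in profiles for auth in profile)

def comp(actvt, comptp, cube="0QM_C04"):
    """Helper: one S_RS_COMP authorization (all values here are constructed)."""
    return Authorization("S_RS_COMP", {
        "ACTVT": set(actvt), "RSINFOAREA": {"*"}, "RSINFOCUBE": {cube},
        "RSZCOMPTP": set(comptp), "RSZCOMPID": {"*"}})

def request(actvt, comptp, cube="0QM_C04"):
    """Helper: the field values an application would ask to have checked."""
    return {"ACTVT": actvt, "RSINFOAREA": "FINANCE", "RSINFOCUBE": cube,
            "RSZCOMPTP": comptp, "RSZCOMPID": "ZQ_DEMO"}

# Constructed role: display/execute queries, change variables, plus 300 filler
# authorizations for made-up InfoCubes so the role no longer fits one profile.
ROLE = [comp({"03", "16"}, {"REP"}), comp({"02"}, {"VAR"})]
ROLE += [comp({"03"}, {"REP"}, cube=f"ZCUBE_{n:03d}") for n in range(300)]
PROFILES = build_profiles(ROLE)

if __name__ == "__main__":
    print("profile sizes:", [len(p) for p in PROFILES])
    for actvt, comptp in [("03", "REP"), ("02", "VAR"), ("02", "REP"), ("06", "REP")]:
        allowed = authority_check(PROFILES, "S_RS_COMP", request(actvt, comptp))
        print(f"ACTVT={actvt} RSZCOMPTP={comptp} ->", "pass" if allowed else "fail")
```

Changing a query (ACTVT 02 with type REP) fails even though the role contains both values, because they sit in two different authorizations and the check never mixes fields across authorizations.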
