Administrator Workbench – RSA1
In the present article, we will explore some of the common transactions/tools used in SAP BW. By no means is this a comprehensive list but the transactions referred to here are certainly among the more common ones and needed almost on a daily basis. We have already mentioned that BW security is different from ECC as the security requirements in an OLAP environment are significantly different from an OLTP system. However other than the reporting transactions which use the OLAP security model, SAP BW also contains a huge number of transactions, typically dealing with administration of the BW system or SAP Basis, which continue to use the conventional authorization model using authorization model.
We start our discussion by looking at the BW Administrator Workbench (transaction RSA1) – The administrator workbench is the central cockpit used for the administration of almost the entire BW system. As shown below, the RSA1 main screen can be divided into three general areas. The extreme left area, allows us to chose BW modelling components like Infoproviders, InfoObjects, InfoSources and DataSources. All of these components form part of the ETL (extraction, transformation and loading) concepts in SAP BW. Choosing any of the components, opens a view with a list of objects of the said type in the middle portion of the RSA1 screen. For example, if the component InfoProviders has been chosen, the main screen area shows a list of InfoProviders built in the specific BW installation. Individual BW components represented by different icons, the double diamonds being InfoAreas, the cubes being InfoCubes and the cylinders being Operational Data Store (ODS) objects. InfoAreas are not InfoProviders themselves but help to group similar InfoCubes under them. Other than InfoCubes, ODS objects, Multicubes and Infosets are other types of InfoProviders which can be encountered.
Right-clicking on an InfoProvider/InfoArea opens up a context menu which allows us to carry out different operations on the said object. For example we can create a new InfoProvider or change/display an existing one. The details of the chosen InfoProvider is now displayed in the right-most portion of the screen.
An InfoCube in general is made up of a number of information units called InfoObjects. These store data about the objects that are reported on. We can display a list of infoobjects defined in the system by choosing the InfoObjects option from the left hand screen as shown below. A right click on an individual InfoObject and following the options in the context menu allows us to display/change details for an InfoObject. InfoObjects can be of two types, Characteristics and Keyfigures. For example an InfoCube which stores sales data will store data about Customers. In this case, Customer is an characterististic which is part of the sales cube. Monthly unit of sales or similar data will be a keyfigure. As we can appreciate, Characteristic and Keyfigures store different kinds of data. They appear differently in reports and are secured through means. From the security standpoint, the fact whether we can selectively control access to an InfoObject is controlled by the contents of the Authorization Relevant flag in the explorer tab for an InfoObject. In the screen below, InfoObject 0COSTCENTER is marked as authorization relevant.
InfoObjects in turn can also have their own attributes. Following the earlier example, the InfoObject Customer would have attributes like Customer Address, Bank Details, Tax number etc. The following screen shows the the attributes of InfoObject 0COSTCENTER. We can observe that the attributes can be two types, Display attributes (DIS) and Navigational Attributes (NAV).Security for a navigational attribute can be enabled by switching on the authorization relevant flag shown in the screen below. The latest version of BW (BI 7) allows Navigational Attributes to be secured differently from the base InfoObject. Thus BI 7 can allow different security for InfoObject 0COMP_CODE and the navigational attribute 0COSTCENTER_0COMP_CODE depending on requirements.
Hi Aninda,
First of all many thanks for providing help the people like me and many thanks for your effort.
Can you please provide me more idea (information) about Navigation Attributes and how we restrict these Navigational Attributes with a Business (real time) example.
Thanks and Regards
Kasi
Hi Kasi,
In BI 7, you secure navigational attributes in the same way as you would secure any other characteristics. Whether a characteristic is added to a cube as navigational or as a base characteristic is totally dependent on the BW developer and the reporting requirements. The navigational attributes are distinguished by a underscore (_) between the name of the base characteristic and the attribute. (ex 0COSTCENTER_0COMPANY_CODE). Once you have the list of navigational attributes from the BW developer, just add them to your analysis authorizations as you would any other characteristic.
Regards,
Aninda
Hi Aninda,
It seems the following statement in above discussion is not complete. Kindly review & update it if correct.
“The latest version of BW (BI 7) allows Navigational Attributes to be secured differently from the base InfoObject by —– ”
Regards,
Venkata
Also I think the infoobject name in the following statement should be 0COSTCENTER instead of 0COMP_CODE
“Thus BI 7 can allow different security for InfoObject 0COMP_CODE and the navigational attribute 0COMP_CODE”
let me know if I am wrong.
It really doesn’t matter what is the exact name of the auth object that I mention in the article as these are strictly examples. I might be using a using a completely a different set of infoobjects from you in my installation.
Thanks for pointing out. I have now updated the article.
When we can use copy roles?
When you want to copy the authorizations maintained in a role to a new role name?
Hi Aninda,
First of all many thanks for your work.
I understood that a characteristic can be both base and navigational for a Cube.
If one IOBJ 0COMPANY_CODE is a base and used as nav as 0COSTCENTER_0COMPANY_CODE.
can you please let me know how the reporting affects if we restrict authorizations to certain company code in base and nav.
I.e 1) If i give ‘*’ in base and some restriction in nav
2) If i give some restrictions in base and ‘*’ in nav.
Am new to BW security, sorry if my question doesn’t make sense.
Hi Jai,
Both the base characteristic and the navigational attribute of 0COMPANY_CODE will hold essentially the same data in the data warehouse and should be restricted to the same authorization values. I can only accept giving different security values, if the data sources contains different values. You can check with your data loading team if your BW design fits such a scenario
Regards,
Aninda
Hi Aninda,
Even i got a similar reply from my colleague. However if both base and nav gonna have same authorisation values, then what’s the significane in making nav as authorisation relevant?
Kind regards,
Jaisuryan
In some design scenarios your proposal might work and even lead to less maintenance. Now, think about a scenario where you maintain 0COMP_CODE with values : (colon) and the actual company code values. The navigational attribute for company code is not auth relevant. You will be able to run your queries with any value of company code and defeat any security restriction for company code thats in place.
So if i maintain 0comp_code as : with actual company codes and the nav 0COSTCENTER_0COMP_CODE with few company codes, the user will be able to see data only for company codes mentioned in nav?
Yes, as long as 0COMP_CODE is in free characteristics for the query.
Hi aninda,
can u tell me what is the main purpose of attribute tab in RSD1?
Like the name suggests, the attributes tab list the attributes for an InfoObject. Attributes can be of two types – display attributes and navigational attributes. The navigational attributes of an InfoObject can be auth relevant and this is set in this screen.
How are RSA1 and RSD1 different? What exactly can we do in RSD1?
RSD1 is used to maintain InfoObjects while RSA1 is the Admin Workbench can be used to administer the entire data model (including InfoObjects). Thanks