In SAP NetWeaver BW release 7.3 a new Analysis Authorizations BAdI was introduced: BAdI RSEC_VIRTUAL_AUTH_BADI as part of Enhancement Spot RSEC_VIRTUAL_AUTH. The authorized values or hierarchy nodes can be determined dynamically during query runtime. It does not require any Analysis Authorization objects and PFCG Roles. Virtual Authorizations can be used to enhance any existing “classic” authorization model. I.e. you do not have to make an exclusive choice for one or the other, both classic and virtual can be used simultaneously and complementary.

I would like to share my implementation experience with virtual Profit Center and Cost Center authorizations. This introductory blog will discuss the rationale, a comparison between classic and virtual authorizations, and the different call scenarios for which the BAdI is processed.

On a short notice I will publish a second blog with the solution details and a document with implementation details.

Rationale

The main problem with a classic authorization concept is that it is less flexible in situations with a big user population, many authorization objects/roles and frequent changes. E.g. organizational changes effecting large parts of the organization and ongoing roll-outs with big increments in the user population.

Classic use cases for a more flexible and dynamic approach are Profit Center and Cost Center authorizations. Often we have to deal with hierarchy authorizations as well as value authorizations. There might exist multiple hierarchies which have to be authorized on many hierarchy nodes. The number of required authorization objects and roles is likely to become high.

As a consequence, TCD (Total Cost of Development) as well as TCO (Total Cost of Ownership) is likely to become too high.

Classic versus Virtual Authorizations

Before diving into the Virtual Authorizations, Iet’s try to compare the classic model with the virtual model.

Figure 1: Evaluation Matrix

The biggest draw-back of the classic model pops up in the efficiency with a big user population in combination with many authorization objects and roles. Here the virtual model shows its added value.

On the other hand, the virtual model is less transparent and clear compared to the classic model. Also in the area of compliance we do not have the out-of-the-box functionality compared to the classic model.

Different Call Scenarios

During query run-time the BAdI is called multiple times. This might be a bit confusing in the beginning when you start working with the BAdI. There are 3 call scenarios:

• Call scenario 1: InfoProvider-independent or cross-InfoProvider authorizations;
• Call scenario 2: InfoProvider specific authorizations ;
• Call scenario 3: Documents protected with authorizations.

Call scenario 1: InfoProvider-independent or cross-InfoProvider authorizations

Scenario 1 can be called multiple times. Importing Parameter I_IOBJNM is not initial and Importing Parameter I_INFOPROV is initial. Importing Parameter I_T_ATR might be filled with authorization-relevant Attributes of the respective Characteristic, if any.

In this call scenario the following authorization is processed:

• Authorization-relevant InfoObjects; e.g. I_IOBJNM = '0PROFIT_CTR';
• Authorization-relevant Attributes; e.g. I_IOBJNM = '0WBS_ELEMT' and I_T_ATR with ATTRINM = '0PROFIT_CTR' *);
• Authorization-relevant Navigational Attributes; e.g. I_IOBJNM = '0WBS_ELEMT__0PROFIT_CTR'.

*) Display Attributes need full authorization; see also SAP Note 1951019 - Navigation Attribute and Display Attribute for BW Analysis Authorization.

Call scenario 2: InfoProvider-specific authorizations

Scenario 2 will be called once only. Importing Parameter I_IOBJNM is initial and Importing Parameter I_INFOPROV is not initial. You can determine the authorization-relevant InfoObjects using Function Module RSEC_GET_AUTHREL_INFOOBJECTS.

In this call scenario the following authorization is processed:

• Authorization-relevant InfoObjects; e.g. I_IOBJNM = '0PROFIT_CTR';
• Authorization-relevant Navigational Attributes; e.g. I_IOBJNM = '0WBS_ELEMT__0PROFIT_CTR'.

Call scenario 3: Documents protected with authorizations

I did not experiment with scenario 3 yet. It can be called in the context of documents which are protected with authorizations. In this case, both Importing Parameter I_IOBJNM and Importing Parameter I_INFOPROV are initial.

Conclusion

In this introductory blog we discussed the rationale of virtual authorizations, a comparison between classic and virtual authorizations, and the different call scenarios for which the BAdI is processed.

On a short notice I will publish a second blog with the solution details and a document with implementation details.