Catalog of roles and authorization objects used for each BW application :
Link to the Google doc :
Old file managed by SoonAik WEE :
https://drive.google.com/file/d/1ibLr8rVvsplr8UX49hVH0Rx-m3Ko5YNK9IOQfTJ-F2M/view
WBP Security Matrix
Link to the matrix :
Link for the documentation :
https://drive.google.com/file/d/15JsFlJ9IGwiDJXjuMIpIAeJprKyT0Gb4MTVB-cjf7MU/view
How to check user authorization
First, you need to know:
How to troubleshoot authorizations
After the BW upgrade, the way authorizations are handled has changed a lot.
The DSO DPBWAU01 will no longer be used.
Instead, the security team changes authorizations directly in the roles (for companies, plants, families, etc.).
Three kinds of roles are used to control authorizations:
- Role menus
- Application menus
- Perimeter menus
How to find all existing roles
1. Go to TCode PFCG
2. Select role "ZR_RCS_ALL_MENU" and click on the glasses (display) icon
3. In the "Roles" tab, see all existing roles
Or use the authorization matrix to see which ones are still active (topic BW Catalog of roles and authorization objects used for each BW application)
How to find a role based on a query name
If the user already knows the query (e.g. BW_QRY_MVCOPA01_0004) and you want to find a role that gives the user access to it, you can:
1. Run SE16 on table /BIC/ADBAUTH0400 (active table of DSO DBAUTH04)
Enter selection
You will get
How to find the user's roles
1. Go to TCode SU01
2. Choose the user and click on the glasses (display) icon
3. Go to the "Roles" tab and see the roles authorized for this user
Issues Role menu
Description :
The user can't see a role menu containing queries or workbooks
Solution :
1. Find the menu roles authorized for this user (ending with Mxx)
2. Compare with the list of all existing menu roles
3. Find the missing role and ask the security team to add it to the user's authorizations.
Issues Application menu
Description :
The user can see a query in a role, but can't execute it.
Solution :
1. Find the application roles authorized for this user (ending with Axx)
2. Compare with the list of all existing application roles
3. Find the missing role and ask the security team to add it to the user's authorizations.
Issues Perimeter menu
Description :
The user can see a query in a role and can execute it, but can't access a defined perimeter (Company, Plant, ...)
Solution :
1. Find the perimeter roles authorized for this user (not ending with Mxx nor Axx)
2. Compare with the list of all existing perimeter roles
3. Find the missing role and ask the security team to add it to the user's authorizations.
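The three comparisons above (menu, application and perimeter roles) can be scripted once the role lists from SU01 and PFCG are exported. The following is an added example, not part of the original WBP documentation: it assumes "xx" in Mxx / Axx means two digits, and the role names, symptom keys and function names are constructed for illustration.

```python
import re

# Assumption: "xx" in the Mxx / Axx suffixes stands for two digits.
MENU_RE = re.compile(r"M\d{2}$")
APP_RE = re.compile(r"A\d{2}$")

# Symptom -> kind of role to check, following the three issue sections.
# The symptom keys are hypothetical labels chosen for this example.
SYMPTOM_TO_KIND = {
    "menu_not_visible": "menu",             # role menu is not displayed
    "query_not_executable": "application",  # query visible but not executable
    "perimeter_denied": "perimeter",        # company/plant not accessible
}

def normalize(role):
    """Exports may carry stray spaces or lower case; compare canonically."""
    return role.strip().upper()

def role_kind(role):
    """Classify a role by its suffix: Mxx, Axx, or anything else."""
    name = normalize(role)
    if MENU_RE.search(name):
        return "menu"
    if APP_RE.search(name):
        return "application"
    return "perimeter"

def missing_roles(symptom, user_roles, all_roles):
    """Roles of the kind matching the symptom that exist but are not assigned."""
    kind = SYMPTOM_TO_KIND[symptom]
    held = {normalize(r) for r in user_roles}
    existing = {normalize(r) for r in all_roles}
    return sorted(r for r in existing if role_kind(r) == kind and r not in held)

# Constructed sample data: ALL_ROLES stands for the "Roles" tab of
# ZR_RCS_ALL_MENU in PFCG, USER_ROLES for the "Roles" tab of the user in SU01.
ALL_ROLES = ["ZR_DEMO_FIN_M01", "ZR_DEMO_FIN_A01", "ZR_DEMO_LOG_M02",
             "ZR_DEMO_LOG_A02", "ZR_DEMO_COMPANY_1000", "ZR_DEMO_PLANT_FR01"]
USER_ROLES = ["ZR_DEMO_FIN_M01", "ZR_DEMO_FIN_A01", "zr_demo_log_m02 ",
              "ZR_DEMO_COMPANY_1000"]

if __name__ == "__main__":
    for symptom in SYMPTOM_TO_KIND:
        print(symptom, "->", missing_roles(symptom, USER_ROLES, ALL_ROLES))
```

The result is a list of candidate roles; which of them to request from the security team still depends on the query or perimeter the user actually needs.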
Old documentation - no longer used in the current WBP application
And we can check a user’s perimeters by checking table /BIC/ADPBWAU0100 in SE16.
Don't use
The former way of checking authorization objects with RSSM is no longer applicable; use RSECADMIN to check instead.
2.
3. We can also use the “Execution as” function of RSECADMIN with a user’s account, and then check the logs to troubleshoot.
Important : before doing this, you have to add a breakpoint in the Class Builder (SE24) to change the current user; otherwise the user tested will be yours and not the user entered (execution as).
After that, you can use RSECADMIN.
4. For some authorization objects (such as Z_PS), a dimension might sometimes be missing. For example, CPFCTR1_2 was missing for PS. When we troubleshot with a user’s account, it prompted “No authorization” and the log showed that CPFCTR1_2 was empty. We then added the dimension to Z_PS and it was OK.
5. For dimensions with [] as below, if they exist in a query, we need to add filters for them in the Query Designer. The filters can be one of three kinds:
- User selection filters
- Authorization filters
- Customer exit filters
Authorization Contacts:
Security Team Contact: sbs-is-appli-sd-securite@solvay.com





















