Catalog of roles and authorization objects used for each BW application:

Link to the Google Doc:


Old file managed by SoonAik WEE:

https://drive.google.com/file/d/1ibLr8rVvsplr8UX49hVH0Rx-m3Ko5YNK9IOQfTJ-F2M/view


WBP Security Matrix

Link to the matrix:

Authorizationmatrix.xls

Link for the documentation:

https://drive.google.com/file/d/15JsFlJ9IGwiDJXjuMIpIAeJprKyT0Gb4MTVB-cjf7MU/view

How to check a user's authorization

First, you need to know:

1. The username of the user
2. The name of the query the user runs
3. The selection criteria the user enters at the prompt

How:

1. Go to Tcode: RSUDO
2. Enter the username of the user and click on 'Start Transaction'
3. Enter the query name and click on 'Execute + Debug', selecting 'Execute and Explain'
4. Mark the option 'Authorization Log'
5. Enter the same selection criteria as the user, then click on 'Execute'
6. The result will be the same as the user's. In this case, if there is an authorization problem, it will show as below
7. Click the back button; the system will explain why this user does not have authorization.


How to do authorization troubleshooting

Since the BW upgrade, the way authorizations work has changed a lot.

The DSO DPBWAU01 is no longer used.


Instead, the security team will change authorizations directly in the roles (for companies, plants, families, etc.).


3 kinds of roles are used to control authorizations:

  • Role menus
  • Application menus
  • Perimeter menus


How to find all existing roles

1. Go to TCode PFCG

2. Select role "ZR_RCS_ALL_MENU" and click on the glasses (display) icon

3. In the "Rôles" tab, see all existing roles


Or use the authorization matrix to find out which ones are still active (see the topic "BW Catalog of roles and authorization objects used for each BW application").


How to find a role based on the query name

If the user already knows the query (e.g. BW_QRY_MVCOPA01_0004) and you want to find a role that gives the user access to it, you can:
1. Run SE16 on table /BIC/ADBAUTH0400 (active table of DSO DBAUTH04)

Enter selection

You will get

How to find the user's roles

1. Go to TCode SU01

2. Choose the user and click on the glasses (display) icon

3. Go to the "Rôles" tab and see the roles authorized for this user


Issues Role menu

Description:

The user can't see a role menu containing queries or workbooks


Solution:

1. Find the menu roles authorized for this user (ending with Mxx)

2. Compare with the list of all existing menu roles

3. Find the missing role and ask the security team to add it to the user's authorizations.


Issues Application menu

Description:

The user can see a query in a role, but can't execute it.


Solution:

1. Find the application roles authorized for this user (ending with Axx)

2. Compare with the list of all existing application roles

3. Find the missing role and ask the security team to add it to the user's authorizations.


Issues Perimeter menu

Description:

The user can see a query in a role and can execute it, but can't access a defined perimeter (Company, Plant, ...)


Solution:

1. Find the perimeter roles authorized for this user (ending with neither Mxx nor Axx)

2. Compare with the list of all existing perimeter roles

3. Find the missing role and ask the security team to add it to the user's authorizations.

 


Old documentation - no longer used in the current WBP application

We can check a user's perimeters in table /BIC/ADPBWAU0100 using SE16.

The former way of checking authorization objects with RSSM is no longer applicable; use RSECADMIN to check instead.


2.  

3. We can also use the “Execution as” function of RSECADMIN to run under a user’s account, and then check the logs to troubleshoot.

Important: before doing this, you have to set a breakpoint in the Class Builder (SE24) to change the current user; otherwise the user tested will be your own and not the user entered (execution as).

After that, you can use RSECADMIN.

4. For some authorization objects (such as Z_PS), a dimension might sometimes be missing. For example, CPFCTR1_2 was missing for PS. When we troubleshoot with a user’s account, it prompts “No authorization” and the log shows that CPFCTR1_2 is empty. We then add the dimension in Z_PS and it works.

5. For dimensions with [] as below, if they exist in a query, we need to add filters for them in the Query Designer. The filters can be one of three kinds:

  • User selection filters
  • Authorization filters
  • Customer exit filters


Authorization Contacts:

Security Team Contact: sbs-is-appli-sd-securite@solvay.com