Big4Guy

Providing users authorizations in SAP BW is a hot question for organizations implementing SAP Business Warehouse BW. Ideally, desigining authorizations should always begin with designing user roles in BW. Due to the inherent structure of many organizations, user roles need to be defined at the same level of detail as individual users. Such a design for user access within SAP BW requires a lot of maintenance. As an alternative, organizations can create a few roles and assign as many users to it as required. Though this approach is maintenance friendly, any changes to user roles may have an adverse impact on other users.

The transaction code used to provide authorizations in SAP BW is RSSM. Though the T-Code PFCG Profile Generator can also be used to provide authorizations. Authorization administration is much easier through transaction RSSM in case reporting authorizations are required to be attached to user roles.

The best practice approach in providing authorizations in SAP BW is to design authorizations based on SAP BW meta-data objects. Roles can be defined to restrict user access to a particular query or InfoCube. The key is to keep the authorizations design role centric rather than user centric. This is because with user roles in SAP BIW, additional features such as portal integration and user menu specification become possible which cannot be done using user based authorization. To help secure access in SAP BW, I would suggest that restricting user access to a particular reporting query or transaction based on user menus. Normally, users are not sophisticated enough to guess transactions. They only play with what appears in the user access menu in front of them.

More on SAP R/3

SAP R/3 Auditor Authorizations
SAP BEx Analyzer Toolbar
SAP CATT Computer Aided Test Tool
SAP Basis Transaction Codes