The following list shows possible values for the Activity field.
Maintain - 03
Execute-16
Administer document storage - 23
Update metadata - 66
Description
Administrator Workbench
-Objects S_RS_ADMWB
IOBJ.
S_RS_IOMAD
BW InfoObject Security
Thus, a query is more the technical definition of what the results should look like.
Workbooks are actual results that have been formatted and can be refreshed each time the
workbook is executed.
How the reporting user accesses workbooks, and security related to workbooks.
You must set up security to control who can save workbooks, where they can be saved,
and which workbooks appear in the BEx Browser for a specific user.
Workbooks can also be created in the BEx Analyzer. After executing a query, choose
Save Save as new workbook.
Securing Workbooks
In order to save a workbook, a user needs two authorization objects. The two objects
listed below are the minimum authorizations a user needs to save workbooks.
Using both S_GUI and S_BDS_DS will enable a user to save workbooks to their
Favorites folder.
The authorization object S_GUI has one field, Activity. The activity field must be set to
60. For S_BDS_DS, the user needs activities 03 and 30. The Class Type field should be
set to OT.
1. In the BEx Analyzer, choose Open Queries from the BEx toolbar.
2. On the next screen, choose New. This brings you to a selection screen containing
all of the InfoCubes for which you can define a new query.
3. Select the InfoCube on which you want the query to be based by selecting it with
the mouse. You can see the technical name of the InfoCube by choosing Technical
Name (wrench icon).
4. After selecting an InfoCube, choose New to create the query.
5. The objects available for the InfoCube you have selected are shown as a tree
structure in the left-hand part of the BEx Query Designer. These objects include
the key figures of the fact table and the characteristics of the dimensions.
6. The right-hand part of the screen contains empty windows for filter selections,
rows, columns, and the free characteristics of the query. The bottom right-hand
part of the screen shows a preview of the query result area. This area is empty at
first.
7. By choosing the plus or minus symbols for the directories, you can expand or
compress the directory structure. By expanding the key figure node in the
InfoCube tree, for example, you can display a list of all the key figures for the
InfoCube.
8. You can drag the characteristics and key figures for the InfoCube into the
windows for the query definition (filter, rows, columns, and free characteristics).
9. When you have finished defining your query, choose Save Query. Choose Quit
and Use Query (check mark icon) to execute and start working with the query.
Before you can make authorizations for hierarchies, you must first transfer and activate
the Info Object 0TCTAUTHH from Content. Make sure that the indicator relevant for
authorization is set. You must also create an authorization object for which you want to
make the authorization.
1.
2.
3.
4.
certain depth below his initial node, but this node is moved to another level when
the hierarchy is restructured.)
5. Specify a technical name for this definition. If you do not enter a value, a unique
ID is set.
6. Now create an authorization for the new authorization object. To do this, enter the
technical name of the definition as a characteristic value for the characteristic
0TCTAUTHH. For the characteristic defined on the hierarchy, specify the
value" ." (blank). It often makes sense to also enter ":" (colon) so that queries
without this characteristic are also allowed.
Hint: If you enter the value "*" here (all characteristic values), the user is allowed
to view data for all characteristic values, regardless of whether a hierarchy is used
or a complete drilldown is carried out.
7. Optionally you can use the following fields:
Top of hierarchy: This option allows you to select the top of the hierarchy
instead of a node in the hierarchy.
If, for example, you want to authorize a user to work with a hierarchy
from the top node, down to a particular level, you can of course authorize
the user for the highest node in the hierarchy. If, on the other hand, the
hierarchy is used in the query without a filter set for this node, the user is
not able to execute the query.
This is because the node that is displayed at the highest level in the
hierarchy, is not actually the top of the hierarchy. For example, there is
the .All Other Leaves. node. This is an internal node, but a node in the
hierarchy nevertheless, and it is this node that is at the top of the hierarchy,
a level higher than the highest node that appears in the hierarchy display.
If the hierarchy is used in the query, and the top-level node has not been
specified explicitly, the system checks the authorization against the highest
node in
the hierarchy, meaning the internal node that is not displayed. This option,
therefore, allows you to determine the top-level node of the hierarchy
yourself, so that you can ensure that users are assigned the appropriate
authorizations.
Hierarchy level : Within the framework of the authorization check, you
can use this value to specify to which level the user can expand the
hierarchy.
Please note that this is an absolute value and refers to the entire hierarchy.
The highest node of a hierarchy stands at level 1.
If you have entered
the value 3 for the hierarchy level, for example, then the user can
expand/see the hierarchy up to level 3.
Validity period :
0: Name, Version, and key Date identical
1: Name and version identical
2. Name identical
3. All hierarchies
Node variable default value: If this option is chosen, this definition of a
hierarchy authorization is used as the default value for node variables.
If a user is allocated several authorizations for subareas of the same
hierarchy, one of these authorizations must be defined as the default value
in this way. Only one node can be chosen for a node variable in the
variable screen of a query. In order that this variable be filled from the
authorizations, the correct variable type must be chosen and an
authorization must be marked as the default value.
Summary
Step-by-step list, explaining how to link a BW system to an EP system. (Note: Those are
the personal notes an EP novice, they should not be used as a reference!)
Linking a BW System to the Enterprise Portal (EP6.0):
In the following article, I want to share my experience in linking a BW System (release
BW3.5) to an Enterprise Portal (release BW6.0SP2). Before diving into the subject
matter, I want to note that I am fairly technically experienced in the BW system, however
so far only had very limited exposure to the EP, or to J2EE platforms in general. Given
this, first I was ready to hand over the task of linking the two systems to an experienced
colleague. On a second thought, however, I said to myself "heck, lets give it a try".
After browsing through the documentation and some system settings, after about 2 hours
I had successfully built (and tested) the connection (again, with NO prior experience in
this area at all)! (Ok, I admit, 5 minutes counseling by an EP expert probably had helped
as well).
[Before I go into details, just a warning: The steps before worked for me. However results
may vary, things depend partially on your local IT infrastructure. Also, some of my
statements below *could* be incorrect. For any serious activities, you should make sure
to either receive the proper training, or to consult with an expert in the respective area.]
Those were the steps I had to take (btw, I had super user rights on the EP):
1. Once logged into the EP, choose "System Administration", then "System
Configuration", then "System".
2. You will see a screen "System Landscape Editor", and on the left to it "Portal
Content". Right-Click on "Portal Content", and choose New >> System".
3. The System Wizard comes up. Choose "SAP_R3_LoadBalacing" (if your system
is load balanced, like in my case). Click "next".
4. Enter the following:
System Name (here I choose the 3 digit system name from the logon, something like
BW1?)
System ID (here I choose the logical system ID, like BW1CLNTT003; you can get this
e.g. from table T000 in the BW system)
System ID Prefex (a prefix to find and group your settings, e.g. BW)
Then save as system. Click "next".
1. Choose "Property Category = Connector", and maintain the following fields:
Application Host (the address of the host; you can get this e.g. from the BW WAD from a
web query URL string; it?s what comes after http:// and before ?:[port]"; something like ?
usbw0101.xxx.com")
Logical System ID (you can get from table T000 in the BW system, something like
"BW1CLNT003")
SAP Client (BW client name)
SAP System Name (here I entered the 3 letter system name, like "BW1")
SAP System Number (you get this e.g. from the BW logon properties)
Server Port (this again you get e.g. from the query URL string mentioned above, it?s the
number which comes after the Application host; e.g. ?8100?)
System Template Name (here I used again the logical system ID from above)
System Type ("SAP_BW", of course)
1. Choose "Property Category = WAS", and maintain the following fields:
WAS description (same as System Name above, e.g. "BW1")
WAS host name (same as application host above, but together with port number from
above, i.e. something like "usbw0101.xxx.com:8100")
WAS path "/sap/bw/bex"
WAS protocol ("http")
1. Choose "Property Category = User Management", and maintain the following:
Logon Method ("SAPLOGONTICKET").
User mapping fields ("{003,800}Client;Language")
User Mapping Type ("admin, user")
Save all your settings.
1. Still from the same screen, choose "System Aliases". Create and save a new
"System Alias". Basically, I picked the logical system ID "BW1CLNT003" as
system alias, and saved this.
2. Almost finished: As a next step, I had to perform what?s called ?user mapping?
(so the EP can talk to the BW on behalf of a specific user). I went to "User
Administration", the "User Mapping". I searched (in this case) for my user in
"Users", then (under "Logon Data for System") selected the BW system, and
maintained the login settings.
Final Step: Now you are ready to test the system connection! For this purpose, go to
"System Administration", then "Support", from here to "SAP Application". Under "Tool"
select "BWReport", and push ?Run?. Select your BW system, and a BEx Web
Application Query String (you can use the string from the WAD URL above, basically
the piece which starts with "cmd"; e.g. like? cmd=ldoc&TEMPLATE_ID=LSTEMP?).
Execute, and you should see the query results right in your Portal!
Setting up RFC to R3 system BW RFC / ALE Setup.In SAP BW, you should create a
system (not a dialog) user called BWALE. BWALE should have the authorization profile
(not Role)S_BI-WHM_RFC. ...More
Setting up RFC
BW RFC / ALE Setup
In SAP BW, you should create a system (not a dialog) user called BWALE. BWALE
should have the authorization profile (not Role)S_BI-WHM_RFC.
You can convert this profile to a role, if you want.
This profile will give user BWALE the access needed to extract from
an OLTP system. The profile also provides the access required for staging
steps to get the data into InfoCubes.
SAP R3 RFC/ALE Set Up
You must set up a user on each SAP system sending data to SAP BW. For this example
we will use R3 system.
Create a system user called BWR3ALE.
This user should have the authorization profile (not Role) S_BI-WX_RFC.
This profile will give user BWR3ALE the access needed to connect
and send data to the SAP BW system.
Set up RFC destinations using SM59. If you dont know ask your Basis Admin to set this
up for you.
Transaction Code in BW
Important Notes
540720: FAQ Information on S_RS_COMP and S_RS_COMP1
150315: BW-Authorizations for Remote-User in BW and OLTP
315094: Recommendations for authorizations in BW Reporting 2.0B (even though the
note was written for 2.0B, it still applies to 3.x)
374297: Checking for referencing characteristics/navigation
The following list shows possible values for the Activity field.
Maintain - 03
Execute-16
Administer document storage - 23
Update metadata - 66
For a complete list of objects, go to transaction code SU03 and drill down
to the authorization object class Business Information Warehouse.
You will notice some objects we dealt with in reporting that are also used
here: S_RS_HIER, S_RS_ICUBE, S_RS_COMP, and S_RS_COMP1. If your
company is storing data in ODS objects, you will need to use S_RS_ODSO.
Note: Some companies use ODS objects to hold large amounts of
detailed data. An ODS object is another storage location for data,
similar in some respects to an InfoCube. If you are using ODS
objects, you will use object S_RS_ODSO in the same way that you
use object S_RS_ICUBE.
S_RS_ODSO: Authorizations for working with ODS objects and their sub-objects.
In addition to InfoCubes, the SAP BW administrator may create ODS objects to handle
large amounts of transaction data. The user again needs access to the data in some of the
ODS objects. S_RS_ODSO is to ODS objects as S_RS_ICUBE is to InfoCubes.
The fields for this object are similar to S_RS_ICUBE and S_RS_ODSO. They all access
by InfoArea, activity (display), and access to the data.
S_RS_COMP: Authorizations for using different components for the query definition.
This authorization object is very important for reporting
The authorization object S_RS_COMP restricts query component activities. For example,
it restricts if someone can create queries, change queries, or execute queries. You can
restrict query creation, change, and execution by the InfoArea and InfoCube. If your
company has one InfoCube for sales information and another for financial data, you can
restrict a user to only those queries written for the sales InfoCube or the financial
InfoCube.
You could also use S_RS_COMP if you want to protect by query name. For example, you
have an InfoCube for sales data. Every sales manager needs access to this InfoCube.
However, sales managers in different lines of business are not allowed to execute the
same query.
The following table contains specific information about the fields in S_RS_COMP and
how they are used.
S_RS_COMP1: Authorization for queries from specific owners. This object is new in
SAP BW 3.0. It can be used to limit, by the query owner, which queries a user can see.
For example, you can only see queries created by the power user for your area.
Authorization object S_RS_COMP1 secures the list of queries seen by the user via the
BEx Analyzer or Web-based reporting (this authorization object began with release
3.0A).With S_RS_COMP1, you can limit the list of queries by the query owner. For
example, you are a manager for a local sales team. You can only run queries created by
the power user for your geographic region. S_RS_COMP1 limits both what queries you
can see in the BEx Analyer tool, what queries you can display, and what queries you can
execute. The Owner field in S_RS_COMP1 works in conjunction with the fields
in S_RS_COMP.
If the special value $USER is entered as an authorization value for the Owner field, then
a user can only change their queries and cannot change any other queries. The $USER
will also limit the queries the user can see and display in the analyzer tool.
Authorization objects S_RS_COMP and S_RS_COMP1 are evaluated together. A user
must have access to both objects. The actions you can take related to a query in
S_RS_COMP are complemented by the owner field in S_RS_COMP1.
The following table details the fields in S_RS_COMP1 and how they are used.
S_RS_FOLD Display authorization for folder. This object is new in SAP BW 3.0
If you do not want InfoAreas to appear as an option, then use the authorization object
S_RS_FOLD. This object is not required. You only need to use it if you do not want users
to even see the InfoAreas listing of queries. The object has one field - Hide .Folder. Push
button. If this field is set to X (True), then the InfoAreas button will not appear in the BEx
Analyzer Open Queries dialog box
When a user brings up the BEx Analyzer or uses the Query Designer for Web-based
reporting, there are four categories from which they may choose existing queries:
History, Favorites, Roles, and InfoAreas. Authorization object S_RS_FOLD will allow
you to disable the InfoAreas category