NextTables has previously supported analysis authorizations for tables based on aDSO. With version 7.0, this feature is also available for InfoObjects. In this article, I will explain how to use analysis authorizations with NextTables.
How analysis authorizations work in SAP BW
But first, let’s explore what analysis authorizations actually are and what differentiates them from object authorizations. Object authorizations provide access protection on the InfoProvider level. These authorizations are required by all users, for example, to call up NextTables tables and change data. These authorizations cover general access to InfoProviders. There are no access restrictions on the data contents of these objects.
These are covered by analysis authorizations. Analysis authorizations restrict access to the data content of the InfoProvider. This means that certain data content can be unlocked for a certain user. This enables fine-grained authorization assignment. Analysis authorizations are also called Row Level Security (RLS) in the SQL world.
Imagine a chocolate box with different chocolates. The object permissions determine whether you can open the box of chocolates at all. The analysis permissions allow you to take certain types of chocolates. For example, you may take the nougat chocolates, but not touch the marzipan ones.
In the same way, object authorizations determine whether you can access the table with company codes’ sales data. Analysis authorizations allow you to only see certain company codes. In the screenshot below you can view an example of analysis authorizations for company codes.
How to turn on Analysis Authorizations Check in NextTables
You can turn on analysis authorizations check in the configuration of table properties. Menu path Settings -> Configuration -> enter the desired table. Please change the option “Check analysis authorization?” to 1 (Check analysis authorization), as illustrated on the screenshot below.
Authorization check for DSOs
Authorization checks are executed for ADSOs and classic DSO, also Direct Update ones. A DSO can contain several authorization-relevant InfoObjects. NextTables automatically generates variables for each InfoObject that is flagged as authorization relevant. You can set the variables in the global filter, as you can see on the screenshot below.
An user only sees the company codes for which he is authorized. In our example, company codes 1000 and 3000. This are the company codes you saw in the analysis authorization.
Why do we use variables? With the variables in place the user will see that his view is restricted and therefore might look different from what other users see. Furthermore, templates / bookmarks can be created with variables and shared, so that each user will see "their" data.
If the user tries to request data that is outside his permissions, an error message is displayed.
When writing back data authorization check will be done as well. All values that are being updated have to be within the scope of user’s authorizations.
When authorization check is enabled, NextTables uses the function module RSDRI_INFOPROV_READ. Therefore, some fields, which are not relevant for reporting, e.g. RECORDMODE cannot be fetched. A message will be displayed in the console, listing the fields which cannot be displayed. You can see the console in the developer tools of your browser.
Authorization check for InfoObjects
For the authorization check to work, the InfoObject must be marked as an InfoProvider. Please check the setting “Usable as InfoProvider” in the properties of respective characteristic.
NextTables automatically generates variables for each InfoObject that is flagged as authorization relevant. You can set the variable in the global filter.
Thus, the user only sees those elements for which he is authorized. In our example, the user sees the company codes 1000 (Germany) and 3000 (France). This are the company codes you saw in the analysis authorization.
Why do we use variables? With the variables in place the user will see that his view is restricted and therefore might look different from what other users see. Furthermore, templates / bookmarks can be created with variables and shared, so that each user will see "their" data.
If the user tries to request data that is outside his permissions, an error message is displayed.
When writing back data all records will be checked against existing analysis authorizations of the user. Compounded InfoObjects are supported as well.
Which License is needed for this feature Professional ✔ | Enterprise ✔