SAP BW/4HANA Authorization: Understanding Query Scenarios and Restricting Query Access

SAP BW/4HANA users can access only authorized data while executing a query. This is controlled using Authorization Objects, Analysis Authorizations, and InfoObject restrictions. To identify which BW query uses a specific authorization variable, follow steps to correlate RSZCOMPDIR, RSZELTXREF, and RSZRANGE tables in the backend. This helps understand the impact of changes to the variable or associated InfoObject on BW queries.

In SAP BW/4HANA, controlling access to authorized data during query execution is crucial for maintaining data security and compliance. This is achieved through the use of Authorization Objects, Analysis Authorizations, and InfoObject restrictions. Understanding which BW queries use specific authorization variables is essential for making informed changes and ensuring data integrity.

To identify which BW query uses a specific authorization variable, one can follow a structured process involving the correlation of RSZCOMPDIR, RSZELTXREF, and RSZRANGE tables in the backend. This process helps understand the impact of changes to the variable or associated InfoObject on BW queries.

First, enter the authorization variable name in the RSZCOMPDIR table to obtain the COMPUID. Then, enter the COMPUID in the RSZRANGE table to get the ELTUID. Next, use the ELTUID in the RSZELTXREF table to obtain the SELTUID. Finally, enter the SELTUID in the RSZCOMPDIR table to get the list of BW queries where the authorization variable is used.

Similarly, to identify which BW query uses a specific InfoObject in the fixed filter section, one can follow a similar process. Enter the InfoObject name in the RSZRANGE table to obtain the ELTUID. Then, use the ELTUID in the RSZELTXREF table to obtain the SELTUID. Finally, enter the SELTUID in the RSZCOMPDIR table to get the list of BW queries where the InfoObject is used.

Restricting BW query access by authorization-relevant InfoObject is another critical task. For instance, the InfoObject for Company Code (0COMP_CODE) is often used to separate financial data within an enterprise. To ensure data security, users should only be able to access data relevant to their roles. This can be achieved by creating an authorization variable on the 0COMP_CODE InfoObject and inserting it into the BW query filter. Additionally, maintaining analysis authorizations in the RSECADMIN transaction ensures that users are granted access to only the authorized company codes.

By following these steps, SAP BW/4HANA users can ensure that they access only authorized data while executing queries, thereby enforcing data-level security and compliance.

References:
[1] https://community.sap.com/t5/technology-blog-posts-by-members/driving-authorization-of-a-bw-query-in-sap-bw-4hana/ba-p/14131899