How Analysis Authorizations (row level security) for ADSOs and InfoObjects are supported in NextTables

NextTables already supported analysis authorizations for tables based on ADSOs. With version 7.0, this feature is also available for InfoObjects. In this article, I will explain how to use analysis authorizations with NextTables.

How analysis authorizations work in SAP BW

But first, let’s explore what analysis authorizations actually are and what differentiates them from object authorizations. Object authorizations provide access protection on the InfoProvider level. These authorizations are required by all users, for example, to call up NextTables tables and change data. These authorizations cover general access to InfoProviders. There are no access restrictions on the data contents of these objects.

Restrictions on the data content are covered by analysis authorizations. Analysis authorizations restrict access to the data content of the InfoProvider. This means that certain data content can be unlocked for a certain user. This enables fine-grained authorization assignment. Analysis authorizations are also called Row Level Security (RLS) in the SQL world.

Imagine a chocolate box with different chocolates. The object permissions determine whether you can open the box of chocolates at all. The analysis permissions allow you to take certain types of chocolates. For example, you may take the nougat chocolates, but not touch the marzipan ones.

In the same way, object authorizations determine whether you can access the table with company codes’ sales data. Analysis authorizations allow you to only see certain company codes. In the screenshot below you can view an example of analysis authorizations for company codes.

Analysis authorizations

How to turn on Analysis Authorizations Check in NextTables

You can turn on the analysis authorization check in the configuration of the table properties (menu path CONFIG → WIZARD → Table Properties). Change the option “Check analysis authorization?” to 1 (Check analysis authorization), as illustrated in the screenshot below.

Turn on analysis authorizations check

Authorization check for DSOs

Authorization checks are executed for ADSOs and classic DSOs, including Direct Update ones. A DSO can contain several authorization-relevant InfoObjects. NextTables automatically generates variables for each InfoObject that is flagged as authorization relevant. You can set the variables in the global filter, as you can see in the screenshot below.

Authorization variables in a DSO

A user only sees the company codes for which he is authorized. In our example, these are company codes 1000 and 3000, the company codes you saw in the analysis authorization.

Only authorized company codes are displayed

Why do we use variables? With the variables in place the user will see that his view is restricted and therefore might look different from what other users see. Furthermore, templates / bookmarks can be created with variables and shared, so that each user will see "their" data.

If the user tries to request data that is outside his permissions, an error message is displayed.

Error message DSO

When data is written back, the authorization check is performed as well. All values that are being updated have to be within the scope of the user’s authorizations.
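The read, error and write-back behaviour described in this section, modeled in Python as an added illustration (not NextTables or SAP BW code). The names `USER_AUTH`, `SALES`, `read` and `write_back`, the sample rows, the pre-filling of missing selections from the authorizations, and the rejection of a whole write-back batch are assumptions of this model.

```python
# Simplified model of a row-level (analysis) authorization check.
# Not NextTables or SAP BW code; all names and data are constructed.

class AuthorizationError(Exception):
    """Raised when a request leaves the user's authorized value range."""

# Authorized values per authorization-relevant characteristic (constructed).
USER_AUTH = {"COMP_CODE": {"1000", "3000"}}

# Constructed sample rows of a table with company-code sales data.
SALES = [
    {"COMP_CODE": "1000", "AMOUNT": 120},
    {"COMP_CODE": "2000", "AMOUNT": 75},
    {"COMP_CODE": "3000", "AMOUNT": 40},
]

def default_selection(auth):
    """Selection an authorization variable carries when filled from auth."""
    return {char: set(values) for char, values in auth.items()}

def read(rows, auth, selection=None):
    """Return selected rows; fail if the selection exceeds the authorizations."""
    # Assumption: characteristics the user did not restrict fall back to
    # the authorized values, as a pre-filled variable would.
    effective = default_selection(auth)
    effective.update({c: set(v) for c, v in (selection or {}).items()})
    for char, allowed in auth.items():
        outside = effective[char] - allowed
        if outside:
            # The request is refused as a whole, not silently narrowed.
            raise AuthorizationError(
                f"{char}: not authorized for {sorted(outside)}")
    return [r for r in rows
            if all(r[c] in v for c, v in effective.items())]

def write_back(changed_rows, auth):
    """Accept a write-back only if every changed row is authorized."""
    rejected = [r for r in changed_rows
                if any(r[c] not in allowed for c, allowed in auth.items())]
    if rejected:
        # Assumption of this model: one bad row rejects the whole batch.
        raise AuthorizationError(f"write-back rejected for rows: {rejected}")
    return len(changed_rows)
```
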

When the authorization check is enabled, NextTables uses the function module RSDRI_INFOPROV_READ. Therefore, some fields that are not relevant for reporting, e.g. RECORDMODE, cannot be fetched. A message listing the fields that cannot be displayed is written to the console. You can see the console in the developer tools of your browser.

Console messages are displayed in developer tools of the browser

Authorization check for InfoObjects

For the authorization check to work, the InfoObject must be marked as an InfoProvider. Check the setting “Usable as InfoProvider” in the properties of the respective characteristic.

InfoObject usable as InfoProvider

NextTables automatically generates variables for each InfoObject that is flagged as authorization relevant. You can set the variable in the global filter.

Variables can be set in the global filter

Thus, the user only sees those elements for which he is authorized. In our example, the user sees the company codes 1000 (Germany) and 3000 (France). These are the company codes you saw in the analysis authorization.

Only authorized company codes are displayed

Why do we use variables? With the variables in place the user will see that his view is restricted and therefore might look different from what other users see. Furthermore, templates / bookmarks can be created with variables and shared, so that each user will see "their" data.

If the user tries to request data that is outside his permissions, an error message is displayed.

Not sufficient authorizations

When data is written back, all records are checked against the user’s existing analysis authorizations. Compounded InfoObjects are supported as well.
