Insight Creator – Authorization Guide

Overview

The SAP authorization concept protects transactions, programs, and services in SAP systems from unauthorized access. To access business objects or execute SAP transactions, a user requires corresponding authorizations, as business objects or transactions are protected by authorization objects.

InsightSAP products adhere to the SAP authorization concept without exception!

InsightSAP was designed to be used directly on Production systems; it was therefore designed, bottom-up, with authorization in mind. InsightSAP fully adheres to the SAP authorization concept and uses it as its cornerstone. In no case will InsightSAP allow, authorization-wise, anything that SAP standard does not.

The authorization of the InsightSAP suite (Insight Creator, Insight Publisher, and Insight Creator Modules: Excel-In, Change-Log Viewer, and IDoc Monitor+) is built on top of, and uses, the SAP authorization concept. Thus, whoever invokes a transaction using one of the suite’s products must first have the authorization needed to invoke that transaction.

In addition, InsightSAP tools can enforce additional authorization checks per object (report/query/DB table). These checks can be done at record level (just as standard SAP code does) and at column level.

Using pre-defined Authorization Roles

InsightSAP Roles made easy

The InsightSAP suite is delivered with the following pre-defined authorization roles:

  1. Product administrator
  2. Group administrator 
  3. Maker
  4. Business end-user
  5. Authorization administrator

Product administrator

Role ID – /DPS/RAINBOW_ADMIN

The product administrator is the one in charge of setup at the Product level. The job includes configuring the product and setting up which activities can be used product-wide.

The Product Administrator role should be granted to one of two employees.

Group Administrator 

Role ID – /DPS/RAINBOW_GROUP_ADMIN

Groups are an important notion within Insight Creator and Insight Publisher: they are used to split content by working team, which is achieved through InsightSAP authorization. Therefore, almost all the authorization objects provided by InsightSAP use the field Group.

As a result, people who belong to the same Group are able to share the various artifacts. By the same token, people who belong to different Groups are not able to see another Group’s artifacts.

InsightSAP is provided without specific groups built in.

One exception is the virtual group 1MY (My Objects): By default, each Insight Creator Variant or Insight Publisher job that was created by the current user, and isn’t assigned to a specific Group, is automatically assigned to the virtual group 1MY, provided by the system. For all other users, the group field of such a report/job will remain unassigned/empty.

The various groups needed by the organization should be configured locally. A common convention is to use the relevant SAP modules (or any related aggregation) as the basis for a Group. This way, groups such as FI-CO, MM, and Logistics are often found.

The Groups are not shared between Products and the group customization is to be done separately and specifically per Product.

The Group Administrator role should be granted to one of two employees per Group.

Creator 

Role ID – /DPS/RAINBOW_ADMIN

Makers are those who prepare Insight Creator Reports and Insight Publisher Jobs for the business end-users across the organization. The most recurring question on the topic is: “Who should be assigned as Makers in the organization?” The answer is often tricky. As InsightSAP requires very little (to no) code-writing, there is no real technical barrier preventing non-developers from being Makers. Therefore, in some organizations one may find IT personnel (with some business understanding) handling InsightSAP as Makers, and in other organizations top users (with a bit of technical orientation) take that role. It is all about attitude.

Makers walk around InsightSAP corridors and therefore need specific InsightSAP authorization. The Maker role should be granted to as many employees in a Group as need to build Insight Creator variants and/or Insight Publisher jobs.

Business end-users

Role ID – /DPS/RAINBOW_END_USER (a template authorizations role for end-user).

As opposed to Makers, business end-users in many cases do not even know that they are triggering InsightSAP transactions. They could not care less about who created the report/interface they are using. That’s why business end-users have no special InsightSAP role.

Instead, business end-users are given ad hoc authorization per given Insight Creator variant. 

Authorization Administrator

Role ID – /DPS/RAINBOW_AUTH_ADMIN

Because authorization is so essential in InsightSAP, a specific role exists for those who are in charge of InsightSAP authorization. Authorization administrators may decide who will see what (content-wise), yet they themselves will not be able to see that content. Indeed, they may grant themselves the missing authorization objects (or even SAP_ALL), yet this (traceable) action would be a whole different story.

This way, authorization administrators may proactively force authorization checks upon business end-users who are to use a given Insight-Creator variant.

The Authorization Administrator role should be granted to one of two employees per Group.

Authorization Roles

The following authorization roles are available:

  • /DPS/RAINBOW_User – For InsightSAP User
  • /DPS/RAINBOW_END_USER (a template authorizations role for end-user)
  • /DPS/RAINBOW_ADMIN – For InsightSAP Administrator
  • /DPS/RAINBOW_GROUP_ADMIN – For InsightSAP Group Administrator
  • /DPS/RAINBOW_AUTH_ADMIN – For InsightSAP Authorization Administrator
  • /DCM/FILE_VIEW:
    • /DCM/FILE_VIEW_ADMIN – Manage the File View
    • /DCM/FILE_VIEW_END_USER – A template is available. This template must be replaced with a real group.
  • /DCM/AU_REPORTS – maintain Insight Creator special reports’ authorization:
      • /DCM/APPLOG
      • /DCM/JOBREPORT
      • /DCM/TRS4US
      • /DCM/USERLIST
      • /DCM/SE16N

Assign the user the relevant role per job type:

  • Transaction: /DPS/Rainbowalv
  • Maintain authorization objects /DPS/RET, /DPS/RETAD, /DPS/RETF and /DPS/RETC

For an InsightSAP manager, fill “*” in Transaction Code and “*” in InsightSAP Authorization Activities for all/relevant job groups.

  • Authorization Object /DPS/RET – Insight Creator:
    Table columns: Object – /DPS/RETOB | Sub Object – /DPS/RETSB | Global | Activity
      • C – Column
          Sub Object: C – Comment; D – DB Lookup; E – DB Lookup – Expert; F – Formula; I – Input; L – Long Text; M – Input Info; S – Standard; T – Text
          Activity: 01 – Create; 02 – Change; 03 – Display; 06 – Delete; 90 – Copy
      • P – Paint
          Global: P – Private (User-Specific); C – Public (Global); O – Public – Own (controls only Public objects which were created by the user)
          Activity: 02 – Change; 03 – Display
      • R – Paint Rule
          Sub Object: R – Paint Rule
          Global: P – Private (User-Specific); C – Public (Global); O – Public – Own (controls only Public objects which were created by the user)
          Activity: 01 – Create; 02 – Change; 03 – Display; 06 – Delete
      • N – Comment
          Global: P – Private (User-Specific); C – Public (Global); O – Public – Own (controls only Public objects which were created by the user)
          Activity: 01 – Create; 02 – Change; 03 – Display; 06 – Delete
      • D – Drill Down
          Activity: 01 – Create; 02 – Change; 03 – Display; 06 – Delete
      • G – Graphics
          Activity: 01 – Create; 02 – Change; 03 – Display; 06 – Delete
      • T – Group
          Activity: 01 – Create; 02 – Change; 03 – Display; 06 – Delete
      • F – Function
          Activity: 01 – Create; 02 – Change; 03 – Display; 06 – Delete
      • A – Authorization
          Activity: 01 – Create; 02 – Change; 03 – Display; 06 – Delete
      • K – Key
          Activity: 01 – Create; 02 – Change; 03 – Display; 06 – Delete
      • I – Input Data
          Activity: 01 – Create; 02 – Change; 03 – Display; 06 – Delete
      • U – User Variant
          Activity: 01 – Create; 02 – Change; 03 – Display; 06 – Delete
  • Authorization Object /DPS/RETAD – Insight-Creator Monitor:
    Table columns: Object – /DPS/RETAD | Value
      • /DPS/RETGR – Group: Selected list of Insight Creator Groups (/DPS/RETGR)
      • /DPS/RET_G – Global: C – Public; O – Public Own; P – Private
      • Activity: 01 – Create or generate; 02 – Change; 03 – Display; 06 – Delete; 08 – Display change documents; 16 – Execute; 48 – Simulate; 60 – Import; 61 – Export; 90 – Copy

 

  • Authorization Object /DPS/RETF – Insight-Creator Function:
      • Object – /DPS/RETGR: Insight-SAP Group
      • Sub Object /DPS/RET_T: New transaction (optional)
      • /DPS/RET_F: Function code (Assigned function code, not function name. e.g. 9CUST_01)
      • Activity: 16 – Execute

 

  • Authorization Object /DPS/RETC – Insight Creator Column:
You may restrict the output of columns and/or allow input (in input columns) only to specific users.

This gives the system administrator the flexibility to restrict output/input of specific columns by authorization (either by authorization group or by column).
In addition to the input/output activities, there are two more activities:
  1. Activity 78 (Assign) – Set the value of the authorization group. A user without this authorization won’t be able to set the value of the authorization group.
  2. Activity 02 (Change) – Change column. A user without this authorization (in addition to the standard /DPS/RET authorization) won’t be able to change the column (attributes).
An additional attribute, “Authorization Group” (for both standard and custom columns), allows grouping dependent columns into one authorization group.
Only columns with a maintained authorization group (value is set) will be checked for authorization.

Maintenance of the authorization group is allowed only for users with authorization object /DPS/RET for /DPS/RETOB=C and ACTVT = C3 (New Activity: Maintenance of manual authorization), in addition to the standard activities 01 (Create) and 02 (Change).

If there is no authorization for output of a column, the column is removed (set as technical) from the ALV layout and also from the maintenance of other objects: Formula column, DB Lookup column, Paint rule, Graph.
It will still be evaluated internally for existing objects. For example, a Formula column that is based on a column without authorization will still be evaluated correctly, but the user won’t be able to use the unauthorized column in a new Formula column.

Internal colors aren’t set for technical columns (this shouldn’t affect the advanced filter).
Advanced filter by comment doesn’t take into account comments of technical columns.

The customizing table (IMG activity “Define Column Authorization Groups”) allows you to maintain a list of authorization groups.
    Table columns: Object | Description | Value
      • /DPS/COL | Column name | Select field
      • /DPS/RETGR | Group | Rainbow Variant Group
      • /DPS/RET_T | Insight Creator – New transaction | Insight Creator New Transaction Code
      • ACTVT | Activity | 02 – Change; 34 – Write; 06 – Delete; 35 – Output; 78 – Assign
      • BRGRU | Authorization Group | The authorization group allows extended authorization protection for particular objects.
  • Authorization Object /DCM/TFILE – Tabular File:
    Object – /DCM
      • D’PROS Auth. Objects – Tabular File:
          16 (Execute) – Execution of file (Display file contents/ALV in /DCM/FILE_VIEW).
          23 (Maintain) – Maintain Columns of file (when file is displayed in /DCM/FILE_VIEW).
          70 (Administrator) – Assignment/maintenance of files in transaction /DCM/TFILE.
  • Authorization Object /DPS/RETV – Variables Input/Output:
    Table columns: Object – /DPS/RET | Sub Object – /DPS/RETV | Global | Activity
      • Rainbow Creator Group
          Global: P – Private (User-Specific); C – Public (Global)
          Activity:
            35 (Output) – Display variable
            34 (Write) – Update value of variable
            78 (Assign) – Set value of authorization group. If user has no authorization, he won’t be able to set this value of authorization group
            02 (Change) – Change variable. If user has no authorization, he won’t be able to change the variable (attributes)
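
The column-level rules described above for /DPS/RETC can be reasoned about with a small model. The following is an added example, not InsightSAP code: it is a simplified Python simulation that assumes every /DPS/RETC check supplies all five fields from the field table and follows the standard SAP rule that a single authorization must cover all checked fields. The column names, the group assignment, the transaction code ZDEMO and the helper names are constructed for illustration.

```python
OUTPUT, WRITE = "35", "34"  # ACTVT values listed for /DPS/RETC

def value_ok(allowed, value):
    # Simplified SAP value matching: exact value, "*", or a "PREFIX*" pattern.
    return any(p == value or (p.endswith("*") and value.startswith(p[:-1]))
               for p in allowed)

def has_auth(auths, wanted):
    # A check passes only if ONE authorization covers every field;
    # values from two different authorizations are never combined.
    return any(all(value_ok(a.get(f, ()), v) for f, v in wanted.items())
               for a in auths)

def column_view(columns, auths, group, tcode):
    """Map each column to 'technical', 'output' or 'input' for one user."""
    view = {}
    for col in columns:
        if not col["brgru"]:  # no authorization group maintained: not checked
            view[col["name"]] = "input" if col["input"] else "output"
            continue
        ctx = {"/DPS/COL": col["name"], "/DPS/RETGR": group,
               "/DPS/RET_T": tcode, "BRGRU": col["brgru"]}
        if not has_auth(auths, {**ctx, "ACTVT": OUTPUT}):
            view[col["name"]] = "technical"  # removed from the ALV layout
        elif col["input"] and has_auth(auths, {**ctx, "ACTVT": WRITE}):
            view[col["name"]] = "input"
        else:
            view[col["name"]] = "output"
    return view

# Constructed sample data (column names, groups and transaction code are made up).
COLUMNS = [
    {"name": "MATNR",    "brgru": "",      "input": False},
    {"name": "NETPR",    "brgru": "PRICE", "input": False},
    {"name": "DISCOUNT", "brgru": "PRICE", "input": True},
    {"name": "SALARY",   "brgru": "HR",    "input": False},
]
AUTHS = [  # two /DPS/RETC authorizations held by the same user
    {"/DPS/COL": ["*"], "/DPS/RETGR": ["FI-CO"], "/DPS/RET_T": ["*"],
     "ACTVT": ["35"], "BRGRU": ["PRICE"]},
    {"/DPS/COL": ["*"], "/DPS/RETGR": ["MM"], "/DPS/RET_T": ["*"],
     "ACTVT": ["34", "35"], "BRGRU": ["PRICE"]},
]

if __name__ == "__main__":
    for grp in ("FI-CO", "MM"):
        print(grp, column_view(COLUMNS, AUTHS, grp, "ZDEMO"))
```

In group FI-CO the DISCOUNT column stays read-only even though the user holds activity 34 in another authorization, because that authorization is limited to group MM; this is the kind of result worth checking when reviewing role designs.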

Copyright

© Copyright 2021 D’PROS Ltd. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without
the express permission of D’PROS Ltd. The information contained herein may be changed without prior
notice.