Insight Creator – Authorization Guide
Overview
The SAP authorization concept protects transactions, programs, and services in SAP systems from unauthorized access. To access business objects or execute SAP transactions, a user requires corresponding authorizations, as business objects or transactions are protected by authorization objects.
InsightSAP products adhere to SAP authorization with no exception!
InsightSAP was designed to enable working on Production; thus it was designed, bottom-up, with authorization in mind. Note that InsightSAP fully adheres to the SAP authorization concept and uses it as its cornerstone. In no case will InsightSAP allow, authorization-wise, anything that SAP standard does not.
The authorization of the InsightSAP suite (Insight Creator, Insight Publisher, and Insight Creator Modules: Excel-In, Change-Log Viewer, and IDoc Monitor+) was built on top of, and uses, the SAP authorization concept. Thus, whoever invokes a transaction using one of the suite’s products must first have the authorization needed to invoke that transaction.
In fact, InsightSAP tools can enforce additional authorization checks per object (report/query/DB table). The checks can be done at the record level (just as standard SAP code does) and at the column level.
Using pre-defined Authorization Roles
InsightSAP Roles made easy
The InsightSAP suite is delivered with the following pre-defined authorization roles:
- Product administrator
- Group administrator
- Maker
- Business end-user
- Authorization administrator
Product administrator
Role ID – /DPS/RAINBOW_ADMIN
The product administrator is in charge of setup at the product level. The job includes configuring the product and setting which activities can be used product-wide.
The Product Administrator role should be granted to one of two employees.
Group Administrator
Role ID – /DPS/RAINBOW_GROUP_ADMIN
Groups are an important notion within Insight Creator and Insight Publisher: they are used to split content by working teams, which is achieved through InsightSAP authorization. Therefore, almost all the authorization objects provided by InsightSAP use the field Group.
As a result, people who belong to the same Group can share the various artifacts. By the same token, people who belong to different Groups cannot see another Group’s artifacts.
InsightSAP is provided without specific groups built in.
One exception is the virtual group 1MY (My Objects): by default, each Insight Creator Variant or Insight Publisher job that was created by the current user and isn’t assigned to a specific Group is automatically assigned to the virtual group 1MY, provided by the system. For all other users, the group field of such a report/job remains unassigned/empty.
The various groups needed by the organization should be configured locally. A common convention is to use the relevant SAP modules (or any related aggregation) as the basis for Groups. This way, groups such as FI-CO, MM, and Logistics can often be found.
Groups are not shared between Products; group customization is done separately and specifically per Product.
The Group Administrator role should be granted to one of two employees per Group.
Creator
Role ID – /DPS/RAINBOW_ADMIN
Makers are those who prepare Insight Creator Reports and Insight Publisher Jobs for the business end-users across the organization. The most recurring question on the topic is: “Who should be assigned as Makers in the organization?” The answer is often tricky. As InsightSAP requires very little (to no) code-writing, there is no real technical barrier preventing non-developers from being Makers. Therefore, in some organizations, one may find IT personnel (with some business understanding) handling InsightSAP as Makers, and in other organizations, top users (with a bit of technical orientation) take that role. It is all about attitude.
Makers walk around InsightSAP corridors and therefore need specific InsightSAP authorization. The Maker role should be granted to as many employees in a Group as should build Insight Creator variants and/or Insight Publisher jobs.
Business end-users
Role ID – /DPS/RAINBOW_END_USER (a template authorizations role for end-user).
As opposed to Makers, business end-users in many cases do not even know that they are triggering InsightSAP transactions. They could not care less about who created the report/interface they are using. That’s why business end-users have no special InsightSAP role.
Instead, business end-users are given ad hoc authorization per given Insight Creator variant.
Authorization Administrator
Role ID – /DPS/RAINBOW_AUTH_ADMIN
To reflect how essential authorization is in InsightSAP, a specific role is provided for those who are in charge of InsightSAP authorization. Authorization administrators may decide who will see what (content-wise), yet they themselves will not be able to see that content. Indeed, they may grant themselves the missing authorization objects (or even SAP_ALL), yet this (traceable) action would be a whole different story.
This way, authorization administrators may proactively force authorization checks upon business end-users who are to use a given Insight-Creator variant.
The Authorization Administrator role should be granted to one of two employees per Group.
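The separation described above (authorization administrators decide who sees content but should not hold that access themselves) can be reviewed periodically. The following is an added example, not part of the product or the original guide: it assumes a semicolon-separated user/assignment export (a constructed format with constructed sample rows), and the choice of which roles count as conflicting is an assumption to adapt locally.

```python
import csv
import io
from collections import defaultdict

AUTH_ADMIN = "/DPS/RAINBOW_AUTH_ADMIN"
# Assumption: these role IDs from this guide are treated as giving content or
# setup access that an authorization administrator should not also hold.
CONTENT_ROLES = {
    "/DPS/RAINBOW_ADMIN",
    "/DPS/RAINBOW_GROUP_ADMIN",
    "/DPS/RAINBOW_User",
    "/DPS/RAINBOW_END_USER",
}
# The guide names SAP_ALL as the self-granted escalation to watch for.
BROAD_PROFILES = {"SAP_ALL"}

# Constructed sample export (USER;ASSIGNMENT); not real data.
SAMPLE = """\
USER;ASSIGNMENT
ALICE;/DPS/RAINBOW_AUTH_ADMIN
BOB;/DPS/RAINBOW_AUTH_ADMIN
BOB;/DPS/RAINBOW_GROUP_ADMIN
CAROL;/DPS/RAINBOW_User
DAVE;/DPS/RAINBOW_AUTH_ADMIN
DAVE;SAP_ALL
ERIN;/DPS/RAINBOW_END_USER
"""


def load_assignments(text):
    """Return {user: set(assignments)} from the export text."""
    by_user = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text), delimiter=";"):
        by_user[row["USER"].strip().upper()].add(row["ASSIGNMENT"].strip())
    return by_user


def audit_auth_admins(by_user):
    """Return {user: [conflicting assignments]} for authorization administrators."""
    findings = {}
    for user, held in sorted(by_user.items()):
        if AUTH_ADMIN not in held:
            continue
        conflicts = sorted(held & (CONTENT_ROLES | BROAD_PROFILES))
        if conflicts:
            findings[user] = conflicts
    return findings


if __name__ == "__main__":
    for user, conflicts in audit_auth_admins(load_assignments(SAMPLE)).items():
        print(f"{user}: {AUTH_ADMIN} combined with {', '.join(conflicts)}")
```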
Authorization Roles
The following authorization roles are available:
- /DPS/RAINBOW_User – For InsightSAP User
- /DPS/RAINBOW_END_USER (a template authorizations role for end-user)
- /DPS/RAINBOW_ADMIN – For InsightSAP Administrator
- /DPS/RAINBOW_GROUP_ADMIN – For InsightSAP Group Administrator
- /DPS/RAINBOW_AUTH_ADMIN – For InsightSAP Authorization Administrator
- /DCM/FILE_VIEW:
  - /DCM/FILE_VIEW_ADMIN – Manage the File View
  - /DCM/FILE_VIEW_END_USER – A template is available. This template must be replaced with a real group.
- /DCM/AU_REPORTS – maintain Insight Creator special reports’ authorization:
  - /DCM/APPLOG
  - /DCM/JOBREPORT
  - /DCM/TRS4US
  - /DCM/USERLIST
  - /DCM/SE16N
Assign the user the relevant role per job type:
- Transaction: /DPS/Rainbowalv
- Maintain authorization objects /DPS/RET, /DPS/RETAD, /DPS/RETF and /DPS/RETC
For an InsightSAP manager, fill “*” in Transaction Code and “*” in InsightSAP Authorization Activities for all/relevant job groups.
- Authorization Object /DPS/RET – Insight Creator:
Object – /DPS/RETOB | Sub Object – /DPS/RETSB | Global | Activity |
---|---|---|---|
C – Column | C – Comment; D – DB Lookup; E – DB Lookup – Expert; F – Formula; I – Input; L – Long Text; M – Input Info; S – Standard; T – Text | | 01 – Create; 02 – Change; 03 – Display; 06 – Delete; 90 – Copy |
P – Paint | | P – Private (User-Specific); C – Public (Global); O – Public – Own (controls only Public objects which were created by the user) | 02 – Change; 03 – Display |
R – Paint Rule | | P – Private (User-Specific); C – Public (Global); O – Public – Own (controls only Public objects which were created by the user) | 01 – Create; 02 – Change; 03 – Display; 06 – Delete |
N – Comment | | P – Private (User-Specific); C – Public (Global); O – Public – Own (controls only Public objects which were created by the user) | 01 – Create; 02 – Change; 03 – Display; 06 – Delete |
D – Drill Down | | | 01 – Create; 02 – Change; 03 – Display; 06 – Delete |
G – Graphics | | | 01 – Create; 02 – Change; 03 – Display; 06 – Delete |
T – Group | | | 01 – Create; 02 – Change; 03 – Display; 06 – Delete |
F – Function | | | 01 – Create; 02 – Change; 03 – Display; 06 – Delete |
A – Authorization | | | 01 – Create; 02 – Change; 03 – Display; 06 – Delete |
K – Key | | | 01 – Create; 02 – Change; 03 – Display; 06 – Delete |
I – Input Data | | | 01 – Create; 02 – Change; 03 – Display; 06 – Delete |
U – User Variant | | | 01 – Create; 02 – Change; 03 – Display; 06 – Delete |
- Authorization Object /DPS/RETAD – Insight-Creator Monitor:
Object – /DPS/RETAD | Value |
---|---|
/DPS/RETGR – Group | Selected list of Insight Creator Groups (/DPS/RETGR) |
/DPS/RET_G – Global | C – Public O – Public Own P – Private |
Activity | 01 – Create or generate 02 – Change 03 – Display 06 – Delete 08 – Display change documents 16 – Execute 48 – Simulate 60 – Import 61 – Export 90 – Copy |
- Authorization Object /DPS/RETF – Insight-Creator Function:
Object – /DPS/RETGR | Sub Object /DPS/RET_T | /DPS/RET_F | Activity |
---|---|---|---|
Insight-SAP Group | New transaction (optional) | Function code (Assigned function code, not function name. e.g. 9CUST_01) | 16 – Execute |
- Authorization Object /DPS/RETC – Insight Creator Column:
- Activity 78 (Assign) – Set the value of the authorization group. A user without this authorization cannot set the value of the authorization group.
- Activity 02 (Change) – Change a column. A user without this authorization (in addition to the standard /DPS/RET authorization) cannot change the column (attributes).
Object | Description | Value |
---|---|---|
/DPS/COL | Column name | Select field |
/DPS/RETGR | Group | Rainbow Variant Group |
/DPS/RET_T | Insight Creator – New transaction | Insight Creator New Transaction Code |
ACTVT | Activity | 02 – Change 34 – Write 06 – Delete 35 – Output 78 – Assign |
BRGRU | Authorization Group | The authorization group allows extended authorization protection for particular objects. |
- Authorization Object /DCM/TFILE – Tabular File:
Object – /DCM | | |
---|---|---|
D’PROS Auth. Objects | Tabular File | 16 (Execute) – Execution of file (Display file contents/ALV in /DCM/FILE_VIEW); 23 (Maintain) – Maintain Columns of file (when file is displayed in /DCM/FILE_VIEW); 70 (Administrator) – Assignment/maintenance of files in transaction /DCM/TFILE |
- Authorization Object /DPS/RETV – Variables Input/Output:
Object – /DPS/RET | Sub Object – /DPS/RETV | Global | Activity |
---|---|---|---|
Rainbow Creator Group | P – Private (User-Specific) C – Public (Global) | 35 (Output) – Display variable 34 (Write) – Update value of variable 78 (Assign) – Set value of authorization group. If user has no authorization, he won’t be able to set this value of authorization group 02 (Change) – Change variable. If user has no authorization, he won’t be able to change the variable (attributes) |
Copyright
© Copyright 2021 D’PROS Ltd. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without
the express permission of D’PROS Ltd. The information contained herein may be changed without prior
notice.