We take a brief look at the authorization objects that need to be included in a PFCG-role for a user that is only allowed to do the bare minimum in BPC embedded: Open a report or input form in the web frontend.
We assume that the report or input form is defined on model myModel of the environment myEnvironment.
Consuming Global BW Reporting/Planning Queries
BW Analysis Authorizations
As BPC embedded extends BW in the sense that BW objects (queries etc.) can also be consumed in BPC embedded, this comes as no surprise.
Object | Remark |
S_RS_AUTH | Analysis authorization objects as maintained in RSECADMIN. These can be extended by the BPC-specific concept of environment authorizations and Data Access Profiles |
S_RS_COMP | Authorizations by query component |
S_RS_COMP1 | Authorization by query owner |
Data Access Profiles
The concept of analysis authorizations is extended by environment authorizations and Data Access Profiles (DAPs) in BPC.
As our objective is to build a minimal example, we would like to keep the analysis authorizations as configured in the BW backend. To do so, we have to configure a DAP for the model our input form or report live on.
The resulting authorization for the user will be calculated as the intersection of the RSECADMIN analysis authorizations and the DAP. So we create a DAP for myModel, assign our user to the DAP and choose *-authorizations for all authorization relevant dimensions of this DAP.
Authorizations for Library Access
Object | Value | Remark |
S_USER_GRP | Act: 03 (Display) | Required for opening reports/input forms |
RSBPC_ID | App SetID: myEnvironment | Access (logon to) environment |
RSBPC_WKSP | Act: 03 (Display) App SetID: myEnvironment Folder: * Resource Type: * | See folders, input forms, reports. |
If we want to be very strict, we can even restrict RSBPC_WKSP to Folder [PUBLIC] or [NON_PUBLIC]. Nonetheless, the user will always have read access to the team folders for all teams that he/she is a member of. Write access to team folders is determined by the “Team Lead” flag in the team maintenance UI.
Useful Extensions
Favorites
If our user should have the possibility to add input forms/reports to his/her favorites, we need to add
Object | Value | Remark |
RSBPC_WKSP | Act: 23 Resource Type: LINK | Allow things to be added to "favorites" |
Consuming Local Objects
If our user should have permission to consume data from local providers, the authorization for the respective BW-workspace needs to be added. The name of this workspace corresponds to the name of the BPC environment:
Object | Value | Remark |
S_RS_WSPAC | Act: 16 (Execute) Name: myEnvironment | Access to local providers of the environment |