Module 13: Authorizations in BW/4HANA (BW/4HANA 2.0)

Authorizations in BW/4HANA control who can see which data, not just who can run a report.
Unlike OLTP systems, BW authorizations are data-driven and analytical.

This module covers:

Analysis authorizations
BW authorization objects
Variable-based authorizations
CDS-based authorization (intro)
BW vs S/4HANA authorization concepts

1. Authorization Philosophy in BW/4HANA

BW authorization design focuses on:

Data visibility (row-level security)
Analytical semantics
Central governance

Key Difference

BW answers "What data can the user analyze?",
S/4 answers "What transaction can the user execute?"

2. Analysis Authorizations (Core BW Concept)

2.1 What are Analysis Authorizations?

Analysis Authorizations restrict data access based on:

Characteristics (e.g. Company Code, Sales Org)
Characteristic values
Authorizations assigned to users

They are evaluated:

At query runtime
Per user session

2.2 How Analysis Authorizations Work

User
 ↓
Assigned Analysis Authorization
 ↓
Characteristic Restrictions
 ↓
BW Query Result

Example:

User can see:

Company Code = 1000, 2000

2.3 Authorization-Relevant Characteristics

Only characteristics marked as:

Authorization-Relevant = X

are checked during query execution.

Best Practice

Mark only truly sensitive characteristics as authorization-relevant.

3. Authorization Objects in BW/4HANA

3.1 Key BW Authorization Objects

Authorization Object	Purpose
S_RS_AUTH	Analysis authorizations
S_RS_COMP	InfoProvider access
S_RS_COMP1	Query-level access
S_RS_ADMWB	Modeling permissions
S_RS_DTP	Data load permissions

3.2 Separation of Duties

Role	Typical Permissions
Modeler	Design-time access
Operator	Load & monitoring
End User	Query execution

warning

Never mix modeling and data consumption roles.

4. Variable-Based Authorizations

4.1 What are Variable-Based Authorizations?

Variable-based authorizations dynamically restrict data using:

Variables
User attributes
Derived values

Example:

Company Code = User Attribute

4.2 Typical Use Cases

Country-based access
Region-based reporting
User-specific defaults

4.3 Best Practices

Use replacement path variables
Align variables with master data

AVOID

Complex customer exit logic
Hardcoded user logic

5. CDS-Based Authorization (Intro)

5.1 CDS Authorizations – What They Are

CDS-based authorizations use:

DCL (Data Control Language)
Roles defined on CDS views

Primarily used in:

S/4HANA Embedded Analytics
HANA-native scenarios

5.2 CDS Authorizations in BW Context

Important

CDS authorizations are not a replacement for BW analysis authorizations.

In BW/4HANA:

CDS auth may apply to Open ODS Views
BW Queries still rely on analysis authorizations

When CDS Authorization Makes Sense in BW

Federated scenarios
Direct HANA access
Mixed BW + Embedded analytics

6. BW vs S/4HANA Authorization Concepts (Very Important)

Conceptual Comparison

Aspect	BW/4HANA	S/4HANA
Focus	Data visibility	Transaction control
Granularity	Row-level	Object/action-level
Evaluation	Query runtime	Transaction runtime
Tools	Analysis auths	PFCG roles

Practical Example

Scenario	BW	S/4
Company Code restriction	Characteristic-based	Authorization object
Report execution	Query-level	Transaction code
Data filtering	Runtime	Pre-execution

Interview One-Liner

BW authorizations filter data; S/4 authorizations control actions.

7. Authorization Design Best Practices (VERY IMPORTANT)

DOs

Design authorizations early
Use authorization-relevant characteristics wisely
Reuse authorization concepts
Test with real user roles

DON'Ts

Don't mark too many characteristics as auth-relevant
Don't hardcode user logic
Don't mix BW & CDS auth concepts blindly

8. Common Authorization Issues

Issue	Root Cause
No data visible	Missing analysis auth
Partial data	Wrong characteristic restriction
Performance issue	Too many auth-relevant chars
Inconsistent results	Mixed auth models

9. Interview-Grade Questions

Q1. What are analysis authorizations in BW?

Answer: Analysis authorizations restrict data access at runtime based on characteristic values and are evaluated during BW query execution.

Q2. Can CDS authorization replace BW authorization?

Answer: No. CDS authorization is primarily for embedded analytics. BW queries still rely on BW analysis authorizations.

10. Summary

Analysis authorizations are core to BW
Authorization objects control design vs execution
Variable-based auth enables dynamic restrictions
CDS auth is complementary, not a replacement
BW and S/4 authorization concepts differ fundamentally

11. What's Next?

➡️ Module 14: Process Chains & Automation

Learning Tip

Security mistakes in BW are data leaks, not just technical bugs.

1. Authorization Philosophy in BW/4HANA​

2. Analysis Authorizations (Core BW Concept)​

2.1 What are Analysis Authorizations?​

2.2 How Analysis Authorizations Work​

2.3 Authorization-Relevant Characteristics​

3. Authorization Objects in BW/4HANA​

3.1 Key BW Authorization Objects​

3.2 Separation of Duties​

4. Variable-Based Authorizations​

4.1 What are Variable-Based Authorizations?​

4.2 Typical Use Cases​

4.3 Best Practices​

5. CDS-Based Authorization (Intro)​

5.1 CDS Authorizations – What They Are​

5.2 CDS Authorizations in BW Context​

When CDS Authorization Makes Sense in BW​

6. BW vs S/4HANA Authorization Concepts (Very Important)​

Conceptual Comparison​

Practical Example​

7. Authorization Design Best Practices (VERY IMPORTANT)​

8. Common Authorization Issues​

9. Interview-Grade Questions​

Q1. What are analysis authorizations in BW?​

Q2. Can CDS authorization replace BW authorization?​

10. Summary​

11. What's Next?​