
No SAP Solution for bringing context-sensitive HR structural auth. to BI 7


I will take you on a journey through my problem

 

Present situation: in ECC (R/3 HR) system: HR Structural Authorizations have been implemented with the context-sensitive switch activated

 

Goal: HR Structural Authorization should become available in BI 7.0. Changes in the Organizational Structure in ECC (R/3 HR) should be automatically made available in SAP BI (on a daily basis).

 

SAP Solution: In the SAP Business Content, 2 DataSources (0HR_PA_2 & 0HR_PA_3) are available to bring the Structural Authorizations to BI. The inputs are the R/3 tables T77PR, T77UA & T77UU and the eventual output is the generated analysis authorizations in BI.

This method is described in these white papers:

- BW/HR Authorization ASAP for BW Accelerator (BW 3.0): https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/e1cba990-0201-0010-43ae-af579aee7a73

- BW 3.0 Authorizations, pages 6-34 (BW 3.0): https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/39f29890-0201-0010-1197-f0ed3a0d279f

 

Gap: implementing context-sensitive authorization means that the user-structural profile assignment is made within authorization object P_ORGINCON (field PROFL) rather than assignment via table T77UA (transaction OOSB). (edited on 01-07: we use the BAdI HRBAS00_GET_PROFL to get the profile values, otherwise structural profile authorization assignment has 2 sources which for me seems to be a recipe for confusion)

Table T77UA will not be maintained anymore, hence the input for the DataSources will be incorrect. SAP does not have a solution for this issue. In fact, I have found numerous unanswered questions about this topic, for example in the threads "Structural Authorizations in NetWeaver2004", "BI/HR Structural Authorizations", "Structural Authorizations in BI" and "BI 7.0 Context sensitive Structiral Authorizations".

 

Question: Does anybody know of a best practice which can solve this issue?

 

 

Possible solution I can think of:

 

Create a table join (ABAP report, Query or Quick view) which connects tables USR02, AGR_USERS and AGR_1251. Make the following selection variant:

Table-Field           Option    Value
USR02-GLTGV           LE        SY-DATUM
USR02-GLTGB           GE        SY-DATUM
AGR_1251-OBJECT       EQ        P_ORGINCON
AGR_1251-FIELD        EQ        PROFL
AGR_1251-DELETED      NE        X
AGR_USERS-FROM_DAT    LE        SY-DATUM
AGR_USERS-TO_DAT      GE        SY-DATUM

 

 

Your output will consist of a list with active userids and active structural profile values.

 

Now you have 2 options:

 

1. Use the output of the table join as an input for table T77UA for the sole reason to be able to use the standard DataSources 0HR_PA_2 & 0HR_PA_3. Of course, before each new output (daily) table T77UA should be made empty again. The table join, the clearing and updating of table T77UA and the extraction of the DataSources should be scheduled in a daily background job. The remainder of the procedure is the same as the default procedure for HR structural authorizations to BI.

 

2. Use the output of the table join as an input for report RHAUTH01. This will lead to an output of active users and the Organizational Units they are authorized for. This output can be loaded into a flat file (on a daily basis) and imported into BI. The remainder of the procedure is the same as the default procedure for using flat file authorization.

 

If you haven't lost me already(!) could you please let me know:

- if these solutions make sense

- what I am forgetting here

- if you have a better best practice (or standard SAP solution)

- which option you prefer and for what reason

 

Thank you very much for your cooperation!

 

Kind regards,

 

Lodewijk Borsboom

 

Edited by: Lodewijk Borsboom on Jan 7, 2009 10:12 AM
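
The table join and selection variant described in the post, as an added example that is not part of the original post: it runs the join in Python over an in-memory SQLite stand-in with constructed rows, so the result can be checked before building the ABAP report or query. Assumptions not stated in the post: the join keys (USR02-BNAME = AGR_USERS-UNAME, AGR_USERS-AGR_NAME = AGR_1251-AGR_NAME), the profile value being read from AGR_1251-LOW, and a USR02-GLTGB of 00000000 being treated as "no end date", which a plain `GE SY-DATUM` selection would drop.

```python
import sqlite3

# Constructed sample rows; only the columns used by the join are modelled.
USR02 = [  # BNAME, GLTGV (valid from), GLTGB (valid to)
    ("ALICE", "00000000", "00000000"),  # no validity limit maintained
    ("BOB",   "20080101", "20081231"),  # user expired
    ("CAROL", "20080101", "20091231"),
    ("DAVE",  "20080101", "20091231"),
]
AGR_USERS = [  # AGR_NAME, UNAME, FROM_DAT, TO_DAT
    ("Z_HR_MGR", "ALICE", "20080101", "99991231"),
    ("Z_HR_MGR", "BOB",   "20080101", "99991231"),
    ("Z_HR_MGR", "CAROL", "20080101", "20081231"),  # role assignment expired
    ("Z_HR_ADM", "CAROL", "20090101", "99991231"),
    ("Z_HR_OLD", "DAVE",  "20080101", "99991231"),
]
AGR_1251 = [  # AGR_NAME, OBJECT, FIELD, LOW, DELETED
    ("Z_HR_MGR", "P_ORGINCON", "PROFL", "ZMGR_NL", ""),
    ("Z_HR_MGR", "P_ORGINCON", "INFTY", "0001", ""),    # other field, ignored
    ("Z_HR_ADM", "P_ORGINCON", "PROFL", "ZADM_ALL", ""),
    ("Z_HR_OLD", "P_ORGINCON", "PROFL", "ZOLD", "X"),   # deleted authorization
]

def load_sample():
    """Build the in-memory stand-in for the three tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE USR02 (BNAME, GLTGV, GLTGB)")
    conn.execute("CREATE TABLE AGR_USERS (AGR_NAME, UNAME, FROM_DAT, TO_DAT)")
    conn.execute("CREATE TABLE AGR_1251 (AGR_NAME, OBJECT, FIELD, LOW, DELETED)")
    conn.executemany("INSERT INTO USR02 VALUES (?,?,?)", USR02)
    conn.executemany("INSERT INTO AGR_USERS VALUES (?,?,?,?)", AGR_USERS)
    conn.executemany("INSERT INTO AGR_1251 VALUES (?,?,?,?,?)", AGR_1251)
    return conn

def active_profiles(conn, today):
    """(user, structural profile) pairs valid on `today` (YYYYMMDD string)."""
    return conn.execute("""
        SELECT DISTINCT u.BNAME, a.LOW
          FROM USR02 AS u
          JOIN AGR_USERS AS r ON r.UNAME = u.BNAME
          JOIN AGR_1251  AS a ON a.AGR_NAME = r.AGR_NAME
         WHERE u.GLTGV <= :d
           AND (u.GLTGB >= :d OR u.GLTGB = '00000000')  -- assumption: no end date
           AND r.FROM_DAT <= :d AND r.TO_DAT >= :d
           AND a.OBJECT = 'P_ORGINCON' AND a.FIELD = 'PROFL'
           AND a.DELETED <> 'X'
         ORDER BY u.BNAME, a.LOW""", {"d": today}).fetchall()
```
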

