Hi,
The Virtual Authorizations' BAdI will certainly be helpful in your scenario. If you have to maintain 1000+ authorization objects / roles (and possibly subject to frequent changes), the regular concept of authorization objects and roles becomes unmanageable. Here comes the added value of the Virtual Authorizations' approach.
It should be possible to combine it with the 0TCA* DSOs which you mentioned. Alternatively, you can define and fill custom tables. It depends on where you are maintaining the authorization data. If you maintain it BW, then a table could be the best choice. If you maintain it elsewhere, the an upload into the 0TCA* DSOs might be a good choice.
An alternative approach could be the generation scenario with the mentioned 0TCA* DSOs. However, please be aware of the massive number of 1000+ objects / roles which have to be generated and assigned.
Last but not least, you should be able to store Key Figure authorization in DSO 0TCA_DS01. You have to use:
0TCTIOBJNM = 0TCAKYFNM
0TCTSIGN = I
0TCTOPTION = EQ
0TCTLOW = <key_figure>
Best regards,
Sander