Learning Objectives
Objects in BW3.0
Learn the basics of Planning and Strategize BW Authorizations
Know the dos and don'ts on BW Authorizations
SAP NetWeaver
People Integration: Multi-Channel Access, Portal, Collaboration
Information Integration: Business Intelligence, Knowledge Management
Process Integration: Integration Broker, Business Process Management
Application Platform: J2EE, ABAP
Composite Application Framework
Life Cycle Management
.NET
WebSphere
Agenda
Special Topics on BW Reporting Authorizations
Planning & Strategize BW Authorizations
What's New in BW 3.0
The Dos and Don'ts
Tracing Authorizations in BW
Users are assigned roles
Roles contain profiles
Profiles contain authorizations
Roles are maintained using same tool (PFCG transaction)
Can be administered via CUA (Central User Administration)
Authorization objects define specific permissions
There are standard authorization objects available in the system
What's different
Unique BW Objects (InfoProvider, InfoArea, InfoObject, Query)
Unique SAP BW Authorization Tool to administer BEx Reporting data security
It is possible to use variable security runtime parameters
It is possible to generate profiles from datasources
[Figure: SAP BW architecture. Business Explorer (Analyzer); Administrator Workbench (Administration, Scheduling, Monitor); Meta Data Repository; OLAP Processor; InfoCubes; ODS; Data Extractor; Non R/3 Production Data; Non R/3 OLTP Applications]
SAP AG 2003 ASUG BITI Forum Session 709, Amelia Lo / 10
Types of BW Authorizations
Reporting
no authorization relevant object definition is delivered
set of tools to define customer specified concept
embedded in SAP BW administration
[Figure: Object, Field (0..10), Value]
SAP BW InfoProviders
SAP BW Objects
Authorizations
Tracing Authorizations in BW
Characteristic Variable
RESULT:
Amelia has authorization to view HR_US ONLY!
HR_EMEA
HR_US
OSS note 653383
HR_ASIA
HR_EMEA
HR_US
HR_ASIA
OSS notes 653383, 557924
$VAR
$VAR initiates User Exit
Read Customer AUTH Table
User Exit RSR00001
Structure: RRRANGEEXIT
ZAUTH
RESULT:
Brain 804 no authorization
Solution:
Define and use Hierarchy Node Variable
Tracing Authorizations in BW
Tracing Authorizations
Note: The ST01 trace can be used in either BW or the R/3 source system.
Agenda
BW Authorizations Overview
Planning & Strategize BW Authorizations
What's New in BW 3.0
The Dos and Don'ts
Guiding Principles
Integrate in your Development Life Cycle
Plan Authorizations early on in your Development Life Cycle
Collect Authorizations requirements at the Blueprint Phase
Identify and assign Data Ownership
Develop an Authorizations Matrix to collect authorization requirements for the Blueprint Phase
Define BW Reporting Objects for InfoObjects per step 6
Consider using Hierarchy node authorization based on user access pattern
For complex & detailed authorizations needs, consider using Authorizations Variable to ease maintenance
Develop BW User Security request and approval processes
Consider a Web-based authorization request workflow and user guide
Develop a BW Security Administration checklist
Define Periodic BW Security Reviews and Assessment Process
22. BW Authorizations Training for Security Administrators
23. Include BW Authorizations impact on data access as a part of the BW user training.
Agenda
BW Authorizations Overview
Planning & Strategize BW Authorizations
What's New in BW 3.0
The Dos and Don'ts
S_RS_COMP1
Is checked additionally with S_RS_COMP
Checks for authorizations on query components dependent on the owner (creator RSZOWNER)
Authorizations are necessary, e.g. for creating queries
S_RS_FOLD
Suppress InfoArea view of BEx elements
Specify X (true) in the authorization maintenance for suppressing
S_RS_ISET
For displaying / maintaining InfoSets (new object in BW)
S_RFC
Authorization for GUI activities
Add following RFC_NAMEs with RFC_TYPE FUGR and ACTVT 16
RRXWS: BW Web Interface
RS_PERS_BOD: Personalization of BEx Open Dialog
RSMENU: Roles and Menus
S_GUI
Authorization for GUI activities. Add the activity 60 (upload)
ODS Population
From R/3: HR Structural Authorizations
From R/3: Cost Center (BW 3.1 content)
From Flat Files
[Figure: ODS population. InfoObjects: 0TCTAUTHH, 0ORGUNIT, 0EMPLOYEE. ODS-Objects: Value (0TCA_DS01), Hierarchy (0TCA_DS02), Text (0TCA_DS03), User Assign (0TCA_DS04). SAP BW Server: DataSource (replicated Metadata), Mapping & Transfer Rules, InfoSource, Update Rules. Sources via BW S-API: R/3, File, Other]
HR Structural Authorizations
Key Benefits
Reduced the Redundant Security Setup
Provide Cross System Consistency
Structural Authorization in BW
[Figure: Structural Authorization in BW. R/3 OLTP: R/3 Org. Structure; T77PR (Profile), T77UA (Assignment), T77UU (User); RHBAUS00; INDX Cluster; Data Sources (0HR_PA_2 & 0HR_PA_3). BW: PSA; Transfer Rules; Update Rules; Struc Auth; RSSM Trans OR Program Modules RSSB_Generate_Authorizations; Security Check]
Create Structural Authorization Profile (IMG or TR-OOSP)
Assign User to Profile (IMG or TR-OOSB)
Update T77UU table to include User Name
Execute program RHBAUS00 to create INDX
Activate 0HR_PA_2 & 3 DataSource in R/3 and BW
Activate or Create 0HR_PA_2 & 3 InfoSource & Communication Structure
Use Transaction code: RSSM or Execute RSSB Function Modules to generate BW Authorization
Create Authorization Variables
Create Query with Authorization Variables
Steps 0 to 6:
Determine what you want to secure
Mark InfoObjects Auth. Relevant
Create Authorization Value InfoSource & ODS
Create Authorization Hier InfoSource & ODS
Create Update Rules for ODS Loads
Generate Profiles via RSSM or RSSB program
Create Authorizations Variable in Query Def.
Notes:
Mapping Objects & create Flat file
Define Reporting Auth Object via RSSM
Use 0TCA_DS01 as template; ODS name must be xxxx_DS01
Use 0TCA_DS02 as template; ODS name must be xxxx_DS02
The date format = yyyymmdd or per your default format
Several Objects can be defined as constant
RSSM: Find your ODSs & Mark Auth Obj
Exec RSSB_Generate_Authorizations
Define Variables for Auth InfoObjects
Include Variables in your Queries
Alternatives
For top executives: set up a role to give full authorizations
Use Hierarchy variables for queries initial view with Hierarchy
Use RSR00001 User exit against the populated ODSs
How To Paper
HTTP://WWW.Service.SAP.com/BW -> Service & Implementation -> How to Papers
Agenda
BW Authorizations Overview
Planning & Strategize BW Authorizations
What's New in BW 3.0
The Dos and Don'ts
Check out the BW Online document on Security with Scenarios
Use caution with requests for user query publishing in Production
Limit number of users authorized
Set up specific user-published reporting roles with an administrative process (clean-up) and alert users that these are Uncertified Reports
Don'ts
Don't set up field-level specific security just because you've been asked
Challenge the requester for legal or policy requirements
Further Information
Public Web: www.sap.com/solutions/bi/
SAP Customer Services Network: www.service.sap.com/BW
Consulting Contact
Roy Wood, VP SAP NetWeaver Consulting Practice (r.wood@sap.com)