Beginners Guide On BI Security

Beginners Guide on BI Security
Applies to:
SAP Business Intelligence 7.0 For more information, visit the Security homepage.
Summary
In this unit we will focus only the options for securing SAP BI administrator and the system security requirements for BI.Here it will List the types of tasks required by administration users and describe how to secure those tasks. Author: Ashok Dalai
Company: Intelligroup Inc Created on: 06 October 2008
Author Bio
Ashok Dalai has more than 3 and half years of experience. He has good understanding of SAP R3 and NetWeaver Components. He worked in r3 security, BI security and CRM security and currently working for Intelligroup Inc as a Basis Consultant.
SAP COMMUNITY NETWORK 2008 SAP AG
SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com 1
Table of Contents
Course Overview ................................................................................................................................................3 Securing Data Warehousing Workbench Objects ..............................................................................................4 Data Warehousing Objects Secured with S_RS_ADMWB.............................................................................4 Authorization Object S_RS_ICUBE ................................................................................................................6 Authorization Object S_RS_DS2 ....................................................................................................................9 Authorization Object S_RS_DTP ..................................................................................................................10 Authorization Object S_RS_ISNEW .............................................................................................................11 Authorization Object S_RS_ISRCM..............................................................................................................13 Authorization Object S_RS_TR ....................................................................................................................14 Authorization Object S_RS_IOBJ .................................................................................................................15 Securing Process Chains..............................................................................................................................16 Authorization Object S_RS_OHDST.............................................................................................................17 Securing Master Data and Documents .........................................................................................................18 Securing BI Documents ................................................................................................................................20 System Communication Security ..................................................................................................................21
BI Security Setup .......................................................................................................................................................21 Other SAP Security Set Up ........................................................................................................................................21 RFC Destinations.......................................................................................................................................................22 Using the <RFC_DESTINATION>_DIALOG Destination ...........................................................................................23
Related Content................................................................................................................................................24 Disclaimer and Liability Notice..........................................................................................................................25
Course Overview
There are two major types of authorizations in BI. One type focuses on Administrative users and another type focuses on Reporting users. Authorizations for Administrative users in many ways Parallel to mySAP ERP security, but securing BI reporting users is much different. In this unit we will focus only the options for securing SAP BI administrator and the system security requirements for BI. Here it will List the types of tasks required by administration users and describe how to secure those tasks. 1. Explain how to secure Data Warehousing Workbench objects such as InfoProviders, Data Transfer 2. Processes, DataSources, Open Hub Destinations and Process Chains. 3. Explain how to protect maintenance of Master Data and Documents. 4. Briefly describe how to secure Information Broadcasting distribution and Data Mining Objects. 5. Explain the required security set up for communication between BI and other systems. 6. Explain the RFC destinations required.
Securing Data Warehousing Workbench Objects

BI Administrators must have access to DataWarehousing Workbench objects, such as InfoProviders, Data Transfer processes, Process Chains, Reporting Agent objects, Open Hub destinations, and DataSources. Administrators must also create and maintain many other DataWarehousing objects. Authorization object S_RS_ADMWB protects these objects. There are only 2 fields attached to this authorization object: Data Warehousing object, and activity. However, this authorization object secures many different Data Warehousing objects.
Data Warehousing Objects Secured with S_RS_ADMWB

SourceSys Source system InfoObject InfoObject Monitor Monitor ApplComp Application component InfoArea InfoArea Workbench Data Warehousing Workbench Settings Settings MetaData Metadata InfoPackag InfoPackage and InfoPackage group RA_Setting Reporting Agent setting RA_Package Reporting Agent package DOC_META Documents for metadata DOC_MAST Documents for master data DOC_HIER Documents for hierarchies DOC_TRAN Documents for transaction data DOC_ADMIN Administration of document storage CONT_ADMIN Administration of BI Content systems CONT_ACT Installation of BI Content BR_SETTING Broadcast settings (not including your own settings, which have one of the following distribution
types: Broadcast E-Mail, Broadcast to Portal, Broadcast to Printer) USE_DND Drag and drop to InfoAreas and application components
Note: For authorizations at naming convention level, you need to note the following: User A can edit InfoProviders that lie in InfoAreas with prefix /AB/. User A cannot edit an InfoProvider that lies in InfoArea /CD/. However, if the user has drag and drop authorization, the user can move the InfoProvider from /CD/ to /AB/ and edit it from there. CNG_RUN Attribute change run REMOD_RULE Modeling Rule "Modeling Rule" for the remodeling tool IMG_BI BI-relevant activities in the IMG (Customizing) OLAP_CACHE OLAP cache objects BIA_ZA BI accelerator monitor checks and activities
Activity: Specifies whether you are permitted to display or maintain a subobject

Display Source System (Activity = 03) Display InfoObject (Activity = 03) Display Monitor (Activity = 03) Display Reporting Agent Setting (Activity=03) Display Reporting Agent Package (Activity=03) Display Documents for Metadata (Activity=03) Display Documents for Master Data (Activity=03) Display Documents for Hierarchies (Activity=03) Display Documents for Transaction Data (Activity=03) Maintain Source System (Activity = 23) Maintain Application Component (Activity = 23) Maintain InfoArea (Activity = 23) Maintain InfoObject (Activity = 23) Maintain Settings (Activity = 23) Maintain InfoPackage (Group) (Activity = 23) Maintain Reporting Agent Setting (Activity=23) Maintain Reporting Agent Package (Activity=23) Maintain Documents for Metadata (Activity=23) Display Documents for Metadata (Activity=03) Maintain Documents for Master Data (Activity=23) Display Documents for Master Data (Activity=03) Maintain Documents for Hierarchies (Activity=23) Display Documents for Hierarchies (Activity=03) Maintain Documents for Transaction Data (Activity=23) Display Documents for Transaction Data (Activity=03) Manage Document Storage (Activity=23) Manage Content Systems (For example, Switch to Content System) (Activity=23) Install BI Content (Activity = 63) Display Broadcast Settings (Activity=03) Execute Broadcast Settings (Activity=16) Maintain Broadcast Settings (Activity=23) Execute Data Warehousing Workbench (Activity = 16) Update Metadata (Activity = 66) Drag and drop to InfoAreas and Application Components in the DW Workbench (Activity = 16) Start Attribute Change Run (Activity = 16) Display OLAP Cache Objects (Activity = 03) Delete OLAP Cache Objects (Activity = 06) Display BI Accelerator Monitor Check Results (Activity = 03) Execute BI Accelerator Monitor Actions (Activity = 16)
Authorization Object S_RS_ICUBE Authorization object S_RS_ICUBE protects InfoCubes and the InfoCube sub-objects. Using this authorization object, you can restrict work with the InfoCubes or their subobjects. The object contains four fields InfoArea: o
Here you enter the InfoArea key for which the user can edit InfoCubes.
InfoCube: o
A user is permitted to edit the InfoCubes that you specify here.
Notes on InfoCube: o
You use this subobject to specify the part of the InfoCube that the user is permitted to edit. The following subobjects exist:
o o o o o o o o
Definition - Definition UpdateRule - Update rules Aggregate - Aggregate Data - Data ExportISrc - Export DataSource Chavlrel - Characteristic relationships (planning relevant) Dataslice - Data slices (planning relevant) DAP - Data archiving process (modeling)
Activity:
Specifies whether you are permitted to display, delete, or update a subobject.
o o o o o o o o o o o o o o o o
Display InfoCube Definition (activity = 03) Display InfoCube Update Rules (activity = 03) Maintain InfoCube Data (Manage InfoCube) (activity = 23) Display InfoCube Aggregate (activity = 03) Delete InfoCube Data (activity = 06) Maintain InfoCube Definition (activity = 23) Maintain InfoCube Update Rules (activity = 23) Maintain InfoCube Aggregate (activity = 23) Maintain InfoCube Export DataSource (activity = 23) Update InfoCube Aggregate (activity = 66) Display InfoCube Characteristic Relationships (activity = 03) Maintain InfoCube Characteristic Relationships (activity = 23) Deactivate InfoCube Characteristic Relationships (activity = 63) Display InfoCube Data Slices (activity = 03) Maintain InfoCube Data Slices (activity = 23) Deactivate InfoCube Data Slices (activity = 63)
Some other important authorization object related to Data Warehousing Workbench objects.
Authorization Object S_RS_DS2 Authorization to secure datasources is S_RS_DS2. Using this authorization object, you can restrict work with the new DataSource or its subobjects. The object contains three fields:
DataSource: Enter the name of the DataSource that a user is allowed to edit. Source System: Specify the name of the source system for which a user is allowed to edit DataSources. DataSource Subobject: When you specify a subobject, you specify the part of the DataSource that the user is permitted to edit. There are the following subobjects:
o o o
DEFINITION: Definition DATA: Data INFOPACK: InfoPackage
Activities:
o o o o o o o o
Display DataSource definition (activity = 03) Maintain DataSource definition (activity = 23) Display PSA data (activity = 03) Maintain PSA data (activity = 23) Delete PSA data (activity = 23) Request data (activity = 49) Display DataSource InfoPackage (activity = 03) Maintain DataSource InfoPackage (activity = 23)
Authorization Object S_RS_DTP The authorizations assigned for the Data Transfer Process (DTP) object, S_RS_DTP, have a higher priority than the authorizations for the underlying objects. Users that have a DTP authorization for a source/target combination do not need read authorization for the source object or write authorization for the target object to execute the DTP.
With this authorization object you can restrict work with the data transfer process (DTP).
The object contains seven fields:

Type of Source: Specify the type of source here that which a user can create a DTP Subtype of the Source: Here, specify the subtype of the source for which a user can create a DTP. Source: Specify the name of the source for which a user can create a DTP Type of Target: Specify the type of target here for which a user can create a DTP Subtype of the Target: Specify the subtype of the target for which a user can create a DTP. Target: Specify the name of the target for which a user can create a DTP Activities:
o o o
Display DTP definition (activity = 03) Maintain DTP definition (activity = 23) Execute DTP (activity = 16)
Note that the subtypes currently only exist for the type InfoObject. Possible alternatives are ATTRIBUTES, and HIERARCHIES. If no InfoObject was selected as type the standard setting '*' is to be selected.
The authorizations assigned for the DTP object have a higher priority than the authorizations for the underlying TLOGO objects. Users that have DTP authorization for a source/target combination, thus require no read authorization for the source object and no write authorization for the target object for execution of the DTP.
Authorization Object S_RS_ISNEW Authorization to secure InfoSource is S_RS_ISNEW. (Release > BW 3.x) The authorization object includes three fields:
Application component: Enter the key for the application component here for which a user can
edit InfoSources.
InfoSource: Specify the InfoSources here that a user can edit. Activities:
Display InfoSource (Activity = 03) Maintain InfoSource (Activity = 23)
You can use the authorization object S_RS_ISOUR to restrict the handling of InfoSources with flexible updating and their subobjects. The authorization object contains four fields:
Application component: Enter the application component key here for which a user is allowed to edit
InfoSources.
InfoSource: Enter the InfoSources with flexible updating the user is allowed to edit here. Subobject for InfoSource: You use the subobject to specify the part of the InfoSource that the user is
allowed to edit.
The following subobjects exist: o o o o o o

Definition Definition CommStruc Communication structure TrnsfrRule Transfer rules Data Data InfoPackag InfoPackage MetaData Metadata
Activity: Determines whether you are allowed to display maintain, request or update a subobject:
o o o o o o o o o o o
Display InfoSource definition (Activity = 03) Display InfoSource communication structure (Activity = 03) Display InfoSource transfer rules (Activity = 03) Display InfoSource data (Activity = 03) Maintain InfoSource definition (Activity = 23) Maintain InfoSource communication structure ,(Activity = 23) Maintain InfoSource transfer rules (Activity = 23) Maintain InfoSource InfoPackage (Activity = 23) Maintain InfoSource data (Activity = 23) Delete InfoSource data (Activity = 06)
Request InfoSource data (Activity = 49)
The display and maintenance of the InfoSource data is checked in the PSA tree and in the monitor.
Authorization Object S_RS_ISRCM Authorization object S_RS_ISRCM you can restrict handling of InfoSources with direct updating (for master data) or with their subobjects. The object contains four fields:
Application components: Here you enter the application component key for which a user is allowed to
edit master data InfoSources.

InfoSource: A user is allowed to edit the master data InfoSources you specify here. Subobject for the InfoSource: You can use the subobject to specify the part of the InfoSource the
user is allowed to edit. The following subobjects are available: o o o o

TrnsfrRule Transfer rules Data Data InfoPackag InfoPackage MetaData Metadata
Activity: Determines whether you are allowed to display, maintain, request or update a subobject:
o o o o o
Display InfoSource transfer rules (Activity = 03) Display InfoSource data (Activity = 03) Maintain InfoSource transfer rules (Activity = 23) Maintain InfoSource InfoPackage (Activity = 23) Maintain InfoSource data (Activity = 23)
o o
Delete InfoSource data (Activity = 06) Request InfoSource data (Activity = 49)
Display and maintenance of InfoSource data is checked in the PSA tree and in the Monitor.
Authorization Object S_RS_TR With the authorization object S_RS_TR you can restrict working with the transformations. The object contains seven fields:
Type of Source: Enter the type of source here for which a user can create a transformation Subtype of Source: Specify the subtype of the source here for which a user can create transformation
rules.
Source: Enter the name of the source for which a user can create a transformation. Type of Target: Specify the type of target for which a user can create a transformation here Subtype of Source: Specify the subtype of the target for which a user can create a transformation. Target: Specify the name of the target for which the user can create a transformation Activities:
o o
Display transformation rules (Activity = 03) Maintain transformation rules (Activity = 23)
Note: That subtypes only exist for the TLOG type InfoObject. Possible alternatives are "ATTRIBUTES", "TEXTS" and "HIERARCHIES".
If no InfoObject was selected as a TLOGO type the standard setting '*' should be selected
Authorization Object S_RS_IOBJ You can use the authorization object S_RS_IOBJ to restrict how users work with InfoObjects and their subobjects. The object has four fields:
InfoObjectCatalog: This is where you specify the key of the InfoObject catalog that a user is authorized to work with. InfoObject: A user is authorized to work with the InfoObjects that you specify here. Sub-object of the InfoObject: You use the sub-object to specify the parts of the InfoObject that a user
is permitted to work with. There are the following sub-objects: o o

Definition UpdateRule
Activity: Determines whether a user is allowed to display, delete, maintain, or update a sub-object.
o o o o
Display InfoObject-Definition (Activity = 03) Maintain InfoObject-Definition (Activity = 23) Display InfoObject-Update Rules (Activity = 03) Maintain InfoObject-Update Rules (Activity = 23)
Note: This authorization object is checked only if the user is not authorized to maintain or display InfoObjects (authorization object: S_RS_ADMWB-InfoObject, activity: maintain/display)
Securing Process Chains For the administration processes that are included in a process chain, authorization for authorization object S_RS_ADMWB is required.
To create and maintain process chains, authorization for authorization object S_RS_PC is required. This authorization object determines whether process chains can be displayed, changed or executed, and whether logs can be deleted.
The object includes four fields:
Process chain: o
Here you enter the name of the process chain that a user can edit.
Application Components: o
Here you enter the name of the application components the process chains of which a user can edit.
Subobject of the process chain: o

With the subobject, you specify the part of the process chain that can be edited by the user. The following subobjects exist:
o o o
Definition - Metadata of process chain Protocols - Protocols of process chains Runtime - Execution of process chain
Activity:
Determines whether you can display, delete or maintain a subobject. o o o o

Display process chain definition (activity = 03) Maintain process chain definition (activity= 23) Delete protocols for a process chain (activity = 06) Execute or schedule a process chain (activity = 16)
Authorization Object S_RS_OHDST With the authorization object S_RS_OHDST you can restrict working with an Open Hub Destination or its subobjects. The object contains four fields: Open Hub Destination: o
Here you enter the name of the Open Hub Destination that a user can edit.
Logical Target System for Open Hub: o

Here you enter the name of the logical target system for which a user can edit the Open Hub Destinations.
Subobject for Open Hub Destination: o

With the subobject, you specify the part of the Open Hub Destination that can be edited by the user. The following subobjects exist:
o o
Definition - Metadata for the Open Hub Destination Data - Data
Activity:
Determines whether you are allowed to display, delete or maintain a subobject. o o o o

Open Hub Destination- Display definition (Activity = 03) Open Hub Destination-Maintain definition (Activity= 23) Display data for an Open Hub Destination (Activity = 03) Maintain data for an Open Hub Destination (Activity= 23)
Securing Master Data and Documents In order to be able to change or display master data, authorization checks are made. Authorization assignments and checks are defined by characteristic, or by characteristic value.
To grant authorizations for characteristics, activate authorization assignment by setting Authorization Check indicator in the Master Data/Texts tab page. The next step is to create a role with the authorizations.
Two authorization objects exist for this: S_RS_IOMAD a blanket authorization check takes place for a characteristic. S_TABU_LIN an authorization check takes place by characteristic value.
With authorization checks by characteristic value, the system generates an organization criterion for the characteristic. The organization criterion generates a connection between table key fields and the authorization fields for the authorization object S_TABU_LIN. Using authorization object S_TABU_LIN you are able to enter characteristic values in each key field of the master data table for which the user is to have authorization. Do this in the profile generator in role maintenance. In this way you are able to use authorizations to protect the maintenance and display of master data/ texts for this characteristic at single record level. Characteristic values for which the user has no authorization are then not displayed in the input helps either. To grant authorizations for characteristics, proceed as follows: Activate authorization assignment by characteristic value by setting the Master Data Maintenance with Authorization Check indicator in the Master Data/Texts tab page. Activate the characteristic. In Role Maintenance (Transaction PFCG): For blanket authorizations for characteristics, add authorization object S_RS_IOMAD to the role. For authorizations for single characteristic values, add authorization object S_TABU_LIN to the role.
Securing BI Documents In order to edit documents in the Documents functional area of the Data Warehousing Workbench, the user needs authorization for the authorization object S_RS_ADMWB, Data Warehousing Workbench Object, with the following: Metadata: DOC_META Authorization to display or to edit a metadata object also authorizes the user to display or edit the documents for these metadata objects. Valid activities are: 03 (display), 23 (maintain) Master data: DOC_MAST Authorization to display or to edit in specific master data also authorized the user to display or edit the documents for these characteristic values. Valid activities are: 03 (display), 23 (maintain) InfoProvider data: DOC_TRAN Authorization objects for transaction data, InfoProviders, are not delivered. They are created as required using Analysis Authorizations (RSECADMIN).
Each analysis process is only valid for the application for which it was created. The authorizations are also assigned specific to an application and are protected with authorizations object RSANPR.
The only authorization necessary for the online execution of broadcasting settings is the authorization for the execution of the underlying reporting objects (for example, the Web template). Any user that has authorization to create background jobs also has authorization for direct scheduling in the background. The authorization object S_BTCH_NAM is required for regular scheduling in background jobs.
System Communication Security This lesson will discuss security regarding communication between BI and other systems. As data is being extracted from source systems and transferred into BI, you want to ensure that the data is adequately protected. You need to understand the RFC destinations and how they are affected by security. To set up system security, you must set up security for all SAP source systems sending data to BI, in addition to setting up security on BI. BI Security Setup In BI, you should create a system (not a dialog) user called BWREMOTE. BWREMOTE should have the authorization profile S_BI-WHM_RFC.
Note: S_BI-WHM_RFC is a profile, not a role.
This profile will give user BWREMOTE the access needed to extract from an OLTP system. The profile also provides the access required for staging steps to get the data into InfoCubes. Other SAP Security Set Up You must set up a user on each SAP system sending data to BI. This includes mySAP ERP, Customer Relationship Management (CRM), Supplier Relationship Management (SRM), Advanced Planning Optimizer (APO), R/3 or any other component SAP system that is sending data to BI. On each of these systems, you should create a system user called BWALEREMOTE. This user should have the authorization profile S_BI-WX_RFC.
Note: S_BI-WX_RFC is a profile, not a role.
This profile will give user BWALEREMOTE the access needed to connect and send data to the BI system.
It is permissible to use a different name for the users BWREMOTE and BWALEREMOTE. What matters is that the user in BI has the profile S_BI-WHM_RFC and the user in the other SAP system has the profile S_BI-WX_RFC.
RFC Destinations RFC (Remote Function Call) destinations tell BI where the source systems are physically located. RFC destinations on the SAP source system tell the source system where the BI system is physically located. RFC destinations define where the other systems reside and how to log on to the other systems.
Setting up RFC destinations is normally not the responsibility of the security administrator. However, the security administrator normally creates the user that is used in the RFC destinations. The following graphic shows transaction code SM59 on a BI system. This RFC destination is pointing to an SAP system by providing the location of the system and details on how to log on to that system. Whenever this RFC destination is used, you see BWALEREMOTE, who is logged on to the SAP system. The extraction program that uses the RFC destination has access to all objects to which the user BWALEREMOTE has access.
Using the <RFC_DESTINATION>_DIALOG Destination The RFC destination we discussed is used for data extraction. The user IDs involved should be set up as system users. A system user ID cannot log on to a system via a normal GUI screen. The user ID is only for background communication. These user IDs are used exclusively for data extraction processes. Data extraction, however, is only one of the processes that may require communication between BI and another system. For other system-to-system communication processes in BI, there is another RFC destination defined: the <RFC_DESTINATION>_DIALOG destination. One of the features of BI reporting that relies on system-to-system communication is Query Drill-Through (also referred to as jump targets). With Query Drill-Through, the reporting user can select a line on a BI query result and jump to other queries in BI, or even to other reports or transactions in mySAP ERP. For example, the user may run a BI query showing key figures by material. If configured properly, the user could select a particular material on the report and then ask to jump to mySAP ERP and display the material master record. In this case, BI has to be able to communicate with mySAP ERP in order to log on and execute the transaction code to display the material master record. Another case where the <RFC_DESTINATION>_DIALOG destination is required involves the monitoring of the data extracted from the source systems. The BI administrator can do this from the BI system. Status indicators from the extraction process are stored in IDOC format. In the BI Monitoring screen, there is an OLTP button. This will connect the BI administrator to mySAP ERP so that the administrator can monitor the IDOCS on that system. Whenever the SAP BW administrator selects OLTP, the RFC destination <RFC_DESTINATION>_DIALOG is invoked. The following figure depicts the screen from the monitor function where this RFC destination is being used.
When setting up the RFC destination <RFC_DESTINATION>_DIALOG, you have some choices regarding the user ID specified: Force the user to always log on to mySAP ERP after selecting OLTP by leaving the User field blank in <RFC_DESTINATION>_DIALOG. Create a generic user in mySAP ERP with access to monitor IDOCS; use this user in the FC_DESTINATION>_DIALOG destination. In the RFC destination, select Current User. This will use the current BI user's user ID to log them on to mySAP ERP. You must decide how you want the BI user to log on to mySAP ERP from BI to perform the requested task, whether that is jumping from report to report or monitoring the IDOCS generated with data extraction. If you use Current User, the system tries to use the same user ID in BI and mySAP ERP. If this is successful, the BI user can work in mySAP ERP with the usual access rights. If the user ID does not exist in mySAP ERP, then the user will be prompted for a user ID and password.
Related Content
http://service.sap.com/security http://service.sap.com/securityguide https://www.sdn.sap.com/irj/sdn/nw-bi For more information, visit the Security homepage.
Disclaimer and Liability Notice

This document may discuss sample coding or other information that does not include SAP official interfaces and therefore is not supported by SAP. Changes made based on this information are not supported and can be overwritten during an upgrade. SAP will not be held liable for any damages caused by using or misusing the information, code or methods suggested in this document, and anyone using these methods does so at his/her own risk. SAP offers no guarantees and assumes no responsibility or liability of any type with respect to the content of this technical article or code sample, including any liability resulting from incompatibility between the content within this document and the materials and services offered by SAP. You agree that you will not hold, or seek to hold, SAP responsible or liable with respect to the content of this document.

Beginners Guide On BI Security

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Beginners Guide On BI Security

Uploaded by

Copyright:

Available Formats

Beginners Guide on BI Security

Company: Intelligroup Inc Created on: 06 October 2008

SAP COMMUNITY NETWORK 2008 SAP AG

SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com 1