Professional Documents
Culture Documents
Applies to:
SAP Business Intelligence 7.0
For more information, visit the Security homepage.
Summary
In this unit we will focus only the options for securing SAP BI administrator and the system security
requirements for BI.Here it will List the types of tasks required by administration users and describe how to
secure those tasks.
Author:
Ashok Dalai
Author Bio
Ashok Dalai has more than 3 and half years of experience. He has good understanding of SAP R3 and
NetWeaver Components. He worked in r3 security, BI security and CRM security and currently working for
Intelligroup Inc as a Basis Consultant.
Table of Contents
Course Overview ................................................................................................................................................3
Securing Data Warehousing Workbench Objects ..............................................................................................4
Data Warehousing Objects Secured with S_RS_ADMWB.............................................................................4
Authorization Object S_RS_ICUBE ................................................................................................................6
Authorization Object S_RS_DS2 ....................................................................................................................9
Authorization Object S_RS_DTP ..................................................................................................................10
Authorization Object S_RS_ISNEW .............................................................................................................11
Authorization Object S_RS_ISRCM..............................................................................................................13
Authorization Object S_RS_TR ....................................................................................................................14
Authorization Object S_RS_IOBJ .................................................................................................................15
Securing Process Chains..............................................................................................................................16
Authorization Object S_RS_OHDST.............................................................................................................17
Securing Master Data and Documents .........................................................................................................18
Securing BI Documents ................................................................................................................................20
System Communication Security ..................................................................................................................21
BI Security Setup .......................................................................................................................................................21
Other SAP Security Set Up ........................................................................................................................................21
RFC Destinations.......................................................................................................................................................22
Using the <RFC_DESTINATION>_DIALOG Destination ...........................................................................................23
Related Content................................................................................................................................................24
Disclaimer and Liability Notice..........................................................................................................................25
Course Overview
There are two major types of authorizations in BI. One type focuses on Administrative users and another
type focuses on Reporting users. Authorizations for Administrative users in many ways Parallel to mySAP
ERP security, but securing BI reporting users is much different. In this unit we will focus only the options for
securing SAP BI administrator and the system security requirements for BI. Here it will List the types of tasks
required by administration users and describe how to secure those tasks.
1. Explain how to secure Data Warehousing Workbench objects such as InfoProviders, Data Transfer
2. Processes, DataSources, Open Hub Destinations and Process Chains.
3. Explain how to protect maintenance of Master Data and Documents.
4. Briefly describe how to secure Information Broadcasting distribution and Data Mining Objects.
5. Explain the required security set up for communication between BI and other systems.
6. Explain the RFC destinations required.
Note: For authorizations at naming convention level, you need to note the following:
User A can edit InfoProviders that lie in InfoAreas with prefix /AB/. User A cannot edit an InfoProvider that lies in
InfoArea /CD/. However, if the user has drag and drop authorization, the user can move the InfoProvider from /CD/
to /AB/ and edit it from there.
Activity:
Specifies whether you are permitted to display or maintain a subobject
InfoArea:
o
InfoCube:
o
Here you enter the InfoArea key for which the user can edit InfoCubes.
Notes on InfoCube:
o
You use this subobject to specify the part of the InfoCube that the user is permitted to edit. The
following subobjects exist:
Definition - Definition
Aggregate - Aggregate
Data - Data
Activity:
Specifies whether you are permitted to display, delete, or update a subobject.
Some other important authorization object related to Data Warehousing Workbench objects.
DataSource: Enter the name of the DataSource that a user is allowed to edit.
Source System: Specify the name of the source system for which a user is allowed to edit DataSources.
DataSource Subobject: When you specify a subobject, you specify the part of the DataSource that the user is
permitted to edit. There are the following subobjects:
DEFINITION: Definition
DATA: Data
INFOPACK: InfoPackage
Activities:
Type of Source: Specify the type of source here that which a user can create a DTP
Subtype of the Source: Here, specify the subtype of the source for which a user can create a DTP.
Source: Specify the name of the source for which a user can create a DTP
Type of Target: Specify the type of target here for which a user can create a DTP
Subtype of the Target: Specify the subtype of the target for which a user can create a DTP.
Target: Specify the name of the target for which a user can create a DTP
Activities:
Note that the subtypes currently only exist for the type InfoObject. Possible alternatives are ATTRIBUTES, and
HIERARCHIES.
The authorizations assigned for the DTP object have a higher priority than the authorizations for the
underlying TLOGO objects. Users that have DTP authorization for a source/target combination, thus
require no read authorization for the source object and no write authorization for the target object for
execution of the DTP.
Application component: Enter the key for the application component here for which a user can
edit InfoSources.
Activities:
Display InfoSource (Activity = 03)
Maintain InfoSource (Activity = 23)
You can use the authorization object S_RS_ISOUR to restrict the handling of InfoSources with
flexible updating and their subobjects.
The authorization object contains four fields:
Application component: Enter the application component key here for which a user is allowed to edit
InfoSources.
InfoSource: Enter the InfoSources with flexible updating the user is allowed to edit here.
Subobject for InfoSource: You use the subobject to specify the part of the InfoSource that the user is
allowed to edit.
Definition Definition
Data Data
InfoPackag InfoPackage
MetaData Metadata
Activity: Determines whether you are allowed to display maintain, request or update a subobject:
The display and maintenance of the InfoSource data is checked in the PSA tree and in the monitor.
Application components: Here you enter the application component key for which a user is allowed to
InfoSource: A user is allowed to edit the master data InfoSources you specify here.
Subobject for the InfoSource: You can use the subobject to specify the part of the InfoSource the
Data Data
InfoPackag InfoPackage
MetaData Metadata
Activity: Determines whether you are allowed to display, maintain, request or update a subobject:
Display and maintenance of InfoSource data is checked in the PSA tree and in the Monitor.
Type of Source: Enter the type of source here for which a user can create a transformation
Subtype of Source: Specify the subtype of the source here for which a user can create transformation
rules.
Source: Enter the name of the source for which a user can create a transformation.
Type of Target: Specify the type of target for which a user can create a transformation here
Subtype of Source: Specify the subtype of the target for which a user can create a transformation.
Target: Specify the name of the target for which the user can create a transformation
Activities:
Note: That subtypes only exist for the TLOG type InfoObject. Possible alternatives are "ATTRIBUTES", "TEXTS" and
"HIERARCHIES".
If no InfoObject was selected as a TLOGO type the standard setting '*' should be selected
InfoObjectCatalog: This is where you specify the key of the InfoObject catalog that a user is
authorized to work with.
InfoObject: A user is authorized to work with the InfoObjects that you specify here.
Sub-object of the InfoObject: You use the sub-object to specify the parts of the InfoObject that a user
Definition
UpdateRule
Activity: Determines whether a user is allowed to display, delete, maintain, or update a sub-object.
Note: This authorization object is checked only if the user is not authorized to maintain or display InfoObjects
(authorization object: S_RS_ADMWB-InfoObject, activity: maintain/display)
To create and maintain process chains, authorization for authorization object S_RS_PC is required. This
authorization object determines whether process chains can be displayed, changed or executed, and
whether logs can be deleted.
The object includes four fields:
Process chain:
o
Application Components:
o
Here you enter the name of the process chain that a user can edit.
Here you enter the name of the application components the process chains of which a user can edit.
With the subobject, you specify the part of the process chain that can be edited by the user. The
following subobjects exist:
Runtime
Activity:
Here you enter the name of the Open Hub Destination that a user can edit.
Here you enter the name of the logical target system for which a user can edit the Open Hub
Destinations.
With the subobject, you specify the part of the Open Hub Destination that can be edited by the user.
The following subobjects exist:
Data - Data
Activity:
To grant authorizations for characteristics, activate authorization assignment by setting Authorization Check
indicator in the Master Data/Texts tab page.
The next step is to create a role with the authorizations.
With authorization checks by characteristic value, the system generates an organization criterion for the
characteristic. The organization criterion generates a connection between table key fields and the
authorization fields for the authorization object S_TABU_LIN.
Using authorization object S_TABU_LIN you are able to enter characteristic values in each key field of the
master data table for which the user is to have authorization. Do this in the profile generator in role
maintenance. In this way you are able to use authorizations to protect the maintenance and display of master
data/ texts for this characteristic at single record level.
Characteristic values for which the user has no authorization are then not displayed in the input helps either.
To grant authorizations for characteristics, proceed as follows:
Activate authorization assignment by characteristic value by setting the Master Data Maintenance with
Authorization Check indicator in the Master Data/Texts tab page. Activate the characteristic.
In Role Maintenance (Transaction PFCG): For blanket authorizations for characteristics, add authorization
object S_RS_IOMAD to the role. For authorizations for single characteristic values, add authorization object
S_TABU_LIN to the role.
Securing BI Documents
In order to edit documents in the Documents functional area of the Data Warehousing Workbench, the user
needs authorization for the authorization object S_RS_ADMWB,
Data Warehousing Workbench Object, with the following:
Metadata: DOC_META
Authorization to display or to edit a metadata object also authorizes the user to display or edit the documents
for these metadata objects. Valid activities are: 03 (display), 23 (maintain)
Master data: DOC_MAST
Authorization to display or to edit in specific master data also authorized the user to display or edit the
documents for these characteristic values. Valid activities are: 03 (display), 23 (maintain)
InfoProvider data: DOC_TRAN
Authorization objects for transaction data, InfoProviders, are not delivered. They are created as required
using Analysis Authorizations (RSECADMIN).
Each analysis process is only valid for the application for which it was created. The authorizations are also
assigned specific to an application and are protected with authorizations object RSANPR.
The only authorization necessary for the online execution of broadcasting settings is the authorization for the
execution of the underlying reporting objects (for example, the Web template). Any user that has
authorization to create background jobs also has authorization for direct scheduling in the background. The
authorization object S_BTCH_NAM is required for regular scheduling in background jobs.
This profile will give user BWREMOTE the access needed to extract from an OLTP system. The profile also
provides the access required for staging steps to get the data into InfoCubes.
Other SAP Security Set Up
You must set up a user on each SAP system sending data to BI. This includes mySAP ERP, Customer
Relationship Management (CRM), Supplier Relationship Management (SRM), Advanced Planning Optimizer
(APO), R/3 or any other component SAP system that is sending data to BI. On each of these systems, you
should create a system user called BWALEREMOTE.
This user should have the authorization profile S_BI-WX_RFC.
Note: S_BI-WX_RFC is a profile, not a role.
This profile will give user BWALEREMOTE the access needed to connect and send data to the BI system.
It is permissible to use a different name for the users BWREMOTE and BWALEREMOTE. What matters is
that the user in BI has the profile S_BI-WHM_RFC and the user in the other SAP system has the profile
S_BI-WX_RFC.
RFC Destinations
RFC (Remote Function Call) destinations tell BI where the source systems are physically located. RFC
destinations on the SAP source system tell the source system where the BI system is physically located.
RFC destinations define where the other systems reside and how to log on to the other systems.
Setting up RFC destinations is normally not the responsibility of the security administrator. However, the
security administrator normally creates the user that is used in the RFC destinations.
The following graphic shows transaction code SM59 on a BI system. This RFC destination is pointing to an
SAP system by providing the location of the system and details on how to log on to that system. Whenever
this RFC destination is used, you see BWALEREMOTE, who is logged on to the SAP system. The extraction
program that uses the RFC destination has access to all objects to which the user BWALEREMOTE has
access.
When setting up the RFC destination <RFC_DESTINATION>_DIALOG, you have some choices regarding
the user ID specified: Force the user to always log on to mySAP ERP after selecting OLTP by leaving the
User field blank in <RFC_DESTINATION>_DIALOG.
Create a generic user in mySAP ERP with access to monitor IDOCS; use this user in the
FC_DESTINATION>_DIALOG destination.
In the RFC destination, select Current User. This will use the current BI user's user ID to log them on to
mySAP ERP.
You must decide how you want the BI user to log on to mySAP ERP from BI to perform the requested task,
whether that is jumping from report to report or monitoring the IDOCS generated with data extraction. If you
use Current User, the system tries to use the same user ID in BI and mySAP ERP. If this is successful, the
BI user can work in mySAP ERP with the usual access rights. If the user ID does not exist in mySAP ERP,
then the user will be prompted for a user ID and password.
Related Content
http://service.sap.com/security
http://service.sap.com/securityguide
https://www.sdn.sap.com/irj/sdn/nw-bi
For more information, visit the Security homepage.