SECURITY IN BW

AUTHORIZATIONS

What is authorizations
An authorization defines what a user can do, and to which SAP objects. For example, a user may be able to display and execute, but not change, a query. Authorizations are defined using authorization objects

Security in OLTP(R/3)
In general r/3 security is focused on Transaction codes. Specific field values. Which activities a user can perform.

. So the security is set accordingly. The primary activities in BW are displaying data and analyzing results.Security needs in BW(OLAP) The business goals and purpose of BW system is exactly different than R/3. There is no updating of buisness data in BW.

Security Focus in SAP-BW SAPSecurity is primary focused on data itself. Mainly its focused on: Info areas Info providers Queries .

on authorized business objects. The maximum number of characters allowed for the technical name is 10. such as display and execution. It has fields with values that specify authorized activities.Authorization Objects An authorization object is used to define user authorizations. such as queries. .

Buisness information warehousewarehouseReporting You need to create authorization for field level security as required. Buisness information warehouse: Authorization objects are delivered to protect all major authorizations .Authorization objects in BW Group of activities and objects which a user can have access to.

Following objects are there .

Authorizations primary for reporting purpose S_RS_ICUBES_RS_ICUBE-Info cube access S_RS_COMPS_RS_COMP-one field relates to query and one relates to info cube S_RS_COMP1S_RS_COMP1-Secure query using user name. S_RS_FOLDS_RS_FOLD-display authorization for favorite folder. S_RFCS_RFC-to enable the logon access to business explorer .

Wb S_RS_IOBJS_RS_IOBJ-Authorization for info objects S_RS_ISOURS_RS_ISOUR-Authorization for source system(transaction data info sources) S_RS_ISRCMS_RS_ISRCM-Authorization for source system (master data info sources) .Authorizations objects used primarily by administrators S_RS_ADMWBS_RS_ADMWB-individual objects of admis.

s_rs_icube. Security is primarily tied to : INFO AREA INFOPROVIDER QUERY This check can be performed using s_rs_comp. s_rs_comp1.Securing Reporting Users Securing reporting users comes in picture starting from user enters Bex explorer.s_rfc .

S_RS_COMP Activity:Display(03) Execute(16) Info Area: Specific Info Area name Info Cube: Specific Info Cube or ODS name Name of Reporting component:Specific query technical name or ´*´. Type of reporting component:REP .

S_RS_COMP1 Every field is present in conjunction with OWNER .

.Roles In Profile Generator. A user assigned to the role automatically has the corresponding authorization profile. The maximum number of characters allowed for the technical name is 30. an authorization profile corresponds to a role. A user can be assigned to multiple roles.

Setting up role There is hierarchy to be followed: ROLES AUTHORIZATION PROFILE AUTHORIZATION OBJECTS .

ObjectsS_RS_ICUBE.Creating Roles Tcode PFCG Authorization Objects-S_RS_COMP.S_RFC .

.

.

.

.

.

Info object level security Make the info object authorization relevant. .

Create your own authorization object. Tcode:RSSM .

.

Authorization for infoobject is checked but since the data its picking up from infocube and for infocube no authorization is being set. Create a variable for your query. . Now if you execute the query you will see all the values.Now add this authorization object in role.

Making info cube Authorization relevant .

. And uncheck ready to input checkbox.Now check the query it will only give the result for which user is authorized. Also you can make the query variable itself checking the authorization: In the variable screen give variable type as authorization variable.

.Authorizing Hierarchies Make the info object used as Hierarchy node authorization relevant.

.Create an authorization object for hierarchy and go to radio button authorization definition fr hier.

Fill The entries: .

And execute the query.Also check that field 0tctauthh is made authorization relevant and included in your authorization object. You should see only the node which you made authorization relevant. Generate the profile. . Enter the authorization object in your role.

Authorization Objects: S_GUI authorization for gui activities S_BDS_DS authorization for document set.Securing workbooks Go to Programs buisness explorer Browser. To save workbooks to roles: S_user_agr: Authorizations:Role check S_user_tcd: Transaction in roles .

so that only authorized user can access workbooks.Go to Menu tab in the roles and insert two folders Now save your workbooks in these roles . .