
[ Implementing BI Security Properly, Tips and Tricks


Rob Bishop of
[ Learning Points
Introduction to BI Security.
Tools for Administering BI Security.
Effectiveness of BI Security and Analysis Authorizations.
Real Industry Examples.

Tips throughout.

Real Experience. Real Advantage. 2


[ Introduction to BI Security
BI is an Online Analytical Processing (OLAP) environment
versus a traditional Online Transaction Processing
(OLTP) environment like ECC.
Access is controlled by a user's data need rather than by
a discrete business process.
This means that we can allow users to run the same
query and only the appropriate data is presented to the
user.



[ Introduction to BI Security - Continued
Characteristics                | OLTP (ECC)                        | OLAP (BI)
Source of Data                 | Original Operational Data         | Data Comes from OLTP
Purpose of Data                | Business Tasks                    | Planning, Decision Making
Amount of Data per Transaction | Usually Small                     | Can be very large
Type of Data                   | Detailed                          | Summary
Timeliness of Data             | Must be Current                   | Current and Historical
Updates to Data                | Frequently                        | Less Frequently, new data only
Database Design                | Normalized, Lots of tables        | De-normalized, fewer tables
Number of transaction/users    | Many (100s to 1000s)              | Few
Response Time                  | Quick                             | Reasonable/Slow
Queries                        | Standard/Simple queries           | Complex/Aggregations
Database Operations            | Add, Modify, Delete, Update, Read | Read
Type of Processing             | Well-Defined                      | Ad hoc

Impact on security
[ Introduction to BI Security - Continued
BI access is granted to users in a few different ways.
This presents us with options discussed later.

Options:
Standard Authorizations
  Based on Role and Authorization concept as in ECC.
  Administrators and Developers
Reporting Authorizations
  Granted through Standard Authorizations
  Limitations
Analysis Authorizations
  As of NetWeaver 2004
  Allows reporting and analysis in BI
[ Tools for Administering BI Security
Transactions
RSD1
RSECADMIN
RSECAUTH
RSU01
RSUDO
PFCG
Tables (via SE16, SM30, etc)
RSEC*



[ Tools for Administering BI Security - Continued
RSD1

InfoObjects must be made authorization relevant if they are to
be checked or used to secure data.

Once this check is on, any InfoProvider that includes this
InfoObject can only be accessed by analysis authorizations that
are explicitly given access.



[ Tools for Administering BI Security - Continued
RSECADMIN

Transaction RSECADMIN is the portal to other transactions.

Like SU01, PFCG and ST01 of BI all combined.

RSUDO
RSECAUTH
RSU01



[ Tools for Administering BI Security - Continued
RSECADMIN (Continued) - RSECAUTH

Analysis Authorizations are the roles of BI.



[ Tools for Administering BI Security - Continued
RSECADMIN (Continued) RSECAUTH (Continued)

Analysis authorizations can be secured on many levels:

Infocube
Characteristic
Characteristic Value
Key Figure
Hierarchy Node



[ Tools for Administering BI Security - Continued
RSECADMIN (Continued) RSECAUTH (Continued)

There are 3 special BI Characteristics. You will typically
always include at least one or all of these in your
authorizations:

0TCAACTVT (Activity)
0TCAIPROV (InfoProvider)
0TCAVALID (Validity Period)



[ Tools for Administering BI Security - Continued
RSECADMIN (Continued) RSECAUTH (Continued)
Adding additional characteristics requires
knowledge of the query, data being accessed
and the organizational structure of the client.

A BI Analyst/Developer or the query owner is
required to determine these requirements.

Some possible characteristics:



[ Tools for Administering BI Security - Continued
RSECADMIN (Continued) RSECAUTH (Continued)

Drilling in to the characteristic allows the admin to provide
values.

3 Operators:
EQ
BT
CP

-Use CP if value is *
-Wildcards are allowed
-0SD*



[ Tools for Administering BI Security - Continued
RSECADMIN (Continued) RSU01

BI User Maintenance happens here

SU01 ECC User Maintenance



[ Tools for Administering BI Security - Continued
RSECADMIN (Continued) RSU01 (Continued)

Notice there is no
Create button.

Guesses?



[ Tools for Administering BI Security - Continued
RSECADMIN (Continued) RSU01 (Continued)

Assignment of Analysis Authorizations takes place here.



[ Tools for Administering BI Security - Continued
RSECADMIN (Continued) RSU01 (Continued)
Analysis Authorizations are transported from here.

User assignments can also be transported!



[ Tools for Administering BI Security - Continued
RSECADMIN (Continued) RSUDO
BI has some very nice analysis tools built in.

Much like the BI equivalent of ST01 and SU53 combined.



[ Tools for Administering BI Security - Continued
PFCG as it pertains to BI (S_RS_*)
If using Standard Authorizations, this will take place in
PFCG using the BI authorization objects S_RS_*

You can control this with analysis authorizations, or
objects via a standard role.



[ Tools for Administering BI Security - Continued
Tables (via SE16, SM30, etc.)

Access to certain tables can be very useful to BI Admins.

SUIM does not provide the same reporting capabilities for
Analysis Authorizations as it does for Roles/Profiles.

Viewing tables RSEC* can be very beneficial.



[ Effectiveness of BI Security and Analysis Authorizations
As compared to OLTP system security, OLAP system
security is far more effective at controlling access to data,
queries and reporting.
Users can run the same query and get different data
returned to them based on the access defined for them.

Insanity: doing the same thing over and over and
expecting different results. Albert Einstein



[ Effectiveness of BI Security and Analysis Authorizations -
Continued
A single query can be run by multiple users. Queries do
not have to be tailored to users/groups.
The user's analysis authorizations determine what data
the user will be presented.
Analysis Authorizations restrict at different levels -
InfoCube
Characteristic
Characteristic Value
Key Figure
Hierarchy Nodes



[ Effectiveness of BI Security and Analysis Authorizations -
Continued
Possible Arguments to restrict access (vary by level)
Include                             | I  | Grant Authorization
Exclude                             | E  | Deny Authorization
Single Value                        | EQ | Exactly one date
Range                               | BT | Range of dates
Less or Equal                       | LE | Everything <= value in FROM Field
Greater Than                        | GT | Everything > value in FROM Field
Greater or Equal                    | GE | Everything >= value in FROM Field
Less Than                           | LT | Everything < value in the FROM Field
Pattern                             | CP | Selection
All                                 | *  | All possible Values
All for a specific single character | +  | Like a '*' but for exactly one character
Aggregated Data                     | :  | Allows only aggregated data - no line items



[ Effectiveness of BI Security and Analysis Authorizations -
Continued
Aggregate Argument (:)
Allows a user to see summary aggregated data without
the drill-down or specific details.
Example
A user can see totals for a particular sales area, but cannot see
individual sales by each sales representative.



[ Effectiveness of BI Security and Analysis Authorizations -
Continued
Example Analysis Authorization -



[ Effectiveness of BI Security and Analysis Authorizations -
Continued
Example Analysis Authorization (continued) -

Multiple exact values being granted to InfoProviders
characteristic (0TCAIPROV).

Single exact value being provided for custom Outside Sales
Representative characteristic (ZSOLDTO__ZSALESEMP).



[ Effectiveness of BI Security and Analysis Authorizations -
Continued
As compared to OLTP system security, OLAP system
security is far more effective at controlling access to data,
queries and reporting.
Users can run the same query and get different data
returned to them based on the access defined for them.
Different levels of detail can be displayed based on what
is appropriate for the user by using some special
characters.



[ Effectiveness of BI Security and Analysis Authorizations -
Continued
All or Nothing

Query Selection vs. Authorizations (diagram)

Authorization Check NOT OK:
If query selection is not a subset of the authorization, results are
not shown.

Authorization Check OK:
If query selection is a subset of the authorization, results are
shown.
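
The subset rule above, combined with the I/E signs, the EQ/BT/CP operators, the '*' and '+' wildcards and the ':' aggregation value from the earlier slides, as a simplified Python model. This is an added example, not SAP code and not part of the original presentation; it assumes every characteristic shown is authorization relevant, and the InfoProvider name 0SD_C01 and the IDs 1001/1002 are constructed sample values.

```python
import re

def cp_match(value, pattern):
    """CP pattern: '*' matches any string, '+' exactly one character."""
    rx = "".join(".*" if c == "*" else "." if c == "+" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value) is not None

def value_allowed(value, entries):
    """True if an Include (I) entry covers value and no Exclude (E) entry does."""
    def hit(op, low, high):
        if op == "EQ":
            return value == low
        if op == "BT":                      # plain string comparison (simplification)
            return low <= value <= high
        if op == "CP":
            return cp_match(value, low)
        raise ValueError(f"unsupported operator: {op}")
    signs = {sign for sign, op, low, high in entries if hit(op, low, high)}
    return "I" in signs and "E" not in signs

def check_query(selection, authorization):
    """All-or-nothing check; returns (ok, [(characteristic, uncovered values)])."""
    denied = []
    for char in sorted(set(selection) | set(authorization)):
        requested = selection.get(char) or [":"]   # not selected: aggregated view only
        entries = authorization.get(char, [])      # no entry: nothing is authorized
        bad = [v for v in requested if not value_allowed(v, entries)]
        if bad:
            denied.append((char, bad))
    return (not denied, denied)   # one uncovered value rejects the whole query

# Constructed sample authorization for one sales rep (ID 1001 is made up).
REP_AUTH = {
    "0TCAIPROV": [("I", "CP", "0SD*", None)],
    "ZSOLDTO__ZSALESEMP": [("I", "EQ", "1001", None), ("I", "EQ", ":", None)],
}

if __name__ == "__main__":
    queries = {
        "own line items": {"0TCAIPROV": ["0SD_C01"], "ZSOLDTO__ZSALESEMP": ["1001"]},
        "two reps": {"0TCAIPROV": ["0SD_C01"], "ZSOLDTO__ZSALESEMP": ["1001", "1002"]},
        "aggregated only": {"0TCAIPROV": ["0SD_C01"]},
    }
    for name, sel in queries.items():
        print(name, check_query(sel, REP_AUTH))
```

The "two reps" query is rejected outright rather than filtered down to ID 1001, which is the behaviour to test for when an authorization is copied between users with only the ID changed.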



[ Effectiveness of BI Security and Analysis Authorizations -
Continued
All or Nothing Exceptions can include the following:
Hierarchies are being used and certain levels are
automatically filtered. The levels that are authorized will be
presented to the user.
Key figures are authorization relevant and a particular key
figure is not authorized. Only the figures that are authorized
will be shown.



[ Effectiveness of BI Security and Analysis Authorizations -
Continued
Hierarchies (dependent on each organization) -



[ Effectiveness of BI Security and Analysis Authorizations -
Continued
In Sum
There are many ways to control the flow of data to users in
a BI system.
Fully utilizing the security tools available in a BI system can
be VERY effective for any organization.



[ Real Industry Example

Mueller Sports Medicine with



[ Real Industry Example (continued)
Scenario
Multinational Corporation
Relatively few BI users
Users need access specific to their own sales and aggregated
data to their sales areas
Sales Managers need access to sales areas to include line items
Corporate users need wide ranging access
Relatively few queries necessary
Users access nearly identical



[ Real Industry Example (continued)
Solution
Infocubes were created and/or defined that held the
necessary sales data.
Two custom characteristics were created to capitalize on the
already existing sales representative IDs.
The IDs were made part of the query and a mandatory
entry.
Analysis Authorizations were built for the sales reps that
included access to data tagged by the corresponding ID.
Aggregation of data was also made available to the rest of
the sales structure.



[ Real Industry Example (continued)
Solution (continued)



[ Real Industry Example (continued)
Solution (continued)
Analysis Authorizations were very quickly copied between
sales users.
Identical except for the ID.
Queries were built around standard set of infocubes.
Very few queries were needed.



[ Real Industry Example (continued)
Some additional roles and analysis authorizations were
created using the basic available options
Options:
Standard Authorizations - Some
  Based on Role and Authorization concept as in ECC.
  Administrators and Developers
Reporting Authorizations - Few
  Granted through Standard Authorizations
  Limitations
Analysis Authorizations - Most
  As of NetWeaver 2004
  Allows reporting and analysis in BI



[ Return on Investment
To maximize the ROI in your BI system it
has to be fully utilized.
Managers can work with BI developers,
admins and query owners to develop the
most appropriate security solution for their
particular BI environment.
With a good security solution in place,
Managers can feel confident granting
access to the BI system.



[ Best Practices
Design and use your SAP BI environment the way SAP
intended by architecting an appropriate and best practice
security solution.



[ Key Learnings
You now (if you didn't before)
understand the difference between OLAP vs OLTP systems
are familiar with the basic BI security tools
see that you can effectively secure your BI environment
while maximizing user access
have benefited from an actual industry example



[
Thank you for participating.
Please remember to complete and return your
evaluation form following this session.
For ongoing education on this area of focus, visit the
Year-Round Community page at www.asug.com/yrc
]
[ SESSION CODE: 1008

