You are on page 1of 32

_________________________________

_________________________________

An A-to-Z Guide on How _________________________________


to Develop a Flexible _________________________________
Position-Based Security _________________________________
Model for SAP _________________________________
NetWeaver Business
_________________________________
Intelligence
_________________________________
Tracey Brookes _________________________________
Sapient Corp _________________________________
© 2008 Wellesley Information Services. All rights reserved.

What We’ll Cover …


_________________________________
• What makes a good BI security model? _________________________________
• How and why to set up a flexible position-based model _________________________________
ΠRoles for BI user type
_________________________________
ΠSpecial function roles
ΠInfoArea and Data Target-level security _________________________________
ΠInfoObject-level security _________________________________
• How to control ad hoc query creation using role menus _________________________________
• How to leverage the company organizational hierarchy _________________________________
• Wrap-up
_________________________________
_________________________________

What Makes A Good BI Security Model?


_________________________________
• Many mistakes from a bad security model come from _________________________________
trying to apply SAP ERP security principles to a
_________________________________
Business Intelligence (BI) model
Œ An SAP ERP transaction code does not equal SAP NetWeaver® _________________________________
BI transaction code _________________________________
ΠSAP NetWeaver BI is not transaction-driven, but data- and
function-driven! _________________________________
f Data access is controlled in SAP NetWeaver BI by _________________________________
configuring different restrictions on authorization object
S_RS_COMP _________________________________
_________________________________
_________________________________

2
What Should My Security Strategy Achieve?
_________________________________
• Recognizes that positions and departments may change _________________________________
• Recognizes that people may change _________________________________
• Recognizes that roles need to be flexibly assembled so _________________________________
that they can be easily changed
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________

BI Security Model Dos and Don’ts


_________________________________
• Do: _________________________________
Œ Use your organization’s structural hierarchy for role allocation
_________________________________
ΠUse single roles
ΠDocument common transactions in only one role _________________________________
ΠIdentify common elements across requirements and groups _________________________________
accordingly
ΠCapture distinct activities in one role _________________________________
f E.g., ad hoc query creation _________________________________
ΠCreate a logical naming standard for InfoProviders and queries
_________________________________
f Use wildcards (*) in restricting values assigned to
authorization objects _________________________________
ΠSeparate roles that have authorization objects and menus _________________________________
ΠSeparate roles that hold reports that are transported
(standardized/certified) vs. production-created reports (ad hoc)
4

BI Security Model Dos and Don’ts (cont.)


_________________________________
• Don’t: _________________________________
ΠAssign roles directly to user IDs
_________________________________
ΠUse composite roles
ΠUse one role to contain everything for a specific position _________________________________
(~ most SAP-delivered roles) _________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________

5
Using Your Organization’s Structural Hierarchy
_________________________________
• Do seek the benefits of using your organization’s _________________________________
structural hierarchy for role allocation
_________________________________
Organizational Unit/Work Center _________________________________
_________________________________
Job
Indirec
t Role (AG) Dire _________________________________
ct
Position (S) _________________________________
Employee (P)
_________________________________
UserID (US) _________________________________
_________________________________
• Value represented between ( ) = SAP ERP object types
6

Using Your Organization’s Structural Hierarchy (cont.)


_________________________________
• Indirect Role Assignment _________________________________
ΠThis allows for authorizations to be inferred from the higher _________________________________
levels in the organizational hierarchy down to the lower levels
ΠThe use of single roles allocated across an organizational _________________________________
hierarchy thus functions similarly as a composite role would. _________________________________
Thus the reasoning: composite roles are no longer required.
ΠAdded flexibility if employees change positions; roles do not _________________________________
have to be moved as roles are allocated to the position and not _________________________________
the person
f Authorization update is immediate with no maintenance lag
_________________________________
in time. Not violating company security policy. _________________________________
_________________________________

Using Your Organization’s Structural Hierarchy (cont.)


_________________________________
• Recognize the difference in role assignments _________________________________
ΠIndirect: blue (best approach)
_________________________________
ΠDirect: black
_________________________________
_________________________________
_________________________________
_________________________________
Direct _________________________________
Indirect
_________________________________
_________________________________

8
Using Your Organization’s Structural Hierarchy (cont.)
_________________________________
• Since the use of the Organizational Hierarchy allows for _________________________________
inferring authorizations, there is no need for doubling up
_________________________________
on the same authorizations or using composite roles
_________________________________
• No longer a need for one role to contain all authorizations
for a requirement (~ SAP-Delivered roles) _________________________________
ΠPurchasing Manager: _________________________________
f Execute Business Explorer (BEx) Analyzer via RRMX
_________________________________
f Execute, create, and modify queries prefixed ZM*

ΠPurchasing Operations: _________________________________


f Execute Business Explorer (BEx) Analyzer via RRMX _________________________________
f Execute queries prefixed ZM*
_________________________________

Using Your Organization’s Structural Hierarchy: Result


_________________________________
_________________________________
S_TCODE: RRMX Query
User _________________________________
_________________________________
S_TCODE: RRMX _________________________________
Power User
_________________________________
_________________________________
S_TCODE: RRMX Department Administrator _________________________________
_________________________________
_________________________________
S_TCODE: RSA1, RRMX BI Developer

10

Using Your Organization’s Structural Hierarchy:


Result (cont.) _________________________________
S_RS_COMP: InfoArea = 0MM*; InfoCube = *;
Component = ZM*; Activity = Display ; MM _________________________________
Subobject = REP Query
User _________________________________

S_RS_COMP: InfoArea = 0MM*; InfoCube = *; _________________________________


Component = ZM*; Activity = Create, Modify; MM
Subobject = REP
_________________________________
Power User
_________________________________

S_RS_COMP: InfoArea = 0MM*; InfoCube = *; _________________________________


MM
Component = ZM*; Activity =; Delete; Department Administrator
Subobject = REP
_________________________________
_________________________________
S_RS_COMP: n/a
BI Developer _________________________________
**BI Developer infers all of the above under
the hierarchy allocation scheme 11
What We’ll Cover …
_________________________________
• What makes a good BI security model? _________________________________
• How and why to set up a flexible position-based model _________________________________
ΠRoles for BI user type
_________________________________
ΠSpecial function roles
ΠInfoArea and Data Target-level security _________________________________
ΠInfoObject-level security _________________________________
• How to control ad hoc query creation using role menus _________________________________
• How to leverage the company organizational hierarchy _________________________________
• Wrap-up
_________________________________
_________________________________

12

Pros and Cons of the SAP-Delivered Roles


_________________________________
• Pros _________________________________
ΠProvides a template for role analysis if no roles exist _________________________________
ΠGrants ideas for role creation rather than building roles entirely
from scratch _________________________________
ΠGood guideline when you have no experience in SAP _________________________________
NetWeaver BI security, but I don’t recommend it in general
_________________________________
ΠTechnical Content for areas like BI Statistics and
Administration Cockpit have delivered SAP roles already _________________________________
configured for use
_________________________________
f Contains all complex iViews, queries, Web templates, and
authorizations necessary for displaying the BI Statistics’ _________________________________
Technical Content
_________________________________
f Will never change unless SAP updates them

13

Pros and Cons of the SAP-Delivered Roles (cont.)


_________________________________
• Cons _________________________________
ΠA lot of the delivered roles have been around since
SAP BW 1.2b
_________________________________
ΠHighly position-based at the lowest level; very specific _________________________________
ΠRoles are not unique Рauthorization objects are duplicated _________________________________
ΠUse composite roles
_________________________________
ΠTend to require a lot of maintenance since all of the roles need
to be modified rather than one role radiating downwards _________________________________
through a tree
_________________________________
ΠNot SOX compliant
_________________________________
_________________________________

14
Pros and Cons of the SAP-Delivered Roles (cont.)
_________________________________
• The one SAP-delivered role I would recommend using: _________________________________
SAP_SAP_BW_BI_ADMINISTRATOR. Why?
_________________________________
ΠBI Technical Content is all SAP-Delivered Objects and
thus requires no additional “tweaking” to make it work _________________________________
ΠIf modifications are made to the BI Technical Content, SAP
_________________________________
would also update the reliant role
ΠBI Technical Content is same across every Business _________________________________
Intelligence installation; thus non-client specific
_________________________________
ΠBI Technical Content is segregated from the rest of the
Data Warehouse _________________________________

ΠMake sure you have the latest SAP modifications by using current versions
_________________________________
of all the SAP-Delivered Objects related to the Administration Cockpit
_________________________________
f If you make enhancements or use your own naming convention as a copy
of the role, you could fall behind maintenance if BI Technical Content is
reinstalled 15

How to Set up a (More) Flexible, Position-Based Model


_________________________________
• Let’s revisit a few statements: _________________________________
Œ “Since the use of the Organizational Hierarchy allows for _________________________________
inferring authorizations, there is no need for doubling up on the
same authorizations or using composite roles.” _________________________________
Œ “No longer a need for one role to contain all authorizations for a _________________________________
requirement”
Œ “BI is not transaction-driven but data- and function-driven” _________________________________
• All authorizations can be grouped according to: _________________________________
ΠFunction or action a user can perform _________________________________
ΠData a user can view
_________________________________
The roles defined in this presentation also work in an SAP NetWeaver BI 7.0
environment. However, they should be modified to incorporate the new _________________________________
authorization objects rolled out as part of that release.
16

How to Set up a (More) Flexible, Position-Based


Model (cont.) _________________________________
• User Actions _________________________________
ΠBI User Type Roles
f Examples – Query User, Power User, Department
_________________________________
Administrator, Developer _________________________________
ΠSpecial Function Roles
f Examples – Release Transports, Delete InfoObject Master data
_________________________________
• User Data Viewed _________________________________
ΠInfoArea/Data Target Roles _________________________________
f Examples – MM, FI, HR, SD, PM
Supply Costing: Financial Data assigned to MM users _________________________________
ΠInfoObject Restrictions (InfoObject/data-level security)
_________________________________
f Examples – 0COSTCENTER, 0CO_AREA
ΠMenu Folder Roles _________________________________
f Example – Finance queries viewed only by Finance Dept.
17
Four Key BI User Types
_________________________________
_________________________________
Query
User _________________________________
_________________________________

Power User
_________________________________
_________________________________
_________________________________
Department Administrator _________________________________
_________________________________
_________________________________
BI Developer

18

Translating Requirements into User Role Types


_________________________________
• Identify tasks for each BI User Type _________________________________
ΠTransactions that are common between roles belong in the one _________________________________
role allocated to the highest level of the organization hierarchy
f Transaction RRMX is assigned to the Query User role only _________________________________
f Since the Query User role is allocated at a node higher than _________________________________
other roles, the authorizations are inherited down to the
lower levels _________________________________
• “1_Task Matrix.xls” _________________________________
ΠThe document lists all tasks associated with each BI User Type _________________________________
role defined in this presentation
_________________________________
ΠYour requirements may vary depending on your business, but
these assignments were derived from more than one company _________________________________
Client
Issue 19

Four Key BI User Types


_________________________________
• BI User Type role definitions in this presentation are _________________________________
based on actions defined in the Task Matrix
_________________________________
Task Query Power SAP _________________________________
User User NetWeaver
BI Dept. _________________________________
Admin.
Execute BEx from SAPGUI (RRMX) or Start Programs X X X _________________________________
Execute queries/workbooks X X X
_________________________________
Create/Change own query (BWD/BWQ/BWP) X X
_________________________________
Create/Change another user’s query (BWD/BWQ/BWP) X

Save ad hoc query to ad hoc menu role (BWD/BWQ/BWP) X X _________________________________


Save standard query to standard menu role (BWD) X
_________________________________
Delete a query X

20
1 – Query User Role
_________________________________
• Applies to ALL systems _________________________________
• Ability to execute BEx Analyzer _________________________________
ΠS_TCODE
_________________________________
f Transaction code = RRMX

ΠS_GUI _________________________________
f Activity = 60, 61 (Import, Export) _________________________________
f Authorization for GUI activities, execution of workbooks
_________________________________
ΠS_BDS_DS and S_BDS_D
f Activity = 03, 30; Class Type = OT
_________________________________
f Authorization for document set _________________________________
f S_GUI and S_BDS_DS enables users to save workbooks to
_________________________________
their Favorites Folder
21

1 – Query User Role (cont.)


_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________

• InfoArea tab should not be seen _________________________________


on Query Open _________________________________
ΠS_RS_FOLD _________________________________
f Hide ‘Folder’ Pushbutton = X (True)

22

1 – Query User Role (cont.)


_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
• Role usertype_queryuser_ZBW_A_UT_QU_AL_ALL that
you can import into your system 23
2 – Power User Role
_________________________________
• Applies to ALL systems _________________________________
• Ability to save queries to Ad hoc Menu
ΠS_USER_AGR
_________________________________
f Activity: 01,02,22 _________________________________
f Role Name: {based on role naming convention} ZBW_M_FI_D

• Ability to create and change department ad hoc BEx queries …


_________________________________
ΠS_RS_COMP
Z* = Ad hoc queries _________________________________
f Activity: 01,02; InfoArea: 0COOM; InfoCube: *
Y* = Certified/
Component: ZF* (ad-hoc); Type: REP Standard Queries
_________________________________
• … Only related to their user ID _________________________________
ΠS_RS_COMP1
f Activity: 02; Component: ZF* ; Type: REP ; Owner = $USER
_________________________________
• InfoArea tab should be seen on Query Open _________________________________
ΠS_RS_FOLD
f Hide ‘Folder’ Pushbutton = ‘ ’ (False) 24

2 – Power User Role (cont.)


_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
• Role usertype_poweruser_finance_ZBW_A_UT_PU_FI_ALL
25

2 – Power User Role (cont.)


_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
• Individual user requirements would define the need for an
_________________________________
SAP BW development-only role
• Only an example of the ALL role is supplied in this _________________________________
presentation _________________________________
_________________________________
• Role usertype_poweruser_finance_ZBW_A_UT_PU_FI_ALL
26
3 – BI Department Administrator Role
_________________________________
• Different authorizations apply to ALL systems and BWD-only _________________________________
systems
_________________________________
• Ability to modify queries in the Standard Menu (BWD)
ΠS_USER_AGR _________________________________
f Activity: 01,02,06,22
_________________________________
f Role Name: {based on role naming convention} ZBW_M_FI_C
• Ability to modify department Standard BEx queries (BWD) … _________________________________
ΠS_RS_COMP _________________________________
f Activity: 01,02,06; InfoArea: 0COOM; InfoCube: *
Component: YF* (standard/transported); Type: REP
_________________________________
• … Related to any user ID Z* = Ad hoc queries
Y* = Certified/ Standard
_________________________________
ΠS_RS_COMP1 Queries
_________________________________
f Activity: 02,06; Component: YF* ; Type: REP ; Owner = *

27

3 – BI Department Administrator Role (cont.)


_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
• Role usertype_deptadmin_bwd_ZBW_A_UT_DA_FI_BWD

28

3 – BI Department Administrator Role (cont.)


_________________________________
• Ability to delete queries in the Department Menu (ALL) _________________________________
ΠS_USER_AGR
_________________________________
f Activity: 06

f Role Name: {based on role naming convention} ZBW_M_FI_D _________________________________


• Ability to modify and delete department ad hoc BEx _________________________________
queries (ALL) … Where is Display (03) See InfoArea/ _________________________________
ΠS_RS_COMP and Execute (16)? Data Target roles
_________________________________
f Activity: 06; InfoArea: 0COOM; InfoCube: *
Component: ZF* (standard/transported); Type: REP _________________________________
• … Related to any user ID Z* = Ad hoc queries
_________________________________
Y* = Certified/
ΠS_RS_COMP1 Standard Queries
_________________________________
f Activity: 02,06; Component: ZF* ; Type: REP ; Owner = *

29
3 – BI Department Administrator Role (cont.)
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
• Role usertype_deptadmin_all_ZBW_A_UT_DA_FI_ALL
30

3 – BI Department Administrator Role (cont.)


_________________________________
• Ability to display all Master Data related to Finance _________________________________
• Master Data viewable in ALL systems _________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
• Role usertype_deptadmin_all_ZBW_A_UT_DA_FI_ALL
31

4 – BI Developer Role
_________________________________
• All authorizations to do with query development would _________________________________
be inherited by the power user and department
_________________________________
administrator classifications
• BI developer roles have two different role distinctions _________________________________
similar to the BI Department Administrator _________________________________
ΠSAP BW developer-only: this role is not transported _________________________________
ΠALL: this role is transported and is applicable to SAP NetWeaver
BI Dev, QA, and Prod environments _________________________________
_________________________________
ΠDue to the number of tasks and size, screenshots of this role are _________________________________
not included in this presentation. Refer to the take-home CD.
f Role usertype_developer_all_ZBW_A_UT_DV_IT_ALL
_________________________________
f Role usertype_developer_bwd_ZBW_A_UT_DV_IT_BWD
32
Organizational Hierarchy and BI User Type Impacts
_________________________________
_________________________________
Query User Role _________________________________
1000 Corporate
_________________________________
1001 Logistics Department
Job_1 MM Dept. Admin. Role
_________________________________
1001001 Purchasing Manager _________________________________
1002111 Purchase Operations 1
MM Power User Role _________________________________
1002112 Purchase Operations 2
Job_2 _________________________________
1002 Finance Department _________________________________
_________________________________

33

What We’ll Cover …


_________________________________
• What makes a good BI security model? _________________________________
• How and why to set up a flexible position-based model _________________________________
ΠRoles for BI user type
_________________________________
ΠSpecial function roles
ΠInfoArea and Data Target-level security _________________________________
ΠInfoObject-level security _________________________________
• How to control ad hoc query creation using role menus _________________________________
• How to leverage the company organizational hierarchy _________________________________
• Wrap-up
_________________________________
_________________________________

34

Special Function Roles


_________________________________
• Special Function roles are distinct from the main stream _________________________________
roles as they are functions that are assigned temporarily
_________________________________
or address one-off scenarios
• Highly company-dependent _________________________________
• Examples: _________________________________
ΠDisplay Data Warehouse Workbench _________________________________
f Assigned to BI Department Administrators during testing
_________________________________
phase
ΠRelease Transports _________________________________
f When BI Developers are not permitted to release transports _________________________________
Πsuper user reviews and releases transports
_________________________________
f Assigned to BI Department Administrators for controlling
BEx Transport releases in their area alone
35
Special Function Roles (cont.)
_________________________________
• Examples: _________________________________
ΠDelete Data from Data Targets
_________________________________
f Assigned to control data maintenance

f Data is not owned nor is it the responsibility of the BI


_________________________________
Developer; Data is owned by the responsible functional areas _________________________________
or business analysts assigned to the functional area
_________________________________
ΠMaintenance of Master Data
f In this solution, maintenance of master data is tasked under _________________________________
the appropriate Department’s BI Administrator
_________________________________
f This function could be split out to a special function
depending on company requirements _________________________________
f Each master data is owned only by one department _________________________________

36

What We’ll Cover …


_________________________________
• What makes a good BI security model? _________________________________
• How and why to set up a flexible position-based model _________________________________
ΠRoles for BI user type
_________________________________
ΠSpecial function roles
ΠInfoArea and Data Target-level security _________________________________
ΠInfoObject-level security _________________________________
• How to control ad hoc query creation using role menus _________________________________
• How to leverage the company organizational hierarchy _________________________________
• Wrap-up
_________________________________
_________________________________

37

InfoArea and Data Target-Level Security


_________________________________
S_RS_COMP: InfoArea = 0MM*; InfoCube = *;
Component = ZM*; Activity = Display ; MM _________________________________
Subobject = REP Query
User _________________________________

S_RS_COMP: InfoArea = 0MM*; InfoCube = *; _________________________________


Component = ZM*; Activity = Create, Modify; MM
Subobject = REP Power User
_________________________________
_________________________________

S_RS_COMP: InfoArea = 0MM*; InfoCube = *; _________________________________


MM
Component = ZM*; Activity = Delete; Department Administrator
Subobject = REP
_________________________________
_________________________________
S_RS_COMP: n/a
BI Developer _________________________________

38
InfoArea and Data Target-Level Security (cont.)
_________________________________
• SAP NetWeaver BI 7.x has impacted these role _________________________________
classifications
_________________________________
• S_RS_COMP is still valid
_________________________________
• The use of S_RS_ICUBE, S_RS_ISET, S_RS_ODSO, and
S_RS_MPRO has changed _________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________

39

InfoArea and Data Target-Level Security (cont.)


_________________________________
• SAP states the following on help.sap.com: Where
to
_________________________________
ΠAuthorization Objects for InfoProvider Access FIND it
_________________________________
The authorization objects S_RS_ICUBE, S_RS_MPRO,
S_RS_ISET, and S_RS_ODSO will no longer be checked during _________________________________
query processing. Instead, the check is performed using
_________________________________
special characteristics 0TCAIPROV, 0TCAACTVT, and
0TCAVALID. These authorization objects are offered during _________________________________
migration configuration as a migration option. If you select
these authorization objects, authorization for these special _________________________________
characteristics are generated according to the entries in the _________________________________
Activity and the associated field for the corresponding
InfoProvider and then assigned to the users. _________________________________
• What does this mean and what are the impacts? _________________________________
Where
to
Πhttp://help.sap.com/saphelp_nw70/helpdata/en/ad/8f7842fdb70f53e10000000a
FIND it 155106/frameset.htm 40

InfoArea and Data Target-Level Security (cont.)


_________________________________
• After you migrate to the new Reporting Analysis _________________________________
Authorization concept, the following authorization
_________________________________
restriction combinations are no longer needed
ΠS_RS_ICUBE, S_RS_IOBJ, S_RS_ISET, S_RS_MPRO _________________________________
f Activity: 03 _________________________________
f Subobject: DATA
_________________________________
• The above restrictions can be removed from existing
_________________________________
roles as they have been replaced by the restrictions
defined on authorization object S_RS_AUTH, created _________________________________
under transaction RSECADMIN (RSECADMIN replaces _________________________________
transaction RSSM for building InfoObject level security)
_________________________________

41
InfoArea and Data Target-Level Security (cont.)
_________________________________
• Pre BI 7.x – Obsolete Concept enabled the INACTIV authorization _________________________________
object – should be active as they are still used
• The following illustrates Post BI 7.x – new Reporting Analysis _________________________________
Concept enabled and thus INACTIV status: _________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________

42

InfoArea and Data Target-Level Security (cont.)


_________________________________
• The InfoArea/Data Target role should be created to look _________________________________
like the following illustration on version BI 7.x when the _________________________________
Reporting Analysis Concept has been switched to the
new concept _________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
InfoArea_datatarget_fico_all_ZBW_A_DT_0FMCO_ALL
43

InfoArea and Data Target-Level Security (cont.)


_________________________________
• Organizational Hierarchy _________________________________
_________________________________
1000 Corporate 0SCM Supply Chain Management
1001 Logistics Department InfoArea _________________________________
Job_1 _________________________________
ZFPU_M01 Goods
1001001 Purchasing Manager Receipts (Finance)
_________________________________
1002111 Purchase Operations 1
_________________________________
1002112 Purchase Operations 2
Job_2 0FI Finance InfoArea
_________________________________
1002 Finance Department (includes 0FICO InfoArea) _________________________________
_________________________________

44
What We’ll Cover …
_________________________________
• What makes a good BI security model? _________________________________
• How and why to set up a flexible position-based model _________________________________
ΠRoles for BI user type
_________________________________
ΠSpecial function roles
ΠInfoArea and Data Target-level security _________________________________
ΠInfoObject-level security _________________________________
• How to control ad hoc query creation using role menus _________________________________
• How to leverage the company organizational hierarchy _________________________________
• Wrap-up
_________________________________
_________________________________

45

InfoObject Level Security


_________________________________
• Prior to SAP NetWeaver BI 7.x (SAP BW 2.x, 3.x) _________________________________
ΠRSSM: Transaction used to create InfoObject level security roles _________________________________
automatically
• Now with SAP NetWeaver BI 7.x _________________________________
ΠRSECADMIN: Transaction used to create InfoObject level _________________________________
security roles automatically
_________________________________
ΠProgram RSEC_MIGRATION: Program that assists in migrating
SAP BW 3.x authorization objects to new BI 7.x format _________________________________
_________________________________
ΠFor more information on InfoObject level security concepts for either SAP BW _________________________________
3.x or SAP NetWeaver BI 7.x, please refer to presentation “Options, Strategies,
and Best Practices for Migrating to and Using SAP NetWeaver Business _________________________________
Intelligence 7.0 Authorization Concepts”
46

InfoObject Level Security (cont.)


_________________________________
• Organizational Hierarchy _________________________________
Enterprise-wide Authorization Object (ZBI_ALL) _________________________________
1000 Corporate (ZBI_ALL = 0BI_ALL – FI restriction)

1001 Logistics Department _________________________________


Job_1 _________________________________
1001001 Purchasing Manager _________________________________
1002111 Purchase Operations 1
_________________________________
1002112 Purchase Operations 2
Job_2 Cost Center Restrictions (ALL) _________________________________
1002 Finance Department Cost Center Restrictions (1001 ONLY) _________________________________
Cost Center Restrictions (2* – 3*)
_________________________________
This is based on
BI 7.x concepts
47
What We’ll Cover …
_________________________________
• What makes a good BI security model? _________________________________
• How and why to set up a flexible position-based model _________________________________
ΠRoles for BI user type
_________________________________
ΠSpecial function roles
ΠInfoArea and Data Target-level security _________________________________
ΠInfoObject-level security _________________________________
• How to control ad hoc query creation using role menus _________________________________
• How to leverage the company organizational hierarchy _________________________________
• Wrap-up
_________________________________
_________________________________

48

How to Control Ad Hoc Query Creation Using Menus in


Roles _________________________________
• What are menu folder roles? _________________________________
ΠAreas to define the folder structures where workbooks and _________________________________
queries are saved for storage in SAP NetWeaver BI and are
accessed by other SAP NetWeaver BI users. They are defined _________________________________
by the Basis team under the PFCG transaction code in the
_________________________________
role’s Menu tab and are separate from Authorization Roles.
ΠSAP NetWeaver BI users can access the queries and _________________________________
workbooks stored in the Menu roles from the BEx Analyzer
_________________________________
under the Role tab.
_________________________________
_________________________________
_________________________________

49

How to Control Ad Hoc Query Creation Using Menus in


Roles (cont.) _________________________________
• What are menu folder roles? (cont.) _________________________________
ΠAd hoc menu folder roles
_________________________________
f Capture reports that users have created in the production
environment directly where users want to circulate them to a _________________________________
greater audience (e.g., Department)
_________________________________
ΠStandard (Certified) menu folder roles
f Capture reports that users have created in development and
_________________________________
transported to production. They are certified through quality, _________________________________
usually tested thoroughly for performance, and follow
company query design standards _________________________________
_________________________________
_________________________________

50
How to Control Ad Hoc Query Creation Using Menus in
Roles (cont.) _________________________________
• Accessing _________________________________
Menu
_________________________________
Folder
Roles from _________________________________
SAPGUI _________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________

51

How to Control Ad Hoc Query Creation Using Menus in


Roles (cont.) _________________________________
• Accessing _________________________________
Menu Folder
Roles from _________________________________
SAP BEx _________________________________
Analyzer
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________

52

How to Control Ad Hoc Query Creation Using Menus in


Roles (cont.) _________________________________
• Rules to prevent loss of information _________________________________
ΠInitially, both ad hoc and Standard/Certified menu roles should
be created in SAP NetWeaver BI Development and transported
_________________________________
through the system landscape _________________________________
ΠOn-going maintenance or adjustments to Standard/Certified
_________________________________
Menus will still be conducted in the development environment
ΠOn-going maintenance or adjustments to ad hoc menus will be _________________________________
maintained directly in the affected system and never be _________________________________
transported again after the initial folder setup to prevent
query/folder overwriting during transport _________________________________
f Any additional folders need to be added manually in the
_________________________________
Production environment
ΠAll transported queries and workbooks need a menu role _________________________________
assigned; otherwise, they cannot be viewed by the users
53
How to Control Ad Hoc Query Creation Using Menus in
Roles (cont.) _________________________________
• DO separate roles that have authorization objects and _________________________________
menus
_________________________________
• DO separate roles that hold reports that are transported
(standardized/certified) versus production-created _________________________________
reports (ad hoc) _________________________________
• But why? _________________________________
ΠAuthorizations and menus operate on a different modification
schedule: Menus get updated more frequently with queries, _________________________________
workbooks, and Web reports _________________________________
ΠEnsures ad hoc queries, workbooks, and Web reports created in
a Production system are not overwritten by the same role after _________________________________
transporting from Development: Two separate roles – one ad
_________________________________
hoc (Production developed objects) and one standard/certified
(Development created objects) should be used.
54

How to Control Ad Hoc Query Creation Using Menus in


Roles (cont.) _________________________________
• Ad hoc query creation controlled through menus and _________________________________
naming conventions under the BI User Type definitions _________________________________
BW Dev. (BWD) BW Prod. (BWP)
Y* Standard
Y* Standard
Query Query _________________________________
Standard Standard
Standard Workbooks
Workbooks
Standard _________________________________
Menu Menu
Standard Web Reports
Standard Web Reports _________________________________
Z* Ad hoc Query _________________________________
Ad hoc Workbooks _________________________________
BWD Ad hoc Ad hoc Web Reports
_________________________________
Menu Z* Ad hoc Query BWP Ad hoc _________________________________
Correct Ad hoc Workbooks Menu
Setup Ad hoc Web Reports
55

How to Control Ad Hoc Query Creation Using Menus in


Roles (cont.) _________________________________
• Incorrect setup overwrites any ad hocs created in BWP _________________________________
_________________________________
BWD
Y* Standard Query _________________________________
Standard Workbooks _________________________________
One Standard Web Reports _________________________________
Menu _________________________________
_________________________________
_________________________________
Z* Ad hoc Query (BWD)
_________________________________
Incorrect Ad hoc Workbooks (BWD)
Setup Ad hoc Web Reports (BWD) 56
How to Control Ad Hoc Query Creation Using Menus in
Roles (cont.) _________________________________
• Incorrect setup overwrites any ad hocs created in _________________________________
BWP (cont.)
_________________________________
BWD BWP
Y* Standard
Y* Standard Query Query _________________________________
Standard
Standard Workbooks
Workbooks _________________________________
One Standard Web Reports
Standard Web Reports _________________________________
Menu One _________________________________
Menu _________________________________
_________________________________
Z* AdZ*hoc
Ad Query
hoc Query
(BWD)
(BWP)
_________________________________
Incorrect AdAd
hoc
hoc
Workbooks
Workbooks
(BWD)
(BWP)
Setup Ad
Adhoc
hocWeb
WebReports
Reports(BWD)
(BWP) 57

How to Control Ad Hoc Query Creation Using Menus in


Roles (cont.) _________________________________
• Incorrect setup overwrites any ad hocs created in _________________________________
BWP (cont.) _________________________________
BWD BWP
Y* Standard Query
_________________________________
Standard Workbooks _________________________________

Standard Web Reports _________________________________


One _________________________________
Menu _________________________________
_________________________________
Z*
Z* Ad
Ad hoc
hoc Query
Query (BWD)
(BWP)
_________________________________
Incorrect Ad
Adhoc
hocWeb
Workbooks
Reports (BWD)
(BWP)
Setup Ad
Adhoc
hocWeb
Workbooks
Reports (BWD)
(BWP) 58

How to Control Ad Hoc Query Creation Using Menus in


Roles (cont.) _________________________________
• How to set up Menu role in transaction PFCG _________________________________
ΠMenu light will
be red if Menu _________________________________
folders are _________________________________
empty. This is
okay for initial _________________________________
setup. _________________________________
ΠAuthorization
light will _________________________________
remain red as _________________________________
Authorizations
and Menus are _________________________________
defined in two _________________________________
separate roles
59
How to Control Ad Hoc Query Creation Using Menus in
Roles (cont.) _________________________________
• Organizational Hierarchy _________________________________
Corporate Menu Folders
_________________________________
1000 Corporate
Logistics Department Menu Folders _________________________________
1001 Logistics Department
(Both Ad hoc and Standard Menus)
Job_1 _________________________________
1001001 Purchasing Manager _________________________________
1002111 Purchase Operations 1
_________________________________
1002112 Purchase Operations 2
Job_2 _________________________________
Finance Department Menu Folders
1002 Finance Department _________________________________
(Both Ad hoc and Standard Menus)
_________________________________

60

How to Control Ad Hoc Query Creation Using Menus in


Roles (cont.) _________________________________
• Loss of functionality in SAP NetWeaver BI 7.x _________________________________
ΠEnter in Role feature no longer supported in BEx
_________________________________
_________________________________
GOTCHA! _________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________

61

How to Control Ad Hoc Query Creation Using Menus in


Roles (cont.) _________________________________
• So how can you get queries and workbooks into Menus? _________________________________
• Queries: can still be saved into the role. This doesn’t _________________________________
create a new technical ID.
_________________________________
• Workbooks: cannot be saved into the role, as this would
create a new technical ID _________________________________
ΠWorkaround for saving reports/workbooks into menu roles _________________________________
f Option 1: Use the old SAP BW 3.x tools to assign them. This
_________________________________
doesn’t affect the version the query is developed in.
Tip f OR _________________________________
f Option 2: Go into transaction PFCG and assign the _________________________________
reports/workbooks manually. You may need to review your
authorization strategy for this since transaction PFCG is _________________________________
usually a Security Administrator’s role only.
62
How to Control Ad Hoc Query Creation Using Menus in
Roles (cont.) _________________________________
• Go into transaction PFCG and assign the reports/ _________________________________
workbooks manually:
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
Tip _________________________________

63

What We’ll Cover …


_________________________________
• What makes a good BI security model? _________________________________
• How and why to set up a flexible position-based model _________________________________
ΠRoles for BI user type
_________________________________
ΠSpecial function roles
ΠInfoArea and Data Target-level security _________________________________
ΠInfoObject-level security _________________________________
• How to control ad hoc query creation using role menus _________________________________
• How to leverage the company organizational hierarchy _________________________________
• Wrap-up
_________________________________
_________________________________

64

How to Distribute the HR Organization Structure


_________________________________
• Cannot use normal BI extraction toolset under the Data _________________________________
Warehouse Workbench (transaction RSA1)
_________________________________
ΠSAP NetWeaver BI master data extraction of InfoObject
0ORGUNIT populates the data warehouse _________________________________
ΠThe HR Organization Structure used for role allocation is _________________________________
separate from the data warehouse and thus functions
differently (e.g., distribute method and loading outside of SAP _________________________________
NetWeaver BI ETL toolsets)
_________________________________
• Prerequisites
_________________________________
ΠInfotype 0105 is maintained
ΠTable T77S0, Group PLOGI, Semantic Abbreviation PLOGI has _________________________________
01 Active Plan version in both systems _________________________________
ΠAll users must exist in both systems (Central User
Administration [CUA] distribution) 65
How to Distribute the HR Organization Structure (cont.)
_________________________________
• Six steps to distribution _________________________________
ΠCreate the HR-ORG distribution model (view of entire tree) in
_________________________________
the source system (e.g., SAP ERP)
ΠGenerate partner profiles in SAP ERP and CUA systems _________________________________
ΠIf employee (P) object type is undefined in the source system, _________________________________
create an outbound filter using the customer exit in the source
system _________________________________
ΠActivate the change pointers, write change pointers in Infotype _________________________________
0105
_________________________________
ΠDistribute the initial HR-ORG hierarchy
ΠDistribute changes to the HR-ORG hierarchy _________________________________
• Refer to document for greater details _________________________________
Œ “Indirect Role Assignment using HR-ORG.pdf”
66

How to Distribute the HR Organization Structure (cont.)


_________________________________
• Potential issues _________________________________
Œ Model doesn’t distribute. Under step “Creating an HR-ORG _________________________________
Distribution Model in the Sending System,” the filter definitions
for the HR System as Target System may not work as _________________________________
documented
_________________________________
f Solution: Create different Filter Groups, run different
parameters during initialization and delta of objects _________________________________
f Refer to document for greater details _________________________________
“Indirect Role Assignment using HR-ORG Supplement.doc”
_________________________________
Œ Model isn’t found in target system under CUA model, although _________________________________
it is successfully distributed
_________________________________
f Solution: Plan the Report RPDAPP01 with type HRMD_ABA

67

How to Allocate Roles Using HR Organization Structure


_________________________________
• Ensure the Organization Model setting is active _________________________________
ΠExecute transaction PFCG
_________________________________
ΠSelect Goto ΠSettings
Œ Choose option “Complete view (Organizational Management _________________________________
and workflow)” _________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________

68
How to Allocate Roles Using HR Organization
Structure (cont.) _________________________________
• Nine steps to HR-ORG role allocation _________________________________
ΠExecute transaction PFCG
_________________________________
ΠSpecify the role for assignment
ΠChoose the User tab page _________________________________
ΠClick the Organizational Mgmt button _________________________________
ΠClick the Assignment button _________________________________
ΠChoose Agent Type Organizational unit
_________________________________
ΠEnter Search term * and select Org tree icon. HR-ORG is
displayed. _________________________________
ΠSelect the node for allocation. Choosing a high node auto _________________________________
selects lower level nodes.
ΠSpecify relationship validity period. Create. _________________________________

69

How to Allocate Roles Using HR Organization


Structure (cont.) _________________________________
• Step 1 – Execute transaction PFCG _________________________________
• Step 2 – Specify the role for assignment _________________________________
• Step 3 – Choose the User tab page _________________________________
• Step 4 – Click the Organizational Mgmt button
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________

70

How to Allocate Roles Using HR Organization


Structure (cont.) _________________________________
• Step 5 – Click the Assignment button _________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
ΠAny user IDs that appear green in the tree have been _________________________________
directly assigned to the role _________________________________
_________________________________

71
How to Allocate Roles Using HR Organization
Structure (cont.) _________________________________
• Step 6 – Choose Agent Type Organizational unit _________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
• Step 7 – Enter Search term * and select Org tree icon _________________________________

72

How to Allocate Roles Using HR Organization


Structure (cont.) _________________________________
• Step 8 – Select the node for allocation _________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________

73

How to Allocate Roles Using HR Organization


Structure (cont.) _________________________________
• Step 9 – Specify relationship validity period. Create. _________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________

74
How to Allocate Roles Using HR Organization
Structure (cont.) _________________________________
• Result of the allocation from the HR-ORG tree _________________________________
perspective:
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
• Organization levels that appear blue in the tree have had Indirect _________________________________
role assignments allocated. Green highlights are Direct role
assignments.
75

How to Allocate Roles Using HR Organization


Structure (cont.) _________________________________
• Result of the allocation from role perspective defined _________________________________
under transaction PFCG _________________________________
_________________________________
_________________________________
_________________________________
_________________________________
Direct
Indirect _________________________________
_________________________________
_________________________________

76

What We’ll Cover …


_________________________________
• What makes a good BI security model? _________________________________
• How and why to set up a flexible position-based model _________________________________
ΠRoles for BI user type
_________________________________
ΠSpecial function roles
ΠInfoArea and Data Target-level security _________________________________
ΠInfoObject-level security _________________________________
• How to control ad hoc query creation using role menus _________________________________
• How to leverage the company organizational hierarchy
_________________________________
• Wrap-up
_________________________________
_________________________________

77
Query User Example (Direct User Assignment)
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________

78

Power User Example (Direct User Assignment)


_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________

79

BI Department Administrator Example (Direct User


Assignment) _________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________

80
Resources
_________________________________
• SAP Service Marketplace note _________________________________
Œ 934848 “Collective note: (FAQ) BI Administration Cockpit”
• Documentation BI Administration Cockpit _________________________________
Πhttp://help.sap.com/saphelp_nw70/helpdata/en/43/15c54048035a39e10000000 _________________________________
a422035/content.htm
• Documentation BI Query Runtime Statistics _________________________________
Πhttp://help.sap.com/saphelp_nw70/helpdata/en/ef/372242c4e05033e10000000 _________________________________
a155106/content.htm
• How to Upload Roles into your BI System _________________________________
Œ “How to Upload the Roles.doc” _________________________________
• Indirect Role Assignments
Πhttp://help.sap.com/saphelp_nw04/helpdata/en/8b/3c713eeaac5441e10000000 _________________________________
a114084/frameset.htm
_________________________________
f “Indirect Role Assignment Using HR-ORG.PDF”

f “Indirect Role Assignment Using HR-ORG Supplement.doc”


81

Resources (cont.)
_________________________________
• Indirect Role Assignments (cont.) _________________________________
ΠSAP Service Marketplace (https://websmp109.sap-ag.de/notes *) _________________________________
f SAP Note 200343: HR-CA-ALE: Composite SAP Note Re
Distributing HR Master Data _________________________________
f SAP Note 363187: HR-CA-ALE: Initial Distribution w. _________________________________
HRMD_A/ HRMD_ABA (hint)
_________________________________
f SAP Note 200066: HR-CA-ALE: Q&A for Setting Up HR-ALE
Scenarios _________________________________
ƒ This note contains links to the QuickStart documentation
_________________________________
for ALE and the ALE HR business processes
f SAP Note 581019: Distribute PFCG HR-ORG model for _________________________________
indirect role assignment _________________________________

82

7 Key Points to Take Home


_________________________________
• Use the HR Organizational Hierarchy to distribute roles _________________________________
across an organization
_________________________________
• Allocate roles to positions, jobs, and organizational unit
nodes and not a user’s logon ID _________________________________
• Capture common transactions at the highest point _________________________________
defined in the dependency of BW User Types _________________________________
ΠE.g., if an action is required by both Power User and
_________________________________
Department Administrator, modify the Power User role
• Use Single roles and allow the hierarchy to build the _________________________________
combined “composite-like” authorizations _________________________________
_________________________________

83
7 Key Points to Take Home (cont. )
_________________________________
• More effort is required in the initial setup of a flexible _________________________________
model. However, an inflexible one requires higher on-
_________________________________
going maintenance and is more prone to security
inconsistencies. _________________________________
• Separate roles that control user actions with roles that _________________________________
control viewing of data _________________________________
• Separate roles that have authorizations defined within _________________________________
them from roles that contain only menus as they operate
on a different maintenance schedule _________________________________
_________________________________
_________________________________

84

Your Turn!
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
How to contact me: _________________________________
Tracey Brookes _________________________________
tbrookes@sapient.com
85
Notes:
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
Notes:
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
Wellesley Information Services, 990 Washington Street, Suite 308, Dedham, MA 02026
Copyright © 2008 Wellesley Information Services. All rights reserved.