This action might not be possible to undo. Are you sure you want to continue?
India SAP CoE, Slide 1
BI2008 - BI 7.0 Roles & Authorization - v1.0
1 2 3
India SAP CoE, Slide 2
BI2008 - BI 7.0 Roles & Authorization - v1.0
1 2 3
India SAP CoE, Slide 3
Slide 4 .Introduction • Purpose • Use • Challenges India SAP CoE.
• Describe the steps involved to setup an ‘Analysis Authorization’ for users.Purpose • Explain the key features of new authorization concept in SAP Netweaver 2004s. • Explain migration steps requirement between old and new authorization concept. Slide 5 . India SAP CoE.
programs. India SAP CoE. • Authorizations can be added to roles that define what content is available to specific users or set of users. • Authorization allows a user to perform a certain activity on a certain object in the BI System. • It prevents unauthorized users from accessing the system.Use • The SAP authorization concept protects transactions. Slide 6 . data and services in SAP systems from unauthorized access.
ODS Object or InfoCube) and hierarchies. Query. India SAP CoE. • Migration of old authorization objects to new authorizations. • Set up of user authorizations for queries containing authorization – relevant characteristics. as query results will not be shown at all even if parts of the authorization are not met.Challenges • To define authorizations and maintain them by object ( InfoObject. Slide 7 .
0 Roles & Authorization .0 1 2 3 PrepareMe TellMe ShowMe 4 5 India SAP CoE.BI 7.BI2008 . Slide 8 LetMe HelpMe .v1.
India SAP CoE. • The authorizations represent instances of generic authorization objects and are defined depending on the activity and responsibilities of the employee. programs.SAP Authorization Concept • Involves protecting transactions. and services in SAP systems from unauthorized access. The authorizations are combined in an authorization profile that is associated with a role. • On the basis of the authorization concept. specific field values. Slide 9 . administrator assigns authorizations to the users that determine which actions a user can execute in the SAP System.
OBJECT 1:10 AUTH. FIELDS WITH VALUES COMPOSITE PROFILE M:N MANUAL PROFILE AUTHORISATION AUTH. FIELDS WITH VALUES India SAP CoE. OBJECT 1:10 AUTH.SAP Authorization Concept USER MASTER RECORD M:N COMPOSITE ROLE M:N SINGLE ROLE AUTHORISATION 1:1 AUTH. OBJECT 1:10 AUTH. Slide 10 . FIELDS WITH VALUES MANUAL PROFILE AUTHORISATION AUTH. FIELDS WITH VALUES SINGLE ROLE AUTHORISATION AUTH. FIELDS WITH VALUES GENERATED PROFILE GENERATED AUTHORISATION AUTH. OBJECT 1:10 AUTH. OBJECT 1:10 AUTH.
Datastore Object) – Queries • Two types of Authorizations Supported in SAP Netweaver ‘04: 1)Standard Authorization : Focused on Administrative users 2)Analysis Authorization : Focused on Report Users India SAP CoE. Infocube. Slide 11 .g.BI Authorization Concept • Primary activities in BI are: – Displaying Data – Analyzing Result • Primary BI Security focus is on: – Infoarea – Infoprovider (For e.
S_RS_COMP1. • Transaction PFCG is used to assign authorization objects to roles and flag relevant InfoProviders. preconfigured ‘authorization objects’ are provided by SAP. • Eg: S_RS_COMP. Slide 12 .0 Authorization Types 1) Standard authorizations • Allow Users to perform administration tasks and ability to change/delete/create meta data objects like Infocube.e. Individual authorization objects are grouped into ‘roles’. DSO in BW • Based on standard structures provided by SAP i. S_RS_FOLD India SAP CoE.BI 7.The authorizations are then entered into individual users’ master records in the form of ‘profiles’.
Authorization – 0BI_ALL • Automatically generated and not changeable. India SAP CoE. Slide 13 . • A user that has a profile with authorization object S_RS_AUTH and has entered 0BI_ALL would have complete access to all data. • Grants authorization for all values of all authorizationrelevant characteristics. • Adjusted whenever a new Infoobject is set to authorization-relevant.
Standard authorization Set Up Steps in Brief • • Create a ‘Role’ using the transaction PFCG Assign the ‘Standard Authorization object’ to the ‘Role’. Slide 14 . India SAP CoE.
Standard Authorization Set Up Step 1 : Create a ‘Role’ using the transaction PFCG Step 2: Assign the Authorization object to the role. Slide 15 . India SAP CoE.
BI 7. • Transactions : RSECADMIN and PFCG are used to assign auth objects to users or roles and specify relevant InfoProviders. • Instead these authorizations use their own concept that takes the features of reporting & analysis in BI into consideration. This type of authorization is not based on the standard authorization concept of SAP.0 Authorization Types 2) Analysis Authorizations • All users who want to display transaction data from authorization-relevant characteristics or navigation attributes in a query require analysis authorization. Using this analysis authorization concept of BI for the display of query data. Authorization Object S_RS_AUTH is assigned to roles or users. Slide 16 . critical data is protected in a better way. India SAP CoE.
key-figures are checked for every infoprovider • On Infocube Level – Restriction at Infocube Level • On Hierarchy Node Level – Restriction of access to certain nodes of a Hierarchy India SAP CoE. When 0TCTAKYFNM is flagged as authorization relevant . Slide 17 . Infoobject 0TCTAKYFNM should be included in ‘authorization’.Analysis Authorizations Options • On Characteristic Level – Restriction of access to all values of a particular characteristic • On Characteristic Value Level – Restriction of access to certain values of a particular characteristic • On Key Figure Level – Restriction of access to certain Key Figures – For using this option.
Slide 18 .Analysis authorization : Characteristic level India SAP CoE.
Slide 19 .Analysis authorization: Characteristic value level India SAP CoE.
Slide 20 .Analysis authorization : Key Figure level India SAP CoE.
This which covers all relevant objects with namespace authorizations for specific activities.Analysis Authorizations Prerequisites for managing Analysis Authorization: 1. India SAP CoE. 2. • Activate Three BI Content Characteristics Activate following 3 objects of the technical BI Content related to authorizations: – Activity (0TCAACTVT) – Infoprovider (0TCAIPROV) : For granting authorization to particular infoprovider – Validity (0TCTAVALID): For granting authorization to specific time period • They must be assigned to user in atleast one authorization and must not be included in Queries. – Authorization : Authorization object S_RSEC. Slide 21 .
Analysis Authorizations • Define Characteristics as Authorization Relevant – Select the following InfoObjects of the technical BI Content to be authorization relevant: 0TCAACTVT. All characteristics that are to be checked by authorization check should be made authorization relevant. and 0TCAKYFNM. Define the navigation attributes as authorization relevant too if these are to be checked – India SAP CoE. 0TCAIPPROV. Slide 22 . 0TCAVALID.
Navigation Attribute .Authorization • We can use navigation attributes as authorization objects in BEx. India SAP CoE. • No need to mark the main characteristic as authorization relevant in order to make the navigation attribute as authorization relevant. Slide 23 .
They are: – Authorizations – User – Analysis India SAP CoE. Slide 24 .Analysis Authorizations • Transaction : RSECADMIN ( Management of Analysis Authorizations ) provides a central entry point for all functions that are required to manage analysis authorizations. • There are three important tabs in the main screen of this transaction.
Slide 25 .Used for generating analysis authorizations 3.Authorizations Tab 1.Used for creating and changing analysis authorizations 2.RSECADMIN .Used for collecting previously created authorizations to a transport request India SAP CoE.
RSECADMIN – User Tab 3.Used for general role maintenance (opens transaction PFCG ) 2.Used to assign analysis authorizations to a user 4.To transport created and assigned authorizations India SAP CoE. Slide 26 .Used for general user maintenance 1.
Used for executing various transactions as another user for checking their authorizations 2.For checking logs of authorization check 3.For checking log of all generation runs for authorizations India SAP CoE.Analysis Tab 1. Slide 27 .RSECADMIN .
Infocube) Object maintenance. Company Code 1000) Granular access to subsets of data / data slices Customer Allows access to Used For Structure Designed by India SAP CoE. Slide 28 .Standard vs Analysis Authorization Standard Authorization Meta Data objects (Eg. Data access at high level SAP Analysis Authorization Semantic Data Slices (Eg.
x) for working with Datasources (Release > BW 3. Slide 29 .com/saphelp_nw04s/helpdata/en/80/1a6859e07211d2acb80000e829fbfe/content.For Data Warehouse Workbench Authorization Object* S_RS_ADMWB S_RS_ODSO S_RS_HIER S_RS_IOBJ S_RS_ISNEW S_RS_DS S_RS_ICUBE S_RS_ISOUR Use for working with Individual Objects of the Data Warehousing Workbench (DWH) for working with Datastore Objects and their Subobjects for working with Hierarchies for working with individual InfoObjects and their subobjects for working with InfoSources (Release > BW 3.Authorization Objects .Refer transactions SU03/SU21 or SAP Help at http://help. for working with InfoCubes and their subobjects for working with InfoSources with flexible updating and their subobjects * For Complete List .sap.x)or its subobjects.ht m India SAP CoE.
sap.ht m India SAP CoE. Slide 30 .Authorization Objects .Business Explorer Authorization Object* S_RS_COMP S_RS_COMP1 Use for using different components for the query definition for queries from specific owners S_RS_FOLD display authorization for folders * For Complete List .com/saphelp_nw04s/helpdata/en/80/1a6859e07211d2acb80000e829fbfe/content.Refer transactions SU03/SU21 or SAP Help at http://help.
Slide 31 . 16) S_RS_COMP1 ( Query Owner) S_RFC ( BEx Analyzer or Browser only) S_TCODE ( RRMX for BEx Analyzer) In addition if BEx Analyzer tool is used by Reporting user then authorization for objects: S_RFC and S_TCODE with transaction code RRMX also needed India SAP CoE.Reporting User Authorizations Minimum authorization requirements for Reporting User: • • • • • Analysis Authorization for an infoprovider S_RS_COMP ( Activities 03.
but support – About 80% automatic migration expected – Customer exit variables for 0TCTAUTHH cannot be migrated – Intensive tests are highly recommended • Singular event • During migration to new authorization concept.Migration to new Authorizations • Migration is performed with the help of program RSEC_MIGRATION. Slide 32 . the existing concept won’t be changed. automatic migration. • No complete. India SAP CoE.
Migration Steps • Step 1: Choose users • Step 2: Choose authorization objects to be migrated • Step 3: Choose assignment method – Direct user assignment – Create new profiles – Extend existing profiles – Undo migration • Step 4: Choose details of authorization migration and check logs India SAP CoE. Slide 33 .
BI 7.BI2008 .0 1 2 3 PrepareMe TellMe ShowMe 4 5 India SAP CoE. Slide 34 LetMe HelpMe .0 Roles & Authorization .v1.
Assign analysis authorization using a role (optional).Analysis Authorizations Steps to create and assign Analysis Authorization in brief: 1. 4. 2. Enter transaction code RSECADMIN. Enter authorization name and click on ‘create’. 3. Insert 3 special characteristics and add at least one other authorization relevant infoprovider which needs to be restricted using analysis authorizations.Select ‘Authorization’ tab and choose ‘maintenance’. Slide 35 . Assign authorization to user with RSECADMIN – user tab. India SAP CoE. 5. Assign relevant value/hierarchy authorization corresponding to the infoprovider(s) and save the analysis authorization.
Analysis Authorizations Step 1 : Create Analysis Authorization Object using the transaction code: RSECADMIN ‘Authorizations’ Tab ‘Maintenance’ Option Enter the technical name and click on ‘Create’ India SAP CoE. Slide 36 .
2.Analysis Authorizations Step 2 a : Use ‘insert’ option to include special characteristics: 0TCAACTVT.Enter the text details and select ‘insert’ option to include special characteristics. 0TCAVALID 1.Auth Structure after insertion of special characteristics India SAP CoE. Slide 37 . 0TCAIPROV.
Analysis Authorizations Step 2 b: Maintain values for the characteristics Select a characteristic say ‘0TCTAACTVT’ and click on ‘Details’ to maintain values for Authorization India SAP CoE. Slide 38 .
Slide 39 .’ Tab . For e.’ assignments and Save.provide relevant ‘Operator’ and ‘Technical Character.g.Analysis Authorizations Step 2 c: Assign the value authorizations for the selected characteristic In the ‘Value Auths.: For characteristic 0TCAACTVT select the Activity ‘EQ’ to Display 03 India SAP CoE.
Choose the infoprovider option 2. Slide 40 .Provide the infoprovider name in the next pop-up and select ‘Enter’ India SAP CoE.Analysis Authorizations Step 2 d: Go back and Insert the infoprovider using for which authorizations are to be maintained using option 1.
Slide 41 .Analysis Authorizations Step 2 e: Select the authorization relevant infoobject of the infoprovider Select the authorization relevant infoobject of the infoprovider (In this case infoobject 0INFOPROV) and select ‘Enter’ India SAP CoE.
India SAP CoE. Select the authorization relevant infoobject of infoprovider (in this case 0INFOPROV) and click on ‘Details’ to assign values to it.Analysis Authorizations Step 3 a : Select the authorization relevant infoobject of infoprovider and assign ‘value authorizations’ to it. Slide 42 .
’ as per authorization requirements. operator = EQ and Technical Character.Analysis Authorizations Step 3 b : Assign Value authorization for the selected infoprovider In the ‘Value Auths. India SAP CoE.g.’ tab assign appropriate ‘operator’ and ‘Technical Character. for access to unassigned values. Slide 43 . = # is used. For e.
eg.Authorization Values Options The options available for providing the value authorizations are: • • • • • • • • • • • • • I/E Include / Exclude EQ Equal to BT Range of values LE Less than or equal to LT Less than GT Greater than GE Greater than or equal to CP Contains pattern . ABC * : aggregated values # unassigned values * any character string + for exactly one character $VARNAME Variables of type customer exit can be used India SAP CoE. Slide 44 .
In the next pop-up.Select Hierarchy/ Authorizations Tab and click in ‘Create’ 2. use the hierarchy/Authorizations tab 1.Analysis Authorizations Step 3 c : To provide hierarchy authorizations. Use ‘Select Hierarchy’ to view available hierarchies 3.Select the Hierarchy and Click on ‘Enter’ India SAP CoE. Slide 45 .
Slide 46 .Analysis Authorization Step 3 d : Assign relevant values for Hierarchy Authorizations Assign relevant authorization. For e.Type = 3 is used India SAP CoE.g. for Complete hierarchy authorization .
Slide 47 . Select ‘Assignment’ India SAP CoE.Analysis Authorization Step 4 a : Enter the transaction code: RSECADMIN -> ‘User Tab’ and Select ‘Assignment’ option for assigning analysis authorization to the User.
Analysis Authorization Step 4 b : Enter the User id to which the authorization is to be provided Enter username and click on ‘Change’. Slide 48 . India SAP CoE.
Select the required authorization and click on ‘Enter’ India SAP CoE.Analysis Authorization Step 4 c : Add the required Analysis Authorization 1.Choose ‘Help’ ( F4) option to view list of available Analysis Authorizations 2. Slide 49 .
Slide 50 .Analysis Authorization Step 4 d : Save the Assignment Analysis authorization has been assigned to user. Additional authorizations can be added if necessary. save the assignment. India SAP CoE.
Add analysis authorization to role using object S_RS_AUTH.Analysis Authorization Step 5 : This step is optional. India SAP CoE. Using the ‘Role maintenance’ option of transaction RSECADMIN in the ‘User’ Tab. Slide 51 .
generated ‘logs’ are analyzed. India SAP CoE. Slide 52 . Once this id done.> ‘Analysis’ Tab is used for analysis of the authorization errors.User executes the steps leading to the error after configuration of ‘recording’. • Execute as .Execute as another user and then Analyze the logs. Two options available for analyzing the errors are 1. Error logs .Authorization Error Analysis • Transaction RSECADMIN . 2.
Execute as Step 1 a : Select the option ‘Execute as’ on the‘Analysis’ tab of RSECADMIN transaction Select Execute as on the Analysis tab to analyze errors as another user India SAP CoE. Slide 53 . Using option .Authorization Error Analysis 1.
2. Using option .Execute as Step 1 b: Enter the Username and choose the relevant option (for example transaction : RSRT) and click on ‘Execute’: 1. Slide 54 .Authorization Error Analysis 1. India SAP CoE. Enter the username and select with log. Choose the relevant option & execute the transaction.
Authorization Error Analysis 1. Using option .Execute as Step 1 c: Enter the Query name for which authorization error is to be analyzed Step 1 d: Enter the selection parameters for the query and execute India SAP CoE. Slide 55 .
Using option . India SAP CoE.Execute as Step 1 e: Analyze the errors that appear on the screen Analyze the errors that appear on this screen.Authorization Error Analysis 1. Slide 56 .
Using option – Error Logs Step 1 a : Select the option ‘Error Logs’ on the ‘Analysis’ tab of RSECADMIN transaction Error log option is used to configure recording to track user authorization errors.Authorization Error Analysis 2. Slide 57 . India SAP CoE.
Authorization Error Analysis
2. Using option – Error Logs Step 1 b : Select the option ‘Configure Log Recordings’
Click on ‘Configure Log Recording’ to add user name for whom the Error is to analyzed.
India SAP CoE, Slide 58
Authorization Error Analysis
2. Using option – Error Logs
Step 1 c :Enter the Username and save.Next request the user to run the Query
Add username, save and go back to the previous screen. Request the user to run the query now and check the log.
India SAP CoE, Slide 59
Authorization Error Analysis
2. Using option – Error Logs
Step 1 d :Check the generated error log once the user has executed the Query .For this use the transaction RSECADMIN - > Analysis tab -> ‘Error logs’ option.
Provide the Username and time of run in the selection screen and select ‘Display’ option to view the log
India SAP CoE, Slide 60
Using option – Error Logs Step 1 e :Analyze the errors that appear in the Log India SAP CoE. Slide 61 .Authorization Error Analysis 2.
Select Class (for e. Slide 62 .Select the object and use ‘Documentation’ option for viewing further details 1.Information on authorization objects Transaction SU03 provides information about the Authorization and Roles 2.g. RS for Business Information Warehouse ) and execute ‘List Authorizations’ option India SAP CoE.
v1.BI2008 . Slide 63 LetMe HelpMe .0 Roles & Authorization .BI 7.0 1 2 3 PrepareMe TellMe ShowMe 4 5 India SAP CoE.
• Step 4. Assign analysis authorization using a role (optional).LetMe • Step 1. Assign authorization to user • Step 5. • Step 3. 0TCAVALID.Add atleast one other authorization relevant infoprovider which should be restricted using analysis authorizations. Assign the relevant values corresponding to the infoprovider(s) and save the analysis authorization. 0TCAIPROV. Create Analysis Authorization • Step 2. Insert 3 special characteristics:0TCAACTVT. Slide 64 . India SAP CoE.
BI 7.BI2008 . Slide 65 LetMe HelpMe .0 1 2 3 PrepareMe TellMe ShowMe 4 5 India SAP CoE.0 Roles & Authorization .v1.
Slide 66 . For checking errors in standard authorizations. For creating roles and assigning users to roles. India SAP CoE. For information on authorization objects.Useful Transaction codes Transaction code Use RSECADMIN PFCG SU03 / SU21 ST01 For creating and assigning analysis authorizations and checking errors in analysis authorization.
ST01 and SU53 can be used to analyze user authorization errors.Tips and Tricks • In case there are no authorization restrictions for any user (for example in a development system ) include special authorization 0BI_ALL in authorization object S_RS_AUTH. Slide 67 . • SUIM – User Information System is a useful transaction code for checking user and role Assignments. India SAP CoE. • Transaction codes RSECADMIN.
use program RSEC_MIGRATION India SAP CoE.BW 3.0. Slide 68 .X Authorizations • Reporting Authorizations Previous to SAP NetWeaver 2004s. SAP recommends using the new concept (Analysis Authorization in 2004s) because it is better suited to the requirements of BI and because the previous concept will no longer be supported.X to BI 7. then called reporting authorizations. • To migrate authorizations from BW 3. the SAP standard authorization concept was also used for analysis authorizations.
Additional Info SAP Help Site for complete information on BI 7. Slide 69 .htm India SAP CoE. http://help.0 authorizations.com/saphelp_nw04s/helpdata/en/be/07 6f3b6c980c3be10000000a11402f/frameset.sap.
This action might not be possible to undo. Are you sure you want to continue?
We've moved you to where you read on your other device.
Get the full title to continue listening from where you left off, or restart the preview.