BI 7 Security

1
Prerequisite: The audience should already have knowledge of BW 3.x SAP security.

2
Topics Covered

1. Differences between BW 3.x & BI 7
2. BI 7 Security Features
3. Authorization Trace
4. Creation of Analysis Authorization
5. Assignment of authorization
6. Additional authorization objects

3
Differences between BW 3.x & BI 7

4
Differences between 3.x & BI 7

BW 3.x: There was no SAP-delivered authorization object to link the hierarchies to roles. A customized auth object needs to be created, which will fall under SAP class RSR.

BI 7: The SAP-delivered auth object S_RS_AUTH (class RS) can be added to the roles and further linked to analysis authorization.

5
Contd…

RSSM (BW 3.x):
Old transaction: RSSM
Concept of authorization: 'Reporting Authorization'

RSECADMIN (BI 7):
New transaction: RSECADMIN
Concept of authorization: 'Analysis Authorization'

6
Contd…

BW 3.x:
Authorization: PFCG (Role based approach)

BI 7:
Authorization: PFCG (Role based approach), RSECAUTH (Analysis Authorization based approach)

7
Contd…

BW 3.x:
Full Authorization: SAP_ALL, SAP_NEW

BI 7:
0BI_ALL: Allows full authorization for the InfoObjects (IO) that are authorization relevant. Used in the authorization object S_RS_AUTH.
Full Authorization: SAP_ALL, SAP_NEW

8
BI 7 Security Features

9
BI 7 Security Features

The concept of BW security remains the same in BI 7; the changes mainly concern new authorization features, more authorization objects, newer Tcodes and more flexibility.

1. Analysis Authorization
2. Authorization Relevance
3. Special Characteristics
4. Special Authorization: 0BI_ALL
5. Variables in Authorization
6. Key Figure Authorization
7. Authorizing Navigational Attributes

10
Analysis Authorization

• Analysis Authorizations are the fundamental building blocks of the new reporting concept. They contain both the data value and hierarchy restrictions.

• This is also called data level access. With the new NW2004s analysis authorization principles it is now possible to create an analysis authorization object directly on an InfoObject.

• The authorization can either be single values or a value range, or be created with a reference to a hierarchy, provided the InfoObject is created with a hierarchy and the InfoObject is authorization relevant.

11
Authorization Relevance

Before restricting authorization on a characteristic, we have to mark it as authorization relevant.

1. Execute Tcode RSD1
2. Enter the InfoObject name
3. Go to the Business Explorer tab
4. Select the check box “Authorization Relevant”
5. Activate the InfoObject

12
Special Characteristics

These special characteristics must be assigned to a user in at least one authorization:

• 0TCAACTVT: Restricts access to activities, i.e. display, create, change etc.
• 0TCAIPROV: Restricts access to the InfoProvider, i.e. InfoCube, ODS, MultiProvider etc.
• 0TCAVALID: Provides the validity of the analysis authorization
• All of these should be marked as authorization relevant

13
Special Authorization: 0BI_ALL

• An authorization for all values of authorization-relevant characteristics is created automatically in the system. It has the name 0BI_ALL. It can be viewed, but not changed. Every user that receives this authorization can access all the data at any time. Each time an InfoObject is activated and the property “authorization relevant” is changed for the characteristic or a navigation attribute, 0BI_ALL is automatically adjusted.

• A user that has a profile with the authorization object S_RS_AUTH and has entered 0BI_ALL (or has included the value *) has complete access to all data.

14
Key Figure Authorizations

This restriction is used to grant users authorization for particular key figures.

• Technical name: 0TCAKYFNM
• Possible values:
- Single value (EQ): Exactly one key figure
- Range (BT): Selection of key figures
- Pattern (CP): Selection of key figures based on a pattern

Note: If a particular key figure is defined as authorization-relevant, it will be checked for every InfoProvider.

15
Authorizing Navigational Attributes

To restrict access on a navigational attribute, it should be marked as authorization-relevant in the attribute tab strip.

Note: The referencing characteristic does not need to be authorization-relevant.

16
Authorization Trace

17
Authorization Trace

In BI 7 we can trace:
1) Authorization Monitoring
2) Change log of Analysis authorization

18
Authorization Monitoring

Checking Authorizations
• Log on with your own user ID (production support role)
• Check query execution with the authorizations of a specific user

19
Contd……..

Evaluate Log Protocol
• Turn on logging of user activities related to analysis authorizations
• View detailed information about authorization checks

20
Change log of Analysis authorization

Activate the following Virtual Providers from the Business Content (VAL =
Values, HIE = Hierarchies, UA = User Assignment)

The system records all changes to authorizations and user assignments.

Queries can be built on these InfoProviders to answer questions such as:
- How many users have access to a given InfoCube?
- Which users have access to company code X?
- When was authorization “XYZ” created, and by whom?

21
Creation of Analysis Authorization

22
Creation of Analysis Authorization

There are two ways to create the analysis authorization in BI 7:

1. Manual creation of analysis authorization through RSECAUTH Tcode
2. Automatic generation of analysis authorization approach (for mass creation and assignment)

23
Creation through RSECADMIN

1) Execute Tcode RSECADMIN
2) Go to Maintenance in the Authorization tab
3) Enter the Analysis Authorization and click Create

24
Automatic generation of analysis authorization

With the generation of analysis authorizations, we can load authorized values from other systems into Data Store objects and generate authorizations from them. This approach is generally used for mass creation of analysis authorizations and assignment of these authorizations to the users.

Steps to be performed:

Data Warehouse Workbench (RSA1):
1. Activate Business Content
2. Load of Data Store Objects

Management of Analysis Authorizations (RSECADMIN):
3. Generate Authorizations
4. View Generation Log

25
Activate Business Content

SAP delivers Business Content for storing authorizations and the user assignment of authorizations. It should be activated.

26
Load of Data Store Objects

• Fill the Data Store objects with the user data and authorizations
• Extract the data, for example, from an SAP R/3 source system or from
a flat file
Note: Some consistency checks should be added to avoid errors during
the generation later
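
One way to run such consistency checks on a flat file before the load, shown as an added example that is not part of the original slides. The two-file column layout and the sample rows are constructed for illustration and are not an SAP format; the rules come from the slides (special characteristics, EQ/BT/CP options, 0BI_ALL).

```python
import csv
import io
from collections import defaultdict

# The three special characteristics named on the "Special Characteristics" slide.
SPECIAL = {"0TCAACTVT", "0TCAIPROV", "0TCAVALID"}
OPTIONS = {"EQ", "BT", "CP"}  # single value, range, pattern
# Constructed sample data; the column layout is hypothetical, not an SAP format.
VALUES_CSV = """auth,iobj,opt,low,high
Z_CC_1000,0COMP_CODE,EQ,1000,
Z_CC_1000,0TCAACTVT,EQ,03,
Z_CC_1000,0TCAIPROV,CP,Z*,
Z_CC_1000,0TCAVALID,EQ,*,
Z_KF_SALES,0TCAKYFNM,BT,ZAMOUNT,
Z_KF_SALES,0COMP_CODE,XX,2000,
"""
USERS_CSV = """user,auth
ALICE,Z_CC_1000
BOB,Z_KF_SALES
CAROL,Z_MISSING
DAVE,0BI_ALL
"""

def check(values_csv, users_csv):
    """Return a sorted list of (subject, problem) findings."""
    findings, chars = set(), defaultdict(set)
    for r in csv.DictReader(io.StringIO(values_csv)):
        chars[r["auth"]].add(r["iobj"])
        if r["opt"] not in OPTIONS:
            findings.add((r["auth"], f"unknown option {r['opt']} on {r['iobj']}"))
        elif r["opt"] == "BT" and not r["high"]:
            findings.add((r["auth"], f"range on {r['iobj']} has no upper value"))
    granted, full = defaultdict(set), set()
    for r in csv.DictReader(io.StringIO(users_csv)):
        if r["auth"] == "0BI_ALL":  # full access: report it for review
            full.add(r["user"])
            findings.add((r["user"], "0BI_ALL gives access to all data"))
        elif r["auth"] not in chars:
            findings.add((r["user"], f"assigned undefined authorization {r['auth']}"))
        else:
            granted[r["user"]] |= chars[r["auth"]]
    for user in sorted(set(granted) - full):
        for missing in sorted(SPECIAL - granted[user]):
            findings.add((user, f"no authorization contains {missing}"))
    return sorted(findings)

if __name__ == "__main__":
    for subject, problem in check(VALUES_CSV, USERS_CSV):
        print(f"{subject}: {problem}")
```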

27
Generate Authorizations

Start the generation by specifying the relevant Data Store objects

28
View Generation Log

Detailed log can be viewed once the generation is completed

29
Assignment of Analysis Authorization

30
Assignment of authorization

• Direct assignment of Analysis authorization through RSECADMIN
• Indirect assignment through Roles (PFCG)

31
Direct assignment

• Direct assignment of Analysis authorization through RSECADMIN

32
Pros and Cons

Analysis authorization based approach:

Pros:
• This approach removes the need to create roles for the corresponding analysis authorization.
Cons:
• No change documents are provided by SAP for the assignment and removal of analysis authorizations from the user
• No SUIM (System User Information Management) reports are provided by SAP for analysis authorization
• No way to assign analysis authorizations to users in mass at a stretch.

33
Contd…..

• If an ID that has analysis authorizations assigned to it is deleted using SU01, these authorizations will not get deleted from the user’s profile. If the same ID is recreated, the user ID will automatically be populated with the earlier analysis authorizations.
So if this approach is followed, it is always recommended that the analysis authorizations are manually deleted from the user ID using RSU01, and then the ID is deleted using SU01.
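
A detection check for this leftover-assignment case, shown as an added example that is not part of the original slides. It assumes two exports are available, a list of existing user IDs and a list of direct analysis authorization assignments; both formats and all sample values are constructed for illustration.

```python
from collections import defaultdict

FULL_ACCESS = "0BI_ALL"  # special authorization for all data (from the slides)

# Constructed sample exports; the list formats are hypothetical.
USER_MASTER = ["ALICE", "bob", "DAVE "]   # IDs that still exist
DIRECT_ASSIGNMENTS = [                    # (user ID, analysis authorization)
    ("ALICE", "Z_CC_1000"),
    ("BOB", "Z_KF_SALES"),
    ("ERIN", "Z_CC_1000"),
    ("ERIN", "0BI_ALL"),
    ("frank", "Z_CC_2000"),
]

def norm(user_id):
    """Compare user IDs trimmed and upper-cased."""
    return user_id.strip().upper()

def orphaned_assignments(user_master, assignments):
    """Map each ID missing from the user master to its leftover authorizations."""
    existing = {norm(u) for u in user_master}
    leftovers = defaultdict(set)
    for user_id, auth in assignments:
        if norm(user_id) not in existing:
            leftovers[norm(user_id)].add(auth)
    return {u: sorted(a) for u, a in leftovers.items()}

def cleanup_queue(orphans):
    """Order IDs for cleanup: leftover 0BI_ALL first, then most authorizations."""
    return sorted(orphans,
                  key=lambda u: (FULL_ACCESS not in orphans[u], -len(orphans[u]), u))

if __name__ == "__main__":
    orphans = orphaned_assignments(USER_MASTER, DIRECT_ASSIGNMENTS)
    for user_id in cleanup_queue(orphans):
        print(user_id, orphans[user_id])
```

Any ID this reports would regain the listed authorizations if it were recreated, so those assignments are the ones to remove.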

34
Indirect assignment through Roles (PFCG)

• As an alternative to the direct assignment, we can also assign authorizations to roles, which can then be assigned to users.
• Use authorization object S_RS_AUTH for the assignment of authorizations to roles
• Maintain the authorizations as values for field BIAUTH

35
Pros and Cons

Pros:
• All the Change documents are already available
• All the existing SUIM reports are already available
• Mass role assignment is possible
Cons:
• Roles need to be created corresponding to the analysis authorizations, which means more maintenance in the system

36
New Authorization Objects

37
BI 7 new Authorization Objects

Below are the new authorization objects in BI 7 for the Administration Workbench, Business Explorer and analysis authorizations.
Authorization objects for the Data Warehousing Workbench:
S_RS_DS: For the DataSource or its sub objects (NW2004s)
S_RS_ISNEW: For new InfoSources or their sub objects (NW 2004s)
S_RS_DTP: For the data transfer process and its sub objects
S_RS_TR: For transformation rules and their sub objects
S_RS_CTT: For currency translation types
S_RS_UOM: For quantity conversion types
S_RS_THJT: For key date derivation types
S_RS_PLENQ: Authorizations for maintaining or displaying the lock settings
S_RS_RST: Authorization object for the RS trace tool
S_RS_PC: For process chains
S_RS_OHDEST: Open Hub Destination
38
Authorization objects for the Business Explorer:
S_RS_DAS: For Data Access Services
S_RS_BTMP: For BEx Web templates
S_RS_BEXTX: Authorizations for the maintenance of BEx texts

Authorization objects for the admin of analysis authorizations:
S_RSEC: Authorization for assignment and administration of analysis authorizations
S_RS_AUTH: Authorization object to include analysis authorizations in roles

Changed Authorization Objects:
S_RS_ADMWB (Data Warehousing Workbench: Objects): New values for field RSADMWBOBJ have been added, like BIA_ZA, CNG_RUN, CONT_ACT etc., for activities like BI Accelerator Monitor Checks and Attribute Change Run.
39
Questions

40
