Advanced Features of SAP BW Reporting Authorizations

Advanced Features of SAP BW Reporting Authorizations

Session 709

Amelia LoPlatinum Consultant, SAP NetWeaver RIG

SAP Labs, LLC

© SAP AG 2003 ASUG BITI Forum Session 709, Amelia Lo / 2

Learning Objectives

As a result of this workshop, you will be able to:

Have a good handle of the most misunderstood features of the BW Reporting Authorization

Understand how authorizations variable worksUnderstand how hierarchy node variable works

Learn the new functionality and new BW Authorizations Objects in BW3.0 Learn the basics of Planning and Strategize BW AuthorizationsKnow the dos and don’ts on BW Authorizations


SAP NetWeaver™The integration and application platform for lower TCO

Unifies and aligns people, information and business processes

Integrates across technologies and organizational boundariesA safe choice with full .NET and J2EE interoperability

The business foundation for SAP and partners

Powers business-ready solutions that reduce custom integrationIts Enterprise Services Architecture increases business process flexibility

DB and OS Abstraction

.NET WebSphere…

People Integration

Com

posi

te A

pplic

atio

n Fr

amew

ork

Process IntegrationIntegration

BrokerBusiness Process

Management

Information IntegrationBusiness

IntelligenceKnowledge

Management

Multi-Channel Access

SAP NetWeaverSAP NetWeaver™™

Portal Collaboration

Life Cycle M

anagement

Master Data Management

J2EE ABAP

Application Platform

DB and OS Abstraction


Don’t Miss the SAP Business Solutions Tour!

Your chance to see SAP NetWeaver in action – see live demonstrations of:

SAP Enterprise Portal

SAP Business Information Warehouse

SAP Exchange Infrastructure

SAP Web Application Server

SAP Mobile Infrastructure

SAP Master Data Management

30-minute tour timeslots availableMonday 10:30 – 5:10Tuesday 9:40 – 5:30Wednesday 8:00 – 12:00

Located at Wyndham Hotel Parking Lot


Agenda

Special Topics on BW Reporting Authorizations

Planning & Strategize BW Authorizations

What’s New in BW 3.0

The Dos and Don’ts


Agenda

Special Topics on BW Reporting Authorizations





Special Topics of BW Reporting Authorizations

A Quick Review of BW Reporting Authorizations

A few most misunderstood FeaturesVariable filled AuthorizationsImportant parameter when use Global Variable Customer Exit Hierarchy Authorizations with Compound Characteristics

Tracing Authorizations in BW


Open Data Warehouse Architecture


SAP R/3 vs. BW Authorizations

What’s the sameRole Based Security Authorizations

Users are assigned rolesRoles contain profilesProfiles contain authorizationsRoles are maintained using same tool (“PFCG” transaction) Can be administered via CUA (Central User Administration)

Authorization objects define specific permissionsThere are standard authorization objects available in the system

What’s differentUnique BW Objects (InfoProvider, InfoArea, InfoObject, Query…)Unique SAP BW Authorization Tool to administer BEx Reporting data security It is possible to use variable security runtime parametersIt is possible to generate profiles from datasources


Authorization Concept Overview

Meta Data ManagerMeta Data Manager

Business Explorer

Business InformationWarehouse Server

Meta DataRepositoryMeta DataRepository

InfoCubesInfoCubesData ManagerData Manager

Non R/3 Production Data Extractor

Non R/3 Production Data Extractor

Non R/3 OLTP ApplicationsNon R/3 OLTP Applications

OLAP ProcessorOLAP Processor

3rd party OLAP client

3rd party OLAP client

ODSODSStaging EngineStaging Engine

BAPIBAPI

R/3 OLTP ApplicationsR/3 OLTP Applications

OLTP Reporting

OLTP Reporting

Production DataExtractor

Production DataExtractor

3

SchedulingScheduling

MonitorMonitor

Administrator Workbench

AdministrationAdministration

2

1

Bex BrowserBex Browser

Analyzer

Bex Query Designer

Bex Analyzer

Web Appl DesignerWeb Appl Designer Web ReportWeb Report

Bex AnalyzerBex Analyzer

Query DesignerQuery Designer


Types of BW Authorizations

Systems Communication Authorizations

AdministrationConcept very close to standard R/3 all authorization relevant objects are delivered by SAPPre-defined Templates can be used as a starting pointAdministration of authorizations like in R/3

Reportingno authorization relevant object definition is deliveredset of tools to define customer specified concept embedded in SAP BW administration


SAP BW Authorization Overview

UserUser

ProfileProfile

AuthorizationAuthorization

ValueValue

ObjectObject

FieldField

AUTHORIZATION OBJECT CLASS: BUSINESS INFORMATION

WAREHOUSE-Administration

AUTHORIZATION OBJECT CLASS: AUTHORIZATION OBJECT CLASS: BUSINESS INFORMATION BUSINESS INFORMATION

WAREHOUSEWAREHOUSE--AdministrationAdministration

ValueValue

ObjectObject

FieldField

AUTHORIZATION OBJECT CLASS: BUSINESS INFORMATION

WAREHOUSE- REPORTING

AUTHORIZATION OBJECT CLASS: AUTHORIZATION OBJECT CLASS: BUSINESS INFORMATION BUSINESS INFORMATION

WAREHOUSEWAREHOUSE-- REPORTINGREPORTING

RoleRole

Profile GeneratorProfile Generator


SAP BW Reporting Authorizations Objects

0..n

SAP BW ObjectsSAP BW InfoProviders

1..m

< Authorization Object >

<field 1>

<field 2>

<...>

Key Figure Object (1KFYNM)

Authorization Relevant Characteristic

Hierarchy Node

0..1

0..10

0..10

0..n

•• Only “one” 0TCTAUTHH Only “one” 0TCTAUTHH per Reporting per Reporting Authorization ObjectAuthorization Object

•• Many Hierarchy Many Hierarchy Authorizations can be Authorizations can be entered characteristicentered characteristic

0TCTAUTHH

0ORGUNIT

0Costcenter

0Profitcenter

<...>


Steps to Create Reporting Authorizations

1 Mark characteristics as "Authorization Relevant”

Create an Authorization Object for Reporting(Transaction: RSSM)

• Include required “Authorization Relevant Characteristics” • If key figure authorization required, include 1KYFNM, • If Hierarchy authorization required, Include 0TCTAUTHH and

leaf Characteristics,

Create Hierarchy Authorizations• Define a description of a hierarchy authorization.• Create an authorization for the new authorization object. Enter

the technical name of the description of a hierarchy authorization as value for field 0TCTAUTHH.

Create Authorizations with the values

2

3

4


Mark InfoObject Authorization Relevant

1


Authorizations

2


Create Authorization Object for Reporting

2


Authorization Definition for Hierarchy

3


BW Reporting Object in a Profile & Assign Value


0EMPLOYEE

0ORGUNIT

0TCTAUTHH

4







Create Authorizations Variables

VARIABLE WIZARD IN BEx

Characteristic Variable

Hierarchy Node Variable


Authorization Variables of Customer Exit type

Create Variable1

2 Assign Variable to Query


Use of Variable filled Authorizations Scenario 1

SCENARIO: • You defined two Reporting Authorization Objects with same authorization relevant characteristic (0ORGUNIT)

• RA_OBJ1 contains values HR_EMEA & HR_US; RA_OBJ2 contains HR_US & HR_ASIA

• Both Reporting Authorization Objects are assigned to User Amelia’s Profile

RESULT: Amelia have authorization to view “HR_US” ONLY !!!

HR_US

< RA_OBJ1 >Orgunit

<...>

HR_EMEA

< RA_OBJ2 >Orgunit

<...>

HR_ASIA

OSS note653383


Use of Variable filled Authorizations – Scenario 1

Possible Approach: Define one Reporting Authorization Object and populate the values in one of the following ways:

• Manually populated in the profile

• Automated authorizations generation from the authorizations ODSs

• Derive the values via the authorizations Users Exit (RSR000001)

< RA_OBJ >Orgunit

<...>

HR_EMEA HR_US HR_ASIAOSS notes

653383 557924


Maintain Global Variable for Authorization: via User Exit

$VAR

Query with authorizations varaible

User Exit “RSR00001”

Structure: RRRANGEEXIT

$VAR initiates User exit

ZAUTH

Read CustomerAUTH Table

Authorization Check

1. Use transaction “CMOD” to develop User Exit “RSR00001”, Function Module: EXIT_SAPLRRS0_001

2. Maintain Customer Authorization Table as required

3. Create Authorization Variable4. Include Variable in your query

Return Result


Be Aware Your Import Parameter Specification

I_Step Values:I_Step = 0 -> Enhancement is not called (Default)I_Step = 1 -> Enhancement is called up before Variable EntryI_Step = 2 -> Enhancement is called up after Variable EntryI_Step = 3 -> Called up to check the Variable Value; Variable appears once more


Compounded Hierarchy Authorizations - Scenario 2

SCENARIO: • You defined a Reporting Authorization Objects for a Hierarchy with Compounded characteristics (0CO_Area and 0CostCenter)

• You filled the authorizations variable with “Flat Values” for 0Costcenter


0CO_Area

0Costcenter

0TCTAUTHH

RESULT: Brain 804 “no authorization”

Solution:Define and use Hierarchy Node VariableHierarchy Node Variable







Tracing Authorizations

ST01ST01

SU53SU53

RSSMRSSM


Tracing Authorization: Overview

Trace functionality embedded in SAP R/3 basisRecording of authority checks for system (Transaction ST01)Display the last failed authority check of user (Transaction SU53)

SAP BW reporting authority trace* set up user related trace recording for OLAP authority checks Transaction RSSM

*Authorizations checked against Reporting Objects are not supported withstandard trace functionality's


Recording of Authority Checks

Start Transaction ST01

Configure detail of trace recording

Activate trace

Perform actions on system

Analyze trace using transaction ST01

Note: Trace ST01 can be used either in BW and R/3 source system.

1

2

3

4

5


Recording of Authority Checks

2

3

5


SAP BW Reporting Authority Trace

Start transaction RSSM in SAP BW

Choose Authorization trace from Authorization object reporting menu or locate it from the bottom of the screen.

Insert user

Perform reporting activity

Analyze trace

1

2

3

4

5

3

5

2


Agenda

BW Authorizations Overview





Guiding Principals

Integrate in your Development Life CyclePlan Authorizations Early on in your Development Life CycleAuthorizations requirement collection at Blue Print PhaseIdentify and Assign Data Ownership

KISS Principal (Keep it Simple and Small)A balance act among Granularity vs. Maintenance vs. Performance Design for simplicity and Ease of Maintenance without compromising “Mandatory” data securityDivide user into Groups and manage security at InfoArea or InfoProvider level

Thorough Authorizations TestingMust be a part of system Integration Test planPerformance testing is a essential part of test plan

Staffing for BW AuthorizationsR/3 Authorization expert does not equivalent to BW Authorizations ExperienceSegregation of Duties among BW Users and Administrator


BW Authorizations Roadmap (I)

Develop Authorizations Strategy1. Consider company policy:2. Consider Legal requirements3. Classify types of users & required roles4. Consider Proof of Concept phase to valid

complex authorization model

5. Define Data Ownership and Responsibility 6. Develop questionnaire for blue print7. Document requirements in Matrix8. Develop naming convention for Authorization9. Design the Roles – consider segregate

Activities from Data Access roles

10. Use SAP delivered templates as the baseline11. Revise to meet your requirements

12. Define BW Reporting Objects for InfoObjectsper step 6

13. Consider using Hierarchy node authorization based on user access pattern

14. For complex & detailed authorizations needs, consider using Authorizations Variable to ease maintenance

Develop Authorizations Matrix to collect authorization requirement for blue print phase

Define BW Authorization for Admin workbench

Define BW reporting authorizations


BW Authorizations Roadmap (2)

Testing BW Authorizations Testing

15. Develop detailed test scenarios and planInvolve Business in authorizations testing

16. Develop performance test plan and establish the test environment and data volume

17. Incorporate BW Authorizations testing in the overall SAP System Tests (R/3 and non R/3).

18. Develop BW User Security request and approval processes

19. Consider a Web-based authorization request workflow and user guide

20. Develop a BW Security Administration checklist

21. Define Periodic BW Security Reviews and Assessment Process

22. BW Authorizations Training for Security Administrators

23. Include BW Authorizations impact on data access as a part of the BW user training.

Develop Administrative and Monitoring Process for BW Authorizations

Conduct BW Authorization Training


Agenda






New in Authorization Objects, Frontend (3.0)

S_RS_COMPNew Authorizations Check for Variables in Query DefinitionObject type is ‘VAR’

S_RS_COMP1Is checked additionally with S_RS_COMPChecks for authorizations on query components dependent on the owner (creator RSZOWNER)Authorizations are necessary, e.g. for creating queries

S_RS_FOLDSuppress InfoArea view of BEx elementsSpecify ‚X‘ (true) in the authorization maintenance for suppressing


New Authorization Objects, Backend (3.0)

S_RS_IOBJAuthorization object for working with InfoObjectsIs checked if authorization is not available via S_RS_ADMWBAdditional checks for update rule authorizations

S_RS_ISETFor displaying / maintaining InfoSets (new object in BW)

S_RFCAuthorization for GUI activitiesAdd following RFC_NAMEs with RFC_TYPE ‚FUGR‘ and ACTVT ‚16‘

RRXWS: BW Web InterfaceRS_PERS_BOD: Personalization of Bex Open DialogRSMENU: Roles and Menus

S_GUIAuthorization forGUI activities. Add the activity 60 (upload)


Automated Authorization Generator

Sourced from Two types of ODS Objects

Authorization Value ODSHierarchy ODS

ODS Population

From R/3: HR Structural AuthorizationsFrom R/3: Cost Center (BW 3.1 content)From Flat Files

New RSSM User Interface


ValueValue

ODS-Objects

SAP BWServer

InfoSource

Automated Authorization Generation: the Architecture

Update Rules

Mapping & Transfer Rules

DataSource

BW Metadata

replicated Metadata

DataSource

FileFile R/3R/3OtherOther

BWS-API

Mapping & Transfer Rules

Value Hierarchy Text User Assign

0TCA_DS01 0TCA_DS02 0TCA_DS03 0TCA_DS04

Tcode: RSSM – Generate AuthorizationTcode: RSSM – Generate Authorization< Auth Object >

0TCTAUTHH

0ORGUNIT

0EMPLOYEE


HR Structural Authorizations


BW/HR Structural Authorizations

What’s BW/HR Structural Authorizations

Bring R/3 Structural Authorizations to BW via Standard ExtractionAssociate with BW Authorizations via execution of special ModuleFull Refresh on a Customer Selected Frequency

Key Benefits

Reduced the Redundant Security SetupProvide Cross System Consistency


BWBWR/3 OLTPR/3 OLTP

Structural Authorization in BWStructural Authorization in BW

RSSMTrans

Security Security CheckCheck

ORProgramModulesRSSB_Generate_Authorizations

PSA PSAPSA PSA

0HR_PA_20HR_PA_2DataData

SourceSource

Struc Auth

0PA_DS02

PSAPSATransfer Rules

ODSsODSs

UpdateRules

0HR_PA_30HR_PA_3DataData

SourceSourceStruc Auth

0PA_DS03

R/3 Org. StructureR/3 Org. Structure

INDXINDXClusterCluster

(0HR_PA_2(0HR_PA_2&&

0HR_PA_3)0HR_PA_3)DataData

SourcesSources

RHBAUS00

T77UAT77UAAssignmentAssignment

T77UUT77UUUserUser

T77PRT77PRProfileProfile


12 Steps to Install Structural Authorizations

Create Structural Authorization Profile (IMG or TR-OOSP)1

Assign User to Profile (IMG or TR-OOSB)2

Update T77UU table to include User Name3

Execute program RHBAUS00 to create INDX4

Activate 0HR_PA_2 & 3 DataSource in R/3 and BW5

Activate or Create 0HR_PA_2 & 3 InfoSource & Communication Structure

6


12 Steps to Install Structural Authorizations

Activate and load ODS from R/3 7

Activate Target InfoObjects “Authorization Relevant”8

Create Authorization Object (Transaction Code: RSSM)9

Use Transaction code: RSSM or Execute RSSB Function Modules to generate BW Authorization

10

Create Authorization Variables11

Create Query with Authorization Variables12


Steps to Create Authorization from Flat Files

Planning & Mapping 0 • Determine what you want to secure• Mapping Objects & create Flat file

1 • Mark InfoObjects Auth. Relevant• Define Reporting Auth Object via RSSMDefine Reporting Object

2 Create Authorization Value Infosoure & ODS

• Use 0TCA_DS01 as template• ODS name must be xxxx_DS01

3 Create Authorization HierInfosoure & ODS

• Use 0TCA_DS02 as template• ODS name must be xxxx_DS02

4 •The data format = yyyymmdd or per Your Default Format

•Several Objects can define as constant

Create Update Rules forODS Loads

Generate Profiles via RSSM or RSSB program5 • RSSM: Find your ODSs & Mark Auth Obj

• Exec RSSB_Generate_Authorizations

6 Create Authorizations Variable in Query Def.

• Define Variables for Auth InfoObjects• Include Variables in your Queries


Tips & Hints for Automatically Generated Authorizations

Performance If you have very large number of values in your user master record, the query performance will be significantly impactedIt is a multiplication effect of: # authorization objects X # values X Ex: 20 orgunits X 10,000 EE X 5 objects = 1,000,000 checking

AlternativesFor top executives: setup a role to give full authorizationsUse Hierarchy variables for queries initial view with Hierarchy Use RSR00001 User exit against the populated ODSs

How To PaperHTTP://WWW.Service.SAP.com/BW -> Service & Implementation -> How to Papers

BW/HR Authorizations Generate Authorizations Profile from Flat File

http://www.service.sap.com/


Agenda






Dos and Don’ts

Dos

Keep the four guiding principals in mind when planning BW authorizations

Consider a Proof of Concept phase for complex authorizations model

Check out OSS Notes on AuthorizationsApply BW 3.0B SP15 for performance enhancement & correctionsNote 625049: Improved performance Note 315094: Authorization recommendation

Check out the BW Online document on Security with Scenarios

Use caution when request of user query publishing in ProductionLimit number of users authorizedSetup specific user published reporting roles with administrative process (clean-up) and alert users as “Uncertified Reports”


Dos and Don’ts

Dos

Create an effective OSS Message for authorizations Prepare a query which is as simple as possible and still reproduces the errorPrepare a SAP_ALL user and a restricted user.If you use variables (customer exits) replace their content intoprofile of the restricted user(we do not support customer code)explain clearly what you expect to see and what the error is.don't forget to give all the necessary information: usernames, passwords, System, names, open the system.

Don’ts

Don’t setup Field level specific security just because you’ve been asked – Challenge the requester for legal or policy requirements


Further Information

Public Web:www.sap.com/solutions/bi/SAP Customer Services Network: www.service.sap.com/BW

Consulting ContactRoy Wood, VP SAP NetWeaver Consulting Practice ([email protected])

Related SAP Education Training Opportunitieshttp://www.sap.com/usa/education/BW 365, Business Information Warehouse Authorizations

Related Workshops/Lectures at ASUG BITI Forum 2003


Questions?

Q&A


Feedback

Please complete your session evaluation and drop it in the box on your way out.

Be courteous — deposit your trash, and do not take the handouts for the

following session.


Copyright 2003 SAP AG. All Rights Reserved

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft®, WINDOWS®, NT®, EXCEL®, Word®, PowerPoint® and SQL Server® are registered trademarks of Microsoft Corporation.

IBM®, DB2®, DB2 Universal Database, OS/2®, Parallel Sysplex®, MVS/ESA, AIX®, S/390®, AS/400®, OS/390®, OS/400®, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere®, Netfinity®, Tivoli®, Informix and Informix® Dynamic ServerTM are trademarks of IBM Corporation in USA and/or other countries.

ORACLE® is a registered trademark of ORACLE Corporation.

UNIX®, X/Open®, OSF/1®, and Motif® are registered trademarks of the Open Group.

Citrix®, the Citrix logo, ICA®, Program Neighborhood®, MetaFrame®, WinFrame®, VideoFrame®, MultiWin® and other Citrix product names referenced herein are trademarks of Citrix Systems, Inc.

HTML, DHTML, XML, XHTML are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

JAVA® is a registered trademark of Sun Microsystems, Inc.

JAVASCRIPT® is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

MarketSet and Enterprise Buyer are jointly owned trademarks of SAP AG and Commerce One.

SAP, R/3, mySAP, mySAP.com, xApps, xApp and other SAP products and services mentioned herein as well astheir respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies.


Copyright 2003 SAP AG. Alle Rechte vorbehalten

Weitergabe und Vervielfältigung dieser Publikation oder von Teilen daraus sind, zu welchem Zweck und in welcher Form auch immer, ohne die aus-drückliche schriftliche Genehmigung durch SAP AG nicht gestattet. In dieser Publikation enthaltene Informationen können ohne vorherige Ankün-digung geändert werden.

Die von SAP AG oder deren Vertriebsfirmen angebotenen Softwareprodukte können Softwarekomponenten auch anderer Softwarehersteller enthalten.

Microsoft®, WINDOWS®, NT®, EXCEL®, Word®, PowerPoint® und SQL Server® sind eingetragene Marken der Microsoft Corporation.

IBM®, DB2®, DB2 Universal Database, OS/2®, Parallel Sysplex®, MVS/ESA, AIX®, S/390®, AS/400®, OS/390®, OS/400®, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere®, Netfinity®, Tivoli®, Informixund Informix® Dynamic ServerTM sind Marken der IBM Corporation in den USA und/oder anderen Ländern.

ORACLE® ist eine eingetragene Marke der ORACLE Corporation.

UNIX®, X/Open®, OSF/1® und Motif® sind eingetragene Marken der Open Group.

Citrix®, das Citrix-Logo, ICA®, Program Neighborhood®, MetaFrame®, WinFrame®, VideoFrame®, MultiWin® und andere hier erwähnte Namen von Citrix-Produkten sind Marken von Citrix Systems, Inc.

HTML, DHTML, XML, XHTML sind Marken oder eingetragene Marken des W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

JAVA® ist eine eingetragene Marke der Sun Microsystems, Inc.

JAVASCRIPT® ist eine eingetragene Marke der Sun Microsystems, Inc., verwendet unter der Lizenz der von Netscape entwickelten und implementierten Technologie.

MarketSet und Enterprise Buyer sind gemeinsame Marken von SAP AG und Commerce One.

SAP, R/3, mySAP, mySAP.com, xApps, xApp und weitere im Text erwähnte SAP-Produkte und –Dienstleistungen sowie die entsprechenden Logos sind Marken oder eingetragene Marken der SAP AG in Deutschland und anderen Ländern weltweit. Alle anderen Namen von Produkten und Dienstleistungen sind Marken der jeweiligen Firmen.

Date post:	30-Nov-2015
Category:	Documents
Upload:	abhi-chandan
View:	271 times
Download:	17 times

Advanced Features of SAP BW Reporting Authorizations

Documents