SAP BI 7 security concepts

Date post: 14-Feb-2017
Upload: siva-pradeep-bolisetti

Page 1

BI 7 Security Concepts

Page 2

Topics Covered:

• Difference between BW 3.x and BI 7
• Securing reporting users' access
• Authorization Trace
• Creation of Analysis Authorization
• Assignment of Analysis Authorization
• Securing Access to Workbooks
• Additional BI 7 Security Features
• New Authorization Objects

Page 3

Difference between BW 3.x and BI 7 Security

BW 3.x: There was no SAP-delivered authorization object to link hierarchy or value restrictions to roles. Customer authorization objects had to be created (transaction RSSM), and these fall under the SAP authorization object class RSR.

BI 7: The SAP-delivered authorization object S_RS_AUTH (class RS) is added to roles, and its field BIAUTH links the role to analysis authorizations.

Page 4

Contd…

BW 3.x: Old transaction RSSM. Concept of authorization: 'Reporting Authorization'.

BI 7: New transaction RSECADMIN. Concept of authorization: 'Analysis Authorization'.

Page 5

Contd…

BW 3.x: Authorization via PFCG (role-based approach).

BI 7: Authorization via PFCG (role-based approach) plus RSECAUTH (analysis-authorization-based approach).

Page 6

Contd…

BW 3.x: Full authorization: SAP_ALL, SAP_NEW.

BI 7: Full authorization: SAP_ALL, SAP_NEW. In addition, 0BI_ALL grants full authorization for all authorization-relevant InfoObjects; it is used as a value in the authorization object S_RS_AUTH.

Page 7

Authorization Objects in BI 7

Authorization objects are grouped into authorization object classes. The major authorization object class in BI is RS.

S_RS_COMP: Decides which InfoAreas, InfoProviders and query components (by component type and name) a user can work with, and with which activity (e.g. 03 display, 16 execute)
S_RS_COMP1: Decides whose queries (by query owner) a user can execute
S_RS_FOLD: Hides or displays the "InfoAreas" push button for end users in the BEx open dialog
S_RS_AUTH: Gives access to analysis authorizations (field BIAUTH holds the authorization names)
S_RS_ADMWB: Used by the BW administrator for modelling and controlling objects in the Data Warehousing Workbench

Other authorization objects, needed to save workbooks/queries to roles:

S_USER_AGR: The roles to which a user can add workbooks and queries
S_USER_TCD: Must contain the value RRMX and is used in conjunction with S_USER_AGR

Page 8

Restricting access in BI

In BI 7, a reporting user's access can be restricted at the following levels:

InfoCube Level: Restrict at the InfoCube (InfoProvider) level.
Characteristic Level/InfoObject: Restrict access to all values of a particular characteristic.
Characteristic Value Level: Restrict access to certain values of a particular characteristic.
Key Figure Level: Restrict access to certain key figures.
Hierarchy Node: Restrict access to certain nodes of a hierarchy.

Page 9

Securing Data Access for Reporting Users

Below are the minimum authorization requirements for a reporting user:

• Analysis authorizations for the InfoProvider
• S_RS_COMP (activities 03, 16)
• S_RS_COMP1 (query owner)
• S_RFC (BEx Analyzer or BEx Browser only)
• S_TCODE (RRMX for BEx Analyzer)

A reporting user must have authorizations for the S_RS_COMP and S_RS_COMP1 authorization objects as well as analysis authorizations for the InfoProvider on which the query is based.

In addition, if the reporting user will be using the BEx Analyzer reporting tool, they need authorizations for object S_RFC (the BEx front end calls the server via RFC) and for S_TCODE with transaction code RRMX.

Page 10

Options for Securing Data Access

Secure by InfoCube: Use this if authorizations need to be checked only at InfoProvider level. You then create roles that allow users to run queries from the specified InfoProvider(s) (S_RS_COMP restricted by InfoProvider).

Secure by Query: Another option is to use the InfoProvider in conjunction with the query name. For this you need a strict naming convention for query names, so that S_RS_COMP can be restricted by a name pattern and security does not have to be updated each time a new query is created.

Secure by InfoObject: Allowing two users to execute the same query but get different results, based on their assigned data access for division, cost center or some other InfoObject, is known as InfoObject-level security or field-level security.

Page 11

Securing by InfoObject:

The most granular level of restricting user access is the InfoObject/field level. The following procedure shows the steps to follow when setting up security for an InfoObject:

1. Define the InfoObject as authorization relevant.
2. Create (or adjust) analysis authorizations for the InfoObject.
3. Assign the authorizations to users.
4. Add an authorization variable for the InfoObject to the queries.

Page 12

Authorization Relevance

The Authorization Relevant setting for an InfoObject is made in the InfoObject definition on the Business Explorer tab. The business needs drive which InfoObjects should be relevant for security.

• Execute transaction RSD1
• Enter the InfoObject name
• Go to the Business Explorer tab
• Select the check box "Authorization Relevant"
• Activate the InfoObject

Note: As soon as the InfoObject is authorization relevant, every query on an InfoProvider containing it is checked against it. Users without a matching analysis authorization (or at least the ':' aggregation value) lose access to those queries until the authorizations from the following steps are in place, so plan the activation together with the assignment.

Page 13

Create analysis authorizations:

Analysis authorizations are the fundamental building blocks of the new reporting authorization concept; an analysis authorization contains both the value restrictions and the hierarchy restrictions.

• Execute transaction RSECADMIN
• On the Authorizations tab choose Maintenance
• Enter the analysis authorization name and click Create

Page 14

Assign authorizations to users:

Once you have created analysis authorizations, users need to be given the right authorizations according to business needs. You can assign authorizations in roles using S_RS_AUTH, or directly to users in transaction RSECADMIN (User tab) or transaction RSU01.

Page 15

Add a variable to the queries

If we want a query to return results based on the division, for example, then the query itself needs the ability to filter on specific division values. Before we can secure on division, the query must be able to restrict data by division. The only way the query can restrict data dynamically is through a variable: a characteristic value variable on the division InfoObject with processing type Authorization, which is filled at runtime with the values from the user's analysis authorizations. Without it, a query that selects more than the user is authorized for does not return a filtered result; the whole query fails with a "no authorization" error. The variable can be added at any time, independently of the other steps listed here.

Page 16

Exercises:

• Create a simple query from an existing InfoCube, execute it, and save it as a new workbook
• Define InfoObject-level security for reporting users
• Limit query access within the BEx Analyzer using S_RS_COMP1 and S_RS_FOLD

Page 17

Authorization Trace

Page 18

Trace Tools: ST01 and RSECADMIN

Transaction ST01 starts the system trace that exists on all ABAP-based systems. Among other purposes, this tool serves as a trace for all standard authorization object checks. You simply turn on the authorization trace (filtered to a specific user), and when the trace is completed you can see which authorization objects were checked, with which values, and the result of each check (return code 0 = passed).

In transaction RSECADMIN → Analysis tab you can execute a trace that is specific to BI analysis authorizations. The value-level checks of analysis authorizations do not appear in the ST01 trace; ST01 shows only the standard object checks such as S_RS_COMP and S_RS_COMP1.

Page 19

Authorization Trace

In BI 7 we can trace:

1) Authorization monitoring
2) Change log of analysis authorizations

Page 20

Authorization Monitoring

Checking authorizations
• Log on with your own user ID
• Check query execution with the authorizations of a specific user (RSECADMIN → Analysis → "Execute as...", transaction RSUDO). Executing as another user is itself protected by authorization object S_RSEC and lets the caller see whatever that user can see, so this right belongs only with the security administrators and its use should be logged.

Page 21

Contd……..

Evaluate log protocol
• Turn on logging of user activities related to analysis authorizations (RSECADMIN → Analysis → Error Logs, configured per user)
• View detailed information about each authorization check: the selection the query requested, the authorizations found for the user, and why the check passed or failed

Page 22

Change log of analysis authorizations

Activate the following VirtualProviders from Business Content: 0TCA_VAL (values), 0TCA_HIE (hierarchies) and 0TCA_UA (user assignments).

The system records all changes to authorizations and user assignments. Queries can be built on these InfoProviders to answer questions such as:

- How many users have access to a given InfoCube?
- Which users have access to company code X?
- When was authorization "XYZ" created, and by whom?

Page 23

Exercise(s):

• Trace BI authorizations
• ST01 trace

Page 24

Creation of Analysis Authorization

Page 25

Creation of Analysis Authorization

There are two ways to create analysis authorizations in BI 7:

1. Manual creation of analysis authorizations through transaction RSECAUTH (or RSECADMIN)
2. Automatic generation of analysis authorizations (for mass creation and assignment)

Page 26

Creation through RSECADMIN

1) Execute transaction RSECADMIN
2) On the Authorizations tab choose Maintenance
3) Enter the analysis authorization name and click Create

Page 27

Automatic generation of analysis authorizations

With the generation of analysis authorizations, we can load authorized values from other systems into DataStore objects and generate authorizations from them. This approach is generally used for mass creation of analysis authorizations and assignment of these authorizations to users.

Steps to be performed:

Data Warehousing Workbench (RSA1):
1. Activate Business Content
2. Load the DataStore objects

Management of Analysis Authorizations (RSECADMIN):
3. Generate authorizations
4. View the generation log

Page 28

Activate Business Content

SAP delivers Business Content (DataStore objects) for storing authorization values, hierarchy authorizations and user assignments; this content must be activated before it can be loaded.

Page 29

Load of DataStore Objects

• Fill the DataStore objects with the user data and authorizations
• Extract the data, for example, from an SAP R/3 source system or from a flat file

Note: Add consistency checks to the load (for example, in the transformation) to avoid errors during the generation later: reject rows whose user ID does not exist, whose InfoObject is not authorization relevant, or whose value or range is malformed. The generation creates and assigns exactly what is in the DataStore objects, so a wrong row becomes a wrong authorization.

Page 30

Generate Authorizations

Start the generation by specifying the relevant DataStore objects

Page 31

View Generation Log

A detailed log can be viewed once the generation is completed

Page 32

Assignment of Analysis Authorization

Page 33

Assignment of authorization

1. Direct assignment of analysis authorizations through RSECADMIN
2. Indirect assignment through roles (PFCG)

Page 34

Direct assignment

Direct assignment of analysis authorizations through RSECADMIN (User tab) or RSU01

Page 35

Analysis-authorization-based approach:

Pros:
• This approach removes the need to create roles for the corresponding analysis authorizations.

Cons:
• No change documents are provided by SAP for the assignment and removal of analysis authorizations to and from a user
• No SUIM (User Information System) reports are provided by SAP for analysis authorizations
• No way to assign analysis authorizations to many users in one step

Page 36

Contd…..

• If a user ID that has analysis authorizations assigned to it is deleted using SU01, these assignments are not deleted with the user. If the same ID is later recreated, the new user ID automatically receives the earlier analysis authorizations again. So if this approach is followed, always delete the analysis authorizations from the user ID with RSU01 first and only then delete the ID with SU01; and include the direct assignments in periodic access reviews, since SUIM will not show them.

Page 37

Indirect Assignment

• As an alternative to direct assignment, we can also assign authorizations to roles, which are then assigned to users.
• Use authorization object S_RS_AUTH for the assignment of authorizations to roles
• Maintain the authorization names as values of field BIAUTH

Page 38

Pros and Cons

Pros:
• All change documents are already available
• All existing SUIM reports are already available
• Mass assignment through role assignment is possible

Cons:
• Roles need to be created corresponding to the analysis authorizations, which means more maintenance in the system
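Because SUIM covers only the role-based path, an access review has to read both sources itself. The report below is an added example (not part of the slide deck) that lists, for one user, the analysis authorizations assigned directly in RSECADMIN/RSU01 (table RSECUSERAUTH) next to those that arrive through S_RS_AUTH in roles (AGR_1251 joined to AGR_USERS), and flags the full-access values. The table and field names are the ones used in NetWeaver 7.0x BI and should be verified in SE11 on the target system; the report name and output layout are assumptions.

```abap
REPORT zbi_auth_assignments.
* Added example, not from the slide deck: shows where a user's analysis
* authorizations come from, so the "no SUIM report" gap for direct
* assignments can be covered by a custom report.
*   direct:   RSECADMIN / RSU01       -> table RSECUSERAUTH (UNAME, AUTH)
*   via role: S_RS_AUTH, field BIAUTH -> table AGR_1251 (role authorization data)
*             role-to-user link       -> table AGR_USERS
* Table and field names as used in NetWeaver 7.0x BI; verify in SE11.
* The report name is an assumption.

PARAMETERS: p_uname TYPE xubname DEFAULT sy-uname.

TYPES: BEGIN OF ty_role_auth,
         agr_name TYPE agr_1251-agr_name,
         low      TYPE agr_1251-low,
       END OF ty_role_auth.

DATA: lt_direct    TYPE STANDARD TABLE OF rsecuserauth-auth,
      lv_direct    TYPE rsecuserauth-auth,
      lt_roles     TYPE STANDARD TABLE OF agr_users-agr_name,
      lt_role_auth TYPE STANDARD TABLE OF ty_role_auth,
      ls_role_auth TYPE ty_role_auth.

START-OF-SELECTION.

* 1. Direct assignments. These survive an SU01 deletion, so an ID that
*    is deleted and recreated silently gets them back.
  SELECT auth FROM rsecuserauth INTO TABLE lt_direct
         WHERE uname = p_uname.
  WRITE: / 'Direct assignments (RSECUSERAUTH):'.
  IF lt_direct IS INITIAL.
    WRITE: / '  (none)'.
  ENDIF.
  LOOP AT lt_direct INTO lv_direct.
    WRITE: / '  ', lv_direct.
  ENDLOOP.

* 2. Role-based assignments through S_RS_AUTH, limited to roles that are
*    valid today. FOR ALL ENTRIES is only run with a non-empty driver
*    table; an empty one would select every role's S_RS_AUTH values.
  SELECT agr_name FROM agr_users INTO TABLE lt_roles
         WHERE uname    = p_uname
           AND from_dat <= sy-datum
           AND to_dat   >= sy-datum.
  IF lt_roles IS NOT INITIAL.
    SELECT agr_name low FROM agr_1251
           INTO CORRESPONDING FIELDS OF TABLE lt_role_auth
           FOR ALL ENTRIES IN lt_roles
           WHERE agr_name = lt_roles-table_line
             AND object   = 'S_RS_AUTH'
             AND field    = 'BIAUTH'
             AND deleted  = space.
  ENDIF.
  WRITE: / 'Via roles (S_RS_AUTH / BIAUTH):'.
  IF lt_role_auth IS INITIAL.
    WRITE: / '  (none)'.
  ENDIF.
  LOOP AT lt_role_auth INTO ls_role_auth.
    WRITE: / '  ', ls_role_auth-agr_name, ls_role_auth-low.
*   BIAUTH = * or 0BI_ALL is full access to all BI data: flag it.
    IF ls_role_auth-low = '*' OR ls_role_auth-low = '0BI_ALL'.
      WRITE: '  <== full data access'.
    ENDIF.
  ENDLOOP.
```

A BIAUTH value can also be a pattern such as Z_SALES*, which grants every analysis authorization whose name matches; when the list shows patterns, resolve them against the authorization names in RSECADMIN before signing off the review.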

Page 39

Queries and Workbooks:

A query is the technical definition of what the results should look like. Workbooks are actual results that have been formatted and can be refreshed each time the workbook is executed.

The query is a definition of what data should be fetched and how the data should initially be displayed. A query definition includes rows, columns, filters and free characteristics.

The workbook is a result set of the query. In this workbook the data is displayed by sales organization. Every time the user executes the workbook, the data is refreshed, but the format can remain the same, depending on the settings for the query in the workbook.

Multiple query results saved in workbooks from the same query definition enable users to customize how they want to review the results and analyze the data.

Page 40

Saving workbooks to roles:

If a user wants to save a workbook to a location where it can be easily accessed by others, they need to save it to a role. Saving to a role means saving to a security role. You may want to set up roles specifically for saving workbooks. You can then assign the role to all parties who need to share workbooks.

In order to save workbooks to roles, a user needs:
• S_USER_AGR: Authorizations: Role check
• S_USER_TCD: Transactions in roles

The authorization object S_USER_AGR has two fields: Activity and Role Name. For the Activity field the user must have at least the values 01, 02 and 22. If the user may delete workbooks, they also need value 06. For the Role Name, enter only the specific roles you have created for saving workbooks: S_USER_AGR with activity 02 is role change authority, so a wildcard here would let a reporting user modify every role in the system.

Authorization object S_USER_TCD has one field, Transaction Code. The user needs the value RRMX in this field.

Page 41

Exercise(s):

Securing Access to Workbooks

Page 42

BI 7 Security Features

Page 43

BI 7 Security Features

The concept of BW security remains the same in BI 7, while the changes are mainly new authorization features, more authorization objects, new transactions and more flexibility.

1. Analysis Authorization
2. Special Characteristics
3. Special Authorization: 0BI_ALL
4. Variables in Authorization (Customer Exit)
5. Colon Authorization
6. Pound Authorization
7. Key Figure Authorization
8. Authorizing Navigational Attributes

Page 44

Analysis Authorization:

Analysis authorizations are the fundamental building blocks of the new reporting authorization concept; an analysis authorization contains both the value restrictions and the hierarchy restrictions.

This is also called data-level access. With the NW2004s analysis authorization concept it is now possible to create an analysis authorization directly on an InfoObject.

The authorization can consist of single values or value ranges, or be created with a reference to a hierarchy, provided the InfoObject has a hierarchy and the InfoObject is authorization relevant.

Page 45

Special Characteristics:

These special characteristics must be present in at least one analysis authorization assigned to each user:

0TCAACTVT: Restricts access to activities, i.e. display, create, change etc.
0TCAIPROV: Restricts access to the InfoProvider, i.e. InfoCube, ODS, MultiProvider etc.
0TCAVALID: Provides the validity period of the analysis authorization

All of these characteristics must be marked as authorization relevant.

Page 46

0BI_ALL

An authorization for all values of all authorization-relevant characteristics is created automatically by the system. It has the name 0BI_ALL. It can be viewed but not changed. Every user who receives this authorization can access all data at any time. Each time an InfoObject is activated and the property "authorization relevant" is changed for the characteristic or a navigation attribute, 0BI_ALL is automatically adjusted.

A user that has a profile with the authorization object S_RS_AUTH and the value 0BI_ALL (or the value *) in field BIAUTH has complete access to all data. Treat S_RS_AUTH with BIAUTH = * or 0BI_ALL like SAP_ALL for BI data: search for it in SUIM (roles by authorization value) during every access review, and keep it out of reporting roles.

Page 47

Custom Exit:

Variables of type Customer Exit can be used in an analysis authorization with the special value $ as prefix before the variable name (for example $ZAUTH_COMP_CODE instead of a fixed value). This enables dynamic granting of authorizations: the authorized values are retrieved at runtime.

The customer exit fills the variable values using a selection routine placed in function module EXIT_SAPLRRBR_001 of enhancement RSR0001 (the code goes into include ZXRSRU01; the enhancement is activated in a project in transaction CMOD). For authorization variables the exit is called with I_STEP = 0.

The advantage of this method is that you can give all users the same authorization by placing the variable name with a $ sign in front of it instead of a value in the characteristic value (or the hierarchy node), while the exit decides per user which values that variable resolves to.
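What such a selection routine looks like, as an added example that is not code from the deck: the analysis authorization on 0COMP_CODE carries the value $ZAUTH_COMP_CODE, and the exit below resolves it per user when the authorization check calls it with I_STEP = 0. The variable name ZAUTH_COMP_CODE (a customer-exit variable on 0COMP_CODE, not ready for input), the customer table ZAUTH_USER_CC with fields UNAME and BUKRS, and the decision to include the ':' aggregation value are all assumptions of this example.

```abap
*&---------------------------------------------------------------------*
*& Include ZXRSRU01 (enhancement RSR0001, called from EXIT_SAPLRRBR_001)
*& Added example, not from the slide deck. Assumptions: a customer-exit
*& variable ZAUTH_COMP_CODE on 0COMP_CODE (not ready for input), entered
*& in the analysis authorization as $ZAUTH_COMP_CODE, and a customer
*& table ZAUTH_USER_CC (UNAME, BUKRS) mapping users to company codes.
*&---------------------------------------------------------------------*
DATA: ls_range TYPE rsr_s_rangesid,   " SIGN / OPT / LOW / HIGH
      lt_bukrs TYPE STANDARD TABLE OF bukrs,
      lv_bukrs TYPE bukrs.

CASE i_vnam.
  WHEN 'ZAUTH_COMP_CODE'.
*   I_STEP = 0: the variable is being resolved for the authorization
*   check, not for the query's variable screen (steps 1 to 3).
    IF i_step = 0.
      CLEAR e_t_range.
*     The only trusted input is sy-uname (the logged-on user); nothing
*     a user could type on a variable screen influences the result.
      SELECT bukrs FROM zauth_user_cc INTO TABLE lt_bukrs
             WHERE uname = sy-uname.
      IF sy-subrc <> 0.
*       No mapping maintained: E_T_RANGE stays empty, the authorization
*       then holds no value for 0COMP_CODE and the check fails closed.
        RETURN.
      ENDIF.
      LOOP AT lt_bukrs INTO lv_bukrs.
        CLEAR ls_range.
        ls_range-sign = 'I'.
        ls_range-opt  = 'EQ'.
        ls_range-low  = lv_bukrs.
        APPEND ls_range TO e_t_range.
      ENDLOOP.
*     Aggregation value ':' so that queries which do not drill down on
*     0COMP_CODE still run. Leave it out for the "no totals" case.
      CLEAR ls_range.
      ls_range-sign = 'I'.
      ls_range-opt  = 'EQ'.
      ls_range-low  = ':'.
      APPEND ls_range TO e_t_range.
    ENDIF.
ENDCASE.
```

The exit runs under every user who touches an authorization containing the $ variable, so it should read only the logged-on user's own mapping, fail closed when the mapping is missing, and never fall back to a wildcard; verify the result with RSECADMIN → Analysis → "Execute as..." for a user with and one without a maintained company code.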

Page 48

Colon (:) as Authorization

The colon value means "authorized for the aggregated value". If a query on the InfoProvider does not use an authorization-relevant characteristic at all (it is neither in the drilldown nor in a filter), the check for that characteristic is made against the value ':'. A user without ':' fails that check, and the whole query fails.

Two purposes of the colon authorization value:

1. Withholding it: If the InfoProvider has sensitive data, you may not want the user to see any summarized data either. For example, assume an InfoProvider with sensitive forecasting data that you have chosen to secure by InfoObject (for example, Company Code). If you do not want a user with access to Company Code 1000 to see ANY data from other company codes, even as a total, do not give this user the colon (:) value in the authorization. This means that ANY query on your InfoProvider that does not use the Company Code InfoObject will fail for this user.

2. Granting it: The second purpose of the colon authorization is to give the user access to the aggregated data. For example, a user can see the total of sales done by all sales organizations, but detailed data only for his own sales organization.

Page 49

Pound (#) as Authorization

Using a pound sign (#) as an authorization value:

When data is loaded into SAP BW, some fields may be marked as "not assigned" (posted with INITIAL). If you have secured an InfoObject that has unassigned data in the InfoCube, you may choose to give the user the pound sign (#) in order to avoid an authorization error at runtime. The # character is interpreted as authorization for the display of the value "Not assigned" (posted with INITIAL).

Page 50

Key Figure Authorization

This restriction is used to grant users authorization for particular key figures.

• Technical name: 0TCAKYFNM
• Possible values:
  - Single value (EQ): exactly one key figure
  - Range (BT): a selection of key figures
  - Pattern (CP): a selection of key figures based on a pattern

Note: As soon as 0TCAKYFNM is defined as authorization relevant, key figures are checked for every InfoProvider, so every reporting user then needs a 0TCAKYFNM authorization (a pattern such as * for users who may see all key figures).

Page 51

Authorizing Navigational Attributes:

To restrict access to a navigational attribute, it must be marked as authorization relevant on the Attribute tab strip of the characteristic that carries it.

Note: The characteristic the attribute refers to does not need to be authorization relevant; the setting on the navigational attribute itself governs the check.

Page 53

New Authorization Objects

Page 54

BI 7 new Authorization Objects

Below are the new authorization objects in BI 7 for the Data Warehousing Workbench, the Business Explorer and analysis authorizations.

Authorization objects for the Data Warehousing Workbench:
S_RS_DS: For the DataSource or its sub-objects (NW2004s)
S_RS_ISNEW: For new InfoSources or their sub-objects (NW2004s)
S_RS_DTP: For the data transfer process and its sub-objects
S_RS_TR: For transformation rules and their sub-objects
S_RS_CTT: For currency translation types
S_RS_UOM: For quantity conversion types
S_RS_THJT: For key date derivation types
S_RS_PLENQ: Authorizations for maintaining or displaying the lock settings
S_RS_RST: Authorization object for the RS trace tool
S_RS_PC: For process chains
S_RS_OHDEST: For open hub destinations

Page 55

Authorization objects for the Business Explorer:
S_RS_DAS: For Data Access Services
S_RS_BTMP: For BEx Web templates
S_RS_BEXTX: Authorizations for the maintenance of BEx texts

Authorization objects for the administration of analysis authorizations:
S_RSEC: Authorization for assignment and administration of analysis authorizations
S_RS_AUTH: Authorization object to include analysis authorizations in roles

Changed authorization objects:
S_RS_ADMWB (Data Warehousing Workbench: Objects): New values for field RSADMWBOBJ have been added, such as BIA_ZA, CNG_RUN and CONT_ACT, for activities like BI Accelerator monitor checks, attribute change run and Business Content activation.