Agenda
Authorization Concept
Role Based User Concept
BW Authorization Scenarios
New Functionality in BW 3.0
SAP AG 2001, Title of Presentation, Speaker Name 2
Protecting Data
The security concept needs to protect data with regard to laws, agreements, policies and training. It also protects naming conventions and data quality.
clearly divided into several business areas (Finance, Controlling, Logistics, Human Resources, ...)
Reporting Environment
Business Processes
Measures
Assets
Agenda
Authorization Concept
Role Based User Concept
BW Authorization Scenarios
New Functionality in BW 3.0
[Diagram labels: Business Explorer; Administrator Workbench (Administration, Scheduling, Meta Data Repository); OLAP Processor; InfoCubes; Data Manager; Monitor; Staging Engine; BAPI; Non R/3 Production Data Extractor; Non R/3 OLTP Applications; OLTP Reporting. Numbered callouts 1, 2 and 3.]
InfoAreas
Queries
SAP BW Deliverables
Administration
- Concept very close to standard R/3
- All authorization-relevant objects are delivered by SAP
- Administration of authorizations like in R/3
Reporting
- No authorization-relevant object definition is delivered
- Set of tools to define a customer-specified concept
- Embedded in SAP BW administration
[Diagram labels: Browser; OLAP Processor; InfoCubes; Data Manager; Monitor; Staging Engine; BAPI; Non R/3 Production Data Extractor; Non R/3 OLTP Applications; OLTP Reporting. Numbered callout 1.]
BW Server
Standard R/3 Security Concept
- All standard authorization objects available
- Usage of all standard tools possible
[Diagram labels: BW Server and SAP R/3, each with an ABAP basis and a Kernel layer; ALEREMOTE; BWREMOTE.]
[Diagram labels: Administrator Workbench (Administration, Scheduling, Monitor, Meta Data Repository); Data Manager; Staging Engine; OLTP Reporting; ALEREMOTE; BWREMOTE.]
[Diagram labels: Decline; Request data; Request data; Send Data; R/3 System; Extract Data.]
Extracting Data
CPI/C-User ALEREMOTE
Current User
S_BI-WX_RFC
[Diagram labels: Browser; Business Explorer; Administrator Workbench (Administration, Scheduling, Meta Data Repository); OLAP Processor; InfoCubes; Data Manager; Monitor; Staging Engine; BAPI; OLTP Reporting. Numbered callout 2.]
Administrator Workbench
Warehouse Design
Workbench Objects Variables Query Objects InfoCube Objects ODS Objects InfoSources InfoObjects Source Systems
Warehouse Administration
InfoPackages Monitor Meta Data Reporting Agent Settings
[Diagram labels: User; Profile; Profile Generator; Authorization; Object; Field; Value.]
Reporting relevant
<REPORTING OBJECTS>
S_RS_COMP
S_RS_GVAR, S_RS_HIER, S_RS_ICUBE, S_RS_ISRCM, S_RS_ISOUR, S_RS_IOMAD, S_RS_ADMWB
Administration relevant
Authorization Objects
Object class Authorization object
Authorization Objects
Authorization object
Example:
S_RS_ADMWB
ACTVT
ADMWO
Activity
Workbench
[Diagram labels: Browser; OLAP Processor; InfoCubes; Data Manager; Monitor; Staging Engine; BAPI; OLTP Reporting. Numbered callout 3.]
0..1
SAP BW InfoCubes
SAP BW Objects
Reporting Object
A Reporting Object is an Authorization Object with an additional relation to InfoCubes. The OLAP processor checks only the reporting objects assigned to the InfoCube that is actually being reported on.
< Authorization Object > 1KYFNM SALESO DISTCHA < Authorization Object > 1KYFNM SALESO DISTCHA
Authorization Object
Reporting Object
DMGATE <...>
The authorization on a hierarchy is implemented with the InfoObject 0TCTAUTHH of the technical Content (InfoObject Catalogue 0BWTCT_CHA01). First transfer this InfoObject from the content and activate it. Make sure that the indicator is set to 'authorization relevant'.
0TCTAUTHH
PROFITCTR <...>
Note that the authorization does not automatically authorize the display of a query for the highest node of a hierarchy, because a hierarchy additionally includes a node Not Assigned.
Use the option Top of Hierarchy in the hierarchy authorization maintenance to include this node as well!
ROOT
Europe
Asia
All leaves of the current Query result set are assigned according to the hierarchy definition. All other leaves are assigned to Not Assigned.
Not Assigned
Authorization Variables I
1 Create Variable
Authorization Variables II
3 Assign Variable to Query
[Diagram labels: OLAP Processor; InfoCubes; Data Manager; Monitor; Staging Engine; BAPI; OLTP Reporting.]
- SAP Queries are embedded into SAP BW Workbooks (MS Excel)
- Workbooks can be assigned to roles in the Business Explorer
- Reporting Users are also assigned to roles
- Maintain query specific authorizations (if required) in the profile generator
- Currently no Authorization Object available to set up authority for Workbooks
Problem:
The authority check for embedded SAP BW Queries first takes place when the Query is refreshed.
Query results saved with the Workbook will be visible to the user even if they are unauthorized. But no navigation is possible without refreshing the Query!
Solution:
- Save Workbooks to the Role only without Query results
- Use the AutoRefresh functionality within the Query properties to ensure the authority check
[Diagram labels: Browser; ? (3rd party OLAP client); OLAP Processor; InfoCubes; Data Manager; Monitor; Staging Engine; BAPI; OLTP Reporting.]
Agenda
Authorization Concept
Role Based User Concept
BW Authorization Scenarios
New Functionality in BW 3.0
BW Reporting User
BW Reporting Developer
Execute Queries
Maintain InfoCatalog
Profile Generator
What is the Profile Generator? A tool to automatically generate authorization profiles
Roles: Activities
Description
Menu Personalization Authorizations User
Define Roles
Identify Roles in your company
- Task oriented (Reporting, Administration, ...)
- Function oriented (Board, Assistant, Manager, Controller, Analyst)
- Subject oriented (Sales, FI, ...)
Define responsibility for an identified role
Set up role oriented authorization
Assign new users to a role
Role: Reporting User, Reporting Developer, Reporting Power User, Data Manager, Data Modeller, System admin.
Query
R E R EM R EMD R EM R EM
RM
RM
R EMD R EM
MR R EM
Activities: R = Display, C = Create, E = Execute, D = Delete, M = Maintain
[Diagram labels: Role 1, Role 2, ...; P1, P2, P3, P...; A1, A...]
Templates
Templates can be created to contain a series of authorization objects, and default values, to be imported into activity groups
Usage of Templates
Usage of Templates II
Agenda
Authorization Concept
Role Based User Concept
BW Authorization Scenarios
New Functionality in BW 3.0
User Entry Variable Values
0Profit_Ctr: NE
0Cost_Ctr: 1000
Assume no hierarchy node in the query definition
Hierarchy Processing
If Drill-down
Query Results
Query is executed
Authorization Check
c
Database Access
1000
hierarchy is in the query definition. Node North on the hierarchy contains NE and NW so PCTR NE = OK - this user will pass the authorization check.
Query is executed
Authorization Check
User Master Record
0Cost_Ctr: 1000
Note: If the RSSB_AUTH_MODIFY function module is used, multiple values or ranges are stored in a cluster table and the authorization contains the $! value only.
Database Access
Query is executed
Authorization Check
Values selected:
0Profit_Ctr: *
0Cost_Ctr: 1000
Hierarchy Node: North
See Comment 1
Database Access
User Master Record
0Profit_Ctr: *
0Cost_Ctr: 1000
0TCTAUTHH: North, West, East
0Customer: :
Query 2
Selection Criteria: User Name
SAP exit to read system user name
Output profit centers per user name.
$Var
Note: variable type for profit center = fill by query. Specify the authorization InfoCube query in the global variable definition by entering the technical name for query 2.
Authorizations Data
Data Load
User Name: John Deer
Cost Center: 1000
Profit Center: NE
RSSB_READ_AUTH_IN_INFOCUBE
Agenda
Authorization Concept
Role Based User Concept
BW Authorization Scenarios
New Functionality in BW 3.0
BW Authorizations