B W Authorizations Aug 30

BW Authorizations
Deborah Board, BW RIG
01
Agenda
General Security Considerations
Authorization Concept
Role Based User Concept
BW Authorization Scenarios
New Functionality in BW 3.0
02
SAP AG 2001, Title of Presentation, Speaker Name 2
Different Roles of Security
Protecting Data
Security concept need to protect data regarding laws, agreements, policies and training. Protecting naming conventions and data quality
Guide people to relevant data

Authorization model is an actual model of the current organization of the company Stored information about authorization can also be used to show relevant data to employees (e.g. show revenues of my sales organization, costs of my cost center ...)
03
Different tasks for different systems

Transactional system (OLTP)
balance oriented actual data
focus on consistency (normalisation) process oriented (Transaction Concept) local view
Analytical System (OLAP)

historical data subject oriented (customer not customer number) focus on analytical needs
global view (transformed and reorganised)
04
Controlling of OLTP data
clearly divided into several business areas ( Finance, Controlling, Logistics, Human Resources ...)
based on transactions for:

master data (customer master, material master ...) business process data (sales order, posting ....)
separated into different activities

create change display delete
05
Controlling of analytical data

clearly divided into several business areas ( Finance, Controlling, Logistics, Human Resources ...)
OLAP benefit means combining data from different areas
based on transactions for:

master data (customer master, material master ...) business process data (sales order, posting ....) Analytical processing is not transaction oriented
separated into different activities

create change delete display OLAP processing 99% display
06
Data Entry versus Data Access Security
Reporting Environment
Business Processes
Measures
Assets
07
Agenda
08
Authorization Concept Overview

4
Browser
3rd party OLAP client
Analyzer (hosted by MS Excel)
Business Explorer
2
Administrator Workbench
Administration Scheduling Meta Data Repository
OLAP Processor
3
InfoCubes
Meta Data Manager
Data Manager
Monitor
Business Information Warehouse Server
Staging Engine
BAPI
Operational Data Store
1
Non R/3 Production Data Extractor
Non R/3 OLTP Applications
Production Data Extractor
OLTP Reporting
R/3 OLTP Applications
09
Authorization Concept: Information complexity

+ simplification - security detail User User Role (Activity Groups)
InfoAreas
InfoCubes & ODS Objects
Queries
InfoObjects - Key figures
InfoObjects - Characteristic Values
- simplification + security detail

10
SAP BW Deliverables
Administration
Concept very close to standard R/3 all authorization relevant objects are delivered by SAP Administration of authorizations like in R/3
Reporting
no authorization relevant object definition is delivered set of tools to define customer specified concept embedded in SAP BW administration
11
Browser
Business Explorer Administrator Workbench

OLAP Processor
InfoCubes
Meta Data Manager
Data Manager
Monitor
Staging Engine
BAPI
1
OLTP Reporting
12
Basic Administration of SAP BW
Basic System settings

Business Content BW technology
Transport System Development Workbench
ABAP basis Kernel
Background Job Administration User Administration SAP IMG ...
BW Server
Standard R/3 Security Concept all standard authorization objects available usage of all standard tools possible
13
System Communication Authority

System communication for extraction and customizing is handled by ABAP basis layer -> authorization is controlled by the basis layer Asynchronous communication needs two different users
BW -> R/3 ALEREMOTE (any customer defined user but unique for every BW-R/3 RFC-Connection) R/3 -> BW BWREMOTE ( customer defined but unique for every BW instance )
Business Content BW technology
Customer Applicat. SAP Application
ALEREMOTE
ABAP basis ABAP basis
BWREMOTE
Kernel Kernel
BW Server
SAP R/3
14
Usage of Remote Communication Users
Administration Scheduling Monitor Meta Data Repository
OLAP Processor InfoCubes
Meta Data Manager
Data Manager
Staging Engine
Customizing of R/3 Extractors
OLTP Reporting
3rd Party Extraction
ALEREMOTE BWREMOTE
15
Restrict DataSource for R/3 Extraction
Business Information Warehouse A
Business Information Warehouse B
Decline
Request data
Request data
Send Data
R/3 System
Extract Data
16
Different Tasks Different Remote User
Business Information Warehouse

<RFC_DESTINATION> <RFC_DESTINATION>_DIALOG
Extracting Data
All Dialog Options
CPI/C-User ALEREMOTE
Current User
S_BI-WX_RFC
User specific Authorization
SAP Source System

17
Browser
Business Explorer
2
OLAP Processor
InfoCubes
Meta Data Manager
Data Manager
Monitor
Staging Engine
BAPI

OLTP Reporting
18
Central point of BW administration and control
Scheduling data load Executing data load BW Design Maintenance Administration

Admin Workbench
Monitoring data load Monitoring update process
19
Authorization Relevant Elements
Warehouse Design
Workbench Objects Variables Query Objects InfoCube Objects ODS Objects InfoSources InfoObjects Source Systems
Warehouse Administration
InfoPackages Monitor Meta Data Reporting Agent Settings
20
SAP BW Authorization Overview

Role
User
Profile
Profile Generator
Authorization
AUTHORIZATION OBJECT CLASS: BUSINESS INFORMATION WAREHOUSE-Administration
AUTHORIZATION OBJECT CLASS: BUSINESS INFORMATION WAREHOUSE- REPORTING
Object
Object
Field
Field
Value
Value
21
Authorization Objects SAP BW
Reporting relevant
<REPORTING OBJECTS>
company defined reporting objects
S_RS_COMP
S_RS_GVAR S_RS_HIER S_RS_ICUBE S_RS_ISRCM S_RS_ISOUR S_RS_IOMAD S_RS_ADMWB
Administration relevant
Business Explorer - components

Business Explorer - Global Variables Hierarchy InfoCube InfoSource (master data) InfoSource (transaction data) Master data Administrator Workbench - Objects
22
Authorization Objects
Object class Authorization object
Business Information Warehouse - Reporting
Custom BW Reporting Authorization object for Characteristic #1 (i.e. Cost Center)
Business Information Warehouse - Reporting

Customized reporting objects exist for each BW system. One example shown here is the custom reporting authorization objects for the cost center characteristic Other examples can be created for other organizational level restrictions These objects can be used to define a restriction to all InfoCubes and thus, restricting users from seeing sensitive data
Custom BW Reporting Authorization object for Characteristic #2
Business Information Warehouse

Authorization Objects exist for Administration Workbench Hierarchy, InfoCubes, InfoSources...
Business Information Warehouse -Administrat.
Administrator Workbench - Hierarchy
Administrator Workbench - InfoCube
23
Authorization Objects
< object_name >

<field 1> <field 2> <...>
Authorization object
Defines a set of fields for authorization purposes
Example:
Classified by an Authorization Object Class
S_RS_ADMWB
ACTVT
ADMWO
Activity
Workbench
24
Browser

OLAP Processor
3
InfoCubes
Meta Data Manager
Data Manager
Monitor
Staging Engine
BAPI

OLTP Reporting
25
SAP BW Reporting Objects
< Authorization Object >

<field 1>
0..n
0..1
Key Figure Object

0..10
<field 2> <...>

0..n 1..m 0..10
authorization Relevant Characteristic Hierarchy Node
SAP BW InfoCubes
SAP BW Objects
26
Reporting Object
A Reporting Object is an Authorization Object with an additional relation to InfoCubes. OLAP processor will only check reporting objects assigned to the actual reported InfoCube.
< Authorization Object > 1KYFNM SALESO DISTCHA < Authorization Object > 1KYFNM SALESO DISTCHA
Authorization Object
Reporting Object
27
Reporting Object Values
Standard R/3 authorization concept ( include principle )*

Single values
Intervals Mask (e.g. *, 0SD* ...)
Extended SAP BW values ( include principle )*

# Not assigned (Initial) : Values aggregated $ Authorization variables
* it is not possible to exclude authorization

28
Three Steps to set up a Reporting Authorization
1 Mark the InfoObject as "Authorization Relevant

Reporting 2 Create an Authorization Object forObjects) (use Basic Settings -> Authorizations -> Reporting
3 Create Authorizations with the values
29
Authorization Object for Hierarchy Node

2 < Authorization Object > 0TCTAUTHH Business Content 1
0TCTAUTHH
DMGATE <...>
The authorization on a hierarchy is implemented with the InfoObject 0TCTAUTHH of the technical Content (InfoObject Catalogue 0BWTCT_CHA01). Transfer this InfoObject first from the content and activate it. Make sure that the indicator is set is set to 'authorizationrelevant'.
30
Authorization for Hierarchy Node
< Authorization Object >
0TCTAUTHH
PROFITCTR <...>
31
Unassigned Leafs of a Hierarchy
Note that the authorization does not automatically authorize to display a query for the highest node of a hierarchy because a hierarchy additionally includes a node Not Assigned.
Use Option Top of Hierarchy in the hierarchy authorization maintenance to include also this node!
ROOT
Europe
Asia
All leafs of current Query result set are assigned regarding hierarchy definition All other leafs are assigned to Not Assigned
Not Assigned
32
Authorization Variables I
1 Create Variable
2 Define Variable Properties
33
Authorization Variables II
3 Assign Variable to Query
34
Enhanced Maintenance of Authorizations
Maintain all BW reporting authorizations Single values Hierarchy nodes

35

4
Browser

OLAP Processor
InfoCubes
Meta Data Manager
Data Manager
Monitor
Staging Engine
BAPI

OLTP Reporting
36
Distribution of Queries to Roles
SAP Queries are embedded into SAP BW Workbooks ( MS Excel ) Workbooks can be assigned to roles in the Business Explorer Reporting Users are also assigned to roles Maintain query specific authorizations (if required) in the profile generator. Currently no Authorization Object available to set up authority for Workbooks.
37
Distribution of Queries to Roles
Problem:
Authority check for embedded SAP BW Queries will first take place on refreshing the Query.
Query results saved with the Workbook will be visible to the user even if they are unauthorized. But no navigation without refreshing the Query!
Solution:
Save Workbooks to the Role only without Query results Use AutoRefresh functionality within the Querie properties to ensure authority check.
38
Browser
?

OLAP Processor
InfoCubes
Meta Data Manager
Data Manager
Monitor
Staging Engine
BAPI

OLTP Reporting
39
Authority 3rd Party OLAP client
Not authorization relevant.

There is no authorization check within the communication to 3rd party reporting clients needed. All levels of reporting security are handled be the SAP BW OLAP processor. Every 3rd party reporting will access data only by using SAP BW users and ODBO released queries. Every 3rd party user is a SAP BW user!! All existing SAP BW reporting authorization will be also used for 3rd party reporting. No difference to Business Explorer.
One place of security !
40
Agenda
41
BW Authority, a role based approach

BW System Administrator
BW Reporting User
BW Reporting Developer
42
Main User Roles in SAP BW

Reporting Activities Administration Activities
Set up Queries, Workbooks
Execute Queries
Maintain InfoCatalog
Set up Data Model Set up Data Flow Control Data Flow
Role: Reporting User,

Power User
Role: Data Modeller,

Staging Manager
43
Profile Generator
What is the Profile Generator? A tool to automatically generate authorization profiles
What are the Benefits?

Only necessary authorization objects will be used Authorization profiles are automatically generated Communication level between security administrator and end-user is the functionality
It is easier to define authorization profiles
44
Roles: Activities
Description
Menu Personalization Authorizations User
Description of Activity Group Assign Transactions Assign Workflow Tasks
Maintain and Generate Authorization Profiles

Assign User
45
Roles: Maintain Authorization Profile
46
Roles: Generate Authorization Profile
Generate Authorization Profile
47
Define Roles
Identify Roles in your company
Task oriented (Reporting, Administration, .... ) Function oriented (Board, Assistant, Manager, Controller, Analyst ) Subject oriented (Sales, FI, .... )
Define responsibility for an identified role Set up role oriented authorization Assign new users to a role
48
Role - Object Relation
Role Reporting User Reporting Developer Reporting Power User Data Manager Data Modeller System admin.
Query
R E R EM R EMD R EM R EM
InfoCube InfoSource InfoObject
RM
RM
R EMD R EM
MR R EM
Activities
R C
Display Create
E Execute D Delete
M Maintain
49
User Master Records: Concept
User Master Record
...
Role 1
Role 2
P1
P2
P3
P...
... A1 A...
... A...
... A...
...
50
Templates
Templates can be created to contain a series of authorization objects, and default values, to be imported into activity groups
Templates are provided by SAP BW for the following, E.g.:

S_RS_RDEAD S_RS_RDEMO S_RS_ROPAD S_RS_ROPOP S_RS_RREDE S_RS_RREPU Role: Administrator (development system) Role: Modeler (development system) Role: Administrator (productive system) Role: Operator (productive system) Role: Reporting developer (productive system) Role: Reporting user
51
Usage of Templates
The template can be a subset of the target Activity Group

Template
Add authorizations (manually)
Target Activity Group
The template can be a superset of the target Activity Group

Template Remove authorizations Target Activity Group
52
Usage of Templates II
The template can have an intersection with the target

Template
More than one template can be used

Template 1 Template 2
53
Example for SAP BW Business Content Roles
54
Agenda
55
Scenario 1: Authorization Check User Entry

If Refresh
User Entry Variable Values 0Profit_Ctr NE 0Cost_Ctr 1000 Assume no hierarchy node in the query definition Hierarchy Processing
If Drill-down
Query Results
Query is executed
Authorization Check
c
user profile data (buffered)
Authorization Check (buffered)
Hierarchy definitions (buffered)
Database Access
Steps to the authorization check

1. Read profile buffer
CCTR 1000 = OK PCTR NE = not OK

2. Read leaves on hierarchy if no
User Master Record
0Cost_Ctr 0TCTAUTHH 0PCTR North ''
1000
hierarchy is in the query definition. Node North on the hierarchy contains NE and NW so PCTR NE = OK - this user will pass the authorization check.
North = Default Node
Legend Default Node Hierarchy Hierarchy Node
Scenario 1: Authorization CheckUser Entry Scenario
56
Scenario 2: Authorization - RSSB

Query Results User Entry Variable Values 0Cost_Ctr 1000 Hierarchy Processing
Query is executed
Authorization Check
user profile data (buffered)
Authorization Check (buffered)
User Master Record 0Cost_Ctr 1000 Note: If the RSSB_AUTH_MODIFY function module is used, multiple values or ranges are stored in a cluster table and the authorization contains the $! value only.
hierarchy definitions (buffered)
Database Access
Scenario 2: Authorization - RSSB

57
Scenario 3: Authorization Variable

Query Results Variable Values 0Profit_Ctr * 0Cost_Ctr 1000 Hierarchy Node North Hierarchy Processing
Query is executed
Authorization Check
1st Read SAP Exit "filled by authorization"
2nd Read (Buffered) Reduce hierarchy to authorized parts
Values selected: 0Profit_Ctr * 0Cost_Ctr 1000 Herarchy Node North See Comment 1
3rd Read (Buffered) Authorization Check
Database Access
Values selected: Herarchy Nodes North, West, East
User Master Record 0Profit_Ctr 0Cost_Ctr 0TCTAUTHH 0Customer * 1000 North, West, East :
North = Default Node
Legend Default Node Hierarchy Hierarchy Node
Scenario 3: Authorization Variable
58
Scenario 4: Authorization InfoCube
Query 2 Selection Criteria: User Name SAP exit to read system user name Output profit centers per user name.
Query 2 results are used as selection criteria in Query 1
Query 1 Selection Criteria: Profit Center
$Var
Query 1 executes Query 2
Note: variable type for profit center = fill by query. Specify the authorization InfoCube query in the global variable definition by entering the technical name for query 2.
Authorizations Data
Data Load User Name: John Deer Cost Cetner 1000 Profit Center NE
Scenario 4: Authorization InfoCube

59
Scenario 4a: Authorization InfoCube

Query 2 Selection Criteria: User Name SAP exit to read system user name Output profit centers per user name. Query 1 executes Query 2 Query 2 results are used as selection criteria in Query 1 Query 1 Selection Criteria: Profit Center
$Var
Note: variable type for profit center = fill by query. Specify the authorization InfoCube query in the global variable definition by entering the technical name for query 2.
Authorizations Data
RSSB_READ_AUTH_IN_INFOCUBE
Data Load User Name: John Deer Cost Cetner 1000 Profit Center NE
RSSB_BW_AUTH_MODIFY Customer Report User Master Record
Scenario 4a: Authorization InfoCube

60
Agenda
61
New Mode for Hierarchy Nodes
62
Scenario 4a is Replaced by ODS Objects and RSSM
63
Scenario 4a is Replaced by ODS Objects and RSSM
64
BW Authorizations
Deborah Board, BW RIG 65

B W Authorizations Aug 30

Загружено:

Сведения о документе

Исходное описание:

Оригинальное название

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

B W Authorizations Aug 30

Загружено:

Авторское право:

Доступные форматы

BW Authorizations

Deborah Board, BW RIG

General Security Considerations

Different Roles of Security

Guide people to relevant data

Different tasks for different systems

focus on consistency (normalisation) process oriented (Transaction Concept) local view

Analytical System (OLAP)

global view (transformed and reorganised)

Controlling of OLTP data

based on transactions for:

separated into different activities

Controlling of analytical data

based on transactions for:

separated into different activities

Data Entry versus Data Access Security

SAP AG 2001, Title of Presentation, Speaker Name 7

General Security Considerations

Authorization Concept Overview

3rd party OLAP client

Analyzer (hosted by MS Excel)

Meta Data Manager

Business Information Warehouse Server

Operational Data Store

Production Data Extractor

R/3 OLTP Applications

Authorization Concept: Information complexity

InfoCubes & ODS Objects

InfoObjects - Key figures

InfoObjects - Characteristic Values

- simplification + security detail

Authorization Concept Overview

3rd party OLAP client

Analyzer (hosted by MS Excel)

Business Explorer Administrator Workbench

Meta Data Manager

Business Information Warehouse Server

Operational Data Store

Production Data Extractor

R/3 OLTP Applications

Basic Administration of SAP BW

Basic System settings

Transport System Development Workbench

ABAP basis Kernel

Background Job Administration User Administration SAP IMG ...

System Communication Authority

Business Content BW technology

Customer Applicat. SAP Application

Usage of Remote Communication Users

OLAP Processor InfoCubes

Meta Data Manager

Business Information Warehouse Server

Operational Data Store

Customizing of R/3 Extractors

Production Data Extractor

3rd Party Extraction

R/3 OLTP Applications

Restrict DataSource for R/3 Extraction

Business Information Warehouse A

Business Information Warehouse B

Different Tasks Different Remote User

Business Information Warehouse

Intervals Mask (e.g. , 0SD ...)