
BW Authorizations

Deborah Board, BW RIG


Agenda

General Security Considerations

Authorization Concept
Role Based User Concept

BW Authorization Scenarios
New Functionality in BW 3.0

SAP AG 2001, Title of Presentation, Speaker Name 2

Different Roles of Security

Protecting Data
The security concept needs to protect data in line with laws, agreements, policies and training, and to protect naming conventions and data quality.

Guide people to relevant data


The authorization model is an actual model of the current organization of the company. Stored information about authorizations can also be used to show relevant data to employees (e.g. show the revenues of my sales organization, the costs of my cost center ...).


Different tasks for different systems

Transactional system (OLTP)
  balance oriented, actual data
  focus on consistency (normalisation)
  process oriented (Transaction Concept)
  local view

Analytical System (OLAP)
  historical data
  subject oriented (customer, not customer number)
  focus on analytical needs
  global view (transformed and reorganised)


Controlling of OLTP data

clearly divided into several business areas (Finance, Controlling, Logistics, Human Resources ...)

based on transactions for:
  master data (customer master, material master ...)
  business process data (sales order, posting ...)

separated into different activities:
  create, change, display, delete


Controlling of analytical data

clearly divided into several business areas (Finance, Controlling, Logistics, Human Resources ...)
  but the OLAP benefit means combining data from different areas

based on transactions for:
  master data (customer master, material master ...)
  business process data (sales order, posting ...)
  but analytical processing is not transaction oriented

separated into different activities:
  create, change, delete, display
  but OLAP processing is 99% display


Data Entry versus Data Access Security

(Figure: Reporting Environment; labels: Business Processes, Measures, Assets.)


Authorization Concept Overview

(Figure: BW architecture with four numbered authorization areas.
1: Source systems: R/3 OLTP Applications with Production Data Extractor and OLTP Reporting, and Non R/3 OLTP Applications with Non R/3 Production Data Extractor, feeding the Staging Engine / BAPI of the Business Information Warehouse Server.
2: Administrator Workbench: Administration, Scheduling, Monitor, Meta Data Repository, with Meta Data Manager and Data Manager.
3: InfoCubes and Operational Data Store, served by the OLAP Processor.
4: Business Explorer clients: Browser, 3rd party OLAP client, Analyzer (hosted by MS Excel).)

Authorization Concept: Information complexity

Levels at which authorization can be defined, from most simplified (least security detail) at the top to most detailed (least simplification) at the bottom:
User
User Role (Activity Groups)
InfoAreas
InfoCubes & ODS Objects
Queries
InfoObjects - Key figures
InfoObjects - Characteristic Values

SAP BW Deliverables

Administration
  concept very close to standard R/3
  all authorization relevant objects are delivered by SAP
  administration of authorizations like in R/3

Reporting
  no authorization relevant object definition is delivered
  set of tools to define a customer specified concept
  embedded in SAP BW administration

Authorization Concept Overview

(The architecture figure is repeated here with area 1 highlighted: the source systems, R/3 OLTP Applications and Non R/3 OLTP Applications with their Production Data Extractors, and their connection to the BW server.)

Basic Administration of SAP BW

Basic System settings

(Figure: the BW Server as a stack of Business Content, BW technology, Transport System, Development Workbench, ABAP basis and Kernel, alongside Background Job Administration, User Administration, SAP IMG ...)

Standard R/3 Security Concept
  all standard authorization objects available
  usage of all standard tools possible

System Communication Authority

System communication for extraction and customizing is handled by the ABAP basis layer -> authorization is controlled by the basis layer.
Asynchronous communication needs two different users:
  BW -> R/3: ALEREMOTE (any customer defined user, but unique for every BW-R/3 RFC connection)
  R/3 -> BW: BWREMOTE (customer defined, but unique for every BW instance)

(Figure: BW Server (Business Content, BW technology, ABAP basis, Kernel) and SAP R/3 (Customer Application, SAP Application, ABAP basis, Kernel) communicating through their ABAP basis layers, ALEREMOTE in one direction and BWREMOTE in the other.)

Usage of Remote Communication Users

(Figure: the Business Information Warehouse Server (Administrator Workbench with Administration, Scheduling, Monitor and Meta Data Repository; OLAP Processor; InfoCubes; Meta Data Manager; Data Manager; Staging Engine; Operational Data Store) connected to the R/3 OLTP Applications (Customizing of R/3 Extractors, Production Data Extractor, OLTP Reporting) and to 3rd Party Extraction, using the remote users ALEREMOTE and BWREMOTE.)

Restrict DataSource for R/3 Extraction

(Figure: Business Information Warehouse A and Business Information Warehouse B both request data from the same R/3 System. The R/3 System extracts and sends data for one request and declines the other, i.e. a DataSource can be restricted to a particular BW system.)

Different Tasks Different Remote User

Business Information Warehouse -> SAP Source System, two RFC destinations:
  <RFC_DESTINATION>: extracting data; runs under the CPI/C user ALEREMOTE with S_BI-WX_RFC
  <RFC_DESTINATION>_DIALOG: all dialog options; runs under the current user with user specific authorization

Authorization Concept Overview

(The architecture figure is repeated here with area 2 highlighted: the Administrator Workbench with Administration, Scheduling, Monitor and Meta Data Repository.)

Administrator Workbench

Central point of BW administration and control:
  Scheduling data load
  Executing data load
  Monitoring data load
  Monitoring update process
  BW Design
  Maintenance
  Administration

Authorization Relevant Elements

Warehouse Design
  Workbench Objects
  Variables
  Query Objects
  InfoCube Objects
  ODS Objects
  InfoSources
  InfoObjects
  Source Systems

Warehouse Administration
  InfoPackages
  Monitor
  Meta Data
  Reporting Agent Settings

SAP BW Authorization Overview

(Figure: a User is assigned Roles; the Profile Generator builds a Profile from each Role; a Profile contains Authorizations; each Authorization is an instance of an Object with Fields and Values. Two authorization object classes are shown: BUSINESS INFORMATION WAREHOUSE - Administration and BUSINESS INFORMATION WAREHOUSE - REPORTING.)

Authorization Objects SAP BW

Reporting relevant
  <REPORTING OBJECTS>  company defined reporting objects
  S_RS_COMP            Business Explorer - components

Administration relevant
  S_RS_GVAR   Business Explorer - Global Variables
  S_RS_HIER   Hierarchy
  S_RS_ICUBE  InfoCube
  S_RS_ISRCM  InfoSource (master data)
  S_RS_ISOUR  InfoSource (transaction data)
  S_RS_IOMAD  Master data
  S_RS_ADMWB  Administrator Workbench - Objects

Authorization Objects

Object class: Business Information Warehouse - Reporting
  Authorization object: Custom BW Reporting Authorization object for Characteristic #1 (i.e. Cost Center)
  Authorization object: Custom BW Reporting Authorization object for Characteristic #2

Customized reporting objects exist for each BW system. One example shown here is the custom reporting authorization object for the cost center characteristic; other examples can be created for other organizational level restrictions. These objects can be used to define a restriction on all InfoCubes and thus restrict users from seeing sensitive data.

Object class: Business Information Warehouse - Administration
  Authorization object: Administrator Workbench - Hierarchy
  Authorization object: Administrator Workbench - InfoCube

Authorization objects exist for the Administrator Workbench: Hierarchy, InfoCubes, InfoSources ...

Authorization Objects

Authorization object <object_name> with fields <field 1> <field 2> <...>

An authorization object defines a set of fields for authorization purposes and is classified by an Authorization Object Class.

Example: S_RS_ADMWB with the fields
  ACTVT  Activity
  ADMWO  Workbench

Authorization Concept Overview

(The architecture figure is repeated here with area 3 highlighted: the InfoCubes and the OLAP Processor.)

SAP BW Reporting Objects

(Figure: an <Authorization Object> with fields <field 1>, <field 2>, <...> related to SAP BW objects: an authorization relevant Characteristic, a Key Figure Object and a Hierarchy Node, and to SAP BW InfoCubes. Cardinalities shown on the figure: 0..n, 0..1, 1..m and 0..10.)

Reporting Object

A Reporting Object is an Authorization Object with an additional relation to InfoCubes. The OLAP processor will only check the reporting objects assigned to the InfoCube actually being reported on.

(Figure: the same <Authorization Object> with fields 1KYFNM, SALESO and DISTCHA, shown once as a plain Authorization Object and once as a Reporting Object, i.e. with its InfoCube assignment.)

Reporting Object Values

Standard R/3 authorization concept (include principle)*
  Single values
  Intervals
  Mask (e.g. *, 0SD* ...)

Extended SAP BW values (include principle)*
  #  Not assigned (Initial)
  :  Values aggregated
  $  Authorization variables

* include principle only: it is not possible to exclude values from an authorization
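The value forms listed above can be modelled as a small include-only matcher, which makes the "no exclusion" footnote concrete: grants can only widen coverage. This is an added example, not SAP code; the grant list, the variable values, the string comparison for intervals and the treatment of a bare `*` as also covering the aggregated (`:`) case are assumptions.

```python
"""Model of BW reporting-object value checks under the include principle.

Added illustration, not SAP code.  Grant forms follow the slide: single
values, intervals, masks with '*', '#' (not assigned / initial), ':' (values
aggregated) and '$NAME' (authorization variable).  Assumptions: intervals are
compared as character strings, and a bare '*' also covers the aggregated case.
"""
from __future__ import annotations
import re

INITIAL = ""        # the 'not assigned' (initial) characteristic value
AGGREGATED = None   # selection marker: characteristic not in the drill-down


def _expand(grant, variables: dict[str, list]) -> list:
    """Resolve a '$NAME' grant into the values the authorization variable delivers."""
    if isinstance(grant, str) and grant.startswith("$"):
        return list(variables.get(grant[1:], []))
    return [grant]


def _covers(grant, value: str) -> bool:
    """Does one concrete grant cover one concrete characteristic value?"""
    if isinstance(grant, tuple):            # interval (low, high), inclusive
        low, high = grant
        return low <= value <= high
    if grant == "#":
        return value == INITIAL
    if grant == ":":
        return False                        # ':' never covers a single value
    # mask: '*' stands for any run of characters, everything else is literal
    pattern = ".*".join(re.escape(part) for part in grant.split("*"))
    return re.fullmatch(pattern, value) is not None


def uncovered(selection, grants, variables=None) -> set[str]:
    """Selected values that no grant covers (empty set means authorized).

    selection is AGGREGATED or an iterable of values for one
    authorization-relevant characteristic.  Grants only ever add coverage:
    there is no grant form that takes a value away (the include principle).
    """
    flat = [g for grant in grants for g in _expand(grant, variables or {})]
    if selection is AGGREGATED:
        return set() if (":" in flat or "*" in flat) else {"<aggregated>"}
    return {v for v in selection if not any(_covers(g, v) for g in flat)}


def authorized(selection, grants, variables=None) -> bool:
    return not uncovered(selection, grants, variables)


# Constructed sample: the grants of one reporting-object field (cost center).
GRANTS = ["1000", ("2000", "2999"), "0SD*", "#", ":", "$CCTR"]
VARIABLES = {"CCTR": ["3100", "3200"]}   # filled at run time, e.g. by an exit

if __name__ == "__main__":
    print(uncovered(["1000", "2500", "0SD01", INITIAL, "3200"], GRANTS, VARIABLES))
    print(uncovered(["4000", "2999", "3300"], GRANTS, VARIABLES))
    print(authorized(AGGREGATED, GRANTS))
```

Because `uncovered` lists the exact values a selection lacks, it doubles as a quick review aid when a user reports an unexpected "no authorization" on a query.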



Three Steps to set up a Reporting Authorization

1 Mark the InfoObject as "Authorization Relevant"
2 Create an Authorization Object for Reporting (use Basic Settings -> Authorizations -> Reporting Objects)
3 Create Authorizations with the values

Authorization Object for Hierarchy Node

(Figure: 1 Business Content InfoObject 0TCTAUTHH; 2 an <Authorization Object> with the fields 0TCTAUTHH, DMGATE, <...>)

The authorization on a hierarchy is implemented with the InfoObject 0TCTAUTHH of the technical Content (InfoObject Catalogue 0BWTCT_CHA01). Transfer this InfoObject first from the content and activate it. Make sure that the indicator is set to 'authorization relevant'.

Authorization for Hierarchy Node

(Figure: an <Authorization Object> with the fields 0TCTAUTHH, PROFITCTR, <...>)

Unassigned Leaves of a Hierarchy

Note that the authorization does not automatically authorize displaying a query for the highest node of a hierarchy, because a hierarchy additionally includes a node Not Assigned.

Use the option Top of Hierarchy in the hierarchy authorization maintenance to include this node as well!

(Figure: hierarchy ROOT with the nodes Europe and Asia and the extra node Not Assigned.)

All leaves of the current query result set are assigned according to the hierarchy definition; all other leaves are assigned to Not Assigned.

Authorization Variables I

1 Create Variable

2 Define Variable Properties


Authorization Variables II
3 Assign Variable to Query


Enhanced Maintenance of Authorizations

Maintain all BW reporting authorizations:
  Single values
  Hierarchy nodes

Authorization Concept Overview

(The architecture figure is repeated here with area 4 highlighted: the Business Explorer front end, Browser and Analyzer (hosted by MS Excel).)

Distribution of Queries to Roles

SAP Queries are embedded into SAP BW Workbooks (MS Excel).
Workbooks can be assigned to roles in the Business Explorer.
Reporting Users are also assigned to roles.
Maintain query specific authorizations (if required) in the profile generator.
Currently no Authorization Object is available to set up authority for Workbooks.

Distribution of Queries to Roles

Problem:
The authority check for embedded SAP BW Queries first takes place when the Query is refreshed.

Query results saved with the Workbook will be visible to the user even if the user is unauthorized. But no navigation is possible without refreshing the Query!

Solution:
Save Workbooks to the Role only without Query results.
Use the AutoRefresh functionality within the Query properties to ensure the authority check.

Authorization Concept Overview

(The architecture figure is repeated here with a question mark at the 3rd party OLAP client.)

Authority 3rd Party OLAP client

Not authorization relevant.

There is no authorization check needed within the communication to 3rd party reporting clients. All levels of reporting security are handled by the SAP BW OLAP processor. Every 3rd party reporting tool will access data only by using SAP BW users and ODBO released queries. Every 3rd party user is a SAP BW user!! All existing SAP BW reporting authorizations will also be used for 3rd party reporting. No difference to the Business Explorer.

One place of security!


BW Authority, a role based approach


BW System Administrator

BW Reporting User

BW Reporting Developer

Main User Roles in SAP BW

Reporting Activities
  Set up Queries, Workbooks
  Execute Queries
  Maintain InfoCatalog
  Role: Reporting User, Power User

Administration Activities
  Set up Data Model
  Set up Data Flow
  Control Data Flow
  Role: Data Modeller, Staging Manager

Profile Generator

What is the Profile Generator? A tool to automatically generate authorization profiles.

What are the Benefits?
  Only necessary authorization objects will be used
  Authorization profiles are automatically generated
  The communication level between security administrator and end-user is the functionality
  It is easier to define authorization profiles

Roles: Activities

(Figure: role maintenance with the tabs Description, Menu, Personalization, Authorizations, User.)

Activities:
  Description of Activity Group
  Assign Transactions
  Assign Workflow Tasks
  Maintain and Generate Authorization Profiles
  Assign User

Roles: Maintain Authorization Profile


Roles: Generate Authorization Profile


Define Roles

Identify roles in your company:
  Task oriented (Reporting, Administration, ...)
  Function oriented (Board, Assistant, Manager, Controller, Analyst)
  Subject oriented (Sales, FI, ...)

Define the responsibility for an identified role
Set up role oriented authorization
Assign new users to a role

Role - Object Relation

Roles: Reporting User, Reporting Developer, Reporting Power User, Data Manager, Data Modeller, System admin.
Objects: Query, InfoCube, InfoSource, InfoObject

Activities
  R  Display
  C  Create
  E  Execute
  D  Delete
  M  Maintain

(Table of activity codes per role and object; cell values in reading order: Query row: R E, R EM, R EMD, R EM, R EM; remaining rows: RM, RM, R EMD, R EM, MR, R EM.)

User Master Records: Concept

(Figure: a User Master Record holds Roles (Role 1, Role 2, ...); each Role has Profiles (P1, P2, P3, ...); each Profile consists of Authorizations (A1, ...).)

Templates

Templates can be created to contain a series of authorization objects, with default values, to be imported into activity groups.

Templates are provided by SAP BW, e.g. for the following roles:
  S_RS_RDEAD  Role: Administrator (development system)
  S_RS_RDEMO  Role: Modeler (development system)
  S_RS_ROPAD  Role: Administrator (productive system)
  S_RS_ROPOP  Role: Operator (productive system)
  S_RS_RREDE  Role: Reporting developer (productive system)
  S_RS_RREPU  Role: Reporting user

Usage of Templates

The template can be a subset of the target Activity Group: add authorizations (manually) to reach the target.

The template can be a superset of the target Activity Group: remove authorizations to reach the target.

Usage of Templates II

The template can have an intersection with the target Activity Group.

More than one template can be used (Template 1, Template 2) for one target Activity Group.

Example for SAP BW Business Content Roles



Scenario 1: Authorization Check User Entry

User Entry, variable values: 0Profit_Ctr NE, 0Cost_Ctr 1000. Assume no hierarchy node in the query definition.

(Figure: query is executed (on Refresh or Drill-down) -> Hierarchy Processing -> Authorization Check, using user profile data (buffered), the authorization check (buffered) and hierarchy definitions (buffered) -> Database Access -> Query Results.)

User Master Record: 0Cost_Ctr 1000; 0TCTAUTHH 0PCTR North '' (North = Default Node; legend: Default Node, Hierarchy, Hierarchy Node)

Steps to the authorization check
1. Read profile buffer: CCTR 1000 = OK, PCTR NE = not OK.
2. Read leaves on the hierarchy if no hierarchy is in the query definition. Node North on the hierarchy contains NE and NW, so PCTR NE = OK - this user will pass the authorization check.
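The two-step check of Scenario 1, together with the Not Assigned rule from the "Unassigned Leaves of a Hierarchy" slide, as an added Python model (not SAP code). The profit-center hierarchy (ROOT -> North -> NE, NW), the extra leaf XX that the hierarchy does not place anywhere, and the user master record are constructed to mirror the slides.

```python
"""Model of the BW two-step reporting authorization check on a hierarchy.

Added example, not SAP code.  The hierarchy, the unplaced leaf 'XX' and the
user master record are constructed to mirror the slides.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

NOT_ASSIGNED = "Not Assigned"   # node every hierarchy carries for unplaced leaves


@dataclass
class Hierarchy:
    root: str
    children: dict[str, list[str]]   # inner node -> child nodes or leaf values
    all_leaves: set[str]             # every leaf value present in master data

    def leaves_below(self, node: str) -> set[str]:
        """Leaf values reachable from node (the 'read leaves' step)."""
        found: set[str] = set()
        for child in self.children.get(node, []):
            if child in self.children:
                found |= self.leaves_below(child)
            else:
                found.add(child)
        return found

    def unassigned_leaves(self) -> set[str]:
        """Leaves the hierarchy definition does not place under any node."""
        return self.all_leaves - self.leaves_below(self.root)


@dataclass
class NodeAuth:
    """One 0TCTAUTHH authorization: a node of a hierarchy on a characteristic."""
    node: str
    top_of_hierarchy: bool = False   # the 'Top of Hierarchy' maintenance option


def authorized_leaves(h: Hierarchy, auth: NodeAuth) -> set[str]:
    leaves = h.leaves_below(auth.node)
    # Authorizing the root node alone does not reach 'Not Assigned';
    # only the Top of Hierarchy option includes that node as well.
    if auth.top_of_hierarchy and auth.node == h.root:
        leaves |= h.unassigned_leaves()
    return leaves


def check(value_grants: set[str], node_auth: Optional[NodeAuth],
          h: Optional[Hierarchy], requested: str) -> tuple[bool, str]:
    """Step 1: single values from the profile buffer.  Step 2: leaves of the
    authorized hierarchy node (used when the query itself has no hierarchy)."""
    if requested in value_grants:
        return True, "step 1: value found in profile buffer"
    if node_auth is not None and h is not None:
        if requested in authorized_leaves(h, node_auth):
            return True, f"step 2: leaf of authorized node {node_auth.node}"
    return False, "not authorized"


# Constructed profit-center hierarchy; 'XX' exists but is not placed in it.
PCTR = Hierarchy("ROOT", {"ROOT": ["North", "East"], "North": ["NE", "NW"],
                          "East": ["E1"]}, {"NE", "NW", "E1", "XX"})
# User master record from the slide: 0Cost_Ctr 1000, 0TCTAUTHH 0PCTR node North
CCTR_GRANTS = {"1000"}
PCTR_AUTH = NodeAuth("North")

if __name__ == "__main__":
    print(check(CCTR_GRANTS, None, None, "1000"))        # step 1
    print(check(set(), PCTR_AUTH, PCTR, "NE"))            # step 2
    print(check(set(), NodeAuth("ROOT"), PCTR, "XX"))     # Not Assigned leaf
    print(check(set(), NodeAuth("ROOT", True), PCTR, "XX"))
```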


Scenario 2: Authorization - RSSB

User Entry, variable values: 0Cost_Ctr 1000.

(Figure: query is executed -> Hierarchy Processing -> Authorization Check, using user profile data (buffered), the authorization check (buffered) and hierarchy definitions (buffered) -> Database Access -> Query Results.)

User Master Record: 0Cost_Ctr 1000

Note: If the RSSB_AUTH_MODIFY function module is used, multiple values or ranges are stored in a cluster table and the authorization contains the $! value only.

Scenario 3: Authorization Variable

Variable values: 0Profit_Ctr *, 0Cost_Ctr 1000, Hierarchy Node North.

Query is executed -> Hierarchy Processing -> Authorization Check:
  1st Read: SAP Exit "filled by authorization"
  2nd Read (buffered): reduce the hierarchy to the authorized parts. Values selected: 0Profit_Ctr *, 0Cost_Ctr 1000, Hierarchy Node North (see Comment 1)
  3rd Read (buffered): Authorization Check. Values selected: Hierarchy Nodes North, West, East
-> Database Access -> Query Results

User Master Record: 0Profit_Ctr *; 0Cost_Ctr 1000; 0TCTAUTHH North, West, East; 0Customer :
North = Default Node (legend: Default Node, Hierarchy, Hierarchy Node)

Scenario 4: Authorization InfoCube

Query 2. Selection criteria: User Name (SAP exit to read the system user name). Output: profit centers per user name.
Query 1. Selection criteria: Profit Center, filled by the variable $Var.
Query 1 executes Query 2; the Query 2 results are used as selection criteria in Query 1.

Note: the variable type for profit center = fill by query. Specify the authorization InfoCube query in the global variable definition by entering the technical name of query 2.

Authorizations Data (InfoCube). Data Load: User Name John Deer, Cost Center 1000, Profit Center NE.

Scenario 4a: Authorization InfoCube

Query 2. Selection criteria: User Name (SAP exit to read the system user name). Output: profit centers per user name.
Query 1. Selection criteria: Profit Center, filled by the variable $Var.
Query 1 executes Query 2; the Query 2 results are used as selection criteria in Query 1.

Note: the variable type for profit center = fill by query. Specify the authorization InfoCube query in the global variable definition by entering the technical name of query 2.

Authorizations Data (InfoCube). Data Load: User Name John Deer, Cost Center 1000, Profit Center NE.

In addition, a Customer Report uses the function modules RSSB_READ_AUTH_IN_INFOCUBE (read the Authorizations Data) and RSSB_BW_AUTH_MODIFY (update the User Master Record).


New Mode for Hierarchy Nodes


Scenario 4a is Replaced by ODS Objects and RSSM

