SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BA - boc.sap.com | UAC - uac.sap.com

© 2011 SAP AG 1

SAP BW Analysis Authorizations – Scalable Security Modeling

Applies to:

SAP ECC 6.0, SAP BI 7.0. For more information, visit the EDW homepage.

Summary

This paper will summarize the use of SAP BW analysis authorizations for authorization-relevant characteristics and restrict the query output based on customer exit hierarchy node variable values.

Standard BI security control model is not efficient to maintain user access to its respective profit centers as it requires significant development and maintenance efforts. This customized authorization concept will reduce maintenance effort from security team significantly.

Author: Srinivasa Raju B

Company: Deloitte Consulting India Private Ltd.

Created on: 27 September 2011

Author Bio

Srinivasa Raju B is currently working in Deloitte Consulting India Private Ltd. He is experienced in SAP BI, BO and ABAP.

Table of Contents

Introduction
Problem Definition
Step-by-step solution
1. Create BEx hierarchy node variable
2. Maintain authorizations using RSECADMIN
3. Assign authorization object to users
4. Custom table for characteristic values
5. Enhancement RSR00001 to populate hierarchy node variable based on custom table entries
6. Execute the report
Benefits
Conclusion
Related Content
Disclaimer and Liability Notice

Introduction

With the introduction of SAP NetWeaver version, all users who want to display data from authorization-relevant characteristics or navigation attributes in a query require analysis authorizations. This type of authorization is not based on the standard authorization concept of SAP. The formerly used reporting authorization concept is replaced by the current analysis authorization concept. The system setting allows using either one of the concepts.

The analysis authorization uses the features of reporting and analysis in BW. Analysis authorizations are not based on authorization objects; instead they are based on BW objects. The authorization-relevant BW objects are the so-called info objects. Info objects are the smallest unit within Business Warehouse for the evaluation of business-relevant data.

Any BW info object can be flagged as authorization relevant; the objects 0TCAIPROV, 0TCAVALID, and 0TCAACTVT are flagged by default.

0TCAACTVT — to restrict the authorization to activities, default value: Display;

0TCAIPROV — to restrict the authorization to Info Providers, default value: all (*);

0TCAVALID — to restrict the validity of the authorization, default value: always valid (*).

If you want to authorize access to key figures, add 0TCAKYFNM characteristic to the authorization. The authorizations are then assigned to roles. The role assignment is generally not mandatory, but can be recommended for an aligned conceptual approach. Some of the key benefits for analysis authorizations are that they are modifiable afterwards and may contain as many info objects as necessary and desired.

Relevant tables:

RSECHIE Status of hierarchy authorizations

RSECHIE_CL Change log of hierarchy authorizations

RSECTXT Authorization text

RSECTXT_CL Change log of authorization texts

RSECVAL Authorization values status

RSECVAL_CL Change log for authorization values status

RSECBIAU Changes to authorizations

RSECUSERAUTH BI Analysis authorization — assignment to users

RSECUSERAUTH_CL BI Analysis authorization — assignment to users (change log)

Problem Definition

While executing the query, the hierarchy node variable values would be populated or restricted based on the authorizations of the user who is executing the report. These authorization mappings are maintained in the custom table.

In this scenario, we need to restrict the profit center hierarchy node based on the custom table entries while executing the reports.

Assumption: The profit center info object is flagged as authorization relevant.

Step-by-step solution

1. Create hierarchy node variable on profit center hierarchy.

2. Maintain authorization using RSECADMIN

3. Assign authorization objects to users

4. Maintain characteristic values (hierarchy nodes/values) using custom table

5. Populate the variable in the enhancement RSR00001

6. Execute the report

1. Create BEx hierarchy node variable

Create a hierarchy node customer exit variable on the profit center (0PROFIT_CTR) hierarchy in BEx Query Designer.

2. Maintain authorizations using RSECADMIN

Go to the transaction RSECADMIN and click on Maintenance in the Authorization tab to create a custom authorization object ZTEST01.

Add the special characteristics 0TCAACTVT (activity), 0TCAIPROV (Info Provider), and 0TCAVALID (validity).

You do not have to include these special characteristics in every authorization, but we recommend it for reasons of simplicity. Every user, however, has to have authorizations for each of these special characteristics.

All the characteristics that are added here should be flagged as authorization relevant in the info object.

Add the relevant characteristics; in our case this is 0PROFIT_CTR.

Using Detail Maintenance of Characteristic/Dimension, you can access maintenance of values and hierarchy authorizations for the characteristic profit center.

Create a hierarchy authorization variable by selecting the profit center hierarchy and the hierarchy node variable that was created on profit center in the earlier step.

3. Assign authorization object to users

In the transaction RSECADMIN, go to the Assignments button in the User tab.

Assign the authorization object ZTEST01 that was created in the earlier step to the users who require access to store reports.

4. Custom table for characteristic values

Create a transparent table in SE11 to maintain the store (profit center) mappings to users.

Create table maintenance for this table and make sure its entries can be updated or changed only by authorized people.

Please find the entries after the table is populated by admin/security team.

5. Enhancement RSR00001 to populate hierarchy node variable based on custom table entries

Go to the enhancement RSR00001, and implement the function exit EXIT_SAPLRRS0_001. Now write the code for the hierarchy node variable to populate values from the mapping table based on the user who is executing the report.

Since it is driven by the authorization object, we should write the code in i_step = 1.
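
One way the exit logic described in this step could look, as an added example and not the author's own code. The variable name ZV_PCA_NODE and the mapping table ZUSER_STORE_MAP with its fields UNAME, HIER_NODE and NODE_IOBJ are hypothetical; the code returns no node at all when the user has no mapping rows.

```abap
* Include ZXRSRU01, processed by function exit EXIT_SAPLRRS0_001.
* Hypothetical names (not from the article): variable ZV_PCA_NODE and
* table ZUSER_STORE_MAP with fields UNAME, HIER_NODE, NODE_IOBJ.
DATA: ls_range TYPE rrrangesid,
      lt_map   TYPE STANDARD TABLE OF zuser_store_map,
      ls_map   TYPE zuser_store_map.

CASE i_vnam.
  WHEN 'ZV_PCA_NODE'.
    " The article places the logic in I_STEP = 1.
    IF i_step = 1.
      CLEAR e_t_range.

      " Key the lookup on the logged-on user only, never on a value
      " the user can type on the variable screen.
      SELECT * FROM zuser_store_map
        INTO TABLE lt_map
        WHERE uname = sy-uname.

      " Fail closed: without mapping rows E_T_RANGE stays empty,
      " so no node is granted. Do not default to '*' here.
      LOOP AT lt_map INTO ls_map.
        " Skip empty or wildcard rows instead of widening access.
        IF ls_map-hier_node IS INITIAL OR ls_map-hier_node CA '*+'.
          CONTINUE.
        ENDIF.

        CLEAR ls_range.
        ls_range-sign = 'I'.
        ls_range-opt  = 'EQ'.
        ls_range-low  = ls_map-hier_node.        " node name
        " For hierarchy node variables HIGH carries the InfoObject of
        " the node: 0HIER_NODE for text nodes, the characteristic
        " itself (0PROFIT_CTR) for postable nodes.
        IF ls_map-node_iobj IS INITIAL.
          ls_range-high = '0HIER_NODE'.           " assumed default
        ELSE.
          ls_range-high = ls_map-node_iobj.
        ENDIF.
        APPEND ls_range TO e_t_range.
      ENDLOOP.
    ENDIF.
ENDCASE.
```

Because the mapping table now decides what each user can see, changes to it deserve the same review and logging as changes made in RSECADMIN.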

6. Execute the report

Create a query ZSTORE_REPORT_TEST which uses the hierarchy node variable that was created earlier.

Execute the report with the user ID (SBHETAL) to which the authorization object is assigned.

Click on F4 Help for the profit center hierarchy. It will display only the nodes (stores) that the user is authorized to access, based on the entries maintained in the user store mapping table.

Benefits

Three key benefits may be realized by applying this customized authorization concept. They are as follows:

This customized authorization concept will reduce the maintenance effort from security team significantly

This concept will provide one place to maintain mappings between users and stores using custom table

Custom logic could be tweaked to handle more complex scenarios

Conclusion

This customized approach of maintaining the authorizations in a custom table and populating them through a user exit will reduce the development effort and the security team's maintenance activity significantly.

Standard BI security control model is not efficient to maintain user access to its respective profit centers as it requires significant development and maintenance efforts. This customized authorization concept will reduce maintenance effort from security team significantly.

This design is scalable for any number of authorization objects and considerably reduces ongoing maintenance effort. This concept of BEx OLAP Authorization variable seamlessly integrates with BOBJ Webi filter.

Related Content

Analysis Authorizations

For more information, visit the EDW homepage

Disclaimer and Liability Notice

This document may discuss sample coding or other information that does not include SAP official interfaces and therefore is not supported by SAP. Changes made based on this information are not supported and can be overwritten during an upgrade.

SAP will not be held liable for any damages caused by using or misusing the information, code or methods suggested in this document, and anyone using these methods does so at his/her own risk.

SAP offers no guarantees and assumes no responsibility or liability of any type with respect to the content of this technical article or code sample, including any liability resulting from incompatibility between the content within this document and the materials and services offered by SAP. You agree that you will not hold, or seek to hold, SAP responsible or liable with respect to the content of this document.