SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BA - boc.sap.com | UAC - uac.sap.com
© 2011 SAP AG 1
SAP BW Analysis Authorizations –
Scalable Security Modeling
Applies to:
SAP ECC 6.0, SAP BI 7.0. For more information, visit the EDW homepage.
Summary
This paper summarizes the use of SAP BW analysis authorizations for authorization-relevant characteristics and shows how to restrict the query output based on customer exit hierarchy node variable values.
The standard BI security control model is not efficient for maintaining user access to the respective profit centers, as it requires significant development and maintenance effort. This customized authorization concept significantly reduces the security team's maintenance effort.
Author: Srinivasa Raju B
Company: Deloitte Consulting India Private Ltd.
Created on: 27 September 2011
Author Bio
Srinivasa Raju B is currently working in Deloitte Consulting India Private Ltd. He is experienced in SAP BI, BO and ABAP.
Table of Contents
Introduction
Problem Definition
Step-by-step solution
1. Create BEx hierarchy node variable
2. Maintain authorizations using RSECADMIN
3. Assign authorization object to users
4. Custom table for characteristic values
5. Enhancement RSR00001 to populate hierarchy node variable based on custom table entries
6. Execute the report
Benefits
Conclusion
Related Content
Disclaimer and Liability Notice
Introduction
With the introduction of SAP NetWeaver version, all users who want to display data from authorization-relevant characteristics or navigation attributes in a query require analysis authorizations. This type of authorization is not based on the standard SAP authorization concept. The formerly used reporting authorization concept is replaced by the current analysis authorization concept. A system setting allows either of the two concepts to be used.
Analysis authorizations use the reporting and analysis features of BW. They are not based on authorization objects; instead, they are based on BW objects. The authorization-relevant BW objects are the so-called InfoObjects. InfoObjects are the smallest unit within Business Warehouse for the evaluation of business-relevant data.
Any BW InfoObject can be flagged as authorization-relevant; the objects 0TCAIPROV, 0TCAVALID, and 0TCAACTVT are flagged by default.
0TCAACTVT — to restrict the authorization to activities, default value: Display;
0TCAIPROV — to restrict the authorization to Info Providers, default value: all (*);
0TCAVALID — to restrict the validity of the authorization, default value: always valid (*).
If you want to authorize access to key figures, add the 0TCAKYFNM characteristic to the authorization. The authorizations are then assigned to roles. Role assignment is generally not mandatory, but it is recommended for a consistent conceptual approach. Key benefits of analysis authorizations are that they can be modified afterwards and may contain as many InfoObjects as necessary.
Relevant tables:
RSECHIE Status of hierarchy authorizations
RSECHIE_CL Change log of hierarchy authorizations
RSECTXT Authorization text
RSECTXT_CL Change log of authorization texts
RSECVAL Authorization values status
RSECVAL_CL Change log for authorization values status
RSECBIAU Changes to authorizations
RSECUSERAUTH BI Analysis authorization — assignment to users
RSECUSERAUTH_CL BI Analysis authorization — assignment to users (change log)
Problem Definition
When the query is executed, the hierarchy node variable values are populated or restricted based on the authorizations of the user who is executing the report. These authorization mappings are maintained in the custom table.
In this scenario, we need to restrict the profit center hierarchy node based on the custom table entries while executing the reports.
Assumption: The profit center InfoObject is flagged as authorization-relevant.
Step-by-step solution
1. Create hierarchy node variable on profit center hierarchy.
2. Maintain authorization using RSECADMIN
3. Assign authorization objects to users
4. Maintain characteristic values (hierarchy nodes/values) using custom table
5. Populate the variable in the enhancement RSR00001
6. Execute the report
1. Create BEx hierarchy node variable
Create a hierarchy node variable of type customer exit on the profit center (0PROFIT_CTR) hierarchy in BEx Query Designer.
2. Maintain authorizations using RSECADMIN
Go to transaction RSECADMIN and click Maintenance on the Authorization tab to create a custom authorization object ZTEST01.
Add special characteristics 0TCAACTVT (activity), 0TCAIPROV (Info Provider), and 0TCAVALID (validity).
You do not have to include these special characteristics in every authorization, but we recommend it for
reasons of simplicity. Every user, however, has to have authorizations for each of these special
characteristics.
All characteristics that are added here must be flagged as authorization-relevant in the InfoObject.
Add the relevant characteristics; in our case this is 0PROFIT_CTR.
Using Detail Maintenance of Characteristic/Dimension, you can access the maintenance of values and hierarchy authorizations for the characteristic profit center.
Create the hierarchy authorization variable by selecting the profit center hierarchy and the hierarchy node variable that was created on profit center in the earlier step.
3. Assign authorization object to users
In transaction RSECADMIN, click the Assignments button on the User tab.
Assign the authorization object ZTEST01 that was created in the earlier step to the users who need access to store reports.
4. Custom table for characteristic values
Create a transparent table in SE11 to maintain the store (profit center) mappings to users.
Create table maintenance for this table and make sure that its entries are updated or changed only by authorized people.
Please find the entries after the table is populated by the admin/security team.
5. Enhancement RSR00001 to populate hierarchy node variable based on custom table entries
Go to the enhancement RSR00001 and implement the function exit EXIT_SAPLRRS0_001. Write the code that populates the hierarchy node variable with values from the mapping table, based on the user who is executing the report.
Because the variable is driven by the authorization object, the code should be written for i_step = 1.
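The exit logic this step describes could look as follows. This is an added example, not the paper's own code: the variable name ZPC_HNODE_AUTH, the table ZBW_USER_STORE and its fields UNAME and HIER_NODE are hypothetical, and the mapped nodes are assumed to be text nodes of the profit center hierarchy.

```abap
* Added example: body of include ZXRSRU01, which EXIT_SAPLRRS0_001 calls.
* Assumed names (not from the paper): variable ZPC_HNODE_AUTH and table
* ZBW_USER_STORE with fields UNAME (user ID) and HIER_NODE (node name).
DATA: lt_map   TYPE STANDARD TABLE OF zbw_user_store,
      ls_map   TYPE zbw_user_store,
      ls_range LIKE LINE OF e_t_range.

CASE i_vnam.
  WHEN 'ZPC_HNODE_AUTH'.
    " The paper places this logic in I_STEP = 1. I_STEP = 0 is the call
    " made outside the variable screen (for example by the authorization
    " check); covering it as well is an assumption of this example.
    IF i_step = 0 OR i_step = 1.
      CLEAR e_t_range.

      " Read only the rows of the user running the query. SY-UNAME is
      " set by the system, not entered on the variable screen.
      SELECT * FROM zbw_user_store
        INTO TABLE lt_map
        WHERE uname = sy-uname.

      " No rows for this user: E_T_RANGE stays empty, so this exit
      " hands over no node at all.
      LOOP AT lt_map INTO ls_map.
        CLEAR ls_range.
        ls_range-sign = 'I'.
        ls_range-opt  = 'EQ'.
        ls_range-low  = ls_map-hier_node.   " node name
        ls_range-high = '0HIER_NODE'.       " InfoObject of a text node
        APPEND ls_range TO e_t_range.
      ENDLOOP.
    ENDIF.
ENDCASE.
```

Because the mapping table now decides what each user can see, changes to it deserve the same review and logging as changes made in RSECADMIN.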
6. Execute the report
Create a query ZSTORE_REPORT_TEST that uses the hierarchy node variable created earlier.
Execute the report with the user ID (SBHETAL) to which the authorization object is assigned.
Click F4 Help for the profit center hierarchy. It displays only the nodes (stores) that the user is authorized to access, based on the entries maintained in the user store mapping table.
Benefits
Three key benefits may be realized by applying this customized authorization concept. They are as follows:
This customized authorization concept significantly reduces the security team's maintenance effort.
This concept provides one place, the custom table, to maintain the mappings between users and stores.
The custom logic can be adjusted to handle more complex scenarios.
Conclusion
This customized approach, in which the authorizations are maintained in a custom table and populated through a user exit, will significantly reduce the development effort and the security team's maintenance activity.
The standard BI security control model is not efficient for maintaining user access to the respective profit centers, as it requires significant development and maintenance effort. This customized authorization concept significantly reduces the security team's maintenance effort.
This design is scalable to any number of authorization objects and considerably reduces ongoing maintenance effort. This concept of a BEx OLAP authorization variable integrates seamlessly with the BOBJ Webi filter.
Related Content
Analysis Authorizations
For more information, visit the EDW homepage
Disclaimer and Liability Notice
This document may discuss sample coding or other information that does not include SAP official interfaces and therefore is not supported by SAP. Changes made based on this information are not supported and can be overwritten during an upgrade.
SAP will not be held liable for any damages caused by using or misusing the information, code or methods suggested in this document, and anyone using these methods does so at his/her own risk.
SAP offers no guarantees and assumes no responsibility or liability of any type with respect to the content of this technical article or code sample, including any liability resulting from incompatibility between the content within this document and the materials and services offered by SAP. You agree that you will not hold, or seek to hold, SAP responsible or liable with respect to the content of this document.