BI 7 Security Concepts.ppt

7/26/2019 BI 7 Security Concepts.ppt

1/53

BI 7 Security Concepts


2/53

Topics Covered:

Difference between BW 3.x and BI 7 Securing reporting users access

Authoriation !race Creation of Ana"ysis Authoriation Assign#ent of Ana"ysis Authoriation Securing Access to Wor$boo$s Additiona" BI7 Security %eatures &ew Authoriation 'b(ects


3/53

!here was no SA) de"i*ered authoriation

ob(ect to "in$ the hierarchies to +o"es.

Custo#ied Auth ob(ect need to be created

which wi"" fa"" under SA) C"ass +S+.

Difference between BW 3.x and BI Security

SA) de"i*ered Auth ob(ect S,+S,A-!

/C"ass +S0 can be added to the +o"es and

further "in$ed to ana"ysis authoriation


4/53

Contd

RSS RS!C"DI#

$%d transaction1 +SS2

Concept of aut&ori'ation1 +eportingAuthoriation

#ew transaction1 +S4CAD2I&

Concept of aut&ori'ation1 Ana"ysis

Authoriation


5/53

Contd

"ut&ori'ation:)%C5 /+o"e based approach0

"ut&ori'ation:)%C5 /+o"e based approach0+S4CA-! /Ana"ysis Authoriation BasedApproach0


6/53

Contd

(u%% "ut&ori'ation1SA),A66 SA),&4W

)BI*"++1 A""ow fu"" authoriation for the I'authoriation re"e*ant

,sed in t&e aut&ori'ation ob-ect1 S,+S,A-!

(u%% "ut&ori'ation1SA),A66 SA),&4W


7/53

Authoriation ob(ects are grouped according to authoriation ob(ect c"asses. !he #a(or

authoriation ob(ect c"ass in BI is +S.

S*RS*C$:Decides which Info area Info pro*ider8s data user can *iew

S*RS*C$/:Decides which owner8s 9ueries a user can execute

S*RS*($+D:ide or disp"ay the :Info Area; push button for end users

S*RS*",T0:5i*es access to ana"ysis Authoriations

S*RS*"DWB:-sed by BW ad#inistrator for 2ode"ing and contro""ing

So#e other Auth ob(ects1 !o sa*e wor$boo$s


8/53

In BI 7 reporting users access needs to be restricted to certain "e*e"s "i$e

InfoCube +eve%:+estrict at the InfoCube "e*e".

C&aracteristic +eve%Info $b-ect:+estrict access to a"" *a"ues for a particu"ar

characteristic.

C&aracteristic 4a%ue +eve%:+estrict access to certain *a"ues of a particu"ar

characteristic.

5ey (i6ure +eve%:+estrict access to certain $ey figures.

0ierarc&y #ode:+estrict access to certain nodes of a hierarchy

Restrictin6 access in BI


9/53

Be"ow are the #ini#u# authoriation re9uire#ents for a reporting user1

Ana"ysis authoriations for an Info )ro*ider S,+S,C'2) /Acti*ities ?3 @0 S,+S,C'2)@ /=uery owner0

S,+%C /Bex Ana"yer or Bex Browser on"y0 S,!C'D4 /++2> for Bex Ana"yer0

A reporting user #ust ha*e authoriations for the S,+S,C'2) S,+S,C'2)@

authoriation ob(ects as we"" as ana"ysis authoriations for the Info )ro*ider on

which the 9uery is based.

In addition if the reporting user wi"" be using the Bex Ana"yer reporting too"

they wi"" need authoriations for ob(ect S,+%C and S,!C'D4 with authoriation

for transaction code ++2>.

Securin6 Data "ccess for Reportin6 ,sers


10/53

Secure by Info Cube:If the authoriations need to be chec$ed on"y on Info )ro*ider

"e*e". ou can then create ro"es that a""ow you to run 9ueries fro# the specified Info

)ro*ider /s0.

Securin6 by 7uery:Another option wou"d be to use the Info )ro*ider in con(unctionwith the 9uery na#e. !o do this you wi"" need a strict na#ing con*ention for 9uery

na#es so that security does not ha*e to be updated each ti#e a new 9uery is

created.

Securin6 by Info $b-ect:A""owing two user to execute the sa#e 9uery but to get

different resu"ts based on their assigned data access for di*ision cost center or

so#e other Info 'b(ect is $nown as info 'b(ect "e*e" security or fie"d "e*e" security

$ptions for Securin6 Data "ccess


11/53

!he #ore granu"ar "e*e" of restricting access of the users is at Info 'b(ect


12/53

!he Authoriation +e"e*ant setting

for an Info 'b(ect #ade in the

Info 'b(ect definition on the

Business 4xp"orer tab. !he

business needs wi"" dri*e which

Info 'b(ects shou"d be re"e*antfor security.

4xecute !code +SD@ 4nter the info ob(ect

na#e 5o to Business 4xp"orer

!ab Se"ect the chec$ box

:Authoriation +e"e*ant; Acti*ate the info ob(ect

"ut&ori'ation Re%evance


13/53

Ana"ysis Authoriations are funda#enta" bui"ding b"oc$s of the new reporting concept which

contains both the data *a"ue and hierarchy restrictions.

4xecute !code +S4CAD2I& 5o to 2aintenance in Authoriation !ab

4nter !he Ana"ysis Authoriation and c"ic$ Create

Create ana%ysis aut&ori'ations:


14/53

'nce you ha*e created ana"ysis

authoriations users wi"" need access

to the right authoriations according to

business needs. ou can assign

authoriations in ro"es using S,+S,A-! ordirect"y in transaction +S4CAD2I& or

+S-?@.

"ssi6n aut&ori'ations to users:


15/53

"dd a variab%e to t&e 8ueries

If we want a 9uery to on"y pro*ide resu"ts based on the di*ision for exa#p"e then the

9uery itse"f needs the abi"ity to fi"ter specific di*ision *a"ues. Before we can secure on

di*ision the 9uery #ust be ab"e to restrict data by di*ision. !he on"y way the 9uery can

restrict data dyna#ica""y is through a *ariab"e. !he *ariab"e can be added anyti#e

independent of the other steps "isted here.


16/53

!xercises:

Create a si#p"e 9uery fro# an existing Info Cube execute it and sa*e it as a new

wor$boo$

Defining Info 'b(ectE6e*e" Security for +eporting -sers

6i#it 9uery access within the Bex Ana"ye using S,+S,C'2)@ and S,+S,%'6D


17/53

Authorization Trace


18/53

Trace Too% : ST)/ and RS!C"DI#

!ransaction code S!?@ executes a trace too" that exists on a"" ABA) based syste#s.

A#ong other purposes this too" ser*es as trace for a"" SA)Epro*ided authoriations ob(ects.

ou si#p"y turn on the trace /for a specific user0 and when the trace is co#p"eted you can

see which authoriation ob(ects were chec$ed and the resu"ts of the chec$.

In transaction +S4CAD2I& FAna"ysis you can execute a trace that is specific to BI ana"ysisauthoriations. Ana"ysis authoriations wi"" not appear in the S!?@ trace


19/53

"ut&ori'ation Trace

In BI 7 we can !race 1

@0 Authoriation 2onitoring

0 Change "og of Ana"ysis authoriation


20/53

"ut&ori'ation onitorin6

C&ec9in6 "ut&ori'ations

6og on with your own user ID

Chec$ 9uery execution with the authoriations of a specific user


21/53

Contd..

!va%uate +o6 rotoco%

!urn on "ogging of user acti*ities re"ated to ana"ysis authoriations

Giew detai"ed infor#ation about authoriation chec$s


22/53

C&an6e %o6 of "na%ysis aut&ori'ation

Acti*ate the fo""owing Girtua" )ro*iders fro# the Business Content /GA6 H

Ga"ues I4 H ierarchies -A H -ser Assign#ent0

!he syste# records a"" changes to authoriations and user assign#ents.

=ueries can be bui"t on these Info )ro*iders to find out the trace ofE ow #any users ha*e access to a gi*en InfoCube

E Which users ha*e access to co#pany code >

E When was authoriation :>J; created and by who#


23/53

!xercise s;:

!race BI authoriations

S!?@ !race


24/53

Creation of "na%ysis

"ut&ori'ation


25/53

Creation of "na%ysis "ut&ori'ation

!here are two ways to create the ana"ysis authoriation in BI 7

@. 2anua" creation of ana"ysis authoriation through +S4CA-! !code

. Auto#atic generation of ana"ysis authoriation approach /for #ass creation andassign#ent0


26/53

Creation t&rou6& RS!C"DI#

@0 4xecute !code +S4CAD2I&

0 5o to 2aintenance in Authoriation !ab

30 4nter !he Ana"ysis Authoriation and c"ic$ Create


27/53

"uto


28/53

"ctivate Business Content

SA) de"i*ers Business Content for storing authoriations and user

assign#ent of authoriations shou"d be acti*ated


29/53

+oad of Data Store $b-ects

%i"" the Data Store ob(ects with the user data and authoriations

4xtract the data for exa#p"e fro# an SA) +


30/53

1enerate "ut&ori'ations

Start the generation by specifying the re"e*ant Data Store ob(ects


31/53

4iew 1eneration +o6

Detai"ed "og can be *iewed once the generation is co#p"eted


32/53

Assign#ent of Ana"ysis

Authoriation


33/53

"ssi6n


34/53

Direct assi6n


35/53

ros:

!his approach re#o*es the use of creating +o"es for the corresponding ana"ysis

authoriation .

Cons:

&o Change docu#ents are pro*ided by SA) for assigning and re#o*a" of Ana"ysis

authoriation fro# the user

&o S-I2 /Syste# -ser Infor#ation 2anage#ent0 reports are pro*ided by SA) for

ana"ysis authoriation

&o possib"e way to assign #ass ana"ysis authoriation to the users at a stretch.

"na%ysis aut&ori'ation based "pproac&:


36/53

If an id is de"eted using S-?@ who is ha*ing ana"ysis authoriation assigned to it

these authoriation wi"" not get de"eted fro# the user8s profi"e. If the sa#e id is

recreated auto#atica""y user id wi"" be popu"ated with the ear"ier ana"ysis

authoriations.

So if this approach is fo""owed it is a"ways reco##ended that ana"ysis authoriationare #anua""y de"eted fro# the user id using +S-?@ and then id using S-?@

Contd..


37/53

Indirect "ssi6n


38/53

ros:

A"" the Change docu#ents are a"ready a*ai"ab"e

A"" the existing S-I2 reports are a"ready a*ai"ab"e

)ossib"e to perfor# #ass assign ro"e assign#ent

Cons:

+o"es need to be created corresponding to the ana"ysis authoriation which wi""

inc"ude #ore #aintenance in the syste#

ros and Cons


39/53

=uery is #ore the technica" definition of what the resu"ts shou"d "oo$ "i$e. Wor$boo$s are

actua" resu"ts that ha*e been for#atted and can be refreshed each ti#e the wor$boo$ is

executed.

!he 9uery is a definition of what data the 9uery shou"d fetch and how the data shou"d beinitia""y disp"ayed. A 9uery definition inc"udes rows co"u#ns fi"ters and free characteristics.

!he wor$boo$ is a resu"t set of the 9uery. In this wor$boo$ the data is disp"ayed by sa"es

organiation. 4*ery ti#e the user executes the wor$boo$ the data wi"" be refreshed but the

for#at can re#ain the sa#e depending on the settings for the 9uery in the wor$boo$.

2u"tip"e 9uery resu"ts sa*ed in wor$boo$s fro# the sa#e 9uery definition enab"e users to

custo#ie how they want to re*iew the resu"ts and ana"ye the data.

7ueries and Wor9boo9s:


40/53

If a user wants to sa*e a wor$boo$ to a "ocation where it can be easi"y accessed by

others they need to sa*e to a +o"e. Sa*ing to a +o"e #eans sa*ing to a security

ro"e. ou #ay want to set up ro"es specifica""y for sa*ing wor$boo$s. ou can then

assign the ro"e to a"" parties who need to share wor$boo$s.

In order to sa*e wor$boo$s to ro"es a user needs1 S,-S4+,A5+1 Authoriations1 +o"e chec$

S,-S4+,!CD1 !ransactions in ro"es

!he authoriation ob(ect S,-S4+,A5+ has two fie"ds1 Acti*ity and +o"e &a#e. %or the

Acti*ity fie"d the user #ust ha*e at "east *a"ues ?@ ? and . If the user can de"ete

wor$boo$s they wi"" a"so need *a"ue ?. %or the +o"e &a#e you shou"d enter the specific

ro"es you ha*e created for sa*ing wor$boo$s.

Authoriation ob(ect S,-S4+,!CD has one fie"d !ransaction Code. !he user needs *a"ue

++2> in this fie"d.

Savin6 wor9boo9s to 7ueries:


41/53

!xercise s;:

Securing Access to Wor$boo$s


42/53

BI 2 Security (eatures


43/53

Concept of BW security re#ains the sa#e in BI 7 whi"e changes are

#ore with respect to new authoriation features #ore authoriation

ob(ects newer !codes and #ore f"exibi"ity.

@. Ana"ysis Authoriation. Specia" Characteristics

3. Specia" Authoriation1 ?BI,A66

. Co"on authoriation

K. )ound Authoriation

. Ley %igure Authoriation

BI 2 Security (eatures


44/53

Ana"ysis Authoriations are funda#enta" bui"ding b"oc$s of the new reporting concept which

contains both the data *a"ue and hierarchy restrictions.

!his is a"so ca""ed data "e*e" access. With the new &W??s ana"ysis authorisation

princip"es it is now possib"e to create an ana"ysis authorisation ob(ect direct"y on an infoob(ect

!he authorisation can either be sing"e *a"ues or a *a"ue range or created with a reference to

a hierarchy pro*ided the info ob(ect is created with a hierarchy and the info ob(ect is

authorisation re"e*ant.

"na%ysis "ut&ori'ation:


45/53

!hese specia" characteristics #ust be assigned to a user in at "east one

authoriation

)TC""CT4T1 +estrict access to acti*ities i.e. disp"ay create change etc

)TC"IR$4:+estrict access to the Info )ro*ider i.e. Info Cube 'DS2u"ti pro*ider etc

)TC"4"+ID:)ro*ides the *a"idity of the ana"ysis authoriation

A"" these authoriation shou"d be #ar$ed as authoriation re"e*ant

Specia% C&aracteristics:


46/53

An authoriation for a"" *a"ues of authoriationEre"e*ant characteristics is created

auto#atica""y in the syste#. It has the na#e )BI*"++. It can be *iewed but not changed.

4*ery user that recei*es this authoriation can access a"" the data at any ti#e. 4ach ti#e an

Info 'b(ect is acti*ated and the property :authoriation re"e*ant; is changed for the

characteristic or a na*igation attribute ?BI,A66 is auto#atica""y ad(usted.

A user that has a profi"e with the authoriation ob(ect S,+S,A-! and has entered ?BI,A66

/or has inc"uded *a"ue as M0 has co#p"ete access to a"" data.

)BI*"++


47/53

Co%on : ;as "ut&ori'ation

Two urposes for Co%on "ut&ori'ation 4a%ue:

If the Info )ro*ider has sensiti*e data it cou"d be that you do not want the user to see any

su##aried data. %or exa#p"e "et us assu#e you ha*e an Info )ro*ider that has

sensiti*e forecasting data. In this business scenario you ha*e chosen to secure by

Info 'b(ects /for exa#p"e Co#pany Code0. If you do not want a user with access to

Co#pany Code @??? to see A& data fro# other co#pany codes then you #ight not

5i*e this user the co"on /10 *a"ue in the authoriation. !his wou"d #ean that A& 9ueries

on your Info )ro*ider that do not use the Co#pany Code Info 'b(ect wi"" fai" for this user.

Second purpose of the Co"on authoriation is to gi*e user

access to the aggregated data. %or exa#p"e user can see!ota" of sa"es done by a"" sa"es organiation but detai"s data

of on"y his sa"es organiation.


48/53

ound =; as "ut&ori'ation

-sing a )ound Sign /N0 as an Authoriation Ga"ue1

When data is "oaded into SA) BW so#e fie"ds #ay be #ar$ed as no *a"ue

assigned /posted with I&I!IA60. If you ha*e secured an Info 'b(ect that has data

that is unassigned in the Info Cube you #ay choose to gi*e the user a pound sign

/N0 in order to a*oid an authoriation error at runti#e.

!he N character is interpreted as authoriation for the disp"ay of the *a"ue

Not assigned/posted with I&I!IA60.


49/53

5ey (i6ure "ut&ori'ation

!his restriction is used to grant authoriation to particu"ar $ey figures to

the users.

!echnica" na#e1 ?!CAL%&2

)ossib"e *a"ues1

E Sing"e *a"ue /4=0 4xact"y one $ey figure

E +ange /B!0 Se"ection of $ey figures

E )attern /C)0 Se"ection of $ey figures based on pattern

#ote: If a particu"ar $ey figure is defined as authoriationEre"e*ant it wi"" be chec$ed for

e*ery Info )ro*ider


50/53

#ew "ut&ori'ation $b-ects


51/53

Be"ow are the new authoriation ob(ects in BI7 for ad#inistration wor$bench

business 4xp"orer and ana"ysis authoriation.

"ut&ori'ation ob-ects for t&e Data Ware&ousin6 Wor9benc&:

S*RS*DS:%or the DataSource or its sub ob(ects /&W??s0

S*RS*IS#!W:%or new InfoSources or their sub ob(ects /&W ??s0

S*RS*DT:%or the data transfer process and its sub ob(ects

S*RS*TR:%or transfor#ation ru"es and their sub ob(ects

S*RS*CTT:%or currency trans"ation types

S*RS*,$:%or 9uantity con*ersion types

S*RS*T0>T:%or $ey date deri*ation types

S*RS*+!#7:Authoriations for #aintaining or disp"aying the "oc$ settings

S*RS*RST:Authoriation ob(ect for the +S trace too"

S*RS*C:%or process chains

S*RS*$0D!ST:'pen ub Destination

BI 2 new "ut&ori'ation $b-ects


52/53

"ut&ori'ation ob-ects for t&e Business !xp%orer:

S*RS*D"S:%or Data Access Ser*ices

S*RS*BT:%or B4x Web te#p"ates

S*RS*B!?T?:Authoriations for the #aintenance of B4x texts

"ut&ori'ation ob-ects for t&e "d


53/53

Documents

BI 7 Security Concepts.ppt