Introduction

SAP Business Information Warehouse (SAP BW), as a core component of SAP NetWeaver data warehousing functionality, provides both a business intelligence platform and a suite of business intelligence tools. With the tool set provided, relevant business information can be integrated into SAP BW and transformed and consolidated there. SAP BW enables analysis and interpretation as well as the distribution of this information. Based on this analysis, sound decisions can be made and goal-oriented activities can be initiated. With extensive predefined information models provided for the various roles in a company (BI Content), SAP BW also increases the usability of these analyses and enables a quick, cost-effective implementation.

Data warehousing in SAP BW represents the integration, transformation, consolidation, cleanup and storage of data. It also signifies the extraction of data for analysis and interpretation. The data warehousing process includes data modeling, data extraction and the management of the data warehouse management processes.

SAP BW Authorization Specifics

In an SAP BW system there are two different types of authorization objects.

1. Standard authorization objects: This type of authorization object is provided by SAP and covers all checks for e.g. system administration tasks, data modeling tasks, and for granting access to InfoProviders for reporting. For this type of authorization the same concept and technique is used as in an SAP R/3 system.
2. Reporting authorization objects: For more granular authorization checks on an InfoProvider's data you need another type of authorization object defined by the customer. With these objects you can specify which part of the data within an InfoProvider a user is allowed to see.

Bi Security


Both types of authorization objects use the same authorization framework. Technically they are treated in the same way. However, the design of reporting authorizations is more complex because you need to design the reporting authorization objects first.
This is an additional step that needs to be treated with care because the structure of the authorization objects determines the possible use in regards to selections, combinations and granularity. In your project you need expertise in the area of reporting authorizations; knowledge of the basis authorization framework is not sufficient.

User Type in BW

There are different types of users in SAP BW. Most of your users will be the users who execute queries and workbooks. These people could be considered "reporting users" or "end users."

Reporting User Security

Authorization Objects Used Primarily by Reporting Users

In order to execute any query, you must have access to S_RS_ICUBE, S_RS_COMP, S_RS_COMP1 and S_RS_FOLD. S_RS_COMP is a powerful object that enables you to make choices on how to secure. There is one field in S_RS_COMP that relates to the query, and another field that relates to the InfoCube. This gives you the option to secure by query name, InfoArea, or InfoCube.

Tips
- InfoArea = group of InfoCubes
- InfoCube = actual data
- InfoObject = field (for example, company code, plant, or cost center)

There are also users who develop new queries. Some people may refer to them as "power users" or "data analysts." The users who develop queries may also create new workbooks and may be responsible for publishing that information to the right audience.

Then, there are users who create new objects like InfoCubes, InfoAreas, and InfoObjects. They also schedule data loads, create update rules for InfoCubes, monitor performance, and set up source systems. The users who do these tasks are normally referred to as "administration users."

Administrator

There are users who create new objects like InfoCubes, InfoAreas, and InfoObjects. They also schedule data loads, create update rules for InfoCubes, monitor performance, and set up source systems.
The users who do these tasks are normally referred to as "administration users." Some of the common tasks performed by administration users are:
- Set up and maintain different source systems and connections to SAP BW
- Manage metadata and define new InfoObjects, DataSources, and InfoSources
- Create transfer rules and update rules
- Design InfoCubes
- Schedule and monitor data-loading processes

Administration authorization objects are primarily used when doing anything in the Administrator Workbench (transaction code RSA1). The primary objects used are:

S_RS_ADMWB: Administrator Workbench - Objects

Authorization object S_RS_ADMWB is the most critical authorization object in administration protection. When you do anything in transaction code RSA1, object S_RS_ADMWB is the first object checked. There are two fields in this object: Activity and Administrator Workbench Object.

0 - for the node
1 - for a subtree below the node
2 - for a subtree below the node up to and including levels
3 - for the entire hierarchy
4 - for a subtree below the node up to and including levels (relative)
(You must specify a level that is defined relative to the node for this type. It makes sense to specify a relative distance if an employee may only expand the hierarchy to a certain depth below his initial node, but this node is moved to another level when the hierarchy is restructured.)

5. Specify a technical name for this definition. If you do not enter a value, a unique ID is set.
6. Now create an authorization for the new authorization object. To do this, enter the technical name of the definition as a characteristic value for the characteristic 0TCTAUTHH. For the characteristic defined on the hierarchy, specify the value " " (blank). It often makes sense to also enter ":" (colon) so that queries without this characteristic are also allowed.

Hint:
If you enter the value "*" here (all characteristic values), the user is allowed to view data for all characteristic values, regardless of whether a hierarchy is used or a complete drilldown is carried out.

7. Optionally you can use the following fields:

Top of hierarchy: This option allows you to select the top of the hierarchy instead of a node in the hierarchy. If, for example, you want to authorize a user to work with a hierarchy from the top node down to a particular level, you can of course authorize the user for the highest node in the hierarchy. If, on the other hand, the hierarchy is used in the query without a filter set for this node, the user is not able to execute the query. This is because the node that is displayed at the highest level in the hierarchy is not actually the top of the hierarchy. For example, there is the 'All Other Leaves' node. This is an internal node, but a node in the hierarchy nevertheless, and it is this node that is at the top of the hierarchy, a level higher than the highest node that appears in the hierarchy display. If the hierarchy is used in the query, and the top-level node has not been specified explicitly, the system checks the authorization against the highest node in the hierarchy, meaning the internal node that is not displayed. This option, therefore, allows you to determine the top-level node of the hierarchy yourself, so that you can ensure that users are assigned the appropriate authorizations.

Hierarchy level: Within the framework of the authorization check, you can use this value to specify to which level the user can expand the hierarchy. Please note that this is an absolute value and refers to the entire hierarchy. The highest node of a hierarchy stands at level 1. If you have entered the value 3 for the hierarchy level, for example, then the user can expand/see the hierarchy up to level 3.

Validity period:
0: Name, version, and key date identical
1: Name and version identical
2: Name identical
3: All hierarchies

Node variable default value: If this option is chosen, this definition of a hierarchy authorization is used as the default value for node variables. If a user is allocated several authorizations for subareas of the same hierarchy, one of these authorizations must be defined as the default value in this way. Only one node can be chosen for a node variable in the variable screen of a query. In order that this variable be filled from the authorizations, the correct variable type must be chosen and an authorization must be marked as the default value.

Linking BW to Enterprise Portal (EP)

Summary
Step-by-step list, explaining how to link a BW system to an

- SAP Client (BW client name)
- SAP System Name (here I entered the 3 letter system name, like "BW1")
- SAP System Number (you get this e.g. from the BW logon properties)
- Server Port (this again you get e.g. from the query URL string mentioned above, it's the number which comes after the Application host; e.g. '8100')
- System Template Name (here I used again the logical system ID from above)
- System Type ("SAP_BW", of course)

1. Choose "Property Category = WAS", and maintain the following fields:
- WAS description (same as System Name above, e.g. "BW1")
- WAS host name (same as application host above, but together with port number from above, i.e. something like "usbw0101.xxx.com:8100")
- WAS path ("/sap/bw/bex")
- WAS protocol ("http")

1. Choose "Property Category = User Management", and maintain the following:
- Logon Method ("SAPLOGONTICD03:800UClient;Language")
- User Mapping Type ("admin, user")
Save all your settings.

1. Still from the same screen, choose "System Aliases". Create and save a new "System Alias". Basically, I picked the logical system ID "BW1CLNT003" as system alias, and saved this.

2. Almost finished: As a next step, I had to perform what's called 'user mapping' so the

If someone needs to update InfoObjects, but they do not need other administration functions granted in S_RS_ADMWB, then you can give them S_RS_IOBJ in lieu of S_RS_ADMWB. It will provide access to InfoObjects only.

This authorization object is checked only if the user is not authorized to maintain or display InfoObjects (authorization object: S_RS_ADMWB-InfoObject, activity: maintain/display). You use this authorization object to restrict how users work with InfoObjects and their sub-objects.

Until Release 3.0A, only general authorization protection was possible with authorization object S_RS_ADMWB. General authorization protection for InfoObjects still works as in the past. Special protection with S_RS_IOBJ is only used if there is no authorization for S_RS_ADMWB-IOBJ. The following table contains specific information about the fields in S_RS_IOBJ and how they are used:

S_RS_ISOUR: Administrator Workbench - InfoSource - transaction data

Authorizations for working with transaction data InfoSources and their sub-objects. You have an administrator who defines what data needs to be extracted from what source systems. This object protects access to the source systems and managing the transfer rules. You can use this authorization object to restrict the handling of InfoSources with flexible updating, and their sub-objects. It is primarily used to protect transaction data.
This object will be checked when creating new InfoSources and when maintaining the InfoSource and drilling down to monitor the data brought in from source systems.

S_RS_ISRCM: Administrator Workbench - InfoSource - master data

Authorizations for working with master data InfoSources and their sub-objects. You have an administrator who defines what master data needs to be extracted from specific source systems. This object protects access to the source systems and managing the transfer rules. With this authorization object, you can restrict handling of InfoSources with direct updating (for master data) or with their sub-objects.

For a complete list of objects, go to transaction code SU56 and drill down to the authorization object class Business Information Warehouse. You will notice some objects we dealt with in reporting that are also used here: S_RS_HI3 with access to look at the data. The following fields are in S_RS_IS3). Subobject: For a reporting user, should be 'DATA'. The fields for this object are similar to S_RS_ICUBE and S_RS_ODSO. They all access by InfoArea, activity (display), and access to the data.

S_RS_HIER: Authorizations for working with hierarchies

This object is used to determine who can create hierarchies, as well as who can run queries that use hierarchies. In order to execute a query that uses a hierarchy, the user also needs access to S_RS_HIER 03 (display) and 71 (analyze) in order to see the hierarchy results and execute a query that uses a hierarchy. In the object, you can further limit the user to specific InfoObjects and hierarchies.

S_RFC: Authorization for GUI activities

Add following RFC_NAM
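
Added example (not SAP code and not part of the original document): a simplified Python model of the hierarchy authorization types 0 to 4 listed in the hierarchy authorization steps earlier, showing which nodes become visible when a hierarchy is restructured under an absolute level versus a relative level. The hierarchies, node names and function names are constructed for illustration, type 2 is assumed to use the absolute hierarchy level (highest node at level 1), and the internal top node is not modelled.

```python
# Simplified model of hierarchy authorization types 0-4 (added example, not SAP code).
# Hierarchies are constructed sample data: {parent: [children]}.

def levels(children, root):
    """Map each node to its absolute level; the highest node stands at level 1."""
    out, stack = {}, [(root, 1)]
    while stack:
        node, lvl = stack.pop()
        out[node] = lvl
        stack.extend((child, lvl + 1) for child in children.get(node, ()))
    return out

def visible_nodes(children, root, auth_type, node=None, level=None):
    """Return the set of nodes one authorization definition lets a user see."""
    lv = levels(children, root)
    if auth_type == 3:                       # entire hierarchy
        return set(lv)
    if node not in lv:                       # authorized node no longer exists
        return set()
    if auth_type == 0:                       # the node only
        return {node}
    below = set(levels(children, node))      # node plus everything beneath it
    if auth_type == 1:                       # whole subtree
        return below
    if auth_type == 2:                       # assumption: absolute level from the top
        return {n for n in below if lv[n] <= level}
    if auth_type == 4:                       # level relative to the authorized node
        return {n for n in below if lv[n] - lv[node] <= level}
    raise ValueError(f"unknown authorization type: {auth_type}")

# Constructed cost-center hierarchy before a reorganisation ...
BEFORE = {"COMPANY": ["DIVISION", "APAC"], "DIVISION": ["EMEA"],
          "EMEA": ["DE"], "DE": ["CC100", "CC200"]}
# ... and after the DIVISION level is removed, which moves EMEA up one level.
AFTER = {"COMPANY": ["EMEA", "APAC"], "EMEA": ["DE"], "DE": ["CC100", "CC200"]}

def exposure_after_restructure(auth_type, node, level):
    """Nodes that become visible only because the hierarchy was restructured."""
    before = visible_nodes(BEFORE, "COMPANY", auth_type, node, level)
    after = visible_nodes(AFTER, "COMPANY", auth_type, node, level)
    return sorted(after - before)

if __name__ == "__main__":
    # Type 2, absolute level 4: cost centers appear after the reorganisation.
    print("type 2:", exposure_after_restructure(2, "EMEA", 4))
    # Type 4, one level below EMEA: nothing new becomes visible.
    print("type 4:", exposure_after_restructure(4, "EMEA", 1))
```

In this model the absolute-level definition exposes the individual cost centers once the node moves up, while the relative-level definition keeps the same depth below the authorized node, which is why level-based hierarchy authorizations are worth re-checking after every hierarchy change.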