Gold Client BW 2.2 Security
© 2010-2013 Hayes Technology Group, Inc.
Copyright
© 20010 Hayes Technology Group, Inc. All rights reserved.
No part of this document may be reproduced or transmitted in any form or for any
purpose without the express permission of Hayes Technology Group, Inc.
Hayes Technology Group makes no warranties or representations with respect to the
content hereof, and assumes no responsibility for errors in this document. Hayes
Technology Group shall not be liable for special, indirect, incidental, or consequential
damages, including without limitation, lost revenues or lost profits which may result
from the use of these materials. The information contained in this document is
subject to change without notice.
Trademarks
Gold Client and the Gold Client logo are registered trademarks of Hayes Technology
Group, Inc.
SAP, SAP NetWeaver, ABAP and other SAP products and services mentioned herein
as well as their respective logos are trademarks or registered trademarks of SAP AG
in Germany and in several other countries all over the world.
All other product and company names herein may be trademarks of their respective
owners.
Gold Client BW 2.2 Security
1 © 2010-2013 Hayes Technology Group, Inc.
Introduction
This document serves as a guide for enabling and configuring the security
authorization for use of the Gold Client BW tool. This guide will explain the Gold
Client BW authorization object and other authorizations needed to execute different
parts of the tool.
Additional security is built into the tool so when Gold Client BW is installed in
production the import functionality and selective deletion functionality is disabled.
Gold Client BW Security Object
Overview
Gold Client BW delivers its own authorization object Z_GC_BW. Each button on the
main Gold Client BW screen can be activated or deactivated with this authorization
object. Along with this object there are additional authorizations needed to enable
the Gold Client BW user to use the tool.
Enabling and Disabling Gold Client BW Security
Gold Client BW is installed with the authorization disabled. To enable the Gold Client
BW security the following program needs to be executed with transaction SE38.
/HTG/OP
To disable Gold Client BW Security execute the following.
/HTG/VAN
Note: The programs will not show a completed screen when executed.
Gold Client BW 2.2 Security
2 © 2010-2013 Hayes Technology Group, Inc.
Authorization Object Z_GC_BW
The authorization Object Z_GC_BW when added to a role gives the ability to enable
or disable certain functionality within Gold Client BW. The authorization is controlled
by enabling or disabling each button on the main screen in Gold Client BW. The
following is a screen shot of the different options for the authorization object.
Gold Client BW 2.2 Security
4 © 2010-2013 Hayes Technology Group, Inc.
Below is the main screen of Gold Client BW. Each button is controlled by the
authorization object Z_GC_BW.
Gold Client BW 2.2 Security
5 © 2010-2013 Hayes Technology Group, Inc.
Data Transfer
Data Transfer (for Master and Transaction Data) located on the right hand side of the
main Gold Client BW screen is the area that is used to define, configure, export, and
import data. Each activity is controlled by the authorization object.
40 Transactional Data Transfer: ALL
All Buttons from 41 to 44
41 Transactional Data: Export
42 Transactional Data: Import
43 Transactional Data: Scenario Create, Copy & Change
44 Transactional Data: Scenario Delete + 43
Gold Client BW 2.2 Security
6 © 2010-2013 Hayes Technology Group, Inc.
50 Gold Client Administrator
The Gold Client BW Administrator has 51, 52 and 53 assigned to enable
setting up the framework, maintain configuration, memory settings for Gold
Client BW, file path et al.
51 Setup Framework
The setup framework is required to identify and catalog all existing BW Cubes,
DSO and InfoObjects which are active and have data i.e. relevant for export.
This needs to be run each time new objects are added to the exporting
system.
52 Utilities
Utilities button will allow users to view and execute utilities as determined by
the administrator.
53 Admin Tools
Admin tools are required by the Gold Client BW Administrator to maintain
configuration, utilities, memory settings for Gold Client BW, file path et al.
Gold Client BW 2.2 Security
7 © 2010-2013 Hayes Technology Group, Inc.
54 Compare InfoProvider
This will allow users to VIEW InfoProvider structures and the differences (if
any) between BW systems.
55 Align InfoProvider
This will allow users to create/change and activate InfoProvider structures
based on the structure in a different BW system. This is NOT available in
Production system
56 Copy Queries
This will allow users to create Queries based on the structure in a different
BW system. This is NOT available in Production / source system
60 Custom Data Transfer: ALL
All Buttons from 61 to 64
61 Custom Data: Export
62 Custom Data: Import
Gold Client BW 2.2 Security
8 © 2010-2013 Hayes Technology Group, Inc.
63 Custom Data: Scenario Create, Copy & Change
64 Custom Data: Scenario Delete + 43
70 Master Data Transfer: ALL
All Buttons from 71 to 74
71 Master Data: Export
72 Master Data: Import
73 Master Data: Scenario Create, Copy & Change
Gold Client BW 2.2 Security
9 © 2010-2013 Hayes Technology Group, Inc.
74 Master Data: Scenario Delete + 73
75 Master Data: Enable Export
80 Delete Data
81 Delete Data: Transactional
82 Delete Data: Master
Gold Client BW 2.2 Security
10 © 2010-2013 Hayes Technology Group, Inc.
Sample Roles
Overview
The following are three sample roles for using Gold Client BW. They are examples of
how the authorizations can be configured for different users and can easily be
adjusted for different activities depending on the user’s role. During the installation
and training of the Gold Client BW software roles and responsibilities will be
discussed.
Gold Client BW 2.2 Security
11 © 2010-2013 Hayes Technology Group, Inc.
Administrator Role
A sample Administrator role would enable the BW Lead or Basis person to execute all
parts of the Gold Client BW tool. Historically, the Basis team is responsible for
moving data from a source client to the target client, but the Gold Client BW will give
the flexibility to the BW team too.
Gold Client BW 2.2 Security
13 © 2010-2013 Hayes Technology Group, Inc.
End User Role
A sample End User Role would enable the authorization to export or import the data.
This example also gives the ability to use the Utility Application, as well as compare
InfoProviders and Copy queries.
Gold Client BW 2.2 Security
14 © 2010-2013 Hayes Technology Group, Inc.
The End user role does not have the ability to create InfoProviders using the Align
InfoProvider functionality.
If this functionality is required for a particular user, it is best to assign the SUPERUSER
role instead of ENDUSER role.
Gold Client BW 2.2 Security
15 © 2010-2013 Hayes Technology Group, Inc.
Super User Role
A sample Super User role would enable the same activity the end user role has but
also enables the Gold Client BW Setup Framework function and the Align
InfoProvider functionality
Gold Client BW 2.2 Security
17 © 2010-2013 Hayes Technology Group, Inc.
Exporter Role
A sample Exporter role would enable the user role to export data and enables the
Gold Client BW Setup Framework function. This is an additional security measure to
not allow any data imports into the Source (typically Production)
Gold Client BW 2.2 Security
19 © 2010-2013 Hayes Technology Group, Inc.
Importer Role
A sample Importer role would enable the user role to import data. This is an
additional security measure to not allow any data exports from the Target systems
(typically Development, SandBox or Training)
Gold Client BW 2.2 Security
21 © 2010-2013 Hayes Technology Group, Inc.
Table Authorization Group HTG
All /HTG/ tables have been assigned to authorization group HTG. This will allow
Security to develop roles that only give table maintenance access to /HTG/ tables
without compromising access to non-Gold Client BW tables.
Additional Authorization to use Gold Client BW
Along with the Gold Client BW authorization object, additional authorization is
needed to use Gold Client BW.
Access to run transaction ZGOLDBW is needed.
S_TCODE
Ability to change and display Gold Client BW tables. All Gold Client BW tables are in
the namespace /HTG/ with authorization group HTG.
S_BTCH_ADM
Gold Client BW 2.2 Security
22 © 2010-2013 Hayes Technology Group, Inc.
Ability to run jobs in the Background.
S_BTCH_JOB
If a user has authorization to export data within Gold Client BW then authorization to
write to the Gold Client BW File Path is needed.
S_DATASET
S_GUI
S_TABU_DIS
S_ALV_LAYO
Gold Client BW 2.2 Security
23 © 2010-2013 Hayes Technology Group, Inc.
If a user has authorization to import data within Gold Client BW then authorization to
open to the Gold Client BW File Path is needed.
S_C_FUNCT
BW authorizations needed (if not already setup for user)
S_RS_ADMWB
S_RS_AUTH
Gold Client BW 2.2 Security
24 © 2010-2013 Hayes Technology Group, Inc.
The below are required for importing data.
S_RS_ISNEW
S_RS_ISOUR
S_RS_ISRCM
S_RS_COMP
S_APPL_LOG
Gold Client BW 2.2 Security
26 © 2010-2013 Hayes Technology Group, Inc.
The below are required for Comparing InfoProviders between systems, Creating
InfoProviders based on definition in other system and Copying Queries between
systems.
S_RFC_ADM
S_RS_ICUBE
S_RS_ODSO
S_TRANSLAT
Gold Client BW 2.2 Security
27 © 2010-2013 Hayes Technology Group, Inc.
S_CTS_ADMI
S_CTS_SADM
S_DOKU_AUT
Gold Client BW 2.2 Security
28 © 2010-2013 Hayes Technology Group, Inc.
Additional Authorization to Install and Configure Gold Client BW
During the installation process the Install Engineer will require additional
authorization to complete the install process. Along with all activities in the Gold
Client BW authorization object other standard authorizations will be needed.
Specifically the transactions ST05, SE11, SE16, STMS, SM30, access to maintain
tables in /HTG/* (authorization S_TABU_DIS), write authorization for the Gold Client
BW file path (authorization S_DATASET), and the ability to create transports and
release them.
Usually assigning a Basis role with the additional S_TABU_DIS and S_DATASET Gold
Client BW authorizations is sufficient for installing and configuring Gold Client BW
during the install week.
NOTE for SAP BW 7.3 systems:
SAP introduced a new table in BW release 7.3 which is updated the first time profiles
are generated. This is a way to prevent unauthorized role changes with an added
layer of security. Gold Client authorization activity fields need to be part of this table
and if missing from this table will not display the Z_GC_BW Auth. Object screen
properly (as in the screen shots in this Guide)
To resolve this, update the missing entries in this table using SAP function module
SAUT_UPD_AUTH_FLDINFO_TMP (via transaction SE37)
It has three parameters.
AUTH_FLDINFO_TMP_T – Fill the following values for field Fieldname.
"ZGCBWACTVT"
"Z_GC_BW"
LANGU – This can be left blank.
Mode – ‘M’ Modify.
Gold Client BW 2.2 Security
29 © 2010-2013 Hayes Technology Group, Inc.
Support Information
Hayes Technology Group, Inc. can be contacted either by telephone or via email. Any
support related issue regarding problems with or use of the Gold Client software and
process can be reported for resolution.
If our offices are closed, or staff is unable to directly respond to a support request,
we will respond within 24 hours of the initial call. Problems related to the export or
import processing may require code enhancements. If a code enhancement or fix is
required, resolution time may vary.
As per the maintenance agreement, any repairs or enhancements to the Gold Client
software will immediately be deployed to all customers up-to-date with their
maintenance contract. It is the choice of the customer as to if and when such
enhancements are implemented. In addition, customers may request a planning
session with Hayes Technology Group to review changes in the software and how the
changes might impact their environment.
We can also be contacted to discuss application or feasibility of using the Gold Client
process to resolve a current challenge the project team faces. When this is required,
a planning session can be scheduled in advance to ensure proper participation by
both Hayes Technology Group and the client.
Corporate Offices:
Hayes Technology Group, Inc.
Three Hawthorn Parkway
Suite 225
Vernon Hills, IL 60061
USA
Website:
www.hayestechnology.com
Contact:
1-877-484-8982 (Toll Free in the USA)
Phone: 847-543-8982
Fax: 847-543-9053