SAP BI Security
Vishwas Goel
Copyright 2010 Accenture All Rights Reserved. Accenture, its logo, and High Performance Delivered are trademarks of Accenture.
Course Objective
SAP BI & BEx Overview
Security Components in BI
Securing Data Access for Reporting Users
Analysis Authorizations
Authorization Maintenance
Create Analysis Authorizations
Assign Analysis Authorizations
Monitoring Analysis Authorizations
SAP BI Overview
What is Business Intelligence?
Business intelligence refers to the process of turning data into information, information into knowledge and knowledge into action for business gain.
It is an end-user activity that is facilitated by various analytical and collaborative tools and applications as well as a data warehousing infrastructure.
(Diagram: the cycle Data -> Information -> Knowledge -> Action)
BI Objectives
Standardized structuring and display of all business information.
Simple access to business information via a single point of entry.
Highly developed reporting for analysis with self service for all areas.
Quick and cost-efficient implementation.
High performance environment.
Data modeling from heterogeneous sources.
Relieving OLTP systems.
BI Architecture
Extracting, Transforming & Loading Data
Information in BI
In BI, objects that provide information for reporting and analysis are called InfoProviders. There are two types of InfoProviders:
InfoObjects, InfoCubes, and DataStore Objects contain PHYSICAL data.
InfoSets, RemoteCubes, and MultiProviders are LOGICAL structures and do not contain data.
An InfoCube is a transaction data container. In an InfoCube, data is organized in terms of business dimensions. When reporting from an InfoCube, users can perform multidimensional analysis from different business perspectives. For example, sales analysis could be performed across different geographic regions or distribution channels.
MultiProviders are used to combine data from various objects. A MultiProvider provides access to data from several InfoProviders and makes the data available for reporting and analysis. A MultiProvider can be assembled from different combinations of InfoProviders.
Business Explorer Suite
Business Explorer Suite
The Business Explorer Browser is the tool for accessing reports and other executable objects that are assigned to a user.
The Business Explorer Analyzer can be used to execute, navigate, and further process reports in MS Excel.
The Query Designer is used to create BI queries. It is a very flexible and user-oriented tool.
Exercise: Create and Execute a BI Query
Security Components in BI
Authorization Concept
Based on roles and authorization concept
Users are assigned to roles
Roles contain authorizations
Authorizations are defined for authorization objects
The system checks authorization objects against the
authorizations of the user
Comparison of OLTP Systems & OLAP Systems
Criterion                                      | OLTP Systems (Operative Environment)                | OLAP Systems (Informative Environment)
Target                                         | Efficiency through automation of business processes | Generating knowledge
Priorities                                     | High availability, higher data volumes              | Simple to use, flexible access to data
View of data                                   | Detailed                                            | Aggregated
Age of data                                    | Current                                             | Historical
Database operations                            | Add, modify, delete (update) and read               | Read
Typical data structures                        | Flat tables                                         | Multidimensional structures
Integration of data from various applications  | Minimal                                             | Comprehensive
Data set                                       | 6-18 months                                         | 2-7 years
Archiving                                      | Yes                                                 | Yes
Comparison of OLTP and OLAP Security
Security in mySAP ERP (OLTP)
Transaction-based security. Restricts on:
Transaction codes
Specific field values
Which activities a user can perform
Focused on getting daily work completed as quickly and efficiently as possible.
Security in SAP NetWeaver BI (OLAP)
Analysis-based security. Restricts on:
InfoProviders (InfoCubes, DataStore Objects)
Queries
Data values or InfoAreas
Different business purpose and goals than OLTP: focused on displaying, planning, and analyzing data.
Authorizations in NW2004s
Standard Authorizations
Based on the standard SAP role and authorization concept.
Were, and still are, used for BI administrator and developer activities.
Reporting Authorizations
Old security concept up to SAP NetWeaver 04 (SAP BW 3.5).
Controlled which data a user could access in a query.
Realized through the standard authorization concept, which has many limitations for this purpose.
Analysis Authorizations
New security concept as of SAP NetWeaver 2004s.
Not based on the standard authorization concept, in order to overcome those limitations.
Takes the features of reporting and analysis in BI into consideration.
Limitations of earlier SAP BW releases
Improvements with SAP NetWeaver 2004s
Authorizations in BI
Authorization Objects in BI
Authorization objects are grouped according to authorization object
classes. The major authorization object class in BI is RS.
Primary Authorization object used by Reporting Users - S_RS_COMP
Primary Authorization object used by Administrators - S_RS_ADMWB
Exercise: Explore the Authorization Objects S_RS_COMP & S_RS_ADMWB
S_RS_COMP
S_RS_ADMWB
Securing Data Access for Reporting Users
Authorization Level
On InfoCube Level
On Characteristic Level
On Characteristic Value Level
On Key Figure Level
On Hierarchy Node Level
Authorization on Characteristic Level
Authorization on Characteristic Value Level
Authorization on Key Figure Level
Analysis Authorizations
Analysis Authorizations
Analysis authorizations are the fundamental building blocks of the new reporting security concept; they contain both the data value and the hierarchy restrictions.
This is also called data-level access. With the NW2004s analysis authorization principles it is possible to define an analysis authorization directly on an InfoObject.
The authorization can consist of single values, value ranges, or a reference to a hierarchy node, provided the InfoObject has a hierarchy and is flagged as authorization-relevant.
Analysis Authorizations
Scenario: Sufficient Authorizations
The complete query selection is a subset of the user's authorizations.
The query results are shown.
Scenario: Insufficient Authorizations
All or part of the query selection lies outside the user's authorizations.
No query results are shown at all (there is no partial result).
(Diagram: the query selection drawn inside, respectively partly outside, the authorized set)
Exceptions to the All-or-Nothing Rule
Display hierarchies are automatically filtered to the nodes the user is authorized for.
Key figure values are not displayed if the key figure is not authorized.
Authorization Maintenance
Before You Start
Activate all Business Content related to authorizations before you get started:
InfoObjects: 0TCA* (and 0TCT* if not done already)
InfoCubes: 0TCA*
Set the following InfoObjects as authorization-relevant:
0TCAACTVT
0TCAIPROV
0TCAVALID
0TCAKYFNM
Authorization Relevant Characteristics
InfoObjects must be flagged as Authorization Relevant before they can be secured.
1. Execute T-code RSD1
2. Enter the InfoObject name
3. Go to the Business Explorer tab
4. Select the check box Authorization Relevant
5. Activate the InfoObject
Authorizing Characteristic Values
Possible values:
EQ: Single value
BT: Range of values
CP: Contains (simple) patterns ending with * (e.g., XY*)
Special Authorization Values
* (asterisk)
Denotes an arbitrary sequence of characters.
Used alone, it grants access to all values.
Used at the end of a value, it specifies a simple pattern (example: SAP*).
: (colon)
Allows access to aggregated data only (e.g., the total over all sales areas, but not the figures of any particular sales area).
+ (plus)
Denotes exactly one character.
Used at the end of a value to specify a simple pattern (example: RED+).
Used to specify date patterns (only for Validity, 0TCAVALID).
# (hash)
Stands for the initial or unassigned value.
Special Authorization Characteristics
These special characteristics must be assigned to a user in at least one authorization:
0TCAACTVT: Restricts the activity, i.e. display, create, change etc.
0TCAIPROV: Restricts the InfoProvider, i.e. InfoCube, ODS/DataStore Object, MultiProvider etc.
0TCAVALID: Defines the validity period of the analysis authorization.
All three characteristics must be flagged as authorization-relevant.
Authorization Variables
Variables of type Customer Exit can be used in an analysis authorization by prefixing the variable name with the special value $ (as an escape sequence). This enables dynamic granting of authorizations: the authorized values are retrieved at runtime.
The customer exit supplies the variable values through a selection routine placed in function module EXIT_SAPLRRS0_001 of enhancement RSR0001 (the enhancement is maintained via transaction CMOD).
Authorization Variables (contd.)
The advantage of this method is that all users can receive the same authorization: the characteristic value (or hierarchy node) holds the variable name with a $ sign in front of it instead of a fixed value, and the exit returns the values that apply to the current user.
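Added example, not from the original deck and not SAP code: a small Python simulation of how the authorization values described above (EQ, BT, CP; the special values *, :, +, #; a $-prefixed variable) are matched against a query selection, and of the all-or-nothing rule from the Analysis Authorizations slides. The characteristic names, the sample authorization SALES_WEST, the variable ZREGION and the region_exit function standing in for the customer exit are all constructed for illustration. The simulation checks one characteristic at a time and leaves out hierarchy nodes, the combination of several authorizations and the date patterns of 0TCAVALID.

```python
"""Added example, not SAP code: a simulation of how analysis authorization
values are matched against a query selection on one characteristic at a
time, including the $-variable escape and the all-or-nothing rule.
Hierarchy nodes, combinations of several authorizations and the date
patterns for 0TCAVALID are not modelled."""
import re
from typing import Callable, Dict, List, Optional, Tuple

# One authorization value line: (option, low, high); high is only used for BT.
AuthValue = Tuple[str, str, Optional[str]]
Authorization = Dict[str, List[AuthValue]]
# Stand-in for the customer exit (enhancement RSR0001): variable name and
# user in, authorized values out.
VariableExit = Callable[[str, str], List[AuthValue]]


def pattern_to_regex(value: str) -> "re.Pattern[str]":
    """Translate a BI pattern: '*' = any characters, '+' = exactly one."""
    out = ""
    for ch in value:
        if ch == "*":
            out += ".*"
        elif ch == "+":
            out += "."
        else:
            out += re.escape(ch)
    return re.compile("^" + out + "$")


def resolve(values: List[AuthValue], user: str, exit_fn: VariableExit) -> List[AuthValue]:
    """Expand $VARIABLE entries at runtime through the (simulated) customer exit."""
    resolved: List[AuthValue] = []
    for opt, low, high in values:
        if low.startswith("$"):
            resolved.extend(exit_fn(low[1:], user))
        else:
            resolved.append((opt, low, high))
    return resolved


def value_authorized(selected: str, values: List[AuthValue]) -> bool:
    """True if one authorized value line covers the selected single value."""
    for opt, low, high in values:
        if low == "*":                       # '*' alone: all values
            return True
        if opt == "EQ" and selected == low:  # also covers '#' (initial value)
            return True
        if opt == "BT" and high is not None and low <= selected <= high:
            return True
        if opt == "CP" and pattern_to_regex(low).match(selected):
            return True
    return False


def check_selection(selection: Dict[str, List[str]], authorization: Authorization,
                    user: str, exit_fn: VariableExit) -> Tuple[bool, List[Tuple[str, str]]]:
    """All-or-nothing: every selected value of every characteristic must be
    covered, otherwise the query shows no result at all. A selected value of
    ':' means the characteristic is only aggregated over (not drilled down),
    which is covered by an authorization value of ':' or '*'."""
    missing: List[Tuple[str, str]] = []
    for char, selected_values in selection.items():
        values = resolve(authorization.get(char, []), user, exit_fn)
        for sel in selected_values:
            if sel == ":":
                ok = any(low in ("*", ":") for _, low, _ in values)
            else:
                ok = value_authorized(sel, values)
            if not ok:
                missing.append((char, sel))
    return (not missing, missing)


# Constructed sample: one authorization for regional sales analysts.
SALES_WEST: Authorization = {
    "0TCAACTVT": [("EQ", "03", None)],
    "0TCAIPROV": [("CP", "ZSALES*", None)],
    "0TCAVALID": [("EQ", "*", None)],
    "0SALES_ORG": [("BT", "1000", "1999"), ("EQ", "#", None)],
    "0REGION": [("EQ", "$ZREGION", None)],   # resolved per user at runtime
    "0CUSTOMER": [("EQ", ":", None)],        # aggregated data only
}

# Constructed user-to-region table read by the simulated exit.
USER_REGIONS = {"ANALYST1": ["W1", "N+"], "ANALYST2": ["E1"]}


def region_exit(var: str, user: str) -> List[AuthValue]:
    """Simulated customer exit for variable ZREGION (hypothetical name)."""
    if var != "ZREGION":
        return []
    return [("CP", r, None) if ("*" in r or "+" in r) else ("EQ", r, None)
            for r in USER_REGIONS.get(user, [])]


if __name__ == "__main__":
    ok, missing = check_selection(
        {"0SALES_ORG": ["1200", "2500"], "0REGION": ["W1"]},
        SALES_WEST, "ANALYST1", region_exit)
    print("authorized" if ok else f"no result, not covered: {missing}")
```

Running the block as a script reproduces the insufficient-authorization scenario: sales organization 2500 is outside the BT range, so the whole query returns nothing even though 1200 on its own would have been fine. Selecting only aggregated customer data (value ":") passes, selecting an individual customer does not.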
Key Figure Authorizations
This restriction is used to grant users authorization for particular key figures.
Technical name: 0TCAKYFNM
Possible values:
- Single value (EQ): exactly one key figure
- Range (BT): a selection of key figures
- Pattern (CP): a selection of key figures based on a pattern
Note: once 0TCAKYFNM is flagged as authorization-relevant, the key figure check applies to every InfoProvider.
Authorizing Navigational Attributes
To restrict access to a navigation attribute, the attribute must be marked as authorization-relevant on the Attributes tab of the characteristic it belongs to.
Note: the underlying characteristic that the navigation attribute references does not itself need to be authorization-relevant.
Special Authorization: 0BI_ALL
An authorization for all values of all authorization-relevant characteristics is created automatically in the system. It has the name 0BI_ALL and can be viewed but not changed.
Every user that receives this authorization can access all data at any time. Each time an InfoObject is activated and the authorization-relevant property of the characteristic or of a navigation attribute changes, 0BI_ALL is adjusted automatically.
A user whose profile contains authorization object S_RS_AUTH with the value 0BI_ALL (or the value *) in field BIAUTH has complete access to all data.
Minimum Authorization Requirements for a Reporting User
Analysis authorizations for an InfoProvider
S_RS_COMP (activities 03, 16)
S_RS_COMP1 (query owner)
S_RFC (BEx Analyzer or BEx Browser only)
S_TCODE (RRMX for BEx Analyzer)
Create Analysis Authorization
Creation of Analysis Authorization
There are two ways to create analysis authorizations in BI 7:
1. Manual creation in the maintenance screen (T-code RSECAUTH, or RSECADMIN, Authorizations tab, Maintenance).
2. Automatic generation of analysis authorizations (for mass creation and assignment).
Creation through RSECADMIN
1) Execute T-code RSECADMIN
2) Go to Maintenance on the Authorizations tab
3) Enter the name of the analysis authorization and click Create
Automatic Generation of Analysis Authorizations
With the generation of analysis authorizations, authorized values can be loaded from other systems into DataStore Objects and authorizations generated from them. This approach is generally used for mass creation of analysis authorizations and their assignment to users.
Steps to be performed:
Data Warehouse Workbench (RSA1):
1. Activate Business Content
2. Load the DataStore Objects
Management of Analysis Authorizations (RSECADMIN):
3. Generate Authorizations
4. View Generation Log
Activate Business Content
There are five DataStore Objects delivered with Business Content that serve as templates:
0TCA_DS01: Authorization data, values
0TCA_DS02: Authorization data, hierarchies
0TCA_DS03: Descriptive texts for authorizations
0TCA_DS04: Assignment of users to authorizations
0TCA_DS05: Generation of users for authorizations
Load of DataStore Objects
Fill the DataStore Objects with the user data and the authorizations.
Extract the data, for example, from an SAP R/3 source system or from a flat file.
Note: run some consistency checks on the loaded data to avoid errors during the generation later.
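Added example of the consistency checks the note above recommends, written in Python; it is not part of the deck and not SAP's delivery. The rows mimic the content of 0TCA_DS01 (authorization values) and 0TCA_DS04 (user assignment) in a simplified field order, (authorization, InfoObject, option, low, high) and (user, authorization). The 12-character limit on the authorization name is an assumption, the option rules follow the value slides above, the requirement that every user ends up with 0TCAACTVT, 0TCAIPROV and 0TCAVALID follows the Special Authorization Characteristics slide, and the sample rows are constructed with deliberate errors.

```python
"""Added example, not SAP code: pre-generation consistency checks over the
rows that would be loaded into the 0TCA_DS01 (values) and 0TCA_DS04 (user
assignment) template DSOs before RSECADMIN generates authorizations from them.
Field order below is a simplified stand-in for the real DSO fields."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

ValueRow = Tuple[str, str, str, str, str]   # (auth, iobj, option, low, high)
AssignRow = Tuple[str, str]                 # (user, auth)

REQUIRED_SPECIAL = {"0TCAACTVT", "0TCAIPROV", "0TCAVALID"}
VALID_OPTIONS = {"EQ", "BT", "CP"}
MAX_AUTH_NAME_LEN = 12   # assumption: length of the analysis authorization name


def check_value_rows(value_rows: List[ValueRow]) -> List[str]:
    """Structural checks on each authorization value line."""
    errors: List[str] = []
    for auth, iobj, opt, low, high in value_rows:
        where = f"{auth}/{iobj}"
        if not auth or len(auth) > MAX_AUTH_NAME_LEN or auth != auth.upper():
            errors.append(f"{where}: authorization name must be 1-{MAX_AUTH_NAME_LEN} upper-case chars")
        if opt not in VALID_OPTIONS:
            errors.append(f"{where}: option {opt!r} is not EQ/BT/CP")
        elif opt == "BT" and (not high or high < low):
            errors.append(f"{where}: BT needs a HIGH value >= LOW")
        elif opt == "CP" and not (low.endswith("*") or "+" in low):
            errors.append(f"{where}: CP value {low!r} contains no pattern character")
        elif opt == "EQ" and low not in ("*", ":", "#") and ("*" in low or "+" in low):
            errors.append(f"{where}: pattern characters need option CP, not EQ")
        if opt != "BT" and high:
            errors.append(f"{where}: HIGH is only allowed with BT")
    return errors


def check_assignments(value_rows: List[ValueRow], assignment_rows: List[AssignRow]) -> List[str]:
    """Every assignment must point at a defined authorization, and every user
    must get the three special characteristics from at least one of them."""
    errors: List[str] = []
    chars_by_auth: Dict[str, Set[str]] = defaultdict(set)
    for auth, iobj, *_ in value_rows:
        chars_by_auth[auth].add(iobj)
    auths_by_user: Dict[str, Set[str]] = defaultdict(set)
    for user, auth in assignment_rows:
        if auth not in chars_by_auth:
            errors.append(f"{user}: assigned authorization {auth} is not defined")
        auths_by_user[user].add(auth)
    for user, auths in auths_by_user.items():
        covered: Set[str] = set().union(*(chars_by_auth[a] for a in auths))
        for special in sorted(REQUIRED_SPECIAL - covered):
            errors.append(f"{user}: no assigned authorization contains {special}")
    return errors


def validate(value_rows: List[ValueRow], assignment_rows: List[AssignRow]) -> List[str]:
    return check_value_rows(value_rows) + check_assignments(value_rows, assignment_rows)


# Constructed sample load: ZSALES_W is complete, ZSALES_E has two defects,
# ANALYST3 is assigned to an authorization that does not exist.
VALUE_ROWS: List[ValueRow] = [
    ("ZSALES_W", "0TCAACTVT", "EQ", "03", ""),
    ("ZSALES_W", "0TCAIPROV", "CP", "ZSALES*", ""),
    ("ZSALES_W", "0TCAVALID", "EQ", "*", ""),
    ("ZSALES_W", "0SALES_ORG", "BT", "1000", "1999"),
    ("ZSALES_E", "0SALES_ORG", "EQ", "20*", ""),   # pattern given with EQ
    ("ZSALES_E", "0REGION", "BT", "E9", "E1"),     # HIGH below LOW
]
ASSIGNMENT_ROWS: List[AssignRow] = [
    ("ANALYST1", "ZSALES_W"), ("ANALYST2", "ZSALES_E"), ("ANALYST3", "ZNOSUCH"),
]

if __name__ == "__main__":
    for line in validate(VALUE_ROWS, ASSIGNMENT_ROWS):
        print(line)
```

On the sample load the validator reports the two defective value lines, the undefined authorization, and that ANALYST2 and ANALYST3 would end up without the special characteristics, which is exactly the kind of load that fails or, worse, generates unusable authorizations silently.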
Generate Authorizations
Start the generation by specifying the relevant DataStore Objects.
View Generation Log
A detailed log can be viewed once the generation is completed.
Assign Analysis Authorization
Assignment of Authorization
Direct assignment of analysis authorizations to users through RSECADMIN (User tab).
Indirect assignment through roles (PFCG).
Direct Assignment
Direct assignment of analysis authorizations to users through RSECADMIN.
Pros and Cons
Direct assignment (analysis authorization based) approach:
Pros:
No roles need to be created for the corresponding analysis authorizations.
Cons:
SAP provides no change documents for the assignment and removal of analysis authorizations to and from users.
SAP provides no SUIM (User Information System) reports for analysis authorizations.
There is no way to assign analysis authorizations to many users in one step.
Pros and Cons (contd.)
If a user ID that has analysis authorizations assigned directly is deleted in SU01, these assignments are not removed with it. If the same user ID is later recreated, it automatically receives the earlier analysis authorizations again.
So if this approach is followed, always remove the analysis authorizations from the user ID with RSU01 first and delete the user ID with SU01 afterwards.
Indirect Assignment
As an alternative to direct assignment, analysis authorizations can be assigned to roles, which are then assigned to users.
Use authorization object S_RS_AUTH for the assignment of analysis authorizations to roles.
Maintain the authorization names as values of field BIAUTH.
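Added example in Python, not SAP code and not from the deck, that reconciles the two assignment paths described above and flags every user who ends up with 0BI_ALL, whether through a BIAUTH value of 0BI_ALL, a wildcard such as * in S_RS_AUTH (see the 0BI_ALL slide), or a direct assignment. The role, user and authorization data are constructed; in a live system the same inputs would be read from the role authorization data (AGR_1251), the role-to-user assignments (AGR_USERS) and the direct user assignments shown in RSECADMIN.

```python
"""Added example, not SAP code: effective analysis authorizations per user
from both assignment paths (S_RS_AUTH/BIAUTH in roles, direct assignment),
flagging everyone who effectively holds 0BI_ALL."""
from typing import Dict, Iterable, List, Set, Tuple

FULL_ACCESS = "0BI_ALL"


def bi_auth_match(pfcg_value: str, auth_name: str) -> bool:
    """PFCG field semantics: an exact name, or a prefix ending in '*'.
    This is why a BIAUTH value of '*' (or '0*') silently includes 0BI_ALL."""
    if pfcg_value.endswith("*"):
        return auth_name.startswith(pfcg_value[:-1])
    return pfcg_value == auth_name


def effective_authorizations(defined_auths: Iterable[str],
                             role_biauth: Dict[str, List[str]],
                             role_users: Dict[str, List[str]],
                             direct: Iterable[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Return {user: set of analysis authorization names} combining both paths."""
    defined = set(defined_auths)
    result: Dict[str, Set[str]] = {}
    for role, users in role_users.items():
        granted = {a for a in defined
                   for v in role_biauth.get(role, []) if bi_auth_match(v, a)}
        for u in users:
            result.setdefault(u, set()).update(granted)
    for u, a in direct:
        result.setdefault(u, set()).add(a)
    return result


def users_with_full_access(effective: Dict[str, Set[str]]) -> List[str]:
    return sorted(u for u, auths in effective.items() if FULL_ACCESS in auths)


def offending_role_values(role_biauth: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Role field values that grant 0BI_ALL, for clean-up in PFCG."""
    return sorted((role, v) for role, vals in role_biauth.items()
                  for v in vals if bi_auth_match(v, FULL_ACCESS))


# Constructed sample data (role names and authorizations are hypothetical).
DEFINED_AUTHS = {"0BI_ALL", "ZSALES_W", "ZSALES_E", "ZFIN_ALL"}
ROLE_BIAUTH = {
    "Z_BI_SALES_WEST": ["ZSALES_W"],
    "Z_BI_SALES_ALL": ["ZSALES_*"],    # prefix wildcard, stays within sales
    "Z_BI_SUPPORT": ["*"],             # full wildcard, includes 0BI_ALL
    "Z_BI_FINANCE": ["ZFIN_ALL"],
}
ROLE_USERS = {
    "Z_BI_SALES_WEST": ["ANALYST1"],
    "Z_BI_SALES_ALL": ["MANAGER1"],
    "Z_BI_SUPPORT": ["SUPPORT1"],
    "Z_BI_FINANCE": ["CFO1"],
}
DIRECT = [("CFO1", "0BI_ALL"), ("ANALYST1", "ZSALES_E")]   # RSECADMIN assignments

if __name__ == "__main__":
    eff = effective_authorizations(DEFINED_AUTHS, ROLE_BIAUTH, ROLE_USERS, DIRECT)
    print("full data access:", users_with_full_access(eff))
    print("role values granting 0BI_ALL:", offending_role_values(ROLE_BIAUTH))
```

Two findings come out of the sample: SUPPORT1 has full access through the wildcard in the role, which SUIM would show only if you know to search S_RS_AUTH for BIAUTH = *, and CFO1 has it through a direct assignment that no role report shows at all. Both paths have to be reviewed together to get a complete picture.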
Pros and Cons
Indirect assignment approach:
Pros:
Change documents are already available (role and profile changes).
The existing SUIM reports are already available.
Mass assignment is possible via role assignment.
Cons:
Roles need to be created corresponding to the analysis authorizations, which means more maintenance in the system.
Exercise: Add Analysis Authorizations to a user profile
Monitoring Analysis Authorizations
Using the Trace
There are two primary transaction codes that can be used to trace authorizations: ST01 and RSECADMIN.
Transaction code ST01 is the system trace; it records the checks of the standard authorization objects (S_RS_COMP, S_RS_ADMWB, S_RS_AUTH etc.).
The trace in transaction code RSECADMIN is specific to BI and records only the checks of the analysis authorizations you create to control access to InfoObject values. This trace is very helpful when you need to debug an authorization error.
Authorization Monitoring
Checking Authorizations
Log on with your own user ID (production support role).
Check the query execution with the authorizations of a specific user (RSECADMIN, Analysis tab, Execute as User).
Evaluate Log Protocol
Turn on logging of user activities related to analysis authorizations.
View detailed information about the authorization checks.
Change Log of Analysis Authorizations
Activate the corresponding VirtualProviders from the Business Content (VAL = values, HIE = hierarchies, UA = user assignment).
The system records all changes to authorizations and user assignments. Queries can be built on these InfoProviders to find out, for example:
- How many users have access to a given InfoCube?
- Which users have access to company code X?
- When was authorization XYZ created, and by whom?
Exercise: Trace the missing authorizations
Q&A