BI 7 Security Concepts
Topics Covered:
• Difference between BW 3.x and BI 7
• Securing reporting users access
• Authorization Trace
• Creation of Analysis Authorization
• Assignment of Analysis Authorization
• Securing Access to Workbooks
• Additional BI7 Security Features
• New Authorization Objects
Difference between BW 3.x and BI 7 Security
Linking hierarchies to roles:
• BW 3.x: There was no SAP-delivered authorization object to link hierarchies to roles. A customized authorization object had to be created, which fell under SAP class RSR.
• BI 7: The SAP-delivered authorization object S_RS_AUTH (class RS) can be added to roles and further linked to analysis authorizations.
Transaction and concept of authorization:
• BW 3.x: Old transaction RSSM; concept of authorization: 'Reporting Authorization'
• BI 7: New transaction RSECADMIN; concept of authorization: 'Analysis Authorization'
Authorization:
• BW 3.x: PFCG (role-based approach)
• BI 7: PFCG (role-based approach) and RSECAUTH (analysis-authorization-based approach)
Full authorization:
• BW 3.x: SAP_ALL, SAP_NEW
• BI 7: SAP_ALL, SAP_NEW, and 0BI_ALL, which allows full authorization for the authorization-relevant Info Objects (IO) and is used in the authorization object S_RS_AUTH
Authorization Objects in BI 7
Authorization objects are grouped according to authorization object classes. The major authorization object class in BI is RS.
• S_RS_COMP: Decides which Info Area's and Info Provider's data a user can view
• S_RS_COMP1: Decides which owners' queries a user can execute
• S_RS_FOLD: Hides or displays the “Info Area” push button for end users
• S_RS_AUTH: Gives access to analysis authorizations
• S_RS_ADMWB: Used by the BW administrator for modeling and controlling
Some other authorization objects, needed to save workbooks/queries to roles:
• S_USER_AGR: Determines the roles in which a user can add workbooks and queries
• S_USER_TCD: Should have the value RRMX; used in conjunction with S_USER_AGR
Restricting access in BI
In BI 7, reporting users' access needs to be restricted at certain levels:
• InfoCube Level: Restrict at the InfoCube level.
• Characteristic Level/Info Object: Restrict access to all values for a particular characteristic.
• Characteristic Value Level: Restrict access to certain values of a particular characteristic.
• Key Figure Level: Restrict access to certain key figures.
• Hierarchy Node: Restrict access to certain nodes of a hierarchy.
Securing Data Access for Reporting Users
Below are the minimum authorization requirements for a reporting user:
• Analysis authorizations for an Info Provider
• S_RS_COMP (Activities 03, 16)
• S_RS_COMP1 (Query owner)
• S_RFC (BEx Analyzer or BEx Browser only)
• S_TCODE (RRMX for BEx Analyzer)
A reporting user must have authorizations for the S_RS_COMP and S_RS_COMP1 authorization objects as well as analysis authorizations for the Info Provider on which the query is based.
In addition, if the reporting user will be using the BEx Analyzer reporting tool, they will need authorizations for objects S_RFC and S_TCODE, with authorization for transaction code RRMX.
Options for Securing Data Access
Securing by Info Cube: Use this option if the authorizations need to be checked only at the Info Provider level. You can then create roles that allow users to run queries from the specified Info Provider(s).
Securing by Query: Another option is to use the Info Provider in conjunction with the query name. To do this, you will need a strict naming convention for query names so that security does not have to be updated each time a new query is created.
Securing by Info Object: Allowing two users to execute the same query but get different results based on their assigned data access for division, cost center, or some other Info Object is known as Info Object-level security or field-level security.
Securing by Info Object:
The more granular level of restricting users' access is the Info Object/field level. The following procedure shows the steps you must follow when setting up security for an Info Object:
1. Define the Info Object as authorization relevant.
2. Create (or adjust) analysis authorizations for the Info Object.
3. Assign authorizations to users.
4. Add a variable to the queries.
Authorization Relevance
The Authorization Relevant setting for an Info Object is made in the Info Object definition on the Business Explorer tab. The business needs will drive which Info Objects should be relevant for security.
• Execute Tcode RSD1
• Enter the Info Object name
• Go to the Business Explorer tab
• Select the check box “Authorization Relevant”
• Activate the Info Object
Create analysis authorizations:
Analysis authorizations are the fundamental building blocks of the new reporting concept; they contain both the data value and hierarchy restrictions.
• Execute Tcode RSECADMIN
• Go to Maintenance in the Authorization tab
• Enter the analysis authorization and click Create
Assign authorizations to users:
Once you have created analysis authorizations, users will need access to the right authorizations according to business needs. You can assign authorizations in roles using S_RS_AUTH or directly in transaction RSECADMIN or RSU01.
Add a variable to the queries
If we want a query to only provide results based on the division, for example, then the
query itself needs the ability to filter specific division values. Before we can secure on
division, the query must be able to restrict data by division. The only way the query can
restrict data dynamically is through a variable. The variable can be added anytime
independent of the other steps listed here.
Exercises:
• Create a simple query from an existing Info Cube, execute it, and save it as a new
workbook
• Defining Info Object-Level Security for Reporting Users
• Limit query access within the BEx Analyzer using S_RS_COMP1 and S_RS_FOLD
Authorization Trace
Trace Tool: ST01 and RSECADMIN
Transaction code ST01 executes a trace tool that exists on all ABAP-based systems. Among other purposes, this tool serves as a trace for all SAP-provided authorization objects. You simply turn on the trace (for a specific user), and when the trace is completed you can see which authorization objects were checked and the results of the checks.
In transaction RSECADMIN → Analysis you can execute a trace that is specific to BI analysis authorizations. Analysis authorizations will not appear in the ST01 trace.
Authorization Trace
In BI 7 we can trace:
1) Authorization Monitoring
2) Change log of Analysis authorization
Authorization Monitoring
Checking Authorizations
• Log on with your own user ID
• Check query execution with the authorizations of a specific user
Evaluate Log Protocol
• Turn on logging of user activities related to analysis authorizations
• View detailed information about authorization checks
Change log of Analysis authorization
Activate the following Virtual Providers from the Business Content (VAL =
Values, HIE = Hierarchies, UA = User Assignment)
The system records all changes to authorizations and user assignments.
Queries can be built on these Info Providers to answer questions such as:
- How many users have access to a given InfoCube?
- Which users have access to company code X?
- When was authorization “XYZ” created, and by whom?
Exercise (s):
• Trace BI authorizations
• ST01 Trace
Creation of Analysis Authorization
There are two ways to create the analysis authorization in BI 7
1. Manual creation of analysis authorization through RSECAUTH Tcode
2. Automatic generation of analysis authorization approach (for mass creation and
assignment)
Creation through RSECADMIN
1) Execute Tcode RSECADMIN
2) Go to Maintenance in the Authorization tab
3) Enter the analysis authorization and click Create
Automatic generation of analysis authorization
With the generation of analysis authorizations, we can load authorized
values from other systems into Data Store objects and generate
authorizations from them. This approach is generally used for mass
creation of analysis authorization and assignment of these authorizations
to the users.
Steps to be performed:
Data Warehouse Workbench (RSA1):
1. Activate Business Content
2. Load of Data Store Objects
Management of Analysis Authorizations (RSECADMIN):
3. Generate Authorizations
4. View Generation Log
Activate Business Content
SAP delivers Business Content for storing authorizations and the user assignment of authorizations; it should be activated.
Load of Data Store Objects
• Fill the Data Store objects with the user data and authorizations
• Extract the data, for example, from an SAP R/3 source system or from a flat file
Note: Some consistency checks should be added to avoid errors during the generation
later
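One way to implement the consistency checks mentioned in the note, as an added example that is not part of the original slides: it validates a flat file of authorization rows before it is loaded. The column layout, user IDs, authorization names and values are constructed for illustration and are not the layout of the SAP-delivered Data Store objects.

```python
import csv
import io

VALID_OPTIONS = {"EQ", "BT", "CP"}
SPECIAL_VALUES = {":", "#"}  # aggregated data / "not assigned"

# Constructed flat file (hypothetical columns and values).
SAMPLE = """user,auth,infoobject,option,low,high
JSMITH,Z_CC_1000,0COMP_CODE,EQ,1000,
JSMITH,Z_CC_1000,0COMP_CODE,EQ,:,
MBROWN,Z_CC_RANGE,0COMP_CODE,BT,2000,1000
KLEE,Z_DIV,0DIVISION,CP,01,
GHOST,Z_CC_1000,0COMP_CODE,EQ,1000,
AWONG,Z_PLANT,0PLANT,EQ,P100,
AWONG,Z_CC_X,0COMP_CODE,BT,#,9999
JSMITH,Z_CC_1000,0COMP_CODE,EQ,1000,
"""
KNOWN_USERS = {"JSMITH", "MBROWN", "KLEE", "AWONG"}
AUTH_RELEVANT = {"0COMP_CODE", "0DIVISION"}  # Info Objects flagged in RSD1


def validate(text, known_users, auth_relevant):
    """Return (line_number, message) for every row that should not be loaded."""
    problems, seen = [], set()
    reader = csv.DictReader(io.StringIO(text))
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        get = lambda col: (row.get(col) or "").strip()
        user, option = get("user").upper(), get("option").upper()
        auth, iobj, low, high = get("auth"), get("infoobject"), get("low"), get("high")

        key = (user, auth, iobj, option, low, high)
        if key in seen:
            problems.append((line_no, "duplicate row"))
            continue
        seen.add(key)

        if user not in known_users:
            problems.append((line_no, f"unknown user {user}"))
        if iobj not in auth_relevant:
            problems.append((line_no, f"{iobj} is not authorization relevant"))

        if option not in VALID_OPTIONS:
            problems.append((line_no, f"invalid option {option!r}"))
        elif not low:
            problems.append((line_no, "missing low value"))
        elif (low in SPECIAL_VALUES or high in SPECIAL_VALUES) and option != "EQ":
            problems.append((line_no, "special value : or # only allowed with EQ"))
        elif option == "BT" and (not high or low > high):
            # String comparison: assumes values of equal length, as for company codes.
            problems.append((line_no, "BT needs a high value that is >= low"))
        elif option == "CP" and not any(ch in low for ch in "*+"):
            problems.append((line_no, "CP pattern contains no wildcard"))
        elif option != "BT" and high:
            problems.append((line_no, "high value only allowed with BT"))
    return problems


if __name__ == "__main__":
    for line_no, message in validate(SAMPLE, KNOWN_USERS, AUTH_RELEVANT):
        print(f"line {line_no}: {message}")
```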
Generate Authorizations
Start the generation by specifying the relevant Data Store objects
View Generation Log
Detailed log can be viewed once the generation is completed
Assignment of Analysis Authorization
Assignment of authorization
1. Direct assignment of Analysis authorization through RSECADMIN
2. Indirect assignment through Roles (PFCG)
Direct assignment
Direct assignment of analysis authorizations through RSECADMIN
Pros:
• This approach removes the need to create roles for the corresponding analysis authorizations.
Cons:
• No change documents are provided by SAP for the assignment and removal of analysis authorizations from a user
• No SUIM (System User Information Management) reports are provided by SAP for analysis authorizations
• There is no way to mass-assign analysis authorizations to users in one go.
Analysis authorization based approach:
• If a user ID that has analysis authorizations assigned to it is deleted using SU01, these authorizations are not deleted from the user's profile. If the same ID is recreated, it is automatically populated with the earlier analysis authorizations.
So if this approach is followed, it is always recommended that the analysis authorizations are manually deleted from the user ID using RSU01 and that the ID is then deleted using SU01.
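A check for the leftover-assignment problem described above, as an added example that is not part of the original slides: it compares an export of direct analysis authorization assignments with the current user list, flags assignments whose user ID no longer exists, and lists what must be removed in RSU01 before a planned SU01 deletion. The CSV columns, user IDs and authorization names are constructed assumptions about your own export.

```python
import csv
import io
from collections import defaultdict

# Constructed sample exports; the column names USER and AUTH are assumptions
# about your own export format, not an SAP table layout.
ASSIGNMENTS_CSV = """USER,AUTH
JSMITH,Z_CC_1000
JSMITH,Z_DIV_01
mbrown ,Z_CC_2000
KLEE,0BI_ALL
TEMP01,Z_CC_1000
"""
ACTIVE_USERS_CSV = """USER
JSMITH
KLEE
AWONG
"""


def _norm(user_id):
    """User IDs are compared upper-case and without surrounding blanks."""
    return user_id.strip().upper()


def load_assignments(text):
    """Return {user: set of directly assigned analysis authorizations}."""
    by_user = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        by_user[_norm(row["USER"])].add(row["AUTH"].strip().upper())
    return dict(by_user)


def load_users(text):
    return {_norm(row["USER"]) for row in csv.DictReader(io.StringIO(text))}


def orphaned_assignments(assignments, active_users):
    """Assignments that survived a user deletion and would come back
    automatically if the same ID were created again."""
    return {user: sorted(auths)
            for user, auths in sorted(assignments.items())
            if user not in active_users}


def full_access_users(assignments, active_users):
    """Existing users that hold 0BI_ALL through a direct assignment."""
    return sorted(user for user, auths in assignments.items()
                  if "0BI_ALL" in auths and user in active_users)


def deletion_blockers(planned_deletions, assignments):
    """For users about to be deleted: what to remove in RSU01 first."""
    planned = {_norm(user) for user in planned_deletions}
    return {user: sorted(assignments[user])
            for user in sorted(planned) if user in assignments}


if __name__ == "__main__":
    assignments = load_assignments(ASSIGNMENTS_CSV)
    users = load_users(ACTIVE_USERS_CSV)
    print("Orphaned:", orphaned_assignments(assignments, users))
    print("Direct 0BI_ALL:", full_access_users(assignments, users))
    print("Clean up before deleting:", deletion_blockers(["jsmith", "awong"], assignments))
```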
Indirect Assignment
• As an alternative to direct assignment, we can also assign authorizations to roles, which can then be assigned to users.
• Use authorization object S_RS_AUTH for the assignment of authorizations to roles
• Maintain the authorizations as values for field BIAUTH
Pros and Cons
Pros:
• All the change documents are already available
• All the existing SUIM reports are already available
• Mass role assignment is possible
Cons:
• Roles need to be created corresponding to the analysis authorizations, which means more maintenance in the system
Queries and Workbooks:
A query is more the technical definition of what the results should look like. Workbooks are actual results that have been formatted and can be refreshed each time the workbook is executed.
The query is a definition of what data the query should fetch and how the data should be initially displayed. A query definition includes rows, columns, filters, and free characteristics.
The workbook is a result set of the query. In this workbook, the data is displayed by sales organization. Every time the user executes the workbook, the data will be refreshed, but the format can remain the same, depending on the settings for the query in the workbook.
Multiple query results saved in workbooks from the same query definition enable users to customize how they want to review the results and analyze the data.
Saving workbooks to Queries:
If a user wants to save a workbook to a location where it can be easily accessed by others, they need to save to a Role. Saving to a Role means saving to a security role. You may want to set up roles specifically for saving workbooks. You can then assign the role to all parties who need to share workbooks.
In order to save workbooks to roles, a user needs:
• S_USER_AGR: Authorizations: Role check
• S_USER_TCD: Transactions in roles
The authorization object S_USER_AGR has two fields: Activity and Role Name. For the Activity field, the user must have at least values 01, 02 and 22. If the user can delete workbooks, they will also need value 06. For the Role Name, you should enter the specific roles you have created for saving workbooks.
Authorization object S_USER_TCD has one field, Transaction Code. The user needs value RRMX in this field.
Exercise (s):
Securing Access to Workbooks
BI 7 Security Features
The concept of BW security remains the same in BI 7; the changes are mostly new authorization features, more authorization objects, newer Tcodes and more flexibility.
1. Analysis Authorization
2. Special Characteristics
3. Special Authorization: 0BI_ALL
4. Variables in Authorization (Custom Exit)
5. Colon authorization
6. Pound Authorization
7. Key Figure Authorization
8. Authorizing Navigational Attributes
Analysis Authorization:
Analysis authorizations are the fundamental building blocks of the new reporting concept; they contain both the data value and hierarchy restrictions.
This is also called data level access. With the new NW2004s analysis authorization principles it is now possible to create an analysis authorization object directly on an Info Object.
The authorization can be single values, a value range, or created with reference to a hierarchy, provided the Info Object is created with a hierarchy and the Info Object is authorization relevant.
Special Characteristics:
These special characteristics must be assigned to a user in at least one authorization:
• 0TCAACTVT: Restricts access to activities, i.e. display, create, change, etc.
• 0TCAIPROV: Restricts access to the Info Provider, i.e. Info Cube, ODS, Multi Provider, etc.
• 0TCAVALID: Provides the validity of the analysis authorization
All of these should be marked as authorization relevant.
0BI_ALL
An authorization for all values of authorization-relevant characteristics is created automatically in the system. It has the name 0BI_ALL. It can be viewed, but not changed. Every user who receives this authorization can access all the data at any time. Each time an Info Object is activated and the property “authorization relevant” is changed for the characteristic or a navigation attribute, 0BI_ALL is automatically adjusted.
A user who has a profile with the authorization object S_RS_AUTH in which 0BI_ALL is entered (or which includes the value *) has complete access to all data.
Custom Exit:
Variables of type Customer Exit can be used with the special value $ (as escape sequence) as a prefix before the variable name. This enables dynamic granting of authorizations (authorized values are retrieved at runtime).
The customer exit reads the variable values using a selection routine placed in the function module EXIT_SAPLRRBR_001 inside enhancement RSR0001. (This enhancement is accessed via transaction code CMOD.)
The advantage of this method is that you can give all users the same authorization by placing the variable name with a $ sign in front of it, instead of a value, in the characteristic value (or the hierarchy node).
Colon (:) as Authorization
Two purposes for the colon authorization value:
If the Info Provider has sensitive data, it could be that you do not want the user to see any summarized data. For example, let us assume you have an Info Provider that has sensitive forecasting data. In this business scenario you have chosen to secure by Info Objects (for example, Company Code). If you do not want a user with access to Company Code 1000 to see ANY data from other company codes, then you might not give this user the colon (:) value in the authorization. This would mean that ANY queries on your Info Provider that do not use the Company Code Info Object will fail for this user.
The second purpose of the colon authorization is to give the user access to aggregated data. For example, a user can see the total of sales made by all sales organizations but the detailed data of only his own sales organization.
Pound (#) as Authorization
Using a Pound Sign (#) as an Authorization Value:
When data is loaded into SAP BW, some fields may be marked as no value
assigned (posted with INITIAL). If you have secured an Info Object that has data
that is unassigned in the Info Cube, you may choose to give the user a pound sign
(#) in order to avoid an authorization error at runtime.
The # character is interpreted as authorization for the display of the value
Not assigned (posted with INITIAL).
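A simplified model of how the special values described above ($ variable, colon, pound, and * or 0BI_ALL) decide whether a query runs, as an added example that is neither SAP's implementation nor code from the original slides. The Info Provider ZFCAST_C01, the exit variable ZV_CC, the user IDs and the rule that one authorization must cover the whole request are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

AGGREGATED, UNASSIGNED, ALL = ":", "#", "*"


def expand(entries, user, exits):
    """Resolve ("EQ", "$VAR") entries to the values the exit returns at runtime."""
    resolved = []
    for entry in entries:
        low = entry[1]
        if low.startswith("$"):
            # Unknown variable or unknown user yields no values (fail closed).
            values = exits.get(low[1:], lambda _user: [])(user)
            resolved.extend(("EQ", value) for value in values)
        else:
            resolved.append(entry)
    return resolved


def covers(entry, value):
    """True if one authorization entry covers one requested value."""
    op, low = entry[0], entry[1]
    if low == ALL:
        return True  # assumption of this model: * also covers : and #
    if value in (AGGREGATED, UNASSIGNED):
        # Special values need an explicit grant; a range such as 1000-ZZZZ
        # must not match ":" just because of character ordering.
        return op == "EQ" and low == value
    if op == "EQ":
        return low == value
    if op == "BT":
        return low <= value <= entry[2]  # string compare, equal-length values
    if op == "CP":
        return fnmatchcase(value, low)
    raise ValueError(f"unknown operator {op!r}")


def failures(auth, request, relevant, user, exits, today):
    """Return the (characteristic, value) pairs this authorization does not cover."""
    needed = {
        "0TCAACTVT": [request["activity"]],
        "0TCAIPROV": [request["infoprovider"]],
        "0TCAVALID": [today],
    }
    for char in relevant:
        # A characteristic the query does not use is requested in aggregated form.
        needed[char] = sorted(request["selection"].get(char, [AGGREGATED]))
    missing = []
    for char, values in needed.items():
        entries = expand(auth.get(char, []), user, exits)
        missing += [(char, v) for v in values
                    if not any(covers(e, v) for e in entries)]
    return missing


def is_authorized(auths, request, relevant, user, exits, today):
    """auths maps authorization name to definition. Simplification: a single
    authorization must cover the whole request; merging is not modelled."""
    if "0BI_ALL" in auths:
        return True
    return any(not failures(a, request, relevant, user, exits, today)
               for a in auths.values())


# Constructed sample data (all names and values are hypothetical).
EXITS = {"ZV_CC": lambda user: {"JSMITH": ["1000"]}.get(user, [])}
BASE = {
    "0TCAACTVT": [("EQ", "03")],
    "0TCAIPROV": [("EQ", "ZFCAST_C01")],
    "0TCAVALID": [("BT", "20240101", "20991231")],
}
AUTH_NO_COLON = {**BASE, "0COMP_CODE": [("EQ", "$ZV_CC")]}
AUTH_WITH_COLON = {**BASE, "0COMP_CODE": [("EQ", "$ZV_CC"), ("EQ", ":")]}
AUTH_WITH_POUND = {**BASE, "0COMP_CODE": [("EQ", "$ZV_CC"), ("EQ", "#")]}
RELEVANT = ["0COMP_CODE"]


def query(selection):
    return {"activity": "03", "infoprovider": "ZFCAST_C01", "selection": selection}


def demo(user="JSMITH"):
    ctx = (RELEVANT, user, EXITS, "20250115")
    no_colon, colon = {"Z_CC": AUTH_NO_COLON}, {"Z_CC": AUTH_WITH_COLON}
    pound = {"Z_CC": AUTH_WITH_POUND}
    unassigned = {"0COMP_CODE": {"1000", "#"}}
    return {
        "own company code": is_authorized(no_colon, query({"0COMP_CODE": {"1000"}}), *ctx),
        "other company code": is_authorized(colon, query({"0COMP_CODE": {"2000"}}), *ctx),
        "query without company code, no colon": is_authorized(no_colon, query({}), *ctx),
        "query without company code, colon": is_authorized(colon, query({}), *ctx),
        "unassigned values, no pound": is_authorized(colon, query(unassigned), *ctx),
        "unassigned values, pound": is_authorized(pound, query(unassigned), *ctx),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allowed' if allowed else 'denied'}")
```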
Key Figure Authorization
This restriction is used to grant users authorization for particular key figures.
• Technical name: 0TCAKYFNM
• Possible values:
- Single value (EQ): exactly one key figure
- Range (BT): selection of key figures
- Pattern (CP): selection of key figures based on a pattern
Note: If a particular key figure is defined as authorization-relevant, it will be checked for every Info Provider.
Authorizing Navigational Attributes:
To restrict access to navigational attributes, they should be marked as authorization-relevant in the attribute tab strip.
Note: The referencing characteristic does not need to be authorization-relevant
New Authorization Objects
Below are the new authorization objects in BI 7 for the administration workbench, Business Explorer and analysis authorizations.
Authorization objects for the Data Warehousing Workbench:
S_RS_DS: For the DataSource or its sub objects (NW2004s)
S_RS_ISNEW: For new InfoSources or their sub objects (NW 2004s)
S_RS_DTP: For the data transfer process and its sub objects
S_RS_TR: For transformation rules and their sub objects
S_RS_CTT: For currency translation types
S_RS_UOM: For quantity conversion types
S_RS_THJT: For key date derivation types
S_RS_PLENQ: Authorizations for maintaining or displaying the lock settings
S_RS_RST: Authorization object for the RS trace tool
S_RS_PC: For process chains
S_RS_OHDEST: Open Hub Destination
BI 7 new Authorization Objects
Authorization objects for the Business Explorer:
S_RS_DAS: For Data Access Services
S_RS_BTMP: For BEx Web templates
S_RS_BEXTX: Authorizations for the maintenance of BEx texts
Authorization objects for the Admin of analysis authorizations
S_RSEC: Authorization for assignment and administration of analysis authorizations
S_RS_AUTH: Authorization object to include analysis authorizations in roles
Changed Authorization Objects:
S_RS_ADMWB (Data Warehousing Workbench: Objects): New values for field RSADMWBOBJ have been added, such as BIA_ZA, CNG_RUN, CONT_ACT, etc., for activities like BI Accelerator Monitor Checks and Attribute Change Run.
SAP BI 7 security concepts

SAP BI 7 security concepts

  • 1. BI 7 Security Concepts
  • 2. Topics Covered: • Difference between BW 3.x and BI 7 • Securing reporting users access • Authorization Trace • Creation of Analysis Authorization • Assignment of Analysis Authorization • Securing Access to Workbooks • Additional BI7 Security Features • New Authorization Objects
  • 3. There was no SAP delivered authorization object to link the hierarchies to Roles. Customized Auth object need to be created which will fall under SAP Class RSR. Difference between BW 3.x and BI Security SAP delivered Auth object S_RS_AUTH (Class RS) can be added to the Roles and further linked to analysis authorization
  • 4. Contd… RSSM RSECADMIN Old transaction: RSSM Concept of authorization: 'Reporting Authorization' New transaction : RSECADMIN Concept of authorization: 'Analysis Authorization'
  • 5. Contd… Authorization: PFCG (Role based approach) Authorization: PFCG (Role based approach) RSECAUTH (Analysis Authorization Based Approach)
  • 6. Contd… Full Authorization: SAP_ALL, SAP_NEW 0BI_ALL: Allow full authorization for the IO authorization relevant, Used in the authorization object: S_RS_AUTH Full Authorization: SAP_ALL, SAP_NEW
  • 7. Authorization objects are grouped according to authorization object classes. The major authorization object class in BI is RS. S_RS_COMP: Decides which Info area, Info provider’s data user can view S_RS_COMP1: Decides which owner’s queries a user can execute S_RS_FOLD: Hide or display the “Info Area” push button for end users S_RS_AUTH: Gives access to analysis Authorizations S_RS_ADMWB: Used by BW administrator for Modeling and controlling Some other Auth objects: To save workbooks/Queries to Roles S_USER_AGR: In which Role user can add workbooks and Queries S_USER_TCD: should have value as RRMX and used in conjunction with S_USER_AGR Authorization Objects in BI 7
  • 8. In BI 7, reporting users access needs to be restricted to certain levels like InfoCube Level: Restrict at the InfoCube level. Characteristic Level/Info Object: Restrict access to all values for a particular characteristic. Characteristic Value Level: Restrict access to certain values of a particular characteristic. Key Figure Level: Restrict access to certain key figures. Hierarchy Node: Restrict access to certain nodes of a hierarchy Restricting access in BI
  • 9. Below are the minimum authorization requirements for a reporting user: • Analysis authorizations for an Info Provider • S_RS_COMP (Activities 03, 16) • S_RS_COMP1 (Query owner) • S_RFC (Bex Analyzer or Bex Browser only) • S_TCODE (RRMX for Bex Analyzer) A reporting user must have authorizations for the S_RS_COMP, S_RS_COMP1 authorization objects as well as analysis authorizations for the Info Provider on which the query is based. In addition, if the reporting user will be using the Bex Analyzer reporting tool, they will need authorizations for object S_RFC and S_TCODE with authorization for transaction code RRMX. Securing Data Access for Reporting Users
  • 10. Secure by Info Cube: If the authorizations need to be checked only on Info Provider level. You can then create roles that allow you to run queries from the specified Info Provider (s). Securing by Query: Another option would be to use the Info Provider in conjunction with the query name. To do this, you will need a strict naming convention for query names so that security does not have to be updated each time a new query is created. Securing by Info Object: Allowing two user to execute the same query, but to get different results based on their assigned data access for division, cost center, or some other Info Object, is known as info Object level security or field level security Options for Securing Data Access
  • 11. The more granular level of restricting access of the users is at Info Object/Field level . The following procedure shows the steps you must be following when setting up security for an Info Object: 1. Define the Info Object as authorization relevant. 2. Create (or adjust) analysis authorizations for the Info Object. 3. Assign authorizations to users. 4. Add a variable to the queries. Securing by Info Object:
  • 12. The Authorization Relevant setting for an Info Object made in the Info Object definition on the Business Explorer tab. The business needs will drive which Info Objects should be relevant for security. • Execute Tcode RSD1 • Enter the info object name • Go to Business Explorer Tab • Select the check box “Authorization Relevant” • Activate the info object Authorization Relevance
  • 13. Analysis Authorizations are fundamental building blocks of the new reporting concept which contains both the data value and hierarchy restrictions. • Execute Tcode RSECADMIN • Go to Maintenance in Authorization Tab • Enter The Analysis Authorization and click Create Create analysis authorizations:
  • 14. Once you have created analysis authorizations, users will need access to the right authorizations according to business needs. You can assign authorizations in roles using S_RS_AUTH or directly in transaction RSECADMIN or RSU01. Assign authorizations to users:
  • 15. Add a variable to the queries If we want a query to only provide results based on the division, for example, then the query itself needs the ability to filter specific division values. Before we can secure on division, the query must be able to restrict data by division. The only way the query can restrict data dynamically is through a variable. The variable can be added anytime independent of the other steps listed here.
  • 16. Exercises: • Create a simple query from an existing Info Cube, execute it, and save it as a new workbook • Defining Info Object-Level Security for Reporting Users • Limit query access within the Bex Analyze using S_RS_COMP1 and S_RS_FOLD
  • 18. Trace Tool: ST01 and RSECADMIN. Transaction code ST01 executes a trace tool that exists on all ABAP-based systems. Among other purposes, this tool serves as a trace for all SAP-provided authorization objects. You simply turn on the trace (for a specific user), and when the trace is completed you can see which authorization objects were checked and the results of the check. In transaction RSECADMIN → Analysis you can execute a trace that is specific to BI analysis authorizations. Analysis authorizations will not appear in the ST01 trace.
  • 19. Authorization Trace: In BI 7 we can trace:
      1) Authorization Monitoring
      2) Change log of Analysis authorization
  • 20. Authorization Monitoring: Checking Authorizations
      • Log on with your own user ID
      • Check query execution with the authorizations of a specific user
  • 21. Contd… Evaluate Log Protocol
      • Turn on logging of user activities related to analysis authorizations
      • View detailed information about authorization checks
  • 22. Change log of Analysis authorization: Activate the following Virtual Providers from the Business Content (VAL = Values, HIE = Hierarchies, UA = User Assignment). The system records all changes to authorizations and user assignments. Queries can be built on these Info Providers to answer questions such as:
      - How many users have access to a given InfoCube?
      - Which users have access to company code X?
      - When was authorization “XYZ” created, and by whom?
  • 23. Exercise(s):
      • Trace BI authorizations
      • ST01 Trace
  • 25. Creation of Analysis Authorization: There are two ways to create the analysis authorization in BI 7:
      1. Manual creation of analysis authorization through Tcode RSECAUTH
      2. Automatic generation of analysis authorization (for mass creation and assignment)
  • 26. Creation through RSECADMIN:
      1) Execute Tcode RSECADMIN
      2) Go to Maintenance in the Authorization tab
      3) Enter the analysis authorization and click Create
  • 27. Automatic generation of analysis authorization: With the generation of analysis authorizations, we can load authorized values from other systems into Data Store objects and generate authorizations from them. This approach is generally used for mass creation of analysis authorizations and assignment of these authorizations to the users. Steps to be performed:
      Data Warehouse Workbench (RSA1):
      1. Activate Business Content
      2. Load of Data Store Objects
      Management of Analysis Authorizations (RSECADMIN):
      3. Generate Authorizations
      4. View Generation Log
  • 28. Activate Business Content: SAP delivers Business Content for storing authorizations and the user assignment of authorizations. This Business Content should be activated.
  • 29. Load of Data Store Objects:
      • Fill the Data Store objects with the user data and authorizations
      • Extract the data, for example, from an SAP R/3 source system or from a flat file
      Note: Some consistency checks should be added to avoid errors during the generation later.
  • 30. Generate Authorizations: Start the generation by specifying the relevant Data Store objects.
  • 31. View Generation Log: A detailed log can be viewed once the generation is completed.
  • 33. Assignment of authorization:
      1. Direct assignment of Analysis authorization through RSECADMIN
      2. Indirect assignment through Roles (PFCG)
  • 34. Direct assignment: Direct assignment of Analysis authorization through RSECADMIN
  • 35. Analysis authorization based approach:
      Pros:
      • This approach removes the need to create roles for the corresponding analysis authorization.
      Cons:
      • No change documents are provided by SAP for the assignment and removal of analysis authorizations from the user
      • No SUIM (System User Information Management) reports are provided by SAP for analysis authorizations
      • There is no way to mass-assign analysis authorizations to users in one step.
  • 36. Contd…
      • If a user ID that has analysis authorizations assigned to it is deleted using SU01, these authorizations are not deleted from the user’s profile. If the same ID is recreated, it is automatically populated with the earlier analysis authorizations. So if this approach is followed, it is always recommended to manually remove the analysis authorizations from the user ID using RSU01 and then delete the ID using SU01.
  • 37. Indirect Assignment:
      • As an alternative to direct assignment, we can also assign authorizations to roles, which can then be assigned to users.
      • Use authorization object S_RS_AUTH for the assignment of authorizations to roles
      • Maintain the authorizations as values for field BIAUTH
  • 38. Pros and Cons:
      Pros:
      • All the change documents are already available
      • All the existing SUIM reports are already available
      • Mass role assignment is possible
      Cons:
      • Roles need to be created corresponding to the analysis authorizations, which means more maintenance in the system
  • 39. Queries and Workbooks: A query is the technical definition of what the results should look like. Workbooks are actual results that have been formatted and can be refreshed each time the workbook is executed. The query is a definition of what data the query should fetch and how the data should be initially displayed. A query definition includes rows, columns, filters, and free characteristics. The workbook is a result set of the query. In this workbook, the data is displayed by sales organization. Every time the user executes the workbook, the data will be refreshed, but the format can remain the same, depending on the settings for the query in the workbook. Multiple query results saved in workbooks from the same query definition enable users to customize how they want to review the results and analyze the data.
  • 40. Saving workbooks to Queries: If a user wants to save a workbook to a location where it can be easily accessed by others, they need to save to a Role. Saving to a Role means saving to a security role. You may want to set up roles specifically for saving workbooks. You can then assign the role to all parties who need to share workbooks. In order to save workbooks to roles, a user needs:
      • S_USER_AGR: Authorizations: Role check
      • S_USER_TCD: Transactions in roles
      The authorization object S_USER_AGR has two fields: Activity and Role Name. For the Activity field, the user must have at least values 01, 02 and 22. If the user can delete workbooks, they will also need value 06. For the Role Name, you should enter the specific roles you have created for saving workbooks. Authorization object S_USER_TCD has one field, Transaction Code. The user needs value RRMX in this field.
  • 42. BI 7 Security Features
  • 43. BI 7 Security Features: The concept of BW security remains the same in BI 7; the changes are mainly new authorization features, more authorization objects, newer Tcodes and more flexibility.
      1. Analysis Authorization
      2. Special Characteristics
      3. Special Authorization: 0BI_ALL
      4. Variables in Authorization (Custom Exit)
      5. Colon Authorization
      6. Pound Authorization
      7. Key Figure Authorization
      8. Authorizing Navigational Attributes
  • 44. Analysis Authorization: Analysis Authorizations are fundamental building blocks of the new reporting concept which contains both the data value and hierarchy restrictions. This is also called data level access. With the new NW2004s analysis authorisation principles it is now possible to create an analysis authorisation object directly on an info object. The authorisation can be single values, a value range, or created with a reference to a hierarchy, provided the info object is created with a hierarchy and the info object is authorisation relevant.
  • 45. Special Characteristics: These special characteristics must be assigned to a user in at least one authorization:
      • 0TCAACTVT: Restricts access to activities, i.e. display, create, change etc.
      • 0TCAIPROV: Restricts access to the Info Provider, i.e. Info Cube, ODS, Multi provider etc.
      • 0TCAVALID: Provides the validity of the analysis authorization
      All of these characteristics should be marked as authorization relevant.
  • 46. 0BI_ALL: An authorization for all values of authorization-relevant characteristics is created automatically in the system. It has the name 0BI_ALL. It can be viewed, but not changed. Every user that receives this authorization can access all the data at any time. Each time an Info Object is activated and the property “authorization relevant” is changed for the characteristic or a navigation attribute, 0BI_ALL is automatically adjusted. A user that has a profile with the authorization object S_RS_AUTH and has entered 0BI_ALL (or has included value as *) has complete access to all data.
  • 47. Custom Exit: Variables of type Customer Exit can be used with the special value $ (as escape sequence) as a prefix before the variable name. This enables dynamic granting of authorizations (authorized values are retrieved at runtime). The customer exit reads the variable values using a selection routine placed in the function module EXIT_SAPLRRBR_001 inside enhancement RSR0001. (This enhancement is accessed via transaction code CMOD.) The advantage of this method is that you can give all users the same authorization by placing the variable name with a $ sign in front of it, instead of a value, in the characteristic value (or the hierarchy node).
  • 48. Colon (:) as Authorization: There are two purposes for the colon authorization value. First, if the Info Provider has sensitive data, it could be that you do not want the user to see any summarized data. For example, let us assume you have an Info Provider that has sensitive forecasting data. In this business scenario you have chosen to secure by Info Objects (for example, Company Code). If you do not want a user with access to Company Code 1000 to see ANY data from other company codes, then you might not give this user the colon (:) value in the authorization. This would mean that ANY queries on your Info Provider that do not use the Company Code Info Object will fail for this user. The second purpose of the colon authorization is to give the user access to the aggregated data. For example, a user can see the total of sales done by all sales organizations but the detailed data of only his own sales organization.
  • 49. Pound (#) as Authorization: Using a pound sign (#) as an authorization value: When data is loaded into SAP BW, some fields may be marked as no value assigned (posted with INITIAL). If you have secured an Info Object that has data that is unassigned in the Info Cube, you may choose to give the user a pound sign (#) in order to avoid an authorization error at runtime. The # character is interpreted as authorization for the display of the value Not assigned (posted with INITIAL).
  • 50. Key Figure Authorization: This restriction is used to grant users authorization to particular key figures.
      • Technical name: 0TCAKYFNM
      • Possible values:
          - Single value (EQ): Exactly one key figure
          - Range (BT): Selection of key figures
          - Pattern (CP): Selection of key figures based on pattern
      Note: If a particular key figure is defined as authorization-relevant, it will be checked for every Info Provider.
  • 51. Authorizing Navigational Attributes: To restrict access to a navigational attribute, it should be marked as authorization-relevant on the attribute tab strip. Note: The referencing characteristic does not need to be authorization-relevant.
  • 54. BI 7 new Authorization Objects: Below are the new authorization objects in BI 7 for the Administration Workbench, Business Explorer and analysis authorization. Authorization objects for the Data Warehousing Workbench:
      • S_RS_DS: For the DataSource or its sub objects (NW2004s)
      • S_RS_ISNEW: For new InfoSources or their sub objects (NW 2004s)
      • S_RS_DTP: For the data transfer process and its sub objects
      • S_RS_TR: For transformation rules and their sub objects
      • S_RS_CTT: For currency translation types
      • S_RS_UOM: For quantity conversion types
      • S_RS_THJT: For key date derivation types
      • S_RS_PLENQ: Authorizations for maintaining or displaying the lock settings
      • S_RS_RST: Authorization object for the RS trace tool
      • S_RS_PC: For process chains
      • S_RS_OHDEST: Open Hub Destination
  • 55. Authorization objects for the Business Explorer:
      • S_RS_DAS: For Data Access Services
      • S_RS_BTMP: For BEx Web templates
      • S_RS_BEXTX: Authorizations for the maintenance of BEx texts
      Authorization objects for the administration of analysis authorizations:
      • S_RSEC: Authorization for assignment and administration of analysis authorizations
      • S_RS_AUTH: Authorization object to include analysis authorizations in roles
      Changed authorization objects:
      • S_RS_ADMWB (Data Warehousing Workbench: Objects): New values have been added for field RSADMWBOBJ, such as BIA_ZA, CNG_RUN, CONT_ACT etc., for activities like BI Accelerator Monitor Checks and Attribute Change Run.
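The colon (:) and pound (#) behaviour described on slides 48 and 49, together with the EQ/BT/CP options from slide 50, as an added example: a simplified Python model of the value check, not SAP code and not part of the original deck. The InfoObject name 0COMP_CODE, the function names and the rule that a lone * also covers : and # are assumptions of this model.

```python
from fnmatch import fnmatchcase

AGGREGATE, UNASSIGNED, ALL = ":", "#", "*"

def entry_covers(entry, value):
    """entry = (option, low, high); option is EQ, BT or CP as on slide 50."""
    option, low, high = entry
    if low == ALL:                        # lone * = all values (model assumption)
        return True
    if value in (AGGREGATE, UNASSIGNED):  # special values need an explicit grant
        return option == "EQ" and low == value
    if option == "EQ":
        return value == low
    if option == "BT":
        return low <= value <= high
    if option == "CP":                    # ABAP pattern: * any string, + one char
        return fnmatchcase(value, low.replace("+", "?"))
    raise ValueError(f"unsupported option {option!r}")

def check_query(granted, relevant_chars, query):
    """Return the authorization-relevant characteristics on which the check fails.

    granted: {characteristic: [entry, ...]} from the user's analysis authorizations
    query:   {characteristic: {requested values}}; a characteristic the query
             does not use is absent and therefore needs the colon value.
    """
    failed = []
    for char in relevant_chars:
        needed = query.get(char) or {AGGREGATE}
        entries = granted.get(char, [])
        if not all(any(entry_covers(e, v) for e in entries) for v in needed):
            failed.append(char)
    return failed

# Constructed sample data: 0COMP_CODE stands in for the Company Code Info Object.
RELEVANT = ["0COMP_CODE"]
ONLY_1000 = {"0COMP_CODE": [("EQ", "1000", None)]}
WITH_COLON = {"0COMP_CODE": [("EQ", "1000", None), ("EQ", ":", None)]}
WITH_POUND = {"0COMP_CODE": [("EQ", "1000", None), ("EQ", "#", None)]}

Q_TOTALS = {}                              # company code not used in the query
Q_1000 = {"0COMP_CODE": {"1000"}}
Q_1000_AND_UNASSIGNED = {"0COMP_CODE": {"1000", "#"}}

if __name__ == "__main__":
    for name, grant in [("only 1000", ONLY_1000), ("with :", WITH_COLON), ("with #", WITH_POUND)]:
        for q in (Q_TOTALS, Q_1000, Q_1000_AND_UNASSIGNED):
            print(name, q, "->", check_query(grant, RELEVANT, q) or "OK")
```

The user granted only 1000 passes the query restricted to 1000 but fails the totals query, which is the failure the colon slide describes; adding # is what lets a selection that includes unassigned rows through.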
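A review check for the assignment risks on slides 36, 37 and 46, as an added example that is not part of the original deck: it finds direct analysis-authorization assignments left behind for deleted user IDs, and lists who holds full access through 0BI_ALL or * either directly or through a role's BIAUTH values. The input shapes, user names, role names and Z_ authorization names are constructed; how the lists are exported from the system is left open.

```python
FULL_ACCESS = {"0BI_ALL", "*"}  # values slide 46 says give complete data access

def orphaned_direct_assignments(existing_users, direct):
    """Direct assignments whose user ID is no longer in the user master.

    These are the entries that a recreated ID would silently inherit."""
    return sorted((user, auth) for user, auth in direct if user not in existing_users)

def pending_cleanup(users_to_delete, direct):
    """Per user due for deletion: authorizations to remove in RSU01 first."""
    plan = {}
    for user, auth in direct:
        if user in users_to_delete:
            plan.setdefault(user, []).append(auth)
    return plan

def full_access_holders(direct, user_roles, role_biauth):
    """Map each user to the paths that give them 0BI_ALL or *.

    role_biauth: {role: [BIAUTH values of S_RS_AUTH in that role]}"""
    holders = {}
    for user, auth in direct:
        if auth in FULL_ACCESS:
            holders.setdefault(user, []).append(f"direct:{auth}")
    for user, role in user_roles:
        for value in role_biauth.get(role, ()):
            if value in FULL_ACCESS:
                holders.setdefault(user, []).append(f"role:{role}:{value}")
    return holders

# Constructed sample exports (not real system data).
EXISTING_USERS = {"ALICE", "BOB"}
DIRECT = [("ALICE", "Z_CC_1000"), ("CAROL", "Z_CC_2000"), ("BOB", "0BI_ALL")]
USER_ROLES = [("ALICE", "Z_BI_REPORTING"), ("BOB", "Z_BI_WORKBOOKS")]
ROLE_BIAUTH = {"Z_BI_REPORTING": ["Z_CC_1000", "*"], "Z_BI_WORKBOOKS": []}

if __name__ == "__main__":
    print("orphaned:", orphaned_direct_assignments(EXISTING_USERS, DIRECT))
    print("clean up before deleting BOB:", pending_cleanup({"BOB"}, DIRECT))
    print("full access:", full_access_holders(DIRECT, USER_ROLES, ROLE_BIAUTH))
```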