Transcript of BW Security
-
SAP BW Security Practices
Andreas Wilmsmeier, Managing Director
COMPENDIT
Email: [email protected]
-
Monday, 28 April 2003 (C) 2003 COMPENDIT Andreas Wilmsmeier SAP BW Security 2
COMPENDIT
Provides premier, industry leading business intelligence solutions
-
Agenda
A generic setup to minimize role maintenance
Company policies and legal requirements
Automatic generation of authorization and other useful techniques
Changes to authorization objects in BW 3.0
-
A Generic Hierarchy Of Roles
Common Authorizations
Common Power User Authorizations
Common End User Authorizations
Common Administrator Authorizations
Business Role Specific Authorizations
Business Role Specific Menu
Business Role Specific Authorizations
Business Role Specific Authorizations
Data Value Authorizations
-
Common Authorizations
Common authorizations should go to a common authorizations role.
This way, there is only one single place where common authorizations are maintained (e.g. after upgrades or as a consequence of changes to the overall authorization concept).
Examples:
Authorizations for RFC access (RRMX, RSMENU, RS_PERS_BOD, ...)
Transaction codes (RRMX, ...)
Central functions (document access, ...)
-
Common Authorizations for Power Users
Authorizations common to certain types of users (such as power users) should go to a common power user authorizations role (or to the one corresponding to the type of user).
As for common authorizations, this procedure keeps the maintenance effort low for this type of authorization.
Examples:
Batch job scheduling (for the reporting agent)
Additional RFC calls, transactions
Spooler (for the reporting agent)
-
Business Role Specific Authorizations
Examples of business role specific authorizations for power users:
Maintenance of menu roles (e.g. access/add/change menu items)
Business Explorer components (e.g. access/add/change query elements)
InfoProviders (e.g. read access to certain InfoProviders)
-
Data Value Authorizations
Reporting authorizations based upon data values
Examples:
Characteristics (cost centers, regions, sales offices, ...)
Key figures (sales revenue, costs, salary, ...)
Hierarchies (organizational, regional, ...)
Data value authorizations should be kept separate from non-reporting authorizations for ease of maintenance.
-
Data Value Specific Authorizations Example
Assumptions:
Total number of different business roles = 30
Total number of different data values = 50
Scenario 1: Data value authorizations maintained in business roles
Total number of potential roles to maintain: 30 * 50 = 1500
Scenario 2: Data value authorizations kept separately
Total number of potential roles to maintain: 30 + 50 = 80
-
Business Role Specific Menus
Contain menu items available to the business role, usually maintained by power users
Examples:
Web applications available
BEx workbooks available
Relevant internal and external links to documents, web pages, applications, ...
Should be kept separate to allow for use by multiple different types of users (such as end users and power users) or even in different business roles
-
Use of Composite Roles
Common Authorizations
Common Power User Authorizations
Common End User Authorizations
Common Administrator Authorizations
Business Role Specific Authorizations
Business Role Specific Menu
Business Role Specific Authorizations
Business Role Specific Authorizations
Data Value Specific Authorizations
-
Use of Composite Roles
In conjunction with the generic role hierarchy approach, composite roles help simplify the process of assigning roles to users.
Composite roles consist of:
The basic authorization role
The end user / power user / administrator role
One or more business specific authorization roles
One or more business specific menu roles
Main benefit of this setup: only one role (instead of 4) is assigned to a user to grant the authorizations required by a certain business role.
-
Use of Authorization Templates
Common Authorizations
Common Power User Authorizations
Common End User Authorizations
Common Administrator Authorizations
Business Role Specific Authorizations
Business Role Specific Menu
Business Role Specific Authorizations
Business Role Specific Authorizations
Data Value Specific Authorizations
-
Use of Authorization Templates
Authorization templates can be used to copy empty authorizations to a role in the profile generator (PFCG)
SAP authorization templates are useful for defining common roles (such as basic, end user, power user, etc.)
Authorization templates can be defined:
In transaction SU24
From within transaction PFCG, menu path Environment - Maintain Templates
Custom templates are useful for defining business role specific authorizations
-
Naming Conventions
Clearly defined naming conventions are crucial for an efficient management of authorizations.
Naming conventions should be defined using a single prefix or a hierarchy of prefixes for distinct application areas.
Naming conventions should at least (but not only) be defined for reporting relevant objects (data providers, queries, workbooks, web templates, and so forth).
See Business Content for best practices.
-
Naming Conventions
Naming conventions allow using wildcards in defining authorizations and avoid listing individual objects in order to allow access
Example: Authorizations for executing controlling queries (authorization object S_RS_COMP)
InfoArea: 0CO*
InfoProvider: 0CO*
Component type: REP
Component name: 0CO*
Activity: 16
Example: Authorizations for maintaining and executing HR queries (authorization object S_RS_COMP)
InfoArea: 0HR*
InfoProvider: 0HR*
Component type: *
Component name: 0HR*
Activity: 01, 02, 03, 06, 16, 22
-
Agenda
A generic setup to minimize role maintenance
Company policies and legal requirements
Automatic generation of authorization and other useful techniques
Changes to authorization objects in BW 3.0
-
The Security Trade-Off
Information Democracy: less control of who knows what, lower maintenance effort
Controlled Distribution of Information: more control of who knows what, higher maintenance effort
(Chart axes: Maintenance Effort vs. Control)
-
Legal requirements
Legal requirements may affect your security design
Examples:
Privacy regulations may force you to prohibit access to certain personal information about employees, customers or other types of business partners
Financial results may be required to be publicly available, so you may want to release this information to the public
-
Agenda
A generic setup to minimize role maintenance
Company policies and legal requirements
Automatic generation of authorization and other useful techniques
Changes to authorization objects in BW 3.0
-
Generation of Authorizations
Initial idea stems from making HR authorizations available to SAP BW in an automated way (this function is still part of the Business Content)
A more generic tool is available to generate authorizations based upon the following Business Content ODS objects:
0TCA_DS01 Reporting authorizations
0TCA_DS02 Reporting authorizations for hierarchies
0TCA_DS03 Texts
0TCA_DS04 Users
-
Authorization Generation Process
Authorizations & User Assignment
Transaction RSSM (Generation of Authorizations)
ODS objects 0TCA_DS01, 0TCA_DS02, 0TCA_DS03, 0TCA_DS04
Staging Engine
DataSources
-
Generating Authorizations in 4 Steps
1. Copy ODS objects from Business Content
Copies of 0TCA_DS0x allow for multiple different authorization generation processes
Not all ODS objects are required all the time
2. Implement DataSource / extraction process
3. Define DataSources, InfoSource, transfer & update rules in SAP BW
4. Define and schedule authorization generation process in RSSM
-
RSSM Generating Authorizations
-
Generated Authorizations Made Visible
Either use a MultiProvider on the authorization ODS objects
Or define an InfoCube including the main characteristics of the ODS objects and some key figures (such as dates) and update the InfoCube from the ODS objects
Define queries as required
-
Agenda
A generic setup to minimize role maintenance
Company policies and legal requirements
Automatic generation of authorization and other useful techniques
Changes to authorization objects in BW 3.0
-
Changes in 3.0
S_RS_COMP: New authorization check for variables (object type VAR) in query definition
S_RS_COMP1 - Owners: Used to define query element authorizations based upon ownership
$USER is used for own query elements
Used in addition to S_RS_COMP
Both authorization objects are checked and evaluated as a logical AND
S_RS_FOLD: Suppress InfoArea view of BEx elements
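As an added illustration (not from the slides or COMPENDIT), a constructed Python model of the two checks described in the Naming Conventions slide and here: S_RS_COMP with the wildcard values that naming conventions make possible (the 0CO* and 0HR* examples), and the BW 3.0 S_RS_COMP1 ownership check with $USER, combined as a logical AND. The class and field names, the wildcard semantics and the sample query elements are assumptions of the model, not SAP's implementation.

```python
from dataclasses import dataclass

def field_matches(allowed: str, value: str) -> bool:
    # Semantics assumed for this model: '*' matches anything, a trailing '*'
    # matches by prefix (0CO* covers 0CO_C01), anything else must match exactly.
    if allowed == "*":
        return True
    if allowed.endswith("*"):
        return value.startswith(allowed[:-1])
    return allowed == value

@dataclass
class SRsComp:              # one S_RS_COMP authorization (fields as named on the slides)
    infoarea: str
    infoprovider: str
    comp_type: str
    comp_name: str
    activities: frozenset
@dataclass
class SRsComp1:             # one S_RS_COMP1 authorization: query element ownership
    comp_name: str
    comp_type: str
    owner: str              # "$USER" stands for the user being checked
    activities: frozenset
@dataclass
class QueryElement:         # the query element as the check sees it (constructed)
    infoarea: str
    infoprovider: str
    comp_type: str
    name: str
    owner: str
def check_s_rs_comp(auths, q, activity):
    return any(field_matches(a.infoarea, q.infoarea) and field_matches(a.infoprovider, q.infoprovider)
               and field_matches(a.comp_type, q.comp_type) and field_matches(a.comp_name, q.name)
               and activity in a.activities for a in auths)

def check_s_rs_comp1(auths, q, activity, user):
    return any(field_matches(a.comp_name, q.name) and field_matches(a.comp_type, q.comp_type)
               and field_matches(user if a.owner == "$USER" else a.owner, q.owner)
               and activity in a.activities for a in auths)

def authorized(comp_auths, comp1_auths, q, activity, user):
    # BW 3.0 rule from the slides: both objects are checked and combined as a logical AND
    return check_s_rs_comp(comp_auths, q, activity) and check_s_rs_comp1(comp1_auths, q, activity, user)
# Constructed roles built from the Naming Conventions slide's two examples (activity 16 = execute)
CONTROLLING = [SRsComp("0CO*", "0CO*", "REP", "0CO*", frozenset({"16"}))]
HR_POWER = [SRsComp("0HR*", "0HR*", "*", "0HR*", frozenset({"01", "02", "03", "06", "16", "22"}))]
# S_RS_COMP1: all activities on the user's own elements, execute only on everyone else's
OWNER_AUTHS = [SRsComp1("*", "*", "$USER", frozenset({"01", "02", "03", "06", "16", "22"})),
               SRsComp1("*", "*", "*", frozenset({"16"}))]
```

The S_RS_COMP1 pair shows the point of the AND: an HR power user's S_RS_COMP authorization alone would let them change any 0HR* query, but S_RS_COMP1 restricts change activities to elements they own.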
-
Changes in 3.0
S_RS_IOBJ: Authorization object for working with InfoObjects, in addition to S_RS_ADMWB
S_RS_ISET: Authorizations for InfoSets
S_RFC: Additional RFC_NAME values (RFC_TYPE FUGR, ACTVT 16):
RRXWS: BW Web Interface
RS_PERS_BOD: Personalization of BEx Open Dialog
RSMENU: Roles and Menus
S_GUI: Authorization for GUI activities (activity 60 = Upload)
-
Side Note on MultiProviders
S_RS_MPRO - MultiProviders: Used to define authorizations on a MultiProvider level
Used in addition to InfoCube authorizations
Results in fewer checks for authorizations on MultiProvider queries, if BW is customized accordingly (Business Information Warehouse - General BW Settings - Settings for Authorizations)
-
For more information:
COMPENDIT Inc.
Phone: +1 312.673.1158
Fax: +1 312.896.9400
Email: [email protected]
Web: www.compendit.com