Bwauthconcepts JUDI 1204[1]
Authorizations in mySAP Business Intelligence
Mohamed Judi, SAP Systems Integration America
Session Code: 1204
-
I. Introduction to SAP Authorization Concept
II. Authorization Concept in mySAP BW 3.0
III. mySAP BW Authorization Concept Implementation
IV. HR Authorizations in mySAP BW 3.0
V. Authorizations in mySAP SEM
VI. Authorizations in SAP Enterprise Portal
VII. Demonstrations
Agenda
-
Company Profile
SAP SI Systems Integration is a majority-owned subsidiary of SAP
Professional services in selected industries and knowledge areas (e.g. Business Intelligence)
1,600 employees worldwide
Systems integrator for mySAP.com solutions and 3rd party applications
Significant global player in the mySAP.com space with international market presence
Partner for large corporations and mid-size companies
Internationally diverse team of experienced consultants
US headquarters in Atlanta and offices in Philadelphia and Irvine/Los Angeles
-
Our SAP Business Intelligence Focus
To optimize processes, information & technology in:
Reporting and Analytical Applications
Data Warehousing & Information Deployment
Planning, Budgeting and Consolidation
Enterprise and Financial Management
Performance Mgmt and Balanced Scorecards
Knowledge and Content Management
-
SAP SI America: Trusted Advisors in SAP Business Intelligence
-
Sensitive Security Areas (figure: six numbered areas around the Portal Server, the User Directory and a Third Party System)
1. Authentication
2. User Management
3. Secure Network
4. Secure Communication
5. Authorization
6. Single Sign-On
-
Figure: the objects of the SAP authorization concept, from Development / User Administration & Security down to the user. Object Class (e.g. FI_AC, CROSS_APPS) > Authorization Object (e.g. S_TCODE, F_BURS) > Authorizations (e.g. FI_TRANS_CODE with field TCD: F*, VA03; FI_COMP_CODES with fields ACT: Display, Create and TARGET: 0001-0005) > Authorization Profiles (e.g. FI_ROLE) > User Master Record, which also carries 1. Menu, 2. Authorizations, 3. Workflow and 4. Organizational Structure.
Technical Overview of the SAP Authorization Concept
-
Figure: the Profile Generator builds Authorization Profiles from Single Roles (Activity Groups, e.g. Financial Planning: Plan Entry, Re-evaluation, ...). A single role supplies the User Menu, the Authorizations (Profiles) and the User Assignments; several single roles can be bundled into a Composite Role (Collective Activity Group, e.g. Financial Manager).
Authorization Profiles in Roles
-
Profile Generator: Create Authorization Profiles (screenshot of the generated Authorization Profile)
-
Traffic Lights
Red: organizational fields have missing values (the profile can't be generated)
Yellow: non-organizational fields have missing values (authorization failure at runtime)
Green: all fields have values assigned (which doesn't mean they have the right values!)
Other Icons
View field contents
Maintain field contents
Delete field contents, inactive authorization, or further authorizations for an object
Copy authorization
Inactivate an active authorization, or authorizations for an object
Reactivate an inactive authorization
Merge several authorizations
Transactions for an authorization object
Allocation of full authorization
Authorization Maintenance: Icon Legend
-
User Buffer
-
Figure: users receive single roles (Role 1 to Role 7) either directly or through composite roles (Composite Role A, Composite Role B) that bundle several single roles.
Assigning Users to Roles (Activity Groups)
-
Comparing the User Master (screenshot of the Authorization Profile comparison)
-
Who's Changing What?
Note: If tracing is not activated, there is no way to view changes in RSSM.
Change Documentation
-
Authorization Concept in BW 3.0
-
BW 3.0 Authorizations Overview with a BI Perspective (figure: numbered overview, areas 1 to 5)
-
Figure: information complexity pyramid, from coarse to fine:
User
User Role (Channels, Activity Groups)
InfoAreas
InfoCubes
Queries
InfoObjects - Key figures
InfoObjects - Characteristic Values
At the top: more simplification, less security. At the bottom: less simplification, more security.
Information Complexity in BW
-
Warehouse Design: Workbench Objects, Variables, Query Objects, InfoCube Objects, ODS Objects, InfoSources, InfoObjects, Source Systems
Warehouse Administration: InfoPackages, Monitor, Meta Data, Reporting Agent Settings
Authorization Relevant Elements
-
Open Dialog: S_RS_FOLD
The system manager can turn off the InfoArea view: specify X (true) in authorization maintenance to suppress it and prevent the global view.
Variable Definition in Query Definition: S_RS_COMP
New authorization check for variables in the query definition; the object type is VAR. Available in BW 3.0A Support Package 2.
InfoSet in BEx: S_RS_ISET
For displaying / maintaining InfoSets.
Authorization Objects to Support New 3.0 Functions
-
S_RS_FOLD - Turn Off InfoArea Folder
-
S_RS_COMP1: is checked in addition to S_RS_COMP; checks authorizations on query components dependent on the owner (creator, RSZOWNER). Authorizations are necessary, e.g., for creating queries.
S_RS_IOBJ: authorization object for working with InfoObjects; is checked if the authorization is not available via S_RS_ADMWB; additional checks for update rule authorizations.
New Authorization Objects (continued)
-
With role-based authorization a Web Report can be published into a role as: URL, MiniApp, iView.
Web Templates are handled like Workbooks: role based. The Web Application Designer is based on Web Templates: role based.
Pre-calculated objects: the OLAP Engine checks whether the object is pre-calculated; if so it does not refresh the data, but it still checks authorization.
If the object is copied, pre-cached data, there is no possibility to check authorization for the pre-calculated Reporting Agent output: whoever can reach the copy sees the data, so the distribution of such copies must itself be restricted.
Authorization in the Web Environment
-
Web Items are accessible via a Library of Items that is assigned to roles, similar to Web Template handling. There is no restriction once you have access to a certain library: you can display, and you can change if delete authorization is granted (the same authorization as assigning the library).
Query Views: authorization is inherited from the query.
Authorization in the Web Environment - Continued
-
Prior to 3.0, InfoObjects were protected via authorization object S_RS_ADMWB (Administrator Workbench Object = INFOOBJECT). You were only able to assign the authorization either for all InfoObjects or for none.
Solution: as of 3.0 there is an additional authorization object S_RS_IOBJ. With this authorization object you can differentiate the authorization by the technical names of the InfoObjects (for example to permit namespace A* or B*).
In such a case the user must not also hold S_RS_ADMWB for INFOOBJECT, because either of the two authorizations is sufficient to process InfoObjects: a user who still has S_RS_ADMWB bypasses the namespace restriction in S_RS_IOBJ.
Authorization Object for Securing InfoObjects
-
1. Mark characteristics as "Authorization Relevant"
2. Create an Authorization Object for Reporting
3. Create Authorizations with the values
3 Steps to Setup InfoObject Authorizations in BW
-
1. Mark characteristics as Authorization Relevant
-
2. Create an Authorization Object for Reporting
-
3. Create Authorizations in Profile
-
1. Activate InfoObject 0TCTAUTHH from Business Content (if necessary).
2. Create Reporting Object by using 0TCTAUTHH and leaf InfoObject.
3. Define a description of a hierarchy authorization.
4. Create an authorization for the new authorization object. Enter the technical name of the description of a hierarchy authorization as value for field 0TCTAUTHH.
4 Steps to Setup Hierarchy Authorizations in BW
-
1. Activate 0TCTAUTHH in Business Content
-
2. Create Authorization Object with 0TCTAUTHH
-
3. Define a Description of a Hierarchy Node
-
In 2.0, the level must be given by an absolute value with respect to the hierarchy. With the new mode, the level is set relative to the node and remains the same when the node is moved to another position in the hierarchy.
This will dramatically reduce the amount of maintenance required for unique hierarchy authorization node identifiers.
New Mode for Hierarchy Nodes
-
4. Create an Authorization for the New Object
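As an added worked example (not code from the slides, and not SAP's implementation), the following Python model shows what the InfoObject and hierarchy authorizations set up in the steps above actually decide at query time: every value a query selects must be covered either by a characteristic-value authorization (single value, pattern such as A*, or an interval) or by a hierarchy-node authorization, and a hierarchy-node authorization can limit its depth either as an absolute level (2.x) or relative to the node (the new 3.0 mode). The cost-centre hierarchy, the values and the class names are assumed for illustration; the real BW check has further special cases (aggregation, key-figure authorizations) that this model leaves out.

```python
"""Model of a BW reporting authorization check (added example, simplified)."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, Iterable, List, Optional, Set

# Constructed 0COSTCENTER hierarchy: node -> children; leaves are cost-centre values.
# All names are assumed for illustration.
HIERARCHY_V1: Dict[str, List[str]] = {
    "ROOT": ["REGION_EU", "REGION_US"],
    "REGION_EU": ["1000", "1100"],
    "REGION_US": ["2000", "DIV_US_WEST"],
    "DIV_US_WEST": ["2200", "2210"],
}
# The same hierarchy after a reorganisation: DIV_US_WEST was moved one level deeper.
HIERARCHY_V2: Dict[str, List[str]] = {
    "ROOT": ["REGION_EU", "REGION_US"],
    "REGION_EU": ["1000", "1100"],
    "REGION_US": ["2000", "SUBREGION_WEST"],
    "SUBREGION_WEST": ["DIV_US_WEST"],
    "DIV_US_WEST": ["2200", "2210"],
}


def absolute_level(node: str, hierarchy: Dict[str, List[str]], root: str = "ROOT") -> Optional[int]:
    """Depth of `node` counted from the root (root = 0), or None if it is not in the hierarchy."""
    stack = [(root, 0)]
    while stack:
        cur, depth = stack.pop()
        if cur == node:
            return depth
        stack.extend((child, depth + 1) for child in hierarchy.get(cur, []))
    return None


def subtree(node: str, hierarchy: Dict[str, List[str]], max_depth: Optional[int]) -> Set[str]:
    """All nodes and leaves at or below `node` within `max_depth` levels (None = whole subtree)."""
    reached: Set[str] = set()
    stack = [(node, 0)]
    while stack:
        cur, depth = stack.pop()
        reached.add(cur)
        if max_depth is None or depth < max_depth:
            stack.extend((child, depth + 1) for child in hierarchy.get(cur, []))
    return reached


@dataclass(frozen=True)
class ValueAuth:
    """Characteristic-value authorization: a single value / pattern (e.g. A*), or an interval low..high."""
    low: str
    high: Optional[str] = None

    def covers(self, value: str) -> bool:
        if self.high is None:
            return fnmatchcase(value, self.low)
        return self.low <= value <= self.high


@dataclass(frozen=True)
class NodeAuth:
    """Hierarchy-node authorization: `node` and its subtree down to `level` (None = unlimited).
    relative=False: `level` is an absolute depth in the hierarchy (the 2.x way).
    relative=True:  `level` is counted from the node itself (the 3.0 mode)."""
    node: str
    level: Optional[int]
    relative: bool

    def covers(self, value: str, hierarchy: Dict[str, List[str]]) -> bool:
        if self.level is None:
            max_depth = None
        elif self.relative:
            max_depth = self.level
        else:
            own_level = absolute_level(self.node, hierarchy)
            if own_level is None or own_level > self.level:
                return False          # node now sits below the authorized level: nothing is granted
            max_depth = self.level - own_level
        return value in subtree(self.node, hierarchy, max_depth)


def is_authorized(selection: Iterable[str], value_auths: Iterable[ValueAuth],
                  node_auths: Iterable[NodeAuth], hierarchy: Dict[str, List[str]]) -> bool:
    """Reporting check (simplified): every selected value must be covered by at least one
    authorization; a single uncovered value rejects the whole query."""
    value_auths, node_auths = tuple(value_auths), tuple(node_auths)
    return all(
        any(a.covers(v) for a in value_auths) or any(n.covers(v, hierarchy) for n in node_auths)
        for v in selection
    )


def authorized_leaves(value_auths: Iterable[ValueAuth], node_auths: Iterable[NodeAuth],
                      hierarchy: Dict[str, List[str]]) -> Set[str]:
    """What an authorization variable would be filled with: every leaf value the user may see."""
    value_auths, node_auths = tuple(value_auths), tuple(node_auths)
    leaves = {leaf for children in hierarchy.values() for leaf in children if leaf not in hierarchy}
    return {leaf for leaf in leaves if is_authorized([leaf], value_auths, node_auths, hierarchy)}


if __name__ == "__main__":
    absolute = NodeAuth("DIV_US_WEST", level=3, relative=False)   # 2.x style: absolute level 3
    relative = NodeAuth("DIV_US_WEST", level=1, relative=True)    # 3.0 mode: one level below the node
    for name, h in (("before reorg", HIERARCHY_V1), ("after reorg", HIERARCHY_V2)):
        print(name, "absolute:", is_authorized(["2200"], [], [absolute], h),
              "relative:", is_authorized(["2200"], [], [relative], h))
```

Running it shows the maintenance point the slide makes: the absolute-level authorization covers cost centre 2200 before the reorganisation and silently stops covering it once DIV_US_WEST is moved a level deeper (the report fails with an authorization error), while the relative-level authorization keeps working unchanged.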
-
Transaction Code RSSM
Maintaining Unique Hierarchy Node IDs
Transporting Hierarchy Authorization IDs and InfoCube Check
Maintaining Authorization Objects & InfoCubes Check
A Different Way of Looking at InfoCubes Check
Maintaining Authorizations for One or More Users Collectively: PFCG!
Authorizations for Reporting
-
1. Create Variable
2. Define Properties
3. Assign Variable to Query
Authorization Variables in BW 2.x
-
1. Create Variable & Define Properties in Query Designer
2. Assign Variable to Query
Authorization Variables in BW 3.x
-
Authorization Variables: Characteristic Value Type
-
Authorization Variables: Hierarchy Node Type (Multiple Selection View)
-
If this property is set, maintenance of the individual master data / text records for this characteristic can be protected by means of authorizations. E.g., user A may only maintain values from 1000 - 1999 and user B may only maintain values from 2000 - 2999.
Maintenance of Master Data with Authorization
-
mySAP BW Authorization Concept
Implementation
-
Strategy for Authorizations
Role Identification, First Requirements
Authorization Requirements
Authorization Design
Implementation
Test
BW Authorization Requirements Collection Template (with suggested design rules)
Authorization Concept: ASAP Methodology
-
Authorization Tasks in the ASAP Roadmap: Project Preparation
1. Functional scope definition.
2. Project team member user IDs & roles definition.
-
1. Role identification.
2. First identification of the authorization relevant characteristics.
3. Definition of an authorization strategy.
Authorization Tasks in the ASAP Roadmap: Business Blueprint
-
1. Collection of authorization requirements at the chosen level of detail.
2. Profile design.
3. Authorization implementation.
Authorization Tasks in the ASAP Roadmap: Realization
-
1. Test of authorizations.
Authorization Tasks in the ASAP Roadmap: Final Preparation
-
Data Modeler (S_RS_RDEMO)
System Administrator(s) (S_RS_RDEAD, S_RS_ROPAD & S_RS_ROPOP)
Reporting User (S_RS_RREPU)
Reporting Developer (S_RS_RREDE)
mySAP BW Macro Roles
-
InfoCube-based Approach: you collect the requirements as allowing or not allowing access to specific InfoCubes. If it is convenient, you can use the InfoArea to allow or deny a whole group of InfoCubes belonging to the same InfoArea. You can go into more detail by limiting the accessibility of a cube, allowing only part of it; we call this sub-InfoCube, limited by the authorizations assigned to a user, a dataset. In BW a dataset can be defined according to characteristics, key figures, hierarchies and their combinations.
Query Name-based Approach: for pure reporting users (not allowed to build new queries) you can use the query names to simplify the authorization design, creating specific queries for specific roles and allowing only certain query names. The disadvantage of this approach is that there is no relationship between a query name and a set of data, so every new query is a potential security hole: a query name grants whatever data that query happens to select.
InfoCube Independent Dataset Approach: before the data model exists you don't know the InfoCubes, but you can express authorization requirements through datasets, i.e. limitations on characteristics, key figures, hierarchies and their combinations at various levels of detail.
Authorization Requirements Collection Approaches
-
The Authorization Accelerator
-
The Authorization Accelerator: A Bug
-
In Visual Basic, the Rem statement is used to add comments in the code.
The bug is caused because there is no space between False and Rem, so FalseRem is read as a single identifier instead of the value False followed by a comment. To fix, add a space after False.
The Authorization Accelerator: The Fix
-
HR Authorizations in BW 3.0
-
HR Key Figures / Standard Queries: approximately 140 predefined queries and 200 key figures in 2.1C
HR InfoCubes: 20 in 2.1C
HR Extractors for R/3: 15 in 2.1C
HR Business Content
-
Available hierarchies in HR: Organizational Units; Cost Centers; Employees; Age; Capacity Utilization Level; Qualifications, Qualification Groups; Business Events, Business Event Groups
Hierarchies as Characteristics for Navigation
-
Business Content in HR also contains standard calculations / templates for calculations (approximately 70 templates for standard calculations), such as predefined time series comparisons and calculation of averages.
Business Content: Calculations and Time Series
-
Similar to other functional areas, mySAP BW has a comprehensive access control concept operating at various levels for HR. Access authorization can be given:
for complete reports
for certain key figures (e.g. salary in an HR InfoCube)
even for certain characteristic values (e.g. a cost center)
Access authorizations are granted and changed in the Authorization for Reporting transaction (RSSM).
From 3.0, ODS (Operational Data Store) objects are utilized to provide structural authorizations in BW.
HR Authorization Concept in BW
-
Bring structural authorization into the BW environment selectively, or bring all R/3 structural authorizations.
Restrictions: active plan version only, without time-dependency; the delivered content supports Organization, Position & Employee only; the DataSource supports all object types from R/3, but additional customized update rules are required in BW; an Accelerator will be available to guide implementation.
Authorization for display attributes: available in BW 2.0B since patch 7.
HR Structural Authorization
-
Figure: data flow for HR structural authorizations. In R/3 OLTP, the org. structure and the structural authorization tables T77PR (profile), T77UA (assignment) and T77UU (user) are evaluated into the INDX cluster and extracted by DataSources 0HR_PA_2 and 0HR_PA_3 into the PSA in mySAP BW; transfer rules load the structural authorization ODSs 0PA_DS02 and 0PA_DS03, from which RSSM or a function module generates the BW authorizations used by the security check.
HR Structural Authorization
-
1. Create structural authorization profile (IMG or OOSP)
2. Assign user to profile (IMG or OOSB)
3. Update table T77UU to include the user name
4. Execute program RHBAUS00 to create the INDX cluster
5. Activate DataSources 0HR_PA_2 & 0HR_PA_3 in R/3 and BW
6. Create 0HR_PA_2 & 0HR_PA_3 InfoSources & communication structures
7. Activate and load the ODS from R/3
8. Mark the target InfoObjects authorization relevant
9. Create the authorization object in RSSM
10. Use RSSM or execute the RSSB function modules to generate the BW authorizations
11. Create queries with authorization variables
Steps to Install Structural Authorization
-
HR Structural Authorization
-
Figure: scenario org structure. The company BW20 Incorporated has three org units, BW20-01 Group 1, BW20-02 Group 2 and BW20-03 Group 3; the cost centers 2001IT, 2001Market, 2001Sales, 2001FI and 2001HR; and 14 employees with personnel numbers 20010001 (Employee #1) to 20010014 (Employee #14).
Scenario
-
Why an Automated Authorizations Generator: simplify the process of maintaining InfoObject-level authorizations; enable authorizations generated from R/3 and non-R/3 source systems; bring R/3 structural authorizations to BW via standard Business Content; full refresh at a customer-selected frequency.
Key Benefits: reduced redundant security setup; cross-system consistency.
Motivation and Benefits
-
Sourced from four types of ODS objects: Authorization Value ODS, Hierarchy ODS, Text ODS, User List ODS.
ODS population: from R/3 (HR structural authorizations) or from flat files.
New HR Structural Authorizations Business Content; new RSSM user interface.
Automatic Security Profile Generator
-
Figure: automatic profile generation architecture. Source systems (File, R/3, Other) expose DataSources through the BW S-API; mapping & transfer rules and update rules load four ODS objects on the SAP BW Server: 0TCA_DS01 (Value), 0TCA_DS02 (Hierarchy), 0TCA_DS03 (Text) and 0TCA_DS04 (User Assignment), with the BW metadata replicated from the DataSources. Transaction RSSM "Generate Authorization" then builds the authorization object (e.g. from 0TCTAUTHH, 0ORGUNIT, 0EMPLOYEE).
Automatic Profile Generation Architecture
-
Value ODS Object Overview
-
Hierarchy ODS Object Overview
-
Generating Authorizations in RSSM
-
Steps to Create Authorizations from Flat Files
1. Create the Authorization Value InfoSource & ODS: use 0TCA_DS01 as template; the ODS name must be XXXX_DS01.
2. Create the Authorization Hierarchy InfoSource & ODS: use 0TCA_DS02 as template; the ODS name must be XXXX_DS02.
3. Create update rules & flat files for the ODS loads: the date format is YYYYMMDD (or your default format); several objects can be defined as constants.
4. Mark the InfoObjects authorization relevant and define the reporting authorization object via RSSM: in RSSM, find your ODSs & mark the auth object.
5. Generate profiles via RSSM or the RSSB program: execute RSSB_Generate_Authorizations.
6. Create authorization variables in the query definition: define variables for the auth InfoObjects and include them in your queries.
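As an added worked example (not code from the slides and not SAP's RSSB function modules), the Python model below ties the installation steps for structural authorization and the flat-file load above together: a structural profile (root object, evaluation path, depth, active plan version only) is evaluated over the scenario org structure, only users listed in the T77UU-style user table are exported, and the result is written as rows for an authorization-value ODS in the YYYYMMDD date format the flat-file load requires, with consecutive personnel numbers collapsed into BT intervals. The org structure follows the scenario slide, but which cost centre belongs to which group and which employees sit in which cost centre is assumed, as are the evaluation-path simplification, the user names and the ODS column names.

```python
"""Generating BW authorization rows from HR structural authorization profiles (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Set, Tuple

Obj = Tuple[str, str]  # (object type, object id): O = org unit, K = cost centre, P = person

# Constructed org structure modelled on the scenario slide. The cost-centre-to-group and
# employee-to-cost-centre assignments are ASSUMED; the slide does not show them.
ORG: Dict[Obj, List[Obj]] = {
    ("O", "BW20"):       [("O", "BW20-01"), ("O", "BW20-02"), ("O", "BW20-03")],
    ("O", "BW20-01"):    [("K", "2001IT"), ("K", "2001Market")],
    ("O", "BW20-02"):    [("K", "2001Sales"), ("K", "2001FI")],
    ("O", "BW20-03"):    [("K", "2001HR")],
    ("K", "2001IT"):     [("P", "20010001"), ("P", "20010002"), ("P", "20010003")],
    ("K", "2001Market"): [("P", "20010004"), ("P", "20010005")],
    ("K", "2001Sales"):  [("P", "20010006"), ("P", "20010007"), ("P", "20010008")],
    ("K", "2001FI"):     [("P", "20010009"), ("P", "20010010"), ("P", "20010011")],
    ("K", "2001HR"):     [("P", "20010012"), ("P", "20010013"), ("P", "20010014")],
}

# Simplified evaluation path: which parent-type -> child-type edges may be followed.
# Real evaluation paths are relationship-based (e.g. O-O-S-P); this is an assumption.
EVAL_PATH: Set[Tuple[str, str]] = {("O", "O"), ("O", "K"), ("K", "P")}


@dataclass(frozen=True)
class StructuralProfile:
    """Loosely modelled on a T77PR row: plan version, root object and evaluation depth (0 = unlimited)."""
    plan_version: str
    object_type: str
    object_id: str
    depth: int


# Stand-ins for T77UA (user -> profiles) and T77UU (users exported to BW; RHBAUS00 fills INDX only for these).
T77UA: Dict[str, List[StructuralProfile]] = {
    "JSMITH":   [StructuralProfile("01", "O", "BW20-01", 0)],   # Group 1 only
    "HRADMIN":  [StructuralProfile("01", "O", "BW20", 0)],      # whole company
    "MGRONLY":  [StructuralProfile("01", "O", "BW20", 1)],      # company and groups, no people
    "NOEXPORT": [StructuralProfile("01", "O", "BW20", 0)],      # has a profile but is not in T77UU
}
T77UU: Set[str] = {"JSMITH", "HRADMIN", "MGRONLY"}


def evaluate(profile: StructuralProfile, org: Dict[Obj, List[Obj]] = ORG,
             eval_path: Set[Tuple[str, str]] = EVAL_PATH) -> Set[Obj]:
    """Objects reachable from the profile root along the evaluation path, `depth` levels down."""
    if profile.plan_version != "01":          # active plan version only (slide restriction)
        return set()
    root: Obj = (profile.object_type, profile.object_id)
    reached, frontier, level = {root}, [root], 0
    while frontier and (profile.depth == 0 or level < profile.depth):
        nxt: List[Obj] = []
        for parent in frontier:
            for child in org.get(parent, []):
                if (parent[0], child[0]) in eval_path and child not in reached:
                    reached.add(child)
                    nxt.append(child)
        frontier, level = nxt, level + 1
    return reached


def visible_objects(user: str) -> Set[Obj]:
    """Union over all profiles assigned to the user; empty if the user is not exported via T77UU."""
    if user not in T77UU:
        return set()
    objects: Set[Obj] = set()
    for profile in T77UA.get(user, []):
        objects |= evaluate(profile)
    return objects


def collapse(ids: Iterable[str]) -> List[Tuple[str, str]]:
    """Collapse consecutive 8-digit personnel numbers into (low, high) intervals to cut the row count."""
    runs: List[List[int]] = []
    for n in sorted(int(i) for i in ids):
        if runs and n == runs[-1][1] + 1:
            runs[-1][1] = n
        else:
            runs.append([n, n])
    return [(f"{lo:08d}", f"{hi:08d}") for lo, hi in runs]


# Column names are assumed; the real 0TCA_DS01 value ODS uses its own InfoObject names.
COLUMNS = ["USER", "AUTH_OBJECT", "IOBJNM", "SIGN", "OPTION", "LOW", "HIGH", "VALID_FROM", "VALID_TO"]


def generate_rows(user: str, auth_object: str = "ZHR_REP",
                  valid_from: date = date(2002, 1, 1)) -> List[Dict[str, str]]:
    """Rows for the authorization-value ODS: one EQ row per org unit, BT intervals for employees."""
    objects = visible_objects(user)

    def row(iobjnm: str, option: str, low: str, high: str = "") -> Dict[str, str]:
        return dict(zip(COLUMNS, [user, auth_object, iobjnm, "I", option, low, high,
                                  valid_from.strftime("%Y%m%d"), "99991231"]))

    rows = [row("0ORGUNIT", "EQ", oid) for typ, oid in sorted(objects) if typ == "O"]
    for lo, hi in collapse(oid for typ, oid in objects if typ == "P"):
        rows.append(row("0EMPLOYEE", "EQ", lo) if lo == hi else row("0EMPLOYEE", "BT", lo, hi))
    return rows


def to_flat_file(rows: List[Dict[str, str]]) -> str:
    """Comma-separated load file; dates are already YYYYMMDD as the flat-file load expects."""
    return "\n".join([",".join(COLUMNS)] + [",".join(r[c] for c in COLUMNS) for r in rows])


if __name__ == "__main__":
    print(to_flat_file(generate_rows("JSMITH")))
```

The two things worth checking in a real load are visible in the model: a user with a profile but no T77UU entry gets no rows at all (step 3 of the installation is not optional), and a depth-limited profile yields org-unit rows without any employee rows, so a query that filters on 0EMPLOYEE through an authorization variable would return nothing for that user rather than everything.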
-
Authorizations in mySAP SEM
-
Authorizing Transaction Data in mySAP BW, for example: Cost Center, Profit Center, Personnel Number, etc.
Authorizing Customizing Data in mySAP SEM (as of 3.0A), for example: Global PI Sequence, Planning Profile, Planning Package, Planning Method, Planning Set, Planning Level, Planning Area.
Enhancements of Authorization Concept in SEM 3.0
-
Authorizations in Enterprise Portal
-
Enterprise Portal Sensitive Security Areas (figure: six numbered areas around the Portal Server, the User Directory and a Third Party System)
1. Authentication
2. User Management
3. Secure Network
4. Secure Communication
5. Authorization
6. Single Sign-On
-
Figure: new user management in mySAP Technology. A Central User Store (LDAP, XML) serves the Portal Infrastructure, the Web Application Server, other application servers and the Exchange Infrastructure. Registration, authentication and role definition are central; role assignment is decentralized and authorization configuration stays local to each system.
mySAP Technology New User Management
-
Depending on what release you are currently on, the level of integration of your SAP systems with your corporate directories can differ.
Recently, directory services and the Lightweight Directory Access Protocol (LDAP) have become the focal point for access to central organizational and configuration data across the entire system landscape.
As of SAP Basis Release 4.5, Central User Administration and Global User Manager (see note below) functionalities exist within SAP systems via ALE.
As of SAP Basis Release 4.6, access to corporate directories is facilitated from the SAP system with the LDAP Connector.
With SAP Web Application Server 6.10 comes support for periodic synchronization of user data with your corporate directory using the LDAP Connector.
Note: In September 2001, SAP advised all customers not to use the Global User Manager (Transaction SUUM) until further notice. Refer to OSS Note 433941.
Central User Management
-
Contacts
Mohamed [email protected]
Business Intelligence & TechnologySAP Systems Integration America, LLC
5 Concourse Parkway, Suite 925Atlanta GA 30328
http://www.sap-si.com
-
Thank you for attending!Please remember to complete and return
your evaluation form following this session.
Session Code: 1204