New Features of New SAP BI 7 0 Authorization as Authorization Concept (2)
-
Upload
kumar-casanova -
Category
Documents
-
view
247 -
download
0
Transcript of New Features of New SAP BI 7 0 Authorization as Authorization Concept (2)
-
8/2/2019 New Features of New SAP BI 7 0 Authorization as Authorization Concept (2)
1/72
An Ex per t Guide t oNew SAP BISec ur i t y Feat ures
Marc BernardSAP Labs
-
8/2/2019 New Features of New SAP BI 7 0 Authorization as Authorization Concept (2)
2/72
SAP AG 2006, 2
Objec t i ves
In this session you will
Learn how to grant access to data on various levels of detail
Find out how the new analysis authorizations compare to the oldconcept based on authorization objects
Understand the new options for defining authorizations
See a demonstration of the new functionality
Hear about migration tools
Take away information about the latest monitoring and auditing
capabilities for security settings
-
8/2/2019 New Features of New SAP BI 7 0 Authorization as Authorization Concept (2)
3/72
Overview of New Authorization Concept
Comparison of Old and New Authorization Concepts
Authorization Maintenance
Generating Authorizations Automatically
Assigning Authorizations to Users and Roles
Monitoring, Auditing, and Test Tools
Migration
Summary
-
8/2/2019 New Features of New SAP BI 7 0 Authorization as Authorization Concept (2)
4/72
Overview of New Authorization Concept
Comparison of Old and New Authorization Concepts
Authorization Maintenance
Generating Authorizations Automatically
Assigning Authorizations to Users and Roles
Monitoring, Auditing, and Test Tools
Migration
Summary
-
8/2/2019 New Features of New SAP BI 7 0 Authorization as Authorization Concept (2)
5/72
SAP AG 2006, 5
SAP NetWeaver Sec ur i t y
DB and OS Abstraction.NET WebSphere
Sec ure User Acc ess
Infrastructure
Security
Sec ure Col laborat ion
Software
Lifecycle
S
ecurity
Appl ic a t ion Sec ur i ty
SAP Net Weaver Sec ur i t ySAP Net Weaver Sec ur i t y
-
8/2/2019 New Features of New SAP BI 7 0 Authorization as Authorization Concept (2)
6/72
SAP AG 2006, 6
SAP NetWeaver Roles and Aut hor izat ions 101
Application Security
Based on roles and authorization concept
Users are assigned to roles
Roles contain authorizations
Authorizations are defined for authorization objects
The system checks authorization objects against theauthorizations of the user
-
8/2/2019 New Features of New SAP BI 7 0 Authorization as Authorization Concept (2)
7/72
SAP AG 2006, 7
Com pariso n of OLTP and OLAP Sec ur i t y Needs
Security Needs in mySAP ERP (OLTP) Transaction-based security
Driven by:
Transaction codes
Specific field valuesWhich activities a user can perform
Focused on getting daily work completed as quickly and efficientlyas possible
Security Needs in SAP NetWeaver BI (OLAP) Analysis-based security
Driven by:
InfoProviders
QueriesData
Different business purpose and goals than OLTP
Focused on displaying, planning, and analyzing data
-
8/2/2019 New Features of New SAP BI 7 0 Authorization as Authorization Concept (2)
8/72
SAP AG 2006, 8
Termino logy
Standard Authorizations Based on standard role and authorization concept of SAP
Was and still are used for BI administrator and developer activities
Reporting Authorizations
Old security concept up to SAP NetWeaver 04 (up to SAP BW 3.5)
Control for which data a user has access to in a query
Realized through the standard authorization concept, whichhas many limitations
Analysis Authorizations
New security concept as of SAP NetWeaver 2004s
Is not based on standard authorization concept in order toovercome the limitations
Takes features of reporting and analysis in BI into consideration
Coveredi
n
thispres
entation
-
8/2/2019 New Features of New SAP BI 7 0 Authorization as Authorization Concept (2)
9/72
SAP AG 2006, 9
In t roduc t ion to Ana lys is Aut hor iza t ions
Sc enar io : Suf f ic ient Aut hor izat ions Complete selection is subset of
authorizations
Query results will be shown
Sc enar io : Insuf f ic ien t Aut hor iza t ions
Complete or part of selection
is outside of authorizations
Query results will not beshown at all
Authorizations
QuerySelection
Authorizations
QuerySelection
-
8/2/2019 New Features of New SAP BI 7 0 Authorization as Authorization Concept (2)
10/72
SAP AG 2006, 10
In t roduc t ion to Ana lys is Aut hor iza t ions (c ont .)
Ex c ep t ions fo r A l l-o r -Noth ing Ru le
Display hierarchies are automatically filteredby the authorization
Key figure values are not displayed if the key figure
is not authorized
-
8/2/2019 New Features of New SAP BI 7 0 Authorization as Authorization Concept (2)
11/72
SAP AG 2006, 11
Aut hor izat ion Levels
Ac c ess Can Be Rest r i c t ed by Author iza t ions On InfoCube Level
On Characteristic Level
On Characteristic Value Level
On Key Figure Level
On Hierarchy Node Level
Authorization
A
uthorization
Autho-rization
On Key Figure Level On Characteristic Value Level
On Characteristic Level
-
8/2/2019 New Features of New SAP BI 7 0 Authorization as Authorization Concept (2)
12/72
Overview of New Authorization Concept
Comparison of Old and New Authorization Concepts
Authorization Maintenance
Generating Authorizations Automatically
Assigning Authorizations to Users and Roles
Monitoring, Auditing and Test Tools
Migration
Summary
-
8/2/2019 New Features of New SAP BI 7 0 Authorization as Authorization Concept (2)
13/72
SAP AG 2006, 13
Com par ing Author iza t ion Concept s
L im i t a t ions of ear l ier SAP BW re leases
Author iza t ion ob jec t s
-
8/2/2019 New Features of New SAP BI 7 0 Authorization as Authorization Concept (2)
14/72
SAP AG 2006, 14
Com par ing Aut hor iza t ion Conc epts (c ont . )
Im provement s w i t h SAP Net Weaver 2004s
Analys is aut hor iza t ionAuthor iza t ion ob jec t s
-
8/2/2019 New Features of New SAP BI 7 0 Authorization as Authorization Concept (2)
15/72
SAP AG 2006, 15
Com par ing Aut hor iza t ion Conc epts (c ont . )
Please see the appendix on your take-home CDfor a detailed comparison
-
8/2/2019 New Features of New SAP BI 7 0 Authorization as Authorization Concept (2)
16/72
Overview of New Authorization Concept
Comparison of Old and New Authorization Concepts
Authorization Maintenance
Generating Authorizations Automatically
Assigning Authorizations to Users and Roles
Monitoring, Auditing, and Test Tools
Migration
Summary
-
8/2/2019 New Features of New SAP BI 7 0 Authorization as Authorization Concept (2)
17/72
SAP AG 2006, 17
St eps o f Author iza t ion Main tenanc e
Follow these steps to create your authorizations
InfoObject Maintenance (RSD1):
1. Define Authorization-Relevant Characteristics
2. Define Authorization-Relevant Attributes
Management of Analysis Authorizations (RSECADMIN):
3. Authorize Characteristic Values
4. Authorize Attribute Values
5. Authorize Hierarchies
6. Add Special Authorization Characteristics
7. Add Key Figure Authorizations
8. Add Variables in Authorizations
-
8/2/2019 New Features of New SAP BI 7 0 Authorization as Authorization Concept (2)
18/72
SAP AG 2006, 18
Bus iness Cont ent fo r Aut hor iza t ions
Before you get started, here are some tips:
Activate all Business Content related to authorizations beforeyou get started
InfoObjects: 0TCA* (and 0TCT* if not done already)
InfoCubes: 0TCA*
Set the following InfoObjects as authorization-relevant
0TCAACTVT
0TCAIPROV
0TCAVALID0TCAKYFNM
Add 0TCAIFAREA asan external hierarchycharacteristic to
0INFOPROV
-
8/2/2019 New Features of New SAP BI 7 0 Authorization as Authorization Concept (2)
19/72
SAP AG 2006, 19
1. Aut hor izat ion-Relevant Charact er is t ic s
Before restrictingauthorizations oncharacteristics, you
have to mark them asauthorization-relevant
InfoObject Maintenance (Transaction RSD1)
-
8/2/2019 New Features of New SAP BI 7 0 Authorization as Authorization Concept (2)
20/72
SAP AG 2006, 20
2. Author izing Nav igat iona l A t t r ibu tes
If you want to grantauthorizations onnavigational attributes,
mark them in theattribute tab strip asauthorization-relevant
InfoObject Maintenance (Transaction RSD1)
-
8/2/2019 New Features of New SAP BI 7 0 Authorization as Authorization Concept (2)
21/72
SAP AG 2006, 21
3. Aut hor izing Charac t er is t ic Values
Scenario: A group ofusers is authorizedonly to specific
sales organizations(e.g., Berlin andBirmingham)
Central maintenancefor (analysis)authorizations/transactionRSECADMIN
-
8/2/2019 New Features of New SAP BI 7 0 Authorization as Authorization Concept (2)
22/72
SAP AG 2006, 22
3. Aut hor izing Charac t er is t ic Values (c ont .)
A group of users isauthorized only tospecific salesorganizations(e.g., Berlin andBirmingham)
Possib le Valu es
EQ: Single value
BT: Range of values
CP: Contains (simple) patterns ending with * (e.g., XY*)
(Berlin)
(Birmingham)
-
8/2/2019 New Features of New SAP BI 7 0 Authorization as Authorization Concept (2)
23/72
SAP AG 2006, 23
Spec ia l Author izat ion Value
Spec ia l Author iza t ion Va lues (fo r a l l c harac t er i s t i c s )* (asterisk)
Denotes a set of arbitrary characters
Used alone to grant access to all values
Used at the end of a value to specify a simple pattern (example: SAP*)
: (colon)
Allows access only to aggregated data (e.g., allows information on all
sales areas only on aggregated level not on particular sales areas)
+ (plus)
Denotes exactly one character
Used at the end of a value to specify a simple pattern (example: RED+)
Used to specify date patterns (only for Validity (0TCAVALID))
# (hash)
Stands for the initial or unassigned value
-
8/2/2019 New Features of New SAP BI 7 0 Authorization as Authorization Concept (2)
24/72
SAP AG 2006, 24
4. Author izing Nav igat iona l A t t r ibu tes
Navigat iona l A t t r i bu tes
Can be assigned individually
Tip: The referencing
characteristic(here: 0D_SALE_ORG) doesnot need to beauthorization-relevant
-
8/2/2019 New Features of New SAP BI 7 0 Authorization as Authorization Concept (2)
25/72
SAP AG 2006, 25
5. Aut hor izing Hierarc h ies
In the same way as withvalue authorization,you can also grantauthorizations onhierarchy levels
Assume youll have asales organizationas depicted
-
8/2/2019 New Features of New SAP BI 7 0 Authorization as Authorization Concept (2)
26/72
SAP AG 2006, 26
5. Aut hor izing Hierarc h ies (c ont .)
Now you grantaccess for the
complete Americasand France
You can alsouse variables toflexibly and
dynamicallydeterminehierarchynodes
-
8/2/2019 New Features of New SAP BI 7 0 Authorization as Authorization Concept (2)
27/72
SAP AG 2006, 27
Only the selected nodes
5. Aut hor izing Hierarc h ies (c ont .)
Use case: Hierarchiesthat happen to be
restructured regularly
Subtree below nodes
Subtree below nodes to level (incl.)
Complete hierarchy
Subtree below nodes to(and including) level (relative)
Type of Aut hor izat ion
-
8/2/2019 New Features of New SAP BI 7 0 Authorization as Authorization Concept (2)
28/72
SAP AG 2006, 28
5. Aut hor izing Hierarc h ies (c ont .)
Val id i t y Range
Which authorization hierarchy is checked against the currentlyused hierarchy (strictness of check)?
Name, Version Identical, and Key Date Less Than or Equal to
Name and Version Identical
Name Identical
All Hierarchies
Recommendation: Try to be as strict as possible!
-
8/2/2019 New Features of New SAP BI 7 0 Authorization as Authorization Concept (2)
29/72
SAP AG 2006, 29
6. Spec ia l Author iza t ion Charac t er i s t i c s
Aut hor iza t ions on Spec ia l Charac t er i s t i c s
Some special characteristics can be included in an authorization.Note: They must not be included in queries!
These special characteristics must be assigned to a user in at least one
authorization InfoProvider
Validity
Activity
Insert special
characteristics
-
8/2/2019 New Features of New SAP BI 7 0 Authorization as Authorization Concept (2)
30/72
SAP AG 2006, 30
6. Spec ia l Author iza t ion Charac t er i s t i c s (cont .)
RecommendationIt is not technically necessary to include these specialcharacteristics in every authorization, but it is considered abest practice in order to retain clarity
6 S i l A h i i Ch i i ( )
-
8/2/2019 New Features of New SAP BI 7 0 Authorization as Authorization Concept (2)
31/72
SAP AG 2006, 31
6. Spec ia l Author iza t ion Charac t er i s t i c s (cont .)
InfoProvider Grant authorization to particular InfoProviders
Technical name: 0TCAIPROV
Possible values:
Single value (EQ) One InfoProvider
Range (BT) Range of InfoProviders
Pattern (CP) Selection of InfoProviders (e.g., 0SD_*)
Hierarchy node Selection of InfoProviders based on InfoArea hierarchy
Default* All InfoProviders
6 S i l A th i t i Ch t i t i ( t )
-
8/2/2019 New Features of New SAP BI 7 0 Authorization as Authorization Concept (2)
32/72
SAP AG 2006, 32
6. Spec ia l Author iza t ion Charac t er i s t i c s (cont .)
Va l id i ty Define when authorizations are valid or not valid
Technical name: 0TCAVALID
Possible values
Include (I) Grant authorization
Exclude (E) Deny authorization ^
Single value (EQ) Exactly one date
Range (BT) Range of dates
Less or Equal (LE) Everything value in FROM field ^
Greater or Equal (GE) Everything >= value in FROM field ^Less Than (LT) Everything < value in FROM field ^
Pattern (CP) Selection of dates ^
+ (plus) denotes exactly one character (e.g., 01.++.2005 until 10.++.2005:allows access only the first 10 days of each month in 2005)
Default* Always valid
^ Exclude (E), special ranges (LE, GT, GE, LT), and the plus pattern (+)work ONLY for this special characteristic!
6 S i l A th i t i Ch t i t i ( t )
-
8/2/2019 New Features of New SAP BI 7 0 Authorization as Authorization Concept (2)
33/72
SAP AG 2006, 33
6. Spec ia l Author iza t ion Charac t er i s t i c s (cont .)
Ac t i v i t y Grant authorization to different activities
Technical name: 0TCAACTVT
Possible values:
02 Change data (for example, for business planning)
03 Display data
Default03 Display data
7 K ey Figure Aut hor izat ions
-
8/2/2019 New Features of New SAP BI 7 0 Authorization as Authorization Concept (2)
34/72
SAP AG 2006, 34
7. K ey Figure Aut hor izat ions
K ey Figure Author izat ions Grant authorization to particular key figures
Technical name: 0TCAKYFNM
Possible values
Single value (EQ) Exactly one key figure
Range (BT) Selection of key figuresPattern (CP) Selection of key figures based on pattern
Default* All key figures
Tip: If a particular key figure is defined as authorization-relevant, it willbe checked for every InfoProvider
8 Var iab les in Aut hor izat ions
-
8/2/2019 New Features of New SAP BI 7 0 Authorization as Authorization Concept (2)
35/72
SAP AG 2006, 35
8. Var iab les in Aut hor izat ions
Var iables o f Type Custom er Ex i t
For value and/or hierarchy authorizations
Determined during query runtime using custom code
Example: Determine sales organization from assignments of the
user master data
Use enhancement RSR00001(transaction CMOD) for thenecessary coding
-
8/2/2019 New Features of New SAP BI 7 0 Authorization as Authorization Concept (2)
36/72
Overview of New Authorization Concept
Comparison of Old and New Authorization ConceptsAuthorization Maintenance
Generating Authorizations Automatically
Assigning Authorizations to Users and Roles
Monitoring, Auditing, and Test Tools
Migration
Summary
St eps for Generat ing Aut hor izat ions
-
8/2/2019 New Features of New SAP BI 7 0 Authorization as Authorization Concept (2)
37/72
SAP AG 2006, 37
St eps for Generat ing Aut hor izat ions
Follow these steps to generate authorizations automatically:
Data Warehouse Workbench (RSA1):
1. Activate Business Content
2. Load DataStore Objects
Management of Analysis Authorizations (RSECADMIN):
3. Generate Authorizations
4. View Generation Log
Tip: Especially with high user counts or very detailedauthorizations, generating authorizations will save a lot ofmanual work
1 Ac t iva te Bus iness Cont ent
-
8/2/2019 New Features of New SAP BI 7 0 Authorization as Authorization Concept (2)
38/72
SAP AG 2006, 38
1. Ac t i va te Bus iness Cont ent
Business Content for Authorizations
SAP delivers Business Content for storing authorizations and userassignment of authorizations
Human Resources (HR)
Controlling (CO)
2. Load Dat aSt ore Objec t s
-
8/2/2019 New Features of New SAP BI 7 0 Authorization as Authorization Concept (2)
39/72
SAP AG 2006, 39
2. Load Dat aSt ore Objec t s
DataStore Objects for Authorizations Fill the DataStore objects with the user data and authorizations
Extract the data, for example, from an SAP R/3 source system
or
Load the data from a flat file
Tip: You might want to add some consistency checks here to avoid
errors during the generation later
3. Generat e Aut hor izat ions
-
8/2/2019 New Features of New SAP BI 7 0 Authorization as Authorization Concept (2)
40/72
SAP AG 2006, 40
3. Generat e Aut hor izat ions
Generation of Authorizations from DataStore Objects
Start the generation by specifying the relevant DataStore objects
4. V iew Generat ion Log
-
8/2/2019 New Features of New SAP BI 7 0 Authorization as Authorization Concept (2)
41/72
SAP AG 2006, 41
g
After the generation is complete, you can view a detailed log
First check errors, then also look at warnings
-
8/2/2019 New Features of New SAP BI 7 0 Authorization as Authorization Concept (2)
42/72
Overview of New Authorization Concept
Comparison of Old and New Authorization ConceptsAuthorization Maintenance
Generating Authorizations Automatically
Assigning Authorizations to Users and Roles
Monitoring, Auditing and Test Tools
Migration
Summary
St eps for Ass ign ing Aut hor izat ions to Users
-
8/2/2019 New Features of New SAP BI 7 0 Authorization as Authorization Concept (2)
43/72
SAP AG 2006, 43
p g g
Pick one of these options to assign authorizations to users:
Management of Analysis Authorizations (RSECADMIN):
1. Assign Individual Authorizations
2. Assign Groups of Authorizations
Role Maintenance (PFCG):
3. Assign Authorizations to Roles
Tip: You can use a combination of these options. If you already
have a role-based infrastructure in place, option 3will be the best.
1. Ass ign ing Ind iv idual Aut hor izat ions
-
8/2/2019 New Features of New SAP BI 7 0 Authorization as Authorization Concept (2)
44/72
SAP AG 2006, 44
Direct Assignment of Authorizations to Users
Select a user ID and changethe assignment
Then insert individual authorizations
to the assigned list
2. Ass ign ing Groups of Aut hor izat ions
-
8/2/2019 New Features of New SAP BI 7 0 Authorization as Authorization Concept (2)
45/72
SAP AG 2006, 45
Assignment of Groups of Authorizations to Users
You can group authorizations intoa hierarchy. Use InfoObject0TCTAUTH for this hierarchy
(youll have to activate the content
objects for this InfoObject).
Then you can assign one or
several authorization groups tothe selected user
Spec ia l Aut hor izat ion
-
8/2/2019 New Features of New SAP BI 7 0 Authorization as Authorization Concept (2)
46/72
SAP AG 2006, 46
Generated Special Authorization: 0BI_ALL
Automatically generated and not changeable
Grants authorizations for all values of all authorization-relevantcharacteristics
Adjusted whenever a new InfoObject is set to authorization-relevant
Simple possibility to grantauthorizations to everything(e.g., via role see next slide)
3. Ass ign ing Aut hor izat ions t o Roles
-
8/2/2019 New Features of New SAP BI 7 0 Authorization as Authorization Concept (2)
47/72
SAP AG 2006, 47
Role Maintenance
Alternatively to the direct assignment, you can also assignauthorizations to roles, which can then be assigned to users
Use authorization object S_RS_AUTH for the assignment ofauthorizations to roles
Maintain the authorizations as values for field BIAUTH
-
8/2/2019 New Features of New SAP BI 7 0 Authorization as Authorization Concept (2)
48/72
Overview of New Authorization Concept
Comparison of Old and New Authorization ConceptsAuthorization Maintenance
Generating Authorizations Automatically
Assigning Authorizations to Users and Roles
Monitoring, Auditing, and Test Tools
Migration
Summary
St eps for Moni t or ing, Audi t ing, and Test ing
-
8/2/2019 New Features of New SAP BI 7 0 Authorization as Authorization Concept (2)
49/72
SAP AG 2006, 49
Use these tools for monitoring, auditing, and testing authorizations:
1. Authorization Monitoring
2. Legal Audit
Tip: The improved monitoring capabilities are especially helpful forproduction support
1. Aut hor izat ion Moni tor ing
-
8/2/2019 New Features of New SAP BI 7 0 Authorization as Authorization Concept (2)
50/72
SAP AG 2006, 50
Checking Authorizations
Log on with your own user ID (production support role)
Check query execution with the authorizations of a specific user
Tip: There is no password required. Therefore, access to this support toolshould be restricted using authorization object S_RSEC.
1. Aut hor izat ion Moni t or ing (c ont .)
-
8/2/2019 New Features of New SAP BI 7 0 Authorization as Authorization Concept (2)
51/72
SAP AG 2006, 51
Evaluate Log Protocol
Turn on logging of user activitiesrelated to analysis authorizations
View detailed information aboutauthorization checks
Which characteristics are relevant?
Which selections are checked vs.which authorizations?
And much more ...
2. Legal Audi t ing
-
8/2/2019 New Features of New SAP BI 7 0 Authorization as Authorization Concept (2)
52/72
SAP AG 2006, 52
Rec ord ing of Changes
Activate the following VirtualProviders from the Business Content(VAL = Values, HIE = Hierarchies, UA = User Assignment)
The system records all changes to authorizations anduser assignments
Using a query, you can easily answer questions like:How many users have access to a given InfoCube?
Which users have access to company code 1000?
When was authorization GIVEMEALL created, and by whom?
2. Legal Audi t ing (c ont .)
-
8/2/2019 New Features of New SAP BI 7 0 Authorization as Authorization Concept (2)
53/72
SAP AG 2006, 53
Rec ord ing of Changes
Query Example
Linked into Administration Cockpit
-
8/2/2019 New Features of New SAP BI 7 0 Authorization as Authorization Concept (2)
54/72
Overview of New Authorization Concept
Comparison of Old and New Authorization ConceptsAuthorization Maintenance
Generating Authorizations Automatically
Assigning Authorizations to Users and Roles
Monitoring, Auditing, and Test Tools
Migration
Summary
St eps fo r Migra t ion o f Aut hor iza t ions
-
8/2/2019 New Features of New SAP BI 7 0 Authorization as Authorization Concept (2)
55/72
SAP AG 2006, 55
Follow these four steps to migrate authorizations:
Migration Tool (program RSEC_MIGRATION):
1. Select Users
2. Select Authorizations
3. Pick Assignment Method
4. Set Migration Mode
Tip: Allocate enough time to do the migration during your system
upgrade and for performing thorough tests
Before You St ar t
-
8/2/2019 New Features of New SAP BI 7 0 Authorization as Authorization Concept (2)
56/72
SAP AG 2006, 56
Migrat ion Suppor t
The migration is a singular event (i.e., not to be scheduled later)
During migration to the new authorization concept, the existingconcept wont be changed
Semi-automatic migration
The more complex the existing authorization concept, the more manualmigration work might be necessary
Customer-exit variables for 0TCTAUTHH cannot be migrated; the respectivehierarchy nodes must be assigned manually
Intensive tests are highly recommended
Before You St ar t (c ont .)
-
8/2/2019 New Features of New SAP BI 7 0 Authorization as Authorization Concept (2)
57/72
SAP AG 2006, 57
Recommendat ions
It is highly recommended to migrate to the new concept
The former authorization concept wont be supported any longer
You can, however, switch back to the former concept in someexceptional cases (IMG setting)
St ar t t he Migra t i on
-
8/2/2019 New Features of New SAP BI 7 0 Authorization as Authorization Concept (2)
58/72
SAP AG 2006, 58
Migra t ion St ep 0 Run ABAP program RSEC_MIGRATION (transaction SA38 or SE38)
1. User Selec t ion
-
8/2/2019 New Features of New SAP BI 7 0 Authorization as Authorization Concept (2)
59/72
SAP AG 2006, 59
User 2
Migra t ion St ep 1
Choose users
Migration can be done for singular user groups
Prerequisite: A user group must be complete and self-contained!
User 1Authorization Object 1
Authorization Object 2
Authorization Object 3
If User 1 is chosen andAuthorization Objects 1 and 2
should be migrated, you have tochoose User 2 as well in order tohave a completeuser group
Note: There might be entangled dependencies ofusers with respect to the authorization objects.Youll get a message with information on themissing users in case the user group
is not compete.
2. Aut hor izat ion Selec t ion
-
8/2/2019 New Features of New SAP BI 7 0 Authorization as Authorization Concept (2)
60/72
SAP AG 2006, 60
Migra t ion St ep 2
Choose authorization objects to be migrated
3. Ass ignm ent Met hod
-
8/2/2019 New Features of New SAP BI 7 0 Authorization as Authorization Concept (2)
61/72
SAP AG 2006, 61
Migra t ion St ep 3
Choose an assignment method
Direct user assignment
Migrated authorizations will be assigned to the users directly (not via roles)
Migrated authorizations have prefix RSR_ and will be treated like generatedauthorizations
Create new profiles
Generation of profiles based on authorization object S_RS_AUTH thatcontains the new, migrated authorizations
Preserves the existing role concept and adds new profiles to the role
Generated profiles have prefix RSR_
Extend existing profiles Existing profiles will be extended by
authorization object S_RS_AUTHcontaining the migrated authorizations
Undo migration
All migrated authorizations and profileswill be deleted; extended profiles containempty authorization object R_RS_AUTH
4. Migrat ion Mode
-
8/2/2019 New Features of New SAP BI 7 0 Authorization as Authorization Concept (2)
62/72
SAP AG 2006, 62
Migra t ion St ep 4
Choose details of authorization migration expert mode
Settings for referencing navigational attributes and characteristics areonly relevant for the compatibility mode setting in SAP BW 3.x
Please have a look at the detailed documentation for more information
Af ter t he Migra t ion Run
-
8/2/2019 New Features of New SAP BI 7 0 Authorization as Authorization Concept (2)
63/72
SAP AG 2006, 63
Migra t ion Pro t oc o l
At the end of the migration run, view the detailed protocol
Check for warnings and errors reported during the migration
Tip: The migration can bequite tricky. It helps ifyou have good
documentation of theexisting authorizationsetup (for example, todefine user groups for
the migration)
-
8/2/2019 New Features of New SAP BI 7 0 Authorization as Authorization Concept (2)
64/72
Overview of New Authorization Concept
Comparison of Old and New Authorization Concepts
Authorization Maintenance
Generating Authorizations Automatically
Assigning Authorizations to Users and Roles
Monitoring, Auditing, and Test Tools
Migration
Summary
Where t o Find Free Publ ic Tec hnic a l In form at ion
SAP D l N t k (i t f d b l i )
-
8/2/2019 New Features of New SAP BI 7 0 Authorization as Authorization Concept (2)
65/72
SAP AG 2006, 65
s
dn.s
ap.c
om
SAP Developer Net w ork (i t s f ree and publ ic )
Where t o Find App l ic a t ion and Educat iona l In form at ion
SAP Serv ic e Mark et p lac e/sec ur i t y
-
8/2/2019 New Features of New SAP BI 7 0 Authorization as Authorization Concept (2)
66/72
SAP AG 2006, 66
service.sap.
com
SAP Serv ic e Mark et p lac e/sec ur i t y
SAP Sec ur i ty Web In form at ion L ink Col lec t ion
-
8/2/2019 New Features of New SAP BI 7 0 Authorization as Authorization Concept (2)
67/72
SAP AG 2006, 67
http: / /sdn.sap.com*
ht tp: / /serv ice.sap.com/secur i ty*
ht tp: / /serv ice.sap.com/secur i tyguide*
ht tp: / /serv ice.sap.com/educat ion*
http: / /help.sap.com/nw2004s
m ai l t o:sec ur i t [email protected] om
serv
ice.sap.com
** Requires login credentials to the SAP Service Marketplace
For m ore in format ion: Acc ess t he SAP Deve loper Netw ork www.sdn .sap .com
The central hub for the SAP technology
-
8/2/2019 New Features of New SAP BI 7 0 Authorization as Authorization Concept (2)
68/72
SAP AG 2006, 68
gy
community Everyone can connect, contribute and
collaborate- consultants, administrators anddevelopers
Focus around SAP NetWeaver and SAP xApps
High quality of technical resources
Articles, how-to guides, weblogs,collaborative areas, discussion forums anddownloads, toolkits and code-samples
A collaboration platform, not a one-waystreet
SAP experts from customers, partners andSAP
SDN is powered by SAP NetWeaver
Built on the SAP Enterprise Portal
Featuring collaboration capabilities of SAPKnowledge Management
7 K ey Po int s to Tak e Home
BI authorizations for analysis are based on an appropriate
-
8/2/2019 New Features of New SAP BI 7 0 Authorization as Authorization Concept (2)
69/72
SAP AG 2006, 69
BI authorizations for analysis are based on an appropriate
concept for business-oriented security requirements
Using the new concept for analysis authorizationsis recommended
The new features contain major improvements foradministrators, leading to lower TCO
Authorizations can be generated automatically based on
various DataStores
The infrastructure for maintenance and monitoring of analysisauthorizations is highly integrated
Take a good look at the new reporting capabilities to supportusage and auditing of authorizations
A migration support tool is available
Quest ions?
-
8/2/2019 New Features of New SAP BI 7 0 Authorization as Authorization Concept (2)
70/72
SAP AG 2006, 70
Q& Am arc .be [email protected] om
-
8/2/2019 New Features of New SAP BI 7 0 Authorization as Authorization Concept (2)
71/72
Demo
-
8/2/2019 New Features of New SAP BI 7 0 Authorization as Authorization Concept (2)
72/72
SAP AG 2006, 72