New Features of New SAP BI 7 0 Authorization as Authorization Concept (2)

  • 8/2/2019 New Features of New SAP BI 7 0 Authorization as Authorization Concept (2)

    1/72

    An Expert Guide to New SAP BI Security Features

    Marc Bernard

    SAP Labs

    SAP AG 2006, 2

    Objectives

    In this session you will

    Learn how to grant access to data on various levels of detail

    Find out how the new analysis authorizations compare to the old concept based on authorization objects

    Understand the new options for defining authorizations

    See a demonstration of the new functionality

    Hear about migration tools

    Take away information about the latest monitoring and auditing capabilities for security settings

    Overview of New Authorization Concept

    Comparison of Old and New Authorization Concepts

    Authorization Maintenance

    Generating Authorizations Automatically

    Assigning Authorizations to Users and Roles

    Monitoring, Auditing, and Test Tools

    Migration

    Summary

    SAP NetWeaver Security

    [Diagram labels: Secure User Access; Secure Collaboration; Application Security; Infrastructure Security; Software Lifecycle Security; DB and OS Abstraction; .NET; WebSphere]

    SAP NetWeaver Roles and Authorizations 101

    Application Security

    Based on roles and authorization concept

    Users are assigned to roles

    Roles contain authorizations

    Authorizations are defined for authorization objects

    The system checks authorization objects against the authorizations of the user

    Comparison of OLTP and OLAP Security Needs

    Security Needs in mySAP ERP (OLTP)

    Transaction-based security

    Driven by:

    Transaction codes

    Specific field values

    Which activities a user can perform

    Focused on getting daily work completed as quickly and efficiently as possible

    Security Needs in SAP NetWeaver BI (OLAP)

    Analysis-based security

    Driven by:

    InfoProviders

    Queries

    Data

    Different business purpose and goals than OLTP

    Focused on displaying, planning, and analyzing data

    Terminology

    Standard Authorizations

    Based on standard role and authorization concept of SAP

    Were and still are used for BI administrator and developer activities

    Reporting Authorizations

    Old security concept up to SAP NetWeaver 04 (up to SAP BW 3.5)

    Control which data a user has access to in a query

    Realized through the standard authorization concept, which has many limitations

    Analysis Authorizations

    New security concept as of SAP NetWeaver 2004s

    Is not based on standard authorization concept in order to overcome the limitations

    Takes features of reporting and analysis in BI into consideration

    Covered in this presentation

    Introduction to Analysis Authorizations

    Scenario: Sufficient Authorizations

    Complete selection is subset of authorizations

    Query results will be shown

    Scenario: Insufficient Authorizations

    Complete or part of selection is outside of authorizations

    Query results will not be shown at all

    [Figure labels: Authorizations, Query Selection]

    Introduction to Analysis Authorizations (cont.)

    Exceptions for All-or-Nothing Rule

    Display hierarchies are automatically filtered by the authorization

    Key figure values are not displayed if the key figure is not authorized

    Authorization Levels

    Access Can Be Restricted by Authorizations

    On InfoCube Level

    On Characteristic Level

    On Characteristic Value Level

    On Key Figure Level

    On Hierarchy Node Level

    [Figure labels: Authorization On Key Figure Level; Authorization On Characteristic Value Level; Authorization On Characteristic Level]

    Comparing Authorization Concepts

    Limitations of earlier SAP BW releases

    Authorization objects

    Comparing Authorization Concepts (cont.)

    Improvements with SAP NetWeaver 2004s

    Analysis authorization

    Authorization objects

    Comparing Authorization Concepts (cont.)

    Please see the appendix on your take-home CD for a detailed comparison

    Steps of Authorization Maintenance

    Follow these steps to create your authorizations

    InfoObject Maintenance (RSD1):

    1. Define Authorization-Relevant Characteristics

    2. Define Authorization-Relevant Attributes

    Management of Analysis Authorizations (RSECADMIN):

    3. Authorize Characteristic Values

    4. Authorize Attribute Values

    5. Authorize Hierarchies

    6. Add Special Authorization Characteristics

    7. Add Key Figure Authorizations

    8. Add Variables in Authorizations

    Business Content for Authorizations

    Before you get started, here are some tips:

    Activate all Business Content related to authorizations before you get started

    InfoObjects: 0TCA* (and 0TCT* if not done already)

    InfoCubes: 0TCA*

    Set the following InfoObjects as authorization-relevant

    0TCAACTVT

    0TCAIPROV

    0TCAVALID

    0TCAKYFNM

    Add 0TCAIFAREA as an external hierarchy characteristic to 0INFOPROV

    1. Authorization-Relevant Characteristics

    Before restricting authorizations on characteristics, you have to mark them as authorization-relevant

    InfoObject Maintenance (Transaction RSD1)

    2. Authorizing Navigational Attributes

    If you want to grant authorizations on navigational attributes, mark them in the attribute tab strip as authorization-relevant

    InfoObject Maintenance (Transaction RSD1)

    3. Authorizing Characteristic Values

    Scenario: A group of users is authorized only to specific sales organizations (e.g., Berlin and Birmingham)

    Central maintenance for (analysis) authorizations/transaction RSECADMIN

    3. Authorizing Characteristic Values (cont.)

    A group of users is authorized only to specific sales organizations (e.g., Berlin and Birmingham)

    Possible Values

    EQ: Single value

    BT: Range of values

    CP: Contains (simple) patterns ending with * (e.g., XY*)

    (Berlin)

    (Birmingham)

    Special Authorization Value

    Special Authorization Values (for all characteristics)

    * (asterisk)

    Denotes a set of arbitrary characters

    Used alone to grant access to all values

    Used at the end of a value to specify a simple pattern (example: SAP*)

    : (colon)

    Allows access only to aggregated data (e.g., allows information on all sales areas only on aggregated level, not on particular sales areas)

    + (plus)

    Denotes exactly one character

    Used at the end of a value to specify a simple pattern (example: RED+)

    Used to specify date patterns (only for Validity (0TCAVALID))

    # (hash)

    Stands for the initial or unassigned value

    4. Authorizing Navigational Attributes

    Navigational Attributes

    Can be assigned individually

    Tip: The referencing characteristic (here: 0D_SALE_ORG) does not need to be authorization-relevant

    5. Authorizing Hierarchies

    In the same way as with value authorization, you can also grant authorizations on hierarchy levels

    Assume you'll have a sales organization as depicted

    5. Authorizing Hierarchies (cont.)

    Now you grant access for the complete Americas and France

    You can also use variables to flexibly and dynamically determine hierarchy nodes

    5. Authorizing Hierarchies (cont.)

    Type of Authorization

    Only the selected nodes

    Subtree below nodes

    Subtree below nodes to level (incl.)

    Complete hierarchy

    Subtree below nodes to (and including) level (relative)

    Use case: Hierarchies that happen to be restructured regularly

    5. Authorizing Hierarchies (cont.)

    Validity Range

    Which authorization hierarchy is checked against the currently used hierarchy (strictness of check)?

    Name, Version Identical, and Key Date Less Than or Equal to

    Name and Version Identical

    Name Identical

    All Hierarchies

    Recommendation: Try to be as strict as possible!
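
    A simplified model of the hierarchy authorization types listed above, as an added Python example (not SAP code and not from the presentation). The hierarchy, the node names, the type labels and the level numbering (root = level 1, relative level counted from the granted node) are assumptions.

```python
# Added illustration (not SAP code): a simplified model of the hierarchy
# authorization types. Hierarchy, node names and type labels are constructed.

HIERARCHY = {                       # parent -> children
    "WORLD": ["AMERICAS", "EUROPE"],
    "AMERICAS": ["NORTH_AMERICA", "SOUTH_AMERICA"],
    "NORTH_AMERICA": ["USA", "CANADA"],
    "SOUTH_AMERICA": ["BRAZIL"],
    "EUROPE": ["FRANCE", "GERMANY"],
    "FRANCE": ["PARIS", "LYON"],
    "GERMANY": ["BERLIN"],
}

# The same hierarchy after a restructuring that puts a new node above AMERICAS.
RESTRUCTURED = dict(HIERARCHY, WORLD=["WEST", "EUROPE"], WEST=["AMERICAS"])


def node_levels(hierarchy, root="WORLD"):
    """Absolute level of every node; the root is level 1 (assumption)."""
    levels, stack = {}, [(root, 1)]
    while stack:
        node, level = stack.pop()
        levels[node] = level
        stack.extend((child, level + 1) for child in hierarchy.get(node, []))
    return levels


def authorized_nodes(hierarchy, node, auth_type, level=None):
    """Nodes granted by one hierarchy authorization on `node`."""
    levels = node_levels(hierarchy)
    if auth_type == "complete_hierarchy":
        return set(levels)
    if auth_type == "node_only":
        return {node}
    if auth_type == "subtree":
        deepest = max(levels.values())
    elif auth_type == "subtree_to_level":            # absolute level, inclusive
        deepest = level
    elif auth_type == "subtree_to_relative_level":   # levels below the node
        deepest = levels[node] + level
    else:
        raise ValueError(f"unknown authorization type: {auth_type}")
    granted, stack = set(), [node]
    while stack:
        current = stack.pop()
        if levels[current] <= deepest:
            granted.add(current)
            stack.extend(hierarchy.get(current, []))
    return granted


def visible_nodes(hierarchy, grants):
    """Union of all grants: the part of the display hierarchy a user sees."""
    visible = set()
    for node, auth_type, level in grants:
        visible |= authorized_nodes(hierarchy, node, auth_type, level)
    return visible


if __name__ == "__main__":
    grants = [("AMERICAS", "subtree", None), ("FRANCE", "subtree", None)]
    print(sorted(visible_nodes(HIERARCHY, grants)))
    # An absolute level cut-off shrinks after the restructuring, a relative one does not.
    print(sorted(authorized_nodes(RESTRUCTURED, "AMERICAS", "subtree_to_level", 3)))
    print(sorted(authorized_nodes(RESTRUCTURED, "AMERICAS", "subtree_to_relative_level", 1)))
```

    In this model a grant with an absolute level loses the nodes below AMERICAS once the node moves one level down, while the relative grant keeps them.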

    6. Special Authorization Characteristics

    Authorizations on Special Characteristics

    Some special characteristics can be included in an authorization. Note: They must not be included in queries!

    These special characteristics must be assigned to a user in at least one authorization

    InfoProvider

    Validity

    Activity

    Insert special characteristics

    6. Special Authorization Characteristics (cont.)

    Recommendation

    It is not technically necessary to include these special characteristics in every authorization, but it is considered a best practice in order to retain clarity

    6. Special Authorization Characteristics (cont.)

    InfoProvider

    Grant authorization to particular InfoProviders

    Technical name: 0TCAIPROV

    Possible values:

    Single value (EQ): One InfoProvider

    Range (BT): Range of InfoProviders

    Pattern (CP): Selection of InfoProviders (e.g., 0SD_*)

    Hierarchy node: Selection of InfoProviders based on InfoArea hierarchy

    Default: * (All InfoProviders)

    6. Special Authorization Characteristics (cont.)

    Validity

    Define when authorizations are valid or not valid

    Technical name: 0TCAVALID

    Possible values

    Include (I): Grant authorization

    Exclude (E): Deny authorization ^

    Single value (EQ): Exactly one date

    Range (BT): Range of dates

    Less or Equal (LE): Everything <= value in FROM field ^

    Greater Than (GT): Everything > value in FROM field ^

    Greater or Equal (GE): Everything >= value in FROM field ^

    Less Than (LT): Everything < value in FROM field ^

    Pattern (CP): Selection of dates ^

    + (plus) denotes exactly one character (e.g., 01.++.2005 until 10.++.2005: allows access only the first 10 days of each month in 2005)

    Default: * (Always valid)

    ^ Exclude (E), special ranges (LE, GT, GE, LT), and the plus pattern (+) work ONLY for this special characteristic!

    6. Special Authorization Characteristics (cont.)

    Activity

    Grant authorization to different activities

    Technical name: 0TCAACTVT

    Possible values:

    02 Change data (for example, for business planning)

    03 Display data

    Default: 03 Display data
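
    A simplified model of the checks described so far (the all-or-nothing rule, EQ/BT/CP values, the special values * : # and the special characteristics 0TCAIPROV and 0TCAACTVT), as an added Python example that is not SAP code and not from the presentation. It assumes a single authorization, query filters given as explicit value lists, and that a characteristic absent from the query needs ':' or '*'; validity (0TCAVALID), key figures and hierarchies are left out, and all function names and sample values are constructed.

```python
# Added illustration (not SAP code): a simplified model of how ONE analysis
# authorization is checked against a query. All names below are assumptions.

UNRESTRICTED = object()  # characteristic is used in the query without a filter


def covers(entries, value):
    """True if `value` matches an EQ, BT or CP entry (op, low, high)."""
    for op, low, high in entries:
        if op == "EQ" and value == low:
            return True
        # BT compares keys as strings, so keys need the same length and format.
        if op == "BT" and low <= value <= high:
            return True
        # CP: simple pattern ending with *; a lone "*" matches every value.
        if op == "CP" and low.endswith("*") and value.startswith(low[:-1]):
            return True
    return False


def grants_all(entries):
    return any(op == "CP" and low == "*" for op, low, _ in entries)


def grants_aggregated(entries):
    # ":" authorizes the characteristic only when it is absent from the query.
    return grants_all(entries) or any(
        op == "EQ" and low == ":" for op, low, _ in entries)


def check_query(authorization, relevant, selection):
    """All-or-nothing rule: any uncovered part rejects the whole query."""
    reasons = []
    for char in relevant:
        entries = authorization.get(char, [])
        if char not in selection:
            if not grants_aggregated(entries):
                reasons.append(f"{char}: not in query, needs ':' or '*'")
        elif selection[char] is UNRESTRICTED:
            if not grants_all(entries):
                reasons.append(f"{char}: no filter, needs '*'")
        else:
            missing = [v for v in selection[char] if not covers(entries, v)]
            if missing:
                reasons.append(f"{char}: not authorized for {missing}")
    return (not reasons, reasons)


def query(infoprovider, filters, activity="03"):
    """Build a selection; InfoProvider and activity are checked like values."""
    selection = dict(filters)
    selection["0TCAIPROV"] = [infoprovider]
    selection["0TCAACTVT"] = [activity]
    return selection


# Constructed sample: sales organization keys, ZREGION and 0SD_DEMO are made up.
RELEVANT = ["0D_SALE_ORG", "ZREGION", "0TCAIPROV", "0TCAACTVT"]
SALES_AUTH = {
    "0D_SALE_ORG": [("EQ", "BERLIN", None), ("EQ", "BIRMINGHAM", None)],
    "ZREGION": [("EQ", ":", None)],          # aggregated access only
    "0TCAIPROV": [("CP", "0SD_*", None)],
    "0TCAACTVT": [("EQ", "03", None)],       # display only
}
# What an authorization with * everywhere (like 0BI_ALL) amounts to.
ALL_AUTH = {char: [("CP", "*", None)] for char in RELEVANT}

if __name__ == "__main__":
    cases = {
        "inside authorization": {"0D_SALE_ORG": ["BERLIN"]},
        "partly outside": {"0D_SALE_ORG": ["BERLIN", "PARIS"]},
        "no filter": {"0D_SALE_ORG": UNRESTRICTED},
        "region drilled down": {"0D_SALE_ORG": ["BERLIN"], "ZREGION": ["EMEA"]},
    }
    for name, filters in cases.items():
        print(name, check_query(SALES_AUTH, RELEVANT, query("0SD_DEMO", filters)))
```

    Only the first case is allowed; in the second, the single unauthorized value rejects the whole query instead of filtering it.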

    7. Key Figure Authorizations

    Key Figure Authorizations

    Grant authorization to particular key figures

    Technical name: 0TCAKYFNM

    Possible values

    Single value (EQ): Exactly one key figure

    Range (BT): Selection of key figures

    Pattern (CP): Selection of key figures based on pattern

    Default: * (All key figures)

    Tip: If a particular key figure is defined as authorization-relevant, it will be checked for every InfoProvider

    8. Variables in Authorizations

    Variables of Type Customer Exit

    For value and/or hierarchy authorizations

    Determined during query runtime using custom code

    Example: Determine sales organization from assignments of the user master data

    Use enhancement RSR00001 (transaction CMOD) for the necessary coding

    Steps for Generating Authorizations

    Follow these steps to generate authorizations automatically:

    Data Warehouse Workbench (RSA1):

    1. Activate Business Content

    2. Load DataStore Objects

    Management of Analysis Authorizations (RSECADMIN):

    3. Generate Authorizations

    4. View Generation Log

    Tip: Especially with high user counts or very detailed authorizations, generating authorizations will save a lot of manual work

    1. Activate Business Content

    Business Content for Authorizations

    SAP delivers Business Content for storing authorizations and user assignment of authorizations

    Human Resources (HR)

    Controlling (CO)

    2. Load DataStore Objects

    DataStore Objects for Authorizations

    Fill the DataStore objects with the user data and authorizations

    Extract the data, for example, from an SAP R/3 source system

    or

    Load the data from a flat file

    Tip: You might want to add some consistency checks here to avoid errors during the generation later

    3. Generate Authorizations

    Generation of Authorizations from DataStore Objects

    Start the generation by specifying the relevant DataStore objects

    4. View Generation Log

    After the generation is complete, you can view a detailed log

    First check errors, then also look at warnings

    Steps for Assigning Authorizations to Users

    Pick one of these options to assign authorizations to users:

    Management of Analysis Authorizations (RSECADMIN):

    1. Assign Individual Authorizations

    2. Assign Groups of Authorizations

    Role Maintenance (PFCG):

    3. Assign Authorizations to Roles

    Tip: You can use a combination of these options. If you already have a role-based infrastructure in place, option 3 will be the best.

    1. Assigning Individual Authorizations

    Direct Assignment of Authorizations to Users

    Select a user ID and change the assignment

    Then insert individual authorizations to the assigned list

    2. Assigning Groups of Authorizations

    Assignment of Groups of Authorizations to Users

    You can group authorizations into a hierarchy. Use InfoObject 0TCTAUTH for this hierarchy (you'll have to activate the content objects for this InfoObject).

    Then you can assign one or several authorization groups to the selected user

    Special Authorization

    Generated Special Authorization: 0BI_ALL

    Automatically generated and not changeable

    Grants authorizations for all values of all authorization-relevant characteristics

    Adjusted whenever a new InfoObject is set to authorization-relevant

    Simple possibility to grant authorizations to everything (e.g., via role, see next slide)

    3. Assigning Authorizations to Roles

    Role Maintenance

    Alternatively to the direct assignment, you can also assign authorizations to roles, which can then be assigned to users

    Use authorization object S_RS_AUTH for the assignment of authorizations to roles

    Maintain the authorizations as values for field BIAUTH

    Steps for Monitoring, Auditing, and Testing

    Use these tools for monitoring, auditing, and testing authorizations:

    1. Authorization Monitoring

    2. Legal Audit

    Tip: The improved monitoring capabilities are especially helpful for production support

    1. Authorization Monitoring

    Checking Authorizations

    Log on with your own user ID (production support role)

    Check query execution with the authorizations of a specific user

    Tip: There is no password required. Therefore, access to this support tool should be restricted using authorization object S_RSEC.

    1. Authorization Monitoring (cont.)

    Evaluate Log Protocol

    Turn on logging of user activities related to analysis authorizations

    View detailed information about authorization checks

    Which characteristics are relevant?

    Which selections are checked vs. which authorizations?

    And much more ...

    2. Legal Auditing

    Recording of Changes

    Activate the following VirtualProviders from the Business Content (VAL = Values, HIE = Hierarchies, UA = User Assignment)

    The system records all changes to authorizations and user assignments

    Using a query, you can easily answer questions like:

    How many users have access to a given InfoCube?

    Which users have access to company code 1000?

    When was authorization GIVEMEALL created, and by whom?

    2. Legal Auditing (cont.)

    Recording of Changes

    Query Example

    Linked into Administration Cockpit

    Steps for Migration of Authorizations

    Follow these four steps to migrate authorizations:

    Migration Tool (program RSEC_MIGRATION):

    1. Select Users

    2. Select Authorizations

    3. Pick Assignment Method

    4. Set Migration Mode

    Tip: Allocate enough time to do the migration during your system upgrade and for performing thorough tests

    Before You Start

    Migration Support

    The migration is a singular event (i.e., not to be scheduled later)

    During migration to the new authorization concept, the existing concept won't be changed

    Semi-automatic migration

    The more complex the existing authorization concept, the more manual migration work might be necessary

    Customer-exit variables for 0TCTAUTHH cannot be migrated; the respective hierarchy nodes must be assigned manually

    Intensive tests are highly recommended

    Before You Start (cont.)

    Recommendations

    It is highly recommended to migrate to the new concept

    The former authorization concept won't be supported any longer

    You can, however, switch back to the former concept in some exceptional cases (IMG setting)

    Start the Migration

    Migration Step 0

    Run ABAP program RSEC_MIGRATION (transaction SA38 or SE38)

    1. User Selection

    Migration Step 1

    Choose users

    Migration can be done for singular user groups

    Prerequisite: A user group must be complete and self-contained!

    [Figure labels: User 1, User 2, Authorization Object 1, Authorization Object 2, Authorization Object 3]

    If User 1 is chosen and Authorization Objects 1 and 2 should be migrated, you have to choose User 2 as well in order to have a complete user group

    Note: There might be entangled dependencies of users with respect to the authorization objects. You'll get a message with information on the missing users in case the user group is not complete.

    2. Authorization Selection

    Migration Step 2

    Choose authorization objects to be migrated

    3. Assignment Method

    Migration Step 3

    Choose an assignment method

    Direct user assignment

    Migrated authorizations will be assigned to the users directly (not via roles)

    Migrated authorizations have prefix RSR_ and will be treated like generated authorizations

    Create new profiles

    Generation of profiles based on authorization object S_RS_AUTH that contains the new, migrated authorizations

    Preserves the existing role concept and adds new profiles to the role

    Generated profiles have prefix RSR_

    Extend existing profiles

    Existing profiles will be extended by authorization object S_RS_AUTH containing the migrated authorizations

    Undo migration

    All migrated authorizations and profiles will be deleted; extended profiles contain empty authorization object S_RS_AUTH

    4. Migration Mode

    Migration Step 4

    Choose details of authorization migration expert mode

    Settings for referencing navigational attributes and characteristics are only relevant for the compatibility mode setting in SAP BW 3.x

    Please have a look at the detailed documentation for more information

    After the Migration Run

    Migration Protocol

    At the end of the migration run, view the detailed protocol

    Check for warnings and errors reported during the migration

    Tip: The migration can be quite tricky. It helps if you have good documentation of the existing authorization setup (for example, to define user groups for the migration)

    Where to Find Free Public Technical Information

    SAP Developer Network (it's free and public)

    sdn.sap.com

    Where to Find Application and Educational Information

    SAP Service Marketplace/security

    service.sap.com

    SAP Security Web Information Link Collection

    http://sdn.sap.com*

    http://service.sap.com/security*

    http://service.sap.com/securityguide*

    http://service.sap.com/education*

    http://help.sap.com/nw2004s

    ** Requires login credentials to the SAP Service Marketplace

    For more information: Access the SAP Developer Network www.sdn.sap.com

    The central hub for the SAP technology community

    Everyone can connect, contribute and collaborate - consultants, administrators and developers

    Focus around SAP NetWeaver and SAP xApps

    High quality of technical resources

    Articles, how-to guides, weblogs, collaborative areas, discussion forums and downloads, toolkits and code-samples

    A collaboration platform, not a one-way street

    SAP experts from customers, partners and SAP

    SDN is powered by SAP NetWeaver

    Built on the SAP Enterprise Portal

    Featuring collaboration capabilities of SAP Knowledge Management

    7 Key Points to Take Home

    BI authorizations for analysis are based on an appropriate concept for business-oriented security requirements

    Using the new concept for analysis authorizations is recommended

    The new features contain major improvements for administrators, leading to lower TCO

    Authorizations can be generated automatically based on various DataStores

    The infrastructure for maintenance and monitoring of analysis authorizations is highly integrated

    Take a good look at the new reporting capabilities to support usage and auditing of authorizations

    A migration support tool is available

    Questions?

    Q&A

    Demo