SAP BusinessObjects Profitability and Cost Management ...

PUBLIC SAP BusinessObjects Profitability and Cost Management Document Version: 10.0 – 2020-07-15 SAP BusinessObjects Profitability and Cost Management Security Guide © 2020 SAP SE or an SAP affiliate company. All rights reserved. THE BEST RUN

Content

1 Typographic conventions
2 Document History
3 Introduction
  3.1 Security in SAP BusinessObjects Profitability and Cost Management
  3.2 About this Document
4 Before You Start
5 Technical System Landscape
6 User Administration and Authentication
  6.1 User Management
      User Administration Tools
      Users and Groups
      Password Control and Security
  6.2 User Data Synchronization
  6.3 Integration into Single Sign On Environments
      SAP BusinessObjects Profitability and Cost Management Default Security
      Single Sign On
      Multiple System Login
7 Authorizations
  7.1 Security access levels
      User Group Security Access Levels
  7.2 Security Descriptors
      Action Access Security Group
      Field Access Security Groups
      Dimension Access Security Group
      Report Task Access Security Group
      Security Descriptor Definitions
  7.3 Group / Descriptor Assignments
      To assign security levels for a user group
      To assign security levels to multiple security descriptors
  7.4 Group/Dimension Security
      To set Group / Dimension security
  7.5 Viewing a User's security settings
8 Books Security
  8.1 Books Action Access
  8.2 Home Pages/Default Books
  8.3 Book Security Assignment
9 Network and Communications Security
  9.1 Communication Channel Security
  9.2 Network Security
10 Data Storage Security
11 Error Message Security
12 Login Dialog Box Security
13 Security for Third Party Applications
14 Dispensable Functions with Impacts on Security
15 Other Security-relevant Information
  15.1 Security Export
  15.2 Profitability and Cost Management ActiveX Control
      Security Mechanisms for Profitability and Cost Management ActiveX Control
      Security Settings to Install the Profitability and Cost Management ActiveX Control
      Security-relevant Information for the Profitability and Cost Management ActiveX control
16 Security Logging and Tracing
17 The main documentation types

1 Typographic conventions

Typographic conventions used in SAP BusinessObjects Profitability and Cost Management documentation

Type Style | Represents | Example
Example text | Name of an interface element with which the user interacts, such as buttons, options, lists, boxes, menus, and icons | To save the file, type a filename in the Name box and click Save.
EXAMPLE | Single keyboard action | Press F1 to access Help.
EXAMPLE + TEXT | Keyboard combination action | You can select multiple items using CTRL + SHIFT
Example text | A nested menu command | Select File Import
Example text | Name of a window, dialog box, or screen | The Import dialog box opens.
 | Terminology specific to the product | In the application, security descriptors are used to assign security access levels to groups.
Example\text | A file path | The files are in the following directory: Program Files\SAP BusinessObjects\PCM.
Example text | A file or folder name | Save the MyModel.xml file in the Models folder.
 | Name of a command or method | Use the NEWMODEL command to create a new model.
 | Name of a: function; Book object or control; grid value | For basic Capacity Rules where Alerts are required, you must insert the predefined RaiseCapacityAlert function in your file. The DataManager object is connected to the Keys object. The LineItemValue grid value is primarily used to represent general ledger values.
 | Code fragments | All rule structures start with Function.
 | System messages | The following message displays: Incorrect username and password.
 | Text inputted by the user | Type localhost in the Server box and click OK.
Example text | System messages | A confirmation dialog box displays the following: Are you sure you want to add the following sibling?:MyVersion
 | An example of code, longer than a code fragment | Function CellValue CellValue=x End Function
<Example text> | Name of a parameter | The LOADVOLUMEDATA command has the <LoadID> parameter.
<Example text> | Name of a child item in a dimension hierarchy | The <Fixed Cost Line Item> attribute identifies <Line Items> that you wish to treat as fixed costs.
Example text | The name of a document | For more information, see the SAP BusinessObjects Profitability and Cost Management Modeling User Guide.

2 Document History

The current version of this document is version 1.4. The following table provides an overview of the most important changes to prior and current versions of this document:

Version Important Changes

Version 1.0 (May 2011) Initial version of the Security Guide for SAP BusinessObjects Profitability and Cost Management 10.0

Version 1.1 (November 2011) As part of the release of Support Package 02, the document contains the following changes:

● The “Field Access Security Cost Object Group Definitions” section is updated to reflect that security descriptors previously found in only Transactional Costing type models are now also available to Profitability and Costing and Bill of Materials type models.

Version 1.2 (May 2012) As part of the release for Support Package 03, a new topic, “Error Message Security” is added, which describes how to enable error message information to be hidden.

Version 1.3 (August 2012) As part of the release for Support Package 04, a new topic, Login Dialog Box Security, is added, which describes how to deactivate the option to remember user details in the login dialog box.

Version 1.4 (February 2013) As part of the release of Support Package 06, the document includes the following changes:

● The section on the Rules Security security descriptor is updated.

● A new security descriptor, Manage Grid Styles, is added to the section on Action Access security descriptors.

You can download the latest version of the guide from the SAP Help Portal at http://help.sap.com.

3 Introduction

Caution: This guide does not replace the administration or operation guides that are available for productive operations.

Target Audience

● System administrators
● Technology consultants

This document is not included as part of the installation guides, operation manuals, or upgrade guides. Such guides are only relevant for a certain part of the software life cycle, whereas the Security Guide provides information that is relevant for all life cycle phases.

Why Is Security Necessary?

With the increasing use of distributed systems and the Internet for managing business data, the demands on security are also on the rise. When using a distributed system, you need to be sure that your data and processes support your business needs without allowing unauthorized access to critical information. User errors, negligence, or attempted manipulation of your system should not result in loss of information or processing time. These demands on security apply likewise to SAP BusinessObjects Profitability and Cost Management. To assist you in securing the product, we provide this Security Guide.

3.1 Security in SAP BusinessObjects Profitability and Cost Management

SAP BusinessObjects Profitability and Cost Management is a powerful financial modeling tool that uses the latest technology to make budgeting, forecasting, and forward planning both responsive and simple to control. It has been assembled to provide for all aspects of strategic planning.

The software is designed to operate in a web environment with an international user community. These users require a diverse range of security privileges to the various financial models used by any company. Administrators are responsible for creating and maintaining this user security.

Security is broadly managed on two levels - application security for individual users and model security. Application security for individual users is applied across all models in the database. In model security, settings are specific for each model.

Users who are not Administrators can perform some administrative functions, but only if an Administrator has given them the security privilege to do so.

Caution: SAP BusinessObjects Profitability and Cost Management does not store or display personal data, but does store and display items such as IP addresses and e-mail addresses (for example, log files can contain IP addresses and the database can contain e-mail addresses). You should bear this in mind before you distribute SAP BusinessObjects Profitability and Cost Management log files or data to third parties.
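One way to act on this caution before a log file is handed to a third party, as an added example that is not part of the SAP guide or the product: the Python script below replaces e-mail addresses and IPv4/IPv6 addresses with keyed pseudonyms, so the recipient can still correlate events without seeing the original values. The log line layout, `SAMPLE_LOG` and all function names are constructed for illustration; the guide does not describe the product's log format.

```python
import hashlib
import hmac
import ipaddress
import re
import secrets

# Candidate patterns. IP candidates are validated with the ipaddress module,
# so timestamps (10:22:31), MAC addresses and version strings are left alone.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
IPV4_RE = re.compile(r"(?<![\w.])(?:\d{1,3}\.){3}\d{1,3}(?!\w|\.\d)")
IPV6_RE = re.compile(
    r"(?<![\w:.])(?:[0-9A-Fa-f]{0,4}:){2,7}(?:[0-9A-Fa-f]{1,4}|(?<=::))(?!\w)"
)

# Constructed sample lines (hypothetical layout, documentation address ranges).
SAMPLE_LOG = [
    "2020-07-15 10:22:31 login ok user=jdoe client=192.0.2.44:51234",
    "2020-07-15 10:22:35 alert mail sent to J.Doe@example.com",
    "2020-07-15 10:23:02 login failed user=asmith client=[2001:db8::5]:49200",
    "2020-07-15 10:24:10 session closed client=192.0.2.44 build 10.0.6",
]


def pseudonym(kind: str, value: str, key: bytes) -> str:
    """Stable token for a value: same key and value give the same token."""
    digest = hmac.new(key, f"{kind}:{value}".encode(), hashlib.sha256).hexdigest()
    return f"[{kind}-{digest[:10]}]"


def redact_line(line: str, key: bytes) -> str:
    """Replace e-mail and IP addresses in one log line with pseudonyms."""

    def email_sub(match: re.Match) -> str:
        # Lower-case so J.Doe@ and j.doe@ map to the same token.
        return pseudonym("EMAIL", match.group(0).lower(), key)

    def ip_sub(match: re.Match) -> str:
        text = match.group(0)
        try:
            addr = ipaddress.ip_address(text)
        except ValueError:
            return text  # not an address (timestamp, MAC, bad octet, ...)
        if addr.is_unspecified:
            return text  # 0.0.0.0 and :: identify nobody
        # str(addr) is the canonical form, so equivalent spellings of one
        # IPv6 address receive the same token.
        return pseudonym(f"IP{addr.version}", str(addr), key)

    line = EMAIL_RE.sub(email_sub, line)
    line = IPV4_RE.sub(ip_sub, line)
    return IPV6_RE.sub(ip_sub, line)


def redact_log(lines, key: bytes):
    """Redact every line with the same key so tokens stay comparable."""
    return [redact_line(line, key) for line in lines]


if __name__ == "__main__":
    # Fresh key per export: keep it private, otherwise tokens can be
    # brute-forced back to addresses.
    export_key = secrets.token_bytes(32)
    for redacted in redact_log(SAMPLE_LOG, export_key):
        print(redacted)
```

The same approach applies to database extracts that contain e-mail addresses; user names are left untouched here because the caution names only IP and e-mail addresses.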

3.2 About this Document

This Security Guide provides an overview of the security-relevant information that applies to SAP BusinessObjects Profitability and Cost Management.

Overview of the Main Sections

This Security Guide comprises the following main sections:

● “Before you Start”
  This section contains references to other documentation that contains security-relevant information.

● “Technical System Landscape”
  This section provides an overview of the technical components and communication paths that are used by the system.

● “User Administration and Authentication”
  This section provides an overview of the following user administration and authentication aspects:
  ○ Recommended tools to use to manage security for users, models, and Books; how to create users and groups; and password control and security.
  ○ User types and user groups delivered with the product.
  ○ An overview of user synchronization.
  ○ An overview of how integration into Single Sign On environments is possible.

● “Authorizations”
  This section provides an overview of how security access is handled in the application on a per model basis, using security access levels and security descriptors.

● “Books Security”
  This section describes how security is handled for Books in the application using Books Action Access, default Books, and security descriptors and access levels.

● “Network and Communication Security”
  This section provides an overview of the communication paths used by the system and the security mechanisms that apply. It also includes recommendations for the network topology to restrict access at the network level.

● “Data Storage Security”
  This section provides an overview of any critical data that is used by the product and the security mechanisms that apply.

● “Security for Third-Party or Additional Applications”
  This section provides security information that applies to third-party or additional applications that are used with SAP BusinessObjects Profitability and Cost Management.

● “Dispensable Functions with Impacts on Security”
  This section provides an overview of functions that have impacts on security and can be disabled or removed from the system.

● “Other Security-Relevant Information”
  This section contains information about:
  ○ Security Export

● “Security Logging and Tracing”
  This section describes how security-relevant information for the application is stored; lists the database tables that contain this information; and provides references for more information on security logging and tracing.

4 Before You Start

Additional Information

For more information about specific topics, see the addresses on the SAP Service Marketplace as shown in the following table:

Content | SAP Service Marketplace Address
Security | service.sap.com/security
Related SAP Notes | service.sap.com/notes
Released platforms | service.sap.com/platforms
SAP Solution Manager | service.sap.com/solutionmanager

Related Documentation

The following table lists where you can find more security-relevant information in the documentation for SAP BusinessObjects Profitability and Cost Management:

Topic | Guide | Location
“Detailed Monitoring and Tools for Problem and Performance Analysis” | SAP BusinessObjects Profitability and Cost Management Administrator's Guide | SAP Service Marketplace (service.sap.com)
“Administration Tools” | SAP BusinessObjects Profitability and Cost Management Administrator's Guide | SAP Service Marketplace (service.sap.com)
“User Management Tools” | SAP BusinessObjects Profitability and Cost Management Administrator's Guide | SAP Service Marketplace (service.sap.com)
“Software components in SAP BusinessObjects Profitability and Cost Management” | SAP BusinessObjects Profitability and Cost Management Master Guide | SAP Service Marketplace (service.sap.com)
“DCOM Security Configuration” | SAP BusinessObjects Profitability and Cost Management Installation Guide | SAP Service Marketplace (service.sap.com)
“To configure a new Application server” | SAP BusinessObjects Profitability and Cost Management Installation Guide | SAP Service Marketplace (service.sap.com)
“To configure a new Web server” | SAP BusinessObjects Profitability and Cost Management Installation Guide | SAP Service Marketplace (service.sap.com)
“Web client deployment” | SAP BusinessObjects Profitability and Cost Management Installation Guide | SAP Service Marketplace (service.sap.com)
“Login security basic checks” | SAP BusinessObjects Profitability and Cost Management Installation Guide | SAP Service Marketplace (service.sap.com)
“Configuring the SAP BusinessObjects Financial Information web service” | SAP BusinessObjects Profitability and Cost Management Installation Guide | SAP Service Marketplace (service.sap.com)
“Firewall configuration” | SAP BusinessObjects Profitability and Cost Management Installation Guide | SAP Service Marketplace (service.sap.com)
“Security Alerts” | SAP BusinessObjects Profitability and Cost Management Modeling User Guide | SAP Help Portal (help.sap.com)
“To configure access between SAP BusinessObjects Profitability and Cost Management and BusinessObjects Enterprise” | SAP BusinessObjects Profitability and Cost Management Integration Guide | SAP Service Marketplace (service.sap.com)
“User synchronization” | SAP BusinessObjects Profitability and Cost Management Integration Guide | SAP Service Marketplace (service.sap.com)

5 Technical System Landscape

The figure below shows an overview of the software component structure for the application. A description follows.

SAP BusinessObjects Profitability and Cost Management is a three-tier application. The main applications are based on a ROLAP (Relational Online Analytical Processing) concept and use a relational database as the primary storage mechanism for raw data. Connected to the database is the Application (or Model) server, which extracts and calculates data on demand. A remote web server or directly linked clients are configured to attach to the Model server for users to view Books via the web client or the Book Viewer.

The tiers require the following components:

● Database server
● Application (or Model) server
● Web server
● Clients - both rich clients, such as the Model Builder application, and thin clients such as the web client

Optional components include the following:

● Terminal/Citrix server
● Work Manager server
● Report Manager server

The software can run as a standalone application or as part of a BusinessObjects Enterprise environment. It can also be integrated with SAP BusinessObjects Business Intelligence platform for authentication purposes. The software also has an OLE/DB (Object Linking and Embedding/ Database) for OLAP (Online Analytical Processing) or ODBO connector called MDX ODBO Connector, which provides MDX (Multidimensional Expressions) access to the following:

● Microsoft Excel 2003
● Microsoft Excel 2007
● Microsoft Excel 2010 - x86 and x64
● SAP BusinessObjects Web Intelligence
● SAP BusinessObjects Infoview

The software also provides an XMLA (Extensible Markup Language for Analysis) service called the MDX XMLA Provider, which provides an XMLA service and supports queries of model data.

If Single Sign On (SSO) is configured so that the software authenticates against the Central Management Server (CMS) of SAP BusinessObjects Business Intelligence platform, and the FIMService web service is installed and configured, the software can work in conjunction with SAP BusinessObjects Financial Information Management software.

The figure below shows an overview of the system architecture. A description of the system architecture follows.

The three-tier architecture comprises the following:

● Database tier
  The database layer comprises a fixed schema that contains the following:
  ○ Tables for the base model data
  ○ Tables to store results
  ○ Stored procedures for updating the contents of the tables
  ○ Stored procedures for the bulk loading of data into models

● Server tier
  ○ PCMServer is a Windows DCOM (Distributed Component Object Model) service that controls user authentication via Single Sign On (SSO), and also user access to models. One instance of this DCOM service exists per deployment.
  ○ PCMMain is the Windows DCOM service that controls the model-level security for all models on the Application server.
  ○ PCMModel is the Windows DCOM server that hosts each model in a deployment. It is a call-centric, in-memory calculation engine that supports both the standard ABM (activity-based management) methodology and business user-defined rules-based cubes.
  ○ All application servers and services are written in C/C++ for both 32-bit and 64-bit Microsoft Windows.
  ○ PCMWebService is an ASP (Active Server Pages) page running in Microsoft IIS (Internet Information Server) that manages the HTTP/HTTPS communications from instances of the Profitability and Cost Management ActiveX. The Web Server communicates to the application services via the shared C/C++ proxy.
  ○ PCM FIM is a .NET2 application hosted by IIS and written in C#, which provides a service for the Financial Information Management application to consume. PCM FIM communicates to the application services via the C/C++ proxy.

● Client tier
  ○ Model Builder is a rich client, written in Delphi, that allows business consultants to build and maintain both the data and metadata of SAP BusinessObjects Profitability and Cost Management. Model Builder is also used to build Books, which allow rich web screens to be displayed.
  ○ Data Bridge is a rich client, written in Delphi, that allows business consultants to import data and metadata into a model from files or external systems via RFC (Remote Function Call), SQL, or MDX using LSDAL (Lightship Data Access Layer).
  ○ PCM OCX (ActiveX Control File) is a thin ActiveX client, written in Delphi, that allows end users to view Books over the Internet or intranet. From within Books, users can view and update data in a model.
  ○ PCM ODBO (OLE DB for OLAP) is an ODBO/XMLA (XML for Analysis) access layer written in C/C++ that allows consumers such as Microsoft Excel, SAP BusinessObjects Voyager, XCelsius, and SAP BusinessObjects Web Intelligence (WEBI) read access to the data and metadata in a Profitability and Cost Management model. Write access is also available to those consumers that support it.
  ○ All clients access the application layer through a shared C/C++ proxy that supports authentication via SSO and also local caching to reduce unnecessary round-tripping. The application also supports SSO authentication against the CMS of the SAP BusinessObjects Profitability and Cost Management Business Intelligence platform. Communication to the Application server layer is via DCOM or via a Profitability and Cost Management client/server TCP/IP stub layer.

For more information about the technical system landscape and the software components, see the resources listed in the table below.

Topic | Guide | Quick link to the SAP Service Marketplace
“Software components in SAP BusinessObjects Profitability and Cost Management” | SAP BusinessObjects Profitability and Cost Management Master Guide | http://service.sap.com

Related Information

Communication Channel Security [page 85]

6 User Administration and Authentication

Security in SAP BusinessObjects Profitability and Cost Management is assigned to users through User Groups. User Groups can be thought of as categories that hold a collection of users with identical functions and security access levels.

The user security settings apply to all models across the system.

SAP BusinessObjects Profitability and Cost Management allows a great deal of flexibility in the levels of security access that can be applied to different areas of the application. Security can be used to allow different levels of access to individual dimension items, grid values, Books, and actions in the various application areas.

Security access is allocated using security descriptors that are referenced by User Groups. Security descriptors are labels that are attached to actions, data fields, and specific components within a model. Security access levels are then assigned to these security descriptors to determine what users can do according to the User Groups to which they belong.

Users and groups are common to all models but security descriptors and Group assignment levels are on a per model basis. Therefore, if you have more than one model on the same database, users and user groups are visible across all models. However, security levels are not automatically inherited across models. The exception to this are members of the ADMINISTRATORS group, who automatically have full access to all security descriptors.
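The scoping rules in the paragraph above, written out as a small review aid (an added example, not SAP code and not the product's data model): users and groups live at database level, descriptor levels live per model with no inheritance between models, and ADMINISTRATORS membership bypasses descriptor assignments. The level names (`FULL`, `READ`, `WRITE`), the model and group names other than ADMINISTRATORS, and the class itself are placeholders constructed for illustration; how the product combines levels from several groups is not stated here, so the levels are reported per group rather than merged.

```python
from dataclasses import dataclass, field

ADMIN_GROUP = "ADMINISTRATORS"  # group name as given in the guide
FULL = "FULL"                   # placeholder level name, not the product's


@dataclass
class SecurityStore:
    # Database-wide: every model sees the same users and groups.
    user_groups: dict = field(default_factory=dict)   # user -> set of groups
    # Per model: model -> group -> security descriptor -> access level.
    assignments: dict = field(default_factory=dict)

    def access(self, user, model, descriptor):
        """Return {group: level} that applies to the user in this model.

        An empty result means no group of the user has a level assigned
        for the descriptor in this model; nothing is taken from other models.
        """
        groups = self.user_groups.get(user, set())
        if ADMIN_GROUP in groups:
            # Members have full access to all security descriptors.
            return {ADMIN_GROUP: FULL}
        per_model = self.assignments.get(model, {})
        return {
            group: per_model[group][descriptor]
            for group in sorted(groups)
            if descriptor in per_model.get(group, {})
        }

    def missing_assignments(self):
        """(group, model) pairs: configured in some model, absent in this one."""
        configured = {g for per_model in self.assignments.values() for g in per_model}
        return sorted(
            (group, model)
            for model, per_model in self.assignments.items()
            for group in configured - {ADMIN_GROUP}
            if group not in per_model
        )

    def administrators(self):
        """Users whose access is not limited by any descriptor assignment."""
        return sorted(u for u, gs in self.user_groups.items() if ADMIN_GROUP in gs)


# Constructed sample data; "Manage Grid Styles" is a descriptor named in the guide.
SAMPLE_STORE = SecurityStore(
    user_groups={
        "alice": {ADMIN_GROUP},
        "bob": {"Planners"},
        "carol": {"Planners", "Reviewers"},
    },
    assignments={
        "Budget": {
            "Planners": {"Manage Grid Styles": "WRITE"},
            "Reviewers": {"Manage Grid Styles": "READ"},
        },
        "Forecast": {
            "Reviewers": {"Manage Grid Styles": "READ"},
        },
    },
)

if __name__ == "__main__":
    print("Unrestricted users:", SAMPLE_STORE.administrators())
    print("Groups without levels in a model:", SAMPLE_STORE.missing_assignments())
    print("bob in Forecast:", SAMPLE_STORE.access("bob", "Forecast", "Manage Grid Styles"))
```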

In this section, we describe the tools you use to manage users and groups, the various system-defined user groups, and how to set up users in appropriate User Groups, together with their password and login requirements in the following topics:

● “User Management”
  This topic lists the tools to use for user management, describes the standard users and User Groups delivered with SAP BusinessObjects Profitability and Cost Management, and explains the relationship between User Groups and security licences. This topic describes how to create and maintain Users and Groups, and how to set passwords. It explains password control and security, and also describes how to control user access to models.

● “User Data Synchronization”
  SAP BusinessObjects Profitability and Cost Management can share user data with SAP BusinessObjects Business Intelligence platform. This topic describes how the user data is synchronized.

● Integration into Single Sign-On Environments
  This topic describes how SAP BusinessObjects Profitability and Cost Management supports Single Sign-On mechanisms.

6.1 User Management

In this section we describe how to manage users: what tools to use, how to create and maintain users and groups, and how to manage password control and security. These topics are covered in the following sections:

● User Administration Tools
  The tools to manage users are listed and described in a table, with directions on where to find more information.

● Users & Groups
  This section describes system-defined users and groups, security licences, how to create and maintain users, and how to control user access to models.

● Password Control and Security
  This section describes how to make strong passwords obligatory, how to configure password expiry, and how to configure the number of login failures permitted before a user account is locked.

6.1.1 User Administration Tools

The table below shows the tools to use for user management and user administration with SAP BusinessObjects Profitability and Cost Management.

| Tool | Detailed Description | Prerequisites |
| --- | --- | --- |
| Model Administration Security tab | The Security tab in the Model Administration dialog box enables Administrators to control which models users have access to. For more information on Model Administration, see the SAP BusinessObjects Profitability and Cost Management Administrator's Guide and the “User Model Access” topic later in this section. | To view the Security tab, a user must be a member of the ADMINISTRATORS user group. |
| System Properties dialog box in the Model Builder application | The Security tab in the System Properties dialog box provides system level options for password control. For more information, see the “Password Control and Security” topic later in this section. | To set password control options, a user must be a member of the ADMINISTRATORS user group. |
| The Single Sign On screen of the Configuration Wizard | In the Single Sign On screen, administrators can configure the type of login security to be implemented for users in the system. For more information, see the SAP BusinessObjects Profitability and Cost Management Installation Guide. | |
| User and Groups Maintenance screen in the Model Builder application | Users, groups, and associated security settings are managed in the User and Groups Maintenance screen of the Model Builder application. For more information see the “Users & Groups” topic later in this section and the SAP BusinessObjects Profitability and Cost Management Modeling User Guide. | To create and manage users and groups, a user must be a member of the ADMINISTRATORS user group. |
| Security Descriptors screen in the Model Builder application | Security descriptors can be viewed, added, and edited in the “Security Descriptors” screen of the Model Builder application. For more information, see the “Security Descriptors” topic later in this section. | To create and edit security descriptors, a user must be a member of the ADMINISTRATORS user group. |
| Groups/Descriptor Assignments screen in the Model Builder application | Security descriptors can be assigned to user groups and the security level for the descriptor set in the Groups/Descriptor Assignments screen in the Model Builder application. For more information, see the “Group/Dimension Security” topic later in the section. | To allocate security options, a user must be a member of the ADMINISTRATORS user group. |
| Security Explorer screen in the Model Builder application | The Security Explorer screen displays the security settings for each user, but does not provide any editing options. For more information, see the “Viewing a User's security settings” topic later in this section. | Access to the screen is controlled by the User Security Interrogation Security descriptor. To access the screen, a user must belong to a group that has this security descriptor allocated with the access level, Full Access. |
| Group/Dimension Security screen in the Model Builder application | The Group/Dimension Security screen enables Administrators to set the default hierarchy level at which a group member is able to view a dimension. For more information, see the Group/Dimension Security topic later in this section. | To set dimension security, a user must be a member of the ADMINISTRATORS or MODELBUILDERS groups. |
| Model Builder - User Synchronization | The User Synchronization feature synchronizes Profitability and Cost Management user accounts with SAP BusinessObjects Business Intelligence platform user accounts for Single Sign On authentication. For more information, see the SAP BusinessObjects Integration Guide. | User synchronization is usually performed by an Administrator during setup. |
| User Monitor | The User Monitor tool enables Administrators to locate which models are in use on the network and to log off any associated established system user connections. For more information, see the SAP BusinessObjects Profitability Administrator's Guide. | To log off another user in the User Monitor, a user must be a member of the ADMINISTRATORS group. |
| System Information | The System Information tool is used to determine the current status of the system and can assist in troubleshooting. For more information, see the SAP BusinessObjects Profitability Administrator's Guide. | |
| Group/Default Book Assignment screen in the Model Builder application | The Group/Default Book Assignment screen is used to assign a default book to a group. This provides a means of controlling access to books. For more information, see the “Books Security” topic later in this guide. | To assign a default book to a group, a user must be a member of the ADMINISTRATORS or MODELBUILDERS groups. |
| Books Editor Property Pane - Formatting tab | In the Formatting tab of the Property Pane, you can set a Dimension Access Security descriptor that can limit which users have access to that book. For more information, see the “Book Security Assignment” topic later in this guide. | To create and edit books, a user must be a member of the ADMINISTRATORS, MODELBUILDERS, or BOOKBUILDERS groups. |

Related Information

User Model Access [page 35]
Users and Groups [page 20]
Security Descriptors [page 44]
Group/Dimension Security [page 80]
Viewing a User's security settings [page 81]
Group / Descriptor Assignments [page 78]
Books Security [page 83]
Book Security Assignment [page 84]
Password Control and Security [page 37]

6.1.2 Users and Groups

User access to each model is controlled by model-specific User Group security settings. So, when setting up security for the application, it is useful to start by defining the access requirements at the User Group level.

There are five system-defined user groups, and you can create any number of additional groups as required. The application is supplied with a default system administrator who is a member of every system-defined group and has access to all models and settings.

Tip: When setting up security in the application, it is useful to start by categorizing users and then creating relevant User Groups, rather than trying to tailor Groups around the requirements of a specific user. This provides greater flexibility in the long term.

Related Information

Creating a new Group [page 26]
Creating and Maintaining Users [page 27]
System Administrator [page 21]
System-Defined User Groups [page 21]
User & Group Maintenance Information and Management [page 33]
User Group Security Access Levels [page 43]
User Group Security Licenses [page 24]

6.1.2.1 System Administrator

The application is supplied with a default Administrator user when first installed. This Administrator user is a superuser who always has full access and editing rights to all system facilities and models. The login credentials for the default Administrator are username = administrator and password = administrator. For greater security, we recommend that you rename this system-defined user and change the default password.

We also recommend that you create administrator users specific to your organization rather than use this default Administrator user, which is intended for the initial setup. This default user does not use any of the license allocations purchased for the software and can be unassigned from any User Group that is not needed, for example ENDUSERS.

6.1.2.2 System-Defined User Groups

The following five system-defined User Groups exist in the software:

● EVERYONE
● ADMINISTRATORS
● MODELBUILDERS
● BOOKBUILDERS
● ENDUSERS

These are system-generated on installation and define basic user types and thereby automatically allow or restrict access to different areas and functionality of the application. In the application, the names of these system-defined User Groups are distinguishable from user-defined groups by their uppercase lettering and the fact that they have accompanying icons.

Tip: It is useful to think of these system-defined User Groups in terms of attaching basic user functionality, and to create additional User Groups to allocate more specific user security access levels.

Every new user automatically belongs to the EVERYONE group, and needs to be made a member of another group to gain access to the application.

Related Information

Model Builder Access [page 25]
ENDUSERS group [page 24]
Book Builder Access [page 25]
BOOKBUILDERS group [page 23]
ADMINISTRATORS group [page 22]
Creating a new Group [page 26]
EVERYONE group [page 22]
MODEL BUILDERS group [page 23]
User Group Security Access Levels [page 43]

6.1.2.2.1 EVERYONE group

All users must belong to the EVERYONE group. This group defines a basic level of access to different functions, values, and general dimension attributes in the software. Access levels are cumulative for any other groups to which a user belongs, so the EVERYONE access levels must be left at a basic level, whereas additional groups are normally used for defining higher access levels.

6.1.2.2.2 ADMINISTRATORS group

An Administrator can:

● Create and manage models
● Create and manage users and groups
● Create security descriptors and allocate security options
● Create and unlock Books
● Create item properties
● Create aliases
● View model security and security alerts
● Perform all other actions and edit all items in the application, dependent on which license type is inherited through additional group membership. This restricts access according to principles outlined in each user group topic for each user. Membership of the MODELBUILDERS, BOOKBUILDERS, or ENDUSERS group gives access to the corresponding functionality in the Model Builder application or application interface.

Note: By default, members of the ADMINISTRATORS group have full access to all dimensions and security descriptors. This level of access can be altered by the superuser System Administrator.

Related Information

Model Builder Access [page 25]
ENDUSERS group [page 24]
Book Builder Access [page 25]
BOOKBUILDERS group [page 23]
MODEL BUILDERS group [page 23]
System Administrator [page 21]

6.1.2.2.3 MODEL BUILDERS group

Model Builders primarily have access to the Model Builder application. A member of the MODEL BUILDERS group inherits a Model builder license and ENDUSERS functionality. This allows potential access to almost all components of the software. A Model Builder, given the correct access, can perform the following activities:

● Manage models - including creating and deleting models
● Import and export data
● Edit dimension items
● Perform dimension assignments
● Build and save grid layouts
● Create and edit Books
● Perform Driver Analysis
● Access Books over the web

Related Information

Model Builder Access [page 25]

6.1.2.2.4 BOOKBUILDERS group

A member of the BOOKBUILDERS group inherits a Book Builder license and an End User license. The Book Builder licence allows access to a more targeted set of functions in Model Builder that are useful to users who build books. When a Book Builder logs in to the application, they cannot access the full functionality of Model Builder, but only those features required to create and edit Books and to build and export grids and layouts. The End User licence allows Book Builders to access Books over the web.

A Book Builder can perform the following activities:

● Build and export layouts in the View Builder
● Build and export layouts in Data Explorer
● Create and edit Books
● Access Books over the web

Related Information

Book Builder Access [page 25]

6.1.2.2.5 ENDUSERS group

Membership of the ENDUSERS group gives users access to published Books over the web or through the Book Viewer application. The books that are available to ENDUSERS are specified by either an Administrator or Model Builder. Access can also be determined by membership of additional user-defined User Groups. This ensures that ENDUSERS can see only those Books, and the grids they contain, that are relevant to them.

An End User can:

● View information within Books in the form of grids, reports, and charts
● View and edit data via Books
● Select a Data Alias to use for viewing information
● Select the currency in which monetary values are displayed
● View Model alerts

Note: Members of the ENDUSERS group do not have access rights to the Model Builder application.

Related Information

End User Access [page 26]

6.1.2.3 User Group Security Licenses

The product has two main applications: the Model Builder application, which includes book building functionality, and the End User interface. Membership of one of the User Groups is compulsory in order to access the relevant part of the product. Access to applications and application functionality is determined by using the system-defined User Groups.

System-defined User Groups have a purpose in addition to physically restricting access to specific security descriptors. These User Groups are also linked to license types, which are used to define user roles at the base level. Such user roles are defined to a certain extent in terms of which particular form of the application users may access.

Licenses are inherited according to User Group membership, with some User Groups inheriting more than one type of user license. These are detailed in each relevant topic.

Note: Customers with legacy license agreements can have licenses that map to the system-defined user groups outlined previously. Customers with SAP license agreements have SAP Professional User or SAP Limited Professional User licenses. Members of the ADMINISTRATORS, MODELBUILDERS, and BOOKBUILDERS groups inherit an SAP Professional User license. Members of the ENDUSERS group inherit an SAP Limited Professional User license.

Related Information

Administrator Access [page 26]
Book Builder Access [page 25]
End User Access [page 26]
Model Builder Access [page 25]

6.1.2.3.1 Model Builder Access

A member of the MODELBUILDERS group automatically inherits a license to the Model Builder application - including its book building functionality - in addition to the web interface. (A Model Builder may be involved in creating Books as well as model structures and may therefore wish to preview Books over the web).

Related Information

MODEL BUILDERS group [page 23]

6.1.2.3.2 Book Builder Access

A member of the BOOKBUILDERS group automatically inherits a license to access the book building functionality in the Model Builder application in addition to a license to access the web interface. (A Book Builder may want to preview newly created Books over the web interface to ensure that they display to an acceptable standard.)

Note: A Book Builder has restricted access to the Model Builder application. For example, Book Builders cannot access the model building functionality in the Model Builder application such as the dimension and assignment screens, but can access the functions to build grids and layouts that they wish to include in Books. These functions include View Builder and Data Explorer in addition to general functions.

Related Information

BOOKBUILDERS group [page 23]

6.1.2.3.3 End User Access

A member of ENDUSERS inherits only a license permitting them to access the SAP BusinessObjects Profitability and Cost Management web interface or Book Viewer application.

Note: An End User cannot access the Model Builder application due to their license restrictions. An End User can only log in to the Web Client and Book Viewer to view Books.

Related Information

ENDUSERS group [page 24]

6.1.2.3.4 Administrator Access

A member of the ADMINISTRATORS group inherits a license that permits them to perform certain administration functions, such as basic user security, model security, and partitioning. When this access is combined with MODELBUILDERS access, the user has Full Access to all aspects of the Model Builder application and web use. This allows a user to assign specific security to dimension items and user groups within all models to which they have access, depending on model security.

Related Information

ADMINISTRATORS group [page 22]

6.1.2.4 Creating a new Group

Groups are used to assign security access permissions. They allow you to define types of users with common access permissions to data and actions in the application, thus saving time when adding users with common requirements. You can define any number of Groups.

6.1.2.4.1 To create a new Group

Procedure

1. Select Tools > Security > Users and Groups.
2. Once in the User and Group Maintenance screen, hover the cursor in the Groups area and right-click to display the context menu.
3. Select Add. A default group name is inserted into the edit box.
4. Enter the name required for the new group. Once you have entered a group name it will appear in the Groups list. You can then, if you want to, create new users and assign them to existing user groups.

Related Information

To assign User Groups [page 28]
Creating and Maintaining Users [page 27]
Group context menu [page 35]

6.1.2.5 Creating and Maintaining Users

The User and Group Maintenance screen is accessed by selecting Tools > Security > Users and Groups. In this screen, administrators can create new users and carry out basic security administration tasks for users, such as assigning them to groups, enabling or disabling user accounts, and resetting passwords. User Properties are maintained that hold individual user details and options for password protection. The Default Model Group option provides additional security because it allows a user group to be associated with an individual Model Builder who subsequently controls access for all users to models created by that individual.

Tip: By applying settings in System Properties, you can further configure password protection to ensure the use of strong passwords and to cause passwords to expire at set intervals.

Related Information

Account Enable / Disable [page 31]
To assign User Groups [page 28]
Password Properties [page 30]
Password Reset [page 29]
Password Control and Security [page 37]
User’s Default Model Group [page 28]

6.1.2.5.2 To assign User Groups

Context

Users must be assigned to Groups to inherit security settings and allow access to the application. A user can be assigned to more than one Group, in which case they will inherit the widest level of security access assigned to each of the security descriptors - that is, the least restricted level.

To assign a user to a group:

Procedure

1. Select Tools > Security > Users and Groups.
2. In the User and Group Maintenance screen, assign users to groups by selecting the required users in the Users pane and selecting the check box adjacent to the relevant group in the Groups pane. Similarly, you can unassign User Groups by clearing the checked box.

6.1.2.5.3 User’s Default Model Group

Default Model Group allows a user group to be associated with an individual Model Builder. Locate this feature by selecting Default Model Group from the context menu in the Users pane of the User and Group Maintenance screen to access the User's New Model Group dialog box.

The dialog box contains a Group list, from which you select a User group to which all new models created by that user are automatically assigned.

The default setting for Default Model Group is the MODELBUILDERS group, which gives all members of the MODELBUILDERS group access to all new models. However, an individual user may be assigned to an alternative Default Model Group if required, and new models subsequently created by that user may only be accessed by users that are members of this group.

This would be useful, for example, if you wanted to create a model that should only be accessed by members of a User Group named European Model Builders. For the user who is to create the model, you set the Default Model Group to European Model Builders. Once this user creates the model, only users who are members of the European Model Builders group can access it.

Access to models is therefore controlled by membership of the Default Model Group, rather than on the basis of being a Model Builder. This allows more than one Model Builder to work within a system without having access to all the models present. (Administrators can see all models by default.) The model security access remains associated with a model, regardless of whether it is copied, and this may only be amended by an administrator.

Note: Allocating a default model group to a user does not automatically make this user a member of the group - they need to be assigned to it manually in the Users and Groups Maintenance screen or in the Security tab of the Model Administration screen.

Related Information

To assign User Groups [page 28]
User & Group Maintenance Information and Management [page 33]
User Model Access [page 35]
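The model-access rules in this topic can be checked with a small model. The sketch below is an added example, not SAP code: it applies the rules as stated here (a new model is assigned to its creator's Default Model Group, access requires membership of a group assigned to the model, Administrators see all models by default) to constructed users, and lists users whose Default Model Group is a group they do not belong to. The user names and data structures are assumptions.

```python
from dataclasses import dataclass, field

ADMINISTRATORS = "ADMINISTRATORS"
MODELBUILDERS = "MODELBUILDERS"  # default setting for Default Model Group


@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)
    default_model_group: str = MODELBUILDERS


@dataclass
class Model:
    name: str
    created_by: str
    groups: set  # User Groups assigned to the model


def create_model(creator, name):
    """A new model is assigned to its creator's Default Model Group."""
    return Model(name, creator.name, {creator.default_model_group})


def can_access(user, model):
    """Access requires membership of a User Group assigned to the model."""
    if ADMINISTRATORS in user.groups:  # Administrators see all models by default
        return True
    return bool(user.groups & model.groups)


def who_can_access(model, users):
    return sorted(u.name for u in users if can_access(u, model))


def default_group_gaps(users):
    """Users whose Default Model Group is a group they are not a member of.

    Allocating a Default Model Group does not add the user to that group, so
    under the rules modelled here such a user creates models that they
    cannot open themselves.
    """
    return sorted(
        u.name for u in users
        if ADMINISTRATORS not in u.groups
        and u.default_model_group not in u.groups
    )


# Constructed sample data: user names are illustrative only.
EU = "European Model Builders"
USERS = [
    User("anna", {"EVERYONE", MODELBUILDERS, EU}, default_model_group=EU),
    User("ben", {"EVERYONE", MODELBUILDERS}),
    User("carla", {"EVERYONE", MODELBUILDERS}, default_model_group=EU),
    User("dev", {"EVERYONE", ADMINISTRATORS}),
]
BY_NAME = {u.name: u for u in USERS}

if __name__ == "__main__":
    for creator, title in [("anna", "EU Costs"), ("ben", "Group P&L"),
                           ("carla", "EU Forecast")]:
        model = create_model(BY_NAME[creator], title)
        print(f"{title!r} by {creator}, groups {sorted(model.groups)}: "
              f"{who_can_access(model, USERS)}")
    print("Default Model Group without membership:", default_group_gaps(USERS))
```

In this data, carla's Default Model Group is set to European Model Builders but she was never added to it, which is the situation the Note above describes.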

6.1.2.5.4 Password Reset

An administrator can reset user passwords at any point. Reset Password is located on the context menu of the Users pane of the User and Group Maintenance screen. The passwords of multiple users can be reset at the same time, provided that the password is to be the same across all users.

When a user’s password needs to be reset, this state is denoted by a symbol next to the user name. The most likely circumstances that would require a user’s password to be reset are:

● When users are first created (because a random password is set for new users)
● When users are imported into a database with a model, because user passwords cannot be exported from the original model.
● Alternatively, a user may forget their password and need it to be reset without having been locked out of the application. In this case, an administrator can reset a user password using the procedure outlined previously.

Passwords can contain spaces, mixed case letters, alphanumeric and non-alphanumeric characters, and are case sensitive. The default minimum password length is 5 characters. Password properties such as minimum password length and keyboard combinations (strong passwords) are defined on the Security tab of the System Properties screen.

After resetting the user’s password, the administrator can set the User Properties to force the user to change their password when they next log in.

Note: The default Administrator password cannot be reset using the User and Group Maintenance screen. The password for this user can only be reset by the Administrator changing the password in Tools > Change Password.

Related Information

Password Properties [page 30]
Password Control and Security [page 37]
User & Group Maintenance Information and Management [page 33]

6.1.2.5.5 Password Properties

The options on the User Properties General tab allow the administrator to set individual user password options. You locate this tab by selecting Properties from the context menu of the Users area of the User and Group Maintenance screen.

The SID (Security Identifier) may be stored against a user in the system as an alternative means of User access, instead of the username and password. The use of SIDs increases the security of SSO (Single Sign On) integration because an SID is not easily identifiable with a specific user.

When a SID is used to log in, the Windows Client user interface and web user interface display the username, rather than the SID.

Password expiry can improve security by forcing users to change their password at set intervals. By default, when new users are created the Password never expires property is switched on. Expiry Interval and Expiry Warning interval are configured in the System Properties window.

The User Properties dialog box contains Full Name, Description, E-mail address, and SID boxes. This dialog box also enables a number of password settings to be configured using four options:

● User must change password at next login – This forces the user to reset their password when first logging on to the system. This setting is required if the user is to be forced to change their password once it has been either set at creation time or reset at any other time.

● User cannot change password – This option is set only if the Administrator intends to manage all user password changes or in conjunction with the Password never expires option.

● Password never expires – This is the default setting when a new user is created. This must be left enabled if the password expiry security is not required.

● Account is disabled – This provides the same functionality as the Disable Account command on the User context menu.

Related Information

Account Enable / Disable [page 31]
Password Expiry [page 37]
User & Group Maintenance Information and Management [page 33]

6.1.2.5.6 Account Enable / Disable

This function is useful when a user has disabled their account through too many unsuccessful login attempts. The number of unsuccessful logins allowed is held in System Properties. This value is normally set to 3 and a user account is automatically disabled after the fourth unsuccessful login attempt. Once this occurs, the user must contact an Administrator to enable their account again via the Users and Groups screen.

Similarly, a user’s account is disabled if the user fails to change their password before the number of days set in the Password Expiry Interval.

Alternatively, you can set a user account to disabled if you want to deny the user access if, for example, they no longer need to use the system.

Related Information

Configuring Login Failure Count [page 38]
Password Expiry [page 37]
To enable an account [page 31]
To disable an account [page 32]
User context menu [page 34]
User & Group Maintenance Information and Management [page 33]
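The lockout and expiry rules above interact with the per-user password options described under Password Properties. The following sketch is an added example, not SAP code: it evaluates constructed account records against those rules and reports which accounts end up disabled and which settings deserve review. The record fields, the 90-day and 14-day intervals, the reading of the warning interval as days before expiry, and treating a password age equal to the interval as expired are all assumptions.

```python
from dataclasses import dataclass


@dataclass
class SystemProperties:
    login_failure_count: int = 3    # "normally set to 3" per this guide
    expiry_interval_days: int = 90  # constructed value
    expiry_warning_days: int = 14   # constructed value


@dataclass
class Account:
    name: str
    password_never_expires: bool = True  # default for newly created users
    cannot_change_password: bool = False
    account_disabled: bool = False
    failed_logins: int = 0       # consecutive unsuccessful login attempts
    password_age_days: int = 0   # days since the password was last changed


def disabled_reason(acct, props):
    """Return why the account is disabled, or None if it can still log in."""
    if acct.account_disabled:
        return "disabled by an administrator"
    # With a limit of 3, the fourth unsuccessful attempt disables the account.
    if acct.failed_logins > props.login_failure_count:
        return "login failure count exceeded"
    if (not acct.password_never_expires
            and acct.password_age_days >= props.expiry_interval_days):
        return "password not changed within the expiry interval"
    return None


def findings(acct, props):
    """Settings that the guide's recommendations suggest reviewing."""
    out = []
    if acct.name.lower() == "administrator":
        out.append("default Administrator user has not been renamed")
    if acct.password_never_expires:
        out.append("Password never expires is on: expiry is not enforced")
    else:
        if acct.cannot_change_password:
            out.append("User cannot change password is set without "
                       "Password never expires")
        days_left = props.expiry_interval_days - acct.password_age_days
        if 0 < days_left <= props.expiry_warning_days:
            out.append(f"password expires in {days_left} day(s)")
    return out


def audit(accounts, props):
    return {a.name: {"disabled": disabled_reason(a, props),
                     "findings": findings(a, props)} for a in accounts}


# Constructed sample records (not exported from any real system).
SAMPLE = [
    Account("administrator"),
    Account("jsmith", password_never_expires=False,
            failed_logins=3, password_age_days=80),
    Account("mlee", password_never_expires=False,
            failed_logins=4, password_age_days=10),
    Account("reports", password_never_expires=False,
            cannot_change_password=True, password_age_days=95),
]

if __name__ == "__main__":
    for name, result in audit(SAMPLE, SystemProperties()).items():
        print(name, result)
```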

6.1.2.5.6.1 To enable an account

Context

A disabled account is denoted by a red cross next to the user name.

To enable a disabled user account:

Procedure

1. Select the user in the User panel of the User and Groups Maintenance screen.
2. Either:
   ○ Select Enable Account(s) from the right-click context menu or
   ○ Select Properties from the right-click context menu, then in the User Properties dialog box, clear the Account is disabled check box.

Results

The red cross is removed and the account is unlocked.

Related Information

Account Enable / Disable [page 31]
To disable an account [page 32]

6.1.2.5.6.2 To disable an account

Context

To disable a user account:

Procedure

1. Select the user in the User pane of the User and Groups Maintenance screen.
2. Either:
   ○ Select Disable Account(s) from the context menu or
   ○ Select Properties from the context menu and in the User Properties dialog box, select Account is disabled.

Results

The account is locked out and a red cross appears next to the user name.

Related Information

Account Enable / Disable [page 31]
To enable an account [page 31]

6.1.2.6 User & Group Maintenance Information and Management

Users and Groups are created and maintained via the User and Group Maintenance screen. You access this screen by selecting Tools > Security > Users and Groups. By default, the left-hand pane contains the user names and the middle pane contains User Groups. The Users and Groups panes can be swapped using the context menu to allow an alternative focus that displays members according to Group membership. Information about a user is displayed when that user is selected in the Users pane.

There are two main areas of additional features on the User and Group Maintenance screen. These are the information panel down the right-hand side and additional commands on the context menu.

Tip: To view the security access levels for an individual user implied by their group membership, use the Security Explorer screen (Tools > Security > Security Explorer).

Related Information

Group context menu [page 35]
User & Group Maintenance Information Panel [page 34]
User context menu [page 34]
Users & Groups Sorting [page 35]
Viewing a User's security settings [page 81]

6.1.2.6.1 User & Group Maintenance Information Panel

The User and Group Maintenance screen has an Information area in the right-hand pane. This area displays information about a selected User.

Standard user information is available in this pane, including the username, the date the user was created, who created the user, the user's email address (for use in additional SAP BusinessObjects Profitability and Cost Management applications such as Work Manager), and user group membership. An Edit User Information command is also available.

If multiple users are selected in the user screen, their user information is displayed in order in the user information area.

Tip: You can minimize this panel by selecting the area between the two arrows in the cross bar separating it from the middle pane. Similarly, select the same area at the right-hand side of the window to display the Information panel when it is minimized.

6.1.2.6.2 User context menu

The User context menu contains the main functions required to manage Users.

● Add inserts a new User with an initial default name.
● Delete allows you to delete one or more selected Users in the panel.
● Reset Password(s) allows you to reset one or more selected User passwords.
● Rename allows you to rename a selected user.
● Enable Account(s) allows you to enable a user account that has been locked out after too many unsuccessful login attempts (an account is locked after the System Properties login failure count has been exceeded).
● Disable Account(s) allows you to disable a user account, which prevents that user being able to log in to the application.
● Properties - the options on the General tab allow the administrator to set individual user password options and enter Full Name, Description, and E-mail data. The Member Of tab shows Group membership for that user.
● Default Model Group allows you to specify a user group to which all new models created by that user are assigned.
● Synchronize SAP BusinessObjects Users allows you to import users from or export users to SAP BusinessObjects Business Intelligence platform for the purpose of synchronizing user names to enable universal security access. For more information on synchronizing users, see the SAP BusinessObjects Profitability and Cost Management Integration Guide.
● Swap User / Group view swaps the position of the Users and Groups panes on the screen for personal preference.


Related Information

Account Enable / Disable [page 31]
Password Properties [page 30]
Password Reset [page 29]
User’s Default Model Group [page 28]

6.1.2.6.3 Group context menu

● Add allows you to add additional groups, which initially have a default group name to be edited.
● Delete allows you to delete one or more selected groups.
● Rename allows you to edit an existing group name.
● Filter on Membership allows you to filter the groups viewed. If this is checked, only the groups to which a selected user is assigned are displayed in the Groups panel.
● Swap User / Group Focus swaps the position of Users and Groups on the screen for personal preference.

Related Information

Creating a new Group [page 26]

6.1.2.6.4 Users & Groups Sorting

User names and Group names can be sorted in alphabetical order in their respective panels by selecting their column headers in the User and Group Maintenance screen. The order in which they are sorted is denoted by an upward- or downward-pointing arrow in the column header.

Note: The Groups pane is sorted slightly differently to the Users pane - predefined User Groups are grouped together followed by user-defined Groups.

6.1.2.7 User Model Access

The Security tab on the Model Administration screen is available only to Administrators. The Security tab lists the model name and description on the left-hand side, and Groups on the right-hand side. Model security restricts access to models according to the User Group to which a model is assigned. To be able to view a model in the Model Selection dialog box in the Windows client or the web, a user must be a member of a User Group assigned to that model. Without being assigned to an appropriate group, the user is effectively denied access to the model.


Security access is assigned to each Model according to User Group membership. By default, a model is created with access for ADMINISTRATORS and MODELBUILDERS only. This is not the case for a model created by a user who has been assigned an alternative Default Model Group.

In order for members of any other groups to access the model, an Administrator must assign each Group security access within the Security tab in Model Administration. A user who is a member of several User Groups can see every model to which any of those Groups is assigned. Further security restrictions can then be assigned within each model.

All columns within the Security tab are sortable and the Group / Model focus can be switched to allow security assignments to be viewed in a variety of ways. Sorting is denoted by an arrow in the column header.

You can also view Models according to the Users assigned to them using the View Models by User button in the Security tab. This opens the User Models dialog box, which allows an Administrator to select a User name and to see which models that user has access to.

Related Information

Group / Descriptor Assignments [page 78]
User’s Default Model Group [page 28]

6.1.2.7.1 To access the Model Administration screen

Context

Model Administration can be accessed only if you are logged into Model Builder without a model open. With the appropriate Action Access security privilege, you can achieve this in three different ways:

Procedure

● Close the model you are in and click the Manage Models toolbar icon.
● Close the model you are in and select Tools > Model Admin.
● After entering your user name and password to log in, the Model Selection dialog box is displayed, where you can click Model Admin.

The first time you access the application, the available models pane appears blank; otherwise it shows all accessible models.

Results

Any of the above three methods allows you access to Model Administration.


6.1.3 Password Control and Security

The System Properties window is accessed via Tools > Security > System Properties. The Security tab provides system level options for password control that can be set by an administrator:

● The Set Minimum Password Length box
● The Strong Password, requires at least one non alpha key check box
● The Default Password Expiry Interval (days) box
● The Login failure count before disabling box
● The Password History to check on change of password box

The default minimum password length may be specified as required.

Related Information

Configuring Login Failure Count [page 38]
Password Expiry [page 37]
To make strong passwords obligatory [page 37]

6.1.3.1 To make strong passwords obligatory

Context

Strong password protection ensures that users are forced to use a combination of letters and numbers or keyboard symbols when creating a login password.

To enforce use of strong passwords:

Procedure

1. Select Tools > Security > System Properties.
2. On the Security tab, select the checkbox Strong Password, requires at least one non alpha key.

6.1.3.2 Password Expiry

Password expiry can improve security by forcing users to change their password at set intervals. The Password Expiry settings are held on the System Properties window accessed via Tools > Security > System Properties.


The Default Password Expiry Interval (days) is set to 90 days by default, while the minimum value that can be set is 30 days. The Password Expiry Warning (days) is the number of days before a password is due to expire that will cause the user to be prompted to change their password. With the correct privileges, a user can reset their password at any time and the expiry period can be reset. If the user fails to change their password before the expiry date, the account is disabled and must be reset by an administrator.

Related Information

Account Enable / Disable [page 31]

6.1.3.3 Configuring Login Failure Count

It is possible to configure the number of login failures allowed before user accounts are locked. This is set on the System Properties window accessed via Tools > Security > System Properties. The minimum value is 3 attempts, which is also the default setting.

Once a user account is locked, only an administrator can reset it.

Related Information

Account Enable / Disable [page 31]

6.1.3.4 Checking Password History

To improve password security, administrators can set restrictions on the re-use of passwords in the Password History to check on change of password box.

In this box, you specify the number of previously used passwords to check against when a user changes their password. For example, if you specify a value of 10, the system checks the new password against the 10 most recently used passwords for that user. If the new password is the same as an old one, the user receives an error message and must enter a different password.

This setting comes into effect when a user is forced to change their current password because it is due to expire. The default value for the setting is 5 and you cannot set it to a lower value.
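
The password controls described in this section (length, strong password, expiry, login failure count and password history) can be modelled together to see how they interact. The following Python sketch is an added example, not SAP code: the class names, the minimum length of 8, the PBKDF2 storage of old passwords, locking on the Nth consecutive failure, and applying the history check to every password change are assumptions of the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import date, timedelta

# Bounds and defaults stated in the Password Control and Security section.
MIN_EXPIRY_DAYS, DEFAULT_EXPIRY_DAYS = 30, 90
MIN_FAILURE_COUNT = 3   # minimum and default
MIN_HISTORY = 5         # minimum and default


@dataclass(frozen=True)
class Policy:
    min_length: int = 8          # assumed; the guide states no default length
    strong: bool = True          # "requires at least one non alpha key"
    expiry_days: int = DEFAULT_EXPIRY_DAYS
    failure_count: int = MIN_FAILURE_COUNT
    history: int = MIN_HISTORY

    def __post_init__(self):
        # Values below the documented floors cannot be configured.
        if (self.min_length < 1 or self.expiry_days < MIN_EXPIRY_DAYS
                or self.failure_count < MIN_FAILURE_COUNT
                or self.history < MIN_HISTORY):
            raise ValueError("setting below documented minimum")

    def deviations(self):
        """Settings a reviewer should ask about: strong passwords off,
        or a value that differs from the documented default."""
        out = []
        if not self.strong:
            out.append("strong")
        if self.expiry_days != DEFAULT_EXPIRY_DAYS:
            out.append("expiry_days")
        if self.failure_count != MIN_FAILURE_COUNT:
            out.append("failure_count")
        if self.history != MIN_HISTORY:
            out.append("history")
        return out


def _digest(password: str, salt: bytes) -> bytes:
    # Storage format is this example's choice, not the product's.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class Account:
    def __init__(self, policy: Policy, password: str, today: date):
        self.policy, self.enabled, self.failures = policy, True, 0
        self.history = []            # [(salt, digest)], newest last
        ok, reason = self.change_password(password, today)
        if not ok:
            raise ValueError(reason)

    def change_password(self, new: str, today: date):
        p = self.policy
        if len(new) < p.min_length:
            return False, "too short"
        if p.strong and new.isalpha():
            return False, "needs a non-alpha character"
        # Compare against the N most recently used passwords.
        for salt, digest in self.history[-p.history:]:
            if hmac.compare_digest(_digest(new, salt), digest):
                return False, "matches a recent password"
        salt = os.urandom(16)
        self.history.append((salt, _digest(new, salt)))
        self.expires = today + timedelta(days=p.expiry_days)
        return True, "changed"

    def login(self, password: str, today: date) -> str:
        if not self.enabled:
            return "disabled"
        if today > self.expires:     # not changed before the expiry date
            self.enabled = False
            return "disabled"
        salt, digest = self.history[-1]
        if hmac.compare_digest(_digest(password, salt), digest):
            self.failures = 0
            return "ok"
        self.failures += 1
        # Assumption: the account locks on the Nth consecutive failure.
        if self.failures >= self.policy.failure_count:
            self.enabled = False
            return "locked"
        return "failed"

    def admin_enable(self):
        """Only an administrator can re-enable a locked account."""
        self.enabled, self.failures = True, 0
```

With the default history of 5, a password becomes reusable again after five other passwords have been set, and a locked or expired account rejects even the correct password until an administrator intervenes.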

6.2 User Data Synchronization

A user synchronization tool is provided that allows the synchronization of user names between an SAP BusinessObjects Profitability and Cost Management system and SAP BusinessObjects Business Intelligence platform. This ensures that user names that belong to one or both systems are synchronized to enable universal Enterprise security access.

If a user is synchronized with SAP BusinessObjects Business Intelligence platform, the User Properties dialog box, which is accessed via the Properties context menu item for the user in the User and Group Maintenance screen, has an Authentication Servers tab. The tab displays the names of the SAP BusinessObjects Business Intelligence platform servers that the user is synchronized across. The tab also allows you to disassociate multiple or individual servers from the user by removing the ability to use Enterprise authentication with that source.

For more information on user synchronization, see the SAP BusinessObjects Profitability and Cost Management Integration Guide.

6.3 Integration into Single Sign On Environments

SAP BusinessObjects Profitability and Cost Management can either use the application's default security or be integrated with Windows NT LAN Manager (NTLM), Windows™ Active Directory or LDAP compliant systems to allow Single Sign On (SSO). In addition, it is possible to integrate logins over the web with Web Security directory services.

This section outlines the available system login options and explains how to integrate SAP BusinessObjects Profitability and Cost Management login with Web security.

6.3.1 SAP BusinessObjects Profitability and Cost Management Default Security

For the default security, only those users created by the Administrator and stored in the database can log into SAP BusinessObjects Profitability and Cost Management applications, depending on their assigned roles.

6.3.2 Single Sign On

To use Single Sign-On (SSO), a user login that matches the user's Windows login must have been created in SAP BusinessObjects Profitability and Cost Management. If the Windows and application logins match and the roles assigned to that user permit access, the applications will open without requiring the user to enter a username and password.

User logins created in SAP BusinessObjects Profitability and Cost Management do not require a password because the user has already been authenticated. However, configuring passwords will permit a user to bypass SSO and access applications using default security. This can be useful to log on as administrator and create logins that match a user's Windows login, or where a user wishes to gain access using a different login, or when the machine is not networked. To bypass SSO, you hold down the Shift key while clicking the Login icon, which causes the default Login dialog box to appear.

You can configure the software with the following login options.


● Allow Users to Select from the List of Available Authentication Types - select this option to allow users to select a Single Sign On type from a list in the Login dialog box. You can choose which Single Sign On types are available in the list.

● Profitability and Cost Management Standard Security - This option uses the software's user security.

● Windows NT Security - A user's access is determined by authentication against a Windows domain via NTLM.

● Windows Active Directory Security - SAP BusinessObjects Profitability and Cost Management access is determined by user authentication against the Active Directory service for the domain.

● LDAP Security - SAP BusinessObjects Profitability and Cost Management access is determined by user authentication against a Lightweight Directory Access Protocol (LDAP) compliant directory service.

● Enterprise - The Enterprise security features can be configured for either SAP BusinessObjects Business Intelligence platform 4.0 or the SAP BusinessObjects Information Platform Services 4.0 software.

● Web Security - SAP BusinessObjects Profitability and Cost Management can be integrated with Web security to allow SSO access to Books viewed over the web. The application's security must be integrated with Web Security.

When configuring these login options, you can also specify a default login option. For more information on configuring these security settings, see the SAP BusinessObjects Profitability and Cost Management Installation Guide.

Tip: If logging onto the web through SSO fails for any reason, provided that Enable Secondary Logon has been set during configuration of the product, the usual login form is displayed. If the configuration option has not been set, an error message is displayed.

To use the override procedure, cancel the login dialog box or any error message. Then, while holding down the Shift key, click the Refresh icon or the GO button. You can then enter the required username and password.

6.3.2.1 To integrate SAP BusinessObjects Profitability and Cost Management login with Web security

Context

The System Administrator can take the following steps to allow application security to be integrated with Web security.

The following steps assume you have set up a Form based Authentication scheme that is used in the Policy Domain protecting the IIS (Internet Information Services) web resources for the software.

To integrate security settings:


Procedure

1. In the COREid Access Manager locate the Policy Domain that was created to protect the Resource for the IIS PCM Directory.
2. Select the Policy and click the Default Rules tab.
3. In the Authentication Rule Actions tab, click Add.
4. In the Redirect To box for the Authentication Success, enter the hostname and path to book.asp, found in the PCM IIS files folder - for example /PCM/book.asp
5. Click Save.
6. In the Authorization Rules tab, click the Actions tab.
7. Click Add.
8. In the Authorization Success Return section, add a Return Attribute with the following properties:
   a. Type: HeaderVar
   b. Name: [header var name] (the default value used in the SAP BusinessObjects Profitability and Cost Management Configuration Wizard - EPMSSO). If an SID (Security Identifier) has been provided for the user, this will be used in place of the Username value.
   c. Return Attribute: [Attribute name] for example, where [Attribute name] is the identifier that will be used to match the user names defined in SAP BusinessObjects Profitability and Cost Management security, or an attribute that equates to the SID.
9. Click Save.
10. Ensure the Policy is enabled.

Results

The system should now be configured to allow SSO access to the web application.

Related Information

Password Properties [page 30]

6.3.3 Multiple System Login

During configuration of the product, you configure login options to connect to multiple systems. The following options are available:

● You can allow users to enter the name of the server to which they want to connect during login.
● You can configure a list of available servers from which users can select.

For more information on configuring multiple system options, see the SAP BusinessObjects Profitability and Cost Management Installation Guide.


7 Authorizations

In SAP BusinessObjects Profitability and Cost Management security access is allocated using security descriptors that are referenced by User Groups. Security access levels are then assigned to these security descriptors to determine what users can do according to the User Groups to which they belong.

Different levels of security access are possible for different security actions, fields, and dimension descriptors—ranging from Full Access to No Access, depending on the particular security descriptor. Security access levels can be set for User groups in the Group/Descriptor Assignment screen.

Users and groups are common to all models, but security descriptors and Group assignment levels are set on a per-model basis (excluding the Model Administration actions). Security levels are not automatically inherited across models. The exception is members of the ADMINISTRATORS group, who automatically have full access to all security descriptors.

Note: Only a member of the ADMINISTRATORS group can assign security descriptors within the application.

In this section we describe security levels and security descriptors for the product, and explain how to assign levels and descriptors, as well as how to set Group/Dimension security in the following topics:

● “Security access levels”
  This topic lists and describes the security access levels that are available in the application and explains how group membership affects the security access levels of a user.

● “Security descriptors”
  This topic describes the groups of security descriptors and provides definitions of the different descriptors within those groups.

● “Group / Descriptor Assignments”
  This topic explains how to assign security descriptors to groups.

● “Group/Dimension Security”
  This topic describes Group/Dimension security and explains how to set Group/Dimension security.

● “Viewing a User's security settings”
  This topic describes how to use the Security Explorer screen to view a summary of all the security settings for a user.

7.1 Security access levels

Security descriptors can be assigned differing levels of security access, which have different effects. The number of access levels available varies depending on the actual security descriptor selected.

The basic levels of security are detailed below:

● No Access denies a user any access to an action, value, or dimension item. The user cannot see the item in their view.


● View Only allows a user to view an item assigned with that security, but they cannot edit the item or data of that item. Values that normally appear editable are not editable when this security level is assigned.

● Edit Data allows a user to view an item and to edit values of that item, but not the structure. Dimension items cannot be edited or inserted with this level of access.

● Edit Structure allows a user to view and edit a dimension item in name and hierarchy structure. With this level of Dimension Access security, you can insert new items, move existing items, and edit item names. Books may be created but not edited.

● Full Access gives a user full access to an item—similar to the level of an Administrator.

By default, the ADMINISTRATORS group has Full Access to all Security Descriptors except for the following:

● Resource Drivers Assignment
● Responsibility Center / Activity Assignment
● Activity Reassignment
● Cost Object Assignment

Related Information

Action Access Security Group Definitions and Security Levels [page 48]
Dimension Access Security Group [page 77]
Field Access Security Group Definitions [page 66]
Report Task Access Security Group [page 78]

7.1.1 User Group Security Access Levels

Security access for each user group is controlled by security descriptors. However, before defining your users and groups, it is important to understand how access levels for groups can be applied to suit your requirements.

Individual users inherit the security levels assigned to each of the groups to which they belong for a specific model. When a user belongs to more than one User Group, they inherit a combination of the widest security permitted within all of those User Groups. For example, if the Administrators group has the security level No Access to Maintaining Users and a User Maintenance group has Full Access, a user who is a member of both groups attains Full Access to Maintaining Users.

For licensing purposes, some tasks require users to be a member of one of the ADMINISTRATORS, MODELBUILDERS or BOOKBUILDERS groups to perform the task. However, not every user needs to be given the access levels that are assigned to these predefined groups by default.

For example, the default access level to the security descriptor Create Model Security is Full Access for Model Builders. To allow users to open the Model Builder application but prevent them from creating new models, change Create Model Security access to No Access for Model Builders. Now you can have users that belong solely to the MODELBUILDERS group who can open the Model Builder application without being able to create new models. Next, create another new User Group and assign it Full Access to Create Model Security. Thus you can have other users belonging to both the MODELBUILDERS group and the newly created group, who can open the Model Builder application and also create new models.


Related Information

Security Descriptors [page 44]

7.2 Security Descriptors

Security Descriptors are used to assign security access levels to Groups. They are also labels that can be assigned to actions, data fields or dimension elements, and books within a model. Security access levels are then assigned to these Security Descriptors on a group-by-group basis to allow or restrict User Group access to various actions or elements within a model.

Select Tools > Security > Security Descriptors to open the Security Descriptors screen. The Security Descriptors are divided into four groups: Action Access Security Group, Field Access Security Group, Dimension Access Security Group, and Report Task Access Security Group. The Group level items in this screen can be expanded or contracted for display preferences by double-clicking. The description for each Security Descriptor is displayed in the information area of the screen in the Description column on the right-hand side of the screen.

The descriptors in the Action Access and Field Access Security Groups are all predefined and may not be edited. The Dimension Access and Report Task Access Security Groups each contain a predefined descriptor which may be edited, namely Default Dimension Security and Default Report Task Security. The groups can also have additional descriptors defined by an administrator for each particular model.

Related Information

Action Access Security Group [page 44]
Dimension Access Security Group [page 46]
Field Access Security Groups [page 45]
Report Task Access Security Group [page 48]

7.2.1 Action Access Security Group

Action Access Security Descriptors are predefined actions in the software to which you may limit a user’s access. For example, security levels may be assigned according to the role of a user, especially where different levels of access are required within each role (for example, View Builder, Book Builder, Model Builder).

Action Access Security is mainly divided into Import / Export, Books, Model Management, Driver Analysis, Assignment functionality, Password Access, and Data Alias Access.


Related Information

Action Access Security Group Definitions and Security Levels [page 48]

7.2.2 Field Access Security Groups

Field Access Security Descriptors refer to Value fields defined on Grid layouts. Different levels of user may need different levels of access to specific values. Field Access Security Descriptors can be used to restrict access to values displayed in the Windows Client, the Web Client, and Book Viewer. For Profitability and Costing models, Bill of Materials models, and Transactional Costing models, the Security Descriptors screen divides Field Access Security Descriptors into the following groups:

● Field Access Security General Group
● Field Access Security Activity Group
● Field Access Security Cost Object Group
● Field Access Security Driver Group
● Field Access Security Service Group
● Field Access Security Delta Group
● Field Access Security Data Values Group

For Objectives and Metrics models, Field Access Security Descriptors are divided into the following groups:

● Field Access Security General Group
● Field Access Security Metric Group
● Field Access Security Objective Group
● Field Access Security Boundary Group
● Field Access Security Weighting Group
● Field Access Security Data Values Group
● Field Access Security Icon and Color Group

The groups listed here map to the groups of grid values available in View Builder.

Tip: Field Access security works in conjunction with Dimension Descriptor security. A user must have sufficient levels of access in BOTH of these groups to edit or view Values.

Related Information

Field Access Security Group Definitions [page 66]


7.2.3 Dimension Access Security Group

Dimension Access Security Descriptors are definable security labels that can be applied to almost any Dimension line item (only excluding Currencies, Capacity Rules, and User defined Rules). Default Dimension Security is the only descriptor initially available under which all Dimension items are automatically assigned when they are first created. However, personalized security descriptors may also be added to this group.

Dimension Access Security Descriptors are assigned to Dimension items using the Security section of the Dimension screen item details panel. They can also be assigned to Books using the Book Security setting within the Formatting tab of specific books. To restrict access to specific Dimension items within your model, personalized descriptors must be assigned.

Note: Dimension Access Security Descriptors can be used in Books to restrict User Group access to specific Books.

Related Information

Book Security Assignment [page 84]
To create/amend personalized Dimension Access security descriptors [page 46]
To remove a Dimension Access security descriptor [page 47]

7.2.3.1 To create/amend personalized Dimension Access security descriptors

Context

Open the Security Descriptors screen using Tools > Security > Security Descriptors.

Procedure

1. Select either the group or another descriptor within the group.
2. To add a new descriptor, select Add from the context menu.

   The Add Security Descriptor dialog box appears, prompting you to enter a name in the Descriptor Name box and a description in the Description box.

   This facility allows you to personalize security across dimensions.
3. To edit the name or description of an existing descriptor, either select Edit Name or Edit Description from the context menu.


The name and/or description associated with any Dimension Access security descriptor can be amended to provide more detailed information appropriate for each action.

Results

Once you have defined a Dimension security descriptor, it appears under this group in the Security Descriptors list and security access can now be assigned to this in the Group / Descriptor Assignment screen.

7.2.3.2 To remove a Dimension Access security descriptor

Context

Open the Security Descriptors screen using Tools > Security > Security Descriptors.

To remove a Dimension Access security descriptor:

Procedure

1. Right-click the item required in the Security Descriptor list and select Delete in the context menu.

Note: Once a security descriptor has been assigned for use in your model, you cannot subsequently delete that descriptor and the Delete option is grayed out. This applies, for example, to the Book Security selected for a Book or to the Security selected for a dimension item.

A message box asks you to confirm the remove action.

2. Click OK to remove the security descriptor, or click Cancel to cancel the operation.

Tip: You can select multiple security descriptors for deletion at the same time by selecting security descriptors while holding down the CTRL key or by using SHIFT + CTRL to select a list of security descriptors. You then right-click the selected items, select Delete, and confirm the deletion.

Related Information

Book Security Assignment [page 84]


7.2.3.3 Security Access Interactions

Field Access Security and Dimension Access Security levels can be used to restrict the values and dimension items users can view or edit. These two security descriptor types interact in grid layouts in both Books and View Builder. If a user has restricted access to either a dimension item or grid value, they are restricted in viewing or editing all items directly relevant to these elements.

Security of this type is useful to restrict access across <Responsibility Centers> and their associated <Line Items>, for example, or the values a user can see at different levels within a company (for example, data entry, cost center manager).
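
The two combination rules in this chapter, the widest level across a user's groups (User Group Security Access Levels) and the need for sufficient access in both Field Access and Dimension Access security (Security Access Interactions), can be worked through for an access review. The following Python sketch is an added example, not SAP code: the function names, the users, the groups USER_MAINTENANCE and MODEL_CREATORS, the descriptor "Example Field Descriptor", treating the five levels as one ordered scale, and treating an unassigned descriptor as No Access are assumptions of the example.

```python
from enum import IntEnum


class Level(IntEnum):
    # Ordered as the guide lists the basic levels, narrowest to widest.
    NO_ACCESS = 0
    VIEW_ONLY = 1
    EDIT_DATA = 2
    EDIT_STRUCTURE = 3
    FULL_ACCESS = 4


def can_see_model(model_groups, user_groups):
    """A user sees a model only if a group they belong to is assigned to it."""
    return bool(set(model_groups) & set(user_groups))


def effective(levels, user_groups, descriptor):
    """Return (level, granting groups): the widest level held across all
    of the user's groups. There is no deny-wins rule."""
    held = {g: levels.get(g, {}).get(descriptor, Level.NO_ACCESS)
            for g in user_groups}
    best = max(held.values(), default=Level.NO_ACCESS)
    if best == Level.NO_ACCESS:
        return best, []
    return best, sorted(g for g, lvl in held.items() if lvl == best)


def value_access(levels, user_groups, field_descriptor, dimension_descriptor):
    """Field and Dimension security must BOTH allow the operation, so the
    narrower of the two effective levels decides."""
    field_level, _ = effective(levels, user_groups, field_descriptor)
    dim_level, _ = effective(levels, user_groups, dimension_descriptor)
    return min(field_level, dim_level)


def review(users, levels, descriptor):
    """Access review: who holds more than No Access, and through which group."""
    rows = []
    for user, groups in sorted(users.items()):
        level, granting = effective(levels, groups, descriptor)
        if level > Level.NO_ACCESS:
            rows.append((user, level.name, granting))
    return rows


# Constructed sample data following the two examples given in the guide.
LEVELS = {
    "ADMINISTRATORS": {"Maintaining Users": Level.NO_ACCESS},
    "USER_MAINTENANCE": {"Maintaining Users": Level.FULL_ACCESS},
    "MODELBUILDERS": {
        "Create Model Security": Level.NO_ACCESS,
        "Example Field Descriptor": Level.EDIT_DATA,
        "Default Dimension Security": Level.VIEW_ONLY,
    },
    "MODEL_CREATORS": {"Create Model Security": Level.FULL_ACCESS},
}
USERS = {
    "alice": {"ADMINISTRATORS", "USER_MAINTENANCE"},
    "bob": {"MODELBUILDERS"},
    "carol": {"MODELBUILDERS", "MODEL_CREATORS"},
}

if __name__ == "__main__":
    for descriptor in ("Maintaining Users", "Create Model Security"):
        print(descriptor, review(USERS, LEVELS, descriptor))
```

Because the widest level wins, setting No Access on one group does not restrict a user who also belongs to a more permissive group; the review output names the group that grants the access.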

7.2.4 Report Task Access Security Group

This group contains a single descriptor, Default Report Task Security Descriptor, which controls access to the Report Manager application.

7.2.5 Security Descriptor Definitions

The tables that follow provide definitions for the different types of security descriptors.

7.2.5.1 Action Access Security Group Definitions and Security Levels

Security Descriptor Security

This descriptor is available to all model types.

Access to Security Descriptors in Model Builder

Security Level: View Only
Access allowed: Every user must have this minimum level of access.

Security Level: Full Access
Access allowed:
1. Add, rename, change the description, and delete security descriptors
2. Change the security level assigned to a group
3. Access the Security Descriptor drop-down list in dimension windows – dimension items Security area
Additional requirements:
1. Must be a member of ADMINISTRATORS group.
2. Full Access to Open Models required.


Book Security

This descriptor is available to all model types.

Access to the Books functionality within the Windows client and over the web

Security Level: No Access
Access allowed: Access to Books denied

Security Level: View Only
Access allowed: View only access for (published) books
Additional requirements:
1. Must be a member of ADMINISTRATORS, MODELBUILDERS or BOOKBUILDERS.
2. The security access assigned to the book via the Dimension Access security descriptor needs to be taken into account.
3. Full Access to Open Models required.

Security Level: Full Access
Access allowed:
1. Change the security descriptor assigned to a book (in the book’s Formatting tab, Book Security field)
2. Add a new book
3. Rename a book
4. View and Edit a book
5. Publish books
6. Re-arrange books hierarchy
7. Copy a book
8. Delete a book
9. Unlock a book
10. Set Group/Default Book Assignment

Import Security

This descriptor is available to all model types.

Access to import data from an XML file

Security Level Access allowed Additional requirements

No Access Cannot perform imports into the application

Full Access Imports of data into the application can be performed via:

● Model Builder - Import function
● Console Wizard
● Data Bridge

Note: Users may import an XML file that could contain items that they do not have access to. For example, books can be imported even if the user does not have access to the Book Security descriptor.

Additional requirements:
1. Must be a member of either ADMINISTRATORS or MODELBUILDERS.
2. Full Access to Open Models required.

Export Security

This descriptor is available to all model types.

Access to export data to an XML file

Security Level Access allowed Additional requirements

No Access Cannot perform exports from the application

Full Access Exports of data from the application can be performed via:

● Model Builder - Export function
● Console Wizard

Note: To ensure the integrity of an export file, it is possible to include items that the user does not have access to.

Additional requirements:
1. Must be a member of either ADMINISTRATORS or MODELBUILDERS.
2. Full Access to Open Models required.

Create Model Security

This descriptor is available to all model types.

Access to create new models

Security Level Access allowed Additional requirements

No Access Cannot create new models

Full Access Able to create a new model via:

● Console Wizard
● Model Builder - Model Administration

Additional requirements:
1. Must be a member of either ADMINISTRATORS or MODELBUILDERS.

Delete Model Security

This descriptor is available to all model types.

Access to delete existing models

Security Level Access allowed Additional requirements

No Access Cannot delete models

Full Access Able to delete a model to which user has access via:

● Console Wizard
● Model Builder - Model Administration

Additional requirements:
1. Must be a member of either ADMINISTRATORS or MODELBUILDERS.

Copy Model Security

This descriptor is available to all model types.

Access to copy existing models

Security Level Access allowed Additional requirements

No Access Cannot copy models

Full Access Able to copy a model to which user has access via Model Builder - Model Administration

Additional requirements:
1. Must be a member of either ADMINISTRATORS or MODELBUILDERS.

Model Definition Security

This descriptor is available to all model types.

Model Definition Security

Security Level Access allowed Additional requirements

No Access Cannot alter model name or model properties or put the model in partitioning mode.

Full Access Able to:

1. Alter the description of a model to which the user has access

2. Rename a model to which the user has access.
3. Amend model properties of a model to which the user has access, including:
   ○ Alter the description of the model
   ○ Alter the Enabled/Disabled state of the model
   ○ Change the Model Server
   ○ Specify whether database auditing is operating for the model
4. Access the Model Calculation options
5. Create and maintain Navigator screens
6. Alter group dimension security

Additional requirements:
1. Must be a member of either ADMINISTRATORS or MODELBUILDERS.

Able to:

1. Alter the Admin Mode state of the model that the user has access to, therefore allowing Model Partitioning.

Additional requirements:
1. Must be a member of either ADMINISTRATORS or MODELBUILDERS
2. Access affected by Dimension Security Descriptors

Data Alias Management Security

This descriptor is available to all model types.

Access to Manage Data Aliases

Security Level Access allowed Additional requirements

No Access In Model Builder, access is denied to the Manage Data Aliases dialog box, and the user cannot edit an alias using the Edit Data Aliases command in the context menu for the Dimension Item Details pane in the dimension screen.

Edit Data In Model Builder, access is denied to the Manage Data Aliases dialog box, but the user can edit an alias using the Edit Data Aliases command in the context menu for the Dimension Item Details pane in the dimension screen.

Full Access Access to Model Builder - Manage Data Aliases function allows user to Add, Rename or Delete a Data Alias.

Additional requirements:
1. Must be a member of ADMINISTRATORS
2. Full Access to Open Models required.
3. Access affected by Dimension Security Descriptors

Driver Analysis Security

This descriptor is available to all Profitability and Costing, Objectives and Metrics, and Transactional Costing type models.

Access to the Driver Analysis functionality

Security Level Access allowed Additional requirements

No Access Unable to perform Driver Analysis Calculation.

Full Access Able to perform the Model Builder - Driver Analysis Calculation functions:

1. Start New Analysis
2. Perform driver and cost analysis
3. Copy results between versions

Additional requirements:
1. Must be a member of either ADMINISTRATORS or MODELBUILDERS
2. Full Access to Open Models required.
3. Access affected by Dimension Security descriptors

Process Definition Security

This descriptor is available to all model types.

Access to the Work Manager application

Security Level Access allowed Additional requirements

No Access Unable to login to Work Manager application

Full Access Able to:

1. Manage Work Manager processes
2. Run Workflow processes and flows
3. Access the users information from within the Workflow application

Resource Drivers Assignment Security

This descriptor is available to all Profitability and Costing, Objectives and Metrics, and Transactional Costing type models.

Access to the Resource Drivers Assignment functionality

Security Level Access allowed Additional requirements

No Access Access denied to Model Builder – Resource Drivers Assignment functionality.

Full Access Access to all Model Builder - Resource Drivers Assignment functionality via the Resource Drivers Assignment screen.

Additional requirements:
1. Must be a member of either ADMINISTRATORS or MODELBUILDERS.
2. Access affected by Dimension Security descriptors

Responsibility Center / Activity Assignment Security

This descriptor is available to all Profitability and Costing, Objectives and Metrics, and Transactional Costing type models.

Access to the Responsibility Center / Activity Assignment functionality

Security Level Access allowed Additional requirements

No Access Access denied to Model Builder – Responsibility Center / Activity Assignment functionality.

Full Access Access to all Model Builder - Responsibility Center / Activity Assignment functionality via the Responsibility Centers/Activities Assignment screen.

Additional requirements:
1. Must be a member of either ADMINISTRATORS or MODELBUILDERS.
2. Access affected by Dimension Security Descriptors

Activity Reassignment Security

This descriptor is available to all Profitability and Costing, Objectives and Metrics, and Transactional Costing type models.

Activity Reassignment Security

Security Level Access allowed Additional requirements

No Access Access denied to Model Builder™ – Activity Reassignment functionality.

Full Access Access to all Model Builder™ – Activity Reassignment functionality via the Activities Reassignment screen.

Additional requirements:
1. Must be a member of either ADMINISTRATORS or MODELBUILDERS
2. Access affected by Dimension Security Descriptors

Cost Object Assignment Security

This descriptor is available to all Profitability and Costing, Objectives and Metrics, and Transactional Costing type models.

Access to the Cost Object Assignment functionality

Security Level Access allowed Additional requirements

No Access Access denied to Model Builder™ – Cost Object Assignment functionality.

Full Access Access to all Model Builder™ – Cost Object Assignment functionality via the Cost Object Assignment screen.

Additional requirements:
1. Must be a member of either ADMINISTRATORS or MODELBUILDERS
2. Access affected by Dimension Security Descriptors

Open Models Security

This descriptor is available to all model types.

Open Models Security

Security Level Access allowed Additional requirements

No Access Access denied to Model Selection dialog box in Model Builder™. This setting is appropriate for a user group that can administer users but not open models.

Note: The ability of End Users to open models via web or Book Viewer™ is not affected.

Additional requirements:
1. Must be a member of either ADMINISTRATORS or MODELBUILDERS.

Full Access Able to open models in Model Builder™.

Maintain Users and Groups Security

This descriptor is available to all model types.

Access to User and Group Maintenance and Model Group Assignments

Security Level Access allowed Additional requirements

No Access Access in Model Builder™ denied to:

● User and Group Maintenance
● Model Administration Security tab

Full Access In Model Builder™ able to:

1. Open the User and Group Maintenance screen to:
   ○ Add/Delete a user
   ○ Reset a user’s password
   ○ Get a list of users
   ○ Add/Delete a group
   ○ Get a list of groups
   ○ Get a list of the user’s group assignments
   ○ Change a user’s status
   ○ Add/Remove a user to/from a group
   ○ Rename a user
   ○ Rename a group
   ○ Amend user properties
   ○ Set a user’s Default Model Group
2. Access Model Administration Security tab to:
   ○ Give a group access to a model
   ○ Remove a group’s access to a model

Additional requirements:
1. Must be a member of ADMINISTRATORS group

Metric Responsibility Center Assignment Security

This descriptor is available to only Objectives and Metrics type models.

Access to Metrics/Responsibility Centers Assignment Functionality

Security Level Access Allowed Additional Requirements

No Access In Model Builder, access is denied to the Metrics/Responsibility Centers Assignment screen

View Only In Model Builder, access is denied to the Metrics/Responsibility Centers Assignment screen

Edit Data In Model Builder, access is denied to the Metrics/Responsibility Centers Assignment screen

Edit Structure In Model Builder, the ability to access the Metrics/Responsibility Centers Assignment screen and to do the following:

Assign <Metrics> to <Responsibility Centers>
Delete assignments

Additional requirements:
1. User must be a member of either the ADMINISTRATORS or MODELBUILDERS user groups
2. Access is affected by the access level of the Dimension Security descriptors

Full Access In Model Builder, the ability to access the Metrics/Responsibility Centers Assignment screen and to do the following:

Assign <Metrics> to <Responsibility Centers>
Delete assignments

Metric Employee Assignment Security

This descriptor is available to only Objectives and Metrics type models.

Access to Metrics/Employees Assignment Functionality

Security Level Access Allowed Additional Requirements

No Access In Model Builder, access to the Metrics/Employee Assignments screen is denied.

View Only In Model Builder, access to the Metrics/Employee Assignments screen is denied.

Edit Data In Model Builder, access to the Metrics/Employee Assignments screen is denied.

Edit Structure In Model Builder, the ability to access the Metrics/Employee Assignments screen and do the following:

Assign <Metrics> to <Employees>
Delete assignments
Create overrides
Delete overrides

Additional requirements:
1. The user must be a member of either the ADMINISTRATORS or MODELBUILDERS user groups
2. Access depends on the access levels of the Dimension Security Descriptors

Full Access In Model Builder, the ability to access the Metrics/Employee Assignments screen and do the following:

Assign <Metrics> to <Employees>
Delete assignments
Create overrides
Delete overrides

Objective Responsibility Center Assignment

This descriptor is available to only Objectives and Metrics type models.

Access to Objectives/Responsibility Centers Assignment Functionality

Security Level Access Allowed Additional Requirements

No Access In Model Builder, access is denied to the Objectives/Responsibility Centers Assignment screen

View Only In Model Builder, access is denied to the Objectives/Responsibility Centers Assignment screen

Edit Data In Model Builder, access is denied to the Objectives/Responsibility Centers Assignment screen

Additional requirements:
1. The user must be a member of either the ADMINISTRATORS or MODELBUILDERS user groups
2. Access is affected by the access level of the Dimension Security Descriptors

Edit Structure In Model Builder, the ability to access the Objectives/Responsibility Centers Assignment screen and to do the following:

Assign an Objective to a Responsibility Center
Delete assignments

Full Access In Model Builder, the ability to access the Objectives/Responsibility Centers Assignment screen and to do the following:

Assign an Objective to a Responsibility Center
Delete assignments

Objectives Employees Assignment Security

This descriptor is available to only Objectives and Metrics type models.

Access to Objectives/Employees Assignments Functionality

Security Level Access Allowed Additional Requirements

No Access In Model Builder, access to the Objectives/Employees Assignment screen is denied.

View Only In Model Builder, access to the Objectives/Employees Assignment screen is denied.

Edit Data In Model Builder, access to the Objectives/Employees Assignment screen is denied.

Edit Structure In Model Builder, the ability to access the Objectives/Employees Assignment screen and do the following:

Assign <Objects> to <Employees>
Delete assignments
Create overrides
Delete overrides

Additional requirements:
1. The user must be a member of either the ADMINISTRATORS or MODELBUILDERS user groups
2. Access depends on the access level of the Dimension Security Descriptors

Full Access In Model Builder, the ability to access the Objectives/Employees Assignment screen and do the following:

Assign <Objects> to <Employees>
Delete assignments
Create overrides
Delete overrides

Objective Metric Assignment Security

This descriptor is available to only Objectives and Metrics type models.

Access to the Objectives/Metrics Assignment Functionality

Security Level Access Allowed Additional Requirements

No Access In Model Builder, access to the Objectives/Metrics Assignment screen is denied.

View Only In Model Builder, access to the Objectives/Metrics Assignment screen is denied.

Edit Data In Model Builder, access to the Objectives/Metrics Assignment screen is denied.

Edit Structure In Model Builder, the ability to access the Objectives/Metrics Assignment screen and do the following:

Assign an <Objective> to a <Metric>
Delete assignments

Additional requirements:
1. The user must be a member of either the ADMINISTRATORS or MODELBUILDERS user groups
2. Access depends on the access level of the Dimension Security Descriptors

Full Access In Model Builder, the ability to access the Objectives/Metrics Assignment screen and do the following:

Assign an <Objective> to a <Metric>
Delete assignments

Objective Linked Objective Assignment Security

This descriptor is available to only Objectives and Metrics type models.

Access to Objectives/Linked Objectives Assignment Functionality

Security Level Access Allowed Additional Requirements

No Access In Model Builder, access to the Objectives/Linked Objectives Assignment screen is denied.

View Only In Model Builder, access to the Objectives/Linked Objectives screen is denied.

Edit Data In Model Builder, access to the Objectives/Linked Objectives screen is denied.

Edit Structure In Model Builder, the ability to access the Objectives/Linked Objectives Assignment screen and do the following:

Create an assignment that links one <Objective> to another
Delete assignments

Additional requirements:
1. The user must be a member of either the ADMINISTRATORS or MODELBUILDERS user groups
2. Access depends on the access level of the Dimension Security Descriptors

Full Access In Model Builder, the ability to access the Objectives/Linked Objectives Assignment screen and do the following:

Create an assignment that links one <Objective> to another
Delete assignments

Boundary Assignment Security

This descriptor is available only to Objectives and Metrics type models.

Access to the Boundaries Assignment Functionality

Security Level Access Allowed

No Access In Model Builder, access to the Boundaries Assignment screen is denied.

View Only In Model Builder, access to the Boundaries Assignment screen is denied.

Edit Data In Model Builder, access to the Boundaries Assignment screen is denied.

Edit Structure In Model Builder, the ability to access the Boundaries Assignment screen and to do the following:

● View <Boundary Attributes> and their associated <Boundaries>
● Assign the following visual characteristics to the regions between <Boundaries>:

Range Color
Data Color
Icon

Additional requirements:
1. The user must be a member of either the ADMINISTRATORS or MODELBUILDERS user groups
2. Access depends on the access level of the Dimension Security Descriptors

Full Access In Model Builder, the ability to access the Boundaries Assignment screen and to do the following:

● View <Boundary Attributes> and their associated <Boundaries>
● Assign the following visual characteristics to the regions between <Boundaries>:

Range Color
Data Color
Icon

Rules security

This descriptor is available to all model types.

Access to Rules Manager, Advanced Rules Manager, and rules editing

Security Level Access Allowed Additional Requirements

No Access Access in Model Builder™ denied to:

● Rules Manager
● Advanced Rules Manager
● Dimension screen option to open Rule Editor

Full Access Access in Model Builder™ to:

● Rules Manager
● Advanced Rules Manager
● Rule Editor

Cell Memo Security

This descriptor is available to all model types.

Access to Cell Memos

Security Level Access Allowed Additional Requirements

No Access
● Cell memos not visible in grids or reports
● Memo icons not displayed in cells
● Context menu option Edit Memo not available

View Only
● Cell memos and icons displayed
● Memo editing not allowed
● Context menu option Edit Memo not available

Edit Data
● Cell memos and icons displayed
● Memo editing, creation, and deletion allowed

Cell memos use the combined security levels of all the key items for a cell. So even if the Cell Memo Security is set to Edit Data, Edit Structure, or Full Access, a user can edit a cell memo only if they also have edit privileges for all key items for a cell.

Edit Structure
● Cell memos and icons displayed
● Memo editing, creation, and deletion allowed

Full Access
● Cell memos and icons displayed
● Memo editing, creation, and deletion allowed
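The following Python audit sketch is an added example, not part of the SAP guide or the product. It checks constructed user records against the Additional requirements stated for Full Access in the tables above, flags the case described in the Import Security note (books can be imported without access to Book Security), and applies the cell memo rule. The record layout, the user names, treating a descriptor missing from a record as No Access, and reading "edit privileges" as Edit Data or higher are assumptions.

```python
from enum import IntEnum


class Level(IntEnum):
    """Security levels, in the order the guide's tables list them."""
    NO_ACCESS = 0
    VIEW_ONLY = 1
    EDIT_DATA = 2
    EDIT_STRUCTURE = 3
    FULL_ACCESS = 4


# "Additional requirements" for Full Access, transcribed from the tables:
# descriptor -> (groups of which the user needs at least one,
#                whether Full Access to Open Models is also required)
PREREQS = {
    "Security Descriptor Security": ({"ADMINISTRATORS"}, True),
    "Import Security": ({"ADMINISTRATORS", "MODELBUILDERS"}, True),
    "Export Security": ({"ADMINISTRATORS", "MODELBUILDERS"}, True),
    "Create Model Security": ({"ADMINISTRATORS", "MODELBUILDERS"}, False),
    "Delete Model Security": ({"ADMINISTRATORS", "MODELBUILDERS"}, False),
    "Maintain Users and Groups Security": ({"ADMINISTRATORS"}, False),
}


def level(user, descriptor):
    # Assumption: a descriptor absent from the record counts as No Access.
    return user["levels"].get(descriptor, Level.NO_ACCESS)


def unmet_prereqs(user, descriptor):
    """Requirements a Full Access grant still lacks (empty list = effective)."""
    groups, needs_open_models = PREREQS[descriptor]
    missing = []
    if not groups & set(user["groups"]):
        missing.append("member of " + " or ".join(sorted(groups)))
    if needs_open_models and level(user, "Open Models Security") != Level.FULL_ACCESS:
        missing.append("Full Access to Open Models")
    return missing


def can_edit_cell_memo(user, key_item_levels):
    """Cell memo rule: the descriptor AND every key item must allow editing."""
    # Assumption: "edit privileges" means Edit Data or higher.
    if level(user, "Cell Memo Security") < Level.EDIT_DATA:
        return False
    return all(item >= Level.EDIT_DATA for item in key_item_levels)


def audit(user):
    """Return (descriptor, finding) pairs for one user record."""
    findings = []
    for descriptor in PREREQS:
        if level(user, descriptor) != Level.FULL_ACCESS:
            continue
        missing = unmet_prereqs(user, descriptor)
        if missing:
            findings.append(
                (descriptor, "grant not effective: needs " + "; ".join(missing)))
    # Import Security note: an XML import may contain books even when the
    # user has no access to the Book Security descriptor.
    if (level(user, "Import Security") == Level.FULL_ACCESS
            and not unmet_prereqs(user, "Import Security")
            and level(user, "Book Security") == Level.NO_ACCESS):
        findings.append(
            ("Import Security", "can import books despite No Access on Book Security"))
    return findings


# Constructed sample records (not taken from any real system).
USERS = [
    {"name": "alice", "groups": ["MODELBUILDERS"],
     "levels": {"Open Models Security": Level.FULL_ACCESS,
                "Import Security": Level.FULL_ACCESS,
                "Book Security": Level.NO_ACCESS,
                "Cell Memo Security": Level.FULL_ACCESS}},
    {"name": "bob", "groups": ["BOOKBUILDERS"],
     "levels": {"Maintain Users and Groups Security": Level.FULL_ACCESS,
                "Export Security": Level.FULL_ACCESS,
                "Cell Memo Security": Level.VIEW_ONLY}},
]

if __name__ == "__main__":
    for u in USERS:
        for descriptor, finding in audit(u):
            print(f"{u['name']}: {descriptor}: {finding}")
```

A grant reported as not effective is still worth cleaning up, because it becomes live as soon as the user's group membership or Open Models level changes.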

User Security Interrogation Security

This descriptor is available to all model types.

Access to the Security Explorer screen

Security Level Access Allowed Additional Requirements

No Access Access in Model Builder™ denied to:

● Security Explorer

Full Access Access in Model Builder™ to:

● Security Explorer

CPU Constraint Security

This descriptor is available to all model types. It controls access to the model calculation options that you use to apply CPU throttling. For more information on CPU Throttling, see the SAP Profitability and Cost Management Modeling User Guide.

Access to CPU Throttling Options

Security Level Access Allowed Additional Requirements

No Access In Model Builder, users can view - but cannot edit - the following model calculation options:

Maximum CPU Usage
First CPU Usage
Background Calculation

The Modify context menu option for the setting is greyed out, and if a user double-clicks a setting to modify it, an error message is displayed that states that the user has insufficient rights.

Full Access In Model Builder, the ability to access and set the following model calculation options:

Maximum CPU Usage
First CPU Usage
Background Calculation

ADMINISTRATORS are granted Full Access by default. Other user groups have No Access by default.

Remote Configuration Security

This descriptor is available to all model types.

Access to the Remote Configuration tool

Security Level Access Allowed Additional Requirements

No Access Access is denied to the Remote Configuration tool.

By default, the descriptor is set to Full Access for members of the ADMINISTRATORS group and No Access to all other groups. For remote configuration security, we recommend that you create a user group specifically for remote configuration administrators and assign the appropriate permissions to the group. We recommend that the remote configuration administrator has the administrative right to do remote configurations, but does not have the right to work with data.

View Only Access is allowed to the Remote Configuration tool; the user can retrieve system information reports and configurations, but cannot publish configurations.

Edit Data Access is denied to the Remote Configuration tool.

Edit Structure Access is denied to the Remote Configuration tool.

Full Access Access is allowed to the Remote Configuration tool; the user can perform all functions, create and edit configurations, and publish and distribute configurations to local and remote machines.

Shared Export ID Security

This descriptor is available to all model types.

Note: Settings for this descriptor apply only to the Model Builder interface. The settings do not affect access to Export IDs via Console.

Access to Shared Export IDs

Security Level Access Allowed Additional Information

No Access No access to shared Export IDs, as follows:

● No shared Export IDs are available in the Export and Export to Universe dialog boxes.

● No shared Export IDs are available in the Manage Export IDs dialog box.

● The user cannot create shared IDs.

By default, this descriptor is set to Full Access for the ADMINISTRATORS and MODELBUILDERS user groups, and No Access for all other groups.

Full Access The user has access to, and can fully manage, all shared Export IDs, as follows:

● All shared Export IDs are available in the Export and Export to Universe dialog boxes.

● All shared Export IDs are available in the Manage Export IDs dialog box. The user can rename or delete the shared IDs, and clear all results for an ID.

● The user can create shared IDs.

All Users Export ID Security

This descriptor is available to all model types.

Note: Settings for this descriptor apply only to the Model Builder interface. The settings do not affect access to Export IDs via Console.

Access to Export IDs of Individual Users

Security Level Access Allowed Additional Requirements

No Access No access to the personal, non-shared Export IDs of other users, as follows:

● The Export IDs of other users are not available in the lists in the Export and Export to Universe dialog boxes. Only the user's own personal Export IDs are available.

● The Export IDs of other users are not available in the Manage Export IDs dialog box. The user can manage only the personal Export IDs that they have created.

By default, this descriptor is set to Full Access for the ADMINISTRATORS group, and No Access for all other groups.

Full Access The user has access to, and can fully manage the personal, non-shared Export IDs of all other users, as follows:

● The Export IDs of all other users are available in the lists in the Export and Export to Universe dialog boxes.

● The Export IDs of all other users are available in the Manage Export IDs dialog box. The user can rename or delete the users' IDs, and clear all results for an ID.

Manage Item Properties

This descriptor is available to all model types.

Access to Managing Item Properties

Security Level Access Allowed Additional Requirements

No Access In Model Builder, access is denied to the Manage Properties dialog box and the user cannot edit a property using the Edit Property command in the context menu for the Dimension Items Details pane in the dimension screen.

By default, this descriptor is set to Full Access for the ADMINISTRATORS group, and No Access for all other groups.

Edit Data In Model Builder, access is denied to the Manage Properties dialog box. However, the user can edit a property using the Edit Property command in the context menu for the Dimension Items Details pane in the dimension screen.

Full Access In Model Builder, user can access the Manage Properties dialog box and perform the following actions:

Add a property
Delete a property
Rename a property
Edit a property

Manage Grid Styles Security

This descriptor is available for all model types.

Access to Grid Styles Functionality in View Builder

Security Level Access Allowed Additional Requirements

No Access In Model Builder, the Grid Styles panel is not available in View Builder.

However, a user with the correct permissions to create a book can specify which grid style to apply to a layout displayed in a Grid or Report object in a book. This is done via the Styles property of the associated Data Manager object.

By default, this descriptor is set to Full Access for the ADMINISTRATORS group, and No Access for all other groups.

Full Access In Model Builder, the Grid Styles panel is available in View Builder and the user can perform the following actions:

Create a grid style.
Edit a grid style.
Delete a grid style.

If the user has permissions to create a book, they can also specify which grid style to apply to a layout displayed in a Grid or Report object in a book.

7.2.5.2 Field Access Security Group Definitions

Every grid value has its own security descriptor to control user access. The following topics list the security descriptors available for each group of grid values.

7.2.5.2.1 Field Access Security General Group Definitions

The following table lists the security descriptors found in the Field Access Security General Group:

Security Descriptor Model Type

CurrencyRate Security Profitability and Costing, Bill of Materials, Transactional Costing, Objectives and Metrics

LineItemValue Security Profitability and Costing, Bill of Materials, Transactional Costing

LineItemFixedValue Security Profitability and Costing, Bill of Materials, Transactional Costing

LineItemVariability Security Profitability and Costing, Bill of Materials, Transactional Costing

LineItemCalculatedFixedValue Security Profitability and Costing, Bill of Materials, Transactional Costing

LineItemDetailValue Security Profitability and Costing, Bill of Materials, Transactional Costing

LineItemDetailValueNC Security Profitability and Costing, Bill of Materials, Transactional Costing

SpreadValue Security Profitability and Costing, Bill of Materials, Transactional Costing

WorkSheetValue Security Profitability and Costing, Bill of Materials, Transactional Costing

UOMFactor Security Bill of Materials

EmployeeResultValue Security Objectives and Metrics

7.2.5.2.2 Field Access Security Activity Group Definitions

The following table lists the security descriptors found in the Field Access Security Activity Group:

Security Descriptor Model Type

ActivityValue Security Profitability and Costing, Bill of Materials, Transactional Costing

ActivityVariableValue Security Profitability and Costing, Bill of Materials, Transactional Costing

ActivityFixedValue Security Profitability and Costing, Bill of Materials, Transactional Costing

ActivityUnitRate Security Profitability and Costing, Bill of Materials, Transactional Costing

ActivityLineItemValue Security Profitability and Costing, Bill of Materials, Transactional Costing

ActivityLineItemFixedValue Security Profitability and Costing, Bill of Materials, Transactional Costing

ActivityLineItemVariableValue Security Profitability and Costing, Bill of Materials, Transactional Costing

SummaryActivityValue Security Profitability and Costing, Bill of Materials, Transactional Costing

SummaryActivityFixedValue Security Profitability and Costing, Bill of Materials, Transactional Costing

SummaryActivityVariableValue Security Profitability and Costing, Bill of Materials, Transactional Costing

SourceActivityLineItemValue Security Profitability and Costing, Bill of Materials, Transactional Costing

SourceActivityLineItemFixedValue Security Profitability and Costing, Bill of Materials, Transactional Costing

SourceActivityLineItemVariableValue Security Profitability and Costing, Bill of Materials, Transactional Costing

ExternalActivityValue Security Profitability and Costing, Bill of Materials, Transactional Costing

ExternalActivityVariableValue Security Profitability and Costing, Bill of Materials, Transactional Costing

ExtenalActivityFixedValue Security Profitability and Costing, Bill of Materials, Transactional Costing

ReassignedInValue Security Profitability and Costing, Bill of Materials, Transactional Costing

ReassignedOutValue Security Profitability and Costing, Bill of Materials, Transactional Costing

ReassignedFinalValue Security Profitability and Costing, Bill of Materials, Transactional Costing

ReassignedMoveValue Security Profitability and Costing, Bill of Materials, Transactional Costing

SummaryMovementValue Security Profitability and Costing, Bill of Materials, Transactional Costing

ReassignSplitValue Security Profitability and Costing, Bill of Materials, Transactional Costing

ReassignSplitPostValue Security Profitability and Costing, Bill of Materials, Transactional Costing

ReassignSplitInValue Security Profitability and Costing, Bill of Materials, Transactional Costing

ReassignSplitOutValue Security Profitability and Costing, Bill of Materials, Transactional Costing

ReassignActivityLineItemValue Security Profitability and Costing, Bill of Materials, Transactional Costing

ReassignActivityServiceValue Security Profitability and Costing, Bill of Materials, Transactional Costing

SummaryServiceActivityValue Security Profitability and Costing, Bill of Materials, Transactional Costing

ServiceActivityValue Security Profitability and Costing, Bill of Materials, Transactional Costing

ServiceActivityUnitRate Security Profitability and Costing, Bill of Materials, Transactional Costing

PostReassignLineItemValue Security Profitability and Costing, Bill of Materials, Transactional Costing

PostReassignLineItemFixedValue Security Profitability and Costing, Bill of Materials, Transactional Costing

PostReassignLineItemVariableValue Security Profitability and Costing, Bill of Materials, Transactional Costing

7.2.5.2.3 Field Access Security Cost Object Group Definitions

The following table lists the security descriptors found in the Field Access Security Cost Object Group:

Security Descriptor Model Type

UnitPrice Security Profitability and Costing, Bill of Materials, Transactional Costing

UnitsSold Security Profitability and Costing, Bill of Materials, Transactional Costing

Revenue Security Profitability and Costing, Bill of Materials, Transactional Costing

SummaryCostObjectValue Security Profitability and Costing, Bill of Materials, Transactional Costing

SummaryCostObjectFixedValue Security Profitability and Costing, Bill of Materials, Transactional Costing

SummaryCostObjectVariableValue Security Profitability and Costing, Bill of Materials, Transactional Costing

SummaryPreCostObjectValue Security Profitability and Costing, Bill of Materials, Transactional Costing

SummaryPostCostObjectValue Security Profitability and Costing, Bill of Materials, Transactional Costing

Contribution Security Profitability and Costing, Bill of Materials, Transactional Costing

GrossContribution Security Profitability and Costing, Bill of Materials, Transactional Costing

CostObjectValue Security Profitability and Costing, Bill of Materials, Transactional Costing

CostObjectFixedValue Security Profitability and Costing, Bill of Materials, Transactional Costing

CostObjectVariableValue Security Profitability and Costing, Bill of Materials, Transactional Costing

DirectCostObjectValue Security Profitability and Costing, Bill of Materials, Transactional Costing

DirectCostObjectFixedValue Security Profitability and Costing, Bill of Materials, Transactional Costing

DirectCostObjectVariableValue Security Profitability and Costing, Bill of Materials, Transactional Costing

PrimaryDriverVolume Security Profitability and Costing, Bill of Materials, Transactional Costing

PrimaryDriverUnitRate Security Profitability and Costing, Bill of Materials, Transactional Costing

DirectPrimaryDriverVolume Security Profitability and Costing, Bill of Materials, Transactional Costing

DirectPrimaryDriverUnitRate Security Profitability and Costing, Bill of Materials, Transactional Costing

TraceBackValue Security Profitability and Costing, Bill of Materials, Transactional Costing

TraceBackFixedValue Security Profitability and Costing, Bill of Materials, Transactional Costing

TraceBackVariableValue Security Profitability and Costing, Bill of Materials, Transactional Costing

TargetCostObjectValue Security Profitability and Costing, Bill of Materials, Transactional Costing

ActivityCostObjectValue Security Profitability and Costing, Bill of Materials, Transactional Costing

ActivityCostObjectFixedValue Security Profitability and Costing, Bill of Materials, Transactional Costing

ActivityCostObjectVariableValue Security Profitability and Costing, Bill of Materials, Transactional Costing

LineItemCostObjectValue Security Profitability and Costing, Bill of Materials, Transactional Costing

LineItemCostObjectFixedValue Security Profitability and Costing, Bill of Materials, Transactional Costing

LineItemCostObjectVariableValue Security Profitability and Costing, Bill of Materials, Transactional Costing

TotalCostObjectValue Security Profitability and Costing, Bill of Materials, Transactional Costing

TotalCostObjectFixedValue Security Profitability and Costing, Bill of Materials, Transactional Costing

TotalCostObjectVariableValue Security Profitability and Costing, Bill of Materials, Transactional Costing

ExternalCostObjectValue Security Profitability and Costing, Bill of Materials, Transactional Costing

ExternalCostObjectFixedValue Security Profitability and Costing, Bill of Materials, Transactional Costing

ExternalCostObjectVariableValue Security Profitability and Costing, Bill of Materials, Transactional Costing

ServiceCostObjectValue Security Profitability and Costing, Bill of Materials, Transactional Costing

DirectServiceCostObjectValue Security Profitability and Costing, Bill of Materials, Transactional Costing

ServicePrimaryDriverVolume Security Profitability and Costing, Bill of Materials, Transactional Costing

ServicePrimaryDriverUnitRate Security Profitability and Costing, Bill of Materials, Transactional Costing

DirectServicePrimaryDriverVolume Security Profitability and Costing, Bill of Materials, Transactional Costing

DirectServicePrimaryDriverUnitRate Security Profitability and Costing, Bill of Materials, Transactional Costing

SourceCostObjectValue Security Profitability and Costing, Bill of Materials, Transactional Costing

SourceCostObjectFixedValue Security Profitability and Costing, Bill of Materials, Transactional Costing

SourceCostObjectVariableValue Security Profitability and Costing, Bill of Materials, Transactional Costing

CostObjectActivityUnitRate Security Profitability and Costing, Bill of Materials, Transactional Costing

CostObjectActivityFixedUnitRate Security Profitability and Costing, Bill of Materials, Transactional Costing

JointCostObjectValue Security Profitability and Costing, Bill of Materials, Transactional Costing

JointCostObjectFixedValue Security Profitability and Costing, Bill of Materials, Transactional Costing

JointCostObjectVariableValue Security Profitability and Costing, Bill of Materials, Transactional Costing

DefaultBOMMakeupVolume Security Bill of Materials

BOMMakeupVolume Security Bill of Materials

BOMUnitRate Security Bill of Materials

BOMFixedUnitRate Security Bill of Materials

BOMComponentVolume Security Bill of Materials

BOMComponentUnitRate Security Bill of Materials

BOMComponentFixedUnitRate Security Bill of Materials

BOMComponentFixedUnitRate Security Bill of Materials

BOMComponentExternalUnitRate Security Bill of Materials

BOMProductUnitRate Security Bill of Materials

ExtActivityCostObjectUnitRate Security Transactional Costing

ExtActivityCostObjectFixedUnitRate Security Transactional Costing

ExtActivityCostObjectVariableUnitRate Security Transactional Costing

CostObjectActivityLineItemUnitRate Security Profitability and Costing, Bill of Materials, Transactional Costing

CostObjectActivityLineItemFixedUnitRate Security Profitability and Costing, Bill of Materials, Transactional Costing

7.2.5.2.4 Field Access Security Driver Group Definitions

The following table lists the security descriptors found in the Field Access Security Driver Group:

Security Descriptor Model Type

ResourceDriverValue Security Profitability and Costing, Bill of Materials, Transactional Costing

ResourceDriverSplit Security Profitability and Costing, Bill of Materials, Transactional Costing

ResourceDriverPctSplit Security Profitability and Costing, Bill of Materials, Transactional Costing

ActivityDriverValue Security Profitability and Costing, Bill of Materials, Transactional Costing

ServiceDriver Security Profitability and Costing, Bill of Materials, Transactional Costing

EmployeeResourceDriverSplit Security Profitability and Costing, Bill of Materials, Transactional Costing

BOMProductionVolume Security Bill of Materials

BOMUnitsSold Security Bill of Materials

BOMCalculatedUnitsSold Security Bill of Materials

7.2.5.2.5 Field Access Security Service Group Definitions

The following table lists the security descriptors found in the Field Access Security Service Group:

Security Descriptors Model Type

ServiceVariableFactor Security Profitability and Costing, Bill of Materials, Transactional Costing

ServiceFixedUnitRate Security Profitability and Costing, Bill of Materials, Transactional Costing

ServiceUnitRate Security Profitability and Costing, Bill of Materials, Transactional Costing

ServiceCost Security Profitability and Costing, Bill of Materials, Transactional Costing

ServiceIncome Security Profitability and Costing, Bill of Materials, Transactional Costing

7.2.5.2.6 Field Access Security Delta Group Definitions

The following table lists the security descriptors found in the Field Access Security Delta Group:

Security Descriptor Model Type

LineItemDeltaValue Security Profitability and Costing, Bill of Materials, Transactional Costing

LineItemOriginalValue Security Profitability and Costing, Bill of Materials, Transactional Costing

ResourceDriverDeltaValue Security Profitability and Costing, Bill of Materials, Transactional Costing

ResourceDriverOriginalValue Security Profitability and Costing, Bill of Materials, Transactional Costing

ResourceDriverTargetValue Security Profitability and Costing, Bill of Materials, Transactional Costing

ResourceDriverDeltaSplit Security Profitability and Costing, Bill of Materials, Transactional Costing

ResourceDriverOriginalSplit Security Profitability and Costing, Bill of Materials, Transactional Costing

ResourceDriverTargetSplit Security Profitability and Costing, Bill of Materials, Transactional Costing

ActivityDriverDeltaValue Security Profitability and Costing, Bill of Materials, Transactional Costing

ActivityDriverOriginalValue Security Profitability and Costing, Bill of Materials, Transactional Costing

ActivityDriverTargetValue Security Profitability and Costing, Bill of Materials, Transactional Costing

ServiceDriverDeltaValue Security Profitability and Costing, Bill of Materials, Transactional Costing

ServiceDriverOriginalValue Security Profitability and Costing, Bill of Materials, Transactional Costing

ServiceDriverTargetValue Security Profitability and Costing, Bill of Materials, Transactional Costing

7.2.5.2.7 Field Access Security Data Values Group

Security Descriptor Model Type

LineItemDataValue Security Profitability and Costing, Bill of Materials, Transactional Costing

LineItemDetailDataValue Security Profitability and Costing, Bill of Materials, Transactional Costing

SpreadDataValue Security Profitability and Costing, Bill of Materials, Transactional Costing

WorkSheetDataValue Security Profitability and Costing, Bill of Materials, Transactional Costing

ResourceDriverDataValue Security Profitability and Costing, Bill of Materials, Transactional Costing

ResourceDriverDataSplit Security Profitability and Costing, Bill of Materials, Transactional Costing

ActivityDriverDataValue Security Profitability and Costing, Bill of Materials, Transactional Costing

DataUnitPrice Security Profitability and Costing, Bill of Materials, Transactional Costing

DataUnitsSold Security Profitability and Costing, Bill of Materials, Transactional Costing

DataRevenue Security Profitability and Costing, Bill of Materials, Transactional Costing

ServiceDriverDataValue Security Profitability and Costing, Bill of Materials, Transactional Costing

EmployeeResourceDriverDataSplit Security Profitability and Costing, Bill of Materials, Transactional Costing

ExternalActivityDataValue Security Profitability and Costing, Bill of Materials, Transactional Costing

ExternalCostObjectDataValue Security Profitability and Costing, Bill of Materials, Transactional Costing

BOMMakeupDataVolume Security Bill of Materials

ExternalBOMDataUnitRate Security Bill of Materials

BOMProductionDataVolume Security Bill of Materials

BOMDataUnitsSold Security Bill of Materials

ExtActivityCostObjectDataUnitRate Security Transactional Costing

MetricActualDataValue Security Objectives and Metrics

MetricTargetDataValue Security Objectives and Metrics

MetricBasePointDataValue Security Objectives and Metrics

ObjectiveActualDataValue Security Objectives and Metrics

ObjectiveTargetDataValue Security Objectives and Metrics

ObjectiveBasePointDataValue Security Objectives and Metrics

ObjectiveWeightingDataValue Security Objectives and Metrics

ObjectiveMetricWeightingDataValue Security Objectives and Metrics

ObjectiveActualBoundaryDataValue Security Objectives and Metrics

ObjectivePercentBoundaryDataValue Security Objectives and Metrics

MetricActualBoundaryDataValue Security Objectives and Metrics

MetricPercentBounaryDataValue Security Objectives and Metrics

EmployeePercentBoundaryDataValue Security Objectives and Metrics

7.2.5.2.8 Field Access Security Metric Group Definitions

The following table lists the security descriptors found in the Field Access Security Metric Group:

Security Descriptors Model Type

MetricActualValue Security Objectives and Metrics

MetricActualAdjustementValue Security Objectives and Metrics

MetricTargetValue Security Objectives and Metrics

MetricTargetAdjustmentValue Security Objectives and Metrics

MetricBasePointValue Security Objectives and Metrics

MetricTotalActualValue Security Objectives and Metrics

MetricTotalTargetValue Security Objectives and Metrics

MetricVarianceValue Security Objectives and Metrics

MetricAchievementValue Security Objectives and Metrics

7.2.5.2.9 Field Access Security Objective Group Definitions

The following table lists the security descriptors found in the Field Access Security Objective Group:

Security Descriptor Model Type

ObjectiveActualValue Security Objectives and Metrics

ObjectiveActualAdjustementValue Security Objectives and Metrics

ObjectiveTargetValue Security Objectives and Metrics

ObjectiveTargetAdjustmentValue Security Objectives and Metrics

ObjectiveBasePointValue Security Objectives and Metrics

ObjectiveTotalActualValue Security Objectives and Metrics

ObjectiveTotalTargetValue Security Objectives and Metrics

ObjectiveAchievementValue Security Objectives and Metrics

ObjectiveLinkedResultValue Security Objectives and Metrics

ObjectiveMetricResultValue Security Objectives and Metrics

ObjectiveResultValue Security Objectives and Metrics

7.2.5.2.10 Field Access Security Boundary Group Definitions

The following table lists the security descriptors found in the Field Access Security Boundary Group:

Security Descriptor Model Type

ObjectiveActualBoundaryValue Security Objectives and Metrics

ObjectivePercentBoundaryValue Security Objectives and Metrics

MetricActualBoundaryValue Security Objectives and Metrics

MetricPercentBoundaryValue Security Objectives and Metrics

EmployeePercentBoundaryValue Security Objectives and Metrics

7.2.5.2.11 Field Access Security Weighting Group Definitions

The following table lists the security descriptors found in the Field Access Security Weighting Group:

Security Descriptor Model Types

ObjectiveWeightingValue Security Objectives and Metrics

ObjectiveWeightingPctValue Security Objectives and Metrics

ObjectiveMetricWeightingValue Security Objectives and Metrics

ObjectiveMetricWeightingPctValue Security Objectives and Metrics

7.2.5.2.12 Field Access Security Icon and Color Group Definitions

The following table lists the security descriptors found in the Field Access Security Icon and Color Group:

Security Descriptor Model Type

MetricTotalActualIcon Security Objectives and Metrics

MetricTotalActualRangeColor Security Objectives and Metrics

MetricTotalActualDataColor Security Objectives and Metrics

MetricAchievementIcon Security Objectives and Metrics

MetricAchievementRangeColor Security Objectives and Metrics

MetricAchievementDataColor Security Objectives and Metrics

ObjectiveTotalActualIcon Security Objectives and Metrics

ObjectiveTotalActualRangeColor Security Objectives and Metrics

ObjectiveTotalActualDataColor Security Objectives and Metrics

ObjectiveAchievementIcon Security Objectives and Metrics

ObjectiveAchievementRangeColor Security Objectives and Metrics

ObjectiveAchievementDataColor Security Objectives and Metrics

ObjectiveMetricAchievementIcon Security Objectives and Metrics

ObjectiveMetricAchievementRangeColor Security Objectives and Metrics

ObjectiveMetricAchievementDataColor Security Objectives and Metrics

ObjectiveLinkedResultIcon Security Objectives and Metrics

ObjectiveLinkedResultRangeColor Security Objectives and Metrics

ObjectiveLinkedResultDataColor Security Objectives and Metrics

ObjectiveResultIcon Security Objectives and Metrics

ObjectiveResultRangeColor Security Objectives and Metrics

ObjectiveResultDataColor Security Objectives and Metrics

EmployeeResultIcon Security Objectives and Metrics

EmployeeResultRangeColor Security Objectives and Metrics

EmployeeResultDataColor Security Objectives and Metrics

7.2.5.3 Dimension Access Security Group

Security Descriptor | Security Descriptor Definition

Default Dimension Security | The default security descriptor is initially assigned to all dimension items and Books.

7.2.5.4 Report Task Access Security Group

Security Descriptor | Security Descriptor Definition

Default Report Task Security | Access to the Report Manager application.

7.3 Group / Descriptor Assignments

Security is assigned to groups using the Group / Descriptor Assignments screen, accessed via Tools > Security > Group/Descriptor Assignments. In this screen all predefined and user-defined security descriptors are displayed with an associated security Access Level for each group.

Note: Users and groups are common to all models but security descriptors and Group assignment levels are on a per model basis.

To view the security access level of a Group, you select a Group in the User Groups area. Assigned security levels are displayed next to each security descriptor. Security descriptor groups can be expanded and collapsed to group level or leaf level by clicking the group node icon. Security access levels may only be amended by members of the ADMINISTRATORS group.

Related Information

Security Access Interactions [page 48]
Security access levels [page 42]
To assign security levels for a user group [page 78]
To assign security levels to multiple security descriptors [page 79]

7.3.1 To assign security levels for a user group

Context

To assign security levels for a User Group:

Procedure

1. Select the group in the User Groups area.

2. View the required security descriptor by expanding the group node if necessary.

3. Select the current Security level for that group.

This displays a list with all security levels available for that descriptor, for example No Access, View Only, Edit Data, Edit Structure, and Full Access.

4. Select the required level of access in the Security Level list.

Related Information

To assign security levels to multiple security descriptors [page 79]

7.3.2 To assign security levels to multiple security descriptors

Context

To assign the same security levels to multiple security descriptors and Groups at the same time:

Procedure

1. Select the required Groups using the CTRL key or SHIFT key, then select the security descriptors to be assigned.

2. Once these are selected, select one of the security levels. This displays the list of available access levels. Only the access levels that are common to all the selected descriptors are available for selection.

3. Select the required level of access in the Security Level list. All the selected security descriptors are assigned to this level.

Results

Repeat this process for all the security descriptors required for the group. Security assignments take effect almost immediately.

7.4 Group/Dimension Security

Group/Dimension security is intended primarily as a way of restricting access to certain parts of a dimension hierarchy. You can set the default hierarchy level at which a member will be able to view a dimension. Setting a level allows a user to see all elements at that level and below, but nothing at a higher level.

Note: Users and groups are common to all models but Group/Dimension access levels are set on a per model basis.

Related Information

To set Group / Dimension security [page 80]

7.4.1 To set Group / Dimension security

Context

Any user who is a member of the ADMINISTRATORS group can configure Group / Dimension security.

Procedure

1. Select Tools > Security > Group/Dimension Security. The Group Dimension Security screen opens. The screen contains a Dimension list at the top, beneath which is a pane which lists Groups and Root Items. The right-hand side of the screen displays an Information area.

2. In the Dimension list, select the Dimension for which you want to configure Security. All the existing groups are listed in the left-hand pane. Apart from the ADMINISTRATORS and EVERYONE groups, the default setting for the Root Item for all other groups is <NONE>.

3. To set a default access level, select a Group and click the adjacent area under Root Item. Click the list to display the hierarchy, including the attribute groups, for the selected dimension, and set the required level of access.

Note: If the setting for the EVERYONE group is set to be the top level item of the dimension, all parts of that dimension are visible to all users. To implement Group/Dimension security, the setting for the EVERYONE group must be set to the lowest acceptable level of access for all users or set to <NONE>.

Results

Selecting an element sets a default dimension for the group, and the selection is set by clicking outside the selection area. Changes are not finalized until the screen is closed.

Tip: All the assigned levels for the selected group are summarized in a separate pane on the right of the screen.
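
The root-item rule and the EVERYONE note above, worked through as an added example that is not part of the SAP guide or the product. It assumes that every user is a member of EVERYONE and that a user's view is the union of the subtrees under the root items of all their groups; the hierarchy, the group names other than ADMINISTRATORS and EVERYONE, and all function names are constructed for illustration.

```python
"""Model of Group/Dimension security: one root item per group per dimension."""

NONE = "<NONE>"  # value the guide shows when a group has no root item

# Constructed sample dimension: item -> parent (top-level item has parent None).
SAMPLE_PARENTS = {
    "Company": None,
    "Europe": "Company",
    "Americas": "Company",
    "UK": "Europe",
    "Germany": "Europe",
    "US": "Americas",
}

# Constructed sample Group -> Root Item assignments for that dimension.
SAMPLE_ROOTS = {
    "ADMINISTRATORS": "Company",
    "EVERYONE": "Company",   # the setting the note warns about
    "EU_ANALYSTS": "Europe",
    "UK_STAFF": "UK",
}


def top_item(parents):
    """Return the single top-level item of the dimension."""
    tops = [item for item, parent in parents.items() if parent is None]
    if len(tops) != 1:
        raise ValueError("expected exactly one top-level item")
    return tops[0]


def subtree(parents, root):
    """Return the root item plus every item below it in the hierarchy."""
    if root not in parents:
        raise ValueError(f"unknown dimension item: {root!r}")
    children = {}
    for item, parent in parents.items():
        children.setdefault(parent, []).append(item)
    seen, stack = set(), [root]
    while stack:
        item = stack.pop()
        if item not in seen:
            seen.add(item)
            stack.extend(children.get(item, []))
    return seen


def visible_items(parents, roots, user_groups):
    """Items a user can see: union of the subtrees of all their groups' roots.

    Assumption: every user also belongs to EVERYONE.
    """
    visible = set()
    for group in set(user_groups) | {"EVERYONE"}:
        root = roots.get(group, NONE)
        if root != NONE:
            visible |= subtree(parents, root)
    return visible


def audit_roots(parents, roots):
    """Return findings where the EVERYONE root item defeats per-group roots."""
    findings = []
    everyone = roots.get("EVERYONE", NONE)
    if everyone == NONE:
        return findings
    if everyone == top_item(parents):
        findings.append(
            "EVERYONE is rooted at the top-level item: the whole dimension "
            "is visible to all users"
        )
        return findings
    floor = subtree(parents, everyone)
    for group in sorted(roots):
        root = roots[group]
        if group in ("EVERYONE", "ADMINISTRATORS") or root == NONE:
            continue
        if subtree(parents, root) <= floor:
            findings.append(
                f"{group}: root item {root!r} grants nothing beyond EVERYONE"
            )
    return findings


if __name__ == "__main__":
    print(sorted(visible_items(SAMPLE_PARENTS, SAMPLE_ROOTS, ["UK_STAFF"])))
    for finding in audit_roots(SAMPLE_PARENTS, SAMPLE_ROOTS):
        print("FINDING:", finding)
    corrected = dict(SAMPLE_ROOTS, EVERYONE=NONE)
    print(sorted(visible_items(SAMPLE_PARENTS, corrected, ["UK_STAFF"])))
```

With EVERYONE rooted at the top-level item, the UK_STAFF user sees all six items; with EVERYONE set to <NONE>, the same user sees only the item under the UK_STAFF root.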

7.5 Viewing a User's security settings

The Security Explorer screen displays the security settings for each user. Its purpose is to provide an overview of permissions and access levels for each user, but without any editing options.

To open the Security Explorer screen, select Tools > Security > Security Explorer. You can open multiple instances of the Security Explorer.

Users and their security settings are displayed in the left-hand pane in the Security Item column, in a navigation tree structure. For each item selected in the Security Item column, additional information is displayed in the Details pane at the right of the Security Explorer screen.

Select the required security item to see the access level settings for Groups of which the user is a member:

The tree for each user contains the following expandable nodes:

● is a Member of Groups - the groups that the user is a member of.
● Implied Action Access - this shows model administration Action Access security descriptors (non-model specific). Expanding this node displays the cumulative level of user access implied by group membership to these security descriptors in the Details column.
● Implied Report Descriptor Access - the levels of user access implied by group membership to the Report Manager security descriptors in the Report Task Access Security Group. Expanding this node displays the relevant security descriptors and the cumulative level of user access implied by group membership to these security descriptors in the Information column.
● has access to Models - lists the models that the user has access to implied by group membership. For each model, it displays the following nodes, which expand to display either the relevant security descriptors or dimension items and the overall access settings that apply:
  ○ Implied Model Action Access - the levels of user access implied by group membership to the model specific Action Access security descriptors.
  ○ Implied Field Access - the levels of user access implied by group membership to the Field Access security descriptors.
  ○ Implied Dimension Security Descriptor Access - the levels of user access implied by group membership to the Dimension Access security descriptors.
  ○ Group Root Assignments - the levels of access to dimension root assignments implied by user group membership.
  ○ Implied Dimension Access - the levels of access to dimensions and their items implied by user group membership.

Note: To access the security settings for each user, the application impersonates the selected user logging on each time you select a user in the Security Explorer screen. For this reason, you must ensure that access to this feature is restricted, preferably to the administrator only. Access to this screen is controlled by the User Security Interrogation Security descriptor.

Related Information

Group/Dimension Security [page 80]
Security Descriptors [page 44]
User & Group Maintenance Information and Management [page 33]
Action Access Security Group Definitions and Security Levels [page 48]

8 Books Security

Books have several different levels of security. Access can be restricted to all Books in the client and individual Books in the client application, over the web, or in Book Viewer™. The Book that is defined as the default book for each user group—that is, the default book selection available to a user over the web or Book Viewer™—can also be used to restrict access. Finally, a custom descriptor can be assigned to a Book and access controlled through this.

Related Information

Book Security Assignment [page 84]
Books Action Access [page 83]
Home Pages/Default Books [page 83]

8.1 Books Action Access

Access to the Books function in the application can be restricted by a member of the ADMINISTRATORS group using the Group/Descriptor Assignment screen. Limited security access to Books Security restricts a user’s ability to create or edit all Books within the client application. Restricted access is indicated by a red cross on Book icons in the Books Panel or (No Access) displayed next to the Books hierarchy in Books Manager.

Related Information

Group / Descriptor Assignments [page 78]

8.2 Home Pages/Default Books

A Home Page (or Default Book) is required for all Groups of users who access the web. This page may be an individual Book if only one Book is to be accessed, or it can be created as a home page purely to provide access to other Books over the web using a series of hyperlinks that direct users to appropriate Books.

Different Home Pages/Default Books can be set up for each different Group of users. This way you can create different Books that contain different series of hyperlinks, so Users will only see the hyperlinks to Books that are relevant to the particular Groups to which they belong.

Note: Where a User is a member of more than one Group, all Default Books for those Groups are available for selection over the web.

Default Books are set by an Administrator using the Groups/Default Book Assignment screen, accessed via Tools > Security > Group/Default Book Assignment.

The Group/Default Book Assignment screen displays all the User Groups for a model in the Groups column and lists the default book assigned to each User Group in the Default Book column. If a Default Book is not assigned to a User Group, the Default Book column displays <NONE> for that User Group.

To set the Default Book for a User Group, select the required group, then click <NONE> in the Default Book column or click the existing Default Book that you wish to change for that group. This displays a list from which you can select the required book.

These settings can then be exported and imported with each corresponding model.

8.3 Book Security Assignment

Book security works in a similar manner to dimension item security.

The Default Dimension Security descriptor is assigned by default to all newly created books. A user needs Full Access to this descriptor in order to both create and edit books.

Personalized dimension security can be defined by the introduction of additional descriptors within the Dimension Access Security Group. This allows a specific Dimension Access Security descriptor to be applied to an individual Book using the Book Security field from the Book Properties Formatting tab. Potentially, any Dimension Access Security descriptor could be assigned to a Book regardless of whether it has previously applied to dimension items or is relevant only to the Book.

Once a Dimension Access Security descriptor has been applied, if an end user with restricted access to the dimension descriptor tries to follow a link to the Book, an appropriate error message appears and prevents display of the Book. Access is assigned in the usual manner by groups in the Group/Descriptor Assignment screen.

Related Information

Dimension Access Security Group [page 46]
Group / Descriptor Assignments [page 78]


9 Network and Communications Security

Your network infrastructure is extremely important in protecting your system. Your network needs to support the communication necessary for your business needs without allowing unauthorized access. A well-defined network topology can eliminate many security threats based on software flaws (at both the operating system and application level) or network attacks such as eavesdropping. If users cannot log on to your application or database servers at the operating system or database layer, then there is no way for intruders to compromise the machines and gain access to the back end system's database or files. In addition, if users are not able to connect to the server LAN (local area network), they cannot exploit well-known bugs and security holes in network services on the server machines.

For more information on the network topology, see the SAP BusinessObjects Profitability and Cost Management Master Guide. More information on network and communications security is provided in the following topics:

● “Communication Channel Security”: This topic describes the communication paths and protocols used by SAP BusinessObjects Profitability and Cost Management.

● “Network Security”: This topic describes the recommended network topology for the system and includes a list of the ports needed to operate the software.

9.1 Communication Channel Security

The table below shows the communication channels used by SAP BusinessObjects Profitability and Cost Management, the protocol used for the connection, and the type of data transferred.

| Communication Channel | Protocol Used | Type of Data Transferred | Data Requiring Special Protection |
| --- | --- | --- | --- |
| Rich clients and Application or Model server | DCOM or Sockets | Model data and metadata | Passwords, proprietary business financial and performance records |
| Web server and Application server | DCOM or Sockets | Model data and metadata | Passwords, proprietary business financial and performance records |
| Web clients and Web server | HTTP/HTTPS | Model data and metadata | Passwords, proprietary business financial and performance records |
| Database Server and Application Server | SQL Native Client, Oracle Native Client, OLEDB | Model data and metadata | Passwords, proprietary business financial and performance records |
| Terminal/Citrix Server and Application Server | DCOM or Sockets | Model data and metadata, user data | Passwords, proprietary business financial and performance records |
| Financial Information Management server and Database server | SQL | Model data and metadata | Passwords, proprietary business financial and performance records |
| Financial Information Management server and Web server | HTTP/HTTPS | Model data and metadata | Passwords, proprietary business financial and performance records |
| BusinessObjects Enterprise server and Application server | CORBA | Model data and metadata | Passwords, proprietary business financial and performance records |
| Data Bridge application and external systems via LSDAL | SQL, MDX, RFC | Model data and metadata | Passwords, proprietary business financial and performance records |

For more information on the protocols used by the application, see the “Protocols in SAP BusinessObjects Profitability and Cost Management architecture” topic in the SAP BusinessObjects Profitability and Cost Management Master Guide.

9.2 Network Security

Network structure

For information on network topology, see the SAP Profitability and Cost Management Master Guide. The figure below shows an example of a typical system infrastructure with firewalls between the Web server and web users and between the Terminal/Citrix server and terminal users.


If you wish to use firewalls between any components in the system, they must be configured to allow the required ports to pass through. For more information on configuring DCOM security and firewalls for the application, see the SAP Profitability and Cost Management Installation Guide.

Note: The figures and descriptions provided in the documentation serve as examples only. Every implementation of SAP Profitability and Cost Management is unique and must be suited to a specific customer's particular needs. For this reason, we strongly recommend that you discuss your network security requirements with your SAP consultant for the product.

Ports

The table below lists the Profitability and Cost Management applications and transport types, and the ports on which they communicate:

| Application | Port Range |
| --- | --- |
| Web server or IIS (Internet Information Server) | 80 |
| Report Manager | User-defined |
| Sockets transport layer | 6790 - 7790 |
| DCOM transport layer (via RPC) | 5000 - 5020 |

For more information about ports and firewall configuration, see the “Firewall Configuration” topic in the SAP Profitability and Cost Management Installation Guide.
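
The following is an added example, not taken from the SAP guide: a read-only PowerShell check, run on a server that hosts a Profitability and Cost Management component, that lists enabled inbound allow rules covering the port ranges in the table above and marks those open to any remote address. Treating the ports as TCP and the function names Get-PcmPortOverlap and Find-PcmExposedRules are assumptions of this example.

```powershell
# Added example (not SAP code): read-only check of Windows Firewall rules
# against the port ranges in this guide's Ports table.
# Assumption: the ports are TCP; the table does not name a protocol.
# Report Manager is omitted because its port is user-defined.

$PcmPorts = @(
    @{ Name = 'Web server or IIS';    From = 80;   To = 80   },
    @{ Name = 'Sockets transport';    From = 6790; To = 7790 },
    @{ Name = 'DCOM transport (RPC)'; From = 5000; To = 5020 }
)

function Get-PcmPortOverlap {
    # Returns the names of the documented ranges that a rule's LocalPort list covers.
    param([string[]]$LocalPort)

    $hits = foreach ($token in $LocalPort) {
        if ($token -eq 'Any') {
            $lo = 0; $hi = 65535
        } elseif ($token -match '^(\d+)$') {
            $lo = [int]$Matches[1]; $hi = $lo
        } elseif ($token -match '^(\d+)-(\d+)$') {
            $lo = [int]$Matches[1]; $hi = [int]$Matches[2]
        } elseif ($token -eq 'RPC') {
            # Keyword rule for dynamically assigned RPC ports: cannot be
            # compared numerically, so surface it for manual review.
            'Dynamic RPC keyword (review manually)'
            continue
        } else {
            continue   # other keywords are not fixed port numbers
        }
        foreach ($p in $PcmPorts) {
            if ($lo -le $p.To -and $hi -ge $p.From) { $p.Name }
        }
    }
    $hits | Where-Object { $_ } | Select-Object -Unique
}

function Find-PcmExposedRules {
    # One output object per enabled inbound allow rule that covers a documented range.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        ForEach-Object {
            $rule  = $_
            $ports = $rule | Get-NetFirewallPortFilter
            if ($ports.Protocol -notin 'TCP', '6', 'Any') { return }

            $covered = Get-PcmPortOverlap -LocalPort $ports.LocalPort
            if (-not $covered) { return }

            $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
            [pscustomobject]@{
                Rule            = $rule.DisplayName
                Profile         = $rule.Profile
                LocalPort       = $ports.LocalPort -join ','
                Covers          = $covered -join '; '
                RemoteAddress   = $remote -join ','
                OpenToAnyRemote = ($remote -contains 'Any')
            }
        }
}

# Rules open to any remote address are listed first.
Find-PcmExposedRules |
    Sort-Object OpenToAnyRemote -Descending |
    Format-Table -AutoSize -Wrap
```

Rules reported with OpenToAnyRemote set to True are candidates for restricting to the addresses of the components that actually connect on that channel.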


10 Data Storage Security

Data Storage

SAP BusinessObjects Profitability and Cost Management stores the following data:

● User Authentication data
● Model source data - for example model structure data and non-calculated results
● Calculated results
● Exported data

The application also temporarily stores data - such as previously returned calculation results - in various caches.

User authentication data such as passwords is stored in encrypted fields in either the database or in the registry on Primary and Secondary model servers, in the following locations on 32-bit machines:

HKEY_LOCAL_MACHINE\Software\Business Objects\Profitability\Workflow\Password
HKEY_LOCAL_MACHINE\Software\Business Objects\Profitability\Database\Password

On 64-bit machines, the information is stored in the following locations:

HKEY_LOCAL_MACHINE\Software\Wow6432Node\Business Objects\Profitability\Workflow\Password
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Business Objects\Profitability\Database\Password

If Windows authentication is used for the database connection, rather than individual user credentials, no user credentials are stored in the second location. Both the Windows client and the web client can be configured to remember the last username to log into a client application. This information is also stored in the registry.

If Single Sign On (SSO) is used, SAP BusinessObjects Profitability and Cost Management does not perform authentication; it is delegated to the chosen SSO system. In this case, all data storage and encryption is dealt with elsewhere.

The source data for models is stored in the Profitability and Cost Management relational database. When a model is loaded in the application for the first time, the PCMMain service loads all necessary data from the database and then calculates the results for the model. While the model is open, the results are stored in temporary files. After the model is closed, the results are consolidated and stored in the ModelRes.EPM file, which is in a proprietary format.

Model data can be exported to tables in the database schema using the Export to Universe or Export to Database functions. These tables have their names prefixed with PPR_. The exported data is a snapshot of calculation results and is not updated as a result of further calculations. The exported data is used as a source for reporting tools.

Some model data can be stored temporarily by being cached by services such as PCMServer and PCMMain. On the web, some data can be cached inside the DllHost.exe process running on the web server. Both the PAD Model proxy on the web server and the ActiveX on the web client can hold previously retrieved results. However, these are not accessible in the form of files.


Changes to Work Manager processes are cached in the PCMWFOBJ.syn file in C:\PCMTemp\Workflow. This file is used to update Workflow objects at regular intervals. However, it is not human-readable and the data is relevant to the Workflow process rather than to models.

Permissions

The model data is accessed directly by only the Profitability and Cost Management model services. These services require read and write permissions to both the local machine and the database.

Data Protection

The required level of protection is the Default security setting. At the default setting, data is protected by database security and Windows NT security on the Application servers. Database tables are not encrypted; customers should arrange security encryption suited to their relational database management system, and consult the vendor's documentation in this regard.

No protection is provided for temporary results data because it is in an unreadable format.

Data caches are binary streams, therefore the data is already encrypted and compressed, as is the data that is passed between the web clients and the web server. SSL (Secure Sockets Layer) is available to further encrypt data between the web client and the web server if necessary, for example if a customer is scripting parameters that can be passed between Books, because otherwise the parameters are passed in plain text in the URL.

Cookies and data security

The Profitability and Cost Management web client is a digitally signed ActiveX control that does not read persisted data other than session cookies to maintain state. Data in cookies can therefore be cleared by clearing the Internet Explorer caches (the web client supports only Internet Explorer as a browser). The session cookie allows the system to record who has submitted data because the system needs to match users with security descriptors to ensure that only permitted users of a model can view and enter data.

Related Information

SAP BusinessObjects Profitability and Cost Management Default Security [page 39]


11 Error Message Security

When an error message is displayed as the result of an exception in the application, it is possible to view additional details such as the call stack, registers and so on. For environments where this is considered a security risk, the level of detail available in error messages can be controlled by adding values to the following registry key:

● On 64-bit Windows: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Business Objects\Profitability

● On 32-bit Windows: HKEY_LOCAL_MACHINE\SOFTWARE\Business Objects\Profitability

The values are as follows:

● HideErrorDetail: If this value is present, the user cannot see call stacks, registers, and so on when errors are shown, because it prevents the Details button from appearing in the error message dialog box.

● HideErrorMessage: If this value is present, the user sees a generic error message, rather than the actual message from the exception.

● HideLogLocation: If this value is present, the file path to the log file location is not displayed to the user when an error is raised.

● DisableUILogging: This value completely disables error logging for the Model Builder application.

● CustomErrorMessage: If present, this string value is displayed as the text in the error message dialog box (instead of “An error has occurred”). This is only shown if HideErrorMessage is also present.


12 Login Dialog Box Security

As a security measure, you can hide the Remember User Details checkbox on the Login dialog box by using a registry key.

The checkbox will no longer be displayed if the registry contains one of the following keys:

● For a 64-bit operating system: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Business Objects\Profitability\HidePersistUser

● For a 32-bit operating system: HKEY_LOCAL_MACHINE\SOFTWARE\Business Objects\Profitability\HidePersistUser
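
The following is an added example, not taken from the SAP guide: a read-only PowerShell audit that reports which of the error-dialog entries from section 11 and the HidePersistUser entry from this section are present on a machine. It assumes a 64-bit PowerShell session so that both registry paths are read as written; the function names Test-PcmEntry and Get-PcmDialogHardening are hypothetical.

```powershell
# Added example (not SAP code): read-only audit of the error-dialog and
# login-dialog hardening entries named in sections 11 and 12 of this guide.
# Assumption: run from 64-bit PowerShell, so both paths are read as written.

$ProductKeys = @(
    'HKLM:\SOFTWARE\Wow6432Node\Business Objects\Profitability',   # 64-bit Windows
    'HKLM:\SOFTWARE\Business Objects\Profitability'                # 32-bit Windows
)

# Entries whose mere presence switches the behaviour on.
$PresenceFlags = 'HideErrorDetail', 'HideErrorMessage', 'HideLogLocation',
                 'DisableUILogging', 'HidePersistUser'

function Test-PcmEntry {
    param([string]$KeyPath, [string]$Name)
    # The guide describes HidePersistUser as a key and the other entries as
    # values, so an entry counts as present if it exists in either form.
    $key = Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if ($null -eq $key) { return $false }
    if ($key.GetValueNames() -contains $Name) { return $true }
    return (Test-Path -LiteralPath (Join-Path $KeyPath $Name))
}

function Get-PcmDialogHardening {
    foreach ($keyPath in $ProductKeys) {
        if (-not (Test-Path -LiteralPath $keyPath)) { continue }

        $state = [ordered]@{ Key = $keyPath }
        foreach ($name in $PresenceFlags) {
            $state[$name] = Test-PcmEntry -KeyPath $keyPath -Name $name
        }
        # CustomErrorMessage is a string value: its text matters, not only its presence.
        $custom = (Get-Item -LiteralPath $keyPath).GetValue('CustomErrorMessage')
        $state['CustomErrorMessage'] = $custom

        $findings = @()
        if (-not $state['HideErrorDetail']) {
            $findings += 'Details button available: call stacks and registers are visible to users'
        }
        if (-not $state['HideErrorMessage']) {
            $findings += 'Actual exception message is shown instead of a generic one'
        }
        if (-not $state['HideLogLocation']) {
            $findings += 'Log file path is displayed when an error is raised'
        }
        if ($custom -and -not $state['HideErrorMessage']) {
            $findings += 'CustomErrorMessage is set but not shown, because HideErrorMessage is absent'
        }
        if ($state['DisableUILogging']) {
            $findings += 'Model Builder error logging is disabled, so errors leave no log to investigate'
        }
        if (-not $state['HidePersistUser']) {
            $findings += 'Remember User Details checkbox is displayed on the Login dialog box'
        }
        $state['Findings'] = $findings -join '; '
        [pscustomobject]$state
    }
}

$report = @(Get-PcmDialogHardening)
if ($report.Count -eq 0) {
    Write-Output 'No Profitability registry key found on this machine.'
} else {
    $report | Format-List
}
```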


13 Security for Third Party Applications

SAP BusinessObjects Profitability and Cost Management database server requires either Microsoft SQL Server or Oracle software. For more information on the supported software, see the SAP BusinessObjects Profitability and Cost Management Master Guide. For more information on security for the database software, see the relevant vendor's documentation.

The software can be installed in the following SAP BusinessObjects Business Intelligence platform (Enterprise) environments and be configured for SSO against the Central Management Server (CMS) of the following:

● BusinessObjects Enterprise Service Pack 3 + FixPack 3.5
● SAP BusinessObjects User Management System 3.1
● Full version of SAP BusinessObjects Business Intelligence platform 4.0
● Client version of SAP BusinessObjects Business Intelligence platform 4.0
● SAP BusinessObjects Business Information platform services 4.0

For more information on the supported versions of the software, see the SAP BusinessObjects Profitability and Cost Management Master Guide.

For more information on configuring SSO with the BusinessObjects Business Intelligence platform and integrating with BusinessObjects Enterprise Service Pack 3 + FixPack 3.5, see the SAP BusinessObjects Profitability and Cost Management Installation Guide and the SAP BusinessObjects Profitability and Cost Management Integration Guide.

For more information on security for a BusinessObjects Business Intelligence platform environment and the above applications, see the BusinessObjects Enterprise Administrator's Guide, available on the SAP Help Portal.

When the FIMService web service is correctly installed and configured, and the Enterprise security setting is correctly configured to set up a Single Sign On (SSO) connection between the two applications, SAP BusinessObjects Profitability and Cost Management can work in conjunction with SAP BusinessObjects Financial Information Management.

For more information on installation and configuration, see the SAP BusinessObjects Profitability and Cost Management Installation Guide.

For information on security for Financial Information Management, see the SAP BusinessObjects Financial Information Management Security Guide available on the SAP Help Portal at http://help.sap.com.

Related Information

User Data Synchronization [page 38]


14 Dispensable Functions with Impacts on Security

For security reasons, only the necessary functions needed by an application should be activated. Any optional features or functions should be deactivated. The table below lists which software components in SAP BusinessObjects Profitability and Cost Management are mandatory (M), optional (O), or recommended (R) in a typical installation.

Table of Software Components

| Software Features | Application (Model) server | Web server | Work Manager server | Report Manager server | Client workstations |
| --- | --- | --- | --- | --- | --- |
| Installation Type | Server | Client | Client | Client | Client |
| Core Components | M | M | M | M | M |
| Model Builder | R | R | R | R | M |
| Book Viewer | R | R | R | R | M |
| Web Components | R | M | O | O | O |
| Data Bridge | R | R | O | R | O |
| Work Manager | O | O | M | O | O |
| Report Manager | O | O | O | M | O |
| Language support tools | R | R | R | R | R |
| MDX ODBO Connector | O | O | O | O | R |
| MDX XMLA Provider | O | O | O | O | O |
| Microsoft .NET Framework* | M | M | M | M | M |
| Microsoft Scripting Engine* | M | M | M | M | M |
| Microsoft SQL Command | O | O | O | O | O |
| Microsoft SQL Native Client | R | O | O | O | O |
| Microsoft XML Parser* | M | M | M | M | M |
| MS Installer* | M | M | M | M | M |
| SAP BusinessObjects User Management Client* | M | M | M | M | M |

Software components that are marked with an asterisk (*) in the table are prerequisites and are installed by default. You can choose not to install other components by deselecting them in the Custom Setup screen during installation. Choosing not to install Work Manager, Report Manager, or Data Bridge has no impact on security or the system.


Note: In this version of the product, the server and client components of Work Manager and Report Manager can be installed independently of each other. This means that client Work Manager and Report Manager GUIs can be installed with more safety on client machines because they cannot be reconfigured as Work Manager and Report Manager servers.

For more information on software recommendations and software prerequisites, see the SAP BusinessObjects Profitability and Cost Management Installation Guide and the SAP BusinessObjects Profitability and Cost Management Master Guide.

Access to features is also controlled by membership of user groups and by security descriptors. For example, members of the ENDUSERS group do not have access to the Model Builder application. You can restrict access for many users at once using the Security screens in the Model Builder application. In addition, the toolbar of the Model Builder application can be customized for each user to remove components.

The majority of end users of the application - those who are not Model Builders or Book Builders - need only to view and enter data in Books. For this reason, they require either only a web browser and the Profitability and Cost Management ActiveX control, or the Book Viewer application. These users have read/write or read only access to the dimension items and data types within the grids published in the Books to which they have access according to their user group membership.

The effect of limiting access to features or deactivating features is that users without access cannot perform tasks that require those features.

The SAP BusinessObjects Profitability and Cost Management installation installs the following utilities:

● Configure
● Console
● Console Wizard
● Service Manager
● Service Information
● User Monitor
● End to End Trace Launcher
● Remote Configuration

The security of some of these utilities is governed by local admin rights and some by group membership. For more information, see the SAP Profitability and Cost Management Administrator's Guide. These tools can be deleted if not required. A standalone Book Viewer installation installs only the Configure tool. With local admin rights, a user can use Configure to change the application server to which the Book Viewer application points.

The installation program, setup.exe, can be run remotely or locally. Deleting setup.exe does not affect a user's ability to change features that are already installed. However, local admin rights are required.

Related Information

Users and Groups [page 20]
Security Descriptors [page 44]
Group / Descriptor Assignments [page 78]
Group/Dimension Security [page 80]

15 Other Security-relevant Information

This section includes security-relevant information in the following topics:

● “Security Export”: This topic describes the security settings for a model that can be exported as an XML file.

● “Profitability and Cost Management ActiveX control”: This topic explains the security-related aspects of the ActiveX control used by the Profitability and Cost Management web client.

15.1 Security Export

Some security settings within a model can be exported into an XML file using the standard export procedure. This facility is only available to the ADMINISTRATORS and MODELBUILDERS groups with sufficient security access privileges to import and export data.

The applicable security settings can be exported as part of a normal model export and are included with the model data or can be exported separately without other model data.

The following parameters can be exported into an XML file:

● Security descriptors (both name and type)
● Model security descriptors (Dimension security descriptors assigned to dimension items)
● Security Descriptor Groups (Group / Descriptor access assignments)
● Users and Groups information and assignments
● Default Book security assignments
● Model security (User Group access to a particular model)

Note: User passwords are not exported.

15.2 Profitability and Cost Management ActiveX Control

The Profitability and Cost Management web client uses an ActiveX control. The control manages the following functions:

● Logging in and out of the application
● Opening and closing models
● Navigating to Books
● Interpreting the VBScript behind Books
● Translating application requests into HTML code for HTTP transfer and decoding responses
● Allowing users to view remote system messages
● Allowing users to change their preferences for the application
● Communicating data requests to Profitability and Cost Management web services and obtaining responses

If your security policy does not allow the use of active code, you lose all web functionality. To view Books in this case, use the Book Viewer application instead.

For more information on using the web client and Book Viewer, see the SAP BusinessObjects Profitability and Cost Management Modeling User Guide.

15.2.1 Security Mechanisms for Profitability and Cost Management ActiveX Control

To secure data that is transferred during a web session, the following security mechanisms are available:

● Secure Sockets Layer (SSL): SSL can be used to enable 128-bit encryption of all data traveling between the web server and a user's browser.

● Digital Signature: The ActiveX control has a Verisign Digital Certificate, so customers can be certain that the web page being accessed and the ActiveX control being downloaded originate from SAP BusinessObjects.

15.2.2 Security Settings to Install the Profitability and Cost Management ActiveX Control

The table that follows describes security settings and permissions that you need to consider when installing the ActiveX control:

Security Mechanism: Group Policy
Setting: Consider whether any Group Policy Object settings in operation could affect the deployment of the control.
Note: We do not make any recommendations concerning Group Policy Objects.

Security Mechanism: Folder Permissions
Setting: To deploy the control successfully, the following folders require read and write permissions:
● C:\Windows\Downloaded Program Files - for automated download installation
● C:\Program files\SAP BusinessObjects\PCM - for installation using webveiwersetup.exe

Security Mechanism: Browser Settings
Setting: The only supported browser for the web client is Microsoft Internet Explorer. To access the security settings in Internet Explorer, choose Tools > Internet Options. On the Security tab, choose Custom Level. The minimum settings to deploy the ActiveX control are as follows:
● Download signed ActiveX controls - Enable
● Run ActiveX controls and plugins - Enable
● Script ActiveX Controls marked safe for scripting - Enable

The following settings may be required:
● Access data sources across domains - Enable if client is in a different domain to the web server
● Active Scripting - Prompt

For more information on installing and deploying web client, see the SAP BusinessObjects Profitability and Cost Management Installation Guide.

15.2.3 Security-relevant Information for the Profitability and Cost Management ActiveX control

The following information can be useful to Administrators or anyone evaluating potential security risks associated with deploying ActiveX controls.

Deployed CAB File

The name of the deployed CAB file is PCMDataX.CAB.

Supported Methods, Events, and Properties

For more information on the methods, events, and properties supported by the ActiveX control, see the “Book Objects” section in the SAP BusinessObjects Profitability and Cost Management Modeling Reference Guide.

Parameters

For more information on parameters, see the “URL Format” section in the SAP BusinessObjects Profitability and Cost Management Modeling User Guide.


Scripting Functionality

The ActiveX control requires scripting functionality and has been marked safe for scripting.

Persisted Data

The ActiveX control does not need to read persisted data other than session cookies. It is not possible to read, write, create, detect, or delete arbitrary persisted data on the file system, registry, or USB devices. The control is marked safe for initialization.

Data Format and Data Type

The ActiveX control loads data from the Profitability and Cost Management application in a binary stream specific to the development language and application. The stream contains data and graphics used to display the Profitability and Cost Management web page and to return entered data. The data does not have a specific security implementation and does not contain macros.

Data Passing

The ActiveX control does not inherently enable data to pass between Internet web sites, from an intranet to the Internet, or from a local computer to the Internet.

Note: If your networks are set up in such a way that the Profitability and Cost Management system is in another network, the deployment team should resolve this issue.

Memory Leaks and Buffer Overruns

To date, there are no known memory leaks and overruns.

Strings

Strings from the network are encoded by the ActiveX control and sent back to the Application server.


16 Security Logging and Tracing

The Model Builder application supplies alert messages to provide information on the current state of a model. Three types of alert messages are available, including Security alerts. Security alerts provide system-wide user information such as failed login attempts and can be seen by all users of the system. For more information on Security alerts, as well as log and trace files, see the SAP BusinessObjects Profitability and Cost Management Modeling User Guide and the SAP BusinessObjects Profitability and Cost Management Administrator's Guide.

SAP does not provide a text change log for authorization management and authentication configuration. However, providing that auditing is enabled, all changes are stored in the database; and database administrators or reporting experts can extract information on changes to authorization and authentication configuration.

Security must be enabled at both the database level and the model level.

Note: If you enable auditing, auditing is enabled for EVERY action in the system. This can impact performance.

You activate the global setting for database auditing in the Configuration Wizard. For more information about configuration, see the SAP BusinessObjects Profitability and Cost Management Installation Guide.

You activate auditing for individual models in the Model Administration screen. For more information, see the SAP BusinessObjects Profitability and Cost Management Modeling User Guide and the SAP BusinessObjects Profitability and Cost Management Administrator's Guide.

The database tables that hold security-relevant information are the following:

● EPO_AU_DEFAULT_BOOK
● EPO_AU_GROUP_INFO
● EPO_AU_GROUPS
● EPO_AU_MODEL_GROUPS
● EPO_AU_MODELS
● EPO_AU_SECURITY
● EPO_AU_SECURITY_INFO
● EPO_AU_SECURITY_NAME
● EPO_AU_USER_GROUP
● EPO_AU_USER_INFO
● EPO_AU_USERS

The table names are the same for Microsoft SQL Server and Oracle databases. For more information on the database tables, see the relevant section of the SAP BusinessObjects Profitability and Cost Management Database Administrator's Guide.


17 The main documentation types

The following is an overview of the document types that you will need in the various phases of the life cycle of an SAP BusinessObjects Profitability and Cost Management solution.

Cross-Phase Documentation

User Guides

The SAP BusinessObjects Profitability and Cost Management user guides are function- and workflow-oriented documentation for the various SAP BusinessObjects Profitability and Cost Management applications and supported model types such as Model Builder, Data Bridge, Work Manager, Report Manager, Objectives and Metrics modeling, Transactional Costing modeling, and others.

Target group:

● Administrators
● Model Builders
● Book Builders
● End Users
● Consultants

Reference Guides


The SAP BusinessObjects Profitability and Cost Management reference guides describe in detail the definition, purpose, function, and usage of grid values, functions, Book scripting, and Workflow properties relevant to the various supported model types.

Target group:

● Administrators
● Model Builders
● Book Builders
● Consultants

Installation Guide

The SAP BusinessObjects Profitability and Cost Management Installation Guide describes the installation and configuration of the software.

Target group:

● System Architects
● System Administrators
● Technology consultants
● Decision makers and project teams for implementations

Administrator's Guide

The SAP BusinessObjects Profitability and Cost Management Administrator's Guide is the starting point for administrating the system. It describes the administrative tools and tasks such as model administration, user monitoring, and backup and restore.

Target group:

● System Administrators
● Model Builders
● Consultants

Security Guide

The SAP BusinessObjects Profitability and Cost Management Security Guide describes how to manage application, user, and model security. It includes detailed definitions of all security descriptors used in the application.

Target group:

● System Administrators
● Technology Consultants

Database Guide

The SAP BusinessObjects Profitability and Cost Management Database Administrator's Guide describes system database requirements and offers detailed installation, management, and maintenance procedures. Detailed descriptions of database procedures and tables are also provided.

Target group:

● Database Administrators
● System Administrators
● Consultants

Implementation documentation

Master Guide

The SAP BusinessObjects Profitability and Cost Management Master Guide is the starting point for the technical implementation of SAP BusinessObjects Profitability and Cost Management. It provides an overview of the application from a technical perspective, describes the system architecture, lists hardware and software requirements, and offers an overall implementation sequence as well as pointing to important documentation.

Target group:

● System Architects
● System Administrators
● Consultants
● Decision makers and project teams for upgrades

Upgrade documentation

What's New

The What's New document contains brief descriptions of new features or changes in the product since the previous release.

Target group:

● System Architects
● System Administrators
● Consultants
● Decision makers and project teams for upgrades

Upgrade Guide

This document describes the technical upgrade and migration of SAP BusinessObjects Profitability and Cost Management.

Target group:

● System Architects
● System Administrators
● Consultants
● Decision makers and project teams for upgrades

Important Disclaimers and Legal Information

Hyperlinks

Some links are classified by an icon and/or a mouseover text. These links provide additional information.

About the icons:

● Links with the icon : You are entering a Web site that is not hosted by SAP. By using such links, you agree (unless expressly stated otherwise in your agreements with SAP) to this:

    ● The content of the linked-to site is not SAP documentation. You may not infer any product claims against SAP based on this information.
    ● SAP does not agree or disagree with the content on the linked-to site, nor does SAP warrant the availability and correctness. SAP shall not be liable for any damages caused by the use of such content unless damages have been caused by SAP's gross negligence or willful misconduct.

● Links with the icon : You are leaving the documentation for that particular SAP product or service and are entering a SAP-hosted Web site. By using such links, you agree that (unless expressly stated otherwise in your agreements with SAP) you may not infer any product claims against SAP based on this information.

Videos Hosted on External Platforms

Some videos may point to third-party video hosting platforms. SAP cannot guarantee the future availability of videos stored on these platforms. Furthermore, any advertisements or other content hosted on these platforms (for example, suggested videos or by navigating to other videos hosted on the same site), are not within the control or responsibility of SAP.

Beta and Other Experimental Features

Experimental features are not part of the officially delivered scope that SAP guarantees for future releases. This means that experimental features may be changed by SAP at any time for any reason without notice. Experimental features are not for productive use. You may not demonstrate, test, examine, evaluate or otherwise use the experimental features in a live operating environment or with data that has not been sufficiently backed up.

The purpose of experimental features is to get feedback early on, allowing customers and partners to influence the future product accordingly. By providing your feedback (e.g. in the SAP Community), you accept that intellectual property rights of the contributions or derivative works shall remain the exclusive property of SAP.

Example Code

Any software coding and/or code snippets are examples. They are not for productive use. The example code is only intended to better explain and visualize the syntax and phrasing rules. SAP does not warrant the correctness and completeness of the example code. SAP shall not be liable for errors or damages caused by the use of example code unless damages have been caused by SAP's gross negligence or willful misconduct.

Gender-Related Language

We try not to use gender-specific word forms and formulations. As appropriate for context and readability, SAP may use masculine word forms to refer to all genders.

www.sap.com/contactsap

© 2020 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company. The information contained herein may be changed without prior notice.

Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies.

Please see https://www.sap.com/about/legal/trademark.html for additional trademark information and notices.
