
mySAP Business Intelligence

Authorizations

Session Code: 1204

Mohamed Judi SAP Systems Integration America

Agenda

I. Introduction to SAP Authorization Concept
II. Authorization Concept in mySAP BW 3.0
III. mySAP BW Authorization Concept Implementation
IV. HR Authorizations in mySAP BW 3.0
V. Authorizations in mySAP SEM
VI. Authorizations in SAP Enterprise Portal
VII. Demonstrations

Company Profile
- SAP SI Systems Integration is a majority-owned subsidiary of SAP
- Professional services in selected industries and knowledge areas (i.e. Business Intelligence)
- 1,600 employees worldwide
- Systems integrator for mySAP.com solutions and 3rd party applications
- Significant global player in the mySAP.com space with international market presence
- Partner for large corporations and mid-size companies
- Internationally diverse team of experienced consultants
- US headquarters in Atlanta and offices in Philadelphia and Irvine/Los Angeles

Our SAP Business Intelligence Focus

To optimize processes, information & technology in:
- Reporting and Analytical Applications
- Data Warehousing & Information Deployment
- Planning, Budgeting and Consolidation
- Enterprise and Financial Management
- Performance Mgmt and Balanced Scorecards
- Knowledge and Content Management

SAP SI America: Trusted Advisors in SAP Business Intelligence


Sensitive Security Areas

The figure numbers the security areas around the Portal Server and third party systems:
1. Authentication
2. Single Sign-On
3. Secure Communication
4. Authorization
5. User Directory / User Management
6. Secure Network

Technical Overview of the SAP Authorization Concept

Development side: an authorization object belongs to an object class and defines fields. Example: object class CROSS_APPS, authorization object S_TCODE, field TCD.

User administration & security side: authorizations (values for the fields of an object) are collected into authorization profiles, which are entered in the user master record.

Example from the figure:
- Authorization FI_TRANS_CODE for object S_TCODE: TCD = F*, VA03
- Authorization FI_COMP_CODES for object F_BURS: ACT = Display, Create; TARGET = 0001-0005
- Role FI_ROLE contains FI_TRANS_CODE and FI_COMP_CODES

Role maintenance tabs: 1. Menu, 2. Authorizations, 3. Workflow, 4. Organizational Structure

Authorization Profiles in Roles

The Profile Generator builds the authorization profile from the role:
- Single Role (Activity Group), e.g. Financial Planning: Plan Entry, Re-evaluation, ...
- Composite Role (Collective Activity Group), e.g. Financial Manager, bundling several single roles
- A role carries user menus (from the single roles), authorizations (profiles) and user assignments

Profile Generator: Create Authorization Profiles

Authorization Profile

Authorization Maintenance: Icon Legend

Traffic Lights
- Red: organizational fields have missing values (can't generate)
- Yellow: non-organizational fields have missing values (authorization failure)
- Green: all fields have values assigned (doesn't mean they have the right values!)

Other Icons
- View field contents
- Maintain field contents
- Delete field contents, inactive authorization, or further authorizations for an object
- Copy authorization
- Inactivate an active authorization, or authorizations for an object
- Reactivate an inactive authorization
- Merge several authorizations
- Transactions for an authorization object
- Allocation of full authorization
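The following is an added example, not code from the slides: a small Python model of the authorization concept sketched in the previous slides. Authorization objects define fields, an authorization assigns value specs (single values, ranges such as 0001-0005, wildcards such as F*) to those fields, profiles collect authorizations, roles collect profiles, and the user buffer is what the check runs against. The object, authorization and role names (CROSS_APPS, S_TCODE, F_BURS, FI_TRANS_CODE, FI_COMP_CODES, FI_ROLE) are taken from the figure; the object class "FI", the FI_DELETE_0009 authorization and the field semantics are constructed for the example. It also reproduces the traffic-light status of the Profile Generator for an authorization with missing field values.

```python
# Added example, not code from the slides: a minimal model of the SAP
# authorization concept. Names from the figure are reused; "FI" as object
# class and the FI_DELETE_0009 authorization are constructed here.
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class AuthObject:
    name: str
    object_class: str
    fields: tuple                        # field names, e.g. ("TCD",)
    org_fields: frozenset = frozenset()  # organizational fields (TARGET here)


@dataclass
class Authorization:
    name: str
    obj: str
    values: dict  # field -> list of value specs: "*", "F*", "0001-0005", "VA03"


def value_matches(spec, value):
    """One value spec: '*' = everything, 'LOW-HIGH' = inclusive interval,
    trailing '*' = prefix wildcard, anything else = exact match."""
    if spec == "*":
        return True
    if "-" in spec and not spec.endswith("*"):
        low, high = spec.split("-", 1)
        return low <= value <= high
    return fnmatchcase(value, spec)


def authorization_grants(auth, obj_def, requested):
    """Every requested field must be satisfied by the SAME authorization
    (AND across fields); values of different authorizations never combine."""
    for fld, value in requested.items():
        if fld not in obj_def.fields:
            raise ValueError(f"{fld} is not a field of {obj_def.name}")
        if not any(value_matches(s, value) for s in auth.values.get(fld, [])):
            return False
    return True


def traffic_light(auth, obj_def):
    """Profile Generator status: red = an organizational field has no value
    (profile cannot be generated), yellow = a non-organizational field has no
    value (authorization failure at runtime), green = all fields filled
    (which does not mean the values are the right ones)."""
    missing = [f for f in obj_def.fields if not auth.values.get(f)]
    if any(f in obj_def.org_fields for f in missing):
        return "red"
    return "yellow" if missing else "green"


class UserBuffer:
    """Authorizations of all roles assigned to a user, flattened."""

    def __init__(self, objects):
        self.objects = {o.name: o for o in objects}
        self.auths = []

    def assign_role(self, role):
        # role = list of profiles, profile = list of authorizations
        for profile in role:
            self.auths.extend(profile)

    def check(self, obj, **requested):
        """Like AUTHORITY-CHECK OBJECT obj ID ... FIELD ...: succeeds if ANY
        authorization for the object grants all requested fields."""
        obj_def = self.objects[obj]
        return any(a.obj == obj and authorization_grants(a, obj_def, requested)
                   for a in self.auths)


# Constructed sample modelled on the figure's FI example
S_TCODE = AuthObject("S_TCODE", "CROSS_APPS", ("TCD",))
F_BURS = AuthObject("F_BURS", "FI", ("ACT", "TARGET"), frozenset({"TARGET"}))
FI_TRANS_CODE = Authorization("FI_TRANS_CODE", "S_TCODE", {"TCD": ["F*", "VA03"]})
FI_COMP_CODES = Authorization("FI_COMP_CODES", "F_BURS",
                              {"ACT": ["Display", "Create"], "TARGET": ["0001-0005"]})
# a second authorization on the same object with another activity and target
FI_DELETE_0009 = Authorization("FI_DELETE_0009", "F_BURS",
                               {"ACT": ["Delete"], "TARGET": ["0009"]})
FI_PROFILE = [FI_TRANS_CODE, FI_COMP_CODES, FI_DELETE_0009]
FI_ROLE = [FI_PROFILE]


def demo():
    user = UserBuffer([S_TCODE, F_BURS])
    user.assign_role(FI_ROLE)
    return {
        "fb01": user.check("S_TCODE", TCD="FB01"),              # F* matches
        "va03": user.check("S_TCODE", TCD="VA03"),
        "va01": user.check("S_TCODE", TCD="VA01"),              # neither F* nor VA03
        "display_0003": user.check("F_BURS", ACT="Display", TARGET="0003"),
        "display_0009": user.check("F_BURS", ACT="Display", TARGET="0009"),
        "delete_0009": user.check("F_BURS", ACT="Delete", TARGET="0009"),
        # Delete comes from one authorization, 0003 from another: no mixing
        "delete_0003": user.check("F_BURS", ACT="Delete", TARGET="0003"),
    }


if __name__ == "__main__":
    print(demo())
```

The point worth checking against a real profile is the `delete_0003` case: a user who holds Delete on 0009 and Display on 0001-0005 does not get Delete on 0003, because field values are only combined within one authorization, never across two.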

User Buffer

Assigning Users to Roles (Activity Groups)

The figure shows single roles (Role 1 ... Role 7) grouped into composite roles (Composite Role A, Composite Role B), with users assigned to the roles; the resulting authorizations end up in the user buffer.

Comparing the User Master

Authorization Profile

Change Documentation

Who's Changing What?

Note: If tracing is not activated, there is no way to view changes in RSSM.

Authorization Concept in BW 3.0

BW 3.0 Authorizations Overview with a BI Perspective

Information Complexity in BW

The authorization-relevant layers, ordered from the most simplification (least security) to the least simplification (most security): User; User Role (Channels, Activity Groups); InfoAreas; InfoCubes; Queries; InfoObjects - Key figures; InfoObjects - Characteristic Values.

Authorization Relevant Elements

Warehouse Design: Workbench Objects, Variables, Query Objects, InfoCube Objects, ODS Objects, InfoSources, InfoObjects, Source Systems

Warehouse Administration: InfoPackages, Monitor, Meta Data, Reporting Agent Settings

Authorization Objects to Support New 3.0 Functions

Open Dialog
- S_RS_FOLD: the system manager can turn off the InfoArea folder. Specify X (true) in the authorization maintenance to suppress it (prevents the global view).

Variable Definition in Query Definition
- S_RS_COMP: new authorization check for variables in the query definition; object type is VAR; available in BW 3.0A Support Package 2

InfoSet in BEx
S_RS_ISET For displaying / maintaining InfoSets

S_RS_FOLD - Turn Off InfoArea Folder

New Authorization Objects (continued)
- S_RS_COMP1: checked additionally with S_RS_COMP; checks authorizations on query components depending on the owner (creator, RSZOWNER); these authorizations are necessary, e.g. for creating queries
- S_RS_IOBJ: authorization object for working with InfoObjects; checked if authorization is not available via S_RS_ADMWB; additional checks for update rule authorizations

Authorization in the Web Environment with Role Based Authorization

- A web report can be published into a role as a URL, MiniApp or iView
- Web templates are handled like workbooks: role based
- Web Application Designer is based on web templates: role based

Pre-Calculated Objects
- OLAP engine: checks whether it is a pre-calculated object; does not refresh the data, but checks the authorization
- If it is copied pre-cached data, there's no possibility to check authorization for the pre-calculated Reporting Agent

Authorization in the Web Environment (continued): Web Items

- Accessible via a library of items which are assigned to roles, similar to web template handling
- No restriction once you have access to a certain library: you can display, and you can change if delete authorization is granted
- Same authorization as assigning the library

Query Views
Inherited from Query

Authorization Object for Securing InfoObjects

Prior to 3.0, InfoObjects were protected via authorization object S_RS_ADMWB (Administrator Workbench Object = INFOOBJECT). You were only able to assign the authorization either for all InfoObjects or for none. Solution: as of 3.0 there is an additional authorization object S_RS_IOBJ. With this authorization object you can differentiate the authorization by the technical names of the InfoObjects (for example to permit namespace A* or B*). In such a case the user does not need the authorization for object S_RS_ADMWB, because one of the two authorizations is sufficient to process the InfoObjects.

3 Steps to Setup InfoObject Authorizations in BW

1. Mark characteristics as "Authorization Relevant"

2. Create an Authorization Object for Reporting

3. Create Authorizations with the values

1. Mark characteristics as Authorization Relevant

2. Create an Authorization Object for Reporting

3. Create Authorizations in Profile

4 Steps to Setup Hierarchy Authorizations in BW

1. Activate InfoObject 0TCTAUTHH from Business Content (if necessary).
2. Create the reporting object using 0TCTAUTHH and the leaf InfoObject.
3. Define a description of a hierarchy authorization.
4. Create an authorization for the new authorization object. Enter the technical name of the hierarchy authorization description as the value for field 0TCTAUTHH.

1. Activate 0TCTAUTHH in Business Content

2. Create Authorization Object with 0TCTAUTHH

3. Define a Description of a Hierarchy Node

New Mode for Hierarchy Nodes

In 2.0, the level must be given as an absolute value with respect to the hierarchy. With the new mode, the level is set relative to the node and stays the same when the node is moved to another position in the hierarchy. This dramatically reduces the maintenance required for unique hierarchy authorization node identifiers.
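To make the difference between the two modes concrete, here is an added example (not code from the slides): a tiny hierarchy, one node authorization evaluated in the 2.0 "absolute level" mode and in the 3.0 "relative to the node" mode, and the same evaluation after the node is moved. The hierarchy, the node names (ROOT, NA, NA_EAST, BOSTON, AMERICAS), the hierarchy name CC_HIER and the technical name ZH_NA_1 are constructed.

```python
# Added example, not code from the slides: hierarchy node authorizations in
# absolute-level mode (2.0) versus relative-level mode (3.0).


class Hierarchy:
    def __init__(self, root, edges):
        # edges: (parent, child) pairs; the root has no parent
        self.root = root
        self.parent = {root: None}
        self.children = {root: []}
        for p, c in edges:
            self.parent[c] = p
            self.children.setdefault(p, []).append(c)
            self.children.setdefault(c, [])

    def level(self, node):
        """Absolute level in the hierarchy: root = 0."""
        lvl = 0
        while self.parent[node] is not None:
            node = self.parent[node]
            lvl += 1
        return lvl

    def descendants(self, node):
        """The node itself plus everything below it."""
        out, stack = [], [node]
        while stack:
            n = stack.pop()
            out.append(n)
            stack.extend(self.children[n])
        return out

    def move(self, node, new_parent):
        """Reorganisation: hang `node` (with its subtree) under another parent."""
        self.children[self.parent[node]].remove(node)
        self.parent[node] = new_parent
        self.children[new_parent].append(node)


# A hierarchy authorization description as it would be referenced through
# 0TCTAUTHH (constructed technical name and hierarchy name).
HIER_AUTH = {"technical_name": "ZH_NA_1", "hierarchy": "CC_HIER",
             "node": "NA", "level": 1, "mode": "relative"}


def authorized_nodes(hier, node, level, mode):
    """Nodes covered by a hierarchy node authorization.
    'absolute' (2.0): nodes below `node` whose absolute level <= level.
    'relative' (3.0): nodes at most `level` steps below `node`."""
    base = hier.level(node) if mode == "relative" else 0
    return {n for n in hier.descendants(node) if hier.level(n) - base <= level}


def build_sample():
    # Constructed cost-centre hierarchy: ROOT -> NA -> NA_EAST -> BOSTON,
    # plus an empty AMERICAS node that NA will later be moved under.
    return Hierarchy("ROOT", [("ROOT", "NA"), ("NA", "NA_EAST"),
                              ("NA_EAST", "BOSTON"), ("ROOT", "AMERICAS")])


def compare_modes():
    """The 'same' authorization (node NA, one level below it) before and after
    NA is moved under AMERICAS. Absolute mode needs level 2 to express that in
    the original hierarchy; relative mode needs level 1. Returns
    [(absolute_before, absolute_after), (relative_before, relative_after)]."""
    results = []
    for mode, level in (("absolute", 2), ("relative", 1)):
        h = build_sample()
        before = authorized_nodes(h, "NA", level, mode)
        h.move("NA", "AMERICAS")
        after = authorized_nodes(h, "NA", level, mode)
        results.append((sorted(before), sorted(after)))
    return results


if __name__ == "__main__":
    print(compare_modes())
```

After the move, the absolute-mode authorization silently shrinks to the node NA alone (NA_EAST now sits at absolute level 3), which is exactly the maintenance the relative mode avoids: its result is unchanged.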

4. Create an Authorization for the New Object

Authorizations for Reporting

Maintaining Authorization Objects & InfoCubes Check

Transaction Code: RSSM

A Different Way of Looking at InfoCubes Check Maintaining Authorizations for One, or More Users Collectively

PFCG! Maintaining Unique Hierarchy Node IDs

Transporting Hierarchy Authorization Ids and InfoCube Check

Authorization Variables in BW 2.x

1. Create Variable

2. Define Properties

3. Assign Variable to Query

Authorization Variables in BW 3.x

1. Create Variable & Define Properties in Query Designer

2. Assign Variable to Query

Authorization Variables Characteristic Value Type

Authorization Variables Hierarchy Node Type

Multiple Selection View

Maintenance of Master Data with Authorization

If this property is set, maintenance of the individual master data / text records for this characteristic can be protected by means of authorizations. E.g., user A may only maintain values from 1000 - 1999 and user B may only maintain values from 2000 - 2999.
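The slides on authorization variables and on protected master data maintenance describe one mechanism from two sides, so here is one added example (not code from the slides) covering both: reporting authorizations on an authorization-relevant characteristic, the selection a characteristic-value authorization variable delivers at query runtime, the query filter derived from it, and the master data maintenance check for the user A (1000-1999) / user B (2000-2999) case. The authorization object name ZCOSTC, the users and the InfoCube rows are constructed. The ':' value for "aggregated access only" is BW's own convention for reporting authorizations and is not shown on the slides.

```python
# Added example, not code from the slides: reporting authorizations,
# the authorization variable filled from them, and master data maintenance.

AUTH_OBJECT = "ZCOSTC"          # constructed reporting authorization object
CHARACTERISTIC = "0COSTCENTER"  # the authorization-relevant characteristic

# user -> list of (low, high) intervals; (":", ":") = aggregated access only
REPORTING_AUTHS = {
    "USER_A": [("1000", "1999"), (":", ":")],
    "USER_B": [("2000", "2999"), (":", ":")],
    "USER_C": [(":", ":")],   # may see totals, never single cost centres
}


def allowed_intervals(user):
    return [(lo, hi) for lo, hi in REPORTING_AUTHS.get(user, []) if lo != ":"]


def has_aggregation_auth(user):
    return any(lo == ":" for lo, _ in REPORTING_AUTHS.get(user, []))


def fill_authorization_variable(user):
    """What a characteristic-value variable 'filled from authorization'
    delivers at runtime: the user's intervals as a selection table."""
    return [{"sign": "I", "option": "BT", "low": lo, "high": hi}
            for lo, hi in allowed_intervals(user)]


def value_allowed(user, value):
    return any(lo <= value <= hi for lo, hi in allowed_intervals(user))


def run_query(user, rows, drilldown):
    """rows: dicts with 0COSTCENTER and AMOUNT. With the characteristic in the
    drilldown the rows are restricted by the authorization variable (no
    values -> no authorization -> None). Without it the user needs ':' and
    gets the total only."""
    if CHARACTERISTIC in drilldown:
        sel = fill_authorization_variable(user)
        if not sel:
            return None
        return [r for r in rows
                if any(s["low"] <= r[CHARACTERISTIC] <= s["high"] for s in sel)]
    if not has_aggregation_auth(user):
        return None
    return sum(r["AMOUNT"] for r in rows)


def may_maintain_master_data(user, value):
    """Once the characteristic's property is set, maintaining a single master
    data / text record is protected by the same intervals."""
    return value_allowed(user, value)


# constructed InfoCube rows
ROWS = [
    {"0COSTCENTER": "1000", "AMOUNT": 10},
    {"0COSTCENTER": "1500", "AMOUNT": 20},
    {"0COSTCENTER": "2000", "AMOUNT": 30},
    {"0COSTCENTER": "2999", "AMOUNT": 40},
]


if __name__ == "__main__":
    for u in ("USER_A", "USER_B", "USER_C"):
        print(u, run_query(u, ROWS, [CHARACTERISTIC]), run_query(u, ROWS, []))
```

USER_C shows the failure mode a practitioner tends to forget: a user with only the aggregation value can run the totals query but gets no data at all as soon as the characteristic is added to the drilldown, because the variable is filled with an empty selection.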

mySAP BW Authorization Concept Implementation

Authorization Concept ASAP Methodology


Role Identification, First Requirements

Authorization Requirements

Strategy for Authorizations

Authorization Design

BW authorization Requirements Collection Template (with suggested design rules)

Implementation

Test

Authorization Tasks in the ASAP Roadmap: Project Preparation

1. Functional scope definition.
2. Project team member user IDs & roles definition.

Authorization Tasks in the ASAP Roadmap: Business Blueprint

1. Role identification.
2. First identification of the authorization relevant characteristics.
3. Definition of an authorization strategy.

Authorization Tasks in the ASAP Roadmap: Realization

1. Collection of authorization requirements at the chosen level of detail.
2. Profile design.
3. Authorization implementation.

Authorization Tasks in the ASAP Roadmap: Final Preparation

1. Test of authorizations.

mySAP BW MacroRoles

Data Modeler
(S_RS_RDEMO)

System Administrator(s)
(S_RS_RDEAD, S_RS_ROPAD & S_RS_ROPOP)

Reporting User
(S_RS_RREPU)

Reporting Developer
(S_RS_RREDE)

Authorization Requirements Collection Approaches

InfoCube-based Approach
You can collect the requirements by allowing or not allowing specific InfoCubes. If it's convenient, you can use the concept of InfoArea to allow or disallow a group of InfoCubes belonging to the same InfoArea. You can go into more detail if you limit the accessibility of a cube, allowing only a part of it. We can call the sub-InfoCube that is limited by the authorizations assigned to a user a dataset. In BW a dataset can be defined according to characteristics, key figures, hierarchies and their combinations.

Query Name-based Approach


For pure reporting users (not allowed to build new queries) you can use the query names to simplify the authorization design, creating specific queries for specific roles and allowing only certain query names. The disadvantage of this approach is that there's no relationship between query name and set of data, so new queries are potential security dangers.

InfoCube Independent Dataset Approach


Before the data model exists you don't know the InfoCubes, but you can express authorization requirements through datasets, i.e. limitations on characteristics, key figures, hierarchies and their combinations at various levels of detail.

The Authorization Accelerator

The Authorization Accelerator A Bug

The Authorization Accelerator The Fix

In Visual Basic, the Rem statement is used to add comments to the code. The bug is caused because there is no between False and Rem. To fix it, add after False.

HR Authorizations in BW 3.0

HR Business Content

HR Key Figures / Standard Queries


Approximately 140 predefined Queries and 200 Key Figures in 2.1C

HR InfoCubes
20 in 2.1C

HR Extractors for R/3


15 in 2.1C

Hierarchies as Characteristics for Navigation

Available Hierarchies in HR
- Organizational Units
- Cost Centers
- Employees
- Age
- Capacity Utilization Level
- Qualifications, Qualification Groups
- Business Events, Business Event Groups

Business Content: Calculations and Time Series

Business Content in HR also contains standard calculations / templates for calculations (approximately 70 templates for standard calculations), such as:
- Predefined time series comparisons
- Calculation of averages

HR Authorization Concept in BW

Similar to other functional areas, mySAP BW has a comprehensive access control concept operating at various levels for HR. Access authorization can be given:
- for complete reports
- for certain key figures (e.g. salary in the HR InfoCube)
- even for certain characteristic values (e.g. a cost center)

Access authorizations are granted and changed in the Authorization for Reporting transaction (RSSM). From 3.0, Online Data Storage (ODS) objects are utilized to provide structural authorizations in BW.

HR Structural Authorization

Bring Structural Authorization into BW Environment


Bring all R/3 structural authorizations into BW, or only selectively.

Restrictions:
- Active plan version only, without time-dependency
- Delivered content supports Organization, Position & EE only
- The DataSource supports all object types from R/3, but additional customized update rules are required in BW

Accelerator will be available to guide Implementation

Authorization for Display Attributes


Available in BW 2.0B since patch 7

HR Structural Authorization

Data flow from R/3 OLTP to mySAP BW (figure): on the R/3 side, the structural authorization profile (T77PR), the user-to-profile assignment (T77UA), the user list (T77UU) and the R/3 org structure are evaluated into structural authorizations and stored in the INDX cluster, which the DataSources 0HR_PA_2 and 0HR_PA_3 read. On the BW side the data passes through the PSA and transfer rules into the ODS objects 0PA_DS02 and 0PA_DS03, from which RSSM or a function module generates the authorizations used for the security check.

Steps to Install Structural Authorization

1. Create structural authorization profile (IMG or OOSP)
2. Assign user to profile (IMG or OOSB)
3. Update table T77UU to include the user name
4. Execute program RHBAUS00 to create the INDX
5. Activate the 0HR_PA_2 & 0HR_PA_3 DataSources in R/3 and BW
6. Create the 0HR_PA_2 & 0HR_PA_3 InfoSources & communication structures
7. Activate and load the ODS from R/3
8. Activate the target InfoObjects as authorization relevant
9. Create the authorization object in RSSM
10. Use RSSM or execute the RSSB function modules to generate the BW authorization
11. Create a query with authorization variables

HR Structural Authorization

Scenario (org structure shown on the slide):
BW20 Incorporated
- BW20-01 Group 1: CC 2001 Sales, CC 2001 FI
- BW20-02 Group 2: CC 2001 IT, CC 2001 Market
- BW20-03 Group 3: CC 2001 HR

Employees 20010001 to 20010014 (Employee #1 to #14) hang below the cost centers in five groups: #9, #4; #3, #8; #1, #6, #11, #13, #14; #5, #10; #2, #7, #12.
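To show what the installation steps above actually compute, here is an added example (not code from the slides): an HR structural authorization profile (root object plus depth, the shape of a T77PR entry) is evaluated against the scenario's org structure, restricted to the active plan version, and the persons it reaches become the 0EMPLOYEE values of a generated BW reporting authorization. The org units and cost centres are the scenario's; the slide does not show which employee belongs to which cost centre, so that assignment, the inactive plan version node BW20-04, the profile names, the users and the object name ZHR_EMP are constructed.

```python
# Added example, not code from the slides: evaluating structural
# authorization profiles and deriving BW 0EMPLOYEE authorization values.

ACTIVE_PLVAR = "01"

# (object type, id) -> children. O = org unit, K = cost centre, P = person.
# Employee-to-cost-centre assignment is constructed, not read from the slide.
ORG_TREE = {
    ("O", "BW20"): [("O", "BW20-01"), ("O", "BW20-02"), ("O", "BW20-03"), ("O", "BW20-04")],
    ("O", "BW20-01"): [("K", "2001 Sales"), ("K", "2001 FI")],
    ("O", "BW20-02"): [("K", "2001 IT"), ("K", "2001 Market")],
    ("O", "BW20-03"): [("K", "2001 HR")],
    ("O", "BW20-04"): [("P", "20010099")],   # constructed: exists only in plan version 02
    ("K", "2001 Sales"): [("P", "20010001"), ("P", "20010006"), ("P", "20010011"),
                          ("P", "20010013"), ("P", "20010014")],
    ("K", "2001 FI"): [("P", "20010009"), ("P", "20010004")],
    ("K", "2001 IT"): [("P", "20010003"), ("P", "20010008")],
    ("K", "2001 Market"): [("P", "20010005"), ("P", "20010010")],
    ("K", "2001 HR"): [("P", "20010002"), ("P", "20010007"), ("P", "20010012")],
}
# plan version per object; everything not listed is in the active version
PLAN_VERSION = {("O", "BW20-04"): "02"}

# structural profiles (T77PR-like): root object and depth (0 = unlimited)
PROFILES = {
    "ALL": {"root": ("O", "BW20"), "depth": 0},
    "GRP1": {"root": ("O", "BW20-01"), "depth": 0},
    "GRP2_CC": {"root": ("O", "BW20-02"), "depth": 1},   # cost centres, no persons
}
# user -> profiles (T77UA-like); T77UU would list the users to be exported
USER_PROFILES = {"CEO": ["ALL"], "MGR_GRP1": ["GRP1"], "CTRL_GRP2": ["GRP2_CC"]}


def evaluate_profile(profile):
    """Objects reachable from the root within `depth` levels, active plan
    version only (the restriction stated on the slides)."""
    found, frontier = set(), [(profile["root"], 0)]
    while frontier:
        obj, d = frontier.pop()
        if PLAN_VERSION.get(obj, ACTIVE_PLVAR) != ACTIVE_PLVAR:
            continue
        found.add(obj)
        if profile["depth"] and d >= profile["depth"]:
            continue
        frontier.extend((child, d + 1) for child in ORG_TREE.get(obj, []))
    return found


def structural_objects(user):
    """Union of all objects the user's structural profiles reach."""
    objs = set()
    for name in USER_PROFILES.get(user, []):
        objs |= evaluate_profile(PROFILES[name])
    return objs


def bw_employee_values(user):
    """Values for field 0EMPLOYEE of the generated reporting authorization."""
    return sorted(pid for typ, pid in structural_objects(user) if typ == "P")


def generated_authorization(user, auth_object="ZHR_EMP"):
    """Shape of one generated authorization (constructed object name).
    None for 0EMPLOYEE means there is nothing to generate for this user."""
    values = bw_employee_values(user)
    return {"user": user, "object": auth_object, "0EMPLOYEE": values or None}


if __name__ == "__main__":
    for u in USER_PROFILES:
        print(generated_authorization(u))
```

The CTRL_GRP2 user illustrates the depth restriction: a profile that stops at the cost centres reaches no persons, so the full refresh would generate an authorization with no 0EMPLOYEE values, which is worth catching before it reaches RSSM.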

Motivation and Benefits: Why an Automated Authorizations Generator

- Simplify the process to maintain InfoObject-level authorization
- Enable authorizations generated from R/3 and non-R/3 source systems
- Bring R/3 structural authorizations to BW via standard Business Content
- Full refresh on a customer-selected frequency

Key Benefits
- Reduces redundant security setup
- Provides cross-system consistency

Automatic Security Profile Generator, sourced from four types of ODS objects:
- Authorization Value ODS
- Hierarchy ODS
- Text ODS
- User List ODS

ODS Population
- From R/3: HR structural authorizations
- From flat files

New HR Structural Authorizations Business Content; new RSSM user interface

Automatic Profile Generation Architecture

Figure: the source systems (R/3, file, other) deliver DataSources through the BW S-API (with replicated metadata) into an InfoSource with mapping and transfer rules; update rules fill the four ODS objects: user assignment 0TCA_DS04, value 0TCA_DS01, hierarchy 0TCA_DS02 and text 0TCA_DS03. Transaction code RSSM then generates the authorization object from these ODS objects together with the BW metadata (InfoObjects such as 0TCTAUTHH, 0ORGUNIT and 0EMPLOYEE).

Value ODS Object Overview

Hierarchy ODS Object Overview

Generating Authorizations in RSSM

Steps to Create Authorization from Flat Files

1. Define Reporting Object: mark the InfoObjects authorization relevant; define the reporting authorization object via RSSM.
2. Create Authorization Value InfoSource & ODS: use 0TCA_DS01 as template; the ODS name must be XXXX_DS01.
3. Create Authorization Hierarchy InfoSource & ODS: use 0TCA_DS02 as template; the ODS name must be XXXX_DS02.
4. Create Update Rules & Flat Files for ODS Loads: the date format is YYYYMMDD or your default format; several objects can be defined as constants.
5. Generate Profiles via RSSM or the RSSB program: in RSSM, find your ODSs and mark the authorization object; execute RSSB_Generate_Authorizations.
6. Create Authorization Variables in Query Definition: define variables for the authorization InfoObjects; include the variables in your queries.
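The generation step (5) is the one a practitioner most wants to see behave predictably, so here is an added example (not code from the slides, and not SAP's RSSB implementation): a simulation that turns rows of a value ODS (the XXXX_DS01 pattern), a hierarchy ODS (XXXX_DS02) and a user-list ODS into per-user authorizations as a full refresh, applying the YYYYMMDD date rule from step 4. Rows with an expired validity date, a malformed date, or a user that is not in the user list are rejected with a reason. The column layout, user names, the object name ZCOSTC and all row values are constructed and do not claim to be the real 0TCA_DS0x structures.

```python
# Added example, not code from the slides: simulated authorization generation
# from constructed ODS rows (value, hierarchy, user list), YYYYMMDD dates.
from collections import defaultdict
from datetime import datetime

# constructed value ODS rows:
# (user, auth object, InfoObject, sign, option, low, high, valid-to YYYYMMDD)
VALUE_ODS = [
    ("USER_A", "ZCOSTC", "0COSTCENTER", "I", "BT", "1000", "1999", "99991231"),
    ("USER_A", "ZCOSTC", "0COSTCENTER", "I", "EQ", ":", "", "99991231"),
    ("USER_B", "ZCOSTC", "0COSTCENTER", "I", "BT", "2000", "2999", "20021231"),  # expired
    ("USER_B", "ZCOSTC", "0COSTCENTER", "I", "BT", "3000", "3999", "99991231"),
    ("USER_X", "ZCOSTC", "0COSTCENTER", "I", "EQ", "4000", "", "99991231"),      # not in user list
    ("USER_A", "ZCOSTC", "0COSTCENTER", "I", "EQ", "5000", "", "2003-01-01"),    # wrong date format
]
# constructed hierarchy ODS rows:
# (user, auth object, InfoObject, hierarchy, node, relative level, valid-to)
HIER_ODS = [
    ("USER_A", "ZCOSTC", "0COSTCENTER", "CC_HIER", "NA", 1, "99991231"),
]
# constructed user-list ODS rows: (user, auth object)
USER_LIST_ODS = [("USER_A", "ZCOSTC"), ("USER_B", "ZCOSTC")]


def parse_valid_to(text):
    """Accept YYYYMMDD only; anything else is rejected, never guessed."""
    try:
        return datetime.strptime(text, "%Y%m%d").date()
    except ValueError:
        return None


def _admit(user, obj, valid_to, wanted, today, rejected, key):
    """Shared admission rule for value and hierarchy rows."""
    if (user, obj) not in wanted:
        rejected.append((user, key, "not in user list"))
        return False
    d = parse_valid_to(valid_to)
    if d is None:
        rejected.append((user, key, "invalid date"))
        return False
    if d < today:
        rejected.append((user, key, "expired"))
        return False
    return True


def generate_authorizations(value_rows, hier_rows, user_list, today):
    """Full refresh: the returned structure replaces whatever was generated
    before. Returns (user -> object -> {"values": [...], "hierarchy_nodes": [...]},
    list of rejected (user, key, reason))."""
    wanted = set(user_list)
    rejected = []
    result = defaultdict(lambda: defaultdict(
        lambda: {"values": [], "hierarchy_nodes": []}))
    for user, obj, iobj, sign, opt, low, high, valid_to in value_rows:
        if _admit(user, obj, valid_to, wanted, today, rejected, low):
            result[user][obj]["values"].append((iobj, sign, opt, low, high))
    for user, obj, iobj, hier, node, level, valid_to in hier_rows:
        if _admit(user, obj, valid_to, wanted, today, rejected, node):
            result[user][obj]["hierarchy_nodes"].append((iobj, hier, node, level))
    generated = {u: {o: dict(a) for o, a in objs.items()} for u, objs in result.items()}
    return generated, rejected


if __name__ == "__main__":
    from datetime import date
    gen, rej = generate_authorizations(VALUE_ODS, HIER_ODS, USER_LIST_ODS, date(2003, 1, 1))
    print(gen)
    print(rej)
```

Because each run is a full refresh, USER_B's expired 2000-2999 interval disappears from the generated authorization on the first run after its validity date; the rejected list is what you would log and review after each scheduled generation.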

Authorizations in mySAP SEM

Enhancements of Authorization Concept in SEM 3.0

Authorizing Customizing Data in mySAP SEM
For example: Global PI Sequence (3.0A), Planning Profile, Planning Package (3.0A), Planning Method (3.0A), Planning Set (3.0A), Planning Level, Planning Area

Authorizing Transaction Data in mySAP BW
For example: Cost Center, Profit Center, Personnel Number, etc.

Authorizations in Enterprise Portal

Enterprise Portal Sensitive Security Areas

The same numbered areas, placed around the Portal Server and third party systems:
1. Authentication
2. Single Sign-On
3. Secure Communication
4. Authorization
5. User Directory / User Management
6. Secure Network

mySAP Technology New User Management

Figure: the user enters through the Portal Infrastructure, which handles registration, authentication and role definition against a central user store (LDAP, XML). Role assignment is decentralized: the Web Application Server and other application servers keep their local authorization configuration. The Exchange Infrastructure appears as a further component of the landscape.

Central User Management


Depending on what release you are currently on, the level of integration of your SAP systems with your corporate directories can differ. Recently, Directory Services and the Lightweight Directory Access Protocol (LDAP) have become the focal point for access to central organizational and configuration data across the entire system landscape. As of SAP Basis Release 4.5, Central User Administration and Global User Manager functionalities exist within SAP systems via ALE. As of SAP Basis Release 4.6, access to corporate directories is facilitated from the SAP system with the LDAP Connector. With SAP Web Application Server 6.10 comes support for periodic synchronization of user data with your corporate directory using the LDAP Connector.

In September 2001, SAP advised all customers not to use the Global User Manager (Transaction SUUM) until further notice. Refer to OSS Note 433941.

Contacts

Mohamed Judi mohamed.judi@sap.com


Business Intelligence & Technology 5 Concourse Parkway, Suite 925 Atlanta GA 30328 http://www.sap-si.com

SAP Systems Integration America, LLC

Thank you for attending!


Please remember to complete and return your evaluation form following this session.

Session Code: 1204
