Authorizations
Agenda
I.
II. Authorization Concept in mySAP BW 3.0
III. mySAP BW Authorization Concept Implementation
IV. HR Authorizations in mySAP BW 3.0
V. Authorizations in mySAP SEM
VI. Authorizations in SAP Enterprise Portal
VII. Demonstrations
Company Profile
SAP SI Systems Integration is a majority-owned subsidiary of SAP
Professional services in selected industries and knowledge areas (i.e. Business Intelligence)
1,600 employees worldwide
Systems integrator for mySAP.com solutions and 3rd party applications
Significant global player in the mySAP.com space with international market presence
Partner for large corporations and mid-size companies
Internationally diverse team of experienced consultants
US headquarters in Atlanta and offices in Philadelphia and Irvine/Los Angeles
Monier
1
Authentication
Single Sign-On
2
Portal Server
Third Party System
5
User Directory
User Management
6
Secure Network
FI_ROLE
FI_TRANS_CODE
FI_COMP_CODES
F_BURS
ACT: FI_AC
TARGET: FI_COMP_CODES
ACT: Display, Create
TARGET: 0001-0005
1. Menu
2. Authorizations
3. Workflow
4. Organizational Structure
Single Role
(Activity Group) Financial Planning: Plan Entry Re-evaluation ...
Authorization Profile
Other Icons
View field contents
Maintain field contents
Delete field contents, inactive authorization, or further authorizations for an object
Copy authorization
Inactivate an active authorization, or authorizations for an object
Reactivate an inactive authorization
Merge several authorizations
Transactions for an authorization object
Allocation of full authorization
User Buffer
Role 7
Composite Role A
Composite Role B
Authorization Profile
Change Documentation
Information Complexity in BW
+ simplification / - security
User
User Role (Channels, Activity Groups)
InfoAreas
InfoCubes
Queries
InfoObjects - Key figures
InfoObjects - Characteristic Values
- simplification / + security
Warehouse Design
Workbench Objects Variables Query Objects InfoCube Objects ODS Objects InfoSources InfoObjects Source Systems
Warehouse Administration
InfoPackages Monitor Meta Data Reporting Agent Settings
InfoSet in BEx
S_RS_ISET For displaying / maintaining InfoSets
New Authorization Objects (continued)
S_RS_COMP1
  Is checked additionally with S_RS_COMP
  Checks for authorizations on query components dependent on the owner (creator RSZOWNER)
  Authorizations are necessary, e.g. for creating queries
S_RS_IOBJ
  Authorization object for working with InfoObjects
  Is checked if authorization is not available via S_RS_ADMWB
  Additional checks for update rule authorizations
Pre-Calculated Objects
OLAP Engine
Check if it is a Pre-Calculated Object: Do Not Refresh Data But Check Authorization
If It is Copied Pre-Cached Data, there's no possibility to Check Authorization for:
Pre-Calculated Report Agent
Query Views
Inherited from Query
Prior to 3.0, InfoObjects were protected via authorization object S_RS_ADMWB (Administrator Workbench Object = INFOOBJECT). You could assign the authorization only for all InfoObjects or for none. Solution: As of 3.0 there is an additional authorization object, S_RS_IOBJ. With this authorization object you can differentiate the authorization by the technical names of the InfoObjects (for example, to permit namespace A* or B*). In such a case the user must not have the authorization for object S_RS_ADMWB, because either one of the two authorizations is sufficient to process the InfoObjects, so an S_RS_ADMWB authorization would override the name-based restriction.
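The either-or check described above, as an added example (not SAP code and not from the original slides): a simplified Python model showing why a user who also holds S_RS_ADMWB for INFOOBJECT is not limited by an S_RS_IOBJ name pattern, plus an audit helper that flags such users. The user names, InfoObject names and the two-element authorization tuples are assumptions made for illustration.

```python
# Added example (not SAP code): simplified model of the BW 3.0 InfoObject check.
# Each authorization is (object, value). Real authorizations carry more fields
# (activity, etc.); only the field relevant to the text above is modelled.

def _matches(pattern, name):
    """SAP-style value match: '*' alone, a trailing-'*' prefix, or exact."""
    if pattern.endswith("*"):
        return name.startswith(pattern[:-1])
    return pattern == name

def grants_via_admwb(auths):
    """True if S_RS_ADMWB covers Administrator Workbench object INFOOBJECT."""
    return any(obj == "S_RS_ADMWB" and _matches(val, "INFOOBJECT")
               for obj, val in auths)

def may_process(auths, infoobject):
    """Either authorization is sufficient, as the text states."""
    if grants_via_admwb(auths):
        return True
    return any(obj == "S_RS_IOBJ" and _matches(val, infoobject)
               for obj, val in auths)

def bypassed_restrictions(users):
    """Users whose S_RS_IOBJ name patterns are made moot by S_RS_ADMWB."""
    findings = {}
    for user, auths in users.items():
        patterns = sorted(val for obj, val in auths
                          if obj == "S_RS_IOBJ" and val != "*")
        if patterns and grants_via_admwb(auths):
            findings[user] = patterns
    return findings

# Constructed sample data: user names, InfoObject names and patterns are made up.
USERS = {
    "MODELER_A": [("S_RS_IOBJ", "A*")],
    "MODELER_B": [("S_RS_IOBJ", "B*"), ("S_RS_ADMWB", "INFOOBJECT")],
    "ADMIN": [("S_RS_ADMWB", "*")],
}

if __name__ == "__main__":
    for user, auths in USERS.items():
        print(user, {io: may_process(auths, io) for io in ("AREGION", "BPLANT")})
    print("restriction bypassed:", bypassed_restrictions(USERS))
```

In the sample data, MODELER_B is meant to be limited to B* but can process every InfoObject because the role also carries S_RS_ADMWB for INFOOBJECT.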
1. Activate InfoObject 0TCTAUTHH from Business Content (if necessary).
2. Create Reporting Object by using 0TCTAUTHH and leaf InfoObject.
3. Define a description of a hierarchy authorization.
4. Create an authorization for the new authorization object. Enter the technical name of the description of a hierarchy authorization as value for field 0TCTAUTHH.
New Mode for Hierarchy Nodes
In 2.0, the level must be given by an absolute value with respect to the hierarchy. With this new mode, the level is set relative to the node and remains the same when the node is moved to another position in the hierarchy. This will dramatically reduce the amount of maintenance required to maintain Unique Hierarchy Authorization Node Identifiers.
A Different Way of Looking at InfoCubes Check Maintaining Authorizations for One, or More Users Collectively
Authorization Variables in BW 3.x
1. Create Variable & Define Properties in Query Designer
2. Define Properties
If this property is set, maintenance of individual master data / text records for this characteristic can be protected by means of authorizations. E.g., user A may only maintain values from 1000 - 1999 and user B may only maintain values from 2000 - 2999.
Authorization Requirements
Authorization Design
Implementation
Test
1. Functional scope definition.
2. Project team member user IDs & roles definition.

1. Role identification.
2. First identification of the authorization relevant characteristics.
3. Definition of an authorization strategy.

1. Collection of authorization requirements at the chosen level of detail.
2. Profile design.
3. Authorization implementation.
1. Test of authorizations.
mySAP BW MacroRoles
Data Modeler
(S_RS_RDEMO)
System Administrator(s)
(S_RS_RDEAD, S_RS_ROPAD & S_RS_ROPOP)
Reporting User
(S_RS_RREPU)
Reporting Developer
(S_RS_RREDE)
InfoCube-based Approach
You can collect the requirements by allowing or not allowing access to specific InfoCubes. If it's convenient, you can use the concept of the InfoArea to allow or disallow a group of InfoCubes belonging to the same InfoArea. You can go into more detail by limiting the accessibility of a cube, allowing access to only a part of it. We can call the sub-InfoCube that is limited by the authorizations assigned to a user a dataset. In BW a dataset can be defined according to characteristics, key figures, hierarchies and their combinations.
In Visual Basic, the Rem statement is used to add comments in the code. The bug is caused because there is no between False and Rem. To fix, add after False.
HR Authorizations in BW 3.0
HR Business Content
HR InfoCubes
20 in 2.1C
Available Hierarchies in HR
Organizational Units
Cost Centers
Employees
Age
Capacity Utilization Level
Qualifications, Qualification Groups
Business Events, Business Event Groups
Business Content: Calculations and Time series
Business Content in HR also contains standard calculations / templates for calculations (approximately 70 templates for standard calculations) such as:
Predefined time series comparisons
Calculation of averages
HR Authorization Concept in BW
Similar to other functional areas, mySAP BW has a comprehensive access control concept operating at various levels for HR.
Access authorization can be given:
for complete reports
for certain key figures (e.g. salary in HR InfoCube)
even for certain characteristic values (e.g. a cost center)
Access authorizations are granted and changed in the Authorization for Reporting transaction (RSSM). From 3.0, Online Data Storage (ODS) objects are utilized to provide structural authorizations in BW.
HR Structural Authorization
PSA
T77PR Profile
R/3 Org. Structure
Transfer Rules Structural Authorizations
Security Check
Transfer Rules
T77UA Assignment
Structural Authorizations
T77UU User
ODSs
R/3 OLTP
mySAP BW
Steps to Install Structural Authorization
1. Create Structural Authorization Profile (IMG or OOSP)
2. Assign User to Profile (IMG or OOSB)
3. Update T77UU table to include User Name
4. Execute program RHBAUS00 to create INDX
5. Activate 0HR_PA_2 & 3 DataSource in R/3 and BW
6. Create 0HR_PA_2 & 3 InfoSource & Communications Structure
7. Activate and load ODS from R/3
8. Activate Target InfoObjects Authorization Relevant
9. Create Authorization Object in RSSM
10. Use RSSM or Execute RSSB Function Modules to generate BW Authorization
11. Create Query with Authorization Variables
HR Structural Authorization
Scenario
BW20 Incorporated
BW20-02 Group 2
CC: 2001 IT CC: 2001 Market
BW20-01 Group 1
CC: 2001 Sales CC: 2001 FI
BW20-03 Group 3
CC: 2001 HR
20010001 Employee #1 20010006 Employee #6 20010011 Employee #11 20010013 Employee #13 20010014 Employee #14
Key Benefits
Reduced the Redundant Security Setup
Provide Cross System Consistency
Automatic Security Profile Generator Sourced from Four Types of ODS Objects
  Authorization Value ODS
  Hierarchy ODS
  Text ODS
  User List ODS
ODS Population
  From R/3: HR Structural Authorizations
  From Flat Files
0TCTAUTHH 0ORGUNIT
Value
0TCA_DS01
Hier. Hier.
0TCA_DS02
Text
0TCA_DS03
ODS-Objects
0EMPLOYEE
Update Rules
InfoSource
Mapping & Transfer Rules DataSource DataSource DataSource
BW S-API
SAP BW Server
replicated Metadata
File File
Other Other
R/3 R/3
For Example: Global PI Sequence 3.0A Planning Profile Planning Package 3.0A Planning Method 3.0A Planning Set 3.0A Planning Level Planning Area
1
Authentication
Single Sign-On
Portal Server
5
User Directory
User Management
6
Secure Network
User
Portal Infrastructure
LDAP (XML)
Exchange Infrastructure
In September 2001, SAP advised all customers not to use the Global User Manager (Transaction SUUM) until further notice. Refer to OSS Note 433941.
Contacts