BI Authorizations

_________________________________
_________________________________
An A-to-Z Guide on How _________________________________

to Develop a Flexible _________________________________
Position-Based Security _________________________________
Model for SAP _________________________________
NetWeaver Business
_________________________________
Intelligence
_________________________________
Tracey Brookes _________________________________
Sapient Corp _________________________________
© 2008 Wellesley Information Services. All rights reserved.
What We’ll Cover …

_________________________________
• What makes a good BI security model? _________________________________
• How and why to set up a flexible position-based model _________________________________
Roles for BI user type
_________________________________
Special function roles
InfoArea and Data Target-level security _________________________________
InfoObject-level security _________________________________
• How to control ad hoc query creation using role menus _________________________________
• How to leverage the company organizational hierarchy _________________________________
• Wrap-up
_________________________________
_________________________________
What Makes A Good BI Security Model?

_________________________________
• Many mistakes from a bad security model come from _________________________________
trying to apply SAP ERP security principles to a
_________________________________
Business Intelligence (BI) model
An SAP ERP transaction code does not equal SAP NetWeaver® _________________________________
BI transaction code _________________________________
SAP NetWeaver BI is not transaction-driven, but data- and
function-driven! _________________________________
f Data access is controlled in SAP NetWeaver BI by _________________________________
configuring different restrictions on authorization object
S_RS_COMP _________________________________
_________________________________
_________________________________
2
What Should My Security Strategy Achieve?
_________________________________
• Recognizes that positions and departments may change _________________________________
• Recognizes that people may change _________________________________
• Recognizes that roles need to be flexibly assembled so _________________________________
that they can be easily changed
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
BI Security Model Dos and Don’ts

_________________________________
• Do: _________________________________
Use your organization’s structural hierarchy for role allocation
_________________________________
Use single roles
Document common transactions in only one role _________________________________
Identify common elements across requirements and groups _________________________________
accordingly
Capture distinct activities in one role _________________________________
f E.g., ad hoc query creation _________________________________
Create a logical naming standard for InfoProviders and queries
_________________________________
f Use wildcards (*) in restricting values assigned to
authorization objects _________________________________
Separate roles that have authorization objects and menus _________________________________
Separate roles that hold reports that are transported
(standardized/certified) vs. production-created reports (ad hoc)
4
BI Security Model Dos and Don’ts (cont.)

_________________________________
• Don’t: _________________________________
Assign roles directly to user IDs
_________________________________
Use composite roles
Use one role to contain everything for a specific position _________________________________
(~ most SAP-delivered roles) _________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
5
Using Your Organization’s Structural Hierarchy
_________________________________
• Do seek the benefits of using your organization’s _________________________________
structural hierarchy for role allocation
_________________________________
Organizational Unit/Work Center _________________________________
_________________________________
Job
Indirec
t Role (AG) Dire _________________________________
ct
Position (S) _________________________________
Employee (P)
_________________________________
UserID (US) _________________________________
_________________________________
• Value represented between ( ) = SAP ERP object types
6
Using Your Organization’s Structural Hierarchy (cont.)

_________________________________
• Indirect Role Assignment _________________________________
This allows for authorizations to be inferred from the higher _________________________________
levels in the organizational hierarchy down to the lower levels
The use of single roles allocated across an organizational _________________________________
hierarchy thus functions similarly as a composite role would. _________________________________
Thus the reasoning: composite roles are no longer required.
Added flexibility if employees change positions; roles do not _________________________________
have to be moved as roles are allocated to the position and not _________________________________
the person
f Authorization update is immediate with no maintenance lag
_________________________________
in time. Not violating company security policy. _________________________________
_________________________________

_________________________________
• Recognize the difference in role assignments _________________________________
Indirect: blue (best approach)
_________________________________
Direct: black
_________________________________
_________________________________
_________________________________
_________________________________
Direct _________________________________
Indirect
_________________________________
_________________________________
8
_________________________________
• Since the use of the Organizational Hierarchy allows for _________________________________
inferring authorizations, there is no need for doubling up
_________________________________
on the same authorizations or using composite roles
_________________________________
• No longer a need for one role to contain all authorizations
for a requirement (~ SAP-Delivered roles) _________________________________
Purchasing Manager: _________________________________
f Execute Business Explorer (BEx) Analyzer via RRMX
_________________________________
f Execute, create, and modify queries prefixed ZM*
Purchasing Operations: _________________________________

f Execute Business Explorer (BEx) Analyzer via RRMX _________________________________
f Execute queries prefixed ZM*
_________________________________
Using Your Organization’s Structural Hierarchy: Result

_________________________________
_________________________________
S_TCODE: RRMX Query
User _________________________________
_________________________________
S_TCODE: RRMX _________________________________
Power User
_________________________________
_________________________________
S_TCODE: RRMX Department Administrator _________________________________
_________________________________
_________________________________
S_TCODE: RSA1, RRMX BI Developer
10
Using Your Organization’s Structural Hierarchy:

Result (cont.) _________________________________
S_RS_COMP: InfoArea = 0MM*; InfoCube = *;
Component = ZM*; Activity = Display ; MM _________________________________
Subobject = REP Query
User _________________________________
S_RS_COMP: InfoArea = 0MM*; InfoCube = *; _________________________________

Component = ZM*; Activity = Create, Modify; MM
Subobject = REP
_________________________________
Power User
_________________________________

MM
Component = ZM*; Activity =; Delete; Department Administrator
Subobject = REP
_________________________________
_________________________________
S_RS_COMP: n/a
BI Developer _________________________________
**BI Developer infers all of the above under
the hierarchy allocation scheme 11
_________________________________
_________________________________
• Wrap-up
_________________________________
_________________________________
12
Pros and Cons of the SAP-Delivered Roles

_________________________________
• Pros _________________________________
Provides a template for role analysis if no roles exist _________________________________
Grants ideas for role creation rather than building roles entirely
from scratch _________________________________
Good guideline when you have no experience in SAP _________________________________
NetWeaver BI security, but I don’t recommend it in general
_________________________________
Technical Content for areas like BI Statistics and
Administration Cockpit have delivered SAP roles already _________________________________
configured for use
_________________________________
f Contains all complex iViews, queries, Web templates, and
authorizations necessary for displaying the BI Statistics’ _________________________________
Technical Content
_________________________________
f Will never change unless SAP updates them
13
Pros and Cons of the SAP-Delivered Roles (cont.)

_________________________________
• Cons _________________________________
A lot of the delivered roles have been around since
SAP BW 1.2b
_________________________________
Highly position-based at the lowest level; very specific _________________________________
Roles are not unique – authorization objects are duplicated _________________________________
Use composite roles
_________________________________
Tend to require a lot of maintenance since all of the roles need
to be modified rather than one role radiating downwards _________________________________
through a tree
_________________________________
Not SOX compliant
_________________________________
_________________________________
14
Pros and Cons of the SAP-Delivered Roles (cont.)
_________________________________
• The one SAP-delivered role I would recommend using: _________________________________
SAP_SAP_BW_BI_ADMINISTRATOR. Why?
_________________________________
BI Technical Content is all SAP-Delivered Objects and
thus requires no additional “tweaking” to make it work _________________________________
If modifications are made to the BI Technical Content, SAP
_________________________________
would also update the reliant role
BI Technical Content is same across every Business _________________________________
Intelligence installation; thus non-client specific
_________________________________
BI Technical Content is segregated from the rest of the
Data Warehouse _________________________________
Make sure you have the latest SAP modifications by using current versions
_________________________________
of all the SAP-Delivered Objects related to the Administration Cockpit
_________________________________
f If you make enhancements or use your own naming convention as a copy
of the role, you could fall behind maintenance if BI Technical Content is
reinstalled 15
How to Set up a (More) Flexible, Position-Based Model

_________________________________
• Let’s revisit a few statements: _________________________________
“Since the use of the Organizational Hierarchy allows for _________________________________
inferring authorizations, there is no need for doubling up on the
same authorizations or using composite roles.” _________________________________
“No longer a need for one role to contain all authorizations for a _________________________________
requirement”
“BI is not transaction-driven but data- and function-driven” _________________________________
• All authorizations can be grouped according to: _________________________________
Function or action a user can perform _________________________________
Data a user can view
_________________________________
The roles defined in this presentation also work in an SAP NetWeaver BI 7.0
environment. However, they should be modified to incorporate the new _________________________________
authorization objects rolled out as part of that release.
16
How to Set up a (More) Flexible, Position-Based

Model (cont.) _________________________________
• User Actions _________________________________
BI User Type Roles
f Examples – Query User, Power User, Department
_________________________________
Administrator, Developer _________________________________
Special Function Roles
f Examples – Release Transports, Delete InfoObject Master data
_________________________________
• User Data Viewed _________________________________
InfoArea/Data Target Roles _________________________________
f Examples – MM, FI, HR, SD, PM
Supply Costing: Financial Data assigned to MM users _________________________________
InfoObject Restrictions (InfoObject/data-level security)
_________________________________
f Examples – 0COSTCENTER, 0CO_AREA
Menu Folder Roles _________________________________
f Example – Finance queries viewed only by Finance Dept.
17
Four Key BI User Types
_________________________________
_________________________________
Query
User _________________________________
_________________________________
Power User
_________________________________
_________________________________
_________________________________
Department Administrator _________________________________
_________________________________
_________________________________
BI Developer
18
Translating Requirements into User Role Types

_________________________________
• Identify tasks for each BI User Type _________________________________
Transactions that are common between roles belong in the one _________________________________
role allocated to the highest level of the organization hierarchy
f Transaction RRMX is assigned to the Query User role only _________________________________
f Since the Query User role is allocated at a node higher than _________________________________
other roles, the authorizations are inherited down to the
lower levels _________________________________
• “1_Task Matrix.xls” _________________________________
The document lists all tasks associated with each BI User Type _________________________________
role defined in this presentation
_________________________________
Your requirements may vary depending on your business, but
these assignments were derived from more than one company _________________________________
Client
Issue 19
Four Key BI User Types

_________________________________
• BI User Type role definitions in this presentation are _________________________________
based on actions defined in the Task Matrix
_________________________________
Task Query Power SAP _________________________________
User User NetWeaver
BI Dept. _________________________________
Admin.
Execute BEx from SAPGUI (RRMX) or Start Programs X X X _________________________________
Execute queries/workbooks X X X
_________________________________
Create/Change own query (BWD/BWQ/BWP) X X
_________________________________
Create/Change another user’s query (BWD/BWQ/BWP) X
Save ad hoc query to ad hoc menu role (BWD/BWQ/BWP) X X _________________________________

Save standard query to standard menu role (BWD) X
_________________________________
Delete a query X
20
1 – Query User Role
_________________________________
• Applies to ALL systems _________________________________
• Ability to execute BEx Analyzer _________________________________
S_TCODE
_________________________________
f Transaction code = RRMX
S_GUI _________________________________
f Activity = 60, 61 (Import, Export) _________________________________
f Authorization for GUI activities, execution of workbooks
_________________________________
S_BDS_DS and S_BDS_D
f Activity = 03, 30; Class Type = OT
_________________________________
f Authorization for document set _________________________________
f S_GUI and S_BDS_DS enables users to save workbooks to
_________________________________
their Favorites Folder
21
1 – Query User Role (cont.)

_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
• InfoArea tab should not be seen _________________________________

on Query Open _________________________________
S_RS_FOLD _________________________________
f Hide ‘Folder’ Pushbutton = X (True)
22
1 – Query User Role (cont.)

_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
• Role usertype_queryuser_ZBW_A_UT_QU_AL_ALL that
you can import into your system 23
2 – Power User Role
_________________________________
• Applies to ALL systems _________________________________
• Ability to save queries to Ad hoc Menu
S_USER_AGR
_________________________________
f Activity: 01,02,22 _________________________________
f Role Name: {based on role naming convention} ZBW_M_FI_D
• Ability to create and change department ad hoc BEx queries …

_________________________________
S_RS_COMP
Z* = Ad hoc queries _________________________________
f Activity: 01,02; InfoArea: 0COOM; InfoCube: *
Y* = Certified/
Component: ZF* (ad-hoc); Type: REP Standard Queries
_________________________________
• … Only related to their user ID _________________________________
S_RS_COMP1
f Activity: 02; Component: ZF* ; Type: REP ; Owner = $USER
_________________________________
• InfoArea tab should be seen on Query Open _________________________________
S_RS_FOLD
f Hide ‘Folder’ Pushbutton = ‘ ’ (False) 24
2 – Power User Role (cont.)

_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
• Role usertype_poweruser_finance_ZBW_A_UT_PU_FI_ALL
25
2 – Power User Role (cont.)

_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
• Individual user requirements would define the need for an
_________________________________
SAP BW development-only role
• Only an example of the ALL role is supplied in this _________________________________
presentation _________________________________
_________________________________
• Role usertype_poweruser_finance_ZBW_A_UT_PU_FI_ALL
26
3 – BI Department Administrator Role
_________________________________
• Different authorizations apply to ALL systems and BWD-only _________________________________
systems
_________________________________
• Ability to modify queries in the Standard Menu (BWD)
S_USER_AGR _________________________________
f Activity: 01,02,06,22
_________________________________
f Role Name: {based on role naming convention} ZBW_M_FI_C
• Ability to modify department Standard BEx queries (BWD) … _________________________________
S_RS_COMP _________________________________
f Activity: 01,02,06; InfoArea: 0COOM; InfoCube: *
Component: YF* (standard/transported); Type: REP
_________________________________
• … Related to any user ID Z* = Ad hoc queries
Y* = Certified/ Standard
_________________________________
S_RS_COMP1 Queries
_________________________________
f Activity: 02,06; Component: YF* ; Type: REP ; Owner = *
27
3 – BI Department Administrator Role (cont.)

_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
• Role usertype_deptadmin_bwd_ZBW_A_UT_DA_FI_BWD
28

_________________________________
• Ability to delete queries in the Department Menu (ALL) _________________________________
S_USER_AGR
_________________________________
f Activity: 06
f Role Name: {based on role naming convention} ZBW_M_FI_D _________________________________

• Ability to modify and delete department ad hoc BEx _________________________________
queries (ALL) … Where is Display (03) See InfoArea/ _________________________________
S_RS_COMP and Execute (16)? Data Target roles
_________________________________
f Activity: 06; InfoArea: 0COOM; InfoCube: *
Component: ZF* (standard/transported); Type: REP _________________________________
• … Related to any user ID Z* = Ad hoc queries
_________________________________
Y* = Certified/
S_RS_COMP1 Standard Queries
_________________________________
f Activity: 02,06; Component: ZF* ; Type: REP ; Owner = *
29
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
• Role usertype_deptadmin_all_ZBW_A_UT_DA_FI_ALL
30

_________________________________
• Ability to display all Master Data related to Finance _________________________________
• Master Data viewable in ALL systems _________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
• Role usertype_deptadmin_all_ZBW_A_UT_DA_FI_ALL
31
4 – BI Developer Role
_________________________________
• All authorizations to do with query development would _________________________________
be inherited by the power user and department
_________________________________
administrator classifications
• BI developer roles have two different role distinctions _________________________________
similar to the BI Department Administrator _________________________________
SAP BW developer-only: this role is not transported _________________________________
ALL: this role is transported and is applicable to SAP NetWeaver
BI Dev, QA, and Prod environments _________________________________
_________________________________
Due to the number of tasks and size, screenshots of this role are _________________________________
not included in this presentation. Refer to the take-home CD.
f Role usertype_developer_all_ZBW_A_UT_DV_IT_ALL
_________________________________
f Role usertype_developer_bwd_ZBW_A_UT_DV_IT_BWD
32
Organizational Hierarchy and BI User Type Impacts
_________________________________
_________________________________
Query User Role _________________________________
1000 Corporate
_________________________________
1001 Logistics Department
Job_1 MM Dept. Admin. Role
_________________________________
1001001 Purchasing Manager _________________________________
1002111 Purchase Operations 1
MM Power User Role _________________________________
Job_2 _________________________________
1002 Finance Department _________________________________
_________________________________
33

_________________________________
_________________________________
• Wrap-up
_________________________________
_________________________________
34
Special Function Roles

_________________________________
• Special Function roles are distinct from the main stream _________________________________
roles as they are functions that are assigned temporarily
_________________________________
or address one-off scenarios
• Highly company-dependent _________________________________
• Examples: _________________________________
Display Data Warehouse Workbench _________________________________
f Assigned to BI Department Administrators during testing
_________________________________
phase
Release Transports _________________________________
f When BI Developers are not permitted to release transports _________________________________
super user reviews and releases transports
_________________________________
f Assigned to BI Department Administrators for controlling
BEx Transport releases in their area alone
35
Special Function Roles (cont.)
_________________________________
• Examples: _________________________________
Delete Data from Data Targets
_________________________________
f Assigned to control data maintenance
f Data is not owned nor is it the responsibility of the BI

_________________________________
Developer; Data is owned by the responsible functional areas _________________________________
or business analysts assigned to the functional area
_________________________________
Maintenance of Master Data
f In this solution, maintenance of master data is tasked under _________________________________
the appropriate Department’s BI Administrator
_________________________________
f This function could be split out to a special function
depending on company requirements _________________________________
f Each master data is owned only by one department _________________________________
36

_________________________________
_________________________________
• Wrap-up
_________________________________
_________________________________
37
InfoArea and Data Target-Level Security

_________________________________
S_RS_COMP: InfoArea = 0MM*; InfoCube = *;
Component = ZM*; Activity = Display ; MM _________________________________
Subobject = REP Query
User _________________________________

Component = ZM*; Activity = Create, Modify; MM
Subobject = REP Power User
_________________________________
_________________________________

MM
Component = ZM*; Activity = Delete; Department Administrator
Subobject = REP
_________________________________
_________________________________
S_RS_COMP: n/a
BI Developer _________________________________
38
InfoArea and Data Target-Level Security (cont.)
_________________________________
• SAP NetWeaver BI 7.x has impacted these role _________________________________
classifications
_________________________________
• S_RS_COMP is still valid
_________________________________
• The use of S_RS_ICUBE, S_RS_ISET, S_RS_ODSO, and
S_RS_MPRO has changed _________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
39

_________________________________
• SAP states the following on help.sap.com: Where
to
_________________________________
Authorization Objects for InfoProvider Access FIND it
_________________________________
The authorization objects S_RS_ICUBE, S_RS_MPRO,
S_RS_ISET, and S_RS_ODSO will no longer be checked during _________________________________
query processing. Instead, the check is performed using
_________________________________
special characteristics 0TCAIPROV, 0TCAACTVT, and
0TCAVALID. These authorization objects are offered during _________________________________
migration configuration as a migration option. If you select
these authorization objects, authorization for these special _________________________________
characteristics are generated according to the entries in the _________________________________
Activity and the associated field for the corresponding
InfoProvider and then assigned to the users. _________________________________
• What does this mean and what are the impacts? _________________________________
Where
to
http://help.sap.com/saphelp_nw70/helpdata/en/ad/8f7842fdb70f53e10000000a
FIND it 155106/frameset.htm 40

_________________________________
• After you migrate to the new Reporting Analysis _________________________________
Authorization concept, the following authorization
_________________________________
restriction combinations are no longer needed
S_RS_ICUBE, S_RS_IOBJ, S_RS_ISET, S_RS_MPRO _________________________________
f Activity: 03 _________________________________
f Subobject: DATA
_________________________________
• The above restrictions can be removed from existing
_________________________________
roles as they have been replaced by the restrictions
defined on authorization object S_RS_AUTH, created _________________________________
under transaction RSECADMIN (RSECADMIN replaces _________________________________
transaction RSSM for building InfoObject level security)
_________________________________
41
_________________________________
• Pre BI 7.x – Obsolete Concept enabled the INACTIV authorization _________________________________
object – should be active as they are still used
• The following illustrates Post BI 7.x – new Reporting Analysis _________________________________
Concept enabled and thus INACTIV status: _________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
42

_________________________________
• The InfoArea/Data Target role should be created to look _________________________________
like the following illustration on version BI 7.x when the _________________________________
Reporting Analysis Concept has been switched to the
new concept _________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
InfoArea_datatarget_fico_all_ZBW_A_DT_0FMCO_ALL
43

_________________________________
• Organizational Hierarchy _________________________________
_________________________________
1000 Corporate 0SCM Supply Chain Management
1001 Logistics Department InfoArea _________________________________
Job_1 _________________________________
ZFPU_M01 Goods
1001001 Purchasing Manager Receipts (Finance)
_________________________________
_________________________________
Job_2 0FI Finance InfoArea
_________________________________
1002 Finance Department (includes 0FICO InfoArea) _________________________________
_________________________________
44
_________________________________
_________________________________
• Wrap-up
_________________________________
_________________________________
45
InfoObject Level Security

_________________________________
• Prior to SAP NetWeaver BI 7.x (SAP BW 2.x, 3.x) _________________________________
RSSM: Transaction used to create InfoObject level security roles _________________________________
automatically
• Now with SAP NetWeaver BI 7.x _________________________________
RSECADMIN: Transaction used to create InfoObject level _________________________________
security roles automatically
_________________________________
Program RSEC_MIGRATION: Program that assists in migrating
SAP BW 3.x authorization objects to new BI 7.x format _________________________________
_________________________________
For more information on InfoObject level security concepts for either SAP BW _________________________________
3.x or SAP NetWeaver BI 7.x, please refer to presentation “Options, Strategies,
and Best Practices for Migrating to and Using SAP NetWeaver Business _________________________________
Intelligence 7.0 Authorization Concepts”
46
InfoObject Level Security (cont.)

_________________________________
Enterprise-wide Authorization Object (ZBI_ALL) _________________________________
1000 Corporate (ZBI_ALL = 0BI_ALL – FI restriction)
1001 Logistics Department _________________________________

Job_1 _________________________________
_________________________________
Job_2 Cost Center Restrictions (ALL) _________________________________
1002 Finance Department Cost Center Restrictions (1001 ONLY) _________________________________
Cost Center Restrictions (2* – 3*)
_________________________________
This is based on
BI 7.x concepts
47
_________________________________
_________________________________
• Wrap-up
_________________________________
_________________________________
48
How to Control Ad Hoc Query Creation Using Menus in

Roles _________________________________
• What are menu folder roles? _________________________________
Areas to define the folder structures where workbooks and _________________________________
queries are saved for storage in SAP NetWeaver BI and are
accessed by other SAP NetWeaver BI users. They are defined _________________________________
by the Basis team under the PFCG transaction code in the
_________________________________
role’s Menu tab and are separate from Authorization Roles.
SAP NetWeaver BI users can access the queries and _________________________________
workbooks stored in the Menu roles from the BEx Analyzer
_________________________________
under the Role tab.
_________________________________
_________________________________
_________________________________
49

Roles (cont.) _________________________________
• What are menu folder roles? (cont.) _________________________________
Ad hoc menu folder roles
_________________________________
f Capture reports that users have created in the production
environment directly where users want to circulate them to a _________________________________
greater audience (e.g., Department)
_________________________________
Standard (Certified) menu folder roles
f Capture reports that users have created in development and
_________________________________
transported to production. They are certified through quality, _________________________________
usually tested thoroughly for performance, and follow
company query design standards _________________________________
_________________________________
_________________________________
50
Roles (cont.) _________________________________
• Accessing _________________________________
Menu
_________________________________
Folder
Roles from _________________________________
SAPGUI _________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
51

Roles (cont.) _________________________________
• Accessing _________________________________
Menu Folder
Roles from _________________________________
SAP BEx _________________________________
Analyzer
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
52

Roles (cont.) _________________________________
• Rules to prevent loss of information _________________________________
Initially, both ad hoc and Standard/Certified menu roles should
be created in SAP NetWeaver BI Development and transported
_________________________________
through the system landscape _________________________________
On-going maintenance or adjustments to Standard/Certified
_________________________________
Menus will still be conducted in the development environment
On-going maintenance or adjustments to ad hoc menus will be _________________________________
maintained directly in the affected system and never be _________________________________
transported again after the initial folder setup to prevent
query/folder overwriting during transport _________________________________
f Any additional folders need to be added manually in the
_________________________________
Production environment
All transported queries and workbooks need a menu role _________________________________
assigned; otherwise, they cannot be viewed by the users
53
Roles (cont.) _________________________________
• DO separate roles that have authorization objects and _________________________________
menus
_________________________________
• DO separate roles that hold reports that are transported
(standardized/certified) versus production-created _________________________________
reports (ad hoc) _________________________________
• But why? _________________________________
Authorizations and menus operate on a different modification
schedule: Menus get updated more frequently with queries, _________________________________
workbooks, and Web reports _________________________________
Ensures ad hoc queries, workbooks, and Web reports created in
a Production system are not overwritten by the same role after _________________________________
transporting from Development: Two separate roles – one ad
_________________________________
hoc (Production developed objects) and one standard/certified
(Development created objects) should be used.
54

Roles (cont.) _________________________________
• Ad hoc query creation controlled through menus and _________________________________
naming conventions under the BI User Type definitions _________________________________
BW Dev. (BWD) BW Prod. (BWP)
Y* Standard
Y* Standard
Query Query _________________________________
Standard Standard
Standard Workbooks
Workbooks
Standard _________________________________
Menu Menu
Standard Web Reports
Standard Web Reports _________________________________
Z* Ad hoc Query _________________________________
Ad hoc Workbooks _________________________________
BWD Ad hoc Ad hoc Web Reports
_________________________________
Menu Z* Ad hoc Query BWP Ad hoc _________________________________
Correct Ad hoc Workbooks Menu
Setup Ad hoc Web Reports
55

Roles (cont.) _________________________________
• Incorrect setup overwrites any ad hocs created in BWP _________________________________
_________________________________
BWD
Y* Standard Query _________________________________
Standard Workbooks _________________________________
One Standard Web Reports _________________________________
Menu _________________________________
_________________________________
_________________________________
Z* Ad hoc Query (BWD)
_________________________________
Incorrect Ad hoc Workbooks (BWD)
Setup Ad hoc Web Reports (BWD) 56
Roles (cont.) _________________________________
• Incorrect setup overwrites any ad hocs created in _________________________________
BWP (cont.)
_________________________________
BWD BWP
Y* Standard
Y* Standard Query Query _________________________________
Standard
Standard Workbooks
Workbooks _________________________________
One Standard Web Reports
Menu One _________________________________
Menu _________________________________
_________________________________
Z* AdZ*hoc
Ad Query
hoc Query
(BWD)
(BWP)
_________________________________
Incorrect AdAd
hoc
hoc
Workbooks
Workbooks
(BWD)
(BWP)
Setup Ad
Adhoc
hocWeb
WebReports
Reports(BWD)
(BWP) 57

Roles (cont.) _________________________________
• Incorrect setup overwrites any ad hocs created in _________________________________
BWP (cont.) _________________________________
BWD BWP
Y* Standard Query
_________________________________
Standard Workbooks _________________________________

One _________________________________
Menu _________________________________
_________________________________
Z*
Z* Ad
Ad hoc
hoc Query
Query (BWD)
(BWP)
_________________________________
Incorrect Ad
Adhoc
hocWeb
Workbooks
Reports (BWD)
(BWP)
Setup Ad
Adhoc
hocWeb
Workbooks
Reports (BWD)
(BWP) 58

Roles (cont.) _________________________________
• How to set up Menu role in transaction PFCG _________________________________
Menu light will
be red if Menu _________________________________
folders are _________________________________
empty. This is
okay for initial _________________________________
setup. _________________________________
Authorization
light will _________________________________
remain red as _________________________________
Authorizations
and Menus are _________________________________
defined in two _________________________________
separate roles
59
Roles (cont.) _________________________________
Corporate Menu Folders
_________________________________
1000 Corporate
Logistics Department Menu Folders _________________________________
1001 Logistics Department
(Both Ad hoc and Standard Menus)
Job_1 _________________________________
_________________________________
Job_2 _________________________________
Finance Department Menu Folders
1002 Finance Department _________________________________
(Both Ad hoc and Standard Menus)
_________________________________
60

Roles (cont.) _________________________________
• Loss of functionality in SAP NetWeaver BI 7.x _________________________________
Enter in Role feature no longer supported in BEx
_________________________________
_________________________________
GOTCHA! _________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
61

Roles (cont.) _________________________________
• So how can you get queries and workbooks into Menus? _________________________________
• Queries: can still be saved into the role. This doesn’t _________________________________
create a new technical ID.
_________________________________
• Workbooks: cannot be saved into the role, as this would
create a new technical ID _________________________________
Workaround for saving reports/workbooks into menu roles _________________________________
f Option 1: Use the old SAP BW 3.x tools to assign them. This
_________________________________
doesn’t affect the version the query is developed in.
Tip f OR _________________________________
f Option 2: Go into transaction PFCG and assign the _________________________________
reports/workbooks manually. You may need to review your
authorization strategy for this since transaction PFCG is _________________________________
usually a Security Administrator’s role only.
62
Roles (cont.) _________________________________
• Go into transaction PFCG and assign the reports/ _________________________________
workbooks manually:
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
Tip _________________________________
63

_________________________________
_________________________________
• Wrap-up
_________________________________
_________________________________
64
How to Distribute the HR Organization Structure

_________________________________
• Cannot use normal BI extraction toolset under the Data _________________________________
Warehouse Workbench (transaction RSA1)
_________________________________
SAP NetWeaver BI master data extraction of InfoObject
0ORGUNIT populates the data warehouse _________________________________
The HR Organization Structure used for role allocation is _________________________________
separate from the data warehouse and thus functions
differently (e.g., distribute method and loading outside of SAP _________________________________
NetWeaver BI ETL toolsets)
_________________________________
• Prerequisites
_________________________________
Infotype 0105 is maintained
Table T77S0, Group PLOGI, Semantic Abbreviation PLOGI has _________________________________
01 Active Plan version in both systems _________________________________
All users must exist in both systems (Central User
Administration [CUA] distribution) 65
How to Distribute the HR Organization Structure (cont.)
_________________________________
• Six steps to distribution _________________________________
Create the HR-ORG distribution model (view of entire tree) in
_________________________________
the source system (e.g., SAP ERP)
Generate partner profiles in SAP ERP and CUA systems _________________________________
If employee (P) object type is undefined in the source system, _________________________________
create an outbound filter using the customer exit in the source
system _________________________________
Activate the change pointers, write change pointers in Infotype _________________________________
0105
_________________________________
Distribute the initial HR-ORG hierarchy
Distribute changes to the HR-ORG hierarchy _________________________________
• Refer to document for greater details _________________________________
“Indirect Role Assignment using HR-ORG.pdf”
66
How to Distribute the HR Organization Structure (cont.)

_________________________________
• Potential issues _________________________________
Model doesn’t distribute. Under step “Creating an HR-ORG _________________________________
Distribution Model in the Sending System,” the filter definitions
for the HR System as Target System may not work as _________________________________
documented
_________________________________
f Solution: Create different Filter Groups, run different
parameters during initialization and delta of objects _________________________________
f Refer to document for greater details _________________________________
“Indirect Role Assignment using HR-ORG Supplement.doc”
_________________________________
Model isn’t found in target system under CUA model, although _________________________________
it is successfully distributed
_________________________________
f Solution: Plan the Report RPDAPP01 with type HRMD_ABA
67
How to Allocate Roles Using HR Organization Structure

_________________________________
• Ensure the Organization Model setting is active _________________________________
Execute transaction PFCG
_________________________________
Select Goto Settings
Choose option “Complete view (Organizational Management _________________________________
and workflow)” _________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
68
How to Allocate Roles Using HR Organization
Structure (cont.) _________________________________
• Nine steps to HR-ORG role allocation _________________________________
Execute transaction PFCG
_________________________________
Specify the role for assignment
Choose the User tab page _________________________________
Click the Organizational Mgmt button _________________________________
Click the Assignment button _________________________________
Choose Agent Type Organizational unit
_________________________________
Enter Search term * and select Org tree icon. HR-ORG is
displayed. _________________________________
Select the node for allocation. Choosing a high node auto _________________________________
selects lower level nodes.
Specify relationship validity period. Create. _________________________________
69

Structure (cont.) _________________________________
• Step 1 – Execute transaction PFCG _________________________________
• Step 2 – Specify the role for assignment _________________________________
• Step 3 – Choose the User tab page _________________________________
• Step 4 – Click the Organizational Mgmt button
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
70

Structure (cont.) _________________________________
• Step 5 – Click the Assignment button _________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
Any user IDs that appear green in the tree have been _________________________________
directly assigned to the role _________________________________
_________________________________
71
Structure (cont.) _________________________________
• Step 6 – Choose Agent Type Organizational unit _________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
• Step 7 – Enter Search term * and select Org tree icon _________________________________
72

Structure (cont.) _________________________________
• Step 8 – Select the node for allocation _________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
73

Structure (cont.) _________________________________
• Step 9 – Specify relationship validity period. Create. _________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
74
Structure (cont.) _________________________________
• Result of the allocation from the HR-ORG tree _________________________________
perspective:
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
• Organization levels that appear blue in the tree have had Indirect _________________________________
role assignments allocated. Green highlights are Direct role
assignments.
75

Structure (cont.) _________________________________
• Result of the allocation from role perspective defined _________________________________
under transaction PFCG _________________________________
_________________________________
_________________________________
_________________________________
_________________________________
Direct
Indirect _________________________________
_________________________________
_________________________________
76

_________________________________
_________________________________
• How to leverage the company organizational hierarchy
_________________________________
• Wrap-up
_________________________________
_________________________________
77
Query User Example (Direct User Assignment)
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
78
Power User Example (Direct User Assignment)

_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
79
BI Department Administrator Example (Direct User

Assignment) _________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
80
Resources
_________________________________
• SAP Service Marketplace note _________________________________
934848 “Collective note: (FAQ) BI Administration Cockpit”
• Documentation BI Administration Cockpit _________________________________
http://help.sap.com/saphelp_nw70/helpdata/en/43/15c54048035a39e10000000 _________________________________
a422035/content.htm
• Documentation BI Query Runtime Statistics _________________________________
http://help.sap.com/saphelp_nw70/helpdata/en/ef/372242c4e05033e10000000 _________________________________
a155106/content.htm
• How to Upload Roles into your BI System _________________________________
“How to Upload the Roles.doc” _________________________________
• Indirect Role Assignments
http://help.sap.com/saphelp_nw04/helpdata/en/8b/3c713eeaac5441e10000000 _________________________________
a114084/frameset.htm
_________________________________
f “Indirect Role Assignment Using HR-ORG.PDF”
f “Indirect Role Assignment Using HR-ORG Supplement.doc”

81
Resources (cont.)
_________________________________
• Indirect Role Assignments (cont.) _________________________________
SAP Service Marketplace (https://websmp109.sap-ag.de/notes *) _________________________________
f SAP Note 200343: HR-CA-ALE: Composite SAP Note Re
Distributing HR Master Data _________________________________
f SAP Note 363187: HR-CA-ALE: Initial Distribution w. _________________________________
HRMD_A/ HRMD_ABA (hint)
_________________________________
f SAP Note 200066: HR-CA-ALE: Q&A for Setting Up HR-ALE
Scenarios _________________________________
This note contains links to the QuickStart documentation
_________________________________
for ALE and the ALE HR business processes
f SAP Note 581019: Distribute PFCG HR-ORG model for _________________________________
indirect role assignment _________________________________
82
7 Key Points to Take Home

_________________________________
• Use the HR Organizational Hierarchy to distribute roles _________________________________
across an organization
_________________________________
• Allocate roles to positions, jobs, and organizational unit
nodes and not a user’s logon ID _________________________________
• Capture common transactions at the highest point _________________________________
defined in the dependency of BW User Types _________________________________
E.g., if an action is required by both Power User and
_________________________________
Department Administrator, modify the Power User role
• Use Single roles and allow the hierarchy to build the _________________________________
combined “composite-like” authorizations _________________________________
_________________________________
83
7 Key Points to Take Home (cont. )
_________________________________
• More effort is required in the initial setup of a flexible _________________________________
model. However, an inflexible one requires higher on-
_________________________________
going maintenance and is more prone to security
inconsistencies. _________________________________
• Separate roles that control user actions with roles that _________________________________
control viewing of data _________________________________
• Separate roles that have authorizations defined within _________________________________
them from roles that contain only menus as they operate
on a different maintenance schedule _________________________________
_________________________________
_________________________________
84
Your Turn!
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
_________________________________
How to contact me: _________________________________
Tracey Brookes _________________________________
tbrookes@sapient.com
85
Notes:
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
Notes:
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
Wellesley Information Services, 990 Washington Street, Suite 308, Dedham, MA 02026
Copyright © 2008 Wellesley Information Services. All rights reserved.

BI Authorizations

Transféré par

Informations du document

Description originale:

Copyright

Formats disponibles

Partager ce document

Partager ou intégrer le document

Options de partage

Avez-vous trouvé ce document utile ?

Ce contenu est-il inapproprié ?

Droits d'auteur :

Formats disponibles

BI Authorizations

Transféré par

Droits d'auteur :

Formats disponibles

_________________________________

An A-to-Z Guide on How _________________________________

What We’ll Cover …

What Makes A Good BI Security Model?

BI Security Model Dos and Don’ts

BI Security Model Dos and Don’ts (cont.)

Using Your Organization’s Structural Hierarchy (cont.)

Using Your Organization’s Structural Hierarchy (cont.)

 Purchasing Operations: _________________________________

Using Your Organization’s Structural Hierarchy: Result

Using Your Organization’s Structural Hierarchy:

S_RS_COMP: InfoArea = 0MM*; InfoCube = *; _________________________________

S_RS_COMP: InfoArea = 0MM*; InfoCube = *; _________________________________

Pros and Cons of the SAP-Delivered Roles

Pros and Cons of the SAP-Delivered Roles (cont.)

How to Set up a (More) Flexible, Position-Based Model

How to Set up a (More) Flexible, Position-Based

Translating Requirements into User Role Types

Four Key BI User Types

Save ad hoc query to ad hoc menu role (BWD/BWQ/BWP) X X _________________________________

1 – Query User Role (cont.)

• InfoArea tab should not be seen _________________________________

1 – Query User Role (cont.)

• Ability to create and change department ad hoc BEx queries …

2 – Power User Role (cont.)

2 – Power User Role (cont.)

3 – BI Department Administrator Role (cont.)

3 – BI Department Administrator Role (cont.)

f Role Name: {based on role naming convention} ZBW_M_FI_D _________________________________

3 – BI Department Administrator Role (cont.)

What We’ll Cover …

Special Function Roles

f Data is not owned nor is it the responsibility of the BI

What We’ll Cover …

InfoArea and Data Target-Level Security

S_RS_COMP: InfoArea = 0MM*; InfoCube = *; _________________________________

S_RS_COMP: InfoArea = 0MM*; InfoCube = *; _________________________________

InfoArea and Data Target-Level Security (cont.)

InfoArea and Data Target-Level Security (cont.)

InfoArea and Data Target-Level Security (cont.)

InfoArea and Data Target-Level Security (cont.)

InfoObject Level Security

InfoObject Level Security (cont.)

1001 Logistics Department _________________________________

How to Control Ad Hoc Query Creation Using Menus in

How to Control Ad Hoc Query Creation Using Menus in

How to Control Ad Hoc Query Creation Using Menus in

How to Control Ad Hoc Query Creation Using Menus in

How to Control Ad Hoc Query Creation Using Menus in

How to Control Ad Hoc Query Creation Using Menus in

How to Control Ad Hoc Query Creation Using Menus in

Standard Web Reports _________________________________

How to Control Ad Hoc Query Creation Using Menus in

How to Control Ad Hoc Query Creation Using Menus in

How to Control Ad Hoc Query Creation Using Menus in

What We’ll Cover …

How to Distribute the HR Organization Structure

How to Distribute the HR Organization Structure (cont.)

How to Allocate Roles Using HR Organization Structure

How to Allocate Roles Using HR Organization

How to Allocate Roles Using HR Organization

How to Allocate Roles Using HR Organization

How to Allocate Roles Using HR Organization

Purchasing Operations: _________________________________

S_RS_COMP: InfoArea = 0MM; InfoCube = ; _________________________________

S_RS_COMP: InfoArea = 0MM; InfoCube = ; _________________________________

S_RS_COMP: InfoArea = 0MM; InfoCube = ; _________________________________

S_RS_COMP: InfoArea = 0MM; InfoCube = ; _________________________________